ABSTRACT
Targeted advertising is a pervasive practice in the advertising ecosystem, with complex representations of user identity central to targeting. Ad networks are incentivized to tie ephemeral cookies across devices to lasting durable identifiers such as email addresses in order to develop comprehensive cross-device user profiles. Third-party ad networks typically do not have relationships with users and must rely on external parties such as merchant websites for durable identity information, introducing intricate trust relationships. We find attackers can exploit these trust relationships to confuse an ad network into linking an unprivileged attacker's browser to a victim's identity, thus "impersonating" the victim to the ad network.
We present Advertising Identity Entanglement, a vulnerability that lets an attacker remotely extract specific user browsing behavior from ad networks, knowing only a victim's email address, with no access to the victim, ad network, or websites. This new fundamental flaw in cross-device tracking allows attackers to pass erroneous identity information to third-party ad networks, causing the networks to confuse attacker and victim. Once entangled, the attacker receives advertisements intended for the victim across the entire ad network. We find identity entanglement is a significant user privacy vulnerability where attackers can learn detailed victim browsing activity such as retail websites, products, and even specific apartments or hotels the victim has interacted with. The vulnerability is also bi-directional, with the attacker able to cause specific ads to be shown to the victim, introducing the possibility of embarrassment attacks and blackmail. We have disclosed the vulnerability; Criteo, one of the largest third-party ad networks, acknowledges the attack.
Published in
November 2022, 3598 pages. ISBN: 9781450394505. DOI: 10.1145/3548606
- General Chairs: Heng Yin, Angelos Stavrou
- Program Chairs: Cas Cremers, Elaine Shi