At the beginning of this year, Google announced that by 2022, the Chrome web browser will drop support for third-party tracking cookies, which – until now – have allowed advertisers to collect information from online users and follow them around the web to deliver more personalized messages. Although competing browsers such as Apple’s Safari and Mozilla’s Firefox have already blocked tracking cookies by default, Chrome dominates the global browser market with at least a 62% market share, spelling the death of third-party tracking cookies as a viable way to identify users in the coming future.
Google’s decision comes at a time when consumers are more concerned about the safety of their identity than ever before, and data privacy advocates have welcomed it with cautious enthusiasm. However, tech commentators should not celebrate too early, nor should organizations believe that this decision will reduce their responsibility to protect consumers or mitigate the danger of lawsuits based on legislation like the California Consumer Privacy Act (CCPA) which went into effect at the end of January.
Since competing browsers first targeted tracking cookies, advertisers, malicious actors and digital third parties have worked around the clock to develop alternative tracking technologies with a great deal of success. If not better understood, these alternatives may become a greater threat to user privacy than tracking cookies ever were, and organizations should be prepared to fight them for the indefinite future if they want to keep their users safe and stay compliant.
On their own, these details are usually not compromising, and devices are generally willing to divulge them. But when this information is combined, it can be used to create a unique “fingerprint” that de-anonymizes users, allowing third parties to successfully monitor their activity across multiple domains and apps. In a study by Lehigh University and Washington University, fingerprinting was found to accurately identify 99% of targets.
Since the data collected by fingerprinting is also collected by legitimate apps and websites for purposes of functionality, blocking it is hard. Mozilla and Apple have tried to do so anyways with limited success, but – assuming this deters advertisers from attempting to fingerprint users – they have even more advanced techniques to fall back on.
In 2017, researchers from the Technical University of Braunschweig described a method for user-tracking based on ultrasonic frequencies that lie outside the human range of hearing (18 – 20KHz). Over 200 mobile applications were discovered in the Android store which listened for beacons hiding in web advertisements that played on a nearby computer or tablet, allowing attackers to confirm the location of a user and track them across multiple devices.
The FTC warned multiple developers who hid this functionality inside their applications without notifying users in any way; ultimately, many did not comply, and Google removed them. Even so, the incident proved that mobile devices can be used to collect environmental data in a way that compromises the identity of a user, and – since most users automatically grant apps permission to access their camera, microphone or contacts – few protections stand in their way.
Throughout the COVID-19 pandemic, governments have struggled to find policies for disease control that balance personal liberties and public safety. Many countries have created smartphone apps to monitor the health of their citizens, help them to avoid the disease, and impose selective quarantines on those affected by it. Although controversial, there is every reason to believe these policies have been effective and will likely inform future legislation.
As digital devices collect more and more information about us, they create countless openings that advertisers and other third-parties will abuse to expand their tracking capabilities in ways that legislation, web browsers and app stores simply cannot anticipate or keep up with. Ultimately, ultrasonic beacons in web advertisements were never blocked in Chrome, Safari or Firefox, nor were they addressed by the CCPA – the same pattern is sure to repeat itself.
Even after two years, there are many organizations who aren’t in compliance with GDPR, nor are they prepared for CCPA when it comes to their digital assets. Even worse, many organizations who aren’t compliant believe that they are. Since 2018, consent management platforms (CMPs) have emerged as the de facto solution for collecting permission to track users and communicate that permission with upstream partners.
There is reason to believe that CMPs are not GDPR or CCPA-compliant in the first place: they only acquire a “general consent” which the E.U has called “unacceptable,” and have not been tested in a court of law. But even if they are compliant, CMPs cannot protect an organization from lawsuits based on abusive data tracking practices which will persist long after the death of third-party cookies.
Today, every business with a website is threatened by third-party partners who provide 80 – 95% of the code across their digital domains. Yet many are not even aware that this code exists: they do not vet their partners or enforce data privacy policies to ensure that user consent is respected, nor do they monitor their network activity to ensure that underhanded techniques are not being used to collect data under the table.
To protect their users from the coming wave of data privacy threats – and to protect themselves from data breaches that lead to expensive lawsuits – organizations must take a more proactive role in the security of their online properties. Today, it is not enough to merely comply with legislation or wait for major web browsers to change the rules. Those who do will soon be facing risks to their customer’s security that go far beyond third-party cookies.
by PAT CIAVOLELLA
Digital3PC.com is an independent platform that brings together the best minds from tech, government, research, and academia to shape the future of cybersecurity policy and offer best practice solutions when responding to cyber threats. The most common access point for malware spread, data breaches, IP theft, election meddling, disinformation campaigns, and cyberwarfare is malicious third-party code (3PC) that makes its way into our websites, apps, and IoT devices. The compromise of the digital ecosystem erodes user trust and the credibility of media organizations, and undermines the integrity of our democracy, economy, and public safety.