Do Opt-Outs Really Opt Me Out?
Nov 8, 22
Information
Authors
Duc Bui, Brian Tang, Kang G. Shin
Conference
29th ACM Conference on Computer and Communications Security (2022)
Blog
Intro
Online trackers, such as advertising and analytics service companies, have provided users with choices to opt out of their tracking and data collection to mitigate the users’ concerns of increasing privacy risks. While opt-out choices of online services for the cookies placed on their own websites have been examined before, the choices provided by trackers for their third-party tracking services on publisher websites have been largely overlooked. There is no guarantee that a tracker’s opt-out option would faithfully follow the statements in its privacy policy. To address this concern, we develop an automated framework, called OptOutCheck, that analyzes (in)consistencies between trackers’ data practices and the opt-out choice statements in their privacy policies.
System Design
We create sentence-level classifiers, which achieve ≥84.6% precision on previously-unseen statements, to extract the opt-out policies that state neither tracking nor data collection for opted-out users from trackers’ privacy-policy documents. OptOutCheck analyzes both tracker and publisher websites to detect opt-out buttons, perform the opt-out, and extract the data flows to the tracker servers after the user opts out. Finally, we formalize the opt-out policies and data flows to derive logical conditions to detect the inconsistencies.
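The last step above, formalizing the opt-out policy and the post-opt-out data flows into logical conditions, can be illustrated with a small checker. The following is an added example written for this page, not OptOutCheck's own code: it assumes two simplified policy classes (no tracking and no data collection for opted-out users), a constructed post-opt-out request capture from a hypothetical publisher page, a hand-picked set of identifier cookie and parameter names, and a crude eTLD+1 match. The paper's classifiers, crawler and formalization are considerably richer than this.

```python
"""Added example (not part of the OptOutCheck paper or its code): a toy
consistency check between a tracker's stated opt-out policy and the network
flows observed to that tracker after the opt-out has been performed.
All domain names, flows and policy labels below are constructed."""

from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit, parse_qs


class OptOutPolicy(Enum):
    # "Opted-out users are not tracked" (no persistent identifiers may be used).
    NO_TRACKING = "no_tracking"
    # "No data is collected from opted-out users" (no data flow at all).
    NO_DATA_COLLECTION = "no_data_collection"


@dataclass
class DataFlow:
    """One HTTP request captured after the opt-out (constructed sample)."""
    url: str
    cookies: dict = field(default_factory=dict)
    body_fields: dict = field(default_factory=dict)


# Cookie / parameter names treated as persistent user identifiers.
# Assumption for this example; a real audit would use a curated list.
IDENTIFIER_KEYS = {"uid", "user_id", "cid", "_ga", "tuid"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: adequate for the
    constructed hosts here; real code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def goes_to_tracker(flow: DataFlow, tracker_domain: str) -> bool:
    """True if the request is sent to the tracker's registrable domain."""
    host = urlsplit(flow.url).hostname or ""
    return registrable_domain(host) == registrable_domain(tracker_domain)


def carries_identifier(flow: DataFlow) -> bool:
    """True if a cookie, query parameter or body field looks like a user ID."""
    query = parse_qs(urlsplit(flow.url).query)
    keys = set(flow.cookies) | set(query) | set(flow.body_fields)
    return bool(keys & IDENTIFIER_KEYS)


def find_inconsistencies(tracker_domain, policy, flows):
    """Return the post-opt-out flows that contradict the stated policy.

    Logical conditions (a simplification, not the paper's formalization):
      NO_DATA_COLLECTION is violated by any post-opt-out flow to the tracker.
      NO_TRACKING is violated by a post-opt-out flow to the tracker that
      carries a persistent identifier.
    """
    to_tracker = [f for f in flows if goes_to_tracker(f, tracker_domain)]
    if policy is OptOutPolicy.NO_DATA_COLLECTION:
        return to_tracker
    if policy is OptOutPolicy.NO_TRACKING:
        return [f for f in to_tracker if carries_identifier(f)]
    raise ValueError(f"unknown policy {policy!r}")


# Constructed post-opt-out capture from a hypothetical publisher page.
SAMPLE_FLOWS = [
    DataFlow("https://pixel.tracker-example.com/collect?ev=view&uid=7f3a",
             cookies={"uid": "7f3a"}),
    DataFlow("https://cdn.tracker-example.com/optout.js"),
    DataFlow("https://analytics.other-example.net/beacon", cookies={"_ga": "x"}),
]

if __name__ == "__main__":
    for policy in OptOutPolicy:
        bad = find_inconsistencies("tracker-example.com", policy, SAMPLE_FLOWS)
        print(policy.value, [f.url for f in bad])
```

Run as a script, the checker reports that a "no data collection" policy is contradicted by both requests to tracker-example.com (including the opt-out script itself, which is why the policy class matters), while a "no tracking" policy is contradicted only by the pixel request that still carries the uid cookie and parameter. In a real audit the policy class comes from the sentence-level classifier and the flows from an instrumented browser, but the final comparison reduces to conditions of this shape.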
Evaluation
In a large-scale study of 2.9k popular trackers, OptOutCheck detected opt-out choices on 165 trackers and found 11 trackers that exhibited data practices inconsistent with their stated opt-out policies. Since such inconsistencies are violations of the trackers' own privacy policies and demonstrate data collection without user consent, they are likely to erode users' trust in online trackers and call for an automated auditing process. These trackers were present on 3.65% of the top 10k websites on average and tracked a significant amount of web traffic.
The 11 trackers we discovered that violated their own privacy policies are listed on the following website: https://rtcl.eecs.umich.edu/optoutcheck/.
They are: adtriba.com, criteo.com, deepintent.com, dianomi.com, dynad.net, liveintent.com, onaudience.com, reachlocal.com, sovrn.com, taboola.com, underdogmedia.com. We communicated with each of their privacy teams. Dianomi's and Taboola's privacy teams were the only ones that responded and remediated the issues.
Citation
@inproceedings{bui2022opt,
title={Do Opt-Outs Really Opt Me Out?},
author={Bui, Duc and Tang, Brian and Shin, Kang G},
booktitle={Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
pages={425--439},
year={2022}
}