My Cookie is a phoenix: detection, measurement, and lawfulness of cookie respawning with browser fingerprinting

Authors: Imane Fouad (Univ. Lille, CNRS, Inria), Cristiana Santos (Utrecht University), Arnaud Legout (Inria), Nataliia Bielova (LINC team, CNIL, France)

Volume: 2022
Issue: 3
Pages: 79–98

Download PDF

Abstract: Stateful and stateless web tracking gathered much attention in the last decade, however they were always measured separately. To the best of our knowledge, our study is the first to detect and measure cookie respawning with browser and machine fingerprinting. We develop a detection methodology that allows us to detect cookies dependency on browser and machine features. Our results show that 1, 150 out of the top 30, 000 Alexa websites deploy this tracking mechanism. We find out that this technique can be used to track users across websites even when third-party cookies are deprecated. Together with a legal scholar, we conclude that cookie respawning with browser fingerprinting lacks legal interpretation under the GDPR and the ePrivacy directive, but its use in practice may breach them, thus subjecting it to fines up to 20 million e.

Keywords: fingerprinting, cookie respawning, GDPR

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.