As online privacy is cementing itself as one of the core pillars of the Internet, major changes are happening across many industries. On the technological side, users are pushing for more privacy-preserving technologies and rely on browsers and extensions that limit online tracking as much as possible. On the legal front, regulations like GDPR and the ePrivacy Directive in Europe have forced companies to change their practices and be more transparent about how they handle user data. For the ad industry, the end of third-party cookies planned for 2025 is having severe ramifications as the main source of data on which this industry is built on will be gone. In this tumultuous context, companies have come up with innovative ways to overcome current and future restrictions. A novel technique which has not received much attention called Server-side tracking (SST) moves its tracking logic away from the user's device onto an external server. In this work, our aim is to detect SST on the web and understand its lawfulness with respect to current legislation. We developed a methodology that relies on crawls spaced 2 years apart performed before and after the introduction of SST to identify trackers that moved behind SST domains and that are now hidden from view. Our results show that 389, out of 7,367 visited websites, track users behind a cloaked domain and that 28 websites perform Server-side tracking in a first-party capacity. We demonstrate that such a tracking technique can overcome the Same-Origin Policy and introduce security vulnerabilities. Together with a legal scholar, we also show that SST entails non-compliant practices and infringes the GDPR and the ePrivacy Directive.
Read full abstract