Did I delete my cookies? Cookies respawning with browser fingerprinting
This addresses privacy concerns for web users by exposing a widespread tracking technique that may breach GDPR and ePrivacy regulations, with potential fines up to 20 million euro.
The study tackled the problem of cookie respawning using browser and machine fingerprinting, detecting that 1,150 out of the top 30,000 Alexa websites deploy this tracking mechanism, which can track users across websites even without third-party cookies.
Stateful and stateless web tracking gathered much attention in the last decade, however they were always measured separately. To the best of our knowledge, our study is the first to detect and measure cookie respawning with browser and machine fingerprinting. We develop a detection methodology that allows us to detect cookies dependency on browser and machine features. Our results show that 1,150 out of the top 30, 000 Alexa websites deploy this tracking mechanism. We further uncover how domains collaborate to respawn cookies through fingerprinting. We find out that this technique can be used to track users across websites even when third-party cookies are deprecated. Together with a legal scholar, we conclude that cookie respawning with browser fingerprinting lacks legal interpretation under the GDPR and the ePrivacy directive, but its use in practice may breach them, thus subjecting it to fines up to 20 million euro.