Measuring the Privacy vs. Compatibility Trade-off in Preventing Third-Party Stateful Tracking

Jordan Jueckstock (North Carolina State University), Peter Snyder (Brave Software), Shaown Sarker (North Carolina State University), Alexandros Kapravelos (North Carolina State University), Benjamin Livshits (Brave Software & Imperial College London) | Privacy

Despite much web privacy research on sophisticated tracking techniques (e.g., fingerprinting, cache collusion, bounce tracking), most tracking on the web is still done by transmitting stored identifiers across site boundaries. “Stateful” tracking is not a bug but a misfeature of classical browser storage policies: per-site storage is shared across all visits, from both first- and third-party (i.e., embedded in other sites) context, enabling the most pervasive forms of online tracking.

In response, some browser vendors have implemented alternate, privacy-preserving storage policies, especially for third-party site context. However, such changes risk breaking websites that presume the traditional model of non-partitioned third-party storage. Such breakage can itself harm web privacy: browsers that frustrate user expectations will be abandoned for more permissive, privacy-harming browsers, cementing rather than disrupting the status quo.

Our work improves the state of web privacy by measuring the privacy vs. compatibility trade-offs of representative third-party storage policies, with the end goal of enabling the design of browsers that are both compatible and privacy-respecting. Our contributions include web-scale measurements of page behaviors under multiple third-party storage policies representative of those deployed in several production browsers. We define metrics for measuring aggregate effects on web privacy and compatibility, including a novel system for programmatically estimating aggregate website breakage under different policies. We find that partitioning third-party storage by first party, and its lifetime by site session, achieves the best privacy and compatibility trade-off. We provide complete datasets and implementations for our measurements and tools.
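A minimal model of the storage policies the abstract contrasts, added here as an illustration and not taken from the paper's tooling. The policy names, the `simulate` and `measure` helpers, the sample visits, and the modelling of a site-session lifetime as part of the storage key are all assumptions.

```javascript
// Toy model (added example, hypothetical names): how the storage key chosen by
// the browser decides whether an embedded third party can re-read its identifier.
// A visit is { firstParty, thirdParty, session }; `session` is a constructed id
// for one site session of the first party.
const POLICIES = {
  // Classical: one bucket per third-party site, shared across every embedder.
  shared: (v) => v.thirdParty,
  // Partitioned by first party: one bucket per (embedder, embedded) pair.
  partitioned: (v) => `${v.firstParty}|${v.thirdParty}`,
  // Partitioned, and discarded when the first party's site session ends
  // (assumption: modelled by adding the session to the key).
  partitionedSession: (v) => `${v.firstParty}|${v.thirdParty}|${v.session}`,
};

// Replay visits: the third party reads its stored id, or mints one if empty.
function simulate(policy, visits) {
  const keyOf = POLICIES[policy];
  const store = new Map();
  let next = 0;
  return visits.map((v) => {
    const key = keyOf(v);
    if (!store.has(key)) store.set(key, `id-${next++}`);
    return { ...v, id: store.get(key) };
  });
}

// Count identifiers observed under more than one distinct value of `field`.
function countLinked(observations, field) {
  const seen = new Map();
  for (const o of observations) {
    if (!seen.has(o.id)) seen.set(o.id, new Set());
    seen.get(o.id).add(o[field]);
  }
  return [...seen.values()].filter((s) => s.size > 1).length;
}

function measure(policy, visits) {
  const obs = simulate(policy, visits);
  return {
    crossSite: countLinked(obs, "firstParty"),  // ids joining different sites
    crossSession: countLinked(obs, "session"),  // ids surviving a session end
  };
}

// Constructed sample: one tracker embedded on two sites, with a return visit.
const VISITS = [
  { firstParty: "news.example", thirdParty: "tracker.example", session: "s1" },
  { firstParty: "shop.example", thirdParty: "tracker.example", session: "s2" },
  { firstParty: "news.example", thirdParty: "tracker.example", session: "s3" },
];
for (const p of Object.keys(POLICIES)) console.log(p, measure(p, VISITS));
```

The model covers only identifier reuse; it says nothing about the compatibility side of the trade-off, which the paper measures separately.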
