Measuring UID Smuggling in the Wild

Audrey Randall (University of California San Diego), Peter Snyder (Brave Software), Alisha Ukani (University of California San Diego), Alex Snoeren (University of California San Diego), Geoffrey M. Voelker (University of California San Diego), Stefan Savage (University of California San Diego), Aaron Schulman (University of California San Diego) | Privacy

This work presents a systematic study of UID smuggling, an emerging tracking technique that is designed to evade browsers’ privacy protections. Browsers are increasingly attempting to prevent cross-site tracking by partitioning the storage where trackers store user identifiers (UIDs). UID smuggling allows trackers to synchronize UIDs across sites by inserting UIDs into users’ navigation requests. Trackers can thus regain the ability to aggregate users’ activities and behaviors across sites, in defiance of browser protections.

In this work, we introduce CrumbCruncher, a system for measuring UID smuggling in the wild by crawling the Web. CrumbCruncher provides several improvements over prior work on identifying UIDs and measuring tracking via web crawling, including in distinguishing UIDs from session IDs, handling dynamic web content, and synchronizing multiple crawlers. We use CrumbCruncher to measure the frequency of UID smuggling on the Web, and find that UID smuggling is present on more than eight percent of all navigations that we made. Furthermore, we perform an analysis of the entities involved in UID smuggling, and discuss their methods and possible motivations. We discuss how our findings can be used to protect users from UID smuggling, and release both our complete dataset and our measurement pipeline to aid in protection efforts.

View paper

Links

Ready for a better Internet?

Brave’s easy-to-use browser blocks ads by default, making the Web cleaner, faster, and safer for people all over the world.

close

Almost there…

You’re just 60 seconds away from the best privacy online

If your download didn’t start automatically, .

  1. Download Brave

    Click “Save” in the window that pops up, and wait for the download to complete.

    Wait for the download to complete (you may need to click “Save” in a window that pops up).

  2. Run the installer

    Click the downloaded file at the top right of your screen, and follow the instructions to install Brave.

    Click the downloaded file, and follow the instructions to install Brave.

  3. Import settings

    During setup, import bookmarks, extensions, & passwords from your old browser.

Need help?

Get better privacy. Everywhere!

Download Brave mobile for privacy on the go.

Download QR code
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo
Click this file to install Brave Brave logo