On the Robustness of Topics API to a Re-Identification Attack

by   Nikhil Jha, et al.

Web tracking through third-party cookies is considered a threat to users' privacy and is supposed to be abandoned in the near future. Recently, Google proposed the Topics API framework as a privacy-friendly alternative for behavioural advertising. Using this approach, the browser builds a user profile based on navigation history, which advertisers can access. The Topics API has the possibility of becoming the new standard for behavioural advertising, thus it is necessary to fully understand its operation and find possible limitations. This paper evaluates the robustness of the Topics API to a re-identification attack where an attacker reconstructs the user profile by accumulating user's exposed topics over time to later re-identify the same user on a different website. Using real traffic traces and realistic population models, we find that the Topics API mitigates but cannot prevent re-identification to take place, as there is a sizeable chance that a user's profile is unique within a website's audience. Consequently, the probability of correct re-identification can reach 15-17 we use in this work to stimulate further studies and the tuning of the Topic API parameters.


page 1

page 2

page 3

page 4


Interest-disclosing Mechanisms for Advertising are Privacy-Exposing (not Preserving)

Today, targeted online advertising relies on unique identifiers assigned...

Measuring Re-identification Risk

Compact user representations (such as embeddings) form the backbone of p...

Keep your Identity Small: Privacy-preserving Client-side Fingerprinting

Device fingerprinting is a widely used technique that allows a third par...

Privacy Limitations Of Interest-based Advertising On The Web: A Post-mortem Empirical Analysis Of Google's FLoC

In 2020, Google announced they would disable third-party cookies in the ...

Chrowned by an Extension: Abusing the Chrome DevTools Protocol through the Debugger API

The Chromium open-source project has become a fundamental piece of the W...

Gummy Browsers: Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques

We present a simple yet potentially devastating and hard-to-detect threa...

Cookie Synchronization: Everything You Always Wanted to Know But Were Afraid to Ask

User data is the primary input of digital advertising, the fuel of free ...

Please sign up or login with your details

Forgot password? Click here to reset