Page:Privacy Rarely Considered, Exploring Considerations in the Adoption of Third-Party Services by Websites.pdf/3

Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites

Christine Utz, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany, christine.utz@cispa.de

Sabrina Amft, CISPA Helmholtz Center for Information Security, Hannover, Germany, sabrina.amft@cispa.de

Martin Degeling, Ruhr University Bochum, Bochum, Germany, martin.degeling@rub.de

Thorsten Holz, CISPA Helmholtz Center for Information Security, Saarbrücken, Germany, holz@cispa.de

Sascha Fahl, CISPA Helmholtz Center for Information Security, Hannover, Germany, fahl@cispa.de

Florian Schaub, University of Michigan School of Information, Ann Arbor, Michigan, USA, fschaub@umich.edu

ABSTRACT

Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website’s visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors’ privacy. We report results from an online survey with 395 participants involved in the creation and maintenance of websites. For ten common website functionalities we investigated if privacy has played a role in decisions about how the functionality is integrated, if specific efforts for privacy protection have been made during integration, and to what degree people are aware of data collection through third parties. We find that ease of integration drives third-party adoption but visitor privacy is considered if there are legal requirements or respective guidelines. Awareness of data collection and privacy risks is higher if the collection is directly associated with the purpose for which the third-party service is used.

KEYWORDS

Web privacy, web tracking, third parties, survey.

1 INTRODUCTION

Contemporary websites often use third-party services for certain functionality, design, or media resources. The underlying reasons are as multifaceted as the purposes for which external resources are used in web development. Web content is often monetized via online advertising and marketing [50], which frequently involves the inclusion of advertising networks to target ads to website visitors’ presumed interests and web analytics to measure the success of online marketing campaigns. User expectations regarding the look and functionality of websites, paired with time and resource constraints in web development, were also found to drive the adoption of third-party resources [19], such as design frameworks, contact forms, and external media hosting. This reliance on third parties can come at the cost of website visitors’ privacy. By embedding external resources, websites provide third-party vendors with the opportunity to collect personal data about the website’s visitors, such as their IP address, visited pages, and access to long-term identifiers the third party may have stored in visitors’ browsers [50]. This data collection potentially allows them to track people across the Web, learn large shares of their browsing histories, and use this information to infer interests or demographics. Considering that third-party resources are often automatically retrieved in the background without visible indication, this may be at odds with privacy legislation. For example, the European Union’s General Data Protection Regulation (GDPR) [20], in effect since 2018, demands that processing of personal data is grounded on one of six legal bases, including user consent, is transparently communicated, and a “privacy by design and by default” approach is followed. Privacy risks of third-party website resources have been pointed out by courts and technical guides, noting, for example, that use of the most prevalent third-party service [16, 34, 39], Google Analytics, is only compliant with privacy law with IP anonymization [80]. Recent years have also seen the introduction of more privacy-friendly ways to embed externally hosted media or social media functionality [30, 31]. Still, post-GDPR measurements have shown little change in the prevalence of third-party web tracking [14, 76, 88], and practices that are already “quite pervasive” [19] may be hard to change.

In early 2022, several European courts and data protection authorities have directed attention towards the privacy implications of third-party use through decisions that declared the use of certain services a GDPR violation: the Austrian and French data protection boards for Google Analytics [59, 67], the Belgian one for IAB Europe’s Transparency and Consent Framework (TCF), the basis for many third-party consent providers [7], and a German court for Google Fonts [43], with more decisions expected to follow [8]. Website creators are a crucial part of the third-party tracking ecosystem, as it is them who integrate third parties into websites and enable them to track visitors’ behavior across the Web. Thus,

This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license visit https://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. Proceedings on Privacy Enhancing Technologies 2023(1), 5–28 © 2023 Copyright held by the owner/author(s). https://doi.org/10.56553/popets-2023-0002