On the Robustness of Topics API to a Re-Identification Attack

• URL: http://arxiv.org/abs/2306.05094v1
• Date: Thu, 8 Jun 2023 10:53:48 GMT
• Title: On the Robustness of Topics API to a Re-Identification Attack
• Authors: Nikhil Jha, Martino Trevisan, Emilio Leonardi, Marco Mellia
• Abstract summary: Google proposed the Topics API framework as a privacy-friendly alternative for behavioural advertising. This paper evaluates the robustness of the Topics API to a re-identification attack. We find that the Topics API mitigates but cannot prevent re-identification to take place, as there is a sizeable chance that a user's profile is unique within a website's audience.
• Score: 6.157783777246449
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Web tracking through third-party cookies is considered a threat to users' privacy and is supposed to be abandoned in the near future. Recently, Google proposed the Topics API framework as a privacy-friendly alternative for behavioural advertising. Using this approach, the browser builds a user profile based on navigation history, which advertisers can access. The Topics API has the possibility of becoming the new standard for behavioural advertising, thus it is necessary to fully understand its operation and find possible limitations. This paper evaluates the robustness of the Topics API to a re-identification attack where an attacker reconstructs the user profile by accumulating user's exposed topics over time to later re-identify the same user on a different website. Using real traffic traces and realistic population models, we find that the Topics API mitigates but cannot prevent re-identification to take place, as there is a sizeable chance that a user's profile is unique within a website's audience. Consequently, the probability of correct re-identification can reach 15-17%, considering a pool of 1,000 users. We offer the code and data we use in this work to stimulate further studies and the tuning of the Topic API parameters.

Related papers

• How Unique is Whose Web Browser? The role of demographics in browser fingerprinting among US users [50.699390248359265]
  Browser fingerprinting can be used to identify and track users across the Web, even without cookies. This technique and resulting privacy risks have been studied for over a decade. We provide a first-of-its-kind dataset to enable further research.
  arXiv  Detail & Related papers  (2024-10-09T14:51:58Z)
• Keypoint Promptable Re-Identification [76.31113049256375]
  Occluded Person Re-Identification (ReID) is a metric learning task that involves matching occluded individuals based on their appearance. We introduce Keypoint Promptable ReID (KPR), a novel formulation of the ReID problem that explicitly complements the input bounding box with a set of semantic keypoints. We release custom keypoint labels for four popular ReID benchmarks. Experiments on person retrieval, but also on pose tracking, demonstrate that our method systematically surpasses previous state-of-the-art approaches.
  arXiv  Detail & Related papers  (2024-07-25T15:20:58Z)
• The Privacy-Utility Trade-off in the Topics API [0.34952465649465553]
  We analyze the re-identification risks for individual Internet users and the utility provided to advertising companies by the Topics API. We provide theoretical results dependent only on the API parameters that can be readily applied to evaluate the privacy and utility implications of future API updates.
  arXiv  Detail & Related papers  (2024-06-21T17:01:23Z)
• A Public and Reproducible Assessment of the Topics API on Real Data [1.1510009152620668]
  The Topics API for the web is Google's privacy-enhancing alternative to replace third-party cookies. Results of prior work have led to an ongoing discussion about the capability of Topics to trade off both utility and privacy. This paper shows on real data that Topics does not provide the same privacy guarantees to all users and that the information leakage worsens over time.
  arXiv  Detail & Related papers  (2024-03-28T17:03:44Z)
• User Strategization and Trustworthy Algorithms [81.82279667028423]
  We show that user strategization can actually help platforms in the short term. We then show that it corrupts platforms' data and ultimately hurts their ability to make counterfactual decisions.
  arXiv  Detail & Related papers  (2023-12-29T16:09:42Z)
• A Quantitative Information Flow Analysis of the Topics API [0.34952465649465553]
  We analyze the re-identification risk for individual Internet users introduced by the Topics API from the perspective of information- and decision-theoretic framework. Our model allows a theoretical analysis of both privacy and utility aspects of the API and their trade-off, and we show that the Topics API does have better privacy than third-party cookies.
  arXiv  Detail & Related papers  (2023-09-26T08:14:37Z)
• PRAT: PRofiling Adversarial aTtacks [52.693011665938734]
  We introduce a novel problem of PRofiling Adversarial aTtacks (PRAT) Given an adversarial example, the objective of PRAT is to identify the attack used to generate it. We use AID to devise a novel framework for the PRAT objective.
  arXiv  Detail & Related papers  (2023-09-20T07:42:51Z)
• Measuring Re-identification Risk [72.6715574626418]
  We present a new theoretical framework to measure re-identification risk in compact user representations. Our framework formally bounds the probability that an attacker may be able to obtain the identity of a user from their representation. We show how our framework is general enough to model important real-world applications such as the Chrome's Topics API for interest-based advertising.
  arXiv  Detail & Related papers  (2023-04-12T16:27:36Z)
• Masked LARk: Masked Learning, Aggregation and Reporting worKflow [6.484847460164177]
  Many web advertising data flows involve passive cross-site tracking of users. Most browsers are moving towards removal of 3PC in subsequent browser iterations. We propose a new proposal, called Masked LARk, for aggregation of user engagement measurement and model training.
  arXiv  Detail & Related papers  (2021-10-27T21:59:37Z)
• Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
  arXiv  Detail & Related papers  (2020-06-10T16:05:05Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.