{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T00:30:06Z","timestamp":1766449806061,"version":"3.41.0"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,8,16]],"date-time":"2024-08-16T00:00:00Z","timestamp":1723766400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"MUR National Recovery and Resilience Plan funded by the European Union - NextGenerationEU","award":["PE00000014"],"award-info":[{"award-number":["PE00000014"]}]},{"name":"Bando M42C \u2013Investimento 1.4 \u2013 Avviso Centri Nazionali\u201d","award":["CN00000013"],"award-info":[{"award-number":["CN00000013"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2024,8,31]]},"abstract":"<jats:p>\n            Recently, Google proposed the Topics API framework as a privacy-friendly alternative for behavioural advertising as a possible solution to balance user\u2019s privacy and advertisement effectiveness. Using the Topics API, the browser builds a user profile based on navigation history, which advertisers can access. The Topics API aim at becoming the new standard for behavioural advertising, thus it is necessary to fully understand its operation and find possible limitations. In this article, we evaluate the robustness of the Topics API to a re-identification attack. To build a user profile, we suppose an attacker accumulates over time the topics a user exposes to different websites. The attacker later re-identifies the same user matching the profiles of their audience. We leverage real traffic traces and realistic population models, and we present increasingly powerful attack threats. We find that the Topics API mitigates but cannot prevent re-identification from taking place, as there is a sizeable chance that a user\u2019s profile remains unique within a website\u2019s audience and the attacker successfully matches it with the profile of the same user on a second website. Depending on environmental factors, the probability of correct re-identification can reach 50%, considering a pool of 1,000 users. We offer the code and data we use in this work to stimulate further studies and the tuning of the Topic API parameters.\n            <jats:xref ref-type=\"fn\">\n              <jats:sup>1<\/jats:sup>\n            <\/jats:xref>\n          <\/jats:p>","DOI":"10.1145\/3675400","type":"journal-article","created":{"date-parts":[[2024,6,27]],"date-time":"2024-06-27T11:21:41Z","timestamp":1719487301000},"page":"1-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Re-Identification Attacks against the Topics API"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7533-4051","authenticated-orcid":false,"given":"Nikhil","family":"Jha","sequence":"first","affiliation":[{"name":"Politecnico di Torino, Torino, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4258-4679","authenticated-orcid":false,"given":"Martino","family":"Trevisan","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Trieste, Trieste, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3070-4274","authenticated-orcid":false,"given":"Emilio","family":"Leonardi","sequence":"additional","affiliation":[{"name":"Politecnico di Torino, Torino, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1859-6693","authenticated-orcid":false,"given":"Marco","family":"Mellia","sequence":"additional","affiliation":[{"name":"Politecnico di Torino, Torino, Italy"}]}],"member":"320","published-online":{"date-parts":[[2024,8,16]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660347"},{"key":"e_1_3_3_3_2","doi-asserted-by":"crossref","first-page":"337","DOI":"10.1145\/3548606.3560626","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Berke Alex","year":"2022","unstructured":"Alex Berke and Dan Calacci. 2022. Privacy limitations of interest-based advertising on the web: A post-mortem empirical analysis of google\u2019s FLoC. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security . Association for Computing Machinery, New York, NY, USA, 337\u2013349."},{"key":"e_1_3_3_4_2","article-title":"California Consumer Privacy Act of 2018","author":"Legislature California State","year":"2018","unstructured":"California State Legislature. 2018. California Consumer Privacy Act of 2018. Retrieved from https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=201720180AB375 (Last accessed September 6, 2021).","journal-title":"R"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3589294"},{"key":"e_1_3_3_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/318242.318443"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_3_8_2","unstructured":"Alessandro Epasto Andres Munoz Medina Christina Ilvento and Josh Karlin. 2022. Measures of Cross-Site Re-Identification Risk: An Analysis of the Topics API Proposal. Retrieved from https:\/\/github.com\/patcg-individual-drafts\/topics\/blob\/main\/topics_analysis.pdf (Last accessed February 27 2023)."},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.1145\/3447548.3467180"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2016.12.016"},{"key":"e_1_3_3_11_2","unstructured":"European Parliament and Council of European Union. 2016. Directive 95\/46\/EC. General Data Protection Regulation. Retrieved from http:\/\/data.consilium.europa.eu\/doc\/document\/ST-5419-2016-INIT\/en\/pdf (Last accessed February 27 2023)."},{"key":"e_1_3_3_12_2","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7258"},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.03.012"},{"key":"e_1_3_3_14_2","first-page":"66","volume-title":"Proceedings of the on Privacy Enhancing Technologies 2023(4)","author":"Jha Nikhil","year":"2023","unstructured":"Nikhil Jha, Martino Trevisan, Emilio Leonardi, and Marco Mellia. 2023. On the robustness of topics API to a Re-identification attack. In Proceedings of the on Privacy Enhancing Technologies 2023(4). 66\u201378."},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/MIC.2022.3157356"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.47"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-17172-2_8"},{"key":"e_1_3_3_18_2","volume-title":"Proceedings of the 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2012)","author":"Olejnik Lukasz","year":"2012","unstructured":"Lukasz Olejnik, Claude Castelluccia, and Artur Janc. 2012. Why johnny can\u2019t browse in peace: On the uniqueness of web browsing history patterns. In Proceedings of the 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2012). Spain."},{"key":"e_1_3_3_19_2","first-page":"2130","volume-title":"User Tracking in the Post-Cookie Era: How Websites Bypass GDPR Consent to Track Users","author":"Papadogiannakis Emmanouil","year":"2021","unstructured":"Emmanouil Papadogiannakis, Panagiotis Papadopoulos, Nicolas Kourtellis, and Evangelos P. Markatos. 2021. User Tracking in the Post-Cookie Era: How Websites Bypass GDPR Consent to Track Users. Association for Computing Machinery, New York, NY, USA, 2130\u20132141."},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1145\/2815675.2815705"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561415"},{"key":"e_1_3_3_22_2","article-title":"Evaluation of cohort algorithms for the FLoC API","author":"Ravichandran Deepak","year":"2021","unstructured":"Deepak Ravichandran and S Vasilvitskii. 2021. Evaluation of cohort algorithms for the FLoC API. Retrieved from https:\/\/github.com\/google\/ads-privacy\/raw\/master\/proposals\/FLoC\/FLOC-Whitepaper-Google.pdf (Last accessed February 27, 2023). Google Research & Ads white paper (2021).","journal-title":"Google Research & Ads white paper"},{"key":"e_1_3_3_23_2","article-title":"Technical comments on FLoC privacy","author":"Rescorla Eric","year":"2021","unstructured":"Eric Rescorla and Martin Thomson. 2021. Technical comments on FLoC privacy. Retrieved from https:\/\/mozilla.github.io\/ppa-docs\/floc_report.pdf (Last accessed February 27, 2023). (2021).","journal-title":"R"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.2478\/popets-2021-0004"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1080\/15332861.2011.558454"},{"key":"e_1_3_3_26_2","unstructured":"Martin Thomson. 2023. A privacy analysis of google\u2019s topics proposal. Retrieved from https:\/\/mozilla.github.io\/ppa-docs\/topics.pdf(Last accessed February 27 2023). (2023)."},{"key":"e_1_3_3_27_2","volume-title":"Analysing and Exploiting Google\u2019s FLoC Advertising Proposal","author":"Turati Florian","year":"2022","unstructured":"Florian Turati. 2022. Analysing and Exploiting Google\u2019s FLoC Advertising Proposal. Master\u2019s thesis. ETH Zurich, Department of Computer Science."},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1145\/3098593.3098602"},{"key":"e_1_3_3_29_2","first-page":"223","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14)","author":"Viswanath Bimal","year":"2014","unstructured":"Bimal Viswanath, M. Ahmad Bashir, Mark Crovella, Saikat Guha, Krishna P. Gummadi, Balachander Krishnamurthy, and Alan Mislove. 2014. Towards detecting anomalous user behavior in online social networks. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 14). 223\u2013238."}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3675400","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3675400","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:04:05Z","timestamp":1750291445000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3675400"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,8,16]]},"references-count":28,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,8,31]]}},"alternative-id":["10.1145\/3675400"],"URL":"https:\/\/doi.org\/10.1145\/3675400","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"type":"print","value":"1559-1131"},{"type":"electronic","value":"1559-114X"}],"subject":[],"published":{"date-parts":[[2024,8,16]]},"assertion":[{"value":"2023-12-27","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-06-09","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-08-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}