{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,2]],"date-time":"2026-07-02T15:54:09Z","timestamp":1783007649304,"version":"3.54.5"},"reference-count":73,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"4","license":[{"start":{"date-parts":[[2020,8,17]],"date-time":"2020-08-17T00:00:00Z","timestamp":1597622400000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/3.0"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,10,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>We investigate data exfiltration by third-party scripts directly embedded on web pages. Specifically, we study three attacks: misuse of browsers\u2019 internal login managers, social data exfiltration, and whole-DOM exfiltration. Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites. We extend OpenWPM\u2019s instrumentation to detect and precisely attribute these attacks to specific third-party scripts. Our analysis reveals invasive practices such as inserting invisible login forms to trigger autofilling of the saved user credentials, and reading and exfiltrating social network data when the user logs in via Facebook login. Further, we uncovered password, credit card, and health data leaks to third parties due to wholesale collection of the DOM. We discuss the lessons learned from the responses to the initial disclosure of our findings and fixes that were deployed by the websites, browser vendors, third-party libraries and privacy protection tools.<\/jats:p>","DOI":"10.2478\/popets-2020-0070","type":"journal-article","created":{"date-parts":[[2020,8,28]],"date-time":"2020-08-28T14:43:42Z","timestamp":1598625822000},"page":"220-238","source":"Crossref","is-referenced-by-count":26,"title":["No boundaries: data exfiltration by third parties embedded on web pages"],"prefix":"10.56553","volume":"2020","author":[{"given":"Gunes","family":"Acar","sequence":"first","affiliation":[{"name":"imec-COSIC KU Leuven"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Steven","family":"Englehardt","sequence":"additional","affiliation":[{"name":"Mozilla"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Arvind","family":"Narayanan","sequence":"additional","affiliation":[{"name":"Princeton University"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"35752","published-online":{"date-parts":[[2020,8,17]]},"reference":[{"key":"2022042800574894468_j_popets-2020-0070_ref_001_w2aab3b7c24b1b6b1ab1ab1Aa","unstructured":"[1] \u201cFacebook login,\u201d 2018. [Online]. Available: https:\/\/developers.facebook.com\/docs\/facebook-login\/"},{"key":"2022042800574894468_j_popets-2020-0070_ref_002_w2aab3b7c24b1b6b1ab1ab2Aa","doi-asserted-by":"crossref","unstructured":"[2] S. Englehardt and A. Narayanan, \u201cOnline tracking: A 1- million-site measurement and analysis,\u201d in ACM Conference on Computer and Communications Security, 2016.10.1145\/2976749.2978313","DOI":"10.1145\/2976749.2978313"},{"key":"2022042800574894468_j_popets-2020-0070_ref_003_w2aab3b7c24b1b6b1ab1ab3Aa","unstructured":"[3] A. Fou. (2016) Javascript trackers open security holes | exchangewire.com. [Online]. Available: https:\/\/www.exchangewire.com\/blog\/2016\/05\/19\/%E2%80%8Bon-sitejavascript-trackers-open-gaping-security-holes\/"},{"key":"2022042800574894468_j_popets-2020-0070_ref_004_w2aab3b7c24b1b6b1ab1ab4Aa","unstructured":"[4] J. Weiler. (2016) 3rd party javascript management cheat sheet - owasp. [Online]. Available: https:\/\/www.owasp.org\/index.php\/3rd_Party_Javascript_Management_Cheat_Sheet#Major_risks"},{"key":"2022042800574894468_j_popets-2020-0070_ref_005_w2aab3b7c24b1b6b1ab1ab5Aa","unstructured":"[5] Mozilla, \u201cDocument.referrer - Web APIs,\u201d https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Document\/referrer, accessed: 2019-12-02."},{"key":"2022042800574894468_j_popets-2020-0070_ref_006_w2aab3b7c24b1b6b1ab1ab6Aa","unstructured":"[6] J. Eisinger and E. Stark, \u201cReferrer Policy \u2013 W3C Candidate Recommendation,\u201d https:\/\/www.w3.org\/TR\/referrerpolicy\/, 2017, accessed: 2018-02-01."},{"key":"2022042800574894468_j_popets-2020-0070_ref_007_w2aab3b7c24b1b6b1ab1ab7Aa","doi-asserted-by":"crossref","unstructured":"[7] B. Krishnamurthy and C. E. Wills, \u201cOn the leakage of personally identifiable information via online social networks,\u201d in 2nd ACM workshop on Online social networks. ACM, 2009.10.1145\/1592665.1592668","DOI":"10.1145\/1592665.1592668"},{"key":"2022042800574894468_j_popets-2020-0070_ref_008_w2aab3b7c24b1b6b1ab1ab8Aa","unstructured":"[8] \u2014\u2014, \u201cPrivacy leakage in mobile online social networks,\u201d in 3rd conference on Online social networks. USENIX Association, 2010."},{"key":"2022042800574894468_j_popets-2020-0070_ref_009_w2aab3b7c24b1b6b1ab1ab9Aa","unstructured":"[9] B. Krishnamurthy, K. Naryshkin, and C. Wills, \u201cPrivacy leakage vs. protection measures: the growing disconnect,\u201d in Proceedings of W2SP, vol. 2, 2011."},{"key":"2022042800574894468_j_popets-2020-0070_ref_010_w2aab3b7c24b1b6b1ab1ac10Aa","unstructured":"[10] J. Mayer, \u201cTracking the trackers: Where everybody knows your username,\u201d https:\/\/cyberlaw.stanford.edu\/blog\/2011\/10\/tracking-trackers-where-everybody-knows-your-username, 2011."},{"key":"2022042800574894468_j_popets-2020-0070_ref_011_w2aab3b7c24b1b6b1ab1ac11Aa","unstructured":"[11] J. Ren, A. Rao, M. Lindorfer, A. Legout, and D. Choffnes, \u201cRecon: Revealing and controlling pii leaks in mobile network traffic,\u201d in Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 2016, pp. 361\u2013374."},{"key":"2022042800574894468_j_popets-2020-0070_ref_012_w2aab3b7c24b1b6b1ab1ac12Aa","doi-asserted-by":"crossref","unstructured":"[12] A. Razaghpanah, R. Nithyanand, N. Vallina-Rodriguez, S. Sundaresan, M. Allman, C. Kreibich, and P. Gill, \u201cApps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem,\u201d in Network and Distributed System Security Symposium (NDSS). IEEE, 2018.10.14722\/ndss.2018.23353","DOI":"10.14722\/ndss.2018.23353"},{"key":"2022042800574894468_j_popets-2020-0070_ref_013_w2aab3b7c24b1b6b1ab1ac13Aa","doi-asserted-by":"crossref","unstructured":"[13] I. Reyes, P. Wijesekera, J. Reardon, A. E. B. On, A. Razaghpanah, N. Vallina-Rodriguez, and S. Egelman, \u201c\u201cWon\u2019t somebody think of the children?\u201d examining COPPA compliance at scale,\u201d Proceedings on Privacy Enhancing Technologies, vol. 2018, no. 3, pp. 63\u201383, 2018.","DOI":"10.1515\/popets-2018-0021"},{"key":"2022042800574894468_j_popets-2020-0070_ref_014_w2aab3b7c24b1b6b1ab1ac14Aa","doi-asserted-by":"crossref","unstructured":"[14] S. Jain, M. Javed, and V. Paxson, \u201cTowards mining latent client identifiers from network traffic,\u201d Proceedings on Privacy Enhancing Technologies, vol. 2016, no. 2, pp. 100\u2013114, 2016.","DOI":"10.1515\/popets-2016-0007"},{"key":"2022042800574894468_j_popets-2020-0070_ref_015_w2aab3b7c24b1b6b1ab1ac15Aa","doi-asserted-by":"crossref","unstructured":"[15] O. Starov, P. Gill, and N. Nikiforakis, \u201cAre you sure you want to contact us? quantifying the leakage of pii via website contact forms,\u201d Proceedings on Privacy Enhancing Technologies, vol. 2016, no. 1, pp. 20\u201333, 2016.","DOI":"10.1515\/popets-2015-0028"},{"key":"2022042800574894468_j_popets-2020-0070_ref_016_w2aab3b7c24b1b6b1ab1ac16Aa","doi-asserted-by":"crossref","unstructured":"[16] O. Starov and N. Nikiforakis, \u201cExtended tracking powers: Measuring the privacy diffusion enabled by browser extensions,\u201d in Proceedings of the 26th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee, 2017, pp. 1481\u20131490.10.1145\/3038912.3052596","DOI":"10.1145\/3038912.3052596"},{"key":"2022042800574894468_j_popets-2020-0070_ref_017_w2aab3b7c24b1b6b1ab1ac17Aa","doi-asserted-by":"crossref","unstructured":"[17] J. Brookman, P. Rouge, A. Alva, and C. Yeung, \u201cCrossdevice tracking: Measurement and disclosures,\u201d Proceedings on Privacy Enhancing Technologies, vol. 2017, no. 2, pp. 133\u2013148, 2017.","DOI":"10.1515\/popets-2017-0020"},{"key":"2022042800574894468_j_popets-2020-0070_ref_018_w2aab3b7c24b1b6b1ab1ac18Aa","unstructured":"[18] S. Zimmeck, J. S. Li, H. Kim, S. M. Bellovin, and T. Jebara, \u201cA privacy analysis of cross-device tracking,\u201d in Proceedings of the 26th USENIX Security Symposium, 2017."},{"key":"2022042800574894468_j_popets-2020-0070_ref_019_w2aab3b7c24b1b6b1ab1ac19Aa","doi-asserted-by":"crossref","unstructured":"[19] D. Hedin, A. Birgisson, L. Bello, and A. Sabelfeld, \u201cJsflow: Tracking information flow in javascript and its apis,\u201d in Proceedings of the 29th Annual ACM Symposium on Applied Computing, 2014, pp. 1663\u20131671.10.1145\/2554850.2554909","DOI":"10.1145\/2554850.2554909"},{"key":"2022042800574894468_j_popets-2020-0070_ref_020_w2aab3b7c24b1b6b1ab1ac20Aa","doi-asserted-by":"crossref","unstructured":"[20] W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens, \u201cFlowfox: a web browser with flexible and precise information flow control,\u201d in Proceedings of the 2012 ACM conference on Computer and communications security, 2012, pp. 748\u2013759.10.1145\/2382196.2382275","DOI":"10.1145\/2382196.2382275"},{"key":"2022042800574894468_j_popets-2020-0070_ref_021_w2aab3b7c24b1b6b1ab1ac21Aa","unstructured":"[21] J. Ren, M. Lindorfer, D. J. Dubois, A. Rao, D. Choffnes, and N. Vallina-Rodriguez, \u201cBug fixes, improvements,... and privacy leaks,\u201d 2018."},{"key":"2022042800574894468_j_popets-2020-0070_ref_022_w2aab3b7c24b1b6b1ab1ac22Aa","unstructured":"[22] \u201cnsILoginManager - Mozilla | MDN,\u201d May 2020, [Online; accessed 17. May 2020]. [Online]. Available: https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Tech\/XPCOM\/Reference\/Interface\/nsILoginManager"},{"key":"2022042800574894468_j_popets-2020-0070_ref_023_w2aab3b7c24b1b6b1ab1ac23Aa","unstructured":"[23] N. Vallina-Rodriguez, C. Kreibich, M. Allman, and V. Paxson, \u201cLumen: Fine-grained visibility and control of mobile traffic in user-space,\u201d 2017."},{"key":"2022042800574894468_j_popets-2020-0070_ref_024_w2aab3b7c24b1b6b1ab1ac24Aa","unstructured":"[24] Electronic Frontier Foundation, \u201cEFForg\/privacybadger,\u201d May 2020, [Online; accessed 16. May 2020]. [Online]. Available: https:\/\/github.com\/EFForg\/privacybadger"},{"key":"2022042800574894468_j_popets-2020-0070_ref_025_w2aab3b7c24b1b6b1ab1ac25Aa","unstructured":"[25] G. Acar, \u201cInstrument the stackstrace for the HTTP requests. \u00b7 mozilla\/OpenWPM@d659792,\u201d October 2016, [Online; accessed 17. May 2020]. [Online]. Available: https:\/\/github.com\/mozilla\/OpenWPM\/commit\/d659792766b940755634877cdc1e6a8267fa9eb7"},{"key":"2022042800574894468_j_popets-2020-0070_ref_026_w2aab3b7c24b1b6b1ab1ac26Aa","unstructured":"[26] Mozilla, \u201cComponents.stack - Mozilla | MDN,\u201d 2017. [Online]. Available: https:\/\/developer.mozilla.org\/en-US\/docs\/Mozilla\/Tech\/XPCOM\/Language_Bindings\/Components.stack"},{"key":"2022042800574894468_j_popets-2020-0070_ref_027_w2aab3b7c24b1b6b1ab1ac27Aa","doi-asserted-by":"crossref","unstructured":"[27] S. Englehardt, J. Han, and A. Narayanan, \u201cI never signed up for this! privacy implications of email tracking,\u201d Proceedings on Privacy Enhancing Technologies, vol. 2018, no. 1, pp. 109\u2013126, 2018.","DOI":"10.1515\/popets-2018-0006"},{"key":"2022042800574894468_j_popets-2020-0070_ref_028_w2aab3b7c24b1b6b1ab1ac28Aa","unstructured":"[28] Bugzilla, \u201cStealing Firefox saved passwords,\u201d https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1107422."},{"key":"2022042800574894468_j_popets-2020-0070_ref_029_w2aab3b7c24b1b6b1ab1ac29Aa","unstructured":"[29] \u2014\u2014, \u201cpassword manager + XSS = disaster,\u201d https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=408531."},{"key":"2022042800574894468_j_popets-2020-0070_ref_030_w2aab3b7c24b1b6b1ab1ac30Aa","unstructured":"[30] \u201cPrinceton Web Census Data Release,\u201d 2018, [Online; accessed 9. Dec. 2019]. [Online]. Available: https:\/\/webtransparency.cs.princeton.edu\/webcensus\/data-release\/"},{"key":"2022042800574894468_j_popets-2020-0070_ref_031_w2aab3b7c24b1b6b1ab1ac31Aa","unstructured":"[31] \u201cRevealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach,\u201d https:\/\/www.theguardian.com\/news\/2018\/mar\/17\/cambridgeanalytica- facebook-influence-us-election, 2018, accessed: 2018."},{"key":"2022042800574894468_j_popets-2020-0070_ref_032_w2aab3b7c24b1b6b1ab1ac32Aa","unstructured":"[32] I. Facebook, \u201cZuckerberg Responses to Judiciary Committee Questions for the Record,\u201d https:\/\/www.judiciary.senate.gov\/imo\/media\/doc\/Zuckerberg%20Responses%20to%20Judiciary%20Committee%20QFRs.pdf, 2018, online; accessed 2019-02-29."},{"key":"2022042800574894468_j_popets-2020-0070_ref_033_w2aab3b7c24b1b6b1ab1ac33Aa","unstructured":"[33] \u201cDe-anonymizing Facebook\u2019s app-scoped ids,\u201d Oct 2015, [Online; accessed 11. Apr. 2020]. [Online]. Available: https:\/\/snarfed.org\/2015-10-25_de-anonymizing-facebooksapp-scoped-ids"},{"key":"2022042800574894468_j_popets-2020-0070_ref_034_w2aab3b7c24b1b6b1ab1ac34Aa","unstructured":"[34] \u201cGraph API Reference v6.0: User Picture - Documentation - Facebook for Developers,\u201d Apr 2020, [Online; accessed 11. Apr. 2020]. [Online]. Available: https:\/\/developers.facebook.com\/docs\/graph-api\/reference\/user\/picture"},{"key":"2022042800574894468_j_popets-2020-0070_ref_035_w2aab3b7c24b1b6b1ab1ac35Aa","unstructured":"[35] W. Palant, \u201cpalant\/jsdeobfuscator:,\u201d Dec 2017, [Online; accessed 16. May 2020]. [Online]. Available: https:\/\/github.com\/palant\/jsdeobfuscator"},{"key":"2022042800574894468_j_popets-2020-0070_ref_036_w2aab3b7c24b1b6b1ab1ac36Aa","unstructured":"[36] \u201cSocial SDK Usage Distribution in the Top 1 Million Sites,\u201d May 2020, [Online; accessed 21. May 2020]. [Online]. Available: https:\/\/web.archive.org\/web\/20200507012108\/https:\/\/trends.builtwith.com\/javascript"},{"key":"2022042800574894468_j_popets-2020-0070_ref_037_w2aab3b7c24b1b6b1ab1ac37Aa","unstructured":"[37] \u201cbeautifulsoup4,\u201d May 2020, [Online; accessed 17. May 2020]. [Online]. Available: https:\/\/pypi.org\/project\/beautifulsoup4"},{"key":"2022042800574894468_j_popets-2020-0070_ref_038_w2aab3b7c24b1b6b1ab1ac38Aa","unstructured":"[38] \u201czlib \u2014 Compression compatible with gzip \u2014 Python 3.8.3 documentation,\u201d May 2020, [Online; accessed 17. May 2020]. [Online]. Available: https:\/\/docs.python.org\/3\/library\/zlib.html"},{"key":"2022042800574894468_j_popets-2020-0070_ref_039_w2aab3b7c24b1b6b1ab1ac39Aa","unstructured":"[39] FullStory, \u201cTerms & Conditions,\u201d https:\/\/web.archive.org\/web\/20171115044316\/https:\/\/www.fullstory.com\/legal\/terms-and-conditions\/, 2017, accessed: 2018-05-09."},{"key":"2022042800574894468_j_popets-2020-0070_ref_040_w2aab3b7c24b1b6b1ab1ac40Aa","unstructured":"[40] SessionCam, \u201cWhat information do we collect for our clients?\u201d https:\/\/web.archive.org\/web\/20171115050443\/https:\/\/sessioncam.com\/privacy-policy-cookies\/, 2017, accessed: 2018-05-09."},{"key":"2022042800574894468_j_popets-2020-0070_ref_041_w2aab3b7c24b1b6b1ab1ac41Aa","unstructured":"[41] \u201cShow Password,\u201d May 2020, [Online; accessed 19. May 2020]. [Online]. Available: https:\/\/chrome.google.com\/webstore\/detail\/show-password\/gaichhcdflnpllpkmocfcbkbacefiank"},{"key":"2022042800574894468_j_popets-2020-0070_ref_042_w2aab3b7c24b1b6b1ab1ac42Aa","unstructured":"[42] \u201cUnmask Password,\u201d May 2020, [Online; accessed 19. May 2020]. [Online]. Available: https:\/\/chrome.google.com\/webstore\/detail\/unmaskpassword\/pmmeddaccflimcipblojlnfandenhicb?hl=en-US"},{"key":"2022042800574894468_j_popets-2020-0070_ref_043_w2aab3b7c24b1b6b1ab1ac43Aa","unstructured":"[43] Chromium, \u201cUsers can be tracked via password manager,\u201d https:\/\/bugs.chromium.org\/p\/chromium\/issues\/detail?id=798492."},{"key":"2022042800574894468_j_popets-2020-0070_ref_044_w2aab3b7c24b1b6b1ab1ac44Aa","unstructured":"[44] Bugzilla, \u201cConsider making signon.autofillForms = false to be the default,\u201d https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1427543."},{"key":"2022042800574894468_j_popets-2020-0070_ref_045_w2aab3b7c24b1b6b1ab1ac45Aa","unstructured":"[45] \u2014\u2014, \u201cConsider imposing restrictions on tracking scripts running in the first-party context,\u201d https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1601452."},{"key":"2022042800574894468_j_popets-2020-0070_ref_046_w2aab3b7c24b1b6b1ab1ac46Aa","unstructured":"[46] Apple, \u201cAbout the security content of Safari 11.1,\u201d http:\/\/support.apple.com\/en-us\/HT208695."},{"key":"2022042800574894468_j_popets-2020-0070_ref_047_w2aab3b7c24b1b6b1ab1ac47Aa","unstructured":"[47] A. Tseng, \u201cDisable password autofill on page load,\u201d http:\/\/github.com\/brave\/browser-laptop\/issues\/12489, 2018, accessed: 2018-05-28."},{"key":"2022042800574894468_j_popets-2020-0070_ref_048_w2aab3b7c24b1b6b1ab1ac48Aa","unstructured":"[48] P. Snyder, B. Eich, and P. Jumde, \u201cprivacycg\/js-membranes: JS Isolation via Origin Labels and Membranes,\u201d https:\/\/github.com\/privacycg\/js-membranes, [Online; accessed 12. Mar. 2020]."},{"key":"2022042800574894468_j_popets-2020-0070_ref_049_w2aab3b7c24b1b6b1ab1ac49Aa","unstructured":"[49] MonztA, \u201c(Comment) No boundaries: Exfiltration of personal data by session-replay scripts,\u201d https:\/\/freedom-to-tinker.com\/2017\/11\/15\/no-boundaries-exfiltration-of-personaldata-by-session-replay-scripts\/#comment-28428, 2017, accessed: 2018-05-28."},{"key":"2022042800574894468_j_popets-2020-0070_ref_050_w2aab3b7c24b1b6b1ab1ac50Aa","unstructured":"[50] lukemulks, \u201cBlock ad tracking scripts used with password managers,\u201d https:\/\/github.com\/disconnectme\/disconnecttracking-protection\/issues\/36, 2018, accessed: 2018-05-28."},{"key":"2022042800574894468_j_popets-2020-0070_ref_051_w2aab3b7c24b1b6b1ab1ac51Aa","unstructured":"[51] carbureted, \u201cAdd screen tracking services, bitcoin miners, miscellaneous third party analytics, and move wishabi.net to content,\u201d https:\/\/github.com\/disconnectme\/disconnect-tracking-protection\/commit\/09c7b279a88c8eda1ae18fe7b405e6cc315d2855, 2017, accessed: 2018-05-28."},{"key":"2022042800574894468_j_popets-2020-0070_ref_052_w2aab3b7c24b1b6b1ab1ac52Aa","unstructured":"[52] R. Brandom, \u201cAd targeters are pulling data from your browser\u2019s password manager,\u201d 2017. [Online]. Available: https:\/\/www.theverge.com\/2017\/12\/30\/16829804\/browserpassword-manager-adthink-princeton-research"},{"key":"2022042800574894468_j_popets-2020-0070_ref_053_w2aab3b7c24b1b6b1ab1ac53Aa","unstructured":"[53] \u201cDiff of the api.behavioralengine.com\/scripts\/be-init.js script archived by the Wayback Machine on 28 December 2017 and 3 January 2018.\u201d Jun 2020, [Online; accessed 4. Jun. 2020]. [Online]. Available: https:\/\/gist.github.com\/gunesacar\/11883c40b4a2def7cee0f5dd757787d6#fileonaudience_behavioral_engine-diff-L95-L134"},{"key":"2022042800574894468_j_popets-2020-0070_ref_054_w2aab3b7c24b1b6b1ab1ac54Aa","unstructured":"[54] S. Englehardt, G. Acar, and A. Narayanan, \u201cNo boundaries for credentials: New password leaks to Mixpanel and Session Replay Companies,\u201d https:\/\/freedom-to-tinker.com\/2018\/02\/26\/no-boundaries-for-credentials-password-leaks-tomixpanel-and-session-replay-companies\/, 2018."},{"key":"2022042800574894468_j_popets-2020-0070_ref_055_w2aab3b7c24b1b6b1ab1ac55Aa","unstructured":"[55] \u201cFacebook Login Changes to Address Abuse,\u201d Apr 2018, [Online; accessed 9. Dec. 2019]. [Online]. Available: https:\/\/developers.facebook.com\/blog\/post\/2018\/04\/19\/facebook-login-changes-address-abuse"},{"key":"2022042800574894468_j_popets-2020-0070_ref_056_w2aab3b7c24b1b6b1ab1ac56Aa","unstructured":"[56] \u201cOver 400 of the World\u2019s Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find,\u201d Nov 2017, [Online; accessed 9. Dec. 2019]. [Online]. Available: https:\/\/www.vice.com\/en_us\/article\/59yexk\/princetonstudy-session-replay-scripts-tracking-you"},{"key":"2022042800574894468_j_popets-2020-0070_ref_057_w2aab3b7c24b1b6b1ab1ac57Aa","unstructured":"[57] N. Tiku, \u201cThe Dark Side of \u2019Replay Sessions\u2019 That Record Your Every Move Online,\u201d Nov 2017. [Online]. Available: https:\/\/www.wired.com\/story\/the-dark-side-ofreplay-sessions-that-record-your-every-move-online"},{"key":"2022042800574894468_j_popets-2020-0070_ref_058_w2aab3b7c24b1b6b1ab1ac58Aa","unstructured":"[58] S. Englehardt, G. Acar, and A. Narayanan, \u201cWebsite operators are in the dark about privacy violations by third-party scripts,\u201d https:\/\/freedom-to-tinker.com\/2018\/01\/12\/websiteoperators-are-in-the-dark-about-privacy-violations-by-thirdparty-scripts\/, 2018."},{"key":"2022042800574894468_j_popets-2020-0070_ref_059_w2aab3b7c24b1b6b1ab1ac59Aa","unstructured":"[59] G. Acar, S. Englehardt, and A. Narayanan, \u201cNo boundaries for user identities: Web trackers exploit browser login managers,\u201d https:\/\/freedom-to-tinker.com\/2017\/12\/27\/noboundaries-for-user-identities-web-trackers-exploit-browserlogin-managers\/, 2017."},{"key":"2022042800574894468_j_popets-2020-0070_ref_060_w2aab3b7c24b1b6b1ab1ac60Aa","unstructured":"[60] S. Englehardt, G. Acar, and A. Narayanan, \u201cNo boundaries for Facebook data: third-party trackers abuse Facebook Login,\u201d https:\/\/freedom-to-tinker.com\/2018\/04\/18\/noboundaries-for-facebook-data-third-party-trackers-abusefacebook-login\/, 2018."},{"key":"2022042800574894468_j_popets-2020-0070_ref_061_w2aab3b7c24b1b6b1ab1ac61Aa","unstructured":"[61] \u2014\u2014, \u201cNo boundaries: Exfiltration of personal data by session-replay scripts,\u201d https:\/\/freedom-to-tinker.com\/2017\/11\/15\/no-boundaries-exfiltration-of-personal-data-bysession-replay-scripts\/, 2017."},{"key":"2022042800574894468_j_popets-2020-0070_ref_062_w2aab3b7c24b1b6b1ab1ac62Aa","unstructured":"[62] Apple Inc., \u201cCVE-2018-4137,\u201d https:\/\/cve.mitre.org\/cgibin\/cvename.cgi?name=CVE-2018-4137, 2018, accessed: 2018-05-28."},{"key":"2022042800574894468_j_popets-2020-0070_ref_063_w2aab3b7c24b1b6b1ab1ac63Aa","unstructured":"[63] FullStory, \u201cDigital Experience Analytics, Session Replay, Heatmaps | FullStory,\u201d Jan 2019, [Online; accessed 28. Feb. 2020]. [Online]. Available: https:\/\/www.fullstory.com\/features\/session-replay"},{"key":"2022042800574894468_j_popets-2020-0070_ref_064_w2aab3b7c24b1b6b1ab1ac64Aa","unstructured":"[64] M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay, \u201cSafe active content in sanitized javascript,\u201d Google, Inc., Tech. Rep, 2008."},{"key":"2022042800574894468_j_popets-2020-0070_ref_065_w2aab3b7c24b1b6b1ab1ac65Aa","doi-asserted-by":"crossref","unstructured":"[65] L. A. Meyerovich and B. Livshits, \u201cConscript: Specifying and enforcing fine-grained security policies for javascript in the browser,\u201d in 2010 IEEE Symposium on Security and Privacy. IEEE, 2010, pp. 481\u2013496.10.1109\/SP.2010.36","DOI":"10.1109\/SP.2010.36"},{"key":"2022042800574894468_j_popets-2020-0070_ref_066_w2aab3b7c24b1b6b1ab1ac66Aa","unstructured":"[66] \u201cGDPR (General Data Protection Regulation), FullStory, and You,\u201d Jan 2020, [Online; accessed 13. Apr. 2020]. [Online]. Available: https:\/\/www.fullstory.com\/resources\/gdpr-andfullstory"},{"key":"2022042800574894468_j_popets-2020-0070_ref_067_w2aab3b7c24b1b6b1ab1ac67Aa","unstructured":"[67] \u201cGeneral Data Protection Regulation (GDPR),\u201d Apr 2020, [Online; accessed 13. Apr. 2020]. [Online]. Available: https:\/\/www.clicktale.com\/company\/data-privacy\/generaldata-protection-regulation-gdpr"},{"key":"2022042800574894468_j_popets-2020-0070_ref_068_w2aab3b7c24b1b6b1ab1ac68Aa","unstructured":"[68] \u201cYANDEX.METRICA DATA PROCESSING AGREEMENT (DPA) - Legal documents. Help,\u201d Apr 2020, [Online; accessed 13. Apr. 2020]. [Online]. Available: https:\/\/yandex.com\/legal\/metrica_agreement"},{"key":"2022042800574894468_j_popets-2020-0070_ref_069_w2aab3b7c24b1b6b1ab1ac69Aa","unstructured":"[69] \u201cAdd-on SDK - Archive of obsolete content | MDN,\u201d Feb 2020, [Online; accessed 26. Feb. 2020]. [Online]. Available: https:\/\/developer.mozilla.org\/en-US\/docs\/Archive\/Addons\/Add-on_SDK"},{"key":"2022042800574894468_j_popets-2020-0070_ref_070_w2aab3b7c24b1b6b1ab1ac70Aa","unstructured":"[70] Mozilla, \u201cRestore instrumentation regarding what code is causing requests \u00b7 Issue #352 \u00b7 mozilla\/OpenWPM,\u201d Feb 2020, [Online; accessed 26. Feb. 2020]. [Online]. Available: https:\/\/github.com\/mozilla\/OpenWPM\/issues\/352"},{"key":"2022042800574894468_j_popets-2020-0070_ref_071_w2aab3b7c24b1b6b1ab1ac71Aa","doi-asserted-by":"crossref","unstructured":"[71] D. Zeber, S. Bird, C. Oliveira, W. Rudametkin, I. Segall, F. Wolls\u00e9n, and M. Lopatka, \u201cThe representativeness of automated web crawls as a surrogate for human browsing,\u201d in The Web Conference, 2020.10.1145\/3366423.3380104","DOI":"10.1145\/3366423.3380104"},{"key":"2022042800574894468_j_popets-2020-0070_ref_072_w2aab3b7c24b1b6b1ab1ac72Aa","doi-asserted-by":"crossref","unstructured":"[72] S. S. Ahmad, M. D. Dar, M. F. Zaffar, N. Vallina-Rodriguez, and R. Nithyanand, \u201cApophanies or epiphanies? how crawlers impact our understanding of the web,\u201d 2020.10.1145\/3366423.3380113","DOI":"10.1145\/3366423.3380113"},{"key":"2022042800574894468_j_popets-2020-0070_ref_073_w2aab3b7c24b1b6b1ab1ac73Aa","unstructured":"[73] \u201cBandsintown Amplified,\u201d 2019, [Online; accessed 10. Dec. 2019]. [Online]. Available: https:\/\/publishers.bandsintown.com"}],"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/content.sciendo.com\/view\/journals\/popets\/2020\/4\/article-p220.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.sciendo.com\/pdf\/10.2478\/popets-2020-0070","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T16:31:11Z","timestamp":1658334671000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2020\/popets-2020-0070.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,8,17]]},"references-count":73,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2020,8,17]]},"published-print":{"date-parts":[[2020,10,1]]}},"alternative-id":["10.2478\/popets-2020-0070"],"URL":"https:\/\/doi.org\/10.2478\/popets-2020-0070","relation":{},"ISSN":["2299-0984"],"issn-type":[{"value":"2299-0984","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,8,17]]}}}