Solving deceptive cookie banners with machine learning

Cookie banners are fooling users into consent, and websites do not respect the choices users make. ETH researchers show how prevalent this deceptive website behavior is and have developed a solution: the browser extension CookieBlock, which uses machine learning to protect users’ privacy.

Cookies make web browsing stateful. They enable website customization and authenticated sections. However, they are also used to track users’ behavior for targeted advertising. Privacy regulations such as the GDPR and the ePrivacy Directive therefore came into force to limit the latter usage. Websites are no longer allowed to set tracking cookies without users’ consent, so they use cookie banners to inform users and let them choose what private data the website can use.

However, the practice of cookie banners is far from what the regulations intended. Prior research showed that these consent banners are largely non-compliant: they nudge users to accept all cookies, or they are incomplete and not in accordance with the regulations.

Dino Bollinger, Karel Kubicek, Carlos Cotrini, and David Basin also investigated the effectiveness of consent banners. They focused on banners that offer specific choices of which cookie categories the user may accept. They found at least one potential legal violation on almost 95% of websites. These violations are not only about deceptive content. More than 20% of websites use cookies that the user specifically rejected, and 70% of websites activate cookies prior to any user interaction with the banner in the first place. This suggests that the majority of websites do not enable users to protect their privacy according to regulations. Users are again as vulnerable as before GDPR, but this time they are also annoyed and deceived by the banners.
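The two behavioral violations named above can be checked mechanically once cookies carry a category. The following is an added example, not code from the researchers or from CookieBlock: the record layout, the sample cookie names and timestamps, and the treatment of "necessary" as exempt from consent are assumptions made for illustration.

```javascript
// Added example: audit a constructed cookie log for the two violations
// described above. Category names follow the article; everything else
// (field names, sample data) is hypothetical.
const EXEMPT = new Set(["necessary"]); // assumption: needs no consent

// cookies: [{ name, category, setAt }]   setAt in ms since page load
// consent: { interactedAt, accepted }    interactedAt is null if the
//                                        user never touched the banner
function auditSite(cookies, consent) {
  const accepted = new Set(consent.accepted);
  const violations = [];
  for (const c of cookies) {
    if (EXEMPT.has(c.category)) continue;
    const beforeChoice =
      consent.interactedAt === null || c.setAt < consent.interactedAt;
    if (beforeChoice) {
      // Cookie was active before the user interacted with the banner.
      violations.push({ cookie: c.name, type: "set-before-interaction" });
    } else if (!accepted.has(c.category)) {
      // Cookie belongs to a category the user explicitly rejected.
      violations.push({ cookie: c.name, type: "set-despite-rejection" });
    }
  }
  return violations;
}

// Constructed sample: the user answers the banner at t=2000 ms and
// accepts only "necessary" and "functional".
const sampleCookies = [
  { name: "session_id", category: "necessary", setAt: 100 },
  { name: "_track_a", category: "analytics", setAt: 150 },
  { name: "lang", category: "functional", setAt: 2500 },
  { name: "ad_id", category: "advertising", setAt: 3000 },
  { name: "_track_b", category: "analytics", setAt: 3100 },
];
const sampleConsent = {
  interactedAt: 2000,
  accepted: ["necessary", "functional"],
};

for (const v of auditSite(sampleCookies, sampleConsent)) {
  console.log(`${v.cookie}: ${v.type}`);
}
```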

Given the vast prevalence of these violations, it is difficult for data protection authorities to enforce the law.

“We cannot expect the websites to mitigate all the violations, we have to give the power to users to protect themselves. That is why we developed the browser extension CookieBlock.”

CookieBlock uses machine learning to categorize cookies into privacy categories, namely useful cookies as “necessary” or “functional” and tracking cookies as “analytics” or “advertising”. When users install CookieBlock, they are asked which categories they allow and which should be rejected. This is meant to be the last consent that users ever need to grant to cookies. CookieBlock then monitors all cookies, automatically classifies them, and removes those in rejected categories.

Since CookieBlock works in the browser, it truly removes privacy-threatening cookies even if the website uses them in disregard of the law. It also works independently of the user’s location, so users outside of the EU can enforce the same privacy protection that GDPR mandates for EU citizens.

CookieBlock is available for the Chrome, Firefox, Edge, and Opera browsers (Safari cannot be supported for technical reasons). Installation and setup are easy: just three clicks enable the protection. Since machine learning is prone to errors, the extension popup allows adding exceptions for websites, much as ad blockers do. The authors improve CookieBlock continuously and try to prevent issues on websites. Lastly, CookieBlock is not meant for removing the cookie banners themselves; it just supersedes them. Yet for the user’s convenience, the authors recommend installing the extension “I don’t care about cookies” or uBlock Origin with Annoyances filters (e.g., EasyList Cookie). The latter provides further privacy protection for safe browsing.

 

Bollinger D, Kubicek K, Cotrini C, Basin D: Automating Cookie Consent and GDPR Violation Detection, 31st USENIX Security Symposium, August 2022, (Preprint). https://www.usenix.org/conference/usenixsecurity22/presentation/bollinger