Papers
Topics
Authors
Recent
Search
2000 character limit reached

Exposed: Shedding Blacklight on Online Privacy

Published 30 Dec 2025 in stat.AP and cs.CR | (2512.24041v1)

Abstract: To what extent are users surveilled on the web, by what technologies, and by whom? We answer these questions by combining passively observed, anonymized browsing data of a large, representative sample of Americans with domain-level data on tracking from Blacklight. We find that nearly all users ($ > 99\%$) encounter at least one ad tracker or third-party cookie over the observation window. More invasive techniques like session recording, keylogging, and canvas fingerprinting are less widespread, but over half of the users visited a site employing at least one of these within the first 48 hours of the start of tracking. Linking trackers to their parent organizations reveals that a single organization, usually Google, can track over $50\%$ of web activity of more than half the users. Demographic differences in exposure are modest and often attenuate when we account for browsing volume. However, disparities by age and race remain, suggesting that what users browse, not just how much, shapes their surveillance risk.

Authors (2)

Summary

  • The paper precisely measures user exposure to diverse tracking methods, revealing near-universal, rapid encounters across U.S. adults.
  • It integrates passively logged browsing data with Blacklight audits to calculate both cumulative and normalized tracking exposure rates.
  • Findings show a dominant organization (e.g., Google) accounts for over 50% of tracked events, underscoring critical privacy risks.

Shedding Light on Online Tracking: A User-Centric Assessment of Web Surveillance

Introduction

"Exposed: Shedding Blacklight on Online Privacy" (2512.24041) conducts a rigorous empirical analysis of individual exposure to online tracking, advancing beyond traditional site-centric audits. By integrating passively logged browsing data from a nationally representative sample of U.S. adults with domain-level tracking inspections using Blacklight, the study precisely quantifies the scope, rapidity, and organization-level consolidation of web surveillance. The examination utilizes high-resolution measures—cumulative exposure and exposure rate—while systematically probing demographic disparities and organizational dominance in tracking reach.

Methodology and Data Architecture

The research design merges two pivotal data streams. The first comprises one month of domain-level, passively recorded browsing traces from 1,134 U.S. adults collected via the YouGov panel using RealityMine meters. This panel is demographically representative, with granular metadata on gender, race, education, and age groups. The second stream is derived from Blacklight's comprehensive audits of each visited domain, identifying seven prominent tracking mechanisms: ad trackers, third-party cookies, Facebook Pixel, Google Analytics, session recording, keylogging, and canvas fingerprinting.

By joining these sources, the authors compute both absolute and normalized (per-visit) measures of tracking exposure for each participant. This enables precise attribution of exposure to user-specific browsing behaviors, as opposed to aggregated site inventories, and further supports stratified analyses by demographic categories.

Prevalence, Rapidity, and Breadth of Tracking

The results unambiguously demonstrate that online tracking is nearly ubiquitous. Over 99% of users confronted at least ten ad trackers or third-party cookies during the month-long observation period, with means exceeding 27,000 ad tracker encounters and 32,000 cookie exposures per user (right-skewed an order of magnitude above medians). Normalization by activity reveals that users, on average, experience between 5 (ad trackers) and 6.1 (third-party cookies) tracking events per site visit, indicating that exposure scales broadly with browsing volume.

More intrusive tracking vectors such as session recording, keylogging, and canvas fingerprinting are less prevalent per domain (<10% rate per visit), yet a substantial majority of users experience each at least once in a month. Notably, 91.7% of users encountered canvas fingerprinting during the observation window, and more than 65% experienced all three invasive practices ten or more times.

Temporal analyses show tracking exposure is rapid—over half the panel encountered an ad tracker or cookie in the first 12 hours, with >80% exposed within 48 hours. Even advanced, less prevalent methods reach nearly half the sample in the same interval. Figure 1

Figure 1: Exposure rate by birth year, showing standardized exposure rates for seven tracking methods across age cohorts.

Demographic Disparities in Exposure

Controlling for browsing volume and other covariates, the study finds limited overall demographic stratification in tracking exposure. Gender differences are largely negligible except for a higher rate of canvas fingerprinting in women. Racial disparities are minor, primarily showing Asian participants have significantly lower exposure to session recording and keylogging, and Hispanic users encounter Facebook Pixel and Google Analytics less frequently.

Contrasts by education and age are more pronounced. College-educated users encounter substantially more trackers in aggregate, but these gaps substantially decrease after normalizing by activity, suggesting this is an effect of online intensity rather than the nature of visited domains. In contrast, older users—especially those 65+—retain higher per-visit exposure rates for ad trackers, cookies, session recording, and fingerprinting, independent of browsing quantity. This signals a qualitative difference in the types of sites frequented by older populations. Figure 2

Figure 2: Estimated coefficients in cumulative exposure by demographic group, illustrating the effect size of demographic features on aggregate tracking exposure.

Figure 3

Figure 3: Estimated coefficients in exposure rate by demographic group, representing normalized per-visit disparities by demographic attributes.

Organizational Concentration and Surveillance Power

Mapping detected third-party tracking domains to their corporate parents using DuckDuckGo Tracker Radar data, the analysis reveals formidable consolidation in data visibility. Median users are tracked by over 240 distinct organizations, but the effective surveillance load is highly concentrated: a single organization—predominantly Google—accounts for over 50% of tracked browsing events for more than half the cohort. At the distribution’s upper quartile, an organization can observe over 66% of a user's activity. This dominance remains unchanged when adjusting for time-on-site, underscoring structural platform centrality in the tracking ecosystem. Figure 4

Figure 4

Figure 4: Number of organizations tracking user web histories across the population sample.

Figure 5

Figure 5: The largest share of each user’s browsing time online tracked by a single organization, quantifying corporate surveillance reach on an individual basis.

Analytical Strengths, Limitations, and Implications

The longitudinal and user-centric construction of the dataset allows the study to resolve limitations endemic to prior, site-centric audits—yielding more accurate and representative population-level inferences. The findings establish that while nearly all individuals are exposed to tracking, the underlying determinants of variance are primarily individualized online behavior rather than group-level attributes.

Practically, the magnitude and immediacy of exposure—especially to invasive methods—highlight the inadequacy of opt-in-style privacy controls and the urgent need for systematic policy and technical interventions. That most of users’ browsing histories are accessible to a single dominant actor signals persistent risk for re-identification and cross-context data fusion at unprecedented scale, with substantial implications for personal privacy, behavioral profiling, and market power dynamics.

On a theoretical level, the attenuation of demographic disparities after normalizing by volume—except age—suggests that behavioral, rather than structural, factors are the main drivers of exposure, with ramifications for the focus of privacy policy and education campaigns. The identification of rapid, high-frequency exposure means that risk accumulates almost instantaneously, undermining the efficacy of real-time user interventions (e.g., cookie consent prompts) as privacy mitigation tools.

Outlook and Future Research Trajectories

This research advances empirical methodology in privacy quantification and sets a foundational benchmark for future longitudinal, user-centric tracking audits in other populations and geographies. Future work should further dissect organizational visibility within mobile app ecosystems, explore more obfuscated tracking (e.g., CNAME cloaking, server-side correlates), and explicitly measure downstream effects of exposure (such as discriminatory or exploitative targeting).

From the standpoint of system design, the evidence solidifies the argument for privacy-preserving intermediaries, fine-grained regulatory oversight, and a move away from platform-dependent consent models toward architectural protections at the protocol or browser level. Quantitative mapping of corporate surveillance concentrations might also inform antitrust scrutiny and consumer rights frameworks going forward.

Conclusion

"Exposed: Shedding Blacklight on Online Privacy" delivers a comprehensive and technically robust account of user-level online tracking in the U.S., revealing near-universal and immediate exposure, high organizational concentration, and only modest demographic disparities after controlling for browsing behavior. These findings underscore both the scale of ongoing privacy risk and the necessity for more systemic, less user-dependent interventions to ensure online privacy resilience.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We found no open problems mentioned in this paper.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 4 likes about this paper.

HackerNews