惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
D
DataBreaches.Net
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog RSS Feed
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
S
Secure Thoughts
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
腾讯CDC
GbyAI
GbyAI
G
Google Developers Blog
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
Jina AI
Jina AI
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
J
Java Code Geeks
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
H
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
S
Security Affairs
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Last Week in AI
Last Week in AI

Help Net Security

FIDO Alliance wants to keep AI agents from going rogue on online payments Police arrest 10 suspected members of Black Axe cybercrime gang ShinyHunters claims it stole 1.4 million records from Udemy Sevii unveils Cyber Swarm Defense Mode to stop AI-driven attacks at scale Alleged Chinese hacker extradited to US over cyberattacks targeting COVID-19 research Cequence Agent Personas bring granular control and governance to enterprise AI agents NowSecure MARI gives enterprises evidence-based visibility into third-party mobile app risk The metrics killing your SOC, and what to use instead US state privacy fines reached $3.425 billion in 2025 Canada’s first SMS blaster case leads to three arrests Linux storage management tool Stratis 3.9.0 adds online encryption and cache-less pool startup TLS Connect gives SMBs a right-sized automated tool to manage TLS certificates Aptori expands its platform with autonomous offensive testing to reduce security bottlenecks Your IAM was built for humans, AI agents don’t care The AI criminal mastermind is already hiring on gig platforms 25 open-source cybersecurity tools that don’t care about your budget Product showcase: LuLu reveals unauthorized outbound connections from Mac apps Week in review: Claude Mythos finds 271 Firefox flaws, Vercel breach Users advised to drop passwords and make room for passkeys - Help Net Security Indirect prompt injection is taking hold in the wild - Help Net Security Compromised everyday devices power Chinese cyber espionage operations - Help Net Security New Cisco firewall malware can only be killed by pulling the plug - Help Net Security Meta is overhauling how you sign in, manage settings, and protect your accounts - Help Net Security Ubuntu 26.04 LTS delivers memory-safe system tools and live patching for Arm servers - Help Net Security OpenAI’s GPT-5.5 is out with expanded cybersecurity safeguards - Help Net Security AI is speeding up nation-state cyber programs - Help Net Security A study of 1,000 Android apps finds a privacy policy logging gap - Help Net Security IT spending to hit $6.31 trillion record, thanks to AI - Help Net Security Where AI in CI/CD is working for engineering teams - Help Net Security With AI's help, North Korean hackers stumbled into a near-undetectable attack - Help Net Security Hacker with a special interest in breaching sports institutions ends behind bars - Help Net Security IP Fabric MCP server adds governance and control to enterprise AIOps workflows - Help Net Security Aqua Compass MCP server enables real-time investigation and containment of runtime threats - Help Net Security Google brings instant email verification to Android, no OTP needed - Help Net Security If cyber espionage via HDMI worries you, NCSC built a device to stop it - Help Net Security Apple fixes iPhone bug that let FBI retrieve deleted Signal messages(CVE-2026-28950) - Help Net Security GopherWhisper APT group hides command and control traffic in Slack and Discord - Help Net Security OpenAI tackles a bad habit people have when interacting with AI - Help Net Security A year in, Zoom's CISO reflects on balancing security and business - Help Net Security Scenario: Open-source framework for automated AI app red-teaming - Help Net Security Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks - Help Net Security Google’s Workspace Intelligence promises privacy while running on your data - Help Net Security Cyberattack on French government agency triggers phishing alert - Help Net Security Claude Mythos finds 271 Firefox flaws, Mozilla believes zero-days are numbered - Help Net Security Prove Identity Platform connects verification, authentication, and fraud prevention - Help Net Security New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security Acronis GenAI Protection gives MSPs control over AI usage and data risks - Help Net Security Elastic MCP Apps bring security and observability workflows into AI tools - Help Net Security Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) - Help Net Security Tencent's QClaw AI agent app arrives on Windows and macOS - Help Net Security Phishing reclaims the top initial access spot, attackers experiment with AI tools - Help Net Security OneDrive updates focus on AI, access control, and compliance - Help Net Security PentAGI: Open-source autonomous AI penetration testing system - Help Net Security Apple Intelligence flaw kept stolen tokens reusable on another device - Help Net Security Shadow AI, deepfakes, and supply chain compromise are rewriting the financial sector threat playbook - Help Net Security Thunderbird 150 arrives with encrypted message search and OpenPGP improvements - Help Net Security VirtualBox 7.2.8 is out with Linux kernel 7.0 support and crash fixes - Help Net Security Ransomware negotiator admits role in attacks he was hired to resolve - Help Net Security Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency Meta and PortSwigger drive offensive security further to find what others miss - Help Net Security EU pushes for stronger cloud sovereignty, awards €180 million to four providers - Help Net Security SmokedMeat: Open-source tool shows what attackers do inside CI/CD pipelines - Help Net Security How to spot a North Korean fake in a job interview - Help Net Security Product showcase: Syncthing for secure, private file synchronization - Help Net Security Week in review: Acrobat Reader flaw exploited, Claude Mythos offensive capabilities and limits Google wipes out 602 million scam ads with Gemini on duty Researcher drops two more Microsoft Defender zero-days, all three now exploited in the wild GitLab 18.11 brings agentic AI to security fixes, CI pipelines, and delivery analytics Liongard upgrades LiongardIQ with AI access, live asset data, and deeper discovery Mozilla challenges enterprise AI providers with Thunderbolt, open-source AI client under your control Codex can now operate between apps. Where are the boundaries? Android 17 Beta 4 arrives with post-quantum cryptography and new memory limits Apple AirTag tracking can be misled by replayed Bluetooth signals Social media bans might steer kids into riskier corners of the internet Workplace stress in 2026 is still worse than before the pandemic New infosec products of the week: April 17, 2026 - Help Net Security ImmuniWeb brings AI upgrades, post-quantum detection and more in Q1 2026 NIST admits defeat on NVD backlog, will enrich only highest-risk CVEs going forward Anthropic releases Claude Opus 4.7 with automated cybersecurity safeguards - Help Net Security Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808) - Help Net Security Google Play is changing how Android apps access your contacts and location Tails 7.6.2 patches vulnerability that could expose saved files Cargo theft malware actor spent a month inside a decoy network before researchers pulled the plug OpenAI updates Agents SDK, adds sandbox for safer code execution Anthropic tests user trust with ID and selfie checks for Claude GitHub lays out copyright liability changes and upcoming DMCA review for developers EU cybersecurity standards are at risk if supplier ban passes Command integrity breaks in the LLM routing layer The fully free Linux OS Trisquel gets a major update with version 12.0 Ecne Week in review: Windows zero-day exploit leaked, Patch Tuesday forecast ClickFix campaign delivers Mac malware via fake Apple page Poisoned “Office 365” search results lead to stolen paychecks Gmail’s end-to-end encryption comes to mobile, no extra apps required To counter cookie theft, Chrome ships device-bound session credentials Product showcase: Session, a messenger without phone numbers or metadata Little Snitch for Linux shows what your apps are connecting to - Help Net Security Apiiro CLI turns AI coding assistants into full-stack security engineers - Help Net Security April 2026 Patch Tuesday forecast: Spring-cleaning of a preview - Help Net Security What vibe hunting gets right about AI threat hunting, and where it breaks down - Help Net Security Health insurance lead sites sell personal data within seconds of form submission - Help Net Security
GDPR works, but only where someone enforces it - Help Net Security
Sinisa Marko · 2026-04-23 · via Help Net Security

A new measurement study of web tracking across ten countries offers a reality check for anyone working on privacy compliance.

Researchers crawled the same set of globally popular websites from virtual machines located in Australia, Brazil, Canada, Germany, India, Singapore, South Africa, South Korea, Spain, and California. The results show that European privacy law does reduce tracking, and that most of the reduction happens in the two jurisdictions where regulators bring cases.

GDPR enforcement

The headline numbers

Visitors from Germany and Spain see less tracking than visitors from elsewhere on the identical set of global sites. On a shared list of 525 globally popular sites, users in EU countries encountered 50.5% fewer tracker connections on average than users in non-EU countries. German users saw the lowest exposure at 4.2 average tracker connections per site. Spanish users saw 5.3. California users saw 11.7, and Australian users saw 11.2.

A smaller experiment on 36 of those global sites produced an even sharper result. In Germany, a user who simply ignored the cookie banner saw 48.5% fewer tracker connections than a user who clicked accept. In California, the same behavior produced only a 21.1% reduction, which aligns with the opt-out design of the California Consumer Privacy Act.

On locally popular sites, the range widens considerably. Only 44.6% of the most popular German country-coded sites made any tracker connection at all. In Australia, 96% did.

Enforcement is the variable

Seven of the ten studied jurisdictions require opt-in consent for tracking cookies. Three permit tracking until the user opts out. On paper, Brazil, India, Singapore, South Korea, and South Africa all have opt-in regimes comparable to the GDPR. In the data, their tracking levels sit much closer to the opt-out jurisdictions than to Germany and Spain.

The authors categorize only Germany and Spain as high-enforcement jurisdictions. German data protection authorities have been active since the 1970s, and the Spanish authority recently fined SEAT for placing non-essential cookies without consent. Across the EU, regulators have issued 833 fines totaling €3.01 billion for insufficient legal basis for data processing.

Medium-enforcement jurisdictions include Australia, Canada, South Korea, and California. These regulators pursue individual high-profile cases. The California Attorney General recently settled with Disney for $2.75 million over failures to honor opt-out signals. The new California Privacy Protection Agency has brought actions against PlayOn Sports and Ford.

Low-enforcement jurisdictions include Brazil, India, Singapore, and South Africa. Brazil’s LGPD closely mirrors the GDPR, and its first enforcement actions have focused on data breaches in the public sector. India’s DPDP Act is too new for meaningful enforcement. Singapore and South Africa have had laws on the books for more than a decade without strong action on consent.

South Korea illustrates the gap. Its Personal Information Protection Act requires opt-in consent comparable to the GDPR. Among the most popular Korean sites, 75.9% connect to at least one tracker, and 1.8% deploy a cookie banner of any kind.

The Brussels shield

The study’s more original contribution is its framing of a “Brussels shield” effect. The widely discussed Brussels effect predicts that EU rules export themselves globally because multinational companies find it cheaper to apply the strictest standard everywhere. The data shows something more limited.

When operators of the globally popular sites decide where to deploy cookie banners, their behavior falls into three groups. About a quarter deploy banners in every country studied. A roughly equal share deploy banners nowhere. The remaining sites deploy banners selectively, and when they do, the selection is almost always Germany and Spain, sometimes paired with Brazil or California. The EU-only pattern is the dominant selective strategy by a wide margin.

The 28% that deploy everywhere do reflect a genuine Brussels effect. For the larger population of sites that geofence their compliance to EU visitors, the law functions as a shield for Europeans without improving matters for users elsewhere.

What the tracking layer looks like

Advertising is the dominant category of tracking on the web, accounting for about two-thirds of recorded connections. Analytics and social trackers make up the rest. The advertising category has a long tail of vendors, and the social category is concentrated in four companies: Facebook, LinkedIn, X, and Reddit. Across every country in the study, the same handful of parent companies sit at the top of the rankings: Google, Facebook, LinkedIn, Microsoft, Adobe, and X.

The consent management layer is consolidating around a small number of platforms, with OneTrust appearing on a large share of sites the crawler visited. For security and compliance teams, this means the behavior of a few vendors largely determines whether a given site’s banner is compliant and whether trackers fire before consent is captured.

One finding deserves attention from anyone auditing their own properties. On the globally popular list, sites without a visible cookie banner carried more trackers on average than sites with one. The quieter user experience was the more tracker-heavy one. A missing banner is a stronger signal of non-compliance than a present one.

Caveats worth keeping in mind

The study measures tracker connections, which is a proxy for potential data sharing. A connection is a necessary condition for third-party data collection. It is not a sufficient one. Some recipients may discard data server-side. The study also cannot capture tracking that happens through server-to-server channels, fingerprinting techniques outside the Disconnect block lists, or other mechanisms that leave no network trace on the client. The tracker categorization depends on the accuracy of the Disconnect Tracker Protection lists.

The “US” jurisdiction in this study is specifically California under the CCPA. Results would differ in states with weaker or no comprehensive privacy law. The country-specific site lists rely on country-code top-level domains, which under-represent sites that operate locally on .com addresses. The interaction sub-study covered 36 sites.

What to take from this

For compliance leaders, the study supports a few working conclusions. A privacy law without active regulators produces tracking behavior close to having no law at all. The gap between Brazil’s LGPD text and Brazilian tracker exposure is the clearest example in the dataset. Opt-in legal regimes do produce lower tracker exposure when enforced, and the combination of the GDPR and the ePrivacy Directive is the only combination in the study that produces a large gap between consenting and ignoring a banner.

For architects, the concentration of the ad and analytics markets around roughly six parent companies means that privacy improvements at the platform layer propagate widely. The consolidation around a small number of consent management platforms has a similar effect. Decisions made at OneTrust or its competitors now determine baseline compliance for a large share of the web.

For anyone operating across jurisdictions, the trimodal deployment pattern reflects the dominant strategy in practice. Apply GDPR-grade controls in the EU, lighter controls elsewhere, and accept the resulting complexity. The study suggests this approach will grow harder as more countries adopt opt-in laws with local variations, and as California and its sister states push opt-out preference signals like Global Privacy Control into broader use.

Web tracking exists because the ad-financed content model requires it. Privacy law can shape the terms of that exchange, and the evidence from this study indicates that it does so where regulators follow through.

Secure by Design: Building security in at the beginning