Iordanou, CostasSmaragdakis, GeorgiosPoese, IngmarLaoutaris, Nikolaos2019-12-042019-12-042018-10-31978-1-4503-5619-0https://depositonce.tu-berlin.de/handle/11303/10429http://dx.doi.org/10.14279/depositonce-9381© ACM 2018 . This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the Internet Measurement Conference 2018 - IMC ’18, http://dx.doi.org/10.1145/3278532.3278561.A tracking flow is a flow between an end user and a Web tracking service. We develop an extensive measurement methodology for quantifying at scale the amount of tracking flows that cross data protection borders, be it national or international, such as the EU28 border within which the General Data Protection Regulation (GDPR) applies. Our methodology uses a browser extension to fully render advertising and tracking code, various lists and heuristics to extract well known trackers, passive DNS replication to get all the IP ranges of trackers, and state-of-the art geolocation. We employ our methodology on a dataset from 350 real users of the browser extension over a period of more than four months, and then generalize our results by analyzing billions of web tracking flows from more than 60 million broadband and mobile users from 4 large European ISPs. We show that the majority of tracking flows cross national borders in Europe but, unlike popular belief, are pretty well con ned within the larger GDPR jurisdiction. Simple DNS redirection and PoP mirroring can increase national confinement while sealing almost all tracking flows within Europe. Last, we show that cross boarder tracking is prevalent even in sensitive and hence protected data categories and groups including health, sexual orientation, minors, and others.en000 Informatik, Informationswissenschaft, allgemeine WerkeGDPRinternet measurementGeneral Data Protection RegulationtrackingprivacynetworkConference Object