A first look into Utiq: Next-generation cookies at the ISP level
Ismael Castell-Uroz, Pere Barlet-Ros
TL;DR
This paper investigates Utiq, an ISP-level user identification system proposed as an alternative to third-party cookies. It analyzes the system’s architecture, consent framework, and its adoption on the 10K most popular websites one half-year after launch, using a methodology that verifies loader availability and ISP eligibility. The findings show a marginal adoption rate of 0.7%–1.2% across France, Germany, and Spain, with sites often combining Utiq with invasive fingerprinting techniques, limiting privacy gains. The study highlights the privacy-commercial trade-offs of ISP-level identifiers and points to future work on broader propagation methods, consent design, and policy considerations to assess real-world impact.
Abstract
Online privacy has become increasingly important in recent years. While third-party cookies have been widely used for years, they have also been criticized for their potential impact on user privacy. They can be used by advertisers to track users across multiple sites, allowing them to build detailed profiles of their behavior and interests. However, nowadays, many browsers allow users to block third-party cookies, which limits their usefulness for advertisers. In this paper, we take a first look at Utiq, a new way of user tracking performed directly by the ISP, to substitute the third-party cookies used until now. We study the main properties of this new identification methodology and their adoption on the 10K most popular websites. Our results show that, although still marginal due to the restrictions imposed by the system, between 0.7% and 1.2% of websites already include Utiq as one of their user identification methods.