Gunes Acar
ABSTRACT
We present the first large-scale studies of three advanced web tracking mechanisms - canvas fingerprinting, evercookies and use of "cookie syncing" in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detection and analysing ID flows and we quantify the amplification of privacy-intrusive tracking practices due to cookie syncing.
Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls --- such as failing to clear state on multiple browsers at once - in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great difficulties in evading tracking techniques.
- Privacychoice - get a free privacy scan of your site. http://privacychoice.org/assessment.Google Scholar
- Bug 757726 - disallow enumeration of navigator.plugins. https://bugzilla.mozilla.org/show_bug.cgi?id=757726, May 2012.Google Scholar
- Manage, disable Local Shared Objects j Flash Player. http://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html, 2014.Google Scholar
- Doubleclick ad exchange real-time bidding protocol: Cookie matching. https://developers.google.com/ad-exchange/rtb/cookie-guide, February 2014.Google Scholar
- Selenium - Web Browser Automation. http://docs.seleniumhq.org/, 2014. 24In fact, there is a fledgling commercial market for such tools {1}, but they are not very sophisticated.Google Scholar
- G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gurses, F. Piessens, and B. Preneel. FPDetective: Dusting the Web for fingerprinters. In ACM Conference on Computer and Communications Security (CCS), pages 1129--1140. ACM, 2013. Google ScholarDigital Library
- M. Ayenson, D. J. Wambach, A. Soltani, N. Good, and C. J. Hoofnagle. Flash cookies and privacy II: Now with HTML5 and ETag respawning. World Wide Web Internet and Web Information Systems, 2011.Google ScholarCross Ref
- M. Backes, A. Kate, M. Maffei, and K. Pecina. Obliviad: Provably secure and practical online behavioral advertising. In IEEE Security and Privacy (S&P), pages 257--271. IEEE, 2012. Google ScholarDigital Library
- R. Balebako, P. Leon, R. Shay, B. Ur, Y. Wang, and L. Cranor. Measuring the effectiveness of privacy tools for limiting behavioral advertising. In Web 2.0 Workshop on Security and Privacy (W2SP). IEEE, 2012.Google Scholar
- F. Besson, N. Bielova, T. Jensen, et al. Enforcing Browser Anonymity with Quantitative Information Flow. 2014.Google Scholar
- M. Bilenko, M. Richardson, and J. Y. Tsai. Targeted, not tracked: Client-side solutions for privacy-friendly behavioral advertising. In Privacy Enhancing Technologies (PETS). Springer, 2011.Google Scholar
- P. E. Black. Ratcliff/Obershelp pattern recognition. http://xlinux.nist.gov/dads/HTML/ratcliffObershelp.html, December 2004.Google Scholar
- K. Brade. gitweb.torproject.org - torbrowser.git/blob - src/current-patches/refox/0019-add-canvas-imageextraction- prompt.patch. https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/src/current-patches/firefox/0019-Add-canvas-image-extraction-prompt.patch, November 2012.Google Scholar
- W. Davis. KISSmetrics Finalizes Supercookies Settlement. http://www.mediapost.com/ publications/article/191409/kissmetrics- finalizes-supercookies-settlement.html, 2013. {Online; accessed 12-May-2014}.Google Scholar
- N. Doty. Fingerprinting Guidance for Web Specification Authors. http://w3c.github.io/fingerprinting-guidance/, 2014.Google Scholar
- P. Eckersley. How unique is your web browser? In Privacy Enhancing Technologies (PETs), pages 1{18. Springer, 2010. Google ScholarDigital Library
- C. Eubank, M. Melara, D. Perez-Botero, and A. Narayanan. Shining the floodlights on mobile web tracking - a privacy survey. In "Web 2.0 Security and Privacy", May 2013.Google Scholar
- E. W. Felten. If You're Going to Track Me, Please Use Cookies. https://freedom-to-tinker.com/blog/felten/if-youre-going-track-me-please-use-cookies/, 2009.Google Scholar
- M. Fredrikson and B. Livshits. Repriv: Re-imagining content personalization and in-browser privacy. In IEEE Security and Privacy (S&P), pages 131--146. IEEE, 2011. Google ScholarDigital Library
- S. Guha, B. Cheng, and P. Francis. Privad: practical privacy in online advertising. In USENIX Conference on Networked Systems Design and Implementation, pages 169{182. USENIX Association, 2011. Google ScholarDigital Library
- S. Kamkar. Evercookie - virtually irrevocable persistent cookies. http://samy.pl/evercookie/, Sep 2010.Google Scholar
- M. Kerrisk. strace(1) - linux manual page. http://man7.org/linux/man-pages/man1/strace.1.html, May 2014.Google Scholar
- T. Kohno, A. Broido, and K. C. Claffy. Remotephysical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, 2(2):93--108, 2005. Google ScholarDigital Library
- R. Kotcher, Y. Pei, P. Jumde, and C. Jackson. Cross-origin pixel stealing: timing attacks using CSS filters. In ACM Conference on Computer and Communications Security (CCS), pages 1055--1062. ACM, 2013. Google ScholarDigital Library
- B. Krishnamurthy and C. Wills. Privacy diffusion on the Web: a longitudinal perspective. In International Conference on World Wide Web, pages 541--550. ACM, 2009. Google ScholarDigital Library
- B. Krishnamurthy and C. E. Wills. On the leakage of personally identifiable information via online social networks. In ACM Workshop on Online Social Networks, pages 7--12. ACM, 2009. Google ScholarDigital Library
- B. Liu, A. Sheth, U. Weinsberg, J. Chandrashekar, and R. Govindan. AdReveal: Improving transparency into online targeted advertising. In ACM Workshop on Hot Topics in Networks, page 12. ACM, 2013. Google ScholarDigital Library
- J. Mayer. Tracking the trackers: Self-help tools. https://cyberlaw.stanford.edu/blog/2011/09/tracking-trackers-self-help-tools, September 2011.Google Scholar
- J. R. Mayer and J. C. Mitchell. Third-party web tracking: Policy and technology. In IEEE Symposium on Security and Privacy (S&P)), pages 413--427. IEEE, 2012. Google ScholarDigital Library
- A. M. McDonald and L. F. Cranor. Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies, A. ISJLP, 7:639, 2011.Google Scholar
- K. Mowery, D. Bogenreif, S. Yilek, and H. Shacham. Fingerprinting information in JavaScript implementations. In Web 2.0 Workshop on Security and Privacy (W2SP), volume 2. IEEE, 2011.Google Scholar
- K. Mowery and H. Shacham. Pixel perfect: Fingerprinting canvas in HTML5. In Web 2.0 Workshop on Security and Privacy (W2SP). IEEE, 2012.Google Scholar
- M. Mulazzani, P. Reschl, M. Huber, M. Leithner, S. Schrittwieser, E. Weippl, and F. C. Wien. Fast and reliable browser identification with JavaScript engine fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP), volume 1. IEEE, 2013.Google Scholar
- A. Narayanan, J. Mayer, and S. Iyengar. Tracking Not Required: Behavioral Targeting. http://33bits.org/2012/06/11/tracking-not-required-behavioral-targeting/, 2012.Google Scholar
- N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. You are what you include: Large-scale evaluation of remote javascript inclusions. In ACM Conference on Computer and Communications Security (CCS), pages 736--747. ACM, 2012. Google ScholarDigital Library
- N. Nikiforakis, W. Joosen, and B. Livshits. PriVaricator: Deceiving Fingerprinters with Little White Lies. Available at http://research.microsoft.com/en-us/um/people/livshits/papers%5Ctr%5Cprivaricator.pdf.Google Scholar
- N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In IEEE Symposium on Security and Privacy, pages 541--555. IEEE, 2013. Google ScholarDigital Library
- L. Olejnik, T. Minh-Dung, and C. Castelluccia. Selling Off Privacy at Auction. In Annual Network and Distributed System Security Symposium (NDSS). IEEE, 2014.Google ScholarCross Ref
- C. R. Orr, A. Chauhan, M. Gupta, C. J. Frisz, and C. W. Dunn. An approach for identifying JavaScript-loaded advertisements through static program analysis. In ACM Workshop on Privacy in the Electronic Society (WPES), pages 1--12. ACM, 2012. Google ScholarDigital Library
- M. Perry, E. Clark, and S. Murdoch. The design and implementation of the Tor browser {draft}. https:// www.torproject.org/projects/torbrowser/design, 2013.Google Scholar
- F. Roesner, T. Kohno, and D. Wetherall. Detecting and Defending Against Third-Party Tracking on the Web. In Symposium on Networking Systems Design and Implementation. USENIX Association, 2012. Google ScholarDigital Library
- N. Singer. Do Not Track? Advertisers Say 'Don't Tread on Us'. http://www.nytimes.com/2012/10/14/technology/do-not-track-movement-is-drawing- advertisers-fire.html, 2012.Google Scholar
- A. Soltani, S. Canty, Q. Mayo, L. Thomas, and C. J. Hoofnagle. Flash Cookies and Privacy. In AAAI Spring Symposium: Intelligent Information Privacy Management. AAAI, 2010.Google Scholar
- O. Sorensen. Zombie-cookies: Case studies and mitigation. In Internet Technology and Secured Transactions (ICITST), pages 321--326. IEEE, 2013.Google Scholar
- P. Stone. Pixel perfect timing attacks with HTML5. Context Information Security (White Paper), 2013.Google Scholar
- A. Taly, J. C. Mitchell, M. S. Miller, J. Nagra, et al. Automated analysis of security-critical javascript apis. In IEEE Security and Privacy (S&P), pages 363--378. IEEE, 2011. Google ScholarDigital Library
- J. Temple. Stale Cookies: How companies are tracking you online today. http://blog.sfgate.com/techchron/2013/10/02/stale-cookies-how-companies-are-tracking-you-online-today/, 2013.Google Scholar
- M. Tran, X. Dong, Z. Liang, and X. Jiang. Tracking the trackers: Fast and scalable dynamic analysis of web content for privacy violations. In Applied Cryptography and Network Security, pages 418--435. Springer, 2012. Google ScholarDigital Library
- M.-D. Tran, G. Acs, and C. Castelluccia. Retargeting without tracking. arXiv preprint arXiv:1404.4533, 2014.Google Scholar
- T. Unger, M. Mulazzani, D. Fruhwirt, M. Huber, S. Schrittwieser, and E. Weippl. SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting. In Availability, Reliability and Security (ARES), pages 255--261. IEEE, 2013. Google ScholarDigital Library
- V. Vasilyev. Valve/fingerprintjs. https://github.com/Valve/fingerprintjs, 2012.Google Scholar
Index Terms
- The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
Recommendations
FPDetective: dusting the web for fingerprinters
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications securityIn the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly ...
CookieGraph: Understanding and Detecting First-Party Tracking Cookies
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityAs third-party cookie blocking is becoming the norm in mainstream web browsers, advertisers and trackers have started to use first-party cookies for tracking. To understand this phenomenon, we conduct a differential measurement study with versus without ...
The Representativeness of Automated Web Crawls as a Surrogate for Human Browsing
WWW '20: Proceedings of The Web Conference 2020Large-scale Web crawls have emerged as the state of the art for studying characteristics of the Web. In particular, they are a core tool for online tracking research. Web crawling is an attractive approach to data collection, as crawls can be run at ...
Comments