ABSTRACT
We conduct the first systematic study of the effectiveness of Web Audio API-based browser fingerprinting mechanisms and present new insights. First, we show that audio fingerprinting vectors, unlike other prior vectors, reveal an apparent fickleness with some users' browsers giving away differing fingerprints in repeated attempts. However, we show that it is possible to devise a graph-based analysis mechanism to collectively consider all the different fingerprints left by users' browsers and thus craft a highly stable fingerprinting mechanism. Next, we investigate the diversity of audio fingerprints and compare this with prior fingerprinting techniques. Our results show that audio fingerprints are much less diverse than other vectors with only 95 distinct fingerprints among 2093 users. At the same time, further analysis shows that web audio fingerprinting can potentially bring considerable additive value to existing fingerprinting mechanisms. For instance, our results show that the addition of web audio fingerprinting causes a 9.6% increase in entropy when compared to using Canvas fingerprinting alone. We also show that our results contradict the current security and privacy recommendations provided by W3C regarding audio fingerprinting.
Supplemental Material
- [n. d.]. FingerprintJS. ([n. d.]). https://github.com/fingerprintjs/fingerprintjsGoogle Scholar
- [n. d.]. Floating point differences between platforms. https://bugzilla.mozilla.org/show_bug.cgi?id=531915. ([n. d.]).Google Scholar
- Brave. 2020. Fingerprinting 2.0: Web Audio • Issue #9187. (Apr 2020). https://github.com/brave/brave-browser/issues/9187Google Scholar
- Brave. 2021. Html5 Canvas Web Font Alignment is off • Issue #15326 • brave/brave-browser. (Apr 2021). https://github.com/brave/brave-browser/issues/15326Google Scholar
- Brave. 2021. Rendering issue on Google Sheets • Issue #13448 • brave/brave-browser. (Jan 2021). https://github.com/brave/brave-browser/issues/13448Google Scholar
- Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26 - March 1, 2017. The Internet Society. https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/cross-browser-fingerprinting-os-and-hardware-level-features/Google ScholarCross Ref
- Anupam Das, Gunes Acar, Nikita Borisov, and Amogh Pradeep. 2018. The Web's Sixth Sense: A Study of Scripts Accessing Smartphone Sensors. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, David Lie, Mohammad Mannan, Michael Backes, and XiaoFeng Wang (Eds.). ACM, 1515--1532. Google ScholarDigital Library
- Amit Datta, Jianan Lu, and Michael Carl Tschantz. 2019. Evaluating Anti-Fingerprinting Privacy Enhancing Technologies. In The World Wide Web Conference, WWW 2019, San Francisco, CA, USA, May 13-17, 2019. 351--362. Google ScholarDigital Library
- Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-million-site Measurement and Analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi (Eds.). ACM, 1388--1401. Google ScholarDigital Library
- Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry. 2018. Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale. In Proceedings of the 2018 World Wide Web Conference on World Wide Web, WWW 2018, Lyon, France, April 23-27, 2018, Pierre-Antoine Champin, Fabien Gandon, Mounia Lalmas, and Panagiotis G. Ipeirotis (Eds.). ACM, 309--318. Google ScholarDigital Library
- Jacob Holm, Kristian de Lichtenberg, and Mikkel Thorup. 2001. Polylogarithmic deterministic fully-dynamic algorithms for connectivity, minimum spanning tree, 2-edge, and biconnectivity. J. ACM 48, 4 (2001), 723--760. Google ScholarDigital Library
- Umar Iqbal, Steven Englehardt, and Zubair Shafiq. 2020. Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors. CoRR abs/2008.04480 (2020). arXiv:2008.04480 https://arxiv.org/abs/2008.04480Google Scholar
- Pierre Laperdrix, Benoit Baudry, and Vikas Mishra. 2017. FPRandom: Randomizing Core Browser Objects to Break Advanced Device Fingerprinting Techniques. In Engineering Secure Software and Systems - 9th International Symposium, ESSoS 2017, Bonn, Germany, July 3-5, 2017, Proceedings (Lecture Notes in Computer Science), Eric Bodden, Mathias Payer, and Elias Athanasopoulos (Eds.), Vol. 10379. Springer, 97--114. Google ScholarCross Ref
- Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2020. Browser Fingerprinting: A Survey. ACM Trans. Web 14, 2 (2020), 8:1--8:33. Google ScholarDigital Library
- Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2015. Mitigating Browser Fingerprint Tracking: Multi-level Reconfiguration and Diversification. In 10th IEEE/ACM International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS 2015, Florence, Italy, May 18-19, 2015. 98--108. Google ScholarDigital Library
- Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. In IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22-26, 2016. IEEE Computer Society, 878--894. Google ScholarCross Ref
- Keaton Mowery and Hovav Shacham. 2012. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP 2012, Matt Fredrikson (Ed.). IEEE Computer Society.Google Scholar
- Xuan Vinh Nguyen, Julien Epps, and James Bailey. 2009. Information theoretic measures for clusterings comparison: is a correction for chance necessary?. In Proceedings of the 26th Annual International Conference on Machine Learning, ICML 2009, Montreal, Quebec, Canada, June 14-18, 2009 (ACM International Conference Proceeding Series), Andrea Pohoreckyj Danyluk, Léon Bottou, and Michael L. Littman (Eds.), Vol. 382. ACM, 1073--1080. Google ScholarDigital Library
- Nick Nikiforakis, Wouter Joosen, and Benjamin Livshits. 2015. PriVaricator: Deceiving Fingerprinters with Little White Lies. In Proceedings of the 24th International Conference on World Wide Web, WWW 2015, Florence, Italy, May 18-22, 2015. 820--830. Google ScholarDigital Library
- Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. 541--555. Google ScholarDigital Library
- Jordan S Queiroz and Eduardo L Feitosa. 2019. A Web Browser Fingerprinting Method Based on the Web Audio API. Comput. J. 62, 8 (01 2019), 1106--1120. arXiv:https://academic.oup.com/comjnl/article-pdf/62/8/1106/29162322/bxy146.pdf Google ScholarCross Ref
- Chris Rogers. [n. d.]. Web Audio API is now available in Chrome. https://lists.w3.org/Archives/Public/public-xg-audio/2011Feb/0000.html. ([n. d.]).Google Scholar
- Simone Romano, Xuan Vinh Nguyen, James Bailey, and Karin Verspoor. 2016. Adjusting for Chance Clustering Comparison Measures. J. Mach. Learn. Res. 17 (2016), 134:1--134:32. http://jmlr.org/papers/v17/15-627.htmlGoogle Scholar
- Takamichi Saito, Takafumi Noda, Ryohei Hosoya, Kazuhisa Tanabe, and Yuta Saito. 2018. On estimating platforms of web user with JavaScript math object. In International Conference on Network-Based Information Systems. Springer, 407--418.Google Scholar
- Raimund Seidel and Micha Sharir. 2005. Top-Down Analysis of Path Compression. SIAM J. Comput. 34, 3 (2005), 515--525. Google ScholarDigital Library
- Chrome Web Store. [n. d.]. User-Agent Switcher for Chrome. ([n. d.]). https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg?hl=en-USGoogle Scholar
- Christof Ferreira Torres, Hugo L. Jonker, and Sjouke Mauw. 2015. FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting. In Computer Security - ESORICS 2015 - 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21-25, 2015, Proceedings, Part II, Vol. 9327. 3--19. Google ScholarCross Ref
- Princeton CITP's Web Transparency and Accountability Project. [n. d.]. Audio-Context Fingerprint Test Page. ([n. d.]). https://audiofingerprint.openwpm.com/Google Scholar
- Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking Browser Fingerprint Evolutions. In 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA. IEEE Computer Society, 728--741. Google ScholarCross Ref
- WWWC. 2021. (May 2021). https://web.archive.org/web/20210517012714/https://www.w3.org/TR/webaudio/#priv-secGoogle Scholar
Recommendations
A proposed likelihood transformation for speaker verification
ICASSP '00: Proceedings of the Acoustics, Speech, and Signal Processing, 2000. on IEEE International Conference - Volume 02Most of current normalisation methods for speaker verification are based on the ratio of the claimed speaker's and impostors' likelihood functions. As an extension, we propose alternative normalisation methods, which are based on the ratio of functions ...
A systematic method for fingerprint ridge orientation estimation and image segmentation
This paper proposes a scheme for systematically estimating fingerprint ridge orientation and segmenting fingerprint image by means of evaluating the correctness of the ridge orientation based on neural network. The neural network is used to learn the ...
Audio-visual active speaker tracking in cluttered indoors environments
Special issue on human computingWe propose a system for detecting the active speaker in cluttered and reverberant environments where more than one person speaks and moves. Rather than using only audio information, the system utilizes audiovisual information from multiple acoustic and ...
Comments