715 research outputs found
Case study: disclosure of indirect device fingerprinting in privacy policies
Recent developments in online tracking make it harder for individuals to detect and block trackers. This is especially true for device fingerprinting techniques that websites use to identify and track individual devices. Direct trackers (those that directly ask the device for identifying information) can often be blocked with browser configurations or other simple techniques. However, some sites have shifted to indirect tracking methods, which attempt to uniquely identify a device by asking the browser to perform a seemingly-unrelated task. One type of indirect tracking known as Canvas fingerprinting causes the browser to render a graphic, recording rendering statistics as a unique identifier. Even experts find it challenging to discern some indirect fingerprinting methods. In this work, we aim to observe how indirect device fingerprinting methods are disclosed in privacy policies, and consider whether the disclosures are sufficient to enable website visitors to block the tracking methods. We compare these disclosures to the disclosure of direct fingerprinting methods on the same websites.
Our case study analyzes one indirect fingerprinting technique, Canvas fingerprinting. We use an existing automated detector of this fingerprinting technique to conservatively detect its use on Alexa Top 500 websites that cater to United States consumers, and we examine the privacy policies of the resulting 28 websites. Disclosures of indirect fingerprinting vary in specificity. None described the specific methods with enough granularity to know the website used Canvas fingerprinting. Conversely, many sites did provide enough detail about usage of direct fingerprinting methods to allow a website visitor to reliably detect and block those techniques.
We conclude that indirect fingerprinting methods are often technically difficult to detect, and are not identified with specificity in legal privacy notices. This makes indirect fingerprinting more difficult to block, and therefore risks disturbing the tentative armistice between individuals and websites currently in place for direct fingerprinting. This paper illustrates differences in fingerprinting approaches, and explains why technologists, technology lawyers, and policymakers need to appreciate the challenges of indirect fingerprinting.
Accepted manuscrip
Fingerprinting Mobile Browsers
Nowadays, billions of people access the Internet on mobile phones, and a significant portion of the traffic comes from browsers. Mobile browsers could be used as a gateway to access the underlying resources of mobile devices for fingerprinting purposes. Browsers include APIs to access the underlying hardware and software resources, such as sensors, audio and media devices, battery, and so on. The growing number of APIs has created new opportunities for browser fingerprinting mechanisms. However, the widely used browser fingerprinting systems are designed for the desktop environment, and the identifying information gathered using these systems does not include the unique features of mobile phones such as device sensors. The goal of this thesis is to explore additional fingerprintable metrics in the mobile context and analyze their contribution to fingerprinting browsers. In this thesis, we investigated the time evolution of browser feature fingerprints and fingerprinting in the wild in the context of mobile devices.
In the time evolution of feature fingerprints, we examined the change in permission requirements of browsers over time and the evolution of browser feature fingerprints for both Google Chrome and Firefox. In our experiment, we saw that permission requirements have increased over time, e.g. Firefox 4.0 requires only four permissions, while Firefox 55.0 requires 24 permissions. In the evolution of browser features, we saw that fingerprints related to the media, audio, WebGL, and canvas elements of the browser show frequent change across versions. In addition, we saw that, for both Chrome and Firefox, the user agent string is unique for each version, and that media devices for Chrome are unique for each version as well in our dataset.
In fingerprinting in the wild, we collected fingerprints from 134 browsing sessions, of which 96 were unique. From the gathered dataset, we calculated the identifying information, entropy, and contribution of each browser feature in our test. The result shows that IP address, user agent, and media devices are the highest entropy contributors. In addition, we observed that the maximum possible entropy gain in our dataset, 6.58 bits, can be obtained by joining only media devices and user agent strings.
To sum up, in our experiment, we acquired additional fingerprintable metrics from modern APIs, such as sensors, audio and media devices, and battery. In the time evolution of browser feature fingerprints experiments, we saw that modern API feature fingerprints show frequent change across versions. Similarly, in the fingerprinting in the wild experiments, these APIs are among the highest entropy contributors
Web Tracking: Mechanisms, Implications, and Defenses
This article surveys the existing literature on the methods currently used
by web services to track the user online as well as their purposes,
implications, and possible user defenses. A significant majority of reviewed
articles and web resources are from years 2012-2014. Privacy seems to be the
Achilles' heel of today's web. Web services make continuous efforts to obtain
as much information as they can about the things we search, the sites we visit,
the people with whom we are in contact, and the products we buy. Tracking is usually
performed for commercial purposes. We present 5 main groups of methods used for
user tracking, which are based on sessions, client storage, client cache,
fingerprinting, or yet other approaches. A special focus is placed on
mechanisms that use web caches, operational caches, and fingerprinting, as they
are usually very rich in terms of using various creative methodologies. We also
show how the users can be identified on the web and associated with their real
names, e-mail addresses, phone numbers, or even street addresses. We show why
tracking is being used and its possible implications for the users (price
discrimination, assessing financial credibility, determining insurance
coverage, government surveillance, and identity theft). For each of the
tracking methods, we present possible defenses. Apart from describing the
methods and tools used for keeping the personal data away from being tracked,
we also present several tools that were used for research purposes - their main
goal is to discover how and by which entity the users are being tracked on
their desktop computers or smartphones, provide this information to the users,
and visualize it in an accessible and easy to follow way. Finally, we present
the currently proposed future approaches to track the user and show that they
can potentially pose significant threats to the users' privacy.
Comment: 29 pages, 212 reference
Sounds of Silence: A Study of Stability and Diversity of Web Audio Fingerprints
Browser fingerprinting presents a grave threat to privacy as it allows user tracking even in private browsing modes. Prior measurement studies on HTML5-based fingerprinting have been limited to Canvas and WebGL but not Web Audio APIs. We aim to fill this gap by conducting the first large-scale systematic study of web audio fingerprints and studying their stability as well as diversity properties. Using MTurk and social media platforms, we collected 8 different audio fingerprints from 694 users.
Firstly, we show that the audio fingerprints are unstable, unlike other fingerprinting methods, with some users having as many as 20 different fingerprints. Despite this, we show that audio fingerprinting can still be used as an effective fingerprinting vector, as most fingerprints tend to repeat quite often. We devised a graph-based fingerprint matching mechanism to measure the diversity of audio fingerprints. Our results show that audio fingerprints are much less diverse with only 45 distinct fingerprints among 694 users