Abstract
Third party tracking is the practice by which third parties recognize users across different websites as they browse the web. Recent studies show that more than 90% of Alexa top 500 websites [38] contain third party content that is tracking its users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy. We describe and implement a privacy-preserving web architecture that gives website developers control over third party tracking: developers are able to include functionally useful third party content while at the same time ensuring that the end users are not tracked by the third parties.
Notes
- 1. For example, see https://duckduckgo.com/.
- 2. Tracking is often defined as the ability of a third party to recognize a user through different websites. However, being able to identify the websites a user is interacting with is equally crucial for the effectiveness of tracking.
- 3. The Origin header is also automatically generated by the browser when the third party content is trying to access data using the Cross-Origin Resource Sharing [4] mechanism.
References
Browsing Contexts. https://www.w3.org/TR/html51/browsers.html
Cascading Style Sheets. https://www.w3.org/Style/CSS/
CLIQZ. https://cliqz.com
Cross-origin-resource sharing. https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
CSS Parser for Node.js. https://github.com/reworkcss/css
Disconnect. https://disconnect.me/
Ghostery. https://www.ghostery.com/
HTML Parser for Node.js. https://github.com/tmpvar/jsdom
Iframe Sandbox Attribute. https://www.w3.org/TR/2011/WD-html5-20110525/the-iframe-element.html#attr-iframe-sandbox
Node.js. https://nodejs.org/en/
Node.js Proxy. https://newspaint.wordpress.com/2012/11/05/node-js-http-and-https-proxy
PostMessage - Cross-Origin Iframe Secure Communication. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Privacy Badger. https://www.eff.org/fr/privacybadger
Reverse Proxy. https://en.wikipedia.org/wiki/Revers_proxy
Same Origin Policy. https://www.w3.org/Security/wiki/Same_Origin_Policy
Service Worker API. https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API
Tor Browser. https://www.torproject.org/projects/torbrowser/design/
Tracking Compliance and Scope. https://www.w3.org/TR/tracking-compliance/
Tracking Preference Expression. https://www.w3.org/TR/tracking-dnt/
uBlock Origin. https://www.ublock.org/
Abgrall, E., Traon, Y.L., Monperrus, M., Gombault, S., Heiderich, M., Ribault, A.: XSS-FP: browser fingerprinting using HTML parser quirks. CoRR (2012)
Acar, G., Eubank, C., Englehardt, S., Juárez, M., Narayanan, A., Díaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: Proceedings of CCS 2014 (2014)
Acar, G., Juárez, M., Nikiforakis, N., Díaz, C., Gürses, S.F., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: Proceedings of CCS 2013 (2013)
Achara, J.P., Parra-Arnau, J., Castelluccia, C.: Mytrackingchoices: pacifying the ad-block war by enforcing user privacy preferences. CoRR (2016)
Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: User tracking on the web via cross-browser fingerprinting. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 31–46. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29615-4_4
Cao, Y., Li, S., Wijmans, E.: (cross-)browser fingerprinting via os and hardware level features. In: Proceedings of the 24th NDSS (2017)
Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14527-8_1
Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: Proceedings of the 2016 CCS, pp. 1388–1401 (2016)
Englehardt, S., Reisman, D., Eubank, C., Zimmerman, P., Mayer, J., Narayanan, A., Felten, E.W.: Cookies that give you away: The surveillance implications of web tracking. In: Proceedings of the 24th WWW, pp. 289–299 (2015)
Krishnamurthy, B., Wills, C.E.: Privacy diffusion on the web: a longitudinal perspective. In: Proceedings of the 18th WWW, pp. 541–550 (2009)
Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: Proceedings of IEEE SP 2016 (2016)
Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: an archaeological study of web tracking from 1996 to 2016. In: Proceedings of the 25th USENIX Security, Austin, TX (2016)
Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 2012 IEEE SP, pp. 413–427 (2012)
Merzdovnik, G., Huber, M., Buhov, D., Nikiforakis, N., Neuner, S., Schmiedecker, M., Weippl, E.: Block me if you can: a large-scale study of tracker-blocking tools. In: Proceedings of the 2nd EuroSP, Paris, France (2017)
Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the 2013 IEEE SP, pp. 541–555 (2013)
Pan, X., Cao, Y., Chen, Y.: I do not know what you visited last summer: protecting users from stateful third-party web tracking with trackingfree browser. In: Proceedings of the 22nd NDSS (2015)
Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: Proceedings of the 9th NSDI, pp. 155–168 (2012)
Soltani, A., Canty, S., Mayo, Q., Thomas, L., Hoofnagle, C.J.: Flash cookies and privacy. In: AAAI Spring Symposium: Intelligent Information Privacy Management, pp. 158–163 (2010)
Starov, O., Nikiforakis, N.: Extended tracking powers: measuring the privacy diffusion enabled by browser extensions. In: Proceedings of the 2017 WWW (2017)
Takei, N., Saito, T., Takasu, K., Yamada, T.: Web browser fingerprinting using only cascading style sheets. In: Proceedings of the 10th BWCCA, pp. 57–63 (2015)
Upathilake, R., Li, Y., Matrawy, A.: A classification of web browser fingerprinting techniques. In: Proceedings of the 7th NTMS, pp. 1–5 (2015)
West, M.: Mixed Content (2016). https://www.w3.org/TR/mixed-content/
West, M., Barth, A., Veditz, D.: Content Security Policy Level 2 (2015)
Appendix
Screenshots of the demo website map console (Fig. 5).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Somé, D.F., Bielova, N., Rezk, T. (2017). Control What You Include!. In: Bodden, E., Payer, M., Athanasopoulos, E. (eds) Engineering Secure Software and Systems. ESSoS 2017. Lecture Notes in Computer Science, vol 10379. Springer, Cham. https://doi.org/10.1007/978-3-319-62105-0_8
DOI: https://doi.org/10.1007/978-3-319-62105-0_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62104-3
Online ISBN: 978-3-319-62105-0
eBook Packages: Computer Science (R0)