Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking

  • Conference paper

Information Security (ISC 2018)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11060)

Abstract

Browser fingerprinting is a relatively new method of uniquely identifying browsers that can be used to track web users. In some ways it is more privacy-threatening than tracking via cookies, as users have no direct control over it. A number of authors have considered the wide variety of techniques that can be used to fingerprint browsers; however, relatively little information is available on how widespread browser fingerprinting is, and what information is collected to create these fingerprints in the real world. To help address this gap, we crawled the 10,000 most popular websites; this gave insights into the number of websites that are using the technique, which websites are collecting fingerprinting information, and exactly what information is being retrieved. We found that approximately 69% of websites are, potentially, involved in first-party or third-party browser fingerprinting. We further found that third-party browser fingerprinting, which is potentially more privacy-damaging, appears to be predominant in practice. We also describe FingerprintAlert, a freely available browser add-on we developed that detects and, optionally, blocks fingerprinting attempts by visited websites.

Notes

  1. Some browser attributes change over time (e.g. browser version) but uniquely identifying browsers is usually still possible [41], and uniquely identifying the hosting platform is also possible if a different browser is used [8].

  2. The most commonly used browser data was retrieved from https://www.netmarketshare.com/browser-market-share.aspx [accessed on 01/07/2018].

  3. Firefox has a limited set of options to thwart fingerprinting.

  4. A web cookie is a small amount of data sent by a website as part of an HTTP response and then stored by the browser. The browser then provides the contents of the cookie back to the same server in subsequent HTTP requests [6].

  5. Modes of this type, which have various names, are intended to enhance the privacy properties of the browser [42].

  6. A demonstration of the wide range of information collectable from any browser is available at https://fingerprintable.org/test.

  7. Majestic is a website specializing in web usage statistics, and provides a daily-updated list of the top one million websites, https://majestic.com/reports/majestic-million [accessed on 09/10/2017].

  8. Selenium is open-source software used to automate browsers for testing purposes; see https://www.seleniumhq.org.

  9. The quantity of data that can be relayed using GET or HEAD is very limited, whereas POST allows the transmission of very large volumes (megabytes) of data.

  10. https://analytics.google.com.

  11. https://www.doubleclickbygoogle.com.

  12. A JavaScript library that helps websites detect the availability of CSS and HTML5 features in a visitor’s browser; see https://modernizr.com.

  13. It is a relatively new full-duplex TCP communication protocol [14].

  14. https://chrome.google.com/webstore/detail/ielakmofegkdlpnlppfikmkbceajdofo

    https://addons.mozilla.org/en-US/firefox/addon/fingerprintalert.

  15. https://www.ghostery.com.

  16. https://www.eff.org/privacybadger.

  17. http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm [accessed on 14/04/2018].

References

  1. Acar, G., Eubank, C., Englehardt, S., Juárez, M., Narayanan, A., Díaz, C.: The web never forgets: persistent tracking mechanisms in the wild. In: ACM SIGSAC 2014, Scottsdale, AZ, USA, 3–7 November 2014, pp. 674–689. ACM (2014)

  2. Acar, G., et al.: FPDetective: dusting the web for fingerprinters. In: ACM SIGSAC CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 1129–1140. ACM (2013)

  3. Al-Fannah, N.M.: Making defeating captchas harder for bots. In: Computing Conference 2017, London, UK, 18–20 July 2017, pp. 775–782. IEEE Computer Society, July 2017

  4. Al-Fannah, N.M., Li, W.: Not all browsers are created equal: comparing web browser fingerprintability. In: Obana, S., Chida, K. (eds.) IWSEC 2017. LNCS, vol. 10418, pp. 105–120. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-64200-0_7

  5. Alaca, F., van Oorschot, P.C.: Device fingerprinting for augmenting web authentication: classification and analysis of methods. In: ACSAC 2016, Los Angeles, CA, USA, 5–9 December 2016, pp. 289–301. ACM (2016)

  6. Barth, A., Berkeley, U.: HTTP State Management Mechanism. RFC 6265, RFC Editor, April 2011

  7. Boda, K., Földes, Á.M., Gulyás, G.G., Imre, S.: User tracking on the web via cross-browser fingerprinting. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 31–46. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29615-4_4

  8. Cao, Y., Li, S., Wijmans, E.: (Cross-)browser fingerprinting via OS and hardware level features. In: NDSS 2017, San Diego, California, USA, February 26–March 1 2017. The Internet Society (2017)

  9. Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1

  10. Englehardt, S., Narayanan, A.: Online tracking: a 1-million-site measurement and analysis. In: ACM SIGSAC CCS 2016, Vienna, Austria, 24–28 October 2016, pp. 1388–1401. ACM (2016)

  11. FaizKhademi, A., Zulkernine, M., Weldemariam, K.: FPGuard: detection and prevention of browser fingerprinting. In: Samarati, P. (ed.) DBSec 2015. LNCS, vol. 9149, pp. 293–308. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20810-7_21

  12. Falahrastegar, M., Haddadi, H., Uhlig, S., Mortier, R.: Tracking personal identifiers across the web. In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 30–41. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30505-9_3

  13. Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: ACM CCS 2000, Athens, Greece, 1–4 November 2000, pp. 25–32. ACM (2000)

  14. Fette, I., Melnikov, A.: The WebSocket Protocol. RFC 6455, RFC Editor, December 2011

  15. Fielding, R., et al.: Hypertext Transfer Protocol - HTTP/1.1. RFC 2616, RFC Editor, June 1999

  16. Fifield, D., Egelman, S.: Fingerprinting web users through font metrics. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 107–124. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_7

  17. Fiore, U., Castiglione, A., Santis, A.D., Palmieri, F.: Countering browser fingerprinting techniques: constructing a fake profile with Google chrome. In: NBiS 2014, Salerno, Italy, 10–12 September 2014, pp. 355–360. IEEE Computer Society (2014)

  18. Franklin, J., McCoy, D.: Passive data link layer 802.11 wireless device driver fingerprinting. In: USENIX Security 2006, Vancouver, BC, Canada, July 31–August 4, 2006. USENIX Association (2006)

  19. Krishnamurthy, B., Wills, C.E.: Generating a privacy footprint on the internet. In: ACM SIGCOMM IMC 2006, Rio de Janeiro, Brazil, 25–27 October 2006, pp. 65–70. ACM (2006)

  20. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: IEEE S&P 2016, San Jose, CA, USA, 22–26 May 2016, pp. 878–894. IEEE Computer Society (2016)

  21. Le, H., Fallace, F., Barlet-Ros, P.: Towards accurate detection of obfuscated web tracking. In: IEEE MN 2017, Naples, Italy, 27–29 September 2017, pp. 1–6. IEEE (2017)

  22. Lerner, A., Simpson, A.K., Kohno, T., Roesner, F.: Internet jones and the raiders of the lost trackers: an archaeological study of web tracking from 1996 to 2016. In: USENIX Security 2016, Austin, TX, USA, 10–12 August 2016. USENIX Association (2016)

  23. Libert, T.: Exposing the invisible web: an analysis of third-party http requests on 1 million websites. Int. J. Commun. 9, 18 (2015). http://ijoc.org/index.php/ijoc/article/view/3646

  24. Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: IEEE S&P 2012, San Francisco, California, USA, 21–23 May 2012, pp. 413–427 (2012)

  25. Merzdovnik, G., et al.: Block me if you can: a large-scale study of tracker-blocking tools. In: IEEE EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 319–333. IEEE (2017)

  26. Metwalley, H., Traverso, S., Mellia, M., Miskovic, S., Baldi, M.: The online tracking horde: a view from passive measurements. In: Steiner, M., Barlet-Ros, P., Bonaventure, O. (eds.) TMA 2015. LNCS, vol. 9053, pp. 111–125. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-17172-2_8

  27. Mowery, K., Bogenreif, D., Yilek, S., Shacham, H.: Fingerprinting information in JavaScript implementations. In: W2SP 2011, Oakland, CA, USA, 26 May 2011, vol. 2, pp. 180–193 (2011)

  28. Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: W2SP 2012, San Francisco, CA, USA, 24 May 2012. IEEE Computer Society (2012)

  29. Mulazzani, M., et al.: Fast and reliable browser identification with JavaScript engine fingerprinting. In: W2SP 2013, San Francisco, CA, USA, 24 May 2013, vol. 5 (2013)

  30. Nikiforakis, N., Joosen, W., Livshits, B.: PriVaricator: Deceiving fingerprinters with little white lies. In: WWW 2015, Florence, Italy, 18–22 May 2015, pp. 820–830. ACM (2015)

  31. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: IEEE S&P 2013, Berkeley, CA, USA, 19–22 May 2013, pp. 541–555. IEEE Computer Society (2013)

  32. Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29883-2_18

  33. Portokalidis, G., Polychronakis, M., Keromytis, A.D., Markatos, E.P.: Privacy-preserving social plugins. In: USENIX Security 2012, Bellevue, WA, USA, 8–10 August 2012, pp. 631–646. USENIX Association (2012)

  34. Rescorla, E.: HTTP over TLS. RFC 2818, RFC Editor, May 2000

  35. Roesner, F., Kohno, T., Wetherall, D.: Detecting and defending against third-party tracking on the web. In: USENIX NSDI 2012, San Jose, CA, USA, 25–27 April 2012, pp. 155–168. USENIX Association (2012)

  36. Takei, N., Saito, T., Takasu, K., Yamada, T.: Web browser fingerprinting using only cascading style sheets. In: BWCCA 2015, Krakow, Poland, 4–6 November 2015, pp. 57–63. IEEE Computer Society (2015)

  37. Torres, C.F., Jonker, H., Mauw, S.: FP-Block: Usable web privacy by controlling browser fingerprinting. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_1

  38. Unger, T., Mulazzani, M., Fruhwirt, D., Huber, M., Schrittwieser, S., Weippl, E.R.: SHPF: enhancing HTTP(S) session security with browser fingerprinting. In: ARES 2013, Regensburg, Germany, 2–6 September 2013, pp. 255–261. IEEE Computer Society (2013)

  39. Upathilake, R., Li, Y., Matrawy, A.: A classification of web browser fingerprinting techniques. In: NTMS 2015, Paris, France, 27–29 July 2015, pp. 1–5. IEEE (2015)

  40. Ur, B., Leon, P.G., Cranor, L.F., Shay, R., Wang, Y.: Smart, useful, scary, creepy: perceptions of online behavioral advertising. In: SOUPS 2012, Washington, DC, USA, 11–13 July 2012, p. 4. ACM (2012)

  41. Vastel, A., Laperdrix, P., Rudametkin, W., Rouvoy, R.: FP-STALKER: tracking browser fingerprint evolutions. In: IEEE S&P 2018, San Francisco, CA, USA, 21–23 May 2018, pp. 1–14. IEEE (2018)

  42. Zhao, B., Liu, P.: Private browsing mode not really that private: dealing with privacy breach caused by browser extensions. In: IEEE/IFIP DSN 2015, Rio de Janeiro, Brazil, 22–25 June 2015, pp. 184–195 (2015)

  43. Zimmeck, S., Li, J.S., Kim, H., Bellovin, S.M., Jebara, T.: A privacy analysis of cross-device tracking. In: USENIX Security 2017, Vancouver, BC, Canada, 16–18 August 2017, pp. 1391–1408. USENIX Association (2017)

Author information

Correspondence to Nasser Mohammed Al-Fannah.

Appendices

A Crawling Components and Environment

A.1 Prepopulated List of Attributes

Resolution, OS, OS Version, User-Agent, Browser Name, Browser Version, WebGL Renderer, WebGL Vendor, WebGL Version, GPU, GPU Vendor, Installed Plugins, Language, Geolocation, City, IP Addresses, and Charset.

A.2 Crawler Software Components

| Component | Details |
|---|---|
| Browser add-on | FingerprintAlert 1.0 |
| Programming language | Python 3.6.3 |
| Automation tool | Selenium 3.8.1 |

A.3 Computing Environment

| Component | Details |
|---|---|
| Device | MacBook Pro (10.1.1) |
| OS | MacOS Sierra 12.1 |
| Browser | Chrome 62.0.3202.94 |

B Attributes Collected by Fingerprinters

B.1 WebGL

aliased line width range, aliased point size range, alpha bits, angle instanced arrays, antialiasing, blue bits, depth bits, experimental-webgl, ext blend min max, ext disjoint timer query, ext frag depth, ext shader texture lod, ext srgb, ext texture filter anisotropic, fragment shader high float precision, fragment shader high float precision range max, fragment shader high float precision range min, fragment shader high int precision, fragment shader high int precision range max, fragment shader high int precision range min, fragment shader low float precision, fragment shader low float precision range max, fragment shader low float precision range min, fragment shader low int precision, fragment shader low int precision range max, fragment shader low int precision range min, fragment shader medium float precision, fragment shader medium float precision range max, fragment shader medium float precision range min, fragment shader medium int precision, fragment shader medium int precision range max, fragment shader medium int precision range min, green bits, max 3d texture size, max anisotropy, max array texture layers, max color attachments, max combined fragment uniform components, max combined texture image units, max combined vertex uniform components, max cube map texture size, max draw buffers, max fragment input components, max fragment uniform blocks, max fragment uniform components, max fragment uniform vectors, max program texel offset, max render buffer size, max samples, max texture image units, max texture lodbias, max texture size, max transform feedback interleaved components, max transform feedback separate attribs, max transform feedback separate components, max uniform block size, max uniform buffer bindings, max varying components, max varying vectors, max vertex attribs, max vertex output components, max vertex texture image units, max vertex uniform blocks, max vertex uniform components, max vertex uniform vectors, max view port dims, min program texel offset, oes element index uint, oes standard derivatives, oes texture float, oes texture float linear, oes texture half float, oes texture half float linear, oes vertex array object, performance caveat, red bits, renderer, shading language version, stencil bits, unmasked renderer webgl, unmasked vendor webgl, vendor, version, vertex shader high float precision, vertex shader high float precision range max, vertex shader high float precision range min, vertex shader high int precision, vertex shader high int precision range max, vertex shader high int precision range min, vertex shader low float precision, vertex shader low float precision range max, vertex shader low float precision range min, vertex shader low int precision, vertex shader low int precision range max, vertex shader low int precision range min, vertex shader medium float precision, vertex shader medium float precision range max, vertex shader medium float precision range min, vertex shader medium int precision, vertex shader medium int precision range max, vertex shader medium int precision range min, webgl, webgl compressed texture s3tc, webgl compressed texture s3tc srgb, webgl debug renderer info, webgl debug shaders, webgl depth texture, webgl draw buffers, webgl lose context, webgl2, webkit ext texture filter anisotropic, webkit webgl compressed texture s3tc, webkit webgl depth texture, webkit webgl lose context.

B.2 Features

adblock, application cache, background size, blending, bluetooth, border image, border radius, box shadow, budget, canvas winding, credentials, css animations, css columns, css gradients, css reflections, css transforms, css transforms 3dc, css transitions, drag and drop, flex box, flex box legacy, font face, generated content, get battery, get game pads, get user media, hash change, history, hsla, img hash, inline svg, installed fonts, installed plugins, java enabled, js, media devices, mime types, multiple bgs, opacity, permissions, post message, presentation, register protocol handler, request media key system access, request midi access, rgba, send beacon, service worker, shockwave flash, smil, svg, svg clip paths, text shadow, towebp, unregister protocol handler, usb, vibrate, web sql database, web workers, webkit get user media, webkit persistent storage, webkit temporary storage, webrtc, websockets.

B.3 Media

ac-base latency, ac-channel count, ac-channel count mode, ac-channel interpretation, ac-max channel count, ac-number of inputs, ac-number of outputs, ac-sample rate, ac-state, an-channel count, an-channel count mode, an-channel interpretation, an-fft size, an-frequency bin count, an-max decibels, an-min decibels, an-number of inputs, an-number of outputs, an-smoothing time constant, audio ogg, avc1.42c00d, avc1.42e01e (mp4a.40.2), codecs1, dynamiccompressor, h264, hybridoscillator, mp3, mp4a.40.2, mpeg, opus, oscillator, theora, video mp4, video ogg, vorbis (ogg), vorbis (vp8), vorbis (vp9), vorbis (wav), wav, webm, wm4a.

B.4 Miscellaneous

app code name, battery level, charging, charging time, charset, collect time, cookie enabled, cpu cores, discharging time, do not track, geolocation, graphics card vendor, hardware concurrency, has timezone mismatch, incognito, indexed db, js heap size limit, languages, local storage, navigator, online, open data base, platform, product, product sub, referrer, renderer, session storage, timestamp, timezone, total js heap size, used js heap size, user agent, vendor, vendor sub.

B.5 Network

downlink, effectivetype, is proxied, is tor, is using tor exit node, local ip, onchange, public ipv4, public ipv6, rtt.

© 2018 Springer Nature Switzerland AG

Cite this paper

Al-Fannah, N.M., Li, W., Mitchell, C.J. (2018). Beyond Cookie Monster Amnesia: Real World Persistent Online Tracking. In: Chen, L., Manulis, M., Schneider, S. (eds) Information Security. ISC 2018. Lecture Notes in Computer Science, vol 11060. Springer, Cham. https://doi.org/10.1007/978-3-319-99136-8_26

  • DOI: https://doi.org/10.1007/978-3-319-99136-8_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-99135-1

  • Online ISBN: 978-3-319-99136-8

  • eBook Packages: Computer Science, Computer Science (R0)
