DOI: 10.1145/3419394.3423614
research-article

Who Touched My Browser Fingerprint?: A Large-scale Measurement Study and Classification of Fingerprint Dynamics

Published: 27 October 2020

Abstract

Browser fingerprints are dynamic, evolving as feature values change over time. Previous fingerprinting datasets are either small-scale, with only thousands of browser instances, or do not consider fingerprint dynamics. Thus, it remains unclear how an evolution-aware fingerprinting tool behaves in a real-world setting, e.g., on a website with millions of browser instances, let alone what fingerprint dynamics imply for privacy and security.
In this paper, we perform the first large-scale study of millions of fingerprints to analyze fingerprint dynamics on a real-world website. Our measurement study answers the question of how and why fingerprints change over time by classifying fingerprint dynamics into three categories based on their causes. We also draw several insights from our measurement; e.g., we show that a state-of-the-art fingerprinting tool performs poorly in terms of F1-Score and matching speed in this real-world setting.

Supplementary Material

MP4 File (long_version.mp4)
This is the video presentation for the paper "Who Touched My Browser Fingerprint?".
MP4 File (teaser.mp4)
This is the video presentation for the paper "Who Touched My Browser Fingerprint?".

Published In

IMC '20: Proceedings of the ACM Internet Measurement Conference
October 2020
751 pages
ISBN:9781450381383
DOI:10.1145/3419394
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • NSF

Conference

IMC '20
IMC '20: ACM Internet Measurement Conference
October 27 - 29, 2020
Virtual Event, USA

Acceptance Rates

IMC '20 Paper Acceptance Rate 53 of 216 submissions, 25%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (Last 12 months): 105
  • Downloads (Last 6 weeks): 9
Reflects downloads up to 07 Jan 2025

Cited By

  • (2024) Assessing Web Fingerprinting Risk. Companion Proceedings of the ACM Web Conference 2024, pp. 245-254. DOI: 10.1145/3589335.3648322. Online publication date: 13-May-2024
  • (2024) Accurate DNS server fingerprinting based on borderline behavior analysis. International Conference on Computer Graphics, Artificial Intelligence, and Data Processing (ICCAID 2023), p. 38. DOI: 10.1117/12.3026357. Online publication date: 27-Mar-2024
  • (2023) Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript. ACM Transactions on Internet Technology 23:1, pp. 1-28. DOI: 10.1145/3579846. Online publication date: 12-Jan-2023
  • (2023) Evaluating the Security Posture of Real-World FIDO2 Deployments. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2381-2395. DOI: 10.1145/3576915.3623063. Online publication date: 15-Nov-2023
  • (2022) A Survey of Browser Fingerprint Research and Application. Wireless Communications & Mobile Computing 2022. DOI: 10.1155/2022/3363335. Online publication date: 1-Jan-2022
  • (2021) FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 237-257. DOI: 10.1007/978-3-030-80825-9_12. Online publication date: 9-Jul-2021
