Block Me If You Can: A Large-Scale Study of Tracker-Blocking Tools

In this paper, we quantify the effectiveness of third-party tracker blockers on a large scale. First, we analyze the architecture of various state-of-the-art blocking solutions and discuss the advantages and disadvantages of each method. Second, we perform a two-part measurement study on the effectiveness of popular tracker-blocking tools. Our analysis quantifies the protection offered against trackers present on more than 100,000 popular websites and 10,000 popular Android applications. We provide novel insights into the ongoing arms race between trackers and developers of blocking tools as well as which tools achieve the best results under what circumstances. Among others, we discover that rule-based browser extensions outperform learning-based ones, trackers with smaller footprints are more successful at avoiding being blocked, and CDNs pose a major threat towards the future of tracker-blocking tools. Overall, the contributions of this paper advance the field of web privacy by providing not only the largest study to date on the effectiveness of tracker-blocking tools, but also by highlighting the most pressing challenges and privacy issues of third-party tracking.

[1]  Jason Nieh,et al.  A measurement study of google play , 2014, SIGMETRICS '14.

[2]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[3]  Yang Wang,et al.  Why Johnny can't opt out: a usability evaluation of tools to limit online behavioral advertising , 2012, CHI.

[4]  John C. Mitchell,et al.  Third-Party Web Tracking: Policy and Technology , 2012, 2012 IEEE Symposium on Security and Privacy.

[5]  Nathaniel Good,et al.  Behavioral Advertising: The Offer You Can't Refuse , 2012 .

[6]  Информатика Public Suffix List , 2010 .

[7]  Saikat Guha,et al.  Privad: Practical Privacy in Online Advertising , 2011, NSDI.

[8]  Xiang Pan I Do Not Know What You Visited Last Summer : Protecting Users from Third-party Web Tracking with TrackingFree Browser , 2015 .

[9]  Vern Paxson,et al.  An Analysis of China's "Great Cannon" , 2015 .

[10]  Xiang Pan,et al.  I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser , 2015, NDSS.

[11]  Joseph Bonneau,et al.  Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning , 2015, NDSS.

[12]  Martín Abadi,et al.  Host Fingerprinting and Tracking on the Web: Privacy and Security Implications , 2012, NDSS.

[13]  R. Shay,et al.  Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising , 2012 .

[14]  Bernhard Ager,et al.  An Automated Approach for Complementing Ad Blockers’ Blacklists , 2015, Proc. Priv. Enhancing Technol..

[15]  Balachander Krishnamurthy,et al.  Privacy awareness about information leakage: who knows what about me? , 2013, WPES.

[16]  A. Narayanan,et al.  OpenWPM : An automated platform for web privacy measurement , 2016 .

[17]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[18]  Balachander Krishnamurthy,et al.  Privacy leakage vs . Protection measures : the growing disconnect , 2011 .

[19]  Steve Uhlig,et al.  Anatomy of the Third-Party Web Tracking Ecosystem , 2014, ArXiv.

[20]  Hao Chen,et al.  Investigating User Privacy in Android Ad Libraries , 2012 .

[21]  Chris Kanich,et al.  Leveraging Machine Learning to Improve Unwanted Resource Filtering , 2014, AISec '14.

[22]  Jonathan Mayer,et al.  A Promising Direction for Web Tracking Countermeasures , 2013 .

[23]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[24]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[25]  E. Felten,et al.  Cookies that give you away : Evaluating the surveillance implications of web tracking ( Draft : April 2 , 2014 ) , 2016 .

[26]  Georgios Kontaxis,et al.  Tracking Protection in Firefox For Privacy and Performance , 2015, ArXiv.

[27]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[28]  Lorrie Faith Cranor,et al.  Can Users Control Online Behavioral Advertising Effectively? , 2012, IEEE Security & Privacy.

[29]  Chris Palmer,et al.  Public Key Pinning Extension for HTTP , 2015, RFC.

[30]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[31]  Balachander Krishnamurthy,et al.  Generating a privacy footprint on the internet , 2006, IMC '06.

[32]  Xuxian Jiang,et al.  Unsafe exposure analysis of mobile in-app advertisements , 2012, WISEC '12.

[33]  Dan S. Wallach,et al.  Longitudinal Analysis of Android Ad Library Permissions , 2013, ArXiv.

[34]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[35]  Wouter Joosen,et al.  PriVaricator: Deceiving Fingerprinters with Little White Lies , 2015, WWW.

[36]  Sjouke Mauw,et al.  FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting , 2015, ESORICS.