The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

We present the first large-scale studies of three advanced web tracking mechanisms: canvas fingerprinting, evercookies, and the use of "cookie syncing" in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detecting and analysing ID flows, and we quantify the amplification of privacy-intrusive tracking practices due to cookie syncing. Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls, such as failing to clear state on multiple browsers at once, in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great difficulties in evading tracking techniques.
