FP-STALKER: Tracking Browser Fingerprint Evolutions

Browser fingerprinting has emerged as a technique to track users without their consent. Unlike cookies, fingerprinting is a stateless technique that does not store any information on devices, but instead exploits unique combinations of attributes handed over freely by browsers. The uniqueness of fingerprints allows them to be used for identification. However, browser fingerprints change over time and the effectiveness of tracking users over longer durations has not been properly addressed. In this paper, we show that browser fingerprints tend to change frequently—from every few hours to days—due to, for example, software updates or configuration changes. Yet, despite these frequent changes, we show that browser fingerprints can still be linked, thus enabling long-term tracking. FP-STALKER is an approach to link browser fingerprint evolutions. It compares fingerprints to determine if they originate from the same browser. We created two variants of FP-STALKER, a rule-based variant that is faster, and a hybrid variant that exploits machine learning to boost accuracy. To evaluate FP-STALKER, we conduct an empirical study using 98,598 fingerprints we collected from 1, 905 distinct browser instances. We compare our algorithm with the state of the art and show that, on average, we can track browsers for 54.48 days, and 26 % of browsers can be tracked for more than 100 days.

[1]  Hovav Shacham,et al.  Fingerprinting Information in JavaScript Implementations , 2011 .

[2]  Benoit Baudry,et al.  FPRandom: Randomizing Core Browser Objects to Break Advanced Device Fingerprinting Techniques , 2017, ESSoS.

[3]  Martín Abadi,et al.  Host Fingerprinting and Tracking on the Web: Privacy and Security Implications , 2012, NDSS.

[4]  Thorsten Holz,et al.  On the Robustness of Mobile Device Fingerprinting: Can Mobile Users Escape Modern Web-Tracking Mechanisms? , 2015, ACSAC 2015.

[5]  Laurent Heutte,et al.  Influence of Hyperparameters on Random Forest Accuracy , 2009, MCS.

[6]  José Francisco Martínez Trinidad,et al.  An Empirical Study of Oversampling and Undersampling Methods for LCMine an Emerging Pattern Based Classifier , 2013, MCPR.

[7]  Sándor Imre,et al.  User Tracking on the Web via Cross-Browser Fingerprinting , 2011, NordSec.

[8]  Walter Rudametkin,et al.  Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[9]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[10]  Sjouke Mauw,et al.  FP-Block: Usable Web Privacy by Controlling Browser Fingerprinting , 2015, ESORICS.

[11]  Walter Rudametkin,et al.  Mitigating Browser Fingerprint Tracking: Multi-level Reconfiguration and Diversification , 2015, 2015 IEEE/ACM 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems.

[12]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[13]  Serge Egelman,et al.  Fingerprinting Web Users Through Font Metrics , 2015, Financial Cryptography.

[14]  E. Weippl,et al.  Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting , 2013 .

[15]  Gilles Louppe,et al.  Understanding variable importances in forests of randomized trees , 2013, NIPS.

[16]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[17]  Ming Yang,et al.  Efficient Fingerprinting-Based Android Device Identification With Zero-Permission Identifiers , 2016, IEEE Access.

[18]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[19]  Paul C. van Oorschot,et al.  Device fingerprinting for augmenting web authentication: classification and analysis of methods , 2016, ACSAC.

[20]  Leo Breiman,et al.  Random Forests , 2001, Machine Learning.

[21]  Song Li,et al.  (Cross-)Browser Fingerprinting via OS and Hardware Level Features , 2017, NDSS.

[22]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .