A Privacy Analysis of Cross-device Tracking

Online tracking is evolving from browser- and device-tracking to people-tracking. As users increasingly access the Internet from multiple devices, this new paradigm of tracking—in most cases for purposes of advertising—is aimed at crossing the boundary between a user’s individual devices and browsers. It establishes a person-centric view of a user across devices and seeks to combine the input from various data sources into an individual and comprehensive user profile. By its very nature, such cross-device tracking can in principle reveal a complete picture of a person and thus become more privacy-invasive than siloed tracking via HTTP cookies or other traditional and more limited tracking mechanisms. In this study we explore cross-device tracking techniques as well as their privacy implications. In particular, we demonstrate a method to detect the occurrence of cross-device tracking and, based on a cross-device tracking dataset that we collected from 126 Internet users, we explore the prevalence of cross-device trackers on mobile and desktop devices. We show that the similarity of IP addresses and Internet history for a user’s devices gives rise to a matching rate of F-1 = 0.91 for connecting a mobile to a desktop device in our dataset. This finding is especially noteworthy in light of the increase in learning power that cross-device companies may achieve by leveraging user data from more than one device. Given these privacy implications of cross-device tracking, we also examine compliance with applicable self-regulation for 40 cross-device companies and find that some are not transparent about their practices.
