CS Table: Browser Fingerprinting and Web Tracking

This Friday in CS Table, we will consider recent trends in browser tracking. That is, we will explore the ways in which people who want to know what you are doing on the Web can keep track of you. We have one popular CS article and one research paper.

Nikiforakis, Nick & Güneş Acar (2014). Browser Fingerprinting and the Online Tracking Arms Race. IEEE Spectrum, August 2014. Also available at http://spectrum.ieee.org/computing/software/browser-fingerprinting-and-the-onlinetracking-arms-race.

In July 1993, The New Yorker published a cartoon by Peter Steiner that depicted a Labrador retriever sitting on a chair in front of a computer, paw on the keyboard, as he turns to his beagle companion and says, “On the Internet, nobody knows you’re a dog.” Two decades later, interested parties not only know you’re a dog, they also have a pretty good idea of the color of your fur, how often you visit the vet, and what your favorite doggy treat is.

How do they get all that information? In a nutshell: Online advertisers collaborate with websites to gather your browsing data, eventually building up a detailed profile of your interests and activities. These browsing profiles can be so specific that they allow advertisers to target populations as narrow as mothers with teenage children or people who require allergy-relief products. When this tracking of our browsing habits is combined with our self-revelations on social media, merchants’ records of our off-line purchases, and logs of our physical whereabouts derived from our mobile phones, the information that commercial organizations, much less government snoops, can compile about us becomes shockingly revealing.

Here we examine the history of such tracking on the Web, paying particular attention to a recent phenomenon called fingerprinting, which enables companies to spy on people even when they configure their browsers to avoid being tracked.

Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. Preprint available at https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html.

We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies and use of “cookie syncing” in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detecting and analysing ID flows and we quantify the amplification of privacy-intrusive tracking practices due to cookie syncing.

Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls — such as failing to clear state on multiple browsers at once — in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great difficulties in evading tracking techniques.

