Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors

Iqbal, Umar; Englehardt, Steven; Shafiq, Zubair

doi:10.1109/sp40001.2021.00017

Cited by 76 publications

(98 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While cookies and other types of client-side storage mechanisms (e.g., localStorage, In-dexedDB) can be directly observed and removed at the client-side, a browser's fingerprint is not readily visible at the client-side and it cannot be trivially removed or even modified. As web browsers have started to implement aggressive countermeasures against stateful track-ing [90,108,110], it has encouraged trackers to migrate to more opaque and invasive stateless tracking [41,90]. Browser fingerprinting is already being used for crosssite tracking [4,41,52] and is universally regarded as an abusive practice by standards bodies [23,77] and web browsers [15,55,73].…”

Section: Background and Related Work 21 Backgroundmentioning

confidence: 99%

“…As web browsers have started to implement aggressive countermeasures against stateful track-ing [90,108,110], it has encouraged trackers to migrate to more opaque and invasive stateless tracking [41,90]. Browser fingerprinting is already being used for crosssite tracking [4,41,52] and is universally regarded as an abusive practice by standards bodies [23,77] and web browsers [15,55,73].…”

Section: Background and Related Work 21 Backgroundmentioning

confidence: 99%

“…Similarly, the countermeasures against Battery Status, canvas, AudioContext, and WebGL fingerprinting were first proposed in 2016 [68], 2016 [5], 2017 [53], and 2019 [111], respectively, which is nearly 1-7 years after their adoption. Some recent heuristics and machine learning approaches [18,25,41,85,86] have attempted to detect known fingerprinting techniques and block the scripts that implement them. Englehardt and Narayanan [25] proposed heuristics to detect fingerprinting scripts that implement canvas, canvas Font, and webRTC fingerprinting techniques.…”

Section: Countermeasuresmentioning

confidence: 99%

“…While cookies are directly observable and removable at the client-side, a browser's fingerprint is not readily visible at the client-side and it cannot be trivially removed or even modified. As web browsers have started to implement aggressive countermeasures against stateful tracking [90,108,110], it has encouraged trackers to migrate to more opaque and invasive stateless tracking [41,90].…”

Section: Introductionmentioning

confidence: 99%

“…Browser fingerprinting and its privacy implications have received much attention from the research community. Researchers have conducted large-scale measurements to study the prevalence of browser fingerprinting [2,3,17,25,26,28,41,76,79]. However, prior research on browser fingerprinting is lacking in two major ways.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

Bahrami

Iqbal

Shafiq

2022

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

Browser fingerprinting is a stateless tracking technique that aims to combine information exposed by multiple different web APIs to create a unique identifier for tracking users across the web. Over the last decade, trackers have abused several existing and newly proposed web APIs to further enhance the browser fingerprint. Existing approaches are limited to detecting a specific fingerprinting technique(s) at a particular point in time. Thus, they are unable to systematically detect novel fingerprinting techniques that abuse different web APIs. In this paper, we propose FP-Radar, a machine learning approach that leverages longitudinal measurements of web API usage on top-100K websites over the last decade for early detection of new and evolving browser fingerprinting techniques. The results show that FP-Radar is able to early detect the abuse of newly introduced properties of already known (e.g., WebGL, Sensor) and as well as previously unknown (e.g., Gamepad, Clipboard) APIs for browser fingerprinting. To the best of our knowledge, FP-Radar is the first to detect the abuse of the Visibility API for ephemeral fingerprinting in the wild.

show abstract

Section: Background and Related Work 21 Backgroundmentioning

confidence: 99%

Section: Background and Related Work 21 Backgroundmentioning

confidence: 99%

Section: Countermeasuresmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

Bahrami

Iqbal

Shafiq

2022

Proceedings on Privacy Enhancing Technologies

Self Cite

View full text Add to dashboard Cite

show abstract

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Durey

Laperdrix

Rudametkin

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Browser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous purposes, such as bot detection or multi-factor authentication. In this paper, we explore the adoption of browser fingerprinting for security-oriented purposes. More specifically, we study 4 types of web pages that require security mechanisms to process user data: sign-up, sign-in, basket and payment pages. We visited 1, 485 pages on 446 domains and we identified the acquisition of browser fingerprints from 405 pages. By using an existing classification technique, we identified 169 distinct browser fingerprinting scripts included in these pages. By investigating the origins of the browser fingerprinting scripts, we identified 12 security-oriented organizations who collect browser fingerprints on sign-up, sign-in, and payment pages. Finally, we assess the effectiveness of browser fingerprinting against two potential attacks, namely stolen credentials and cookie hijacking. We observe browser fingerprinting being successfully used to enhance web security.

show abstract

Socially-Critical Software Systems: Is Extended Regulation Required?

Dagg

Kostick

Fallon

et al. 2022

Communications in Computer and Information Science

View full text Add to dashboard Cite

Data has become a prevailing aspect of our daily lives, becoming ever more present since the beginning of the 21st century. It is a commodity in today's world and the amount of data being produced has increased enormously. One of the major ways data is produced and collected is from the use of websites and web-based applications. This data is later used for many different purposes. This paper presents findings from a multivocal literature review, exploring the methods of how this data is collected, what the data is used for once it has been collected, the ethics of data and its collection, and the future of data collection. Among the possible futures, we introduce the concept of socially-critical applications, where data harvesting in web-based applications might require premarket disclosure and evaluation by notified bodies (instructed by regulation) as a means to break the existing cycle of technology companies outpacing underresourced and ill-equipped regulators. Rather than regulators continually falling short of enacting laws to satisfy the common good, a new class of socially-critical application could be created in law to permit pre-market evaluation of applications (or versions of applications) that could undermine or interrupt the common good.

show abstract

Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors

Cited by 76 publications

References 37 publications

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Socially-Critical Software Systems: Is Extended Regulation Required?

Contact Info

Product

Resources

About