Journal Details
Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting

Published Online: 03 Mar 2022
Volume & Issue: Volume 2022 (2022) - Issue 2 (April 2022)
Page range: 557 - 577
Received: 31 Aug 2021
Accepted: 16 Dec 2021
Abstract

Browser fingerprinting is a stateless tracking technique that combines information exposed by multiple web APIs to create a unique identifier for tracking users across the web. Over the last decade, trackers have abused several existing and newly proposed web APIs to further enhance the browser fingerprint. Existing approaches are limited to detecting specific fingerprinting techniques at a particular point in time. Thus, they are unable to systematically detect novel fingerprinting techniques that abuse different web APIs. In this paper, we propose FP-Radar, a machine learning approach that leverages longitudinal measurements of web API usage on top-100K websites over the last decade for early detection of new and evolving browser fingerprinting techniques. The results show that FP-Radar is able to detect, at an early stage, the abuse for browser fingerprinting of newly introduced properties of already known APIs (e.g., WebGL, Sensor) as well as of previously unknown APIs (e.g., Gamepad, Clipboard). To the best of our knowledge, FP-Radar is the first to detect the abuse of the Visibility API for ephemeral fingerprinting in the wild.


