research-article

Free access

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale

Authors:

Alejandro Gómez-Boix,

Pierre Laperdrix,

Benoit BaudryAuthors Info & Claims

WWW '18: Proceedings of the 2018 World Wide Web Conference

Pages 309 - 318

https://doi.org/10.1145/3178876.3186097

Published: 23 April 2018 Publication History

All formats PDF

Abstract

Browser fingerprinting is a stateless technique, which consists in collecting a wide range of data about a device through browser APIs. Past studies have demonstrated that modern devices present so much diversity that fingerprints can be exploited to identify and track users online. With this work, we want to evaluate if browser fingerprinting is still effective at uniquely identifying a large group of users when analyzing millions of fingerprints over a few months. We collected 2,067,942 browser fingerprints from one of the top 15 French websites. The analysis of this novel dataset sheds a new light on the ever-growing browser fingerprinting domain. The key insight is that the percentage of unique fingerprints in our dataset is much lower than what was reported in the past: only 33.6% of fingerprints are unique by opposition to over 80% in previous studies. We show that non-unique fingerprints tend to be fragile. If some features of the fingerprint change, it is very probable that the fingerprint will become unique. We also confirm that the current evolution of web technologies is benefiting users» privacy significantly as the removal of plugins brings down substantively the rate of unique desktop machines.

References

[1]

2015. Pale Moon browser - Version 25.6.0 adds a canvas poisoning feature. (2015). https://www.palemoon.org/releasenotes.shtml.

[2]

2017. Fingerprinting protection in Firefox as part of the Tor Uplift Project -- Mozilla Wiki. (2017). https://wiki.mozilla.org/Security/Fingerprinting.

[3]

2017. Fingerprinting Protection Mode -- Brave browser. (2017). https: //github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode.

[4]

2017. Flash & The Future of Interactive Content -- Adobe. (2017). https: //blogs.adobe.com/conversations/2017/07/adobe-flash-update.html.

[5]

2017. Mitigating Browser Fingerprinting in Web Specifications -- W3C Draft. (2017). https://w3c.github.io/fingerprinting-guidance/.

[6]

2017. Operating System Market Share Worldwide -- StatCounter. (2017). http: //gs.statcounter.com/os-market-share.

[7]

2017. The Design and Implementation of the Tor Browser {DRAFT} 'CrossOrigin Fingerprinting Unlinkability' -- Tor Project Official website. (2017). https: //www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability.

[8]

2017. The state of the blocked web - 2017 Global Adblock Report by PageFair. (2017). https://pagefair.com/downloads/2017/01/PageFair-2017-AdblockReport.pdf.

[9]

2017. Tor Uplift Project -- Mozilla Wiki. (2017). https://wiki.mozilla.org/Security/ TorUplift.

[10]

Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). ACM, New York, NY, USA, 674--689.

Digital Library

[11]

Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 1129--1140.

Digital Library

[12]

Peter Baumann, Stefan Katzenbeisser, Martin Stopczynski, and Erik Tews. 2016. Disguised Chromium Browser: Robust Browser, Flash and Canvas Fingerprinting Protection. In Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society (WPES '16). ACM, New York, NY, USA, 37--46.

Digital Library

[13]

Károly Boda, Ádám Máté Földes, Gábor György Gulyás, and Sándor Imre. 2012. User Tracking on the Web via Cross-Browser Fingerprinting. Lecture Notes in Computer Science, Vol. 7161. Springer Berlin Heidelberg, Berlin, Heidelberg, 31--46.

[14]

Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In 24nd Annual Network and Distributed System Security Symposium, NDSS.

[15]

Peter Eckersley. 2010. How Unique is Your Web Browser?. In Proceedings of the 10th International Conference on Privacy Enhancing Technologies (PETS'10). Springer-Verlag, Berlin, Heidelberg, 1--18. http://dl.acm.org/citation.cfm?id= 1881151.1881152

Digital Library

[16]

Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-million-site Measurement and Analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). ACM, New York, NY, USA, 1388--1401.

Digital Library

[17]

Amin FaizKhademi, Mohammad Zulkernine, and Komminist Weldemariam. 2015. FPGuard: Detection and Prevention of Browser Fingerprinting. In Data and Applications Security and Privacy XXIX. Lecture Notes in Computer Science, Vol. 9149. Springer International Publishing, 293--308.

[18]

David Fifield and Serge Egelman. 2015. Fingerprinting web users through font metrics. In Proceedings of the 19th international conference on Financial Cryptography and Data Security. Springer-Verlag, Berlin, Heidelberg.

[19]

Ugo Fiore, Aniello Castiglione, Alfredo De Santis, and Francesco Palmieri. 2014. Countering Browser Fingerprinting Techniques: Constructing a Fake Profile with Google Chrome. In Network-Based Information Systems (NBiS), 2014 17th International Conference on. IEEE, 355--360.

Digital Library

[20]

Pierre Laperdrix, Benoit Baudry, and Vikas Mishra. 2017. FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques. In 9th International Symposium on Engineering Secure Software and Systems (ESSoS 2017). Bonn, Germany. https://hal.inria.fr/hal-01527580

[21]

Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2015. Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification. In 10th International Symposium on Software Engineering for Adaptive and SelfManaging Systems (SEAMS 2015). Firenze, Italy. https://hal.inria.fr/hal-01121108

Digital Library

[22]

Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In 37th IEEE Symposium on Security and Privacy (S&P 2016). San Jose, United States. https://hal.inria.fr/hal-01285470

[23]

Rob McCarney, James Warner, Steve Iliffe, Robbert Van Haselen, Mark Griffin, and Peter Fisher. 2007. The Hawthorne Effect: a randomised, controlled trial. BMC medical research methodology 7, 1 (2007), 30.

[24]

Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham. 2011. Fingerprinting Information in JavaScript Implementations. In Proceedings of W2SP 2011, Helen Wang (Ed.). IEEE Computer Society.

[25]

Keaton Mowery and Hovav Shacham. 2012. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP 2012, Matt Fredrikson (Ed.). IEEE Computer Society.

[26]

Martin Mulazzani, Philipp Reschl, Markus Huber, Manuel Leithner, Sebastian Schrittwieser, Edgar Weippl, and FH Campus Wien. 2013. Fast and reliable browser identification with javascript engine fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP), Vol. 5.

[27]

Mozilla Developer Network and individual contributors. 2017. Firefox 52 for developers. (2017). https://developer.mozilla.org/en-US/Firefox/Releases/52

[28]

Nick Nikiforakis, Wouter Joosen, and Benjamin Livshits. 2015. PriVaricator: Deceiving Fingerprinters with Little White Lies. In Proceedings of the 24th International Conference on World Wide Web (WWW '15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 820--830.

Digital Library

[29]

Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP '13). IEEE Computer Society, Washington, DC, USA, 541--555.

Digital Library

[30]

Łukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. 2016. The Leaking Battery. Springer International Publishing, Cham, 254--263.

[31]

Lukasz Olejnik, Steven Englehardt, and Arvind Narayanan. 2017. Battery Status Not Included: Assessing Privacy in Web Standards. In 3rd International Workshop on Privacy Engineering (IWPE'17). San Jose, United States.

[32]

Iskander Sanchez-Rola, Igor Santos, and Davide Balzarotti. 2017. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC. https://www.usenix.org/conference/usenixsecurity17/technicalsessions/presentation/sanchez-rola

[33]

J. Schuh. 2013. Saying Goodbye to Our Old Friend NPAPI. (September 2013). https: //blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html.

[34]

Alexander Sjösten, Steven Van Acker, and Andrei Sabelfeld. 2017. Discovering Browser Extensions via Web Accessible Resources. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy (CODASPY '17). ACM, New York, NY, USA, 329--336.

Digital Library

[35]

Jan Spooren, Davy Preuveneers, and Wouter Joosen. 2015. Mobile Device Fingerprinting Considered Harmful for Risk-based Authentication. In Proceedings of the Eighth European Workshop on System Security (EuroSec '15). ACM, New York, NY, USA, Article 6, 6 pages.

Digital Library

[36]

Oleksii Starov and Nick Nikiforakis. 2017. XHOUND: Quantifying the Fingerprintability of Browser Extensions. In 38th IEEE Symposium on Security and Privacy (S&P 2017). San Jose, United States.

[37]

Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking Browser Fingerprint Evolutions. In 39th IEEE Symposium on Security and Privacy (S&P 2018). San Fransisco, United States.

[38]

W. Wu, J. Wu, Y. Wang, Z. Ling, and M. Yang. 2016. Efficient Fingerprinting-Based Android Device Identification With Zero-Permission Identifiers. IEEE Access 4 (2016), 8073--8083.

Cited By

Sim KHeo HCho H(2024)Combating Web Tracking: Analyzing Web Tracking Technologies for User PrivacyFuture Internet10.3390/fi1610036316:10(363)Online publication date: 5-Oct-2024
https://doi.org/10.3390/fi16100363
Yan YZhao HQu H(2024)A Browser Fingerprint Authentication Scheme Based on the Browser Cache Side-Channel TechnologyElectronics10.3390/electronics1314272813:14(2728)Online publication date: 11-Jul-2024
https://doi.org/10.3390/electronics13142728
Guo ZKang MVenkatakrishnan VGjomemo RCao YLuo BLiao XXu JKirda ELie D(2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670331
Show More Cited By

Index Terms

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale
1. Information systems
  1. World Wide Web
    1. Web interfaces
      1. Browsers
    2. Web searching and information discovery
2. Security and privacy
  1. Human and societal aspects of security and privacy

Recommendations

A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication
Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improve the current state of web security by ...
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

We present the first large-scale studies of three advanced web tracking mechanisms - canvas fingerprinting, evercookies and use of "cookie syncing" in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser ...
Web-based Fingerprinting Techniques
ICETE 2016: Proceedings of the 13th International Joint Conference on e-Business and Telecommunications

The concept of device fingerprinting is based in the assumption that each electronic device holds a unique set

of physical and/or logical features that others can capture and use to differentiate it from the whole. Web-based

fingerprinting, a particular ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

WWW '18: Proceedings of the 2018 World Wide Web Conference

April 2018

2000 pages

ISBN:9781450356398

General Chairs:
Pierre-Antoine Champin
Universitè Claude Bernard Lyon 1, France
,
Fabien Gandon
Inria, Université Côte d'Azur, CNRS, I3S, France
,
Lionel Médini
Université Claude Bernard Lyon 1, France
,
Program Chairs:
Mounia Lalmas
Spotify, UK
,
Panagiotis G. Ipeirotis
New York University, USA

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

IW3C2: International World Wide Web Conference Committee

In-Cooperation

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

International World Wide Web Conferences Steering Committee

Republic and Canton of Geneva, Switzerland

Publication History

Published: 23 April 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WWW '18

Sponsor:

IW3C2

WWW '18: The Web Conference 2018

April 23 - 27, 2018

Lyon, France

Acceptance Rates

WWW '18 Paper Acceptance Rate 170 of 1,155 submissions, 15%;

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

73
Total Citations
View Citations
3,844
Total Downloads

Downloads (Last 12 months)1,082
Downloads (Last 6 weeks)96

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sim KHeo HCho H(2024)Combating Web Tracking: Analyzing Web Tracking Technologies for User PrivacyFuture Internet10.3390/fi1610036316:10(363)Online publication date: 5-Oct-2024
https://doi.org/10.3390/fi16100363
Yan YZhao HQu H(2024)A Browser Fingerprint Authentication Scheme Based on the Browser Cache Side-Channel TechnologyElectronics10.3390/electronics1314272813:14(2728)Online publication date: 11-Jul-2024
https://doi.org/10.3390/electronics13142728
Guo ZKang MVenkatakrishnan VGjomemo RCao YLuo BLiao XXu JKirda ELie D(2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670331
Vigl WAbramova SMonga MLonati VBarendsen ESheard JPaterson J(2024)Design and Use of Privacy Capture-the-Flag Challenges in an Introductory Class on Information Privacy and SecurityProceedings of the 2024 on Innovation and Technology in Computer Science Education V. 110.1145/3649217.3653572(618-624)Online publication date: 3-Jul-2024
https://dl.acm.org/doi/10.1145/3649217.3653572
Huyghe MQuinton CRudametkin W(2024)Taming the Variability of Browser FingerprintsProceedings of the 28th ACM International Systems and Software Product Line Conference10.1145/3646548.3672591(66-71)Online publication date: 2-Sep-2024
https://dl.acm.org/doi/10.1145/3646548.3672591
Kalantari FZaeifi MSafaei YBitaab MOest AStringhini GShoshitaishvili YDoupé AVallina-Rodríguez NSuarez-Tángil GLevin DPelsser C(2024)Browser Polygraph: Efficient Deployment of Coarse-Grained Browser Fingerprints for Web-Scale Detection of Fraud BrowsersProceedings of the 2024 ACM on Internet Measurement Conference10.1145/3646547.3688455(681-703)Online publication date: 4-Nov-2024
https://dl.acm.org/doi/10.1145/3646547.3688455
Bacis EBilogrevic IBusa-Fekete RHerath ASartori ASyed UChua TNgo CKumar RLauw HKa-Wei Lee R(2024)Assessing Web Fingerprinting RiskCompanion Proceedings of the ACM Web Conference 202410.1145/3589335.3648322(245-254)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589335.3648322
Chang YShih HLin T(2024)AI-URG: Account Identity-Based Uncertain Graph Framework for Fraud DetectionIEEE Transactions on Computational Social Systems10.1109/TCSS.2023.332573911:3(3706-3728)Online publication date: Jun-2024
https://doi.org/10.1109/TCSS.2023.3325739
Callejo PGómez Fernández IBagnulo M(2024)“Animation” URL in NFT marketplaces considered harmful for privacyInternational Journal of Information Security10.1007/s10207-024-00908-x23:6(3749-3763)Online publication date: 17-Sep-2024
https://doi.org/10.1007/s10207-024-00908-x
Torres CWilli FShinde SCalandrino JTroncoso C(2023)Is your wallet snitching on you? an analysis on the privacy implications of web3Proceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620281(769-786)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620281
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten