research-article

Don’t Count Me Out: On the Relevance of IP Address in the Tracking Ecosystem

Authors:

Pierre Laperdrix,

Antoine Vastel,

Walter Rudametkin,

Martin LopatkaAuthors Info & Claims

WWW '20: Proceedings of The Web Conference 2020

Pages 808 - 815

https://doi.org/10.1145/3366423.3380161

Published: 20 April 2020 Publication History

Abstract

Targeted online advertising has become an inextricable part of the way Web content and applications are monetized. At the beginning, online advertising consisted of simple ad-banners broadly shown to website visitors. Over time, it evolved into a complex ecosystem that tracks and collects a wealth of data to learn user habits and show targeted and personalized ads. To protect users against tracking, several countermeasures have been proposed, ranging from browser extensions that leverage filter lists, to features natively integrated into popular browsers like Firefox and Brave to combat more modern techniques like browser fingerprinting. Nevertheless, few browsers offer protections against IP address-based tracking techniques. Notably, the most popular browsers, Chrome, Firefox, Safari and Edge do not offer any.

In this paper, we study the stability of the public IP addresses a user device uses to communicate with our server. Over time, a same device communicates with our server using a set of distinct IP addresses, but we find that devices reuse some of their previous IP addresses for long periods of time. We call this IP address retention and, the duration for which an IP address is retained by a device, is named the IP address retention period.

We present an analysis of 34,488 unique public IP addresses collected from 2,230 users over a period of 111 days and we show that IP addresses remain a prime vector for online tracking. 87 % of participants retain at least one IP address for more than a month and 45 % of ISPs in our dataset allow keeping the same IP address for more than 30 days. Furthermore, we also detect the presence of cycles of IP addresses in a user’s history and highlight their potential to be abused to infer traits of the user behaviour, as well as mobility traces. Our findings paint a bleak picture of the current state of online tracking at a time where IP addresses are overlooked compared to other techniques like cookies or fingerprinting.

References

[1]

2019. Tor Browser - Tor Project Official website. https://www.torproject.org/projects/torbrowser.html.

[2]

Accessed on 2019-10-04. AmIUnique: Platform to collect browser fingerprints. https://amiunique.org

[3]

AdBlock. 2018. AdBlock. https://getadblock.com/

[4]

Miguel E. Andrés, Nicolás E. Bordenabe, Konstantinos Chatzikokolakis, and Catuscia Palamidessi. 2013. Geo-indistinguishability: Differential Privacy for Location-based Systems. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security(CCS ’13). ACM, New York, NY, USA, 901–914. https://doi.org/10.1145/2508859.2516735

Digital Library

[5]

Mika D Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle. 2011. Flash cookies and privacy II: Now with HTML5 and ETag respawning. Available at SSRN 1898390(2011).

[6]

Facebook business. 2019. Help your ads find the people who will love your business.https://www.facebook.com/business/ads/ad-targeting

[7]

Yves-Alexandre De Montjoye, César A Hidalgo, Michel Verleysen, and Vincent D Blondel. 2013. Unique in the crowd: The privacy bounds of human mobility. Scientific reports 3(2013), 1376.

[8]

Arthur Edelstein. 2019. Protections Against Fingerprinting and Cryptocurrency Mining Available in Firefox Nightly and Beta. https://blog.mozilla.org/futurereleases/2019/04/09/protections-against-fingerprinting-and-cryptocurrency-mining-available-in-firefox-nightly-and-beta/

[9]

Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. ACM, 1388–1401.

Digital Library

[10]

Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W Felten. 2015. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the 24th International Conference on World Wide Web. International World Wide Web Conferences Steering Committee, 289–299.

Digital Library

[11]

Electronic Frontier Foundation. 2018. Privacy Badger. https://www.eff.org/fr/node/99095

[12]

Cliqz International GmbH. 2018. Ghostery. https://www.ghostery.com

[13]

Eyeo GmbH. 2018. Adblock Plus. https://adblockplus.org/

[14]

Raymond Hill. 2018. uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.https://github.com/gorhill/uBlock

[15]

Umar Iqbal, Peter Snyder, Shitong Zhu, Benjamin Livshits, Zhiyun Qian, and Zubair Shafiq. 2020. ADGRAPH: A Graph-Based Approach to Ad and Tracker Blocking. IEEE Security and Privacy(2020).

[16]

Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 878–894.

[17]

Timothy Libert. 2015. Exposing the Invisible Web: An Analysis of Third-Party HTTP Requests on 1 Million Websites. International Journal of Communication 9, 0 (2015). https://ijoc.org/index.php/ijoc/article/view/3646

[18]

Ioana Livadariu, Karyn Benson, Ahmed Elmokashfi, Amogh Dhamdhere, and Alberto Dainotti. 2018. Inferring carrier-grade NAT deployment in the wild. In IEEE INFOCOM 2018-IEEE Conference on Computer Communications. IEEE, 2249–2257.

[19]

Gregor Maier, Anja Feldmann, Vern Paxson, and Mark Allman. 2009. On dominant characteristics of residential broadband internet traffic. In Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement. ACM, 90–102.

Digital Library

[20]

Jonathan R Mayer and John C Mitchell. 2012. Third-party web tracking: Policy and technology. In 2012 IEEE symposium on security and privacy. IEEE, 413–427.

Digital Library

[21]

Xianghang Mi, Ying Liu, Xuan Feng, Xiaojing Liao, Baojun Liu, XiaoFeng Wang, Feng Qian, Zhou Li, Sumayah Alrwais, and Limin Sun. 2019. Resident Evil: Understanding residential ip proxy as a dark service. In Resident Evil: Understanding Residential IP Proxy as a Dark Service. IEEE, 0.

[22]

Opera. 2019. Free VPN | Browser with built-in VPN | Download | Opera. https://www.opera.com/computer/features/free-vpn

[23]

Ramakrishna Padmanabhan, Amogh Dhamdhere, Emile Aben, kc claffy, and Neil Spring. 2016. Reasons Dynamic Addresses Change. In Proceedings of the 2016 Internet Measurement Conference(IMC ’16). ACM, New York, NY, USA, 183–198. https://doi.org/10.1145/2987443.2987461

Digital Library

[24]

Justin Schuh. 2019. Building a more private web. https://www.blog.google/products/chrome/building-a-more-private-web/

[25]

Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking Browser Fingerprint Evolutions. In IEEE S&P 2018-39th IEEE Symposium on Security and Privacy. IEEE, 1–14.

[26]

John Wilander. 2017. Intelligent Tracking Prevention | WebKit. https://webkit.org/blog/7675/intelligent-tracking-prevention/

[27]

Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, and Edgar Weippl. 2014. Spoiled onions: Exposing malicious Tor exit relays. In International Symposium on Privacy Enhancing Technologies Symposium. Springer, 304–331.

[28]

Yinglian Xie, Fang Yu, Kannan Achan, Eliot Gillum, Moises Goldszmidt, and Ted Wobber. 2007. How dynamic are IP addresses?. In ACM SIGCOMM Computer Communication Review, Vol. 37. ACM, 301–312.

[29]

Ting-Fang Yen, Yinglian Xie, Fang Yu, Roger Peng Yu, and Martin Abadi. 2012. Host Fingerprinting and Tracking on the Web: Privacy and Security Implications. In NDSS, Vol. 62. Citeseer, 66.

[30]

Sebastian Zimmeck, Jie S Li, Hyungtae Kim, Steven M Bellovin, and Tony Jebara. 2017. A privacy analysis of cross-device tracking. In 26th USENIX Security Symposium (USENIX Security 17). 1391–1408.

Digital Library

Cited By

Chang YShih HLin T(2024)AI-URG: Account Identity-Based Uncertain Graph Framework for Fraud DetectionIEEE Transactions on Computational Social Systems10.1109/TCSS.2023.332573911:3(3706-3728)Online publication date: Jun-2024
https://doi.org/10.1109/TCSS.2023.3325739
Vänskä ARauti SHeino TCarlsson RMickelsson SSärmäkari N(2024)Fair Data is the New Black: Online Shopping, Data Leaks, and Broadening the Understanding of Sustainable FashionFashion Theory10.1080/1362704X.2024.2339251(1-29)Online publication date: 26-Apr-2024
https://doi.org/10.1080/1362704X.2024.2339251
Bou Abdo JZeadally S(2024)Disposable identities: Solving web trackingJournal of Information Security and Applications10.1016/j.jisa.2024.10382184(103821)Online publication date: Aug-2024
https://doi.org/10.1016/j.jisa.2024.103821
Show More Cited By

Index Terms

Don’t Count Me Out: On the Relevance of IP Address in the Tracking Ecosystem

Index terms have been assigned to the content through auto-classification.

Recommendations

IP routing on logical address group
IC3N '97: Proceedings of the 6th International Conference on Computer Communications and Networks

In principle, more than one routers are intervened between different IP subnets. IETF RFC1577 "Classical IP and ARP over ATM", which is specified to provide IP services on an ATM network, also requires that the router be used between different logical ...
Extending the IP internet through address reuse

The two most compelling problems facing the IP Internet are IP address depletion and scaling in routing. This paper discusses the characteristics of one of the proposed solutions---address reuse. The solution is to place Network Address Translators (Nat)...
RFC3022: Traditional IP Network Address Translator (Traditional NAT)

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WWW '20: Proceedings of The Web Conference 2020

April 2020

3143 pages

ISBN:9781450370233

DOI:10.1145/3366423

Editors:
Yennun Huang
Acadmica sinica, Taiwan
,
Irwin King
The Chinese University of Hong Kong, Hong Kong
,
Tie-Yan Liu
Microsoft Research Asia, China
,
Maarten van Steen
University of Twente, Netherlands

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 April 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

WWW '20

Sponsor:

SIGWEB

WWW '20: The Web Conference 2020

April 20 - 24, 2020

Taipei, Taiwan

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
586
Total Downloads

Downloads (Last 12 months)134
Downloads (Last 6 weeks)8

Reflects downloads up to 01 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chang YShih HLin T(2024)AI-URG: Account Identity-Based Uncertain Graph Framework for Fraud DetectionIEEE Transactions on Computational Social Systems10.1109/TCSS.2023.332573911:3(3706-3728)Online publication date: Jun-2024
https://doi.org/10.1109/TCSS.2023.3325739
Vänskä ARauti SHeino TCarlsson RMickelsson SSärmäkari N(2024)Fair Data is the New Black: Online Shopping, Data Leaks, and Broadening the Understanding of Sustainable FashionFashion Theory10.1080/1362704X.2024.2339251(1-29)Online publication date: 26-Apr-2024
https://doi.org/10.1080/1362704X.2024.2339251
Bou Abdo JZeadally S(2024)Disposable identities: Solving web trackingJournal of Information Security and Applications10.1016/j.jisa.2024.10382184(103821)Online publication date: Aug-2024
https://doi.org/10.1016/j.jisa.2024.103821
Rauti SCarlsson RMickelsson SMäkilä THeino TPirjatanniemi ELeppänen V(2024)Analyzing third-party data leaks on online pharmacy websitesHealth and Technology10.1007/s12553-024-00819-w14:2(375-392)Online publication date: 3-Feb-2024
https://doi.org/10.1007/s12553-024-00819-w
Buchet ASnyder PHaddadi HPelsser C(2023)Detecting IP-tracking proof interfaces by looking for NATs2023 7th Network Traffic Measurement and Analysis Conference (TMA)10.23919/TMA58422.2023.10198950(1-4)Online publication date: 26-Jun-2023
https://doi.org/10.23919/TMA58422.2023.10198950
Carlsson RRauti SHeino T(2023)Data leaks to third parties in web services for vulnerable groups2023 46th MIPRO ICT and Electronics Convention (MIPRO)10.23919/MIPRO57284.2023.10159942(1208-1212)Online publication date: 22-May-2023
https://doi.org/10.23919/MIPRO57284.2023.10159942
Carlsson RRauti SLaato SHeino TLeppänen V(2023)Privacy in Popular Children’s Mobile Applications: A Network Traffic Analysis2023 46th MIPRO ICT and Electronics Convention (MIPRO)10.23919/MIPRO57284.2023.10159753(1213-1218)Online publication date: 22-May-2023
https://doi.org/10.23919/MIPRO57284.2023.10159753
Tan KLogeswaran R(2023)Machine Learning for Browser PrivacyEmerging Technologies for Digital Infrastructure Development10.2174/9789815080957123010012(117-126)Online publication date: 14-Sep-2023
https://doi.org/10.2174/9789815080957123010012
Dockendorf MDantu R(2023)k-Anonymity in Federated Heterogenous Graphs and k-Core Anonymization2023 5th IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)10.1109/TPS-ISA58951.2023.00046(314-323)Online publication date: 1-Nov-2023
https://doi.org/10.1109/TPS-ISA58951.2023.00046
Lin XAraujo FTaylor TJang JPolakis J(2023)Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers' Anti-Fingerprinting Defenses2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179437(987-1004)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179437
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Table of Contents