De-Anonymizing Web Browsing Data with Social Networks | Su, Shukla, Goel, Narayanan

Jessica Su, Ansh Shukla, Sharad Goel, Arvind Narayanan; De-Anonymizing Web Browsing Data with Social Networks; draft; In Some Venue Surely (they will publish this somewhere, it is so very nicely formatted); 2017-05; 9 pages.

Abstract

Can online trackers and network adversaries de-anonymize web browsing data readily available to them? We show—theoretically, via simulation, and through experiments on real user data—that de-identified web browsing histories can be linked to social media profiles using only publicly available data. Our approach is based on a simple observation: each person has a distinctive social network, and thus the set of links appearing in one’s feed is unique. Assuming users visit links in their feed with higher probability than a random user, browsing histories contain tell-tale marks of identity. We formalize this intuition by specifying a model of web browsing behavior and then deriving the maximum likelihood estimate of a user’s social profile. We evaluate this strategy on simulated browsing histories, and show that given a history with 30 links originating from Twitter, we can deduce the corresponding Twitter profile more than 50% of the time. To gauge the real-world e↵ectiveness of this approach, we recruited nearly 400 people to donate their web browsing histories, and we were able to correctly identify more than 70% of them. We further show that several online trackers are embedded on sufficiently many websites to carry out this attack with high accuracy. Our theoretical contribution applies to any type of transactional data and is robust to noisy observations, generalizing a wide range of previous de-anonymization attacks. Finally, since our attack attempts to find the correct Twitter profile out of over 300 million candidates, it is—to our knowledge—the largest-scale demonstrated de-anonymization to date.

Mentions

yes.

Quotes

  • <quote>Network adversaries—including government surveillance agencies, Internet service providers, and co↵ee shop eavesdroppers—also see URLs of unencrypted web traffic. The adversary may also be a cross-device tracking company aiming to link two di↵erent browsing histories (e.g., histories generated by the same user on di↵erent devices). For such an adversary, linking to social media profiles is a stepping stone.</quote>

Headline

374 people confirmed the accuracy of our deanonymization attempt.
268 people (72%) were the top candidate generated by the MLE when using t.co links.
303 people (81%) were among the top 15 candidates generated by the MLE when using t.co links.
Yet only 49% de-anonymization when using fully expanded links (the redirect target of the t.co link)
Background

<paraphrasing>We recruited participants by advertising the experiment on a variety of websites, including

  • Twitter,
  • Facebook,
  • Quora,
  • Hacker News,
  • Freedom to Tinker
Story Line
649
people submitted web browsing histories.
119 cases (18%)
the application encountered a fatal error (e.g., because the Twitter API was temporarily unavailable), and it was unable to run the de-anonymization algorithm.
530 cases
remaining are useful.

87 users (16%)
had fewer than four informative links, and so no attempt to de-anonymize them was made.
443 users
remaining are useful.

374 users (84%)
confirmed whether or not our de-anonymization attempt was successful.
77 users (21%),/dt>
additionally disclosed their identity by signing into Twitter.

Apology: noted that the users who participated in our experiment are not representative of the Twitter population. In particular, they are quite active: the users who reported their identity had a median number of 378 followers and posted a median number of 2,041 total tweets.

</paraphrasing>

Framing (Environment)

  • TargetConsumer is a Registered Twitter User,
    with activity and warm content selection algo in operation at Twitter HQ
  • Twitter algo selects snippets for presentation to TargetConsumer.
  • TargetConsumer either elects to read or discards the linked page.
  • An URL trail is recorded by The Panopticon Surveillance Machinery in The Record
  • Adversary has access to The Record across long spans of time and large numbers of TargetConsumers.

Problem Statement

  • Can one or many TargetConsumers be distinguished solely by URL traces in The Record?

Algorithm (Conceptual)

See C. Y. Ma, D. K. Yau, N. K. Yip, N. S. Rao. “Privacy vulnerability of published anonymous mobility traces,” In IEEE/ACM Transactions on Networking, 21(3):720–733, 2013.
<paraphrasing>

  1. The simple model of web browsing behavior in which a user’s likelihood of visiting a URL is governed by the URL’s overall popularity and whether the URL appeared in the TargetConsumer’s Twitter feed.
  2. For each TargetConsumer, we compute their likelihood (under the model) of generating a given anonymous browsing history.
  3. Identify the TargetConsumer most likely to have generated that history.

</paraphrasing>

Argot

  • Cookie Syncing
  • E-Tag
  • HTML5 localStorage
  • HTTP (HTTP)
  • Jaccard Similarity
  • Maximum Liklihood Estimate (MLE)
  • URL (URL)

Promotions

  • Ad Networks Can Personally Identify Web Users; Wendy Davis; In MediaPost; 2017-01-20.
    <quote> The authors tested their theory by recruiting 400 people who allowed their Web browsing histories to be tracked, and then comparing the sites they visited to sites mentioned in Twitter accounts they followed. The researchers say they were able to use that method to identify more than 70% of the volunteers.</quote>

References

  • G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of ACM Conference on Computer Communications & Security (CCS), pages 674–689. ACM, 2014.
  • G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, B. Preneel. Fpdetective: dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS), pages 1129–1140. ACM, 2013.
  • M. D. Ayenson, D. J. Wambach, A. Soltani, N. Good, C. J. Hoofnagle. Flash cookies and privacy II: Now with HTML5 and ETag respawning. 2011.
  • C. Budak, S. Goel, J. Rao, G. Zervas. Understanding emerging threats to online advertising. In Proceedings of the ACM Conference on Economics and Computation, 2016.
  • M. Chew, S. Stamm. Contextual identity: Freedom to be all your selves. In Proceedings of the Workshop on Web,/em>, volume 2. Citeseer, 2013.
  • ] N. Christin, S. S. Yanagihara, K. Kamataki. Dissecting one click frauds. In Proceedings of the 17th ACM conference on Computer and Communications Security
  • Y.-A. De Montjoye, C. A. Hidalgo, M. Verleysen, V. D. Blondel. Unique in the crowd: The privacy bounds of human mobility. In Scientific Reports, 3, 2013.
  • Y.-A. De Montjoye, L. Radaelli, V. K. Singh, et al. Unique in the shopping mall: On the reidentifiability of credit card metadata. In Science, 347(6221), 2015.
  • P. Eckersley. How unique is your web browser? In, pages 1–18. Springer, 2010.
  • S. Englehardt, A. Narayanan. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2016.
  • S. Englehardt, D. Reisman, C. Eubank, P. Zimmerman, J. Mayer, A. Narayanan, E. W. Felten. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the 24th Conference on World Wide Web (WWW), 2015.
  • Ú. Erlingsson, V. Pihur, A. Korolova. Rappor: Randomized aggregatable privacy-preserving ordinal response. In Proceedings of the Conference on Computer and Communications Security (CCS), 2014.
  • D. Fifield, S. Egelman. Fingerprinting web users through font metrics. In Proceedings of the International Conference on Financial Cryptography and Data Security, 2015.
  • S. Hill, F. Provost. The myth of the double-blind review?: Author identification using only citations. In SIGKDD Explor(ification) Newsletter, 5(2):179–184, Dec. 2003.
  • M. Korayem, D. J. Crandall. De-anonymizing users across heterogeneous social computing platforms. In Proceedings of the Internation Conference on W(something) S(something) M(something) as “Some Acronym” (ICWSM), 2013.
  • A. Korolova, K. Kenthapadi, N. Mishra, A. Ntoulas. Releasing search queries and clicks privately. In Proceedings of the 18th International Conference on World Wide Web (WWW). ACM, 2009.
  • B. Krishnamurthy, K. Naryshkin, C. Wills. Privacy leakage vs. protection measures: the growing disconnect. In Proceedings of the Web
  • B. Krishnamurthy, C. E. Wills. On the leakage of personally identifiable information via online social networks. In Proceedings of the 2nd ACM Workshop on Online Social Networks (WOSN), pages 7–12. ACM, 2009.
  • P. Laperdrix, W. Rudametkin, B. Baudry. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the 37th IEEE Symposium on Security and Privacy, 2016.
  • A. Lerner, A. K. Simpson, T. Kohno, F. Roesner. Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In Proceedings of the 25th USENIX Security Symposium, 2016.
  • T. Libert. Exposing the invisible web: An analysis of third-party http requests on 1 million websites. In International Journal of Communication, 9:18, 2015.
  • C. Y. Ma, D. K. Yau, N. K. Yip, N. S. Rao. Privacy vulnerability of published anonymous mobility traces. In IEEE/ACM Transactions on Networking, 21(3):720–733, 2013.
  • A. Marthews, C. Tucker. Government surveillance and internet search behavior. Available at ssrn:2412564, 2015.
  • N. Mathewson, R. Dingledine. Practical traffic analysis: Extending and resisting statistical disclosure. In Proceedings of the International Workshop on Privacy Enhancing Technologies (PETS), pages 17–34. Springer, 2004.
  • J. R. Mayer, J. C. Mitchell. Third-party web tracking: Policy and technology. In Proceedings of the 2012 IEEE Symposium on Security and Privacy. IEEE, 2012.
  • K. Mowery, H. Shacham. Pixel perfect: Fingerprinting canvas in HTML5. In Proceedings of the Conference with the Acronym “W2SP” (W2SP), 2012.
  • A. Narayanan, H. Paskov, N. Z. Gong, J. Bethencourt, E. Stefanov, E. C. R. Shin, D. Song. On the feasibility of internet-scale author identification. In Proceedings of the IEEE Symposium on Security and Privacy, 2012.
  • A. Narayanan, V. Shmatikov. Robust de-anonymization of large sparse datasets. In Proceedings of the 2008 IEEE Symposium on Security and Privacy (SP), pages 111–125. IEEE, 2008.
  • N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Proceedings of the 2013 IEEE symposium on Security and Privacy (SP), pages 541–555. IEEE, 2013.
  • L. Olejnik, G. Acar, C. Castelluccia, C. Diaz. The leaking battery A privacy analysis of the HTML5 Battery Status API. Technical Report, WHERE? 2015.
  • L. Olejnik, C. Castelluccia, A. Janc. Why Johnny can’t browse in peace: On the uniqueness of web browsing history patterns. In Proceedings of the 5th Workshop on Hot Topics in Privacy Enhancing Technologies (PETS), 2012.
  • J. Penney. Chilling effects: Online surveillance and wikipedia use. In Berkeley Technology Law Journal, 2016.
  • A. Ramachandran, Y. Kim, A. Chaintreau. “I knew they clicked when I saw them with their friends”. In Proceedings of the 2nd Conference on Online Social Networks, 2014.
  • F. Roesner, T. Kohno, D. Wetherall. Detecting and defending against third-party tracking on the web. In Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation, pages 12–12. USENIX Association, 2012.
  • K. Sharad, G. Danezis. An automated social graph de-anonymization technique. In Proceedings of the 13th Workshop on Privacy in the Electronic Society (WPES), pages 47–58. ACM, 2014.
  • A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle. Flash cookies and privacy. In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management, volume 2010, pages 158–163, 2010.
  • J. Su, A. Sharma, S. Goel. The effect of recommendations on network structure. In Proceedings of the 25th Conference on World Wide Web (WWW), 2016.
  • G. Wondracek, T. Holz, E. Kirda, C. Kruegel. A practical attack to de-anonymize social network users. In Proceedings of the IEEE Symposium on Security and Privacy, 2010.

Previously filled.

(Cross-)Browser Fingerprinting via OS and Hardware Level Features | Cao, Song, Wijmans

Yinzhi Cao, Song Li, Erik Wijmans; (Cross-)Browser Fingerprinting via OS and Hardware Level Features; In Proceedings of the Network & Distributed System Security Symposium (NSDI); 2017-02-26; 15 pages.

Abstract

In this paper, we propose a browser fingerprinting technique that can track users not only within a single browser but also across different browsers on the same machine. Specifically, our approach utilizes many novel OS and hardware level features, such as those from graphics cards, CPU, and installed writing scripts. We extract these features by asking browsers to perform tasks that rely on corresponding OS and hardware functionalities.

Our evaluation shows that our approach can successfully identify 99.24% of users as opposed to 90.84% for state of the art on single-browser fingerprinting against the same dataset. Further, our approach can achieve higher uniqueness rate than the only cross-browser approach in the literature with similar stability.

Mentions

Browsers

  • Chrome
  • Edge
  • Firefox
  • Internet Explorer
  • Opera
  • Safari
  • Other
    • Maxthon
    • Tor
    • UC

Population

  • Amazon Mechanical Turk
  • MacroWorkers

Others

  • AmIUnique
  • Panopticlick
  • Boda

Actualities

Who

Yinzhi Cao, Assistant Professor, Computer Science and Engineering Department, Lehigh University.

Promotions

New Fingerprinting Techniques Identify Users Across Different Browsers on the Same PC; ; In BleepingComputer; 2017-01-12.

References

  • Core estimator.
  • [email threads] proposal: navigator.cores; InArchives of WhatWG of the W3C, circa 2014-05.
  • Am I Unique?, at GitHub.
  • anti-aliasing, at Graphics Wikia.
  • Panopticlick: Is your browser safe against tracking?
  • Watched; Wall Street Journal (WSJ).
  • cube mapping; In Jimi Wales’ Wiki.
  • list of writing systems; In Jimi Wales’ Wiki.
  • G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, C. Diaz; “The web never forgets: Persistent tracking mechanisms in the wild,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS ’14), 2014, pp. 674–689.
  • G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, B. Preneel; “FPDetective: Dusting the web for fingerprinters,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS ’13), 2013, pp. 1129–1140.
  • M. Ayenson, D. Wambach, A. Soltani, N. Good, C. Hoofnagle; “Flash cookies and privacy II: Now with HTML5 and ETag respawning,” Available at SSRN 1898390, 2011.
  • S. Berger. You should install two browsers.
  • T. Bigelajzen. Cross browser zoom and pixel ratio detector.
  • K. Boda, A. M. F ̈oldes, G. G. Gulyás, S. Imre, “User tracking on the web via cross-browser fingerprinting,” in Proceedings of the 16th Nordic Conference on Information Security Technology for Applications, (NordSec’11), 2012, pp. 31–46.
  • F. Boesch. Soft shadow mapping.
  • Federal Trade Commission (FTC). Cross-device tracking. A celebration. 2015-11.
  • P. Eckersley, “How unique is your web browser?” in Proceedings of the 10th International Conference on Privacy Enhancing Technologies (PETS’10), 2010.
  • S. Englehardt A. Narayanan, “Online tracking: A 1-million-site measurement and analysis,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, (CCS ’16), 2016.
  • A. Etienne J. Etienne. Classical suzanne monkey from blender to get your game started with threex.suzanne
  • D. Fifield S. Egelman, “Fingerprinting web users through font metrics,” in Financial Cryptography and Data Security. Springer, 2015, pp. 107–124.
  • S. Kamkar. Evercookie.
  • B. Krishnamurthy, K. Naryshkin, C. Wills, “Privacy leakage vs. protection measures: the growing disconnect,” in Web 2.0 Security and Privacy Workshop, 2011.
  • B. Krishnamurthy C. Wills, “Privacy diffusion on the web: a longitudinal perspective,” in Proceedings of the 18th International Conference on World Wide Web (WWW). ACM, 2009, pp. 541–550.
  • B. Krishnamurthy C. E. Wills. “Generating a privacy footprint on the internet,” in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (IM). ACM, 2006, pp. 65–70.
  • B. Krishnamurthy C. E. Wills. “Characterizing privacy in online social networks,” in Proceedings of the First Workshop on Online Social Networks. ACM, 2008, pp. 37–42.
  • P. Laperdrix, W. Rudametkin, B. Baudry, “Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints”, in Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P 2016), 2016.
  • A. Lerner, A. K. Simpson, T. Kohno, F. Roesner, “Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016,” in Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, 2016.
  • J. R. Mayer J. C. Mitchell, “Third-party web tracking: Policy and technology,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), 2012, pp. 413–427.
  • W. Meng, B. Lee, X. Xing, W. Lee, “Trackmeornot: Enabling flexible control on web tracking,” in Proceedings of the 25th International Conference on World Wide Web (WWW ’16), 2016, pp. 99–109.
  • H. Metwalley, S. Traverso, “Unsupervised detection of web track- ers,” in Globecom, 2015.
  • K. Mowery, D. Bogenreif, S. Yilek, H. Shacham, “Fingerprinting information in javascript implementations,” 2011.
  • K. Mowery, H. Shacham, “Pixel perfect: Fingerprinting canvas in HTML5,” In Some Venue, 2012.
  • M. Mulazzani, P. Reschl, M. Huber, M. Leithner, S. Schrittwieser, E. Weippl, F. Wien, “Fast and reliable browser identification with javascript engine fingerprinting,” in Proceedings of W2SP, 2013.
  • G. Nakibly, G. Shelef, S. Yudilevich, “Hardware fingerprinting using HTML5,” arXiv preprint arXiv:1503.01408, 2015.
  • N. Nikiforakis, W. Joosen, B. Livshits, “Privaricator: Deceiving fingerprinters with little white lies,” in Proceedings of the 24th International Conference on World Wide Web, (WWW ’15), 2015, pp. 820–830.
  • N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna, “Cookieless monster: Exploring the ecosystem of web-based device fingerprinting,” in In Proceedings of the IEEE Symposium on Security and Privacy (SP), 2013.
  • X. Pan, Y. Cao, Y. Chen, “I do not know what you visited last summer – protecting users from third-party web tracking with trackingfree browser,” in Proceedings of the Network & Distributed Systems Symposium (NDSS), 2015.
  • M. Perry, E. Clark, S. Murdoch, “The design and implementation of the Tor Browser [draft][online], United States,” 2015.
  • F. Roesner, T. Kohno, D. Wetherall, “Detecting and defending against third-party tracking on the web,” in Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation (NSDI’12), 2012, pp. 12–12.
  • I. Sánchez-Rola, X. Ugarte-Pedrero, I. Santos, P. G. Bringas “Tracking users like there is no tomorrow: Privacy on the current internet,” in International Joint Conference,/em>. Springer, 2015, pp. 473– 483.
  • A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle. “Flash cookies and privacy,” in Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management,/em>, 2010.
  • US-CERT. Securing your web browser.
  • Do Not Track Policy. In Jimi Wales’ Wiki.
  • Privacy Mode
  • M. Xu, Y. Jang, X. Xing, T. Kim, W. Lee, “Ucognito: Private browsing without tears,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security (CCS ’15), 2015, pp. 438–449.
  • T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, M. Abadi, “Host fingerprinting and tracking on the web: Privacy and security implications,” in Proceedings of the Network & Distributed Systems Symposium (NDSS), 2012.

FreeSense:Indoor Human Identification with WiFi Signals | Xin, Guo, Wang, Li, Yu

Tong Xin, Bin Guo, Zhu Wang, Mingyang Li, Zhiwen Yu; FreeSense:Indoor Human Identification with WiFi Signals; 2016-08-11; arxiv:1608.03430.

Abstract

Human identification plays an important role in human-computer interaction. There have been numerous methods proposed for human identification (e.g., face recognition, gait recognition, fingerprint identification, etc.). While these methods could be very useful under different conditions, they also suffer from certain shortcomings (e.g., user privacy, sensing coverage range). In this paper, we propose a novel approach for human identification, which leverages WIFI signals to enable non-intrusive human identification in domestic environments. It is based on the observation that each person has specific influence patterns to the surrounding WIFI signal while moving indoors, regarding their body shape characteristics and motion patterns. The influence can be captured by the Channel State Information (CSI) time series of WIFI. Specifically, a combination of Principal Component Analysis (PCA), Discrete Wavelet Transform (DWT) and Dynamic Time Warping (DTW) techniques is used for CSI waveform-based human identification. We implemented the system in a 6m*5m smart home environment and recruited 9 users for data collection and evaluation. Experimental results indicate that the identification accuracy is about 88.9% to 94.5% when the candidate user set changes from 6 to 2, showing that the proposed human identification method is effective in domestic environments.

The Web never forgets: Persistent tracking mechanisms in the wild | Acar, Eubank, Englehardt, Juarez, Narayanan, Diaz

Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, Claudia Diaz; The Web never forgets: Persistent tracking mechanisms in the wild; In Proceedings of the Conference on Computer & Communication Security (CCS); 2014-11, draft of 2014-07-24; 16 pages; landing including some data in tabular format.

Abstract

We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies and use of “cookie syncing” in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detection and analysing ID flows and we quantify the amplification of privacy-intrusive track- ing practices due to cookie syncing.

Our evaluation of the defensive techniques used by privacy-aware users finds that there exist subtle pitfalls — such as failing to clear state on multiple browsers at once — in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great difficulties in evading tracking techniques.

References

  • Bug 757726 – disallow enumeration of navigator.plugins. Mozilla. 2012-05.
  • Manage, disable Local Shared Objects | Flash Player. Adobe. 2014.
  • Doubleclick ad exchange real-time bidding protocol: Cookie matching. Google. 2014-02.
  • Selenium – Web Browser Automation. 2014.
  • G. Acar, M. Juarez, N. Nikiforakis, C. Diaz, S. Gürses, F. Piessens, B. Preneel. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pages 1129–1140. ACM, 2013.
  • M. Ayenson, D. J. Wambach, A. Soltani, N. Good, C. J. Hoofnagle. Flash cookies and Privacy II: Now with HTML5 and ETag Respawning. World Wide Web Internet And Web Information Systems, 2011.
  • M. Backes, A. Kate, M. Maffei, K. Pecina. Obliviad: Provably Secure and Practical Online Behavioral Advertising. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), pages 257–271. IEEE, 2012.
  • R. Balebako, P. Leon, R. Shay, B. Ur, Y. Wang, L. Cranor. Measuring the Effectiveness of Privacy Tools for Limiting Behavioral Advertising. In Proceedings of the Web 2.0 Workshop on Security and Privacy, 2012.
  • F. Besson, N. Bielova, T. Jensen. Enforcing Browser Anonymity with Quantitative Information Flow. INRIA; 2014-05; 13 pages. landing
  • M. Bilenko, M. Richardson, J. Y. Tsai. Targeted, Not Tracked: Client-Side Solutions For Privacy-Friendly Behavioral Advertising. In Proceedings of the 11th Privacy Enhancing Technologies Symposium (PETS 2011), 2011.
  • P. E. Black. Ratcliff/Obershelp pattern recognition. 2004-12.
  • K. Brade. gitweb.torproject.org – torbrowser.git/blob – src/current-patches/firefox/0019-add-canvas-image-extraction-prompt.patch. 2012-11.
  • A. Das, N. Borisov, and M. Caesar. Fingerprinting Smart Devices Through Embedded Acoustic Components. arXiv preprint arXiv:1403.3366. 2014-03-13.
  • W. Davis. KISSmetrics Finalizes Supercookies Settlement. 2013.
  • P. Eckersley. How unique is your web browser? In Proceedings of Privacy Enhancing Technologies (PETS), pages 1–18. Springer, 2010.
  • C. Eubank, M. Melara, D. Perez-Botero, A. Narayanan. Shining The Floodlights on Mobile Web Tracking – A Privacy Survey. In Proceedings of the Web 2.0 Conference on Security and Privacy, 2013-05.
  • E. W. Felten. If You’re Going to Track Me, Please Use Cookies. In Freedom to Tinker. 2009.
  • M. Fredrikson, B. Livshits. Repriv: Re-imagining Content Personalization and In-browser Privacy. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (SP), pages 131–146. IEEE, 2011.
  • S. Guha, B. Cheng, P. Francis. Privad: Practical Privacy In Online Advertising. In Proceedings of the 8th USENIX Conference on Networked Systems Design and Implementation. pages 169–182. USENIX Association, 2011.
  • S. Kamkar. Evercookie – virtually irrevocable persistent cookies. In His Blog. 2010-09.
  • M. Kerrisk. strace(1) – linux manual page, 2014-05.
  • T. Kohno, A. Broido, and K. C. Claffy. Remote Physical Device Fingerprinting. In Transactions on Dependable and Secure Computing. IEEE. 2(2):93–108, 2005.
  • B. Krishnamurthy, C. Wills. Privacy Diffusion on the Web: A Longitudinal Perspective. In Proceedings of the 18th International Conference on World Wide Web. pages 541–550. ACM, 2009.
  • B. Krishnamurthy, C. E. Wills. On the Leakage Of Personally Identifiable Information Via Online Social Networks. In Proceedings of the 2nd ACM Workshop on Online Social Networks. pages 7–12. ACM, 2009.
  • B. Liu, A. Sheth, U. Weinsberg, J. Chandrashekar, R. Govindan. AdReveal: Improving Transparency Into Online Targeted Advertising. In Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks. page 12. ACM, 2013.
  • J. Mayer. Tracking the Trackers: Self-help Tools. 2011-09.
  • J. R. Mayer, J. C. Mitchell. Third-party web tracking: Policy and technology. In IEEE Symposium on Security and Privacy, pages 413–427. IEEE, 2012.
  • A. M. McDonald, L. F. Cranor. Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies. In Proceedings of ISJLP, 7:639, 2011. landing.
  • K. Mowery, D. Bogenreif, S. Yilek, H. Shacham. Fingerprinting Information in JavaScript Implementations. In Proceedings of W2SP, Volume 2. 2011
  • K. Mowery, H. Shacham. Pixel Perfect: Fingerprinting Canvas in HTML5. In Proceedings of W2SP, 2012.
  • M. Mulazzani, P. Reschl, M. Huber, M. Leithner, S. Schrittwieser, E. Weippl, F. C. Wien. Fast and Reliable Browser Identification With JavaScript Engine Fingerprinting. In Proceedings of the Web 2.0 Workshop on Security and Privacy (W2SP), Volume 1, 2013.
  • A. Narayanan, J. Mayer, S. Iyengar. Tracking Not Required: Behavioral Targeting, 2012.
  • N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, G. Vigna. You Are What You Include: Large-scale Evaluation Of Remote JavaScript Inclusions. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 736–747. ACM, 2012.
  • N. Nikiforakis, W. Joosen, B. Livshits. PriVaricator: Deceiving Fingerprinters with Little White Lies. Microsoft. 2014-02. landing.
  • N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, G. Vigna. Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy, pages 541–555. IEEE, 2013.
  • L. Olejnik, T. Minh-Dung, C. Castelluccia. Selling Off Privacy at Auction. In Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS), 2013.
  • C. R. Orr, A. Chauhan, M. Gupta, C. J. Frisz, C. W. Dunn. An Approach for Identifying JavaScript-loaded Advertisements Through Static Program Analysis. In Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society. pages 1–12. ACM, 2012.
  • M. Perry, E. Clark, S. Murdoch. The design and implementation of the Tor browser [draft]. 2013-03.
  • F. Roesner, T. Kohno, D. Wetherall. Detecting and Defending Against Third-Party Tracking on the Web. In Proceedings of the Symposium on Networking Systems Design and Implementation. USENIX, 2012.
  • A. Soltani, S. Canty, Q. Mayo, L. Thomas, C. J. Hoofnagle. Flash Cookies and Privacy. In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management, 2010.
  • O. Sorensen. Zombie-cookies: Case studies and Mitigation. In Proceedings of the 2013 8th International Conference for Internet Technology and Secured Transactions (ICITST), pages 321–326. IEEE, 2013.
  • A. Taly, J. C. Mitchell, M. S. Miller, J. Nagra, et al. Automated Analysis of Security-Critical JavaScript APIs. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (SP). pages 363–378. IEEE, 2011.
  • J. Temple. Stale Cookies: How Companies Are Tracking You Online Today. In SFGate, a newspaper. 2013
  • M. Tran, X. Dong, Z. Liang, X. Jiang. Tracking the trackers: Fast and scalable dynamic analysis of web content for privacy violations. In Applied Cryptography and Network Security, pages 418–435. Springer, 2012.
  • M.-D. Tran, G. Acs, C. Castelluccia. Retargeting Without Tracking. arXiv preprint arXiv:1404.4533. 2014-04-17;
  • T. Unger, M. Mulazzani, D. Fruhwirt, M. Huber, S. Schrittwieser, E. Weippl. SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting. In Proceedings of the 2013 Eighth International Conference on Availability, Reliability and Security (ARES), pages 255–261. IEEE, 2013.
  • V. Vasilyev. Valve/fingerprintjs. 2012.

Via: backfill

Graph Processing Using Big Data Technologies | InfoQ

Tapad’s Graph Processing Using Big Data Technologies; Charles Menguy; In InfoQ; 2014-03-17.

Mentioned

  • The article appears to be an interview with Dag Liodden, but rambles on into a general overview of the genre
    • Big Data (which is big)
    • Graph
    • JVM Culture
  • Tapad
    • Dag Liodden
    • Quoted for color, background & verisimilitude.
    • Testifies to participation in the genre.
  • Facebook
  • Factoids
    • U.S. Graph
      • 1.1×109 nodes.
      • “multiple” TB
        • stored in <= 20TB Flash SSD
        • 2TB working RAM
      • 100,000 q/s
      • multiple data centers
      • geographic replication
  • Nodes are classed
    • transient,
    • persistent (non-transient)
  • Persistent
    • 5 edges (around, average)
    • 500 profile facts
  • Scheme
    • Online truth maintenance (real-time serving)
    • Offline usage (dump to HDFS)

Referenced, Cited

Via: backfill, backfill

Symposium on Obfuscation | New York University, 2014-02-15

Symposium on Obfuscation; At New York University; 2014-02-15.

Exhibitions

Overview

  • Vortex, a game
    • Rachel Law
    • Rachel Law; Vortex; On Vimeo; “7 months ago” (so … 2013-05?); 05:19
      </quote>Vortex is a browser extension game that empowers you to change how you are identified by networks</quote>
    • Rachel Law; The Vortex & Meshtectonics; Thesis Documentation; MFA Design & Technology; Parsons New School of Design; 2013; 22 pages.
      Theory:

      • Bruno Latour, Actor Network Theory (ANT)
      • Giles Deleuze
  • Ad Nauseam
  • Anonymouth

Opinement

Previously

Recitations of previously-aired ideas.

Participants

  • Finn Brunton (NYU),
  • Günes Acar (KU Leuven),
  • Claudia Diaz (KU Leuven),
  • Carl DiSalvo (Georgia Tech),
  • Rachel Greenstadt (DrexelU),
  • Daniel Howe (City University of Hong Kong),
  • Laura Kurgan (Columbia),
  • Rachel Law (Milkred),
  • Nick Montfort (MIT),
  • Helen Nissenbaum (NYU),
  • Hanna Rose Shell (MIT),
  • Susan Stryker (UArizona),
  • Joseph Turow (UPenn),
  • Vincent Toubiana (CNIL).

Support

Observation

  • Heavy on the activism & policy
  • Accent towards “art” and “protest”
  • Light on (ad)tech & math.

Related & Unmentioned

Via: backfill, backfill

ViewWho

ViewWho of AdDynamo

Status

  • Moribund since 2012-05
  • Has released no code.

Documentation

Who

Referenced

Device fingerprinting

Data matching

Smart Store Privacy

 Program

Title: Future of Privacy Foundation (FPF)’s Mobile Location Analytics (MLA) Working Group

Related

Intellectual Property Claims

  • Patent 8,335,174, promotional site (redirects to the patent claims at the USPTO, here)
  • U.S. Patent 8,335,174 System and method for registering network information strings; Stillman Bradish, Scott A. Smith; Radius Networks; Granted: 2012-12-18; Filed: 2011-11-15.
  • U.S. Patent 8,335,174, noted.
  • Abstract: A system and method for registering network information strings. An information string server device receives a request to register a network information string from a computing device. The network information string may be included in a message broadcast by a string broadcast station. The information string server device determines whether the network information string has been previously registered with the information string server device. The information string server device stores the network information string in a record of an information string datastore when the network information string has not been previously registered with the information string server device. A registration acceptance message may be sent by the information string server device to the computing device when the network information string has not been previously registered with the information string server device.

Outreach

Collateral

  • Mobile Location Analytics Code of Conduct; 6 pages
    Outline

    • Preamble
    • Who is Covered
    • Principle One: Notice
    • Principle Two: Limited Collection
    • Principle Three: Choice
    • Principle Four: Limitation on Collection and Use
    • Principle Five: Onward Transfer
    • Principle Six: Limited Retention
    • Principle Seven: Consumer Education
    • Exceptions ot the Principles
    • Definitions
  • Sample MLA Reports, 7 images
    1. Slide 1
    2. Slide 2
    3. Slide 3
    4. Slide 4
    5. Slide 5
    6. Slide 6
    7. Slide 7
  • Mobile Location Analytics (MLA), an overview; undated (2013-10-23); 5 slides (4 of content).
    1. Problem Statement (technology scope: WiFi, Bluetooth, MAC)
    2. Logging Practices (operational overview)
    3. Principles for a Code
    4. Opt-Out
Blessings
  • Jessica Rich (FTC); Director of the FTC Bureau of Consumer Protection Comments on MLA Code; 2013-10-23.
    Jessica Rich is Director of Consumer Protection. Federal Trade commission (FTC).

    • A quote, inline, 70 words.
    • Bites
      • <quote>It’s great that industry <snip/> has taken a positive step forward in developing a self-regulatory code of conduct</quote>
      • <quote>Our staff appreciated the opportunity to provide feedback in the process of creating the code.</quote>
    • via Politico Morning Tech.

Warinesses

  • Mallory Duncan, Senior Vice President and General Counsel, National Retail Federation ref
    • <quote>Very few companies have had any involvement with this process.</quote>
    • <quote>Our members are still examining it.</quote>
    • <quote>It strikes us at first glance that we’re not sure you want to regulate technology that is designed to provide customer benefit before even they get off the ground.</quote>

Participants

Who

(alphabetical)

  • Liz Eversoll, CEO, SOLOMO.
  • Steve Jeffery, CEO, Brickstream.
  • Jules Polonetsky, Executive Director, Future of Privacy Forum (FPF).
  • Jim Riesenbach, CEO, iInside Inc.
  • Charles E. Schumer, United States Senator (NY D)
  • Will Smith, CEO, Euclid.
  • Glenn Tinley, President & Founder, Mexia Interactive.
  • Marc Wallace, Co-Founder & CEO, Radius Networks, Inc.
  • Devon Wright, Co-Founder, Turnstyle Solutions.
  • Christopher Wolf, TITLE, Future of Privacy Forum (FPF).

Promotions

(owned, earned, purchased)

Self

Trade

Via: backfill

Inferring Trip Destinations From Driving Habits Data | Dewri, Annadata, Eltarjaman, Thurimella

Rinku Dewri, Prasad Annadata, Wisam Eltarjaman, Ramakrishna Thurimella; Inferring Trip Destinations From Driving Habits Data; In Proceedings of Workshop on Privacy in the Electronic Society (WPES); 2013; 9 pages.

Abstract

The collection of driving habits data is gaining momentum as vehicle telematics based solutions become popular in consumer markets such as auto-insurance and driver assistance services. These solutions rely on driving features such as time of travel, speed, and braking to assess accident risk and driver safety. Given the privacy issues surrounding the geographic tracking of individuals, many solutions explicitly claim that the customer’s GPS coordinates are not recorded. Although revealing driving habits can give us access to a number of innovative products, we believe that the disclosure of this data only offers a false sense of privacy. Using speed and time data from real world driving trips, we show that the destinations of trips may also be determined without having to record GPS coordinates. Based on this, we argue that customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risks.

Mentions

  • Products
    • Progressive’sSnapshot,
    • AllState’s Drivewise,
    • State Farm’s In-Drive,
    • National General Insurance’s Low-Mileage Discount,
    • Travelers’ Intellidrive,
    • Esurance’s Drivesense,
    • Safeco’s Rewind,
    • Aviva’s Drive,
    • Amaguiz PAYD,
    • Insure The Box,
    • Cover-box,
    • Ingenie,
    • MyDrive.
  • Quasi-identifiers
  • Telematics
  • OnStar
  • OBD-II
  • LandAirSea GPS Tracking Key
  • OpenStreetMap
  • Stop Points
  • Depth-First Search (DFS)

Via: backfill, backfill

Sensor-ID, some trials

Verdict

Does. Not. Work.

Move along, nothing to see here.

Previously noted.

Results

Time X Coordinate Y Coordinate Unique
Among
2013-10-13T12:21:29 -0.33926094532 1.0011098617 996
2013-10-13T12:23:19 -0.305329995155 1.00342984584 996
2013-10-13T12:24:45 -0.275689446926 1.00383234309 996
2013-10-13T17:11:54 -0.307242288589 1.00406484151 1000

Experiment

Atrix 2, stock Android, with AT&T crapware; i.e. not CyanogenMod

Actualities

User Experience

Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting | Nikiforakis, Kapravelos, Joosens, Kruegel, Piessens, Vigna

Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna; Cookieless Monster: Exploring the ecosystem of web-based device fingerprinting; In Proceedings of the IEEE Symposium on Security and Privacy; 2013; pages 541–555 (15 pages).

Abstract

The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users.

In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins.

At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser-identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.

Conclusion

<quote>In this paper, we first investigated the real-life implementations of fingerprinting libraries, as deployed by three popular commercial companies. We focused on their differences when compared to Panopticlick and discovered increased use of Flash, backup solutions for when Flash is absent, broad use of Internet Explorer’s special features, and the existence of intrusive system-fingerprinting plugins.

Second, we created our own fingerprinting script, using multiple novel features that mainly focused on the differences between special objects, like the navigator and screen, as implemented and handled by different browsers. We identified that each browser deviated from all the rest in a consistent and measurable way, allowing scripts to almost instantaneously discover the true nature of a browser, regardless of a browser’s attempts to hide it. To this end, we also analyzed eleven popular user-agent spoofing extensions and showed that, even without our newly proposed fingerprinting techniques, all of them fall short of properly hiding a browser’s identity.

The purpose of our research was to demonstrate that when considering device identification through fingerprinting, user-privacy is currently on the losing side. Given the complexity of fully hiding the true nature of a browser, we believe that this can be efficiently done only by the browser vendors. Regardless of their complexity and sophistication, browser-plugins and extensions will never be able to control everything that a browser vendor can. At the same time, it is currently unclear whether browser vendors would desire to hide the nature of their browsers, thus the discussion of web-based device fingerprinting, its implications and possible countermeasures against it, must start at a policy-making level in the same way that stateful user-tracking is currently discussed.</quote>

Related

Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, Bart Preneel; FPDetective: Dusting the Web for Fingerprinters; In Proceedings of Computer and Communications Security (CCS); 2013-11-04; 13 pages.

Noted nearby.

Framing

  • Fingerprinting is used constructive or destructively.
  • Framing of Mowery et al.
  • <quote>Destructively, device identification through fingerprinting can be used to track users between sites, without their knowledge and without a simple way of opting-out. Additionally, device identification can be used by attackers in order to deliver exploits, tailored for specific combinations of browsers, plugins and operating systems. The line between the constructive and destructive use is, however, largely artificial, because the same technology is used in both cases.</quote>

Fingerprinters

Mentions

  • Fingerprinting is used for Ad Block detection
    • Presence or absence of iframes or DOM elements in the rendered page.
    • iatrogenesis => use of Ad Block makes you more unique, more special.
  • Used Ghostery as a knowledge source
    • Rules to identify tracking & fingerprinting.
    • Rules to identify and extract fingerprinting code fragments
  • DOM Elements
    • navigator
    • screen
    • navigator.securityPolicy (IE)
    • navigator.systemLanguage
    • CLSID for Browser Helper Objects (BHO)
  • Claim: cookie churn is 33% /month

Result

A taxonomy of features that acquirable via any fingerprinting library.

  • Browser Customizations
    • Plugins
    • MIME types
    • ActiveX, CLSID
    • Google Gears
    • Flash (primary or clone vendor)
  • Browser User-level Configurations
    • Language
    • Cookies
    • Timezone
    • Flash
    • Do-Not-Track
    • Proxy
    • (Windows) Security Policy
  • Browser Family & Version
    • User Agent
    • ACCEPT
    • Browser Quirks
    • Math Constants
  • Operating System & Applications
    • User Agent
    • Font
    • Flash, Java
    • (Windows) Registry
  • Hardware & Network
    • Screen
    • IP addresses

Delivery

  1. First Party Site Not Involved
    • The fingerprinting code was delivered by an advertising
      syndicator, and the resulting fingerprint was sent back to the
      fingerprinting company
  2. First Party Site Requested the Fingerprint #1 (BlueCava, iovation)
    • BlueCava’s code develops a fingerprint payload
    • DES-encrypted (something about “on the fly” and “then with a public key”)
    • Concatenate the keys into the payload
    • Base64
    • Add the paylod to a hidden DOM element in the First Party’s login form
    • User “voluntarily” submits the fingerprint upon login with name+password from the form.
    • Only the fingerprinter (BlueCava) can decrypt the payload.  They limit the queries against the payload.
  3. First Party Site Requested the Fingerprint #2 (ThreatMetrix)
    • A <div> tag is created by the First Party with a session code and (customer account) validation code.
    • The ThreatMetrix code recovers the <div> tag, sends the data home.
    • The first party may query ThreatMetrics about the session, but not the user.

Procedure

<quote><snip/>crawled up to 20 pages for each of the Alexa top 10,000 sites.</quote>

Previous Work

  • K. Mowery, H. Shacham, “Pixel perfect: Fingerprinting canvas in HTML5,” In Proceedings of W2SP; 2012-05; M. Fredrikson, Editor. IEEE Computer Society, 2012-05.
  • T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, M. Abadi; “Host Fingerprinting and Tracking on the Web: Privacy and Security Implications”; In Proceedings of the 19th Annual Network and Distributed System Security Symposium (NDSS), 2012
  • J. R. Mayer, J. C. Mitchell, “Third-party web tracking: Policy and technology”; In Proceedings of IEEE Symposium on Security and Privacy; 2012; pages 413–427.
  • K. Mowery, D. Bogenreif, S. Yilek, H. Shacham, “Fingerprinting information in JavaScript implementations”; In Proceedings of W2SP 2011-05; H. Wang, Ed. IEEE Computer Society, 2011-05.
  • M. Cova, C. Kruegel, G. Vigna, “Detection and analysis of drive-by-download attacks and malicious javascript code”; In Proceedings of the 19th International Conference on World Wide Web (WWW); 2010; pages 281–290 (9 pages).
  • Eckersley, EFF, Panopticlick, 2010.
  • Mayer, Stanford, Senior thesis, 2009.

See notes nearby.

 

Destructively, device

identification through fingerprinting can be used to track
users between sites, without their knowledge and without
a simple way of opting-out. Additionally, device identifica-
tion can be used by attackers in order to deliver exploits,
tailored for specific combinations of browsers, plugins and
operating systems [14]. The line between the constructive
and destructive use is, however, largely artificial, because
the same technology is used in both cases.

FPDetective: Dusting the Web for Fingerprinters | Acar, Juarez, Nikiforakis, Diaz, Gürses, Piessens

Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, Bart Preneel; FPDetective: Dusting the Web for Fingerprinters; In Proceedings of Computer and Communications Security (CCS); 2013-11-04; 13 pages.

Abstract

In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fi ngerprint the user: a practice that may have serious privacy and security implications. In this paper, we report on the design, implementation and deployment of FPDetective, a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or third- party-tracking blacklists, FPDetective focuses on the detection of the fi ngerprinting itself. By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated. Moreover, we analyze two countermeasures that have been proposed to defend against fingerprinting and find weaknesses in them that might be exploited to bypass their protection. Finally, based on our findings, we discuss the current understanding of fingerprinting and how it is related to Personally Identifi able Information, showing that there needs to be a change in the way users, companies and legislators engage with fingerprinting.

Conclusion

<quote>User tracking is becoming pervasive as advertisers and tracking companies seek to refine their targeting, detect fraud, or offer new services. While most of today’s tracking is done through third-party cookies, prior research has shown that browser and system attributes can be used to uniquely identify devices through fingerprints. Even though these fingerprints are less accurate than stateful identifiers such as cookies, their main advantage is that device fingerprinting is harder to detect and to defend against. In this paper we presented FPDetective, a fingerprinting-detection framework that identifies web based fingerprinters. Using FPDetective, we performed a large-scale crawl of the Internet’s most popular websites, and showed that the adoption of fingerprinting is significantly higher than what previous research estimated. Among others, we identified large commercial companies involved in fingerprinting, a complete disregard towards the DNT header, and the use of anti-debugging techniques, most commonly associated with JavaScript malware. Moreover, we showed that dedicated fingerprinters can bypass existing privacy-protecting technologies. Overall, our findings demonstrate that web fingerprinting is a real and growing issue, deserving the attention of both policymakers and the research community. We hope that our framework, which is freely available to other researchers and can easily be extended to conduct further studies, will contribute to addressing this issue by providing a means to shed light on web fingerprinting practices and techniques.</quote>

Framing

  • “fingerprinting is all about devices”
  • “we track these devices for user convenience”

Related

Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna; Cookieless Monster: Exploring the ecosystem of web-based device fingerprinting; In Proceedings of the IEEE Symposium on Security and Privacy; 2013; pages 541–555 (15 pages).

Noted nearby.

Mentions

  • FPDetective, binary only, source code is not available (yet?).
    • Scheme:
      • Cluster support
      • Crawls pages
      • Tags sites with a label if a known fingerprinting script is found in the HTTP requests made for this visit.
    • Two browsers
    • Instrumented WebKit
    • Uses
    • Technologies (what is it made out of)
      • Python,
      • C++(browser modifications),
      • JavaScript
      • MySQL
  • Results
    • 16 new fingerprint engines in action (a.k.a. “fingerprinters”, “fingerprinting scripts”)
    • Commercial fingerprinting, “in house” fingerprinting.
    • Activity on the Top 500 Web Sites
    • Evasion practices
      • Removal of the fingerprint script after detection has completion
      • Fingerprinting activity via 3rd party widgets
  • Analyses
    • Tor Browser (Firefox 17)
    • Firegloves
    • Do Not Track does not affect fingerprinters
    • Alexa Top Million Web Sites

Previous Work

Current Work

  • Firegloves
    • a proof-of-concept
    • Returns randomized for certain attributes
    • Limits the number of fonts
    • Reports values for the offsetWidth and offsetHeight
    • Demonstration, something about getBoundingClientRect in lieu of offsetWidth, offsetHeight.

Technologies

Tickets

  • 55084 Apply content scripts to about: and data: urlsthing

Procedure

<quote>We were able to run 200 parallel PhantomJS instances <snip/> With these settings we were able to complete a homepage crawl of the Alexa top million sites in a period of four days.</quote>

Identified Fingerprinters

  • Alipay
  • Anonymizer
  • AFK Media
  • Analytics-engine
  • Analyticsengine (second)
  • BBelements
  • BlueCava
  • Bluecava (second)
  • Cdn.net
  • CoinBase
  • Inside graph
  • MaxMind
  • MEB (Turkish Ministry of Education)
  • Mindshare Tech
  • Myfreecams
  • Piano Media
  • Preferencement
  • SiteBlackBox
  • ThreatMetrix

Actualities



Via: backfill

Don’t Want Trackers Watching Your Web And Smartphone Activity? This Start-up’s For You. | Forbes

Kashmir Hill; Don’t Want Trackers Watching Your Web And Smartphone Activity? This Start-up’s For You.; In Forbes; 2013-07-24 (appears in print 2013-08-12).

Mentions

  • A hagiography of Disconnect
  • Disconnect
    • Casey Oppenheim
      • Founder
      • Age 39
      • Consumer advocate lawyer
      • from Minnesota
    • Brian Kennish
      • Founder
      • Age 37
      • ex-Google (2003-)
    • Dan Kwon
      • mentioned
    • Patrick Jackson
      • engineer
      • ex-NSA
    • Located Palo Alto, CA
    • Funding
      • $600,000
      • two venture capital firms and six angel investors
        • Charles River Ventures
        • FirstMark Capital
    • 1x year incubating at Charles River Ventures
    • Claim: <quote>Jackson has come up with a way to manipulate Apple’s operating system into letting Disconnect block advertisers and analytics companies from getting the location, user ID or other info from a person’s phone.</quote>
  • Counterpoint
    • Mike Zaneis, general counsel for the Interactive Advertising Bureau (IAB)

Via backfill

Online Ads Can Now Follow You Home | Spencer E. Ante, WSJ

Spencer E. Ante; Online Ads Can Now Follow You Home; In The Wall Street Journal (WSJ); 2013-04-29
Teaser: Firms Are Helping Brands Like Expedia Serve Ads to Users Across PCs and Mobile Devices

Mentions

  • Expedia Inc.
    • Jeff Warren, vice president of mobile and online partner marketing
    • Uses Drawbridge Inc.
  • eMarketer Inc.
    • factoids
  • Drawbridge Inc.
    • <quote>which uses a “triangulation” method to try to figure out when a mobile user is the same person as a desktop user.</quote>
    • <quote>Drawbridge sends cookies to desktop and mobile browsers to track the ads being requested by the devices. If the patterns show enough in common—using the same Internet address at similar times, for instance—the company figures there is a good chance they are from one anonymous user.</quote>
  • Apple
    • Advertising Identifier (IDFA)
  • MoPub Inc.
    • Paul Gelb, “head” of strategy.
  • Facebook
    • Gokul Rajaram, product director for ads.
    • Mobile was 23% of Facebook revenue 2012-Q4.
    • Mobile was 0% of Facebook revenue 2012-Q2.
  • Google
    • “enhanced campaigns”
      • Launch 2013-02
      • target ad bids by multiple locations and specific days and times of the week all within one campaign.
    • Not clear why G. is mentioned in the article on “device graph” & “triangulation”
  • Tapad Inc.
    • Are Traasdahl, CEO.
    • Imputes purchasing intent to view & visitation behavior.
    • Has 75 advertisers buying their segments.
    • Had zero business 18 months ago

Drawbridge, TRUSTe, AdChoices for Opt-Out of Cross-Device Fingerprinting & Tracking

Via

Mentions

Drawbridge

TRUSTe

Actualities

drawbridge demo

TRUSTe Mobile Ads

Fingerprinting And Beyond: The Mobile Ad Targeting Trade-Off | Ad Exchanger

Judith Aquino; Fingerprinting And Beyond: The Mobile Ad Targeting Trade-Off; In Ad Exchanger; 2013-03-29.

Citations & Mentions

  • Judith Aquino; Apple Sets Cut-off for UDID Apps; In Ad Exchanger; 2013-03-22.
  • Adelphic Mobile
    • Ray Colwell, CRO
    • Waltham, MA
    • Founders: “ex Quattro”
    • Funding: $10M, Series A “recently”
    • AudienceCube (product)
      • “real-time mobile signature”
    • Claim
      • Accuracy: 80%-100%
    • Promotion: AdExchanger Q&A 2012-03
  • Drawbridge
    • Kamakshi Sivaramakrishnan, founder
    • Founders: “ex AdMob”
    • San Mateo, CA
    • Funding: $14M “recently”
    • Products
      • “Drawbridge for Mobile Marketing”
      • “Drawbridge for Cross‑Screen Marketing”
    • Claims:
      • Accuracy: 60%-90%
      • Uses “clickstream behavior”; no clicks, no data
      • Accents the opt-out; if opted out on one device, assumes all
    • Promotion: AdExchanger Q&A 2012-11
  • BlueCava
  • TapAd
  • Ringleader Digital (defunct)

Samy Kamkar’s Proofs Of Concept (Evercookie, NAT Pin, NAT Pwn)

Site

samy.pl

Menu

Articles

iPhone/Android Tracking Research + Wardriving Database

Code at http://samy.pl/androidmap
I discovered that both the Apple iPhone and Google Android phones constantly send geolocation/GPS and wifi router information back up to Apple and Google. The iPhone does this even when the user has chosen to turn GPS/Location Services off. Since my release of this research, Apple and Google have both testified in front of Congress and are now involved in various lawsuits due to potential invasion of privacy. Besides the companies tracking the locations of all of these phones, I’ve created a tool that exposes not only the GPS data, but the wifi data Google has been collecting from virtually all Android devices and street view cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or not, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates up to the mothership. My tool allows you to ping that database and find exactly where any wifi router in the world is located. You can enter any router BSSID/MAC address to locate the exact physical location of the router. Try it here.

posted on 2011-04-21

evercookie: Extremely persistent virtually-irrevocable cookies

Code at http://samy.pl/evercookie
evercookie is a javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (LSOs), and others. It currently stores cookies in standard HTTP cookies, Local Shared Objects (Flash Cookies), storing in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out, storing in web history, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, and HTML5 Database Storage via SQLite.

posted on 2010-09-20

The MySpace Worm: the fastest spreading worm in history

Code at http://namb.la/popular
I developed the MySpace worm, the first XSS worm based on AJAX which proliferated through the MySpace network. Learn how I made over one million friends in less than 24 hours.

posted on 2009-12-20

peepmail: Discover private email addresses

Code at http://samy.pl/peepmail/
Peepmail is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.

posted on 2011-04-20

jiagra: Website+Javascript Performance Enhancement API

Code at http://samy.pl/jiagra
jiagra is a stand-alone javascript API for automatic website performance enhancement. It currently features cross-browser pre-rendering/pre-fetching (allowing pages on your site to load in the background before the user has clicked on them), advanced setTimeout and setInterval control (detecting which timers/intervals are still running, have been cleared, or fired) which can allow for greater understanding of when *all* requests of a page have completed, and improved script tag support, allowing you to enter Javascript code in a single script tag that calls out to a remote URL, where the inline Javascript gets executed after the remote JS is executed, e.g.
< script src="path/to/script.js" >
this_is_called_after_script_is_loaded();
< /script >

posted on 2011-06-15

phpwn: Attack on PHP sessions and random numbers

Code at http://samy.pl/phpwn
Studying PHP’s LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information. The initial seed can be reduced from 64-bits to 35-bits, and with PHP code execution, can be reduced further down to just under 20-bits, which takes only seconds to recreate the initial seed.

posted on 2009-08-20

proxmark3: RFID penetration testing tool

Code at http://code.google.com/p/proxmark3/wiki/HomePage
I’m one of the primary developers of the proxmark3, a penetration testing tool for low and high-frequency RFID tags and readers, developed on an ARM7 microprocessor and Xilinx Spartan II FPGA. The device is capable of doing such things as read tags, simulate tags (such as HID badges), eavesdrop on transactions between another reader and tag, analyze a tag or signal passively, and more.

posted on 2009-12-20

NAT Pinning: Forcing Remote Routers to Port Forward

Code at http://samy.pl/natpin
My NAT Pinning technique is a method that forces a user’s router or firewall, unbeknownst to them, to port forward any port number back to the user’s machine, simply by the user visiting a web page. If the user had FTP/ssh/etc open but blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

posted on 2010-01-05

quickjack: Automated Clickjack and Frame Slicing Tool

Code at http://samy.pl/quickjack
Quickjack is a tool developed to easily create pages with the capability to clickjack users no matter where they click on the page. The tool has an extremely intuitive interface and is literally a point-and-click tool. It also allows frame slicing and other features such as referral scrubing and more.

posted on 2010-02-01

pwnat: Advanced client-server NAT-to-NAT penetration

Code at http://samy.pl/pwnat
pwnat allows full client-server tunneling and proxying even when both server and client are behind separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the server side requires no information on the client.

posted on 2010-01-22

chownat: Peer-to-peer communication through NATs

Code at http://samy.pl/chownat
chownat allows two peers behind two separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the application runs as an unprivileged user on both ends.

posted on 2009-12-20

mapxss: Accurate Geolocation via Router Exploitation

Code at http://samy.pl/mapxss
By using XSS exploitation of a user’s router, I’ve created a proof of concept which acquires the MAC address of the router of a web surfer, then uses the Google Service API to acquire geographic coordinates of the user (determined by the Google van driving around and seeing MAC address while tying it to coordinates.) This emulates Firefox’s Location-Aware Browsing without requiring any permission from the user or requiring Firefox.

posted on 2010-01-04

Packet: Perl modules for low-level packet injection/sniffing

Code at http://samy.pl/packet
Packet is a suite of portable Perl modules for encoding, decoding, injecting and sniffing low-level network packets. Packet also provides functionality for other low-level network tasks such as retrieving network device information and working directly with ARP cache tables..

posted on 2009-12-09

airsamy: Automated WEP injection and cracking via aircrack

Code at http://samy.pl/airsamy.pl
airsamy provides a simple interface to quickly and automatically crack a WEP network in minutes. It displays a list of available WEP networks and once selected, it automatically places your driver in monitor mode, tests packet injection, fake authenticates with the AP, captures IVs for cracking, captures ARP packets and replays them to introduce more IVs into the network, and cracks using the PTW attack.

posted on 2009-10-24

ORYX Stream Cipher Implementation and Attack

Code at http://samy.pl/oryx-attack.pl
I’ve implemented the ORYX stream cipher and a cryptanalytic attack able to recover the 96-bit internal key state in less than 2^20 ORYX operations. The ORYX stream cipher is used to encrypt data transmissions for the North American Cellular system.

posted on 2009-10-24

Anti-MITMA: Preventing Man in the Middle Attacks

Code at http://samy.pl/anti-mitma.pdf
I’ve described a simple method for authentication based protocols (e.g., ssh) to prevent man in the middle attacks. Rather than establishing a potentially MITMA’d connection, then authenticating, you can authenticate the initial key exchange. More details in the pdf.

posted on 2009-10-15

weap: WEP (RC4) Key Recovery (Cryptanalytic Attack)

Code at http://samy.pl/weap
I’ve implemented a version of Shamir’s attack on WEP, easily recovering a WEP key from encrypted wireless traffic due to weak keys and poor IV mixing into the RC4 key.

posted on october 15, 2009-10-15

AI::NS: Perl module providing Genetic Algorithms

Code at http://samy.pl/ains/
AI::NaturalSelection provides a series of Perl modules using Genetic Algorithms to allow breeding and mutation to arise and emulate natural selection. Resultant honing can minimize the work required to solve certain fitness-testable problems.

posted on 2009-12-20

sql++: cross-database command line SQL client

Code at http://samy.pl/sql++/
sql++ is an easily configurable, feature-rich, portable command-line SQL tool. It can be used with many different databases and in place of other command line tools such as MySQL’s mysql-client, Microsoft SQL, PostgreSQL’s psql, and Oracle’s sqlplus. It has features such as multiple connections, multi-database interfacing, subselects for all databases, regardless of whether the database has native subselects or not, and much more.

posted on 2009-12-20

DISS: Download shared iTunes music automatically (Win32)

Code at http://samy.pl/diss.zip
DISS (Download iTunes Shared Songs) automatically hooks into iTunes’ memory (winsock) on Windows and downloads any shared music you play into the DISS playlist. No user intervention is required for this to happen, it’s entirely automatic and typically only takes a second or two per song. Full C++ source and Windows binary included.

posted on 2005-11-20

Footer