DOI: 10.1145/2660267.2660347

The Web Never Forgets: Persistent Tracking Mechanisms in the Wild

Published: 03 November 2014

    Abstract

    We present the first large-scale studies of three advanced web tracking mechanisms: canvas fingerprinting, evercookies, and the use of "cookie syncing" in conjunction with evercookies. Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it. We then present the first automated study of evercookies and respawning, and the discovery of a new evercookie vector, IndexedDB. Turning to cookie syncing, we present novel techniques for detecting and analysing ID flows, and we quantify the amplification of privacy-intrusive tracking practices due to cookie syncing.
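    The cookie-syncing detection the abstract refers to, as an added example that is not the paper's own code or method: over a small constructed request log it picks out cookie values that look like user IDs, flags requests that carry one site's ID in a URL to a different site, and then counts how many sites end up knowing each ID. The ID heuristic, the two-label registrable-domain approximation, and the `.test` domains are assumptions made for this illustration.

```javascript
"use strict";

// Constructed sample log (not real traffic): one entry per request, in the shape a
// crawler that records the cookies sent and set on each request might store it.
const SAMPLE_LOG = [
  { url: "https://ads.example-a.test/pixel.gif",
    cookiesSent: {}, cookiesSet: { uid: "f3c9a1d07e6b4c2a" } },
  { url: "https://sync.example-b.test/match?partner=a&a_uid=f3c9a1d07e6b4c2a",
    cookiesSent: { bid: "9d1e2f3a4b5c6d7e" }, cookiesSet: {} },
  { url: "https://cdn.example-c.test/lib.js?v=3",
    cookiesSent: {}, cookiesSet: { lang: "en" } },
  { url: "https://track.example-d.test/s?ref=ok&guid=9d1e2f3a4b5c6d7e",
    cookiesSent: {}, cookiesSet: {} },
];

// Crude registrable-domain approximation: the last two host labels. Production
// code needs the Public Suffix List ("co.uk" etc.); that is out of scope here.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Assumed stand-in for ID selection (the abstract does not detail the paper's rule):
// a cookie value long and varied enough to plausibly identify one user.
function looksLikeId(value) {
  return typeof value === "string" && value.length >= 8 && new Set(value).size >= 6;
}

// Map each ID-looking cookie value to the site that owns the cookie. A cookie
// sent to a host belongs to that host's site just as a cookie set by it does.
function collectIds(log) {
  const owners = new Map();
  for (const req of log) {
    const site = siteOf(req.url);
    for (const jar of [req.cookiesSet, req.cookiesSent]) {
      for (const value of Object.values(jar)) {
        if (looksLikeId(value) && !owners.has(value)) owners.set(value, site);
      }
    }
  }
  return owners;
}

// A sync is a request whose query string carries a known ID owned by a different
// site than the one receiving the request. (IDs hidden in the path or fragment
// would need an extra pass; this version only inspects query parameters.)
function findSyncs(log, owners) {
  const syncs = [];
  for (const req of log) {
    const to = siteOf(req.url);
    for (const [param, value] of new URL(req.url).searchParams) {
      const from = owners.get(value);
      if (from !== undefined && from !== to) syncs.push({ id: value, from, to, param });
    }
  }
  return syncs;
}

// Amplification: after syncing, which sites know each ID (owner plus recipients).
function idExposure(owners, syncs) {
  const exposure = new Map();
  for (const [id, owner] of owners) exposure.set(id, new Set([owner]));
  for (const s of syncs) exposure.get(s.id).add(s.to);
  return new Map([...exposure].map(([id, sites]) => [id, [...sites].sort()]));
}

function analyse(log) {
  const owners = collectIds(log);
  const syncs = findSyncs(log, owners);
  return { owners, syncs, exposure: idExposure(owners, syncs) };
}

const report = analyse(SAMPLE_LOG);
for (const s of report.syncs) console.log(`sync: ${s.from} -> ${s.to} (${s.param}=${s.id})`);
for (const [id, sites] of report.exposure) console.log(`${id}: known to ${sites.join(", ")}`);
```

    On the constructed log this reports two syncs (example-a.test's ID handed to example-b.test, and example-b.test's ID handed to example-d.test) and shows each ID known to two sites instead of one; on a real crawl the same exposure map is what quantifies the amplification the abstract mentions.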
    Our evaluation of the defensive techniques used by privacy-aware users finds that there are subtle pitfalls, such as failing to clear state in every browser at once, in which a single lapse in judgement can shatter privacy defenses. This suggests that even sophisticated users face great difficulties in evading tracking techniques.
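    The pitfall described above, as an added simulation that is not from the paper: an evercookie that rewrites its ID into every storage area it can reach, and a user who wipes one browser but not the other. The in-memory stores, and the assumption that one area (modelled on Flash Local Shared Objects, which were kept outside any browser profile) is shared between the two browsers, are constructed for this example.

```javascript
"use strict";

// Constructed stand-in for a browser storage area (cookie jar, IndexedDB, ...):
// a plain key/value map, so the respawn logic can run outside a browser.
class MemoryStore {
  constructor(name) { this.name = name; this.data = new Map(); }
  get(key) { return this.data.has(key) ? this.data.get(key) : null; }
  set(key, value) { this.data.set(key, value); }
  clear() { this.data.clear(); }
}

// Tracker side. An evercookie writes one ID into every store it can reach; on each
// visit it reads whichever copy survived and re-creates the ID in the stores the
// user wiped. Real evercookies use many more vectors; three suffice to show the idea.
class Evercookie {
  constructor(stores, newId) { this.stores = stores; this.newId = newId; }
  read(key) {
    for (const s of this.stores) { const v = s.get(key); if (v !== null) return v; }
    return null;
  }
  visit(key) {
    let id = this.read(key);
    const respawned = id !== null && this.stores.some(s => s.get(key) === null);
    if (id === null) id = this.newId();          // genuinely new visitor
    for (const s of this.stores) s.set(key, id);  // (re)write every vector
    return { id, respawned };
  }
}

// User side: "clear browsing data" for one browser's set of stores.
function clearAll(stores) { for (const s of stores) s.clear(); }

// Two browsers on one machine that share a storage area (assumed: a Flash LSO).
function twoBrowserScenario() {
  let n = 0;
  const newId = () => `id-${++n}`;
  const shared = new MemoryStore("flashLSO");
  const browserA = [new MemoryStore("A:cookie"), new MemoryStore("A:indexedDB"), shared];
  const browserB = [new MemoryStore("B:cookie"), new MemoryStore("B:indexedDB"), shared];
  const trackerA = new Evercookie(browserA, newId);
  const trackerB = new Evercookie(browserB, newId);

  const first = trackerA.visit("uid");    // id-1 lands in A and in the shared area
  trackerB.visit("uid");                  // B picks up id-1 from the shared area

  clearAll(browserA);                     // user wipes browser A, shared area included...
  trackerB.visit("uid");                  // ...but forgets B, which re-seeds the shared area
  const afterPartialClear = trackerA.visit("uid");   // id-1 respawns in A

  clearAll(browserA); clearAll(browserB);            // both browsers at once
  const afterFullClear = trackerA.visit("uid");      // only now does the tracker lose the user

  return { first, afterPartialClear, afterFullClear };
}

console.log(twoBrowserScenario());
```

    The single lapse is the second `trackerB.visit`: one ordinary page load in the forgotten browser puts the old ID back into the shared area, and the freshly cleaned browser A gets it back on its next visit. Only clearing every store in every browser before the tracker's next chance to run yields a new ID.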

    Published In

    CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
    November 2014
    1592 pages
    ISBN:9781450329576
    DOI:10.1145/2660267
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. browser fingerprinting
    2. canvas fingerprinting
    3. cookie syncing
    4. evercookie
    5. flash
    6. javascript
    7. privacy
    8. tracking
    9. web security

    Qualifiers

    • Research-article

    Conference

    CCS'14

    Acceptance Rates

    CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
