tutorial

Browser Fingerprinting: A Survey

Published: 09 April 2020

Abstract

With this article, we survey the research performed in the domain of browser fingerprinting, while providing an accessible entry point to newcomers in the field. We explain how this technique works and where it stems from. We analyze the related work in detail to understand the composition of modern fingerprints and see how this technique is currently used online. We systematize existing defense solutions into different categories and detail the current challenges yet to overcome.


Published in

ACM Transactions on the Web, Volume 14, Issue 2
May 2020
149 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/3382502

Copyright © 2020 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 9 April 2020
• Accepted: 1 January 2020
• Revised: 1 October 2019
• Received: 1 August 2018

Qualifiers

• tutorial
• Research
• Refereed
