Abstract
With this article, we survey the research performed in the domain of browser fingerprinting, while providing an accessible entry point to newcomers in the field. We explain how this technique works and where it stems from. We analyze the related work in detail to understand the composition of modern fingerprints and see how this technique is currently used online. We systematize existing defense solutions into different categories and detail the current challenges yet to overcome.
- IETF. 1995. RFC 1866-Hypertext Markup Language 2.0. Retrieved from https://tools.ietf.org/html/rfc1866.Google Scholar
- IETF. 1996. RFC 1945-Hypertext Transfer Protocol-HTTP/1.0. Retrieved from https://tools.ietf.org/html/rfc1945.Google Scholar
- ECMA. 1997. ECMA-262, 1st Edition, June 1997. Retrieved from https://www.ecma-international.org/publications/files/ECMA-ST-ARCH/ECMA-262,%201st%20edition,%20June%201997.pdf.Google Scholar
- WebAIM. 2008. History of the Browser User-agent String. Retrieved from http://webaim.org/blog/user-agent-string-history/.Google Scholar
- Human who Codes. 2010. History of the User-agent String. Retrieved from https://humanwhocodes.com/blog/2010/01/12/history-of-the-user-agent-string/.Google Scholar
- W3C. 2011. Battery Status Event Specification-W3C Working Draft 26 April 2011. Retrieved from https://www.w3.org/TR/2011/WD-battery-status-20110426/.Google Scholar
- W3C. 2011. Informative Historical Notes-List of Known CSS Prefixes by W3C. Retrieved from https://www.w3.org/TR/CSS21/syndata.html#vendor-keyword-history.Google Scholar
- W3C. 2012. Battery Status API-W3C Candidate Recommendation 08 May 2012. Retrieved from https://www.w3.org/TR/2012/CR-battery-status-20120508/.Google Scholar
- European Commission. 2012. WP29 Opinion 04/2012 on the Cookie Consent Exemption-ARTICLE 29 DATA PROTECTION WORKING PARTY. Retrieved from https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf.Google Scholar
- European Commission. 2014. Opinion 9/2014 on the Application of Directive 2002/58/EC to Device Fingerprinting-ARTICLE 29 DATA PROTECTION WORKING PARTY. Retrieved from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf.Google Scholar
- Duo Security. 2015. Detecting Out of Date and Vulnerable Flash Versions on Your Network-Duo Security. Retrieved from https://duo.com/blog/detecting-out-of-date-and-vulnerable-flash-versions-on-your-network.Google Scholar
- W3C. 2015. HTML Canvas 2D Context-W3C Recommendation 19 November 2015. Retrieved from https://www.w3.org/TR/2dcontext/.Google Scholar
- Mozilla. 2015. NPAPI Plugins in Firefox. Retrieved from https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/.Google Scholar
- W3C. 2016. Battery Status API - W3C Candidate Recommendation 07 July 2016. Retrieved from https://www.w3.org/TR/battery-status/.Google Scholar
- Yandex Browser. 2016. Beware Evil APIs. Retrieved from https://web.archive.org/web/20180626203349/ https://browser.yandex.com/blog/beware-evil-apis.Google Scholar
- Firefox Bugzilla. 2016. Bug 1313580-Remove Web Content Access to Battery API. Retrieved from https://bugzilla.mozilla.org/show_bug.cgi?id=1313580.Google Scholar
- WebKit Bugzilla. 2016. Bug 164213-Remove Battery Status API from the Tree. Retrieved from https://bugs.webkit.org/show_bug.cgi?id=164213.Google Scholar
- W3C. 2016. Geolocation API. Retrieved from https://www.w3.org/TR/geolocation-API/.Google Scholar
- Malwarebytes. 2016. Operation Fingerprint-A Look into Several Angler Exploit Kit Malvertising Campaigns. Retrieved from https://malwarebytes.app.box.com/v/operation-fingerprint.Google Scholar
- Add-ons for Firefox. 2016. Random Agent Spoofer-Firefox Extension. Retrieved from https://web.archive.org/web/20170314014230/ https://addons.mozilla.org/en-US/firefox/addon/random-agent-spoofer/.Google Scholar
- EUR-Lex. 2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data. and Repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA Relevance). Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679.Google Scholar
- Add-ons for Firefox. 2017. Canvas Defender - Firefox Add-on that Adds Unique and Persistent Noise to a Canvas Element. Retrieved from https://addons.mozilla.org/en-US/firefox/addon/no-canvas-fingerprinting/.Google Scholar
- European Commission. 2017. Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC). Retrieved from http://ec.europa.eu/newsroom/document.cfm?doc_id=44103.Google Scholar
- European Commission. 2017. Proposal for a Regulation of the European Parliament and of the Council. Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC(Regulation on Privacy and Electronic Communications). COM(2017) 10 Final.Retrieved from http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241.Google Scholar
- European Parliament. 2017. Report on the Proposal for a Regulation of the European Parliament and of the Council concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (COM(2017)0010 ? C8-0009/2017 ? 2017/0003(COD)). 23 October 2017. Retrieved from https://www.europarl.europa.eu/doceo/document/A-8-2017-0324_EN.html.Google Scholar
- PageFair. 2017. The State of the Blocked Web-2017 Global Adblock Report by PageFair. Retrieved from https://web.archive.org/web/20170201002220/ https://pagefair.com/downloads/2017/01/PageFair-2017-Adblock-Report.pdf.Google Scholar
- Acceptable Ads. 2018. Acceptable Ads Initiative. Retrieved from https://acceptableads.com/.Google Scholar
- Adblock Plus. 2018. Adblock Plus Official Website. Retrieved from https://adblockplus.org/.Google Scholar
- CVE Details. 2018. Adobe Flash Player: List of Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html.Google Scholar
- GitHub. 2018. Anonymous Browser Fingerprint—Fingerprintjs. Retrieved from https://github.com/Valve/fingerprintjs.Google Scholar
- Gizmodo. 2018. Apple Declares War on “Browser Fingerprinting.” the Sneaky Tactic That Tracks You in Incognito Mode. Retrieved from https://gizmodo.com/apple-declares-war-on-browser-fingerprinting-the-sneak-1826549108.Google Scholar
- PerimeterX. 2018. Bot Detection and Botnet Protection. Retrieved from https://www.perimeterx.com/products/bot-defender/.Google Scholar
- ShieldSquare. 2018. Bot Prevention Technology. Retrieved from https://www.shieldsquare.com/bot-prevention-technology/.Google Scholar
- Brave. 2018. Brave Official Website—Browse Faster and Safer with Brave. Retrieved from https://brave.com/.Google Scholar
- Add-ons for Firefox. 2018. CanvasBlocker—Firefox Extension to Block the Canvas API. Retrieved from https://addons.mozilla.org/fr/firefox/addon/canvasblocker/.Google Scholar
- Iovation. 2018. ClearKey. Retrieved from https://www.iovation.com/clearkey-two-factor-authentication.Google Scholar
- CLIQZ. 2018. CLIQZ Official Website—Secure Browser with Built-in Quick Search. Retrieved from https://cliqz.com/en/.Google Scholar
- Coalition for Better Ads. 2018. Coalition for Better Ads Initiative. Retrieved from https://www.betterads.org/.Google Scholar
- CVE. 2018. Common Vulnerabilities and Exposures-The Standard for Information Security Vulnerability Names. Retrieved from https://cve.mitre.org/.Google Scholar
- Iovation. 2018. Customer Authentication Datasheet. Retrieved from https://www.iovation.com/authentication/clearkey.Google Scholar
- SecurAuth. 2018. Device/Browser Fingerprinting-Heuristic-based Authentication. Retrieved from https://docs.secureauth.com/pages/viewpage.action?pageId=40045162.Google Scholar
- Sift Science. 2018. Device Fingerprinting and Fraud Detection Software. Retrieved from https://web.archive.org/web/20170409213006/ https://siftscience.com/device-fingerprinting.Google Scholar
- IPQualityScore. 2018. Device fingerprinting. Device signature fraud Detection. Fraud Prevention. Retrieved from https://www.ipqualityscore.com/device-fingerprinting.Google Scholar
- MaxMind. 2018. Device Tracking Add-on for Minfraud Services. Retrieved from https://dev.maxmind.com/minfraud/device/.Google Scholar
- Disconnect. 2018. Disconnect Official Website. Retrieved from https://disconnect.me/.Google Scholar
- GitHub. 2018. Fingerprinting Protection Mode—Brave Browser. Retrieved from https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections.Google Scholar
- Ghostery 2018. Ghostery Official Website. Retrieved from https://www.ghostery.com/.Google Scholar
- Dan's Tools. 2018. JavaScript Obfuscator. Retrieved from https://www.cleancss.com/javascript-obfuscate/.Google Scholar
- jQuery. 2018. jQuery Official Website. Retrieved from https://jquery.com/.Google Scholar
- Mozilla Developer Network. 2018. Mozilla CSS Extensions. Retrieved from https://developer.mozilla.org/en-US/docs/Web/CSS/Mozilla_Extensions.Google Scholar
- Nmap. 2018. Nmap: The Network Mapper-OS Detection. Retrieved from https://nmap.org/book/man-os-detection.html.Google Scholar
- NoScript. 2018. NoScript Official Website. Retrieved from https://noscript.net/.Google Scholar
- GitHub. 2018. OpenWPM - A Web Privacy Measurement Framework. Retrieved from https://github.com/mozilla/OpenWPM.Google Scholar
- Add-ons for Firefox. 2018. Popular Extensions-Add-ons for Firefox. Retrieved from https://addons.mozilla.org/firefox/search/?sort=users8type=extension.Google Scholar
- EFF. 2018. Privacy Badger Official Website-Electronic Frontier Foundation. Retrieved from https://www.eff.org/privacybadger.Google Scholar
- Mozilla. 2018. Security/Fingerprinting—Mozilla Wiki. Retrieved from https://wiki.mozilla.org/Security/Fingerprinting.Google Scholar
- Mozilla. 2018. Security/Fusion—Mozilla Wiki. Retrieved from https://wiki.mozilla.org/Security/Fusion.Google Scholar
- Mozilla. 2018. Security/Tor Uplift—Mozilla Wiki. Retrieved from https://wiki.mozilla.org/Security/Tor_Uplift.Google Scholar
- The Tor Project. 2018. The Design and Implementation of the Tor Browser [DRAFT]- Tor Project Official Website. Retrieved from https://www.torproject.org/projects/torbrowser/design/.Google Scholar
- Distil Networks. 2018. The Evolution of Hi-Def Fingerprinting in Bot Mitigation. Retrieved from https://resources.distilnetworks.com/all-blog-posts/device-fingerprinting-solution-bot-mitigation.Google Scholar
- ThreatMetrix. 2018. ThreatMetrix Announces Cookieless Device Identification to Prevent Online Fraud While Protecting Customer Privacy. Retrieved from https://www.threatmetrix.com/press-releases/threatmetrix-announces-cookieless-device-identification-to-prevent-online-fraud-while-protecting-customer-privacy/.Google Scholar
- The Tor Project. 2018. Tor Browser—Tor Project Official Website. Retrieved from https://www.torproject.org/projects/torbrowser.html.Google Scholar
- GitHub. 2018. uBlock Origin—An Efficient Blocker for Chromium and Firefox. Fast and Lean. Retrieved from https://github.com/gorhill/uBlock.Google Scholar
- W3C. 2018. Web Audio API. Retrieved from https://www.w3.org/TR/webaudio/.Google Scholar
- W3C. 2018. Web Payments API. Retrieved from https://www.w3.org/TR/payment-request/.Google Scholar
- WebAssembly. 2018. WebAssembly API. Retrieved from http://webassembly.org/.Google Scholar
- Khronos Group. 2018. WebGL—OpenGL ES for the Web. Retrieved from https://www.khronos.org/webgl/.Google Scholar
- W3C. 2018. WebRTC API. Retrieved from https://www.w3.org/TR/webrtc/.Google Scholar
- W3C. 2018. WebXR Device API. Retrieved from https://www.w3.org/TR/webxr/.Google Scholar
- StatCounter. 2019. Browser Market Share Worldwide. Retrieved from https://gs.statcounter.com/browser-market-share.Google Scholar
- Google. 2019. Building a More Private Web. Retrieved from https://www.blog.google/products/chrome/building-a-more-private-web/.Google Scholar
- Mozilla. 2019. Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container. Firefox Monitor and Lockwise. Retrieved from https://blog.mozilla.org/blog/2019/06/04/firefox-now-available-with-enhanced-tracking-protection-by-default/.Google Scholar
- Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. 2014. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’14). ACM, New York, NY, 674--689. DOI:https://doi.org/10.1145/2660267.2660347Google Scholar
Digital Library
- Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: Dusting the web for fingerprinters. In Proceedings of the ACM SIGSAC Conference on Computer 8 Communications Security (CCS’13). ACM, New York, NY, 1129--1140. DOI:https://doi.org/10.1145/2508859.2516674Google Scholar
Digital Library
- Jagdish Prasad Achara, Gergely Ács, and Claude Castelluccia. 2015. On the unicity of smartphone applications. Retrieved from http://arxiv.org/abs/1507.07851.Google Scholar
- Nasser Mohammed Al-Fannah, Wanpeng Li, and Chris J. Mitchell. 2018. Beyond cookie monster amnesia: Real world persistent online tracking. In Proceedings of the 21st International Conference on Information Security (ISC’18). 481--501. DOI:https://doi.org/10.1007/978-3-319-99136-8_26Google Scholar
- Furkan Alaca and P. C. van Oorschot. 2016. Device fingerprinting for augmenting web authentication: Classification and analysis of methods. In Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC’16). ACM, New York, NY, 289--301. DOI:https://doi.org/10.1145/2991079.2991091Google Scholar
Digital Library
- Mika D. Ayenson, Dietrich James Wambach, Ashkan Soltani, Nathan Good, and Chris Jay Hoofnagle. 2011. Flash cookies and privacy II: Now with HTML5 and ETag respawning. Retrieved from https://dx.doi.org/10.2139/ssrn.1898390.Google Scholar
- Peter Baumann, Stefan Katzenbeisser, Martin Stopczynski, and Erik Tews. 2016. Disguised chromium browser: Robust browser, flash and canvas fingerprinting protection. In Proceedings of the ACM on Workshop on Privacy in the Electronic Society (WPES’16). ACM, New York, NY, 37--46. DOI:https://doi.org/10.1145/2994620.2994621Google Scholar
Digital Library
- Károly Boda, Ádám Máté Földes, Gábor György Gulyás, and Sándor Imre. 2012. User Tracking on the Web via Cross-Browser Fingerprinting. Lecture Notes in Computer Science, Vol. 7161. Springer, Berlin, 31--46. DOI:https://doi.org/10.1007/978-3-642-29615-4_4Google Scholar
- Elie Bursztein, Artem Malyshev, Tadek Pietraszek, and Kurt Thomas. 2016. Picasso: Lightweight device class fingerprinting for web clients. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM’16). ACM, New York, NY, 93--102. DOI:https://doi.org/10.1145/2994459.2994467Google Scholar
Digital Library
- Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)browser fingerprinting via OS and hardware level features. In Proceedings of the 24th Annual Network and Distributed System Security Symposium (NDSS’17).Google Scholar
Cross Ref
- Amit Datta, Jianan Lu, and Michael Carl Tschantz. 2019. Evaluating anti-fingerprinting privacy enhancing technologies. In Proceedings of the World Wide Web Conference (WWW’19). ACM, New York, NY, 351--362. DOI:https://doi.org/10.1145/3308558.3313703Google Scholar
Digital Library
- Peter Eckersley. 2010. How unique is your web browser? In Proceedings of the 10th International Conference on Privacy Enhancing Technologies (PETS’10). Springer-Verlag, Berlin, 1--18. http://dl.acm.org/citation.cfm?id=1881151.1881152.Google Scholar
Digital Library
- Steven Englehardt and Arvind Narayanan. 2016. Online tracking: A 1-million-site measurement and analysis. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’16). ACM, New York, NY, 1388--1401. DOI:https://doi.org/10.1145/2976749.2978313Google Scholar
Digital Library
- Amin FaizKhademi, Mohammad Zulkernine, and Komminist Weldemariam. 2015. FPGuard: Detection and prevention of browser fingerprinting. In Proceedings of the 29th Data and Applications Security and Privacy Conference. Lecture Notes in Computer Science, Vol. 9149. Springer International Publishing, 293--308. DOI:https://doi.org/10.1007/978-3-319-20810-7_21Google Scholar
- David Fifield and Serge Egelman. 2015. Fingerprinting web users through font metrics. In Proceedings of the 19th International Conference on Financial Cryptography and Data Security. Springer-Verlag, Berlin.Google Scholar
Cross Ref
- Ugo Fiore, Aniello Castiglione, Alfredo De Santis, and Francesco Palmieri. 2014. Countering browser fingerprinting techniques: Constructing a fake profile with Google Chrome. In Proceedings of the 17th International Conference on Network-Based Information Systems (NBiS’14). IEEE, 355--360.Google Scholar
Digital Library
- Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry. 2018. Hiding in the crowd: An analysis of the effectiveness of browser fingerprinting at large scale. In Proceedings of the World Wide Web Conference (WWW’18). DOI:https://doi.org/10.1145/3178876.3186097Google Scholar
Digital Library
- Gábor György Gulyás, Dolière Francis Somé, Nataliia Bielova, and Claude Castelluccia. 2018. To extend or not to extend: On the uniqueness of browser extensions and web logins. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES’18). ACM, 14--27.Google Scholar
Digital Library
- Sheharbano Khattak, David Fifield, Sadia Afroz, Mobin Javed, Srikanth Sundaresan, Damon McCoy, Vern Paxson, and Steven J. Murdoch. 2016. Do you see what I see? Differential treatment of anonymous users. In Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS’16). Retrieved from http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/do-you-see-what-i-see-differential-treatment-anonymous-users.pdf.Google Scholar
- Andreas Kurtz, Hugo Gascon, Tobias Becker, Konrad Rieck, and Felix Freiling. 2016. Fingerprinting mobile devices using personalized configurations. Proc. Priv. Enhanc. Technol. 2016, 1 (2016), 4--19.Google Scholar
Cross Ref
- Pierre Laperdrix, Gildas Avoine, Benoit Baudry, and Nick Nikiforakis. 2019. Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. In Proceedings of the 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’19). 43--66. DOI:https://doi.org/10.1007/978-3-030-22038-9_3Google Scholar
Cross Ref
- Pierre Laperdrix, Benoit Baudry, and Vikas Mishra. 2017. FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques. In Proceedings of the 9th International Symposium on Engineering Secure Software and Systems (ESSoS’17). Retrieved from https://hal.inria.fr/hal-01527580.Google Scholar
Cross Ref
- Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2015. Mitigating browser fingerprint tracking: Multi-level reconfiguration and diversification. In Proceedings of the 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS’15). Retrieved from https://hal.inria.fr/hal-01121108.Google Scholar
Digital Library
- Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S8P 2016). Retrieved from https://hal.inria.fr/hal-01285470.Google Scholar
Cross Ref
- Jonathan R. Mayer. 2009. Any person a pamphleteer: Internet Anonymity in the Age of Web 2.0. Undergraduate Senior Thesis, Princeton University.Google Scholar
- Georg Merzdovnik, Markus Huber, Damjan Buhov, Nick Nikiforakis, Sebastian Neuner, Martin Schmiedecker, and Edgar Weippl. 2017. Block me if you can: A large-scale study of tracker-blocking tools. In Proceedings of the 2nd IEEE European Symposium on Security and Privacy.Google Scholar
Cross Ref
- Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham. 2011. Fingerprinting information in JavaScript implementations. In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP’11), Helen Wang (Ed.). IEEE Computer Society.Google Scholar
- Keaton Mowery and Hovav Shacham. 2012. Pixel perfect: Fingerprinting canvas in HTML5. In Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP’12), Matt Fredrikson (Ed.). IEEE Computer Society.Google Scholar
- Martin Mulazzani, Philipp Reschl, Markus Huber, Manuel Leithner, Sebastian Schrittwieser, Edgar Weippl, and FH Campus Wien. 2013. Fast and reliable browser identification with javascript engine fingerprinting. In Proceedings of the Web 2.0 Workshop on Security and Privacy (W2SP), Vol. 5.Google Scholar
- Gabi Nakibly, Gilad Shelef, and Shiran Yudilevich. 2015. Hardware fingerprinting using HTML5. Retrieved from http://arxiv.org/abs/1503.01408.Google Scholar
- Nick Nikiforakis, Wouter Joosen, and Benjamin Livshits. 2015. PriVaricator: Deceiving fingerprinters with little white lies. In Proceedings of the 24th International Conference on World Wide Web (WWW’15). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 820--830. DOI:https://doi.org/10.1145/2736277.2741090Google Scholar
Digital Library
- Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy (SP’13). IEEE Computer Society, Washington, DC, 541--555. DOI:https://doi.org/10.1109/SP.2013.43Google Scholar
Digital Library
- Łukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. 2016. The Leaking Battery. Springer International Publishing, Cham, 254--263. DOI:https://doi.org/10.1007/978-3-319-29883-2_18Google Scholar
- Lukasz Olejnik, Steven Englehardt, and Arvind Narayanan. 2017. Battery status not included: Assessing privacy in web standards. In Proceedings of the 3rd International Workshop on Privacy Engineering (IWPE’17).Google Scholar
- Florentin Rochet, Kyriakos Efthymiadis, François Koeune, and Olivier Pereira. 2019. SWAT: Seamless web authentication technology. In Proceedings of the World Wide Web Conference (WWW’19). ACM, New York, NY, 1579--1589. DOI:https://doi.org/10.1145/3308558.3313637Google Scholar
Digital Library
- T. Saito, K. Yasuda, T. Ishikawa, R. Hosoi, K. Takahashi, Y. Chen, and M. Zalasiński. 2016. Estimating CPU features by browser fingerprinting. In Proceedings of the 10th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS’16). 587--592. DOI:https://doi.org/10.1109/IMIS.2016.108Google Scholar
- Takamichi Saito, Koki Yasuda, Kazuhisa Tanabe, and Kazushi Takahashi. 2017. Web browser tampering: Inspecting CPU features from side-channel information. In Proceedings of the 12th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA’17). 392--403. DOI:https://doi.org/10.1007/978-3-319-69811-3_36Google Scholar
- Iskander Sánchez-Rola, Igor Santos, and Davide Balzarotti. 2017. Extension breakdown: Security analysis of browsers extension resources control policies. In Proceedings of the 26th USENIX Security Symposium. 679--694.Google Scholar
- Iskander Sanchez-Rola, Igor Santos, and Davide Balzarotti. 2018. Clock around the clock: Time-based device fingerprinting. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’18). ACM, New York, NY, 1502--1514. DOI:https://doi.org/10.1145/3243734.3243796Google Scholar
Digital Library
- J. Schuh. 2013. Saying Goodbye to Our Old Friend NPAPI. Retrieved from https://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html.Google Scholar
- Michael Schwarz, Florian Lackner, and Daniel Gruss. 2019. JavaScript template attacks: Automatically inferring host information for targeted exploits. In Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS’19). Retrieved from https://www.ndss-symposium.org/ndss-paper/javascript-template-attacks-automatically-inferring-host-information-for-targeted-exploits/.Google Scholar
Cross Ref
- Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis. 2016. I’m not a human: Breaking the Google reCAPTCHA. Retrieved from https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf.Google Scholar
- Alexander Sjösten, Steven Van Acker, Pablo Picazo-Sanchez, and Andrei Sabelfeld. 2019. Latex gloves: Protecting browser extensions from probing and revelation attacks. In Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS’19). Retrieved from https://www.ndss-symposium.org/ndss-paper/latex-gloves-protecting-browser-extensions-from-probing-and-revelation-attacks/.Google Scholar
Cross Ref
- Alexander Sjösten, Steven Van Acker, and Andrei Sabelfeld. 2017. Discovering browser extensions via web accessible resources. In Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy (CODASPY’17). ACM, New York, NY, 329--336. DOI:https://doi.org/10.1145/3029806.3029820Google Scholar
Digital Library
- Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay Hoofnagle. 2010. Flash cookies and privacy. In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management, Vol. 2010. 158--163.Google Scholar
- Jan Spooren, Davy Preuveneers, and Wouter Joosen. 2015. Mobile device fingerprinting considered harmful for risk-based authentication. In Proceedings of the 8th European Workshop on System Security (EuroSec’15). ACM, New York, NY. DOI:https://doi.org/10.1145/2751323.2751329Google Scholar
Digital Library
- Jan Spooren, Davy Preuveneers, and Wouter Joosen. 2017. Leveraging battery usage from mobile devices for active authentication. Mobile Info. Syst. 2017 (2017), 1367064:1--1367064:14. DOI:https://doi.org/10.1155/2017/1367064Google Scholar
- Oleksii Starov, Pierre Laperdrix, Alexandros Kapravelos, and Nick Nikiforakis. 2019. Unnecessarily identifiable: Quantifying the fingerprintability of browser extensions due to bloat. In Proceedings of the World Wide Web Conference (WWW’19). ACM, New York, NY, 3244--3250. DOI:https://doi.org/10.1145/3308558.3313458Google Scholar
Digital Library
- Oleksii Starov and Nick Nikiforakis. 2017. XHOUND: Quantifying the fingerprintability of browser extensions. In Proceedings of the 38th IEEE Symposium on Security and Privacy (S8P’17).Google Scholar
Cross Ref
- N. Takei, T. Saito, K. Takasu, and T. Yamada. 2015. Web browser fingerprinting using only cascading style sheets. In Proceedings of the 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA’15). 57--63. DOI:https://doi.org/10.1109/BWCCA.2015.105Google Scholar
- Christof Torres, Hugo Jonker, and Sjouke Mauw. 2015. FP-Block: Usable web privacy by controlling browser fingerprinting. In Proceedings of the 20th European Symposium on Research in Computer Security (ESORICS’15).Google Scholar
Cross Ref
- Erik Trickel, Oleksii Starov, Alexandros Kapravelos, Nick Nikiforakis, and Adam Doupé. 2019. Everyone is different: Client-side diversification for defending against extension fingerprinting. In Proceedings of the 28th USENIX Security Symposium (USENIXSecurity’19). USENIX Association, 1679--1696. https://www.usenix.org/conference/usenixsecurity19/presentation/trickel.Google Scholar
- T. Unger, M. Mulazzani, D. Frühwirt, M. Huber, S. Schrittwieser, and E. Weippl. 2013. SHPF: Enhancing HTTP(S) session security with browser fingerprinting. In Proceedings of the International Conference on Availability, Reliability and Security. 255--261. DOI:https://doi.org/10.1109/ARES.2013.33Google Scholar
- Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-Scanner: The privacy implications of browser fingerprint inconsistencies. In Proceedings of the 27th USENIX Security Symposium (USENIXSecurity’18). USENIX Association, 135--150. https://www.usenix.org/conference/usenixsecurity18/presentation/vastel.Google Scholar
- Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking browser fingerprint evolutions. In Proceedings of the 39th IEEE Symposium on Security and Privacy (S8P’18).Google Scholar
Cross Ref
- Shujiang Wu, Song Li, Yinzhi Cao, and Ningfei Wang. 2019. Rendered private: Making GLSL execution uniform to prevent WebGL-based browser fingerprinting. In Proceedings of the 28th USENIX Security Symposium (USENIXSecurity’19). USENIX Association, 1645--1660. https://www.usenix.org/conference/usenixsecurity19/presentation/wu.Google Scholar
- W. Wu, J. Wu, Y. Wang, Z. Ling, and M. Yang. 2016. Efficient fingerprinting-based android device identification with zero-permission identifiers. IEEE Access 4 (2016), 8073--8083. DOI:https://doi.org/10.1109/ACCESS.2016.2626395Google Scholar
Cross Ref
- Zhonghao Yu, Sam Macbeth, Konark Modi, and Josep M. Pujol. 2016. Tracking the trackers. In Proceedings of the 25th International Conference on World Wide Web (WWW’16). International World Wide Web Conferences Steering Committee, Republic and Canton of Geneva, Switzerland, 121--132. DOI:https://doi.org/10.1145/2872427.2883028Google Scholar
Index Terms
Browser Fingerprinting: A Survey
Recommendations
Online Tracking: A 1-million-site Measurement and Analysis
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityWe present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-...
FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security
Detection of Intrusions and Malware, and Vulnerability AssessmentAbstractBrowser fingerprinting has established itself as a stateless technique to identify users on the Web. In particular, it is a highly criticized technique to track users. However, we believe that this identification technique can serve more virtuous ...
Web-based Fingerprinting Techniques
ICETE 2016: Proceedings of the 13th International Joint Conference on e-Business and TelecommunicationsThe concept of device fingerprinting is based in the assumption that each electronic device holds a unique set
of physical and/or logical features that others can capture and use to differentiate it from the whole. Web-based
fingerprinting, a particular ...






Comments