DOI: 10.1145/3308558.3313703
research-article
Open Access

Evaluating Anti-Fingerprinting Privacy Enhancing Technologies

Published: 13 May 2019

ABSTRACT

We study how to evaluate Anti-Fingerprinting Privacy Enhancing Technologies (AFPETs). Experimental methods have the advantage of control and precision, and can be applied to new AFPETs that currently lack a user base. Observational methods have the advantage of scale and drawing from the browsers currently in real-world use. We propose a novel combination of these methods, offering the best of both worlds, by applying experimentally created models of an AFPET's behavior to an observational dataset. We apply our evaluation methods to a collection of AFPETs to find the Tor Browser Bundle to be the most effective among them. We further uncover inconsistencies in some AFPETs' behaviors.

  • Published in

    WWW '19: The World Wide Web Conference
    May 2019
    3620 pages
    ISBN:9781450366748
    DOI:10.1145/3308558

    Copyright © 2019 ACM

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Qualifiers

    • research-article
    • Research
    • Refereed limited

    Acceptance Rates

    Overall Acceptance Rate: 1,899 of 8,196 submissions, 23%
