IT Security Infrastructures Lab

Browser Fingerprinting

Browser fingerprinting, as a stateless tracking technique, can be used to recognize users based on the characteristics and behavior of their browser instances.

Unlike cookies, no data needs to be stored on the client side to track users. The browser attributes required to compile a vector of characteristics, i.e., a fingerprint, can be harvested passively from the client’s HTTP request headers, or actively by running a script on the client side and querying the browser’s Web APIs or probing its behavior and capabilities.

Although this depends on the feature set used to compile such fingerprints, the majority of fingerprints tend to be unique amongst users, which is a privacy issue.

Online Study

Since 2016, we have been running a long-term study on browser fingerprinting. To the best of our knowledge, our study is the first to provide longitudinal observations with ground truth at the user level as well as to report the demographics of the user sample.

Participants are required to sign up with their email addresses so we can send them a weekly email with a personalized link to test their fingerprint. In this way, we not only control the stimuli for periodic measurements and establish ground truth for long-term observations, but also enable participants to use as many devices and browsers as they wish.

When participants visit their personalized links to test their fingerprints, we provide them with an extensive overview of the features that were collected and tell them whether their current fingerprint is unique amongst the participants of our study and whether it can be used to track them uniquely over time. Furthermore, participants can browse historic data about their observed fingerprints. Additionally, we share statistics on preliminary results of our study with the general public.

Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective

In the following, we provide a high-level description of some of the findings reported in our paper “Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective”, which was accepted at PETS 2020 (Privacy Enhancing Technologies Symposium).

Technical Findings

In our paper, we propose formal definitions to characterize fingerprints within datasets as unique-by-appearance, unique-by-entity, stable, and trackable.

Further, we introduce a technique called feature stemming, which removes mutating parts from individual features (e.g., varying version numbers) to increase their stability over time, making them comparable despite inequality (e.g., for establishing linkability between fingerprints that evolved over time).
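The effect of stemming on stability and uniqueness can be measured on a small dataset. The following is an added example, not code from the paper or the study: the regex-based stemming rule, the feature names and the sample observations are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed stemming rule (not the paper's): collapse every version-like
# number such as "118.0" or "86_64" into a placeholder.
VERSION = re.compile(r"\d+(?:[._]\d+)*")
STEMMED_FEATURES = {"user_agent"}  # stem only features known to mutate

def fingerprint(features, stemmed):
    """Hashable fingerprint vector, optionally with stemmed features."""
    return tuple(
        (name, VERSION.sub("#", value)
         if stemmed and name in STEMMED_FEATURES else value)
        for name, value in sorted(features.items())
    )

def stable_entities(observations, stemmed):
    """Entities seen more than once whose fingerprint never changed."""
    seen = defaultdict(list)
    for entity, features in observations:
        seen[entity].append(fingerprint(features, stemmed))
    return {e for e, fps in seen.items()
            if len(fps) > 1 and len(set(fps)) == 1}

def colliding_entities(observations, stemmed):
    """Entities that share at least one fingerprint with another entity."""
    owners = defaultdict(set)
    for entity, features in observations:
        owners[fingerprint(features, stemmed)].add(entity)
    return {e for ents in owners.values() if len(ents) > 1 for e in ents}

# Constructed sample data: alice and bob update their browsers between visits.
A = {"screen": "1920x1080", "timezone": "Europe/Berlin"}
B = {"screen": "2560x1440", "timezone": "Europe/Berlin"}
OBSERVATIONS = [
    ("alice", {"user_agent": "Firefox/118.0 (X11; Linux x86_64)", **A}),
    ("alice", {"user_agent": "Firefox/119.0 (X11; Linux x86_64)", **A}),
    ("bob", {"user_agent": "Chrome/118.0.5993.70 (X11; Linux x86_64)", **B}),
    ("bob", {"user_agent": "Chrome/119.0.6045.105 (X11; Linux x86_64)", **B}),
    ("carol", {"user_agent": "Firefox/102.0 (X11; Linux x86_64)", **A}),
]

if __name__ == "__main__":
    for stemmed in (False, True):
        print(stemmed, stable_entities(OBSERVATIONS, stemmed),
              colliding_entities(OBSERVATIONS, stemmed))
```

On this data, stemming makes the fingerprints of alice and bob stable across the browser update, but it also makes carol indistinguishable from alice, so stability is gained at the cost of uniqueness.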

Based on data we collected between 2016 and 2019, we show that a greedy sequential search approach can be used to optimize device-type-dependent and device-type-independent feature sets for fingerprinting with respect to an optimization criterion for a given dataset, such as the stability of unique fingerprints over time. Since trackers might apply such feature set optimizations to increase users’ trackability, we think that such optimization approaches for feature selection should be considered in risk and privacy assessments.
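For a privacy assessment, the same kind of search shows which feature subset leaves the most users exposed in a given dataset. The sketch below is an added example, not the paper's implementation: it assumes greedy forward selection, a simplified criterion (entities whose fingerprint is stable across visits and shared with no other entity), and constructed sample data with hypothetical feature names.

```python
from collections import defaultdict

def score(observations, features):
    """Count entities whose projected fingerprint is stable and unshared."""
    per_entity, owners = defaultdict(set), defaultdict(set)
    for entity, attrs in observations:
        fp = tuple(attrs[f] for f in sorted(features))
        per_entity[entity].add(fp)
        owners[fp].add(entity)
    return sum(
        1 for fps in per_entity.values()
        if len(fps) == 1 and len(owners[next(iter(fps))]) == 1
    )

def greedy_select(observations, candidates):
    """Add the best-scoring feature per round; stop when nothing improves."""
    selected, best = [], score(observations, [])
    while True:
        remaining = sorted(set(candidates) - set(selected))
        if not remaining:
            return selected, best
        gains = [(score(observations, selected + [f]), f) for f in remaining]
        top, feature = max(gains, key=lambda g: g[0])  # first max wins ties
        if top <= best:
            return selected, best
        selected.append(feature)
        best = top

def obs(entity, tz, screen, fonts, ua):
    return entity, {"timezone": tz, "screen": screen, "fonts": fonts, "ua": ua}

FEATURES = ["timezone", "screen", "fonts", "ua"]
OBSERVATIONS = [  # constructed sample data: two visits per entity
    obs("e1", "Berlin", "1080p", "F1", "118"),
    obs("e1", "Berlin", "1080p", "F1", "119"),
    obs("e2", "Berlin", "1440p", "F1", "118"),
    obs("e2", "Berlin", "1440p", "F1", "119"),
    obs("e3", "Berlin", "1080p", "F2", "118"),
    obs("e3", "Berlin", "1080p", "F2", "118"),
    obs("e4", "New_York", "1080p", "F2", "117"),
    obs("e4", "New_York", "1080p", "F3", "117"),
]

if __name__ == "__main__":
    print(greedy_select(OBSERVATIONS, FEATURES))
    print(score(OBSERVATIONS, FEATURES))
```

Here the search stops at three features that expose three of the four entities, while using all four features exposes only one, because the version feature changes between visits and destroys stability.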

User-Centered Findings

Most participants of our study indicated that they had learned something new, e.g., how fingerprinting works or about their individual trackability. When asked whether the participation changed any of their thoughts or feelings regarding the Web, the majority of those who answered in the affirmative indicated their disappointment about the state of privacy, e.g., by realizing the magnitude of tracking; the majority of those who answered in the negative indicated that they were not surprised as they were already aware of tracking, browser fingerprinting, and data collection on the Web. Further, the majority denied having changed their behavior on the Web, e.g., because they indicated that they did not know how to protect themselves or because they are already cautious enough when browsing the Web. When asked about the countermeasures that they applied to protect themselves against browser fingerprinting, a noticeable number of reported countermeasures were not effective against browser fingerprinting.

Further Information

  • Online study: browser-fingerprint.cs.fau.de
  • Paper: Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective (PETS 2020)
 

Contact

  • Gaston Pugliese
  • Zinaida Benenson

BibTeX

@article{pugliese:2020:PETS,
      title={{Long-Term Observation on Browser Fingerprinting: 
             Users’ Trackability and Perspective}},
     author={Pugliese, Gaston and Riess, Christian 
             and Gassmann, Freya and Benenson, Zinaida},
    journal={{Proceedings on Privacy Enhancing Technologies (PoPETs),
              Privacy Enhancing Technologies Symposium (PETS)}},
     volume={2020},
     number={2},
      pages={558--577},
       year={2020},
  publisher={Sciendo}
}

Image credits

Material Icon “fingerprint” by Google · Apache license version 2.0
 
Lehrstuhl für Informatik 1
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)

Martensstrasse 3
91058 Erlangen