RE: Font Based Fingerprinting Papers from Mike O'Neill on 2019-04-19 (public-privacy@w3.org from April to June 2019)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 19 Apr 2019 17:39:14 +0100
To: <jnovak@apple.com>, "'Pete Snyder'" <psnyder@brave.com>
Cc: <public-privacy@w3.org>
Message-ID: <075a01d4f6ce$6dd4b760$497e2620$@baycloud.com>

This and the Princeton study conclude that most fingerprinting techniques are not very effective at getting unique identifiers, and the Princeton found only 2.5% of sites had font fingerprinting.

 

http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf

 

There is no JS function to enumerate fonts, and the early studies e.g. the EFF’s, had to use Flash, luckily no longer very common. The usual way now is for script to try different fonts in a canvas contained <span>, then measure how big the resulting text is in pixels.

 

The script then has to deliver the resulting fingerprint ID via another HTTP transaction (XHR, Fetch, Image etc.) and then has to link it to the initiating browsing context with a cookie UID.

 

They found non-font canvas fingerprinting was twice as common, a bit over 5%, but was in fact was usually being used for fraud detection, because there is not enough entropy to be commercially useful for tracking.

 

Cookies, on the other hand, are used for tracking on >>95% of sites, including the ones supposedly using fingerprinting.

 

Mike

 

 

From: jnovak@apple.com <jnovak@apple.com> 
Sent: 19 April 2019 15:29
To: Pete Snyder <psnyder@brave.com>
Cc: public-privacy@w3.org
Subject: Re: Font Based Fingerprinting Papers

 

Thanks for the links Pete.  Here’s another paper on fingerprinting more generally that has some interesting stats on font fingerprinting.

 

Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry’s "Hiding in the Crowd: an Analysis of the Eectiveness of Browser Fingerprinting at Large Scale” — https://www.doc.ic.ac.uk/~maffeis/331/EffectivenessOfFingerprinting.pdf.

 

J

 

 

On Apr 19, 2019, at 9:06 AM, Pete Snyder <psnyder@brave.com <mailto:psnyder@brave.com> > wrote:

 

Hi all,

As promised, here are some papers describing the accuracy and (in two cases) frequency of using font enumeration to finger print browsers.

I’ll try to come up with a first, goof-attempt at a proposed change well in advance of our next call too.

Laperdrix, Pierre, Walter Rudametkin, and Benoit Baudry. "Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints." 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 2016.
https://hal.inria.fr/hal-01285470/document

Nikiforakis, Nick, et al. "Cookieless monster: Exploring the ecosystem of web-based device fingerprinting." 2013 IEEE Symposium on Security and Privacy. IEEE, 2013.
https://ieeexplore.ieee.org/iel7/6547086/6547088/06547132.pdf

Eckersley, Peter. "How unique is your web browser?." International Symposium on Privacy Enhancing Technologies Symposium. Springer, Berlin, Heidelberg, 2010.
https://panopticlick.eff.org/static/browser-uniqueness.pdf


Pete Snyder
{pes,psnyder}@brave.com
Brave Software
Privacy Researcher

Received on Friday, 19 April 2019 16:39:42 UTC