- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Tue, 01 Oct 2013 14:39:46 -0700
- To: Mike O'Neill <michael.oneill@baycloud.com>
- CC: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>, public-tracking@w3.org

On 10/1/13 11:57 AM, Mike O'Neill wrote:
> Justin,
>
> Accurate fingerprinting does not at the moment rely on IP addresses
> because with IPv4 reuse and sharing is common due to the limited address
> space. The usual technique is to use rendered script to return more
> detailed information about the user-agent i.e. fonts employed etc. which
> tend to uniquely identify the device. This was how the EFF’s
> panopticlick project did it.

Yes, this is my understanding. The recent research (two articles in a series below, published in top computer security conferences) uses font enumeration as the basis for detecting robust fingerprinting. Eckersley used Java and Flash to get at fonts, but nowadays it is easier to use JavaScript to do so.

Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., & Preneel, B. (2013). FPDetective: Dusting the Web for Fingerprinters. In ACM Conference on Computer and Communications Security. Retrieved from https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf

Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., & Vigna, G. (2013). Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In IEEE Symposium on Security and Privacy. Retrieved from http://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf

> With IPv6 there is a way to do fingerprinting using the IP address which
> on some devices is unique (derived from the device MAC address), but
> many devices now employ the IPv6 privacy extensions that create short
> duration random addresses and use them. Hopefully this will become the
> norm, I know IE defaults to that – though Android does not.

I don't think this is still a problem. We wrote last year:

"Microsoft has long led the charge on IPv6 privacy, with privacy extensions on by default in all versions of Microsoft Windows since the release of Windows XP nearly a decade ago. Apple followed suit last year, with privacy extensions activated by default in all versions of Mac OS X since 10.7 (Lion) and with the release of iOS 4.3 for iPhone and iPad. Google did likewise in its Android 4.0 release last year."

https://www.cdt.org/blogs/alissa-cooper/0706privacy-future-forever

Please do let me know if this has changed!

> I agree with Jeff that we need to have something in the text that rules
> out fingerprinting when DNT:1, like my proposal on unique identifiers
> (issue-199)

I don't see why this isn't currently covered, but I may be dense.

best, Joe

--
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8

Received on Tuesday, 1 October 2013 21:40:18 UTC
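
Added example, not part of the original message: a check an administrator can run over a host's own IPv6 addresses to see which ones carry a MAC-derived (modified EUI-64) interface identifier, the stable identifier the thread discusses, as opposed to a privacy-extension address. The function names and the sample addresses (documentation prefix 2001:db8::/32, made-up MAC) are constructed for illustration.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC address embedded in addr's interface ID, or None.

    Modified EUI-64 (RFC 4291, Appendix A) splits the 48-bit MAC in half,
    inserts ff:fe between the halves and flips the universal/local bit
    (0x02 of the first byte). The check below reverses that.
    """
    # Drop a zone index ("%eth0") or prefix length ("/64") if present.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    iid = ip.packed[8:]  # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    # Note: a randomly generated interface ID matches this pattern by
    # chance about once in 65536, so treat a single hit as a strong hint.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to its embedded MAC (None when no EUI-64 pattern)."""
    return {a: eui64_mac(a) for a in addresses}

# Constructed sample input, e.g. as copied from `ip -6 addr` output.
SAMPLE = [
    "2001:db8::211:22ff:fe33:4455/64",   # MAC-derived global address
    "fe80::211:22ff:fe33:4455%eth0",     # MAC-derived link-local address
    "2001:db8:0:1:5c3a:91e4:7b02:d6f9",  # random (privacy-style) interface ID
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE).items():
        status = f"embeds MAC {mac}" if mac else "no MAC-derived identifier"
        print(f"{address:40} {status}")
```

A global address that reports an embedded MAC keeps the same low 64 bits on every network the device joins, which is the property the privacy extensions (RFC 4941) are meant to remove.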