"Online Tracking - A 1 Million-site measurement and analysis"

Hi all,

Steven Englehardt and Arvind Narayanan have a great new paper out:

http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf

There's so much gold in this paper (the OpenWPM tool alone is itself a
great gift to privacy researchers), but I especially want to call attention
to the mentions of canvas, battery status, and audio fingerprinting, as well
as the abuse of WebRTC to punch through proxies and VPNs.

To summarize:

   - Different devices can render the same custom HTML canvas elements in
   different ways, and these differences can be used to fingerprint.
   (Individual GPUs seem to each render in their own idiosyncratic ways.)
   While the most popular trackers seem to be moving away from this technique,
   it is definitely being used.

   - Additionally, along similar lines, trackers are abusing the audio API
   to fingerprint by calling the audio API to process an audio signal, reading
   the resulting signal, and storing a hash. This can even be done without
   ever playing an audible tone that alerts the user.

   - Finally, they were able to document that the Battery API is being
   abused to fingerprint users. (This had been proposed before, but as far as
   I know not documented in the wild.)


These techniques are not mutually exclusive, so even if one of them isn't
100% effective, combining two or three together can be very, very
effective. On top of that, WebRTC is apparently being abused to reveal
local IPs (regardless of whether you're using a proxy or VPN).

I hope that by seeing these real world examples of how APIs can be abused,
we can be on the lookout when future proposals come across PING's radar,
and try to reduce the attack surface as much as possible.

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

/*******************************************/

Received on Wednesday, 25 May 2016 18:54:41 UTC
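As an added example, not code from the email or from the paper: a small heuristic classifier that flags a script's recorded canvas API calls as likely fingerprinting, in the spirit of the instrumentation-based detection that measurement tools like OpenWPM perform. The call-record format, the script URLs and the thresholds are assumptions, and the sample log is constructed.

```javascript
// Heuristic classifier for canvas fingerprinting over a recorded log of the canvas
// API calls one script made (the per-script instrumentation log a measurement tool
// such as OpenWPM produces). The record shape and thresholds are assumptions.
const MIN_DIM = 16;            // a canvas below 16x16 px carries little signal
const MIN_DISTINCT_CHARS = 10; // fingerprinters draw varied text such as pangrams
const MIN_COLORS = 2;

function classifyCanvasScript(calls) {
  let width = 300, height = 150;   // HTML default canvas dimensions
  const chars = new Set(), colors = new Set();
  let extracted = false;   // pixels read back via toDataURL / getImageData
  let interactive = false; // save/restore/addEventListener suggest genuine drawing
  for (const c of calls) {
    switch (c.method) {
      case 'set width':  width = c.args[0]; break;
      case 'set height': height = c.args[0]; break;
      case 'fillText': case 'strokeText':
        for (const ch of String(c.args[0])) chars.add(ch); break;
      case 'set fillStyle': case 'set strokeStyle':
        colors.add(String(c.args[0])); break;
      case 'toDataURL': extracted = true; break;
      case 'getImageData': // args: x, y, w, h; only a sizeable read counts
        if (c.args[2] >= MIN_DIM && c.args[3] >= MIN_DIM) extracted = true; break;
      case 'save': case 'restore': case 'addEventListener': interactive = true; break;
    }
  }
  const bigEnough = width >= MIN_DIM && height >= MIN_DIM;
  const variedText = chars.size >= MIN_DISTINCT_CHARS || colors.size >= MIN_COLORS;
  return { suspicious: bigEnough && variedText && extracted && !interactive,
           distinctChars: chars.size, colors: colors.size, extracted, interactive };
}

// Scan a whole log keyed by script URL; one verdict per script.
function scanLog(log) {
  return Object.fromEntries(Object.entries(log).map(([s, c]) => [s, classifyCanvasScript(c)]));
}
// Constructed sample log: one script draws a pangram in two colours and reads the
// pixels back; another draws a chart label and never reads anything.
const PANGRAM = 'Cwm fjordbank glyphs vext quiz';
const sampleLog = {
  'https://tracker.example/fp.js': [
    { method: 'set width', args: [220] }, { method: 'set height', args: [30] },
    { method: 'set fillStyle', args: ['#f60'] }, { method: 'fillText', args: [PANGRAM, 2, 15] },
    { method: 'set fillStyle', args: ['#069'] }, { method: 'fillText', args: [PANGRAM, 4, 17] },
    { method: 'toDataURL', args: [] }],
  'https://site.example/chart.js': [
    { method: 'set width', args: [400] }, { method: 'set height', args: [200] },
    { method: 'save', args: [] }, { method: 'set fillStyle', args: ['#333'] },
    { method: 'fillText', args: ['Q1', 10, 190] }, { method: 'restore', args: [] }],
};
```

The same rule set can be pointed at a real instrumentation log once its records are mapped to the `{method, args}` shape assumed here.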