- From: Greg Norcie <gnorcie@cdt.org>
- Date: Wed, 25 May 2016 14:53:54 -0400
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAMJgV7Y3Bs05HEiGt7m7RYNXqr+=beKSSMq+qnR7yumbbyRcxA@mail.gmail.com>
Hi all, Steven Englehart and Arvind Narayanan have a great new paper out: http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf There's so much gold in this paper (the OpenWPM tool alone is itself is a great gift to privacy researchers), but I especially want to call attention to the mentions of canvas, battery status, and audio fingerprinting, as well as the abuse of WebRTC to punch through proxies and VPNS. To summarize: - Different devices can render the same custom HTML canvas elements in different ways, and these differences can be used to fingerprint. (Individual GPUs seem to each render in their own idiosyncratic ways.) While the most popular trackers seem to be moving away from this technique, it is definitely being used. - Additionally, along similar lines trackers are abusing the audio API to fingerprint by calling the audio API to process an audio signal, reading the resulting signal, and storing a hash. This can even be done without ever playing an audible tone that alerts the user. - Finally, they were able to document that the Battery API is being abused to fingerprint users. (This had been proposed before, but as far as I know not documented in the wild) These techniques are not mutually exclusive, so even if one of them isn't 100% effective, combining two or three together can be very, very effective. That, combined with the fact that WebRTC is apparently being abused to reveal local IPs (regardless of if you're using a proxy of VPN. I hope that by seeing these real world examples of how APIs can be abused, we can be on the lookout when future proposals come across PING's radar, and try to reduce the attack surface as much as possible. /********************************************/ Greg Norcie (norcie@cdt.org) Staff Technologist Center for Democracy & Technology District of Columbia office (p) 202-637-9800 PGP: http://norcie.com/pgp.txt /*******************************************/
Received on Wednesday, 25 May 2016 18:54:41 UTC