
Re: Issue:? Fingerprinting

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Tue, 01 Oct 2013 14:39:46 -0700
Message-ID: <524B4122.3090405@cdt.org>
To: Mike O'Neill <michael.oneill@baycloud.com>
CC: 'Justin Brookman' <jbrookman@cdt.org>, 'Jeffrey Chester' <jeff@democraticmedia.org>, public-tracking@w3.org


On 10/1/13 11:57 AM, Mike O'Neill wrote:
> Justin,
> 
> Accurate fingerprinting does not at the moment rely on IP addresses
> because with IPv4, reuse and sharing are common due to the limited address
> space. The usual technique is to use rendered script to return more
> detailed information about the user-agent, i.e. fonts employed etc., which
> tend to uniquely identify the device. This was how the EFF's
> Panopticlick project did it.

Yes, this is my understanding. The recent research (two articles in a
series below, published in top computer security conferences) uses font
enumeration as the basis for detecting robust fingerprinting. Eckersley
used Java and Flash to get at fonts, but nowadays it is easier to use
JavaScript to do so.

Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens,
F., & Preneel, B. (2013). FPDetective: Dusting the Web for
Fingerprinters. In ACM Conference on Computer and Communications
Security. Retrieved from
https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf

Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F.,
& Vigna, G. (2013). Cookieless monster: Exploring the ecosystem of
web-based device fingerprinting. In IEEE Symposium on Security and
Privacy. Retrieved from
http://seclab.cs.ucsb.edu/media/uploads/papers/sp2013_cookieless.pdf


> With IPv6 there is a way to do fingerprinting using the IP address which
> on some devices is unique (derived from the device MAC address), but
> many devices now employ the IPv6 privacy extensions that create short
> duration random addresses and use them. Hopefully this will become the
> norm, I know IE defaults to that – though Android does not.

I don't think this is still a problem. We wrote last year:

"Microsoft has long led the charge on IPv6 privacy, with privacy
extensions on by default in all versions of Microsoft Windows since the
release of Windows XP nearly a decade ago. Apple followed suit last
year, with privacy extensions activated by default in all versions of
Mac OS X since 10.7 (Lion) and with the release of iOS 4.3 for iPhone
and iPad. Google did likewise in its Android 4.0 release last year."

https://www.cdt.org/blogs/alissa-cooper/0706privacy-future-forever

Please do let me know if this has changed!

> I agree with Jeff that we need to have something in the text that rules
> out fingerprinting when DNT:1, like my proposal on unique identifiers
> (issue-199)

I don't see why this isn't currently covered, but I may be dense.

best, Joe

-- 
Joseph Lorenzo Hall
Senior Staff Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
Received on Tuesday, 1 October 2013 21:40:18 UTC
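The JavaScript font enumeration the reply refers to, written out as an added example (this is not code from the thread or from the papers it cites). The idea is to render a test string as "'candidate', generic-fallback" and compare the rendered box with the generic fallback alone: if they differ, the candidate font is installed. Three fallbacks are tried because an installed font can happen to coincide with one of them. domMeasurer is the browser side and needs a DOM; tableMeasurer, SAMPLE_FALLBACK_BOXES and SAMPLE_INSTALLED are a constructed stand-in (hypothetical box sizes for a machine with Arial and Courier New but no Wingdings) so the detection logic runs offline.

```javascript
// Added example, not code from the thread or from the papers it cites:
// JavaScript font detection by rendered-size comparison. A test string is
// rendered in "'<candidate>', <generic fallback>"; if the box differs from
// the fallback rendered alone, the candidate font is installed. Three
// fallbacks are tried because an installed font can coincide with one.
const FALLBACKS = ["monospace", "sans-serif", "serif"];
const TEST_STRING = "mmmmmmmmmmlli"; // wide glyphs, so widths differ clearly

// Browser measurer: renders into an off-screen <span> (needs a DOM).
function domMeasurer() {
  const span = document.createElement("span");
  span.style.position = "absolute";
  span.style.left = "-9999px";
  span.style.fontSize = "72px";
  span.textContent = TEST_STRING;
  document.body.appendChild(span);
  return (family) => {
    span.style.fontFamily = family;
    return { w: span.offsetWidth, h: span.offsetHeight };
  };
}

// Core detection: measure(family) -> {w, h}. Returns the installed candidates.
function detectFonts(measure, candidates) {
  const base = {};
  for (const fb of FALLBACKS) base[fb] = measure(fb);
  return candidates.filter((font) =>
    FALLBACKS.some((fb) => {
      const m = measure(`'${font}',${fb}`);
      return m.w !== base[fb].w || m.h !== base[fb].h;
    })
  );
}

// 32-bit FNV-1a over the installed-font list: the value a tracker would store.
function fontFingerprint(fonts) {
  let h = 0x811c9dc5;
  const s = fonts.join("|");
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed stand-in for the DOM so the example runs offline: hypothetical
// box sizes for a machine with Arial and Courier New but no Wingdings.
const SAMPLE_FALLBACK_BOXES = {
  monospace: { w: 936, h: 82 },
  "sans-serif": { w: 1020, h: 83 },
  serif: { w: 1010, h: 83 },
};
const SAMPLE_INSTALLED = {
  Arial: { w: 1020, h: 83 },        // same box as sans-serif: caught via the other two
  "Courier New": { w: 936, h: 82 }, // same box as monospace: caught via the other two
};

function tableMeasurer(installed, fallbackBoxes) {
  return (family) => {
    const parts = family.split(",");
    if (parts.length === 2) {
      const font = parts[0].slice(1, -1); // strip the quotes
      if (installed[font]) return installed[font]; // present: fallback unused
    }
    return fallbackBoxes[parts[parts.length - 1]]; // absent: browser falls back
  };
}

const measure = typeof document !== "undefined"
  ? domMeasurer()
  : tableMeasurer(SAMPLE_INSTALLED, SAMPLE_FALLBACK_BOXES);
const found = detectFonts(measure, ["Arial", "Courier New", "Wingdings"]);
console.log(found, fontFingerprint(found));
```

No plugin is involved and nothing leaves the page until the script chooses to send the hash, which is why this variant is invisible to the user and to a naive "no Flash, no Java" policy; the only detectable trace is a script measuring many font families in quick succession, which is what fingerprinter-detection work has to look for.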
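On the IPv6 point in the exchange above, an added example (not code from the thread) that tells a MAC-derived interface identifier from a privacy-extensions one. A modified EUI-64 identifier (RFC 4291, Appendix A) is the MAC with ff:fe inserted between the OUI and the device half and the 0x02 bit of the first byte flipped; RFC 4941 temporary addresses are random and carry no such structure. The functions expandIPv6, macToIID and eui64ToMac are this example's own names, and the addresses in SAMPLES are constructed under the 2001:db8::/32 documentation prefix.

```javascript
// Added example, not code from the thread: distinguishes a MAC-derived
// (modified EUI-64) IPv6 interface identifier from a random one (RFC 4941
// privacy extensions) and recovers the MAC where one is present.

// Expand an IPv6 address (with at most one "::") into eight 16-bit groups.
function expandIPv6(addr) {
  let groups;
  if (addr.includes("::")) {
    const [head, tail] = addr.split("::");
    const h = head ? head.split(":") : [];
    const t = tail ? tail.split(":") : [];
    groups = [...h, ...new Array(8 - h.length - t.length).fill("0"), ...t];
  } else {
    groups = addr.split(":");
  }
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
    throw new Error("not a valid IPv6 address: " + addr);
  }
  return groups.map((g) => parseInt(g, 16));
}

// Last 64 bits of the address (the interface identifier) as eight bytes.
function interfaceId(addr) {
  const bytes = [];
  for (const g of expandIPv6(addr).slice(4)) bytes.push(g >> 8, g & 0xff);
  return bytes;
}

// MAC -> modified EUI-64 IID text, e.g. "00:11:22:33:44:55" -> "211:22ff:fe33:4455".
// Bit 0x02 of the first byte is inverted and ff:fe is inserted in the middle.
function macToIID(mac) {
  const m = mac.split(":").map((x) => parseInt(x, 16));
  const b = [m[0] ^ 0x02, m[1], m[2], 0xff, 0xfe, m[3], m[4], m[5]];
  const groups = [];
  for (let i = 0; i < 8; i += 2) groups.push(((b[i] << 8) | b[i + 1]).toString(16));
  return groups.join(":");
}

// Returns the MAC ("aa:bb:cc:dd:ee:ff") if the IID is EUI-64 shaped, else null.
// Caveat: a random IID shows the ff:fe marker with probability 2^-16, so a hit
// is strong evidence, not proof; the tell is an IID that stays constant across
// prefixes, which a MAC-derived one does and a temporary one does not.
function eui64ToMac(addr) {
  const b = interfaceId(addr);
  if (b[3] !== 0xff || b[4] !== 0xfe) return null;
  const mac = [b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]];
  return mac.map((x) => x.toString(16).padStart(2, "0")).join(":");
}

// Constructed sample addresses under the 2001:db8::/32 documentation prefix.
const SAMPLES = [
  "2001:db8::211:22ff:fe33:4455", // EUI-64 from MAC 00:11:22:33:44:55
  "2001:db8::a1b2:c3d4:e5f6:789", // random IID, as privacy extensions produce
  "fe80::1",                      // manually assigned link-local
];
for (const a of SAMPLES) console.log(a, "->", eui64ToMac(a));
```

The same check, run over a server's connection logs, is a cheap way to audit how many clients still expose a MAC-derived address; the reply's claim that privacy extensions are on by default is easy to confirm or refute that way.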