Poster: Detection and Prevention of Web-based Device Fingerprinting
Abstract
I. MOTIVATION

Web tracking is a set of technologies that allows websites to create profiles of their visitors. While a website owner might use such a profile to provide its users with personalized advertisements or anti-fraud features, tracking of users is generally considered a threat to user privacy. According to a recent survey by Mayer et al. [1], web tracking technologies can be roughly divided into two groups: stateful and stateless. In stateful tracking, a tracking company uses stateful information that can be gathered from browser cookies, Flash cookies, ETag cookies, and HTML5 local storage. Evercookie [2] provides a reference implementation for many stateful tracking techniques. Stateless tracking, also called device fingerprinting, instead captures the properties of browser elements through JavaScript, Flash, or other plugins and forms a nearly unique identifier. In [3], Eckersley shows that a user's device can be uniquely identified with stateless properties including user-agent, time zone, screen resolution, fonts installed, plugins installed, and cookies enabled. Recent studies [4], [5] also show that stateless tracking methods are used by various tracking companies in the wild.

Several groups of researchers have considered countermeasures against stateful web tracking, and policy makers in the U.S. and the European Union have attempted to regulate it. Most modern web browsers also support an opt-out feature for stateful web tracking. For example, a web browser can disallow third-party websites from using cookie information, and the Do Not Track (DNT) HTTP header field allows users to signal their tracking preferences to websites. However, these countermeasures are not suitable for stateless web tracking, since they mostly focus on stateful information such as browser cookies.
Among the fingerprinting information captured to uniquely identify a device, it has been shown that the lists of installed fonts and plugins provide relatively more unique values [3]. To fingerprint the list of fonts from the web browser, tracking scripts have to use a combination of properties of HTML elements such as fontFamily, offsetHeight, and offsetWidth. Unfortunately, since these properties are widely used by both tracking and non-tracking scripts, it is difficult to distinguish fingerprinting JavaScript code from normal script code.

Several countermeasures against device fingerprinting have been proposed. Some web browser extensions and plugins randomize the value of the user-agent, the screen resolution, or properties of HTML elements when their values are retrieved. However, these countermeasures may not be effective, because they often break the rendered web page and the existence of such extensions can itself be another kind of fingerprint. In addition, although users can tell websites their tracking preferences through the DNT header, it has been shown that DNT preferences are usually ignored by web trackers [5].

In this study, we present FPBlock, a system that detects web-based device fingerprinting and prevents users from being fingerprinted. FPBlock takes a different approach from existing countermeasures, which randomize the values of properties or rely on a blacklist and the DNT header. FPBlock detects fingerprinting scripts based on a dynamic analysis of the JavaScript code embedded in websites; it then prevents that code from leaking the user's fingerprint to the third-party server. Since FPBlock automatically detects fingerprinting functionality included in any JavaScript and uses it as features, we believe that it provides a more practical, effective and robust method than existing approaches.
In this poster, we focus on detecting JavaScript based fingerprinters; we are currently exploring countermeasures against other types of fingerprinters.
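The font-probing pattern described above (assigning fontFamily, then reading offsetWidth or offsetHeight) can be observed at run time and counted per script. The following is an added example, not FPBlock's code: the threshold, the function names, the mock element and the explicitly passed script origin are all assumptions made for illustration.

```javascript
// Assumed threshold (not from FPBlock): distinct fonts measured before flagging.
const FONT_THRESHOLD = 20;

// Wrap an element-like object; log fontFamily writes and offset* reads per origin.
function instrument(element, origin, log) {
  const style = new Proxy(element.style, {
    set(target, prop, value) {
      if (prop === 'fontFamily') log.push({ origin, op: 'setFont', value });
      target[prop] = value;
      return true;
    },
  });
  return new Proxy(element, {
    get(target, prop) {
      if (prop === 'style') return style;
      if (prop === 'offsetWidth' || prop === 'offsetHeight') log.push({ origin, op: 'measure' });
      return target[prop];
    },
  });
}

// A font counts as probed once a dimension read follows its assignment.
function classify(log, threshold = FONT_THRESHOLD) {
  const state = new Map(); // origin -> { pending, probed }
  for (const e of log) {
    if (!state.has(e.origin)) state.set(e.origin, { pending: null, probed: new Set() });
    const s = state.get(e.origin);
    if (e.op === 'setFont') s.pending = String(e.value).split(',')[0].trim().toLowerCase();
    else if (e.op === 'measure' && s.pending !== null) s.probed.add(s.pending);
  }
  const verdicts = {};
  for (const [origin, s] of state) {
    verdicts[origin] = { fontsProbed: s.probed.size, suspicious: s.probed.size >= threshold };
  }
  return verdicts;
}

// Constructed sample: one layout script and one script sweeping 30 font names.
function demo() {
  const log = [];
  const mk = () => ({ style: {}, offsetWidth: 100, offsetHeight: 20 });
  const layout = instrument(mk(), 'https://site.example/layout.js', log);
  layout.style.fontFamily = 'Arial, sans-serif';
  void (layout.offsetWidth + layout.offsetHeight);
  const probe = instrument(mk(), 'https://tracker.example/fp.js', log);
  for (let i = 0; i < 30; i++) {
    probe.style.fontFamily = `Font${i}`;
    void probe.offsetWidth;
  }
  return classify(log);
}
```

Counting distinct measured fonts, rather than flagging any single property access, is what keeps the ordinary layout script below the threshold.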
Publication date: 2014