The Elephant In The Background: Empowering Users Against Browser Fingerprinting

Formal metadata

Title
The Elephant In The Background: Empowering Users Against Browser Fingerprinting
Number of parts
275
License
CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.

Content metadata

Abstract
This talk will be about FPMON, a browser extension that shows you where, when and which browser fingerprinting method is applied against you. You can use it to test your favorite websites and check your own services for third-party fingerprinting scripts. It can also be used to test various browser privacy tools. Tracking users is a ubiquitous practice in the web today. User activity is recorded on a large scale and analyzed by various actors to create personalized products, forecast future behavior, and prevent online fraud. While so far HTTP cookies have been the weapon of choice, new and more pervasive techniques such as browser fingerprinting are gaining traction. Hence, in this talk, we describe how users can be empowered against fingerprinting by showing them when, how, and who is tracking them using JavaScript fingerprinting. To this end, we conduct a systematic analysis of various fingerprinting tools. Based on this analysis, we design and develop FPMON: a lightweight and comprehensive fingerprinting monitor that measures and rates JavaScript fingerprinting activity on any given website in real time. Using FPMON, we evaluate the 10k most popular websites to i) study the pervasiveness of JavaScript fingerprinting; ii) review the latest fingerprinting countermeasures; and iii) identify the major networks that foster the use of fingerprinting. Our evaluations reveal that i) fingerprinters are present on many popular websites with sensitive contents (finance, news, NGOs, health, etc.); ii) they run without user consent and subvert current privacy regulations; and iii) most countermeasures cannot sufficiently protect users.
Transcript: English (automatically generated)
Welcome back to the Chaos West TV stage. Second day, hopefully you didn't lose your sense of time already. That seems to be happening to people at the congress quite often. But if you haven't,
and you found your Mate and a good place to sit and watch, we'll have the next talk for you, held by Julian Fietkau. It's called The Elephant in the Background: Empowering Users Against Browser Fingerprinting. So most of you probably know cookies and that cookies are
a slightly misused tool by the advertising industry, violating your privacy. And there are many tools against cookies and it's quite easy to defend against that with some tools.
But of course the advertisement industry is resourceful as ever and they have their new tool called browser fingerprinting. And that's a little bit harder to do. And Julian is from a group of four people that developed this tool called FPMON that will show you when you are being tracked. And you can check what's happening there. And there's a pre-recorded
talk that Julian held and I would say let's watch what Julian has to show to us.

Community and welcome to our talk about The Elephant in the Background, a quantitative approach to empower users against browser fingerprinting. My name is Julian and I'm the project lead of the
research project that I would like to present to you in the next half an hour. Before we start I would like to introduce you to my team that has worked on this project for almost one year now. In the beginning Felix and I kick-started the project and later on Sebastian and Kashyap joined our efforts because the workload has grown tremendously over time. During the project we all have been associated with the security and telecommunications research
group that is led by Professor Seifert. This is actually a very good moment to thank all of these people for your commitment and support that made this project such a great success even in these difficult times. But now let's start our story. Tracking users is a ubiquitous practice on the web today. These activities are recorded on a large scale and analyzed by
various actors to create personalized products, forecast future behavior and prevent online fraud. While so far HTTP cookies have been the weapon of choice, new and more pervasive techniques such as browser fingerprinting are gaining traction. Browser fingerprinting is very similar
to cookies but works quite differently. Instead of just receiving a unique identifier, for a device fingerprint we need to collect tiny pieces of device specific data that can uniquely identify a user altogether. Similar to cookies, fingerprinting does not always mean
identification or tracking. It is just a technical process of collecting a lot of device data. The lines between using this data for benign operations and tracking are very blurry; hence, in most cases we can only speculate on how this data is used.
There are many reasonable applications for fingerprinting such as content tailoring to personalize your browsing experience or to prevent malicious behavior for security reasons. But it can also be used to analyze and identify users. In this talk we want to describe how users
can be empowered against browser fingerprinting by showing them when, how and who is analyzing them. To this end we conduct a systematic analysis of various browser fingerprinting tools. Based on this analysis we introduce you to FPMON, a lightweight and comprehensive detection tool
that measures and rates JavaScript fingerprinting activity on any given website and in real time. With FPMON we will evaluate the Alexa 10k most popular websites to study the pervasiveness of JavaScript fingerprinting, review the latest fingerprinting countermeasures
and identify the major networks that foster the use of fingerprinting. Before we go deeper into this let's first of all get everybody on the same page and let us understand how browser fingerprinting really works. So let's start with a quick example on how
fingerprinting can be done on your local device. This process can be described in three steps. First of all we will query the device data via JavaScript which gives us a unified interface to an enormous amount of device specific data. An easy example can be executed by just calling
navigator.userAgent, navigator.languages or navigator.connection to get some of the various device specific values. More advanced techniques will leverage variations in hardware and software to generate a device specific value. For instance using the WebGL API we can apply a set
of textures and ambient lights to a 3D object. By analyzing the generated picture we will get a slightly different result on every device that can be used to improve the user fingerprint by just another data point. Similar methods have been shown for the HTML canvas element
and the Web Audio API. In the next step all the collected device data is combined into a comprehensive device profile. At best this profile is unique and reproducible. In the last step the device profile is used to calculate a hash value that represents the
fingerprint. Most of all this is done for a quick and easy comparison. Now we want to show you how this fingerprinting process is embedded in the web. Most typically there are three
parties involved. A web user, a first party content provider and a third party fingerprinting service. First of all the content provider needs to embed a fingerprinting script into the content of its service. When a user visits his web page the browser will download and execute each script included in the loaded page source. As a result the fingerprinting script will be executed
on the user device and starts to collect the device features. Either all the collected data or a simple profile hash is sent to the fingerprinting service. Afterwards the service provider matches the received identifier against its database of known profiles. If the profile
matches the user is identified or a new profile will be created. In the end the content provider can access the results of the analysis or receives direct insights for instance if a user can be trusted or not. The service provider will be paid by the content provider or monetize its
service in some other ways. The first step on our mission to empower users against this practice was to understand and classify the JavaScript functions that are most typically used for fingerprinting. To this end we have systematically analyzed multiple commercial and public fingerprinting tools that are created by companies like Sift, Iovation, Xeon and Datadome.
In addition we analyzed several open implementations like fingerprint.js, AmIUnique, BrowserLeaks and the Panopticlick project. Hereby we obtained a collection of 115 JS functions that are used by those fingerprinting tools. Indeed not every function is responsible for fingerprinting
but when combined in a specific order these functions are indicative of fingerprinting activity. In the next step we classified those 115 functions into 40 different features where each feature represents an individual vector to fingerprint a user. Some of these features cover
functions that read out device screen information, the configured languages or more complex ones like functions that are used for WebGL and audio fingerprints. To account for the different capabilities of these features we applied a simple weighting mechanism by labeling each feature with
a severity rating. Less critical features have been labeled sensitive while more problematic ones are labeled aggressive. Clearly none of the classified features is only related to fingerprinting. More importantly it's even fundamentally impossible for a user who visits a website to know whether she's fingerprinted or not unless it is explicitly stated. However we
argue that the combined use of the JavaScript functions is a strong indicator of fingerprinting activity especially as more aggressive features are being used. When a website uses many of the sensitive and aggressive features in a particular composition and in a very short time it becomes very likely that the device fingerprint has been created. This idea is the fundamental
core of our quantitative fingerprinting model. After studying all existing tools and classifying all the JS features our next step was to develop a browser extension that can record the JavaScript functions and analyze them based on our quantitative model. The core idea to
implement this was to dynamically add an interception mechanism in front of the classified functions especially before the real web page context is executed. By modifying the JavaScript runtime with code injections we were able to intercept and record the functions without altering the
default runtime behavior. Another major benefit of this approach is browser independence. This means that FPMON can be easily integrated into any up-to-date browser. When using FPMON the browser extension will inject a script that is executed before any page script. This injected script modifies all the monitored JavaScript functions to log any function call. While recording
each call we can evaluate the classified features according to our fingerprinting model and hence calculate a fingerprinting score. Based on some well-defined thresholds we can change the extension icon to be green, yellow or red. This easy to understand indicator will show you if the currently measured fingerprinting activity is low, medium or high. In the icon badge text we
can additionally show how many of the fingerprinting features have been called. To get more details about the measurement you can click the extension icon. But before we get more into this let's go ahead and see how FPMON works in reality. Now we will see how FPMON works when visiting a website.
Reload the page and get immediate feedback on what's happening in the background. The scripts in the background are executed so quickly that the website is not even fully visible to the user but the device features are already extracted. When clicking the extension icon we
can see more details about the process that just happened in the blink of an eye. The FPMON Chrome extension will show you how many of the tracked JavaScript functions have been called, how this relates to our fingerprinting features meaning how many features have been activated and how many of those features are labeled aggressive. Furthermore we show a
descriptive list of features that are accessed when visiting the website and the top three highest scoring scripts that are active on the page which helps to identify the root cause of the fingerprinting activity. While we now understand how fpmon works and how to use it let's start to browse the web. We will have a short demo to showcase some interesting examples we found
while browsing the web with our FPMON browser extension. Before we start I want you to notice that we don't have any cookies stored, we haven't given any user consent and there's almost no user interaction with the website we will load. First of all we will visit the Wall Street Journal website.
By just loading the page 25 out of 40 fingerprinting features will be activated. We go ahead and visit nasdaq.com and 30 out of 40 features will be activated. We load easyjet.com
and 22 features will be activated. We load bankofamerica.com and 19 features will be activated. When loading newyorktimes.com 25 features will be activated. When loading coinbase.com
25 features will be activated. When loading savethechildren.com 26 features will be activated
and when loading healthcare.gov 21 features will be activated. Before you start to think that every page uses all of these features let us check some other examples. When loading google.com only 12 features will be activated. When loading wikipedia.org only seven features will be activated.
When loading nsa.gov six features will be activated. When loading the website of the European Parliament only three features will be activated. By loading torproject.org just a single feature will be activated
and when loading wikileaks.org not even a single feature will be activated. So as you can see there's a wide spectrum of scores through a diverse set of websites. What we now need to ask is what is a good and what is a bad score. So let us draw a baseline to
understand the fingerprinting score. In this table we put all the previous examples into a sorted list. To this list we added the Panopticlick privacy test which is a tool that has proven to be able to identify you by just using JS fingerprinting. If we visit Panopticlick using
our browser extension 21 out of 40 features will be activated. This relates to a total score of 53 percent. When we visit similar websites such as fingerprint.js or amiunique.org we reach roughly the same scores of more or less 50 percent. If we consider this as our baseline we
can define that scores of around and above 50 percent are somehow concerning. Looking at the examples we have seen previously there are many pages that score even higher than this baseline. These websites belong to financial institutions, news media, online shopping and even NGOs. We have
to ask why so many device data are collected when visiting these pages. Do they identify us? Who has access to all this data? Luckily there are also much more pages with lower scores that drive very similar applications. To improve our understanding of this let us increase the
sample size. To see the bigger picture we have automated FPMON to browse the 10k most popular websites and record how much fingerprinting is applied against the user by just visiting the landing page for 60 seconds. From our data we can conclude that around 500 pages don't use
any of the monitored features. On the other side of the scale the highest score has been reached by only five websites for example Breitbart, Foursquare and Politifact.com. They make use of 38 features which relates to a score of 95 percent. When looking into these statistics we see that the large majority of the websites, almost 57 percent, use around 7 to 15 features.
The median amount of features is 11 with an absolute deviation of 5.2. Based on this statistic we more or less defined the thresholds for our website rating. A website activity is rated low if the number of features is less than or equal to the median feature use. A website is rated
medium if it uses more features than the median website uses but still less than the upper bound of the absolute deviation. Every website going above this rate is rated high. Like the webmasters tell us the distribution for sensitive and aggressive features is very different
hence we also make this distinction when rating a website. Based on our rating scheme we labeled 53 percent of the 10k most popular websites to be low, 28 percent to be medium and 90 percent to be high. We also found 10 percent of the websites to score the same or worse than our baseline such as the Panopticlick project. In another evaluation we had a closer look
on how many websites use each of the monitored features. We see various features are used by many websites regardless of how they are rated but if we look into the right half of the chart we also see that almost half of the features appear to never be used by websites that score
medium or low. It seems that those features are used against the interest of the user and never serve a benign purpose. For these cases we have to ask how important are these features? What website really needs to know CPU, audio, memory, connection and battery details in such a
short time and when just visiting their landing page? When comparing with previous research we can also see that the utilization of these techniques has grown tremendously. In six to seven years there's 10 times more font fingerprinting going on and three times more canvas fingerprinting. We think this development is quite concerning and this is a good point to start thinking about
what really needs to be accessible by a website. In another experiment with FPMON we wanted to figure out who's profiting from this technology. Therefore we started to analyze all scripts that we discovered when crawling the 10k most popular websites. First of all we noticed that
the majority of aggressive fingerprinting attempts is only caused by less than one percent of the scripts. When analyzing each of the scripts we were able to identify some of the major networks that foster the use of fingerprinting. To do this we classified each script based on its host name,
file name, its fingerprinting score and a fingerprinting signature. The signature is basically a list of all the features accessed in their particular order. By combining all these properties we found more than 100 networks of different sizes. None of these networks that reach a high score is present on a sufficiently large number of pages to reliably track users
across the internet. However some organizations are on the edge of becoming a real threat to internet users. Their network size might be comparatively small at the moment but they include high-profile pages and hence can analyze millions of users every day. The most harmful networks we discovered were created by Moat, which is now part of Oracle, and a company
called Sift. They both reach a score of 50% and above and are present on roughly 50 websites. If you visit one of their client's websites their scripts will collect your device profile and send it to their own network. Some of the affected domains are Breitbart, Wall Street Journal, New York Post, Udemy, Patreon, Kickstarter, Flickr and so on.
However while they are the most threatening ones smaller networks are following their lead such as Datadome or Adform. Another interesting one is the Lalaping network, a network of 17 streaming websites that share a common fingerprinting signature with a score of 88%. In the bottom part of the table we also find less harmful networks such as Akamai.
The fingerprinting script reaches a concerning score but at least the collected data is only sent to the content provider and not to third-party servers. Today we know that the data collection is part of their bot detection service. However we need to ask if harvesting such vast amounts of device data without user consent does justify its purpose.
Another example is the network of Google and its subsidiary DoubleClick. Despite their huge network size they seem to not analyze users based on the monitored fingerprinting features. In our last experiment with FPMON we have evaluated how well a user is protected by some
of the most popular anti-tracking tools. For this test we evaluated EFF's Privacy Badger, DuckDuckGo's Privacy Essentials, Firefox with its strict privacy mode and the Apple Safari browser against a set of 20 test cases. Unfortunately most of these tools do not provide
sufficient protection with respect to browser fingerprinting but are hopefully still useful against other forms of tracking. The best solution that we found to work in most of our test cases was the Apple Safari browser. The underlying reason becomes clear if we look at how these solutions are implemented. While the plugins and Firefox work only based on blacklisting of
well-known fingerprinting services, Apple has integrated a new and very different approach based on unification and herd immunity. Apple Safari browser only supports a very simple and unified system configuration which makes most Apple devices look identical. This reduces the capability of fingerprinters to identify a single device without breaking web
functionality. In conclusion Apple has simply implemented what we have seen earlier in our feature analysis. There are too many features that don't have any value for the web user and are maybe even used exclusively against their interest. Hence the best solution against
the growing threat of browser fingerprinting is to unify and reduce the amount of data that is collectible via JavaScript. To conclude our findings we have seen that fingerprinting is present on many websites with sensitive contents such as health insurance, financial institutions, news media and NGOs. In many cases the number of collected device data is
so extensive that user identification might be easily possible when comparing this behavior to research that has been done by projects like Panopticlick. Furthermore fingerprinting is very stealthy and concealed. Many of the websites collect sprawling amounts of user data and send
it away within milliseconds often before the page is even fully visible to the user. In our experiments no user interaction takes place and no consent is given. We think this practice of concealed data collection clearly subverts privacy regulations such as GDPR or CCPA. Based on our experiments we want to question the capacity in which
owners know the practices and true power of the third-party services embedded on their websites. For some of these networks fingerprinting seems to be part of tools that are used by website administrators to maintain their services. For instance for bot detection, analytics or security many fingerprinting scripts seem to be part of specific online services that ultimately collect vast amounts of user data. For example archive.org has almost no
fingerprinting activity (7%) but their donation page scores 90% because of a single third-party fingerprinting script. On the other side the New York Times scores 60% across their website but deliberately disables all data collection on the dedicated whistleblowing page (0%).
These are just two examples of two popular websites that should underline that some people might actively participate in this technology while others might just be victims. Last but not least we have shown that most anti-tracking tools cannot sufficiently protect users. To really protect users we need to simplify and unify the JavaScript interface and not extend it with just
another useless feature. If you want to see more technical details and more results of our work I want to invite you to read our paper. We have published our paper and fpmon browser extension on our website that you will find on fpmon.github.io. For any further questions you can
participate in the following Q&A or just contact us via mail. Thanks a lot for your attention and stay healthy. Well that was a super interesting talk and quite crazy actually that you know this fingerprinting is so popular sadly and interesting to see some names in there and luckily we have Julian here
as well, after the pre-recording, to answer some questions. So if you have any questions about what you've seen there, about the tool or in particular about fingerprinting in general, maybe you can still send us questions, either using social media, Twitter, with the hashtag rC3CWTV, or in our IRC channel, it is rC3-CWTV on the hackint network, so feel free to join in there and our signal angel will pick up those questions for us. And I do see that we do have some questions in the chat already, so I think we can start, Julian. First question, probably very interesting to many, many: what about uMatrix? Is it possible to block fingerprints with this extension, or is FPMON like a completely different beast?

So I don't know actually about this uMatrix tool, and I also see that there are many people asking for other extensions. So we only tried those four tools because we tried to look at the most popular ones, let's say, or the ones we didn't know about. So this uMatrix, it looks very manual, like a firewall; you have to configure it in quite a detailed way, and it might be a solution for people that are really specialized in this, but I think it's not a solution for my mother, for example, and that's what we want to look at.

I think your tool has a quite different approach here, where uMatrix is like you choose what you need to block, and your tool shows in the first place what is even being tracked and what is happening there. You know, it's like two different approaches, I think.

Yeah, in the moment we are only monitoring what happens. So we have thought about defense mechanisms, but when we saw that there are solutions that don't work, in the moment we didn't want to just publish another one that doesn't work in the end. So it was actually really work to understand what's happening, what's going on, where do I get fingerprinted, and where are the networks behind it.

Yeah, maybe with this data, now that you know what exactly is happening, you can target much more precisely instead of doing something that might or might not work, you don't know.

Yeah, that's basically the next step we are targeting at the moment, to get some resources and then push this further, because we have also, as it was mentioned in the talk, we have also found that like...

Oh, it seems... whatever. I mean, blacklisting sounds very reasonable there. Could you repeat the last sentence? We had a small connection glitch there.

Yeah, so I'm back now, right?

Yes.

Okay, so as we have seen, there are really just a few scripts that do this in the moment, but they are spread across the web, and so maybe blocking something might still be a good solution, but so far it seems they haven't targeted the right domains or something like this.

Okay. Do you have any Firefox support planned? Because that's a good question; I also, in the background, tried to install it, but I'm a Firefox user and it doesn't seem like it works there.

So for our tests we had a Firefox plugin, but we haven't published it at the moment because we cannot really manage to take care of this. The Chrome solution is also used with Chromium, which is the platform we use actually, and I can emphasize to use that, but it should basically also work in Firefox, but maybe the
UI doesn't work. So in this way now, for all the... made it and it has worked, but we haven't...

I'm not sure, maybe you know something about this, but what do you think is the effectiveness of uBlock, maybe, against such fingerprinting measures?

I think uBlock is also just based on blacklisting, and many of those tools might even use the same blacklists, which are published by some companies or smaller projects, and from that point I would bet that it's maybe not that effective, and the best solution is unification and simplifying of those interfaces, which is a completely different way to think about this kind of problem, and I think it's also the right direction. Unfortunately, the Safari browser is not available for everyone, but I mean, I think the Firefox guys could maybe also take up this idea, from my point of view.

Do you maybe know what metrics Apple, or Safari, is using and why it's so effective? Like, I think you've shown in one slide that it's one of the most effective, if not the most effective, solution right now against this. Does it work similar, or does it just count function calls or evaluate it somehow in the background?

No, so they have... I mean, they have a completely different approach than blacklisting. They simplify and unify the JavaScript interface, so if you call and ask, hey, what's the user...

We're having some really bad... they want to be very limited, yeah. We'll try something. Julian, I'm very sorry, but could you, in your webcam share, click this little eye icon on the bottom, an organ symbol? Click on that and we'll disable the webcam so we can save on some bandwidth; maybe that will help the audio connection. Yes, so this didn't work... Yeah, exactly. So now we sadly cannot see you anymore, but hopefully we'll have more bandwidth for the audio. And can you repeat the last answer, please?

So Apple has chosen a completely different way: they simplify and unify the JavaScript interface, and this way you cannot distinguish between different devices which use Apple's operating system. And that's actually a solution I would like to see everywhere, because the script engine has, so far, let's say, useless features, or nobody really uses many of those features which are used for fingerprinting. And yeah, that's actually a better way instead of blocking some weird domains, because we have also seen scripts that have used dynamic fragmentation and even used randomized domains to hide their fingerprinting. So blocking is not a valid solution now, and it will not be in the future.

Yeah, it's the same for IP blocking, I guess; everyone is currently fighting the same thing. You know, in the details: block one IP, the next one just pops up. It's really hard to mitigate. To make this maybe more visible: with the Apple device everybody looks a bit the same, so you cannot distinguish between the different users.

Yeah.

You know, if everyone has the same fingerprint, then yes, you get a fingerprint, but it's pretty much useless. It's a good strategy, I think.

Yeah.

Did you by chance check out the Tor Browser? I think the Tor Browser also has some Apple-like countermeasures to this fingerprinting. I think there were a lot of headlines a few years ago because suddenly people realized, yes, Tor will hide where you are coming from, but not how your browser looks, right? So I don't know, is JavaScript enabled by default in the Tor Browser?

I'm actually not sure, but I think they do have an extension by default, usually, that will...

Yeah, we'll have something. I'm seeing in chat that someone commented that Firefox has a resist fingerprinting setting, and it seems like the Tor Browser has this active by default. Do you know how useful that is?

So at least for Firefox we have tested actually exactly this case; it's called strict privacy mode,
and it's maybe the best solution from those we have seen, but it's not as good as the one from Apple with unification and herd immunity. So it works in some cases, but it also didn't work in many other cases.

Okay, yeah, but hopefully better than nothing. And I'm just hearing from the chat that JavaScript is enabled by default in the Tor Browser, but they have a lot of other tools that try to block stuff and different levels of protection, so hopefully you're sort of safe there. But as we got it, it has this resist fingerprinting.

Yeah, and in the end it's again what we had at the beginning of our Q&A: I mean, we as specialists might start to use Tor, but it's not true for...

Can you repeat that one more time? That broke up.

So the Tor Browser is not used by everybody, right? So most people will use one of these default solutions which you can easily install and so on.

Yeah. We have one question from Twitter, finally; I think this is the very first question from Twitter that we have at this congress. Did you explore the use cases for these fingerprinting integrations on commercial sites a little bit further? I think you've mentioned that briefly in the talk somewhere, about Sift and especially Akamai, that can use this for machine learning fraud detection, something maybe for payment processing. Do you have any analysis of, for example, good or bad fingerprinting?

Yeah, so I mean, bot detection is probably the... and security applications. So in our studies we have also seen that while you are logging into some services you are fingerprinted, and that makes sense to some degree. The question is who has access to this, or is it used in some other form, and that's actually a fundamental problem here, because, like with cookies, we can never say is it a benign or malicious use, does somebody monetize this data or not, and so on. So that's the complicated part.

Yeah, that's probably always a hard question. You know, data can be used for good and bad, and the approach to collect the data might be the same, but you never know what people are going to do with it. That's the dualism of technology, often, right?

Yeah, it's a really tricky thing.

And then another question from the Fediverse, I think; somewhere on Mastodon someone asked if using a virtual machine is an effective fingerprinting countermeasure.

For some of the methods we know it might be effective, but it's actually also an interesting question if you can, for example, then detect virtualization and so on, which is, at least under security considerations, another interesting topic.

Yeah, you'll probably then be able to classify people that try to evade fingerprinting measures, you know, a new user group classification, and they're already...

Yeah, it's really tricky, and as always it's again the question how scalable it is, or how many people do this, right, to protect themselves.

Yeah, I still see people using no ad blockers, no nothing, and I'm always like, how can you even still use the internet with this? I've tried it once and it's bearable to me.

Yeah, I totally agree.

And then one more question: where can this FPMON extension be found? How can you install it if you're interested in doing so?

So at the moment we have a domain, fpmon.github.io; it's also at the end of our talk, and there you get some facts, the paper is linked, and you can also download it. It's published on GitHub, and so far you have to install it on your own as a developer, in developer mode, but later on you might easily install it via the extension marketplace or something; we are in the process actually of publishing it there.

Yeah, that's great, so at some point maybe you can just go to the store and install it. That seems to be pretty important nowadays, that you are on some kind of store, otherwise you just don't exist.
Interesting developments.

Not true, if I... yeah. I mean, it was a research project so far, and we now, since we thought, hey, these are really great results, let's publish this somehow so that people can use it. And yeah, for us there's no real... I mean, the only incentive to give it to people is that they get awareness of fingerprinting, so we don't record anything or something that would make this tool super useless, right? We thought about maybe studying this or something like this, but it's again tracking of users, so we don't want to do this. So yeah, that's why we have to give it out and get some trust from people, that they also say, okay, I installed this extension which could basically see everything I do on the web, right?

Yeah, of course, a bit conflicting. But I think just enabling people to recognize the problem is the first step to a solution. You know, it's something you always say: recognizing the problem is the first step, and maybe we can get some traction. We had so many talks on the stage already that showed, hey, there is a problem, and in the old spirit of... maybe something happens out of this.

Yeah, true, that would be great.

Yep.

Oh, there's also, I think, yeah, that's one of the key strengths of FPMON: it can visualize something which you usually don't see; it's too quick and it's too hidden to see it, and with this tool you can make it visible.

Great. One more interesting question: can browser plug-in fingerprinting be circumvented?

I'm not sure... yeah, actually, so you can also fingerprint on other layers...

Can you restart, sorry?

So other layers are not protected; we only target JavaScript fingerprinting, which is, in my personal opinion, the most important one so far. You also have something like TCP fingerprints, for example, but they are not as sophisticated as JavaScript fingerprints, so then you better just track the IP or something like this, right? And with JavaScript fingerprinting there's so much weird functionality and kind of side channels to figure out what's your audio interface, what's your GPU and so on, and that's the weird thing about JavaScript fingerprinting: it has so much access to your device.

Yeah, I'm quite interested; you mentioned IP fingerprinting there, how this will turn out with the growing, or hopefully growing, adoption of IPv6, where essentially everyone has a non-NATed IP. You know, just hiding behind the NAT gateway in the past worked maybe quite well if you're at a university, then many are using the same IP, and this doesn't work anymore in the future. You know, even with the privacy extensions, for the time that you have the IP you can be tracked through that IP, probably. One more question: is setting the language or the localization of your web browser to English or some international defaults useful, since they can maybe track you by the specific language that you have enabled in your browser?

Hmm, I mean, I wouldn't say it can protect you, because it's just a single feature out of, let's say, four, so it's too little of a change to make you... yes, it depends on how sophisticated their technology is, and if you think about, let's say, AI technology and so on, which is probably already deployed now in this domain, that kind of small change will be tracked. They have also to use some kind of variety, because you also change your location here and there, and your time might change in your system and so on, right? So this process has to be fuzzy in some way.

Okay. I'm just sitting here, but I think there are more questions coming in by the minute. It seems like there's a very lively discussion in the IRC chat, so if you are not there yet, you might want to join them. And I'm not sure, Julian, will you be taking a look at the IRC chat?

I'm at the IRC.

Yeah, great, so you're already in there, and maybe you can answer some more questions to follow on quickly.

Ah, yeah, yeah, we can do it like this.

And then I guess we'll somehow wrap it up here, and thank you again for the talk, a very interesting introduction, and also thank you and your working group for this tool. More weapons to defend ourselves are always great to have, and yeah, let's wrap it up here.