FP-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies

Antoine Vastel (Univ. Lille / Inria), Pierre Laperdrix (Stony Brook University), Walter Rudametkin (Univ. Lille / Inria), Romain Rouvoy (Univ. Lille / Inria / IUF)

https://www.usenix.org/conference/usenixsecurity18/presentation/vastel

This paper is included in the Proceedings of the 27th USENIX Security Symposium, August 15–17, 2018, Baltimore, MD, USA. ISBN 978-1-939133-04-5. Open access to the Proceedings of the 27th USENIX Security Symposium is sponsored by USENIX.

Abstract

By exploiting the diversity of device and browser configurations, browser fingerprinting established itself as a viable technique to enable stateless user tracking in production. Companies and academic communities have responded with a wide range of countermeasures. However, the way these countermeasures are evaluated does not properly assess their impact on user privacy, in particular regarding the quantity of information they may indirectly leak by revealing their presence.

In this paper, we investigate the current state of the art of browser fingerprinting countermeasures to study the inconsistencies they may introduce in altered fingerprints, and how this may impact user privacy. To do so, we introduce FP-SCANNER as a new test suite that explores browser fingerprint inconsistencies to detect potential alterations, and we show that we are capable of detecting countermeasures from the inconsistencies they introduce. Beyond spotting altered browser fingerprints, we demonstrate that FP-SCANNER can also reveal the original value of altered fingerprint attributes, such as the browser or the operating system. We believe that this result can be exploited by fingerprinters to more accurately target browsers with countermeasures.

1 Introduction

Recent studies have shown that user tracking keeps increasing among popular websites [2, 4, 23], with motivations ranging from targeted advertising to content personalization or security improvements. State-of-the-art tracking techniques assign a Unique User IDentifier (UUID), which is stored locally—either as a cookie or some other storage mechanism (e.g., local storage, ETags). Nonetheless, to protect users, private browsing modes and extensions automatically delete cookies and clear storages at the end of a session, decreasing the efficiency of the standard tracking techniques.

In 2010, Eckersley [3] revealed a stateless tracking technique that can complement traditional stateful tracking: browser fingerprinting. This technique combines several pieces of non-Personally Identifiable Information (PII) made available as browser attributes to reveal the nature of the user device. These attributes are disclosed by querying a rich diversity of JavaScript APIs, and by analyzing HTTP headers sent by the browser. By collecting browser fingerprints composed of 8 attributes, he demonstrated that 83.6% of the visitors of the PANOPTICLICK website could be uniquely identified.

Since browser fingerprinting is stateless, it is difficult for end-users to opt out or block, and it raises several privacy concerns, in particular when it comes to undesired advertising and profiling. In response to these concerns, researchers have developed countermeasures to protect against browser fingerprinting [10, 11, 15, 20]. Most of the countermeasures rely on modifying the fingerprint's attributes to hide their true identity. Nonetheless, this strategy tends to generate inconsistent combinations of attributes, called inconsistencies, which are used by commercial fingerprinters, like AUGUR, or open source libraries, such as FINGERPRINTJS [21], to detect countermeasures.

In this paper, we extend the work of Nikiforakis et al. [16], which focused on revealing inconsistencies to detect user agent spoofers, to consider a much wider range of browser fingerprinting countermeasures. To do so, we introduce FP-SCANNER, a fingerprint scanner that explores fingerprint attribute inconsistencies introduced by state-of-the-art countermeasures in order to detect if a given fingerprint is genuine or not. In particular, we show that none of the existing countermeasures succeed in lying consistently without being detected and that it is even possible to recover the ground value of key attributes, such as the OS or the browser. Then, we discuss how using detectable countermeasures may impact user privacy, in particular how fingerprinters can leverage this information to improve their tracking algorithms.

USENIX Association 27th USENIX Security Symposium 135

In summary, this paper reports on 5 contributions to better evaluate the privacy impact of browser fingerprinting countermeasures: 1) we review the state-of-the-art browser fingerprinting countermeasures, 2) we propose an approach that leverages the notion of consistency to detect if a fingerprint has been altered, 3) we implement a fingerprinting script and an inconsistency scanner capable of detecting altered fingerprints at runtime, 4) we run extensive experiments to detect how fingerprinting countermeasures can be detected using our inconsistency scanner, and 5) we discuss the impact of our findings on user privacy.

The remainder of this paper is organized as follows. Section 2 overviews the state of the art in the domain of browser fingerprinting before exploring existing browser fingerprinting countermeasures. Then, Section 3 introduces a new test suite to detect altered browser fingerprints. Section 4 reports on an empirical evaluation of our contribution and Section 5 discusses the impact on user privacy, as well as the threats to validity. Finally, we conclude and present some perspectives in Section 6.

2 Background & Motivations

Before addressing the consistency properties of fingerprint attributes (cf. Section 2.3), we introduce the principles of browser fingerprinting (cf. Section 2.1) and existing countermeasures in this domain (cf. Section 2.2).

2.1 Browser Fingerprinting in a Nutshell

Browser fingerprinting provides the ability to identify a browser instance without requiring a stateful identifier. This means that contrary to classical tracking techniques—such as cookies—it does not store anything on the user device, making it both harder to detect and to protect against. When a user visits a website, the fingerprinter provides a script that the browser executes, which automatically collects and reports a set of attributes related to the browser and system configuration known as a browser fingerprint. Most of the attributes composing a fingerprint come from either JavaScript browser APIs—particularly the navigator object—or HTTP headers. When considered individually, these attributes do not reveal a lot of information, but their combination has been demonstrated as being mostly unique [3, 12].

Browser Fingerprints Uniqueness and Linkability. […] considering JavaScript-related attributes. With the appearance of new JavaScript APIs, Mowery et al. [14] showed how the HTML 5 canvas API could be used to generate a 2D image whose exact rendering depends on the device. In 2016, Laperdrix et al. [12] studied the diversity of fingerprint attributes, both on desktop and mobile devices, and showed that even if attributes, like the list of plugins or the list of fonts obtained through Flash, exhibit high entropy, new attributes like canvas are also highly discriminating. They also discovered that, even though many mobile devices, such as iPhones, are standardized, other devices disclose a lot of information about their nature through their user agent. More recently, Gómez-Boix et al. [8] analyzed the impact of browser fingerprinting at a large scale. Their findings raise some new questions on the effectiveness of fingerprinting as a tracking and identification technique, as only 33.6% of the more than two million fingerprints they analyzed were unique.

Besides fingerprint uniqueness, which is critical for tracking, stability is also required, as browser fingerprints continuously evolve with browser and system updates. Eckersley [3] was the first to propose a simple heuristic to link evolutions of fingerprints over time. More recently, Vastel et al. [22] showed that, using a set of rules combined with machine learning, it was possible to keep track of fingerprint evolutions over long periods of time.

Browser Fingerprinting Adoption. Several studies using Alexa top-ranked websites have shown a steady growth in the adoption of browser fingerprinting techniques [1, 2, 5, 16]. The most recent, conducted by Englehardt et al. [5], observed that more than 5% of the Top 1000 Global Sites listed by Alexa were using canvas fingerprinting techniques.

2.2 Browser Fingerprinting Countermeasures

In response to the privacy issues triggered by browser fingerprint tracking, several countermeasures have been developed. Among these, we distinguish 5 different strategies of browser fingerprinting countermeasures: script blocking, attribute blocking, attribute switching with pre-existing values, attribute blurring with the introduction of noise, and reconfiguration through virtualization. While script blocking extensions are not specifically designed to counter browser fingerprinting,