Online Tracking

Oliver Jensen�

Most slides adapted from Vitaly Shmatikov and Arvind Narayanan

Reading Assignment

• “Third-Party Web Tracking: Policy and Technology”
• “Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting”

It’s the Internet! Of course they know you’re a dog. They also know your favorite brand of pet food and the name of the cute poodle at the park that you have a crush on!

Third-Party Tracking

Third-party cookies:

• Safari:�disabled by default
• Most browsers:�can be disabled by user
• Some browsers:�cannot be disabled (Android)

​

…but there are many other tracking technologies

Behavioral Targeting

publishers

Ad network

Advertisers

Partial List of Ad Networks

Tracking Is Pervasive

independent tracking mechanisms�in an average top-50 website

64

Sticky Tracking

Subverting same origin policy

(publisher also runs an ad network)

ad.hi5.com = ad.yieldmanager.com

​

Flash cookies

​

Browser fingerprinting

​

History sniffing

Tracking Technologies

• HTTP Cookies
• HTTP Auth
• HTTP Etags
• Content cache
• IE userData
• HTML5 protocol and content handlers
• HTML5 storage

• Flash cookies
• Silverlight storage
• TLS session ID & resume
• Browsing history
• window.name
• HTTP STS
• DNS cache

Everything Has a Fingerprint

Fingerprinting Web Browsers

• User agent
• HTTP ACCEPT headers
• Browser plug-ins
• MIME support
• Clock skew

• Installed fonts
• Cookies enabled?
• Browser add-ons
• Screen resolution

Panopticlick Example

Plugin 0: Adobe Acrobat; Adobe Acrobat Plug-In Version 7.00 for Netscape; nppdf32.dll; (Acrobat Portable Document Format; application/pdf; pdf) (Acrobat Forms Data Format; application/vnd.fdf; fdf) (XML Version of Acrobat Forms Data Format; application/vnd.adobe.xfdf; xfdf) ( Acrobat XML Data Package; application/vnd.adobe.xdp+xml; xdp) (Adobe FormFlow99 Data File; application/vnd.adobe.xfd+xml; xfd). Plugin 1: Adobe Acrobat; Adobe PDF Plug-In For Firefox and Netscape; nppdf32.dll; (Acrobat Portable Document Format; application/pdf; pdf) (Adobe PDF in XML Format; application/vnd.adobe.pdfxml; pdfxml) (Adobe PDF in XML Format; application/vnd.adobe.x-mars; mars) (Acrobat Forms Data Format; application/vnd.fdf; fdf) (XML Version of Acrobat Forms Data Format; application/vnd.adobe.xfdf; xfdf) ( Acrobat XML Data Package; application/vnd.adobe.xdp+xml; xdp) (Adobe FormFlow99 Data File; application/vnd.adobe.xfd+xml; xfd). Plugin 2: Google Update; Google Update; npGoogleOneClick8.dll; (; application/x-vnd.google.oneclickctrl.8; ). Plugin 3: Microsoft® Windows Media Player Firefox Plugin; np-mswmp; np-mswmp.dll; (np-mswmp; application/x-ms-wmp; *) (; application/asx; *) (; video/x-ms-asf-plugin; *) (; application/x-mplayer2; *) (; video/x-ms-asf; asf,asx,*) (; video/x-ms-wm; wm,*) (; audio/x-ms-wma; wma,*) (; audio/x-ms-wax; wax,*) (; video/x-ms-wmv; wmv,*) (; video/x-ms-wvx; wvx,*). Plugin 4: Move Media Player; npmnqmp 07103010; npmnqmp07103010.dll; (npmnqmp; application/x-vnd.moveplayer.qm; qmx,qpl) (npmnqmp; application/x-vnd.moveplay2.qm; ) (npmnqmp; application/x-vnd.movenetworks.qm; ). Plugin 5: Mozilla Default Plug-in; Default Plug-in; npnul32.dll; (Mozilla Default Plug-in; *; *). Plugin 6: Shockwave Flash; Shockwave Flash 10.0 r32; NPSWF32.dll; (Adobe Flash movie; application/x-shockwave-flash; swf) (FutureSplash movie; application/futuresplash; spl). Plugin 7: Windows Genuine Advantage; 1.7.0059.0; npLegitCheckPlugin.dll; (npLegitCheckPlugin; application/WGA-plugin; *).

84% of browser fingerprints are unique

With Flash or Java, 94% are unique

“Don’t Worry, It’s All Anonymous”

• Is it?
• What’s the difference between
• “anonymous”
• “pseudonymous”
• “identified”
• Which technology changed data collection from anonymous to pseudonymous?

How Websites Get Your Identity

Third party is sometimes the site itself

​

Leakage of identifiers

GET http:/​/ad.doubleclick.net/adj/...

Referer: http:/​/submit.SPORTS.com/...?email=jdoe@email.com

Cookie: id=35c192bcfe0000b1...

​

Security bugs

Remember XSUH (cross-site URL hijacking)?

​

Third party buys your identity

History Sniffing

• How can a webpage figure out which sites you
• visited previously?
• Color of links (defunct)
• CSS :visited property
• getComputedStyle()
• Timing attacks (cache, computation)
• DNS timing

Preventing History Sniffing

• Major browsers do not return computed styles for links
• So you have to get cleverer:
• http://tinsnail.neocities.org/
• http://lcamtuf.coredump.cx/yahh/

Identity Sniffing

• All social networking sites allow users to join groups
• Users typically join multiple groups
• Some of these groups are public
• Group-specific URLs are predictable

​

​

• Intersection of group affiliations acts as a fingerprint
• Can sometimes infer identity by computing the intersection of group membership lists

[Wondracek et al.]

One-Click Fraud

Thank you for your patronage! You successfully registered for our premium online services, at an incredible price of 50,000 JPY. Please promptly send your payment by bank transfer to ABC Ltd at Ginko Bank, Account 1234567. Questions? Please contact us at 080-1234-1234.

​

Your IP address is 10.1.2.3, you run Firefox 3.5 over Windows XP, and you are connecting from Tokyo.

​

Failure to send your payment promptly will force us to mail you a postcard reminder to your home address. Customers refusing to pay will be prosecuted to the fullest extent of the law. Once again, thank you for your patronage!

One-Click Fraud

• Estimated costs to victims:�USD 260 million / year

​

• What’s going on here?
• Why only Japan?
• Cultural factors:
• susceptibility to authoritative language
• threat of public shaming

Credible because the website

does have your real identity!

Instant Personalization

Creepy is the New Normal

Do Not Track

Basics

​

HTTP header

• DNT: 1

​

Standardization

​

Browser support in FF4, IE9

​

Beginning to see adoption (AP, NAI)… or not

Privacy protections

​

No tracking across sites

• Who is the “third” party?

​

No intrusive tracking

​

Limits on regular log data

​

Exceptions for fraud

prevention, etc.

DNT Adoption Issues

“But the NAI code also recognizes that companies sometimes need to continue to collect data for operational reasons that are separate from ad targeting based on a user’s online behavior. For example, online advertising companies may need to gather data to prove to advertisers that an ad has been delivered and should be paid for; to limit the number of times a user sees the same ad; or to prevent fraud.”

Translation: we’re going to keep tracking you, but we’ll simply call it “operational reasons.”

Brave New World?

Google AdID

Verizon “supercookie”

How are these identifiers different from third-party cookies?