Track: Web Privacy

9:30 AM, Thursday 16 Jul 2020 EDT (1 hour 40 minutes)

Session Chair: Nataliia Bielova

  • Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective

    Gaston Pugliese (Friedrich-Alexander University Erlangen-Nürnberg (FAU)), Christian Riess (Friedrich-Alexander University Erlangen-Nürnberg (FAU)), Freya Gassmann (Saarland University), and Zinaida Benenson (Friedrich-Alexander University Erlangen-Nürnberg (FAU))

    Pre-recorded presentation

    Summary: Browser fingerprinting, as a stateless tracking technique, can be used to recognize users based on the characteristics and behavior of their browser. In this talk, we present technical and user-centred findings from a 3-year online study.

  • No boundaries: data exfiltration by third parties embedded on web pages

    Gunes Acar (KU Leuven), Steve Englehardt (Mozilla), and Arvind Narayanan (Princeton University)

    Pre-recorded presentation

    Summary: We investigate data exfiltration by third-party scripts directly embedded on web pages. Specifically, we study three attacks: misuse of browsers’ internal login managers, social data exfiltration, and whole-DOM exfiltration. Although the possibility of these attacks was well known, we provide the first empirical evidence based on measurements of 300,000 distinct web pages from 50,000 sites. We extend OpenWPM’s instrumentation to detect and precisely attribute these attacks to specific third-party scripts. Our analysis reveals invasive practices such as inserting invisible login forms to trigger autofilling of the saved user credentials, and reading and exfiltrating social network data when the user logs in via Facebook login. Further, we uncovered password, credit card, and health data leaks to third parties due to wholesale collection of the DOM. We discuss the lessons learned from the responses to the initial disclosure of our findings and fixes that were deployed by the websites, browser vendors, third-party libraries and privacy protection tools.

  • A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments [artifact]

    Zhiju Yang (Colorado School of Mines) and Chuan Yue (Colorado School of Mines)

    Pre-recorded presentation

    Summary: Web measurement is a powerful approach to studying various tracking practices that may compromise the privacy of millions of users. Researchers have built several measurement frameworks and performed a few studies to measure web tracking on the desktop environment. However, little is known about web tracking on the mobile environment, and no tool is readily available for performing a comparative measurement study on mobile and desktop environments. In this work, we built a framework called WTPatrol that allows us and other researchers to perform web tracking measurement on both mobile and desktop environments. Using WTPatrol, we performed the first comparative measurement study of web tracking on 23,310 websites that have both mobile version and desktop version webpages. We conducted an in-depth comparison of the web tracking practices of those websites between mobile and desktop environments from two perspectives: web tracking based on JavaScript APIs and web tracking based on HTTP cookies. Overall, we found that mobile web tracking has its unique characteristics especially due to mobile-specific trackers, and it has become increasingly as prevalent as desktop web tracking. However, the potential impact of mobile web tracking is more severe than that of desktop web tracking because a user may use a mobile device frequently in different places and be continuously tracked. We further gave some suggestions to web users, developers, and researchers to defend against web tracking.

  • In Depth Evaluation of Redirect Tracking and Link Usage

    Martin Koop (None), Erik Tews (University of Twente), and Stefan Katzenbeisser (Universität Passau)

    Pre-recorded presentation

    Summary: In this work we present the first large scale study on the threat of redirect link tracking. By crawling the Alexa top 50k websites and following up to 34 page links, we recorded traces of HTTP requests from 1.2 million individual visits of websites as well as analyzed 108,435 redirect chains originating from links clicked on those websites. We evaluate the derived redirect network on its tracking ability and demonstrate that top trackers are able to identify the user on the most visited websites. We also show that 11.6% of the scanned websites use one of the top 100 redirectors which are able to store non-blocked first-party tracking cookies on users' machines even when third-party cookies are disabled. Moreover, we present the effect of various browser cookie settings, resulting in a privacy loss even when using third-party blocking tools.
