New reliable technique to track web users across browsers
For good or ill, what users do on the web is tracked. Banks track users as an authentication technique, to offer their customers enhanced security protection. Retailers track customers and potential customers in order to deliver personalized service tailored to their tastes and needs.
Source: Lehigh University
The method commonly used for tracking is called web fingerprinting. Web fingerprinting is a way of collecting information that can be used to fully or partially identify a given user, even when cookies are disabled.
Such techniques have been evolving quickly. Yet, the most advanced and commonly used methods track users in a single browser only.
Now a team of researchers led by Yinzhi Cao , assistant professor computer science and engineering at Lehigh University (Bethlehem, PA) -- and including graduate student Song Li, also of Lehigh University and Erik Wijmans of Washington University in St. Lous -- has developed the first cross-browser fingerprinting technique to use machine-level features to identify users. The work is described in a paper called: "(Cross-) Browser Fingerprinting via OS and Hardware Level Features." Cao and his colleagues are scheduled to present their findings at the Internet Society's Network and Distributed System Security (NDSS) Symposium next week, February 26 through March 1 in San Diego, CA.
The authors write: "Our principal contribution is being the first to use many novel OS and hardware features, especially computer graphics ones, in both single- and cross-browser fingerprinting. Particularly, our approach with new features can successfully fingerprint 99.24% of users as opposed to 90.84% for AmIUnique, i.e., state of the art, on the same dataset for single-browser fingerprinting."
In addition, their technique can achieve higher uniqueness rates than the only cross-browser approach in the literature with similar stability.
"The only other cross-browser fingerprinting work uses IP address as the main feature by which to identify users," says Cao. "This method has been criticized as too unstable as people use the internet at home, work and on different devices. Using an IP address is too dynamic and unreliable."
Cao's novel approach adopts OS and hardware levels features including graphic cards exposed by WebGL, audio stack by Audio-Context, and CPU by hardwareConcurrency. In addition to being able to uniquely identify more users than AmIUnique for single-browser fingerprinting, and the only other cross-browser fingerprinting technique in the literature, their approach is highly reliable. According to their study, the removal of any single feature only decreases the accuracy by at most 0.3%.
The team used crowdsourcing for data collection, asking participants to visit their website using two different browsers of their choice and incentivizing them to use a third browser by offering additional payment.
According to Cao, the ideal next step for this work would be for a financial institution to adopt the approach as a way to provide multi-factor authentication for their customers.
"Our goal is for people to use it," says Cao.