PhD: collaborative, distributed mitigation against browser fingerprinting

Keywords: browser fingerprinting, decentralized clustering, randomization, software diversity, statistics

Contact: Benoit Baudry (benoit.baudry@inria.fr), Davide Frey (davide.frey@inria.fr), David Bromberg (david.bromberg@irisa.fr)

Description

Context

Browser fingerprinting is the systematic collection of information about a browser, for identification purposes. Client-side scripting languages allow the development of procedures to collect very rich fingerprints: browser and operating system type and version, screen resolution, architecture type, lists of fonts, plugins, microphone, camera, etc. In 2010, the Electronic Frontier Foundation demonstrated that fingerprints are so diverse that they can be used to identify users uniquely and track them [1]. Since then, more work has demonstrated how fingerprints are used to track users [2,3] and has proposed fingerprinting scripts that are more and more sophisticated [4].

Project

This PhD aims at providing effective algorithms and tools to mitigate tracking through browser fingerprinting. These new solutions will be based on decentralized identification of similar devices that are prone to share the same fingerprint, combined with the automatic reconfiguration of devices in order to modify the fingerprint. Our approach will prevent remote sites from identifying browsers by proactively modifying their configurations so that a large number of browsers end up having the same or indistinguishable fingerprints. We aim at addressing the two main properties that support profiling through fingerprinting: the uniqueness and the stability of fingerprints.
The PhD student will contribute to all aspects of the project, described below:

  • fingerprinting detection: here we want to establish statistical profiles of regular accesses to browser interfaces. This approach, similar to intrusion detection systems, will consist of analyzing a large number of websites, as well as their interactions with browser interfaces, to establish statistical thresholds for what constitutes legitimate access. We will perform these analyses by instrumenting the JavaScript engine.
  • collaborative mitigation: design novel decentralized clustering protocols that allow a large number of browsers to self-organize in disjoint groups characterized by similar fingerprints. A key component of these protocols will consist of novel similarity metrics that can evaluate the distance between browser fingerprints. The second step is to model the parts of a device that can be reconfigured and automatically reason about this model in order to make autonomous reconfiguration decisions that increase the similarity among devices that are in the same cluster.

There will be an important focus on experimentation and development in this PhD. In particular, we will (1) build mechanisms to actually modify a device configuration; (2) implement the clustering protocols by exploiting browser-to-browser communication within the WebRTC framework; and (3) combine and evaluate the reconfiguration mechanisms in a real-world setting by means of experiments within our research lab.
The applicant should have strong skills in software development and distributed computing and have a taste for statistics, automated reasoning and machine learning.

References

[1] Peter Eckersley. How unique is your web browser? In Proc. of Int. Conf. on Privacy Enhancing Technologies (PETS), 2010.
[2] Nick Nikiforakis and Gunes Acar. Browser fingerprinting and the online-tracking arms race. IEEE Spectrum, 2014.
[3] Pierre Laperdrix, Walter Rudametkin, Benoit Baudry. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In Proc. of the Symp. on Security and Privacy (S&P), 2016.
[4] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The web never forgets: Persistent tracking mechanisms in the wild. In Proc. of the Conf. on Computer and Communications Security (CCS), 2014.
[5] https://amiunique.org
