
The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking

Zengrui Liu, Jimmy Dani, Yinzhi Cao, Shujiang Wu, Nitesh Saxena

TL;DR

The study tackles whether browser fingerprinting is used for online tracking and targeted advertising. It introduces FPTrace, a framework that simulates user behavior, spoofs fingerprints, captures ad bids, and exports cookies to detect fingerprinting-driven changes in advertising signals. Results show fingerprint alterations correlate with bid-value shifts and a substantial drop in HTTP records, indicating fingerprinting influences targeting, though the link to cookie restoration remains inconclusive and regulation-specific effects vary. The work highlights important privacy implications for advertising ecosystems and informs regulatory considerations and auditing approaches.

Abstract

While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising. This paper introduces "FPTrace" (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking. In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.

Paper Structure (39 sections, 5 figures, 15 tables)

Figures (5)

  • Figure 1: High-level overview of the measurement study methodology. In Step 1, we create a browser persona by visiting a list of websites. This step is called "Simulating Interest Personas". In Step 2, we use the trained persona to visit websites that display ads, then collect bids and HTTP data. This step is called "Collecting Bids and HTTP Data". In Step 3, we extract cookies from the browser profile and compare them between different experiment settings. This step is called "Detecting Cookie Restoration". In Step 4, we manually inspect and analyze the extracted cookies. This step is called "Detecting Fingerprinting Related Cookie Restoration".
  • Figure 2: High-level overview of the advertisement experiment. In Step 1, FPTrace visits websites sequentially to keep updating the browser profile. In Step 2, FPTrace controls the browser with the updated profile to visit each website. In Step 3, FPTrace records the bids data and HTTP data. In Step 4, FPTrace does not update the current browser profile, and loads the profile updated after Step 1. After visiting all websites in Step 2, FPTrace compares the bids data and HTTP data between A, A* and B.
  • Figure 3: High-level overview of the cookie restoration experiment. In Step 1, FPTrace controls the browser to visit websites. In Step 2, FPTrace exports all cookies, including 1st party and 3rd party cookies. In A and A*, FPTrace uses the same browser fingerprints and the same experiment conditions. In B, FPTrace uses a different browser fingerprint. FPTrace then compares cookies between A, A* and B.
  • Figure 4: Figure a is the CDF of different fingerprint and IP settings when keeping cookies. Figure b is the CDF of different fingerprint and IP settings when removing cookies. The bid values range from 0 to 5. The CDF score ranges from 0.8 to 1. In Figure a, we can observe that the red curve is much different from the other two curves, which are closer to each other, thus showing that fingerprinting is being used for tracking. In Figure b, we can observe that the red curve is much different from the other two curves, which are closer to each other, thus showing that fingerprinting is being used for tracking.
  • Figure 5: High-level overview of the GDPR/CCPA experiment. Step A represents the training persona, with the original fingerprint. Step B involves Opt Out or Opt In actions on websites with ads, utilizing CMPs, and employing Prebid.js, or on the central Opt Out website NAI. Step C involves the collection of HTTP data. Step D represents the data analysis.
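
The A / A* / B cookie comparison described for Figure 3 can be sketched as follows. This is an added example, not FPTrace's code: the cookie record fields (`domain`, `name`, `value`), the four labels and the rule itself (a cookie stable across A and A* but different in B is a fingerprint-linked candidate) are assumptions made for illustration, and the sample exports are constructed.

```python
# Added example: three-way cookie comparison across runs A, A* and B.
# Record fields and the labelling rule are assumptions, not FPTrace's code.

def index(jar):
    """Map (domain, name) -> value for one exported cookie jar."""
    return {(c["domain"], c["name"]): c["value"] for c in jar}

def classify(run_a, run_a_star, run_b):
    """Label every cookie seen in any run.

    constant            same value in A, A* and B (no per-browser signal)
    noise               differs between A and A* although nothing changed
    fingerprint_linked  stable across A and A*, different or absent in B
    not_reproduced      missing from A or A*, so the baseline is incomplete
    """
    a, a_star, b = index(run_a), index(run_a_star), index(run_b)
    labels = {}
    for key in sorted(set(a) | set(a_star) | set(b)):
        va, vs, vb = a.get(key), a_star.get(key), b.get(key)
        if va is None or vs is None:
            labels[key] = "not_reproduced"
        elif va != vs:
            labels[key] = "noise"
        elif vb == va:
            labels[key] = "constant"
        else:
            labels[key] = "fingerprint_linked"
    return labels

def cookie(domain, name, value):
    return {"domain": domain, "name": name, "value": value}

# Constructed sample exports (not measurement data).
RUN_A = [cookie("ads.example", "uid", "u-7f3a"), cookie("ads.example", "sess", "s-111"),
         cookie("cdn.example", "lang", "en"), cookie("sync.example", "tmp", "t-1")]
RUN_A_STAR = [cookie("ads.example", "uid", "u-7f3a"), cookie("ads.example", "sess", "s-222"),
              cookie("cdn.example", "lang", "en")]
RUN_B = [cookie("ads.example", "uid", "u-c901"), cookie("ads.example", "sess", "s-333"),
         cookie("cdn.example", "lang", "en")]

if __name__ == "__main__":
    for (domain, name), label in classify(RUN_A, RUN_A_STAR, RUN_B).items():
        print(f"{domain:14} {name:5} {label}")
```

A `fingerprint_linked` label marks only a candidate for the manual inspection that Figure 1 places in Step 4; the A* run is what keeps per-session random values from being misread as fingerprint-driven.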