Lehigh University
For good or ill, what users do on the web is tracked. Banks
track users as an authentication technique, to offer their customers enhanced
security protection.
Retailers track customers and potential customers in order
to deliver personalized service tailored to their tastes and needs.
The method commonly used for tracking is called web
fingerprinting. Web fingerprinting is a way of collecting information that can
be used to fully or partially identify a given user, even when cookies are
disabled.
Such techniques have been evolving quickly. Yet, the most
advanced and commonly used methods track users in a single browser only.
Now a team of researchers led by Yinzhi Cao , assistant professor computer science and engineering at Lehigh University (Bethlehem, PA) -- and including graduate student Song Li, also of Lehigh University and Erik Wijmans of Washington University in St. Lous -- has developed the first cross-browser fingerprinting technique to use machine-level features to identify users.
The work is described in a paper called: "(Cross-) Browser
Fingerprinting via OS and Hardware Level Features." Cao and his colleagues
are scheduled to present their findings at the Internet Society's Network and
Distributed System Security (NDSS) Symposium, February 26 through
March 1 in San Diego, CA.
The authors write:
"Our principal contribution is being the first to use many novel OS and hardware features, especially computer graphics ones, in both single- and cross-browser fingerprinting. Particularly, our approach with new features can successfully fingerprint 99.24% of users as opposed to 90.84% for AmIUnique, i.e., state of the art, on the same dataset for single-browser fingerprinting."
In addition, their technique can achieve higher uniqueness rates
than the only cross-browser approach in the literature with similar stability.
"The only other cross-browser fingerprinting work uses IP
address as the main feature by which to identify users," says Cao.
"This method has been criticized as too unstable as people use the
internet at home, work and on different devices. Using an IP address is too
dynamic and unreliable."
Cao's novel approach adopts OS and hardware levels features
including graphic cards exposed by WebGL, audio stack by Audio-Context, and CPU
by hardwareConcurrency.
In addition to being able to uniquely identify more
users than AmIUnique for single-browser fingerprinting, and the only other
cross-browser fingerprinting technique in the literature, their approach is
highly reliable.
According to their study, the removal of any single feature
only decreases the accuracy by at most 0.3%.
The team used crowdsourcing for data collection, asking
participants to visit their website using two different browsers of their
choice and incentivizing them to use a third browser by offering additional
payment.
According to Cao, the ideal next step for this work would be for
a financial institution to adopt the approach as a way to provide multi-factor
authentication for their customers.
"Our goal is for people to use it," says Cao.