The Feasibility of Limiting Access to Fingerprintable Surfaces in Web Browsers

https://i62bbb.tm.kit.edu/b/mic-7xx-rfr

2021-03-30

14:00

In this work, we examine the feasibility of limiting access to fingerprintable surfaces for the purpose of making browser fingerprinting ineffective for tracking users.
Specifically, we aim to determine whether the Privacy Budget, as proposed by google as part of their Privacy Sandbox project, is fit for this purpose.
The Privacy Budget monitors how much fingerprinting information is extracted from a browser installation by a website and stops further extraction of information once a threshold is reached.
We come to the conclusion, that the privacy budget, while feasible and fit for purpose, is faced with many problems that remain yet unsolved.
As it is currently proposed, the Budget does not make use of the fact that fingerprints may be unstable.
We try to push in this direction by introducing a new metric for fingerprint stability based on entropy.
The budget also fails to take into account the possibilities of fingerprinting across multiple websites, which we detail in this work.
We survey a list of 10000 popular websites to examine which fingerprinting surfaces they use in order to establish whether the privacy budget would break them, leading to a failure in user acceptance.
For this, we develop an application called FPLog, a modified browser which logs website’s accesses to fingerprinting surfaces as they occur.
Evaluating our results from visiting the 10000 websites with this application, we come to the conclusion, that current websites make use of many fingerprinting surfaces, but not so many as to make an entropy-based limit infeasible.