Cross-Site - Franziska Roesner
advertisement
Detecting and Defending Against Third-Party Tracking on the Web Franziska Roesner, Tadayoshi Kohno, David Wetherall April 26, 2012 NSDI Third-Party Web Tracking Advertise.com Tracker.com Bigger browsing profiles = increased value for trackers = reduced privacy for users (Hypothetical tracking relationships only.) April 26, 2012 Franziska Roesner 2 Tracking is Complicated • Much discussion of tracking, but limited understanding of how it actually works. • Our goals: – Understand the tracking ecosystem. • How is tracking actually done in the wild? • What kinds of browsing profiles do trackers compile? • How effective are defenses available to users? – Address gaps with new defense (ShareMeNot). April 26, 2012 Franziska Roesner 3 Outline • How Tracking Works – Tracking Mechanisms – Tracking Taxonomy • Measurements • Defenses April 26, 2012 Franziska Roesner 4 Mechanisms Required By Trackers • Ability to store user identity in the browser – Browser cookies – HTML5 LocalStorage and Flash cookies (LSOs) – Not considering more exotic storage mechanisms or approximate fingerprinting • Ability to communicate visited page and user identity back to tracker – Identity: Cookies attached to requests – Visited page: HTTP referrers – Both: scripts that embed information in URLs April 26, 2012 Franziska Roesner 5 Tracking: The Simple Version • Within-Site: First-party cookies are used to track repeat visits to a site. • Cross-Site: Third-party cookies are used by trackers included in other sites to create profiles. tracker.com http://site1.com http://site2.com Cookie Database tracker.com: id=789 cookie: id=789 <iframe src=tracker.com/a d.html> ad cookie: id=789 </iframe> April 26, 2012 Franziska Roesner processing engine 9:30am: user 789 visited site1.com 9:31am: user 789 visited site2.com logs 6 Our Tracking Taxonomy Name N/A Scope User Visits Directly? Within-Site Yes Site does its own on-site analytics. Evolution: Embedding analytics libraries Analytics Within-Site No Vanilla Cross-Site No Evolution: Third-party cookie blocking Forced Cross-Site Yes (forced) Overview Site uses third-party analytics engine (e.g., Google Analytics). Site embeds third-party tracker that uses third-party storage (e.g., Doubleclick). Site embeds third-party tracker that forced the user to visit directly (e.g., via popup). Referred Cross-Site No Tracker relies on another cross-site tracker to leak unique identifier values. Personal Cross-Site Yes Site embeds third-party tracker that the user otherwise visits directly (e.g., Facebook). April 26, 2012 Franziska Roesner 7 Quirks of Third-Party Cookie Blocking • Option blocks the setting of third-party cookies: all browsers • Option blocks the sending of third-party cookies: only Firefox • Result: Once a third-party cookie is somehow set, it can be used (in most browsers). April 26, 2012 Franziska Roesner 8 Forced Tracking http://site1.com <iframe src=tracker.com/a d.html> tracker.com processing engine High-level point: On most browsers,adif a tracker can ever set a cookie, tracker.com: </iframe> popup id=321 third-party cookie blocking is rendered ineffective. Cookie Database http://site2.com <iframe src=tracker.com/a d.html> ad logs 1:30pm: site1.com: user 321 1:31pm: site2.com: user 321 </iframe> April 26, 2012 Franziska Roesner 9 Our Tracking Taxonomy Type (Name) N/A Scope User Visits Directly? Within-Site Yes Site does its own on-site analytics. Evolution: Embedding analytics libraries Analytics Within-Site No Vanilla Cross-Site No Evolution: Third-party cookie blocking Forced Cross-Site Yes (forced) Evolution: Complex ad networks Overview Site uses third-party analytics engine (e.g., Google Analytics). Site embeds third-party tracker that uses third-party storage (e.g., Doubleclick). Site embeds third-party tracker that forced the user to visit directly (e.g., via popup). Referred Cross-Site No Tracker relies on another cross-site tracker to leak unique identifier values. Personal Cross-Site Yes Site embeds third-party tracker that the user otherwise visits directly (e.g., Facebook). April 26, 2012 Franziska Roesner 10 Referred Tracking http://site1.com tracker.com processing engine <iframe src=tracker.com/a d.html> High-level point: ad One tracker with client-side state can enable tracker.com: </iframe> id=522tracking by partners without client-side state. othertracker.com/tra Cookie Database http://site2.com <iframe src=tracker.com/a d.html> ck?id=522&referrer= site1.com processing engine ad </iframe> othertracker.com/tra ck?id=522&referrer =site2.com April 26, 2012 Franziska Roesner othertracker.com logs 2:34pm: site1.com: user 522 2:35pm: site2.com: user 522 11 Our Tracking Taxonomy Type (Name) Scope N/A User Visits Overview Directly? Within-Site Yes Site does its own on-site analytics. Evolution: Embedding analytics libraries Analytics Within-Site No Vanilla Cross-Site No Evolution: Third-party cookie blocking Forced Cross-Site Yes (forced) Evolution: Complex ad networks Site uses third-party analytics engine (e.g., Google Analytics). Site embeds third-party tracker that uses third-party storage (e.g., Doubleclick). Site embeds third-party tracker that forced the user to visit directly (e.g., via popup). Referred Cross-Site No Tracker relies on another cross-site tracker to leak unique identifier values. Personal Cross-Site Yes Site embeds third-party tracker that the user otherwise visits directly (e.g., Facebook). Evolution: Social networks April 26, 2012 Franziska Roesner 12 Personal Tracking • Just loading these buttons (not clicking on them) enables tracking. • Users visit these sites directly. • This tracking is often not anonymous (linked to accounts). April 26, 2012 Franziska Roesner 13 Our Tracking Taxonomy Type (Name) Scope N/A User Visits Overview Directly? Within-Site Yes Site does its own on-site analytics. Evolution: Embedding analytics libraries Analytics Within-Site No Vanilla Cross-Site No Evolution: Third-party cookie blocking Forced Cross-Site Yes (forced) Evolution: Complex ad networks Site uses third-party analytics engine (e.g., Google Analytics). Site embeds third-party tracker that uses third-party storage (e.g., Doubleclick). Site embeds third-party tracker that forced Anonymous the user to visit directly (e.g., via popup). Referred Cross-Site No Tracker relies on another cross-site tracker to leak unique identifier values. Personal Cross-Site Yes Site embeds third-party tracker that the user otherwise visits directly (e.g., Facebook). Evolution: Social networks April 26, 2012 Franziska Roesner 14 Outline • How Tracking Works – Tracking mechanisms – Tracking taxonomy • Measurements • Defenses April 26, 2012 Franziska Roesner 15 Measurement Tool: TrackingTracker • • • • Firefox add-on Based on taxonomy of client-side mechanisms Crawls the web, automatically categorizing trackers Monitors: – Third-party requests – Cookies, HTML5 LocalStorage, Flash LSOs (considers state that changes across clean measurement runs) – Identifier leaks April 26, 2012 Franziska Roesner 16 Measurement Study • 3 data sets – Alexa Top 500 • 5 pages per domain: main page and up to 4 links – Alexa Non-Top 500 • Sites ranked #501, #601, #701, etc. • 5 pages per domain: main page and up to 4 links – AOL search logs • 300 unique queries for 35 random users April 26, 2012 Franziska Roesner 17 Tracking Prevalence (Top 500) • 524 unique trackers on 500 domains 457 domains (91%) embed at least one tracker. (97% of those include at least one cross-site tracker.) 50% of domains embed between 4 and 5 trackers. One domain includes 43 trackers. April 26, 2012 Franziska Roesner 18 -, ./ 01 21 9- .34 : ; 56 . 75 ?1 / 5.< - 8 5/ 5= $ 65 ; 72 -@ / 5 , - - = / >$ 1@ - 75 9@ - , - 8 / . B: 6/ 1 / 75- $ 12 @5A 8 >6 75 $ /@ - 8 >D C/ 75 $ <E 3</ 1 / @ 8 $ .9 >9 75<8 8 1 8 > 8 $ @D 21 75-@ ,/ 8 .9 @75 $ D <9 8 / 19 @/ 75- $ C/ C6 8 $ @4 5<7 6<2 2/ 19 , 7 >$ 9> 5A< 8 <2 19 675- $ C<> 2 8 / 8 F67 $ 6/ / 5@C 9<1 8 <2 75 $ , 3- 0636 8 $ 19 : >: 759> ; / 8 $ A< 75 65 - 8 ; . 927 $ 8 : / = 5- 8 /9 1 <1 <75- $ G. 8 /F $ 758 $ ,- ! "#$%&"'( "&) #*&+$&',- '. / 0 #1+23' ( %%$ ) %%$ *%%$ ! &%$ ! %%$ &%$ ! / 4'56'! "#$%&"2'/ +'! / 4'766'. / 0 #1+2' ) &%$ H <>A<20I <>/ $ *#+$ J@ - 660I <>/ $KL/ @ 6- 21.M $ J@ - 660I <>/ $KN2- 238 - : 6M $ *&%$ ! " #$ ! &( $! ( #$ ! %#$! %&$ #) $ " ! $ ' %$ ( &$ ( ( $( %$ ) ( $ ) ) $ April 26, 2012 Franziska Roesner ) *$) *$ ) %$*#$ *+$ *' $ %$ 19 *+ , 45 - . ,/ .- .0 8. +) 12 )9 ) 0 - 3" -. 7 59 ) ) 1. ) (9 7 6 ," ; * 8- 5 1. ) 52 9. : 6 " 38 1. -9 )6 3= <- 1. " /> ) 6 ?/- 5 - 91 " ,( 3( . ) 6 /6 6 5 6 3 " 9= 25 1. ) ) 9 7- 6 " ,( 91. = /( ) 6 " 5( 9- 1. ) <- <8 6 " 9@ . /12 8 5( /271 3" ( 3 .) :/ 6" /2 5( 81. ) </3 2 6 - A8 " 8- 6 - 1. ) 9< ( /5 6 " /2 1. 7 ) ?) B8?8 6 " 5( *3* 1. ) ( 3 +- 6 " : / 1. 8. ) 6 + , ( 21 " 6 *- 0 . ) 6 -( 5 /5 /1. ) " C, 6 -A " 1. ) #) 6 " D1 23" () ! "#$%&'( )*&'+, '! - . &/0' 12 3'4 /&"/5'! "#$%&'( )*&/'67'8#9': ; '<"#//=( )>&'8"- ?@&"/' #! ! " ' &! " ' %! " ' $! " ' #! " ' !!" &! " %! " $! " #! " !" Doubleclick: Avg 39% (Max 66%) Facebook: Avg 23% (Max 45%) April 26, 2012 Franziska Roesner Each line represents one user. Google: Avg 21% (Max 61%) 20 LocalStorage and Flash Cookies • Surprisingly little use of these mechanisms! • Of 524 trackers on Alexa Top 500: – Only 5 set unique identifiers in LocalStorage – 35 set unique identifiers in Flash cookies • Respawning: – LS Cookie: 1 case; Cookie LS: 3 cases – Flash Cookie: 6 cases; Cookie Flash: 7 cases April 26, 2012 Franziska Roesner 21 Outline • How Tracking Works – Tracking mechanisms – Tracking taxonomy • Measurements • Defenses April 26, 2012 Franziska Roesner 22 Defenses to Reduce Tracking • We explore several in the paper: – Third-party cookie blocking – Do Not Track header – Popup blocking – Clearing client-side state – Disabling JavaScript – Private browsing mode April 26, 2012 Franziska Roesner 23 &%$ "#$%&"'( &"'( "&) "&) #* #*&+$&',&+$&',- '.'. // 00 #1 #1+23' +23' !! "#$% %%$ //4'56'! "#$% & "2'/+'! +'!& /"#$% 4'766'. #1 +2',! 81 /#1 1 &1& 2'>* / $% &93' ! /!!4'56'! "#$% "2'/ /"#$% 4'766'. // 0/+'! +2',! 81"9:( "9:(/#";<'=/ #";<'=/ /%% 2'>* / $% &93' 4'56'! "#$% "2'/ +'! 4'766'. 0//#1 4'56'! & "2'/ +'! 4'766'. #1 +2' !! //&4'56'! & "2'/ //4'766'. 00 +2' +2' (% %% %$$ &**# (&++# (no cookie blocking) &% &% % +# $$ ()()% *# @ -- JI660 <$ >/ L/ 621.M $ #$ @ 660 I$<K#>/ #$K@ L/ 6-21.O # J@ -LJ660 <->/IK> K</L/ @ 621.M $21.M @ 660 M N/ @ 6-@ !*#+$ ' *# *#+$ )**# %% %$$ !*#+$ ) ( % ++# ( ' +# %%$ !*&% %*# +# $$ !*&% % &%$ %%$ &%$ ,- -, %$ #$ !! ""#$ ! " #$ $%! #!$% !&( &(!#$#!$&' $!(( #$ #$ # $&' ! &% &% $ !$% $% +# $ *#! &( $ Referred Tracker Forced Tracker ! ( #$ %#$ #$ !!% %&$ &$"#)&#$ !!% " &# #) $ ""!!$$ ! % % $ !$++# %%$ $**# ! %#$! %&$ %$$ '' % #) $ " ! $ &$(((($$((% ((&$ %$$)()(&# &% &% % +# $$ ($$))))$$))*$) *#$ % *# *$)*$ *$!)))%%#$$!*#$ " # *+$*'*'$$ ( &# !$&# " # ! ) #' !%*# $ $&# $&# $! # $! #$$# $$# $*#$*#$*# " # ' *+$ # '# ( &$ ( ( $( %$ ) ( $ ) ) $ %$$ % +# ) *$) *$ ) %$*#$ *+$ *' $ *# %$$ !*% ++# % !*% **# - @ >@AE/ 5--88 # 8 A <2 1G9@/ <67755-- 8 #$$ C<>< 266 8 # / 18- F6775- #$ 6/ /: 1 5- 8 @C 9<-17 8 # <2 5 755- #$ , 02H - 8 6 H 8# 3 1A 1 - : 367755- #$ C. 91.> >: DD - 88 # I @ 9>8 ; /75 #$ >/ A<618 75- 8 2A 5 1 - 8 # ; F. 2 92775- #$ 8 : /A=/ @5- 88 # / 9 H 1 75 #$ <1G/ A <75-- 8 ./- 75 8 # F75- #$ - 88 # #$ %%$ J@ - J660 <>/I$<K>/ N2238 @ -M $ @ -I660 #$KN>A/ #$: 6M @ - I660 #M P 238 <B/ @ O J@ -L660 <>/K> $K</N2-#: 6M $ ./ 65 01 21 -@ /5 99-1 .34 1@ :5;/ 567 9@ 75 / 6 ?1 .:/-5-.< 5-- 88 B: 65 / 1 5,/-; ;57=57 ##$ 12- @/ @5A --, -. -28/ >6 51 75<,=- /=7755 >##$ / @@9 - 8>-? -- 8 C/ @/16A $,/./@7 8 ##$ B1:A75- /A1< 755-- 8 B5> 8 1A2<B8 @ 3</ >6>6 $ A67755- ##$ .9 AC2 - 88 # 3- /5@ 8 >CD< /7755- #$ <8 1 <CE: - 88 @D 213 - @ <,/</.@> 1: >1 //@7755- ##$ : 9> .9 < 9@ D8 D 87511-.9C A8C>75 88 ##$ <9@DC 2816> 75-- 8 / -71- 2 ,$-/2 8 # 5@ 19 7 @-.<996/ / @ 8DD@<E @77555---88 #$ C/ @4 1A $<99///775 8 ##$$ 6<2119 @-/ : 755---8 ,97CC.>//2@; C6/575 88 ##$$ 5 F 8-@844/66A<2>2 <7-28/ # < > = 1969/ $2,,77755- #$ &%$ >A< <>/ H I<20 >A< 20 H <>A< <>/I 20I $</I$<#>/ $# JH <>20 <B> 20K> April 26, 2012 Franziska Roesner 24 Personal Tracking Revisited • Most popular, based on measurements: – Facebook, Google, Twitter, AddThis, YouTube, LinkedIn, Digg, Stumbleupon • Third-party cookie blocking is ineffective. • Existing browser extension solutions remove the buttons (undesirable to some users). • Can we reduce tracking but allow use? April 26, 2012 Franziska Roesner 25 ShareMeNot http://sharemenot.cs.washington.edu • A browser extension that protects against tracking from third-party social media buttons while still allowing them to be used. • Firefox version: removes cookies from relevant requests until user clicks button. – Similar: Priv3 Firefox add-on • Chrome version: replace buttons with local stand-in button until user click. April 26, 2012 Franziska Roesner NEW 26 Effectiveness of ShareMeNot (Top 500) Tracker Facebook Without ShareMeNot With ShareMeNot 154 9 Google Twitter AddThis 149 93 34 15 0 0 YouTube LinkedIn Digg Stumbleupon 30 22 8 6 0 0 0 0 April 26, 2012 Franziska Roesner 27 Summary • Introduced taxonomy of tracking behavior for any client-side identifiers. – Analytics, Vanilla, Forced, Referred, Personal • Studied tracking in the wild with browser measurements. – Revealed rich tracking ecosystem. – Results can assist informed broader discussions. • Developed ShareMeNot, a new privacyenhancing defense for personal tracking. http://sharemenot.cs.washington.edu/ April 26, 2012 Franziska Roesner 28
