An Inria research project tries to uncover how websites can dig into your preferences online

Rédigé par Geoffrey Delcroix

 - 

24 August 2017


LINC (Vincent Toubiana, Technologist, and Geoffrey Delcroix, Innovation & foresight): Fingerprinting is a powerful tool for online tracking, and your research team is devoting a lot of energy to make these techniques more transparent. What are the different techniques that you’re exploring?

Inria Privatics: The main goal of online tracking is to follow website visitors across websites. Trackers recognize visitors by reading unique user’s identifier stored in cookies, or by identifying a unique collection of user’s device characteristics: this is called device fingerprinting. Such unique collection of device’s properties, or a fingerprint, can often uniquely identify the user who visited the website. Usually, fingerprint includes technical parameters like what browser and operating system a visitor is using, what timezone he or she is from or what screen size he or she has.


Beyond purely technical characteristics, which are not explicitly chosen by the user, users can be identified by more “preferential” characteristics, such as the fonts list. When we install the apps we prefer, we also install new fonts to our computers – thus websites explicitly detect our preferences when they detect what fonts we have installed.

 

LINC : Your team launched a “Browser Extension and Login-Leak Experiment”. Can you tell us more about that?

Inria Privatics: The INDES and PRIVATICS teams at Inria started a new privacy-awareness raising project that evaluates the privacy risk of exposing more on our preferences, such as the browser extensions we have installed and the websites where we have logged in. Websites may collect these pieces of information for various reasons; either to track you, or to learn more about you.


There could be more reasons for detecting your extensions and logins, which are beyond tracking (as tracking is mostly used for behavioral advertising and dynamic pricing). For example, extensions can reveal your religious background (e.g., if you are using the KnowTheBible extension or one of the many such extensions), or preferences against advertisements (e.g., using AdBlock) or privacy-invasive tracking (e.g., having PrivacyBadger). Detecting extensions is especially worrisome for pro-privacy people as the more extensions they install to their browsers, the more trackable they are – as privacy extensions are less widely adopted, especially in specific combinations.

Websites detecting where you are logged in can leak to very similar problems: revealing your preferential profile and can also make you more trackable. They can reveal private information such as your dating interests or if you are concerned with health issues. But you are also more likely to be targeted with phishing attacks, if someone learns that you use PayPal or shopping websites. Furthermore, if you log in to your company intranet, there is a chance, that it could be detected and your workplace be learned (e.g., people working for Inria this can be detected).

 

LINC: From your point of view of researchers specialized in privacy, what advices would you give for self-protection?

Inria Privatics: If you want to protect yourself from websites seeing which extensions you use, the only advice we can give for the moment is to switch to another browser. For example, in Firefox only few extensions are detectable. You could use other browsers too, but we can’t tell which one would be the best in terms of protection: it has not yet been evaluated.

The good news are: blocking login detections is easy — all you need to do is to disable third party cookies in your browser. Some tracking blocking extensions, such as Privacy Badger could also help — but don’t forget: the more extensions you install, the more trackable you’ll be!

 

Photo by Roman Mager on Unsplash


 

Inria Privatics

Published on 24 August 2017

(Clockwise, from top left)

- Nataliia Bielova is a research scientist at Inria Sophia Antipolis (France). Her main interest is in privacy and transparency technologies for Web applications. She works on measurement, detection and prevention of Web tracking and interested in technical enforcement of ePrivacy regulation.

- Gábor György Gulyás is a research engineer at Inria Grenoble (France) in the Privatics team. His main research interests are focused around privacy, and he is currently working on projects related to web tracking, de-anonymization with machine learning, and smart home privacy.

- Claude Castelluccia is a senior researcher (directeur de recherche) at Inria Grenoble (France), where he leads the Privatics group.
Claude's current research is on Internet privacy and security with a focus on anonymized analytics, data surveillance, identity management and authentication schemes.
His main research objective is to understand how the Internet is being used, by governements and companies, to influence and manipulate people.

- Dolière Francis Somé is a PhD Student at Inria Sophia Antipolis Méditerranée (France).
His research interests include web applications, browsers and JavaScript security. He also works on privacy, in particular web tracking technologies and defenses.

 


Article rédigé par Geoffrey Delcroix , Chargé des études prospectives