Privacy 2024: fingerprinting test #121
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
What is the goal behind measuring the number of APIs used in the script. If this is for detecting fingerprinters, then I think we settled on the Disconnect's list, no? Or is the goal to extend the detections by Disconnect by using the API presence threshold as a heuristic? If that is the case, then we can also look at the combination of APIs to pinpoint the exact fingerprinting method, e.g., by extending the heuristics proposed in this paper: https://www.cs.princeton.edu/~arvindn/publications/OpenWPM_1_million_site_tracking_measurement.pdf Here are some combinations for prominent fingerprinting methods: For CanvasFont: For Canvas: AudioContext: WebRTC: The other fingerprinting analysis is to look at the prevalence of known FP APIs, for which relying on APIs used by FPJS2 makes sense. |
Yes - the Disconnect list only shows known fingerprinters, this would let us find unknown ones as well.
The idea is to extend this and ask, "what are the scripts using these APIs for fingerprinting" and their prevalence, similar to how we identify tracking network prevalence. Many of the usages of these are for legitimate non-fingerprinting purposes, but a script that uses many of them across different categories is more likely to be fingerprinting, which is where the threshold comes in. The four you list make sense as a separate analysis, but don't cover the many other methods used by FPJS. |
|
@SaptakS Nurullah mentioned you were managing PRs - are you able to do a review on this? |
tunetheweb
requested changes
Jun 10, 2024
Co-authored-by: Barry Pollard <barrypollard@google.com>
|
Can you resolve the merge conflicts @bstandaert-wustl ? |
…ngerprinting-strings
|
Done. |
|
The latest tests show |
tunetheweb
reviewed
Jun 12, 2024
|
OK the reason the custom metric is returning @pmeenan is working on a fix. |
Custom metrics for https://almanac.httparchive.org/en/2022/WPT test run results: http://webpagetest.httparchive.org/results.php?test=240612_PQ_T Custom metrics for https://fingerprintjs.github.io/fingerprintjs/WPT test run results: http://webpagetest.httparchive.org/results.php?test=240612_26_V {
"_privacy": {
"privacy_wording_links": [],
"iab_tcf_v1": {
"present": false,
"data": null,
"compliant_setup": null
},
"iab_tcf_v2": {
"present": false,
"data": null,
"compliant_setup": null
},
"iab_usp": {
"present": false,
"privacy_string": null
},
"navigator_doNotTrack": false,
"navigator_globalPrivacyControl": false,
"document_permissionsPolicy": false,
"document_featurePolicy": false,
"referrerPolicy": {
"entire_document_policy": null,
"individual_requests": null,
"link_relations": null
},
"media_devices": {
"navigator_mediaDevices_enumerateDevices": false,
"navigator_mediaDevices_getUserMedia": false,
"navigator_mediaDevices_getDisplayMedia": false
},
"geolocation": {
"navigator_geolocation_getCurrentPosition": false,
"navigator_geolocation_watchPosition": false
},
"fingerprinting": {
"counts": {
"getchanneldata": 1,
"todataurl": 2,
"prefers-contrast": 1,
"forced-colors": 1,
"dynamic-range": 1,
"indexeddb": 1,
"inverted-colors": 1,
"navigator.oscpu": 1,
"prefers-reduced-motion": 1,
"prefers-reduced-transparency": 1,
"availwidth": 1,
"availheight": 1,
"maxtouchpoints": 1,
"webgl_debug_renderer_info": 1,
"getshaderprecisionformat": 1
},
"likelyFingerprintingScripts": [
"https://fingerprintjs.github.io/fingerprintjs/main.js?f495f35ba65f05e50da4"
]
},
"request_hostnames_with_cname": {},
"ccpa_link": {
"hasCCPALink": false,
"CCPALinkPhrases": []
}
}
}Custom metrics for https://nytimes.comWPT test run results: http://webpagetest.httparchive.org/results.php?test=240612_EA_W {
"_privacy": {
"privacy_wording_links": [
{
"text": "Privacy Policy"
}
],
"iab_tcf_v1": {
"present": false,
"data": null,
"compliant_setup": null
},
"iab_tcf_v2": {
"present": false,
"data": null,
"compliant_setup": null
},
"iab_usp": {
"present": false,
"privacy_string": null
},
"navigator_doNotTrack": true,
"navigator_globalPrivacyControl": true,
"document_permissionsPolicy": false,
"document_featurePolicy": true,
"referrerPolicy": {
"entire_document_policy": null,
"individual_requests": null,
"link_relations": null
},
"media_devices": {
"navigator_mediaDevices_enumerateDevices": false,
"navigator_mediaDevices_getUserMedia": false,
"navigator_mediaDevices_getDisplayMedia": false
},
"geolocation": {
"navigator_geolocation_getCurrentPosition": false,
"navigator_geolocation_watchPosition": false
},
"fingerprinting": {
"counts": {
"indexeddb": 6,
"localstorage": 242,
"opendatabase": 3,
"gettimezoneoffset": 18,
"navigator.vendor": 10,
"todataurl": 1,
"navigator.platform": 2,
"prefers-reduced-motion": 9,
"ontouchstart": 3,
"forced-colors": 1,
"resolvedoptions().timezone": 4,
"maxtouchpoints": 2,
"navigator.language": 4,
"navigator.userlanguage": 2,
"sessionstorage": 37,
"screen.width": 9,
"screen.height": 9,
"devicememory": 1,
"availwidth": 1,
"availheight": 1
},
"likelyFingerprintingScripts": [
"https://www.nytimes.com/",
"https://www.datadoghq-browser-agent.com/us1/v5/datadog-rum.js",
"https://www.nytimes.com/vi-assets/static-assets/home-2b223b859fe3ba339ee6.js",
"https://www.nytimes.com/vi-assets/static-assets/main-0ac8d87d0abf4c43ba1a.js",
"https://www.googletagmanager.com/gtm.js?id=GTM-P528B3>m_auth=tfAzqo1rYDLgYhmTnSjPqw>m_preview=env-130>m_cookies_win=x",
"https://c.amazon-adsystem.com/aax2/apstag.js",
"https://www.nytimes.com/ads/prebid8.25.0.js",
"https://securepubads.g.doubleclick.net/pagead/managed/js/gpt/m202406120101/pubads_impl.js?cb=31084553",
"https://launchpad.privacymanager.io/latest/launchpad.bundle.js",
"https://ads.pubmatic.com/AdServer/js/user_sync.html?p=156011&s=165626&predirect=https%3A%2F%2Fs.amazon-adsystem.com%2Fecm3%3Fex%3Dpubmatic.com%26id%3DPM_UID",
"https://eus.rubiconproject.com/usync.js",
"https://accounts.google.com/gsi/client",
"https://cdn.brandmetrics.com/scripts/bundle/65568.js?sid=4486dfe2-780e-4dfa-a60a-2a948887658f&toploc=www.nytimes.com",
"https://ats-wrapper.privacymanager.io/ats-modules/087423d8-0b74-47f4-a79b-03ddad419681/ats.js",
"https://www.google.com/recaptcha/api2/aframe"
]
},
"request_hostnames_with_cname": {
"www.nytimes.com": [
"nytimes.map.fastly.net"
],
"g1.nyt.com": [
"nytimes.map.fastly.net"
],
"samizdat-graphql.nytimes.com": [
"nytimes.map.fastly.net"
],
"a.et.nytimes.com": [
"region-selector.nyti.nytimes.com"
],
"als-svc.nytimes.com": [
"region-selector.nyti.nytimes.com"
],
"rumcdn.geoedge.be": [
"d1bqktvj79b0wh.cloudfront.net"
],
"c.amazon-adsystem.com": [
"d1ykf07e75w7ss.cloudfront.net"
],
"static01.nytimes.com": [
"nytimes.map.fastly.net"
],
"static01.nyt.com": [
"nytimes.map.fastly.net"
],
"aax.amazon-adsystem.com": [
"d1jvc9b8z3vcjs.cloudfront.net"
],
"dd.nytimes.com": [
"detpi4b5pore2.cloudfront.net"
],
"hbopenbid.pubmatic.com": [
"gob-pairb-nje1.pubmnet.com"
],
"tlx.3lift.com": [
"us-east-tlx.3lift.com"
],
"ib.adnxs.com": [
"ib.anycast.adnxs.com"
],
"fastlane.rubiconproject.com": [
"tagged-by.rubiconproject.net.akadns.net"
],
"purr.nytimes.com": [
"region-selector.nyti.nytimes.com"
],
"a.nytimes.com": [
"region-selector.nyti.nytimes.com"
],
"ads.pubmatic.com": [
"e6603.g.akamaiedge.net"
],
"eus.rubiconproject.com": [
"e8960.b.akamaiedge.net"
],
"83d8835bb9dd0ae7681fc4e317560c89.safeframe.googlesyndication.com": [
"pagead-googlehosted.l.google.com"
],
"ads.stickyadstv.com": [
"fp4.ads.stickyadstv.com.akadns.net"
],
"image6.pubmatic.com": [
"pugm-nje1.pubmnet.com"
],
"static.chartbeat.com": [
"d3f7zc5bbfci5.cloudfront.net"
],
"a1.nyt.com": [
"nytimes.map.fastly.net"
],
"token.rubiconproject.com": [
"pixel.rubiconproject.net.akadns.net"
],
"pr-bh.ybp.yahoo.com": [
"ds-pr-bh.ybp.gysm.yahoodns.net"
],
"simage2.pubmatic.com": [
"pug-vac.pubmnet.com"
],
"i6.liadm.com": [
"idaas6.cph.liveintent.com"
],
"eb2.3lift.com": [
"us-east-eb2.3lift.com"
],
"image2.pubmatic.com": [
"pug-vac.pubmnet.com"
],
"image4.pubmatic.com": [
"spug-vac.pubmnet.com"
],
"image8.pubmatic.com": [
"imagesync-vac.pubmnet.com"
],
"pixel.rubiconproject.com": [
"pixel.rubiconproject.net.akadns.net"
],
"px.ads.linkedin.com": [
"l-0005.l-msedge.net"
],
"match.sharethrough.com": [
"match-us-east-1-ecs.sharethrough.com"
],
"ce.lijit.com": [
"raptor-prd-ue1-alb-1693497337.us-east-1.elb.amazonaws.com"
],
"prebid.a-mo.net": [
"dc13-prebid.a-mx.net"
],
"5290727.fls.doubleclick.net": [
"dart.l.doubleclick.net"
],
"simage4.pubmatic.com": [
"spug-vac.pubmnet.com"
],
"collector.brandmetrics.com": [
"waws-prod-dm1-179-pork.centralus.cloudapp.azure.com"
],
"match.deepintent.com": [
"m.deepintent.com"
],
"sync-tm.everesttech.net": [
"h2.shared.global.fastly.net"
],
"sync.bfmio.com": [
"io-cookie-sync-1725936127.us-east-1.elb.amazonaws.com"
],
"ups.analytics.yahoo.com": [
"ats-eks.us-east-1.dcs-online-targeting-prd.aws.oath.cloud"
],
"pm.w55c.net": [
"cdn.w55c.net"
],
"b1sync.zemanta.com": [
"chidc2.outbrain.org"
],
"pixel-us-east.rubiconproject.com": [
"pixel-us-east.rubiconproject.net.akadns.net"
],
"i.liadm.com": [
"idaas-ext.cph.liveintent.com"
],
"cms.quantserve.com": [
"global.px.quantserve.com"
],
"x.bidswitch.net": [
"user-data-us-east.bidswitch.net"
],
"live.primis.tech": [
"d2wcz8sc48ztgm.cloudfront.net"
],
"pubmatic-match.dotomi.com": [
"bfp.global.dual.dotomi.weighted.com.akadns.net"
],
"sync.technoratimedia.com": [
"adserver.technoratimedia.com"
],
"rtb-csync.smartadserver.com": [
"rtb-csync-use1.smartadserver.com"
],
"bh.contextweb.com": [
"lga-direct-bgp.contextweb.com"
]
},
"ccpa_link": {
"hasCCPALink": false,
"CCPALinkPhrases": []
}
}
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements a test that looks for fingerprinting API strings in response bodies. Strings are manually derived from fingerprintJS.
It reports a count of API usages for each site, and a list of "likely fingerprinting scripts", which is anything with >= 5 API usages. @UmarIqbal do you have any recommendations on what this threshold should be?
Test websites: