Conference Paper: “Cookies That Give You Away: The Surveillance Implications of Web Tracking”
The following paper by Princeton University and Stanford University researchers was presented on May 20th at the 24th International World Wide Web Conference in Florence, Italy.
Title
Cookies That Give You Away: The Surveillance Implications of Web Tracking
Authors
Steven Englehardt
Princeton University
Dillon Reisman
Princeton University
Christian Eubank
Princeton University
Peter Zimmerman
Princeton University
Jonathan Mayer
Stanford University
Arvind Narayanan
Princeton University
Edward W. Felten
Princeton University
Source
Proceedings of the 24th International World Wide Web Conference
May 2015
Abstract
We study the ability of a passive eavesdropper to leverage “third-party” HTTP tracking cookies for mass surveillance.
If two web pages embed the same tracker which tags the browser with a unique cookie, then the adversary can link visits to those pages from the same user (i.e., browser instance) even if the user’s IP address varies. Further, many popular websites leak a logged-in user’s identity to an eavesdropper in unencrypted traffic.
To evaluate the effectiveness of our attack, we introduce a methodology that combines web measurement and network measurement. Using OpenWPM, our web privacy measurement platform, we simulate users browsing the web and find that the adversary can reconstruct 62-73% of a typical user’s browsing history.
We then analyze the effect of the physical location of the wiretap as well as legal restrictions such as the NSA’s “one-end foreign” rule. Using measurement units in various locations—Asia, Europe, and the United States—we show that foreign users are highly vulnerable to the NSA’s dragnet surveillance due to the concentration of third-party trackers in the U.S.
Finally, we find that some browser-based privacy tools mitigate the attack while others are largely ineffective.
Direct to Full Text Paper (11 pages; PDF)
Filed under: Conference Presentations, Journal Articles, News, Patrons and Users
About Gary Price
Gary Price (gprice@gmail.com) is a librarian, writer, consultant, and frequent conference speaker based in the Washington D.C. metro area. He earned his MLIS degree from Wayne State University in Detroit. Price has won several awards including the SLA Innovations in Technology Award and Alumnus of the Year from the Wayne St. University Library and Information Science Program. From 2006-2009 he was Director of Online Information Services at Ask.com. Gary is also the co-founder of infoDJ an innovation research consultancy supporting corporate product and business model teams with just-in-time fact and insight finding.
ADVERTISEMENT
Archives
ADVERTISEMENT