
The following future work can address the existing research gap and enable new lines of web privacy research.

Reproducible web measurement studies: The dynamic nature of the web makes it impossible to reproduce other researchers’ work, as the analyzed pages change almost constantly. A potential direction for future work is to develop infrastructure and tools for the reproducible analysis of online tracking. Chromium Project’s Web Page Replay [13] and mitmproxy’s server-side replay feature [12] can be used to this end.

Record-and-replay capabilities for web traffic and sessions can also be useful for multi-execution based analysis of web-based malware [56]. Similarly, information-flow security studies based on secure multi-execution, such as FlowFox [32], can benefit from such a capability.

Finally, longitudinal tracking studies similar to the recently published [62] can reproduce past tracking practices more realistically using replayable web archives.
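As an added illustration of the record-and-replay approach described above (this is example code, not code from the thesis, from Web Page Replay or from mitmproxy), the following Python models the core of a replay store: each request is canonicalised into a key, the first response seen during the recording crawl is kept, and replay runs are answered only from the store, so two analysis passes see byte-identical content. The cache-buster parameter list, the host names and the `LiveSite` stand-in for the live web are assumptions constructed for this example.

```python
"""Record-and-replay store for reproducible tracking measurements.

Added example, not code from the thesis, Web Page Replay or mitmproxy. It
models the core of a replay proxy: canonicalise each request into a key, keep
the first response seen during the recording crawl, and answer replay runs
only from the store so that two analysis passes see byte-identical content.
"""
import hashlib
import itertools
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys treated as cache busters and dropped from the key. This list is an
# assumption of the example, not taken from the thesis or from any replay tool.
CACHE_BUSTER_PARAMS = frozenset({"_", "cb", "nocache", "ts"})


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str
    body: bytes


def request_key(method, url):
    """Canonical key: upper-case method, lower-cased scheme and host, sorted
    query without cache busters, fragment dropped."""
    parts = urlsplit(url)
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k not in CACHE_BUSTER_PARAMS)
    canonical = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                            parts.path or "/", urlencode(query), ""))
    return f"{method.upper()} {canonical}"


class ReplayArchive:
    def __init__(self):
        self._store = {}
        self.misses = []

    def record(self, method, url, response):
        # First response wins: a crawl may fetch one resource several times and a
        # live server may answer differently each time; the archive must be stable.
        self._store.setdefault(request_key(method, url), response)

    def replay(self, method, url):
        key = request_key(method, url)
        hit = self._store.get(key)
        if hit is None:
            # Never fall through to the live network on a miss: that would bring
            # back the non-determinism the archive exists to remove. Stub and count.
            self.misses.append(key)
            return Response(404, "text/plain", b"replay miss")
        return hit


def crawl_digest(fetch, requests):
    """One analysis pass over a request list, summarised as a single hash so two
    passes can be compared for reproducibility."""
    h = hashlib.sha256()
    for method, url in requests:
        resp = fetch(method, url)
        h.update(request_key(method, url).encode())
        h.update(str(resp.status).encode())
        h.update(resp.body)
    return h.hexdigest()


class LiveSite:
    """Constructed stand-in for the live web: the ad script changes on every hit,
    the way a rotating creative or a tracker-assigned identifier would."""

    def __init__(self):
        self._hits = itertools.count(1)

    def fetch(self, method, url):
        n = next(self._hits)
        path = urlsplit(url).path
        if path == "/":
            return Response(200, "text/html",
                            b'<html><script src="/ad.js?cb=123"></script></html>')
        if path == "/ad.js":
            return Response(200, "application/javascript",
                            f"var creative = {n};".encode())
        return Response(404, "text/plain", b"not found")


def demo():
    """Record once, then show that live runs disagree while replay runs agree."""
    site, archive = LiveSite(), ReplayArchive()

    def recording_fetch(method, url):
        resp = site.fetch(method, url)
        archive.record(method, url, resp)
        return resp

    requests = [("GET", "https://Example.test/"),
                ("GET", "https://example.test/ad.js?cb=123"),
                ("GET", "https://example.test/ad.js?cb=999")]
    live_a = crawl_digest(recording_fetch, requests)
    live_b = crawl_digest(site.fetch, requests)
    replay_a = crawl_digest(archive.replay, requests)
    replay_b = crawl_digest(archive.replay, requests)
    miss = archive.replay("GET", "https://example.test/tracker.gif")
    return {"live_runs_agree": live_a == live_b,
            "replay_runs_agree": replay_a == replay_b,
            "misses": list(archive.misses),
            "miss_status": miss.status}


if __name__ == "__main__":
    print(demo())
```

The miss counter is the part worth watching in a real study: a replay run whose miss list is non-empty has exercised code paths the recording never saw, so its results are not comparable with the recorded run and the archive needs to be re-recorded.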

Using browser instrumentation for web security studies: Native-code level browser instrumentation, such as the one accomplished in our work [19], can be adapted for the analysis of web-based malware. Existing JavaScript malware analysis tools such as JSDetox [11] have limitations when it comes to emulating a real browser, and web-based malware with fingerprinting capabilities can easily bypass their protections. Full-fledged instrumented browsers with low-level instrumentation can be used to overcome this problem.

Studying new web-enabled devices and IoT: New connected devices such as smart TVs and IoT devices can enable a different set of tracking mechanisms that is worth studying. Although web tracking studies may offer methodological support in detecting long-term and unique identifiers, data collection and automation can be challenging for this line of research. A possible extension of this study could be to investigate cross-device tracking involving smart TVs.

Detecting Code Injection by Tor Exit Nodes: Winter et al.’s “Spoiled

the network traffic. They find several malicious or misconfigured exit nodes that attempt to strip SSL connections or steal email credentials [114]. Although their study mentions a case where HTML code is injected by a malicious exit, it does not present a decisive analysis due to limited data. To address this research gap, the nature and extent of privacy-violating code injections by Tor exit nodes can be investigated. Such a study can contribute to the Tor Project by flagging malicious exits that tamper with web pages.
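One way a measurement study of this kind can flag tampering is to fetch the same page over a trusted path and through the exit under test, then diff the active content of the two copies: script, iframe and form elements that exist only in the observed copy indicate injection, and links whose scheme changed from https to http are the footprint of SSL stripping. The following Python is an added example, not code from the thesis or from Winter et al.; the two HTML documents and the host names in it are constructed placeholders.

```python
"""Structural diff of a page as seen via a trusted path versus via a Tor exit.

Added example, not code from the thesis or from Winter et al. It compares the
active content of two copies of one page and reports (a) script/iframe/form/
object/embed elements present only in the observed copy and (b) links whose
scheme was downgraded from https to http. The HTML below is constructed and
the host names are placeholders.
"""
import hashlib
from html.parser import HTMLParser


class _ActiveContent(HTMLParser):
    """Collect active elements and every a/link target from one document."""
    WATCHED = {"iframe", "form", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.elements = set()
        self.links = []
        self._in_script = False
        self._script_src = ""
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self._script_src = a.get("src", "")
            self._script_text = []
        elif tag in self.WATCHED:
            self.elements.add((tag, a.get("src") or a.get("action") or a.get("data") or ""))
        if tag in ("a", "link") and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if self._script_src:
                self.elements.add(("script", self._script_src))
            else:
                # Inline scripts are keyed by a digest of their text, so a single
                # changed character shows up as a new element in the diff.
                body = "".join(self._script_text).strip().encode()
                self.elements.add(("script-inline", hashlib.sha256(body).hexdigest()[:16]))


def collect(html):
    parser = _ActiveContent()
    parser.feed(html)
    parser.close()
    return parser


def diff_pages(reference_html, observed_html):
    """Return what the observed copy adds, drops and downgrades relative to the reference."""
    ref, obs = collect(reference_html), collect(observed_html)
    ref_https = {link for link in ref.links if link.startswith("https://")}
    downgraded = sorted({link for link in obs.links
                         if link.startswith("http://")
                         and "https://" + link[len("http://"):] in ref_https})
    return {
        "injected": sorted(obs.elements - ref.elements),
        "removed": sorted(ref.elements - obs.elements),
        "downgraded_links": downgraded,
    }


# Constructed sample pages. REFERENCE is what the origin served over a trusted
# path; OBSERVED is the same page as delivered through a hypothetical tampering exit.
REFERENCE = """<html><head><script src="https://cdn.example.test/app.js"></script>
<script>init({page: "home"});</script></head>
<body><a href="https://login.example.test/">Sign in</a>
<form action="https://search.example.test/q"><input name="q"></form></body></html>"""

OBSERVED = """<html><head><script src="https://cdn.example.test/app.js"></script>
<script>init({page: "home"});</script>
<script src="http://injected.example/x.js"></script></head>
<body><a href="http://login.example.test/">Sign in</a>
<form action="https://search.example.test/q"><input name="q"></form>
<script>console.log("injected");</script></body></html>"""


def demo():
    return diff_pages(REFERENCE, OBSERVED)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because pages legitimately differ between fetches (the reproducibility problem raised earlier in this chapter), a real deployment would compare against several trusted fetches and report only elements that never appear in any of them; the diff above is the building block for that.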

Bibliography

[1] #13313 (Enable bundled fonts in Tor Browser) – Tor Bug Tracker & Wiki. https://trac.torproject.org/projects/tor/ticket/13313.

[2] Firefox — Notes (52.0) — Mozilla. https://www.mozilla.org/en-US/firefox/52.0/releasenotes/.

[3] Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. https://tools.ietf.org/html/rfc5280.

[4] Nmap - Free Security Scanner For Network Exploration & Security Audits. http://www.nmap.org.

[5] ’Tor Stinks’ presentation. http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document, 2013.

[6] About Adblock Plus for Android. https://adblockplus.org/android-about, 2015.

[7] Disconnect Malvertising for Android. https://disconnect.me/mobile/disconnect-malvertising/sideload, 2015.

[8] Mobile apps doubleheader: BADASS Angry Birds. http://www.spiegel.de/media/media-35670.pdf, 2015.

[9] Selenium - Web Browser Automation. http://docs.seleniumhq.org/, 2015.

[10] Bug 164213 – remove battery status api from the tree. https://bugs.webkit.org/show_bug.cgi?id=164213, 2016.

[11] Jsdetox | relentless coding. http://www.relentless-coding.com/projects/jsdetox/info, 2016.


[12] Server-side replay — mitmproxy 0.17.1 documentation. http://docs.mitmproxy.org/en/stable/features/serverreplay.html, 2016.

[13] Web page replay - webpagetest documentation. https://sites.google.com/a/webpagetest.org/docs/private-instances/web-page-replay, 2016.

[14] HTTP Public Key Pinning (HPKP) - HTTP | MDN. https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning, 2017.

[15] The Chromium Projects. https://www.chromium.org/, 2017.

[16] Toomey for Senate | Facebook for Business. https://www.facebook.com/business/success/toomey-for-senate, 2017.

[17] Users - Tor Metrics. https://metrics.torproject.org/userstats-relay-country.html, 2017.

[18] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The Web never forgets: Persistent tracking mechanisms in the wild. In 21st ACM Conference on Computer and Communications Security (CCS), pages 674–689. ACM, 2014.

[19] Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. FPDetective: Dusting the Web for fingerprinters. In 20th ACM Conference on Computer and Communications Security (CCS), pages 1129–1140. ACM, 2013.

[20] Furkan Alaca and PC van Oorschot. Device fingerprinting for augmenting web authentication: classification and analysis of methods. In Proceedings of the 32nd Annual Conference on Computer Security Applications, pages 289–301. ACM, 2016.

[21] arthuredelstein. #16672 (Text rendering allows font fingerprinting) – Tor Bug Tracker & Wiki. https://trac.torproject.org/projects/tor/ticket/16672.

[22] Mika Ayenson, Dietrich J Wambach, Ashkan Soltani, Nathan Good, and Chris J Hoofnagle. Flash cookies and privacy II: Now with HTML5 and ETag respawning. World Wide Web Internet And Web Information Systems, 2011.

[23] Tim Berners-Lee. Three challenges for the web, according to its inventor. http://webfoundation.org/2017/03/web-turns-28-letter/, 2017.


[24] Paul E. Black. Ratcliff/Obershelp pattern recognition. https://xlinux.nist.gov/dads//HTML/ratcliffObershelp.html, December 2004.

[25] Károly Boda, Ádám Máté Földes, Gábor György Gulyás, and Sándor Imre. User tracking on the web via cross-browser fingerprinting. In Nordic Conference on Secure IT Systems, pages 31–46. Springer, 2011.

[26] Elie Bursztein, Artem Malyshev, Tadek Pietraszek, and Kurt Thomas. Picasso: Lightweight device class fingerprinting for web clients. In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, pages 93–102. ACM, 2016.

[27] Chris Evans, Chris Palmer, and Ryan Sleevi. Public Key Pinning Extension for HTTP. https://tools.ietf.org/html/rfc7469, 2015.

[28] European Commission. Antitrust: Commission opens three investigations into suspected anticompetitive practices in e-commerce. http://europa.eu/rapid/press-release_IP-17-201_en.htm.

[29] Federal Trade Commission. Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers. https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers, 2012.

[30] Aldo Cortesi. mitmproxy: a man-in-the-middle proxy. http://mitmproxy.org/.

[31] Lorrie Faith Cranor. Can users control online behavioral advertising effectively? IEEE Security & Privacy, 10(2):93–96, 2012.

[32] Willem De Groef, Dominique Devriese, Nick Nikiforakis, and Frank Piessens. Flowfox: a web browser with flexible and precise information flow control. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 748–759. ACM, 2012.

[33] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In International Workshop on Privacy Enhancing Technologies, pages 54–68. Springer, 2002.

[34] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium, pages 303–320. USENIX, 2004.

[35] Peter Eckersley. How unique is your web browser? In Privacy Enhancing


[36] Manuel Egele, Engin Kirda, and Christopher Kruegel. Mitigating drive-by download attacks: Challenges and open problems. In iNetSec 2009–Open Research Problems in Network Security, pages 52–62. Springer, 2009.

[37] William Enck, Landon P Cox, Peter Gilbert, and Patrick Mcdaniel. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. OSDI’10 Proceedings of the 9th USENIX conference on Operating systems design and implementation, 2010.

[38] Steven Englehardt and Arvind Narayanan. Online tracking: A 1-million-site measurement and analysis. In Conference on Computer and Communications Security. ACM, 2016.

[39] Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W Felten. Cookies That Give You Away: The Surveillance Implications of Web Tracking. In Proceedings of the 24th International Conference on World Wide Web, pages 289–299, 2015.

[40] Roy T. Fielding and David Singer. Tracking Preference Expression (DNT). https://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html, 2016.

[41] David Fifield and Serge Egelman. Fingerprinting Web Users through Font Metrics. In Financial Cryptography and Data Security (FC). Springer-Verlag, 2015.

[42] Laurie J. Flynn. THE MEDIA BUSINESS: ADVERTISING; Battle Begun on Internet Ad Blocking. http://www.nytimes.com/1999/06/07/business/the-media-business-advertising-battle-begun-on-internet-ad-blocking.html?mtrref=query.nytimes.com&gwh=F568E9499F00F79E057B625FDE4FB7BE&gwt=pay, 1999.

[43] Electronic Frontier Foundation. Privacy badger | electronic frontier foundation. https://www.eff.org/privacybadger, 2017.

[44] gacar. #5798 (Improve persistence and WebFont compatibility of font patch) – Tor Bug Tracker & Wiki. https://trac.torproject.org/projects/tor/ticket/5798#comment:13, 2013.

[45] David Goldschlag, Michael Reed, and Paul Syverson. Hiding routing information. In Information Hiding, pages 137–150, 1996.

[46] Derek Gooley. Top Exploit Kit Activity Roundup - Winter 2017 | Zscaler Blog. https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-winter-2017, 2017.


[47] MC Grace, Wu Zhou, X Jiang, and AR Sadeghi. Unsafe Exposure Analysis of Mobile In-App Advertisements. Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, 067(Section 2), 2012.

[48] Joshua Green and Sasha Issenberg. Inside the Trump Bunker, With Days to Go. https://www.bloomberg.com/news/articles/2016-10-27/inside-the-trump-bunker-with-12-days-to-go, 2016.

[49] Aniko Hannak, Gary Soeller, David Lazer, Alan Mislove, and Christo Wilson. Measuring price discrimination and steering on e-commerce web sites. In Proceedings of the 2014 conference on internet measurement conference, pages 305–318. ACM, 2014.

[50] Ariya Hidayat. PhantomJS | PhantomJS. http://phantomjs.org/, 2017.

[51] Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, and David Wetherall. These aren’t the droids you’re looking for: Retrofitting Android to protect data from imperious applications. In Proceedings of the 18th ACM conference on Computer and communications security, pages 639–652. ACM, 2011.

[52] Muhammad Ikram, Hassan Jameel Asghar, Mohamed Ali Kaafar, Anirban Mahanti, and Balachandar Krishnamurthy. Towards seamless tracking-free web: Improved detection of trackers via one-class learning. Proceedings on Privacy Enhancing Technologies, 2017(1):79–99, 2017.

[53] Facebook IQ. Moments That Matter: Finding the Extraordinary in the Ordinary. https://insights.fb.com/2015/06/09/moments-that-matter/, 2015.

[54] Samy Kamkar. Evercookie - virtually irrevocable persistent cookies. http://samy.pl/evercookie/, Sep 2010.

[55] Tadayoshi Kohno, Andre Broido, and Kimberly C Claffy. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, 2(2):93–108, 2005.

[56] Clemens Kolbitsch, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. Rozzle: De-cloaking internet malware. In Proceedings of the IEEE Symposium on Security and Privacy, May 2012.

[57] Georgios Kontaxis and Monica Chew. Tracking Protection in Firefox For Privacy and Performance. In Web 2.0 Workshop on Security and Privacy


[58] Anssi Kostiainen and Mounir Lamouri. Battery Status API. https://www.w3.org/TR/battery-status/, 2012. Accessed: 24.4.14.

[59] Balachander Krishnamurthy, Delfina Malandrino, and Craig E Wills. Measuring privacy loss and the impact of privacy protection in web browsing. In Proceedings of the 3rd symposium on Usable privacy and security, pages 52–63. ACM, 2007.

[60] Balachander Krishnamurthy, Konstantin Naryshkin, and Craig Wills. Privacy leakage vs. protection measures: the growing disconnect. In Proceedings of the Web 2.0 Security and Privacy Workshop, volume 2, pages 1–10, 2011.

[61] Pedro Leon, Blase Ur, Richard Shay, Yang Wang, Rebecca Balebako, and Lorrie Cranor. Why johnny can’t opt out: A usability evaluation of tools to limit online behavioral advertising. In SIGCHI Conference on Human Factors in Computing Systems, pages 589–598. ACM, 2012.

[62] Adam Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, August 2016. USENIX Association.

[63] Mary Madden and Lee Rainie. Americans’ attitudes about privacy, security and surveillance. http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/, 2015.

[64] Jonathan R. Mayer. Any person... a pamphleteer. Senior Thesis, Stanford University, 2009.

[65] Jonathan R Mayer and John C Mitchell. Third-party web tracking: Policy and technology. In IEEE Symposium on Security and Privacy (S&P), pages 413–427. IEEE, 2012.

[66] Aleecia M McDonald and Lorrie Faith Cranor. Americans’ attitudes about internet behavioral advertising practices. In ACM Workshop on Privacy in the Electronic Society (WPES), pages 63–72. ACM, 2010.

[67] Aleecia M McDonald and Lorrie Faith Cranor. A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies. ISJLP, 7:639, 2011.

[68] William Melicher, Mahmood Sharif, Joshua Tan, Lujo Bauer, Mihai Christodorescu, and Pedro Giovanni Leon. (do not) track me sometimes: Users’ contextual preferences for web tracking. Proceedings on Privacy Enhancing Technologies, 2016(2):135–154, 2016.

[69] Mike Perry, Erinn Clark, and Steven Murdoch. The Design and Implementation of the Tor Browser [DRAFT]. https://www.torproject.org/projects/torbrowser/design//#Implementation, 2015.

[70] Jakub Mikians, László Gyarmati, Vijay Erramilli, and Nikolaos Laoutaris. Crowd-assisted search for price discrimination in e-commerce: First results. In Proceedings of the ninth ACM conference on Emerging networking experiments and technologies, pages 1–6. ACM, 2013.

[71] Lou Montulli. The irregular musings of lou montulli: The reasoning behind web cookies. http://www.montulli-blog.com/2013/05/the-reasoning-behind-web-cookies.html, 2013.

[72] David Z. Morris. Trump Digital Team Running "Three Major Voter Suppression Operations" | Fortune.com. http://fortune.com/2016/10/30/trump-voter-supression-operations/.

[73] Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham. Fingerprinting information in JavaScript implementations. In Helen Wang, editor, Proceedings of W2SP 2011. IEEE Computer Society, May 2011.

[74] Keaton Mowery and Hovav Shacham. Pixel perfect: Fingerprinting canvas in HTML5. In Web 2.0 Workshop on Security and Privacy (W2SP). IEEE, 2012.

[75] Martin Mulazzani, Philipp Reschl, Markus Huber, Manuel Leithner, Sebastian Schrittwieser, and Edgar R. Weippl. Fast and reliable browser identification with javascript engine fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP), May 2013.

[76] Arvind Narayanan. Price Discrimination is All Around You. https://33bits.org/2011/06/02/price-discrimination-is-all-around-you/, 2011.

[77] Nick Nikiforakis and Gunes Acar. Browse at your own risk. IEEE Spectrum, 51(8):30–35, 2014.

[78] Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In Security


[79] Rishab Nithyanand, Sheharbano Khattak, Mobin Javed, Narseo Vallina-Rodriguez, Marjan Falahrastegar, Julia E Powles, Emiliano De Cristofaro, Hamed Haddadi, and Steven J Murdoch. Ad-blocking and counter blocking: A slice of the arms race. In 6th USENIX Workshop on Free and Open Communications on the Internet (FOCI 16). USENIX Association, 2016.

[80] Lukasz Olejnik. Bug 1124127 - Round Off Navigator Battery Level on Linux. https://bugzilla.mozilla.org/show_bug.cgi?id=1124127, 2015. Accessed: 30.2.15.

[81] Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. The leaking battery - A privacy analysis of the HTML5 battery status API. In Data Privacy Management, and Security Assurance - 10th International Workshop, DPM 2015, and 4th International Workshop, QASA 2015, Vienna, Austria, September 21-22, 2015. Revised Selected Papers, pages 254–263, 2015.

[82] Lukasz Olejnik, Tran Minh-Dung, and Claude Castelluccia. Selling Off Privacy at Auction. In Annual Network and Distributed System Security Symposium (NDSS). IEEE, 2014.

[83] Erol Ozan. Password-free authentication for social networks. In Computing and Communication Workshop and Conference (CCWC), 2017 IEEE 7th Annual, pages 1–5. IEEE, 2017.

[84] PageFair. The state of the blocked web: 2017 global adblock report. https://pagefair.com/downloads/2017/01/PageFair-2017-Adblock-Report.pdf, 2017.

[85] Article 29 Working Party. Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf, 2014.

[86] Adam Pasick. Facebook says it can sway elections after all—for a price — Quartz. https://qz.com/922436/facebook-says-it-can-sway-elections-after-all-for-a-price/, 2017.

[87] Nicolas Perriault and CasperJS Contributors. CasperJS, a navigation scripting and testing utility for PhantomJS and SlimerJS. http://casperjs.org/, 2016.

[88] Mike Perry. Do Not Beg: Moving Beyond DNT through Privacy by Design. In W3C Workshop: Do Not Track and Beyond. W3C, 2012.


[89] Chris Peterson. Bug 1313580 - remove web content access to battery api. https://bugzilla.mozilla.org/show_bug.cgi?id=1313580, 2016.

[90] Sören Preibusch, Thomas Peetz, Gunes Acar, and Bettina Berendt. Shopping for privacy: Purchase details leaked to paypal. Electronic Commerce Research and Applications, 15:52–64, 2016.

[91] Davy Preuveneers and Wouter Joosen. Smartauth: Dynamic context fingerprinting for continuous user authentication. In Proceedings of the 30th Annual ACM Symposium on Applied Computing, pages 2185–2191. ACM, 2015.

[92] Shayla Price. How Emotional Targeting Converts More Leads. https://blog.kissmetrics.com/emotional-targeting-converts-more-leads/, 2017.

[93] Lee Rainie, Sara Kiesler, Ruogu Kang, Mary Madden, Maeve Duggan, Stephanie Brown, and Laura Dabbish. Anonymity, privacy, and security online. Pew Research Center, 5, 2013.

[94] Edith Ramirez, Julie Brill, Maureen K Ohlhausen, Joshua D Wright, and Terrell McSweeny. Data Brokers–A Call for Transparency and Accountability. Federal Trade Commission, Tech. Rep, 2014.

[95] F. Roesner, T. Kohno, and D. Wetherall. Detecting and defending against third-party tracking on the web. In Proceedings of the 9th USENIX conference on Networked Systems Design and Implementation (NSDI), 2012.

[96] Jérôme Segura. Large Angler Malvertising Campaign Hits Top Publishers - Malwarebytes Labs | Malwarebytes Labs. https://blog.malwarebytes.com/threat-analysis/2016/03/large-angler-malvertising-campaign-hits-top-publishers/, 2016.

[97] Jérôme Segura and Eugene Aseev. Operation Fingerprint: A look into several Angler Exploit Kit malvertising campaigns. https://malwarebytes.app.box.com/v/operation-fingerprint, 2016.

[98] Andrei Serjantov and George Danezis. Towards an information theoretic metric for anonymity. In International Workshop on Privacy Enhancing Technologies, pages 41–53. Springer, 2002.

[99] Claude Elwood Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27:379–423, 623–656, 1948.

[100] Ryan Singel. Online tracking firm settles suit over undeletable cookies. https://www.wired.com/2010/12/zombie-cookie-settlement/, 2010.


[101] Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay Hoofnagle. Flash cookies and privacy. In AAAI Spring Symposium: Intelligent Information Privacy Management, 2010.

[102] Ashkan Soltani, Andrea Peterson, and Barton Gellman. NSA uses Google cookies to pinpoint targets for hacking. https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/, 2013.

[103] Aditya K Sood and Richard J Enbody. Malvertising–exploiting web advertising. Computer Fraud & Security, 2011(4):11–16, 2011.

[104] Jan Spooren, Davy Preuveneers, and Wouter Joosen. Mobile device fingerprinting considered harmful for risk-based authentication. In Proceedings of the Eighth European Workshop on System Security. ACM, April 2015.

[105] Jan Spooren, Davy Preuveneers, and Wouter Joosen. Leveraging battery usage from mobile devices for active authentication. Mobile Information Systems, 2017.

[106] Joseph Turow, Michael Hennessy, and Nora A Draper. The tradeoff fallacy: How marketers are misrepresenting american consumers and opening them up to exploitation. 2015.

[107] Thomas Unger, Martin Mulazzani, Dominik Fruhwirt, Markus Huber, Sebastian Schrittwieser, and Edgar Weippl. SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting. In Availability, Reliability and Security (ARES), pages 255–261. IEEE, 2013.

[108] Blase Ur, Pedro Giovanni Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang. Smart, useful, scary, creepy: perceptions of online behavioral advertising. In Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS ’12, pages 4:1–4:15, New York, NY, USA, 2012. ACM.

[109] Jennifer Valentino-DeVries, Jeremy Singer-Vine, and Ashkan Soltani. Websites Vary Prices, Deals Based on Users’ Information. https://www.wsj.com/articles/SB10001424127887323777204578189391813881534, 2012.

[110] Tom Van Goethem, Wout Scheepers, Davy Preuveneers, and Wouter Joosen. Accelerometer-based device fingerprinting for multi-factor mobile authentication. In International Symposium on Engineering Secure