Show simple item record

dc.contributor.authorMilligan, Julissaen_US
dc.contributor.authorScheffler, Sarahen_US
dc.contributor.authorSellars, Andrewen_US
dc.contributor.authorTiwari, Trishitaen_US
dc.contributor.authorTrachtenberg, Arien_US
dc.contributor.authorVaria, Mayanken_US
dc.date.accessioned2020-05-08T19:38:23Z
dc.date.available2020-05-08T19:38:23Z
dc.date.issued2019
dc.identifier.citationJulissa Milligan, Sarah Scheffler, Andrew Sellars, Trishita Tiwari, Ari Trachtenberg, Mayank Varia. 2019. "Case Study: Disclosure of Indirect Device Fingerprinting in Privacy Policies.." CoRR, Volume abs/1908.07965, https://arxiv.org/abs/1908.07965
dc.identifier.urihttps://hdl.handle.net/2144/40721
dc.description.abstractRecent developments in online tracking make it harder for individuals to detect and block trackers. This is especially true for de- vice fingerprinting techniques that websites use to identify and track individual devices. Direct trackers { those that directly ask the device for identifying information { can often be blocked with browser configu- rations or other simple techniques. However, some sites have shifted to indirect tracking methods, which attempt to uniquely identify a device by asking the browser to perform a seemingly-unrelated task. One type of indirect tracking known as Canvas fingerprinting causes the browser to render a graphic recording rendering statistics as a unique identifier. Even experts find it challenging to discern some indirect fingerprinting methods. In this work, we aim to observe how indirect device fingerprint- ing methods are disclosed in privacy policies, and consider whether the disclosures are sufficient to enable website visitors to block the track- ing methods. We compare these disclosures to the disclosure of direct fingerprinting methods on the same websites. Our case study analyzes one indirect ngerprinting technique, Canvas fingerprinting. We use an existing automated detector of this fingerprint- ing technique to conservatively detect its use on Alexa Top 500 websites that cater to United States consumers, and we examine the privacy poli- cies of the resulting 28 websites. Disclosures of indirect fingerprinting vary in specificity. None described the specific methods with enough granularity to know the website used Canvas fingerprinting. Conversely, many sites did provide enough detail about usage of direct fingerprint- ing methods to allow a website visitor to reliably detect and block those techniques. We conclude that indirect fingerprinting methods are often technically difficult to detect, and are not identified with specificity in legal privacy notices. This makes indirect fingerprinting more difficult to block, and therefore risks disturbing the tentative armistice between individuals and websites currently in place for direct fingerprinting. This paper illustrates differences in fingerprinting approaches, and explains why technologists, technology lawyers, and policymakers need to appreciate the challenges of indirect fingerprinting.en_US
dc.language.isoen_US
dc.relation.ispartofCoRR
dc.titleCase study: disclosure of indirect device fingerprinting in privacy policiesen_US
dc.typeArticleen_US
dc.description.versionAccepted manuscripten_US
pubs.elements-sourcedblpen_US
pubs.notesEmbargo: No embargoen_US
pubs.organisational-groupBoston Universityen_US
pubs.organisational-groupBoston University, College of Arts & Sciencesen_US
pubs.organisational-groupBoston University, College of Arts & Sciences, Department of Computer Scienceen_US
pubs.organisational-groupBoston University, College of Engineeringen_US
pubs.organisational-groupBoston University, College of Engineering, Department of Electrical & Computer Engineeringen_US
dc.identifier.mycv502334


This item appears in the following Collection(s)

Show simple item record