1. bookVolume 2020 (2020): Issue 2 (April 2020)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments

Published Online: 08 May 2020
Page range: 24 - 44
Received: 31 Aug 2019
Accepted: 16 Dec 2019
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English

Web measurement is a powerful approach to studying various tracking practices that may compromise the privacy of millions of users. Researchers have built several measurement frameworks and performed a few studies to measure web tracking on the desktop environment. However, little is known about web tracking on the mobile environment, and no tool is readily available for performing a comparative measurement study on mobile and desktop environments. In this work, we built a framework called WTPatrol that allows us and other researchers to perform web tracking measurement on both mobile and desktop environments. Using WTPatrol, we performed the first comparative measurement study of web tracking on 23,310 websites that have both mobile version and desktop version web-pages. We conducted an in-depth comparison of the web tracking practices of those websites between mobile and desktop environments from two perspectives: web tracking based on JavaScript APIs and web tracking based on HTTP cookies. Overall, we found that mobile web tracking has its unique characteristics especially due to mobile-specific trackers, and it has become increasingly as prevalent as desktop web tracking. However, the potential impact of mobile web tracking is more severe than that of desktop web tracking because a user may use a mobile device frequently in different places and be continuously tracked. We further gave some suggestions to web users, developers, and researchers to defend against web tracking.

Keywords

[1] Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, Arvind Narayanan, and Claudia Diaz. The Web Never Forgets: Persistent Tracking Mechanisms in the Wild. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2014.Search in Google Scholar

[2] Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. FPDetective: dusting the web for fingerprinters. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2013.Search in Google Scholar

[3] M. Ayenson, D.J. Wambach, A. Soltani, N. Good, and C.J. Hoofnagle. Flash cookies and privacy II: Now with HTML5 and ETag respawning, 2011. http://dx.doi.org/10.2139/ssrn.1898390.Search in Google Scholar

[4] Hristo Bojinov, Yan Michalevsky, Gabi Nakibly, and Dan Boneh. Mobile Device Identification via Sensor Fingerprinting. CoRR, abs/1408.1416, 2014.Search in Google Scholar

[5] Qian Cui, Guy-Vincent Jourdan, Gregor V Bochmann, Russell Couturier, and Iosif-Viorel Onut. Tracking phishing attacks over time. In Proceedings of the 26th International Conference on World Wide Web (WWW), 2017.Search in Google Scholar

[6] Anupam Das, Gunes Acar, Nikita Borisov, and Amogh Pradeep. The web’s sixth sense: A study of scripts accessing smartphone sensors. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 1515–1532. ACM, 2018.Search in Google Scholar

[7] Anupam Das, Nikita Borisov, and Matthew Caesar. Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2014.Search in Google Scholar

[8] Anupam Das, Nikita Borisov, and Matthew Caesar. Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2016.Search in Google Scholar

[9] Sanorita Dey, Nirupam Roy, Wenyuan Xu, Romit Roy Choudhury, and Srihari Nelakuditi. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.Search in Google Scholar

[10] Peter Eckersley. How Unique is Your Web Browser? In Proceedings of the International Conference on Privacy Enhancing Technologies (PETS), 2010.Search in Google Scholar

[11] Steven Englehardt and Arvind Narayanan. Online Tracking: A 1-million-site Measurement and Analysis. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2016.Search in Google Scholar

[12] Steven Englehardt, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W Felten. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the 24th International Conference on World Wide Web (WWW), 2015.Search in Google Scholar

[13] Christian Eubank, Marcela Melara, Diego Perez-Botero, and Arvind Narayanan. Shining the floodlights on mobile web tracking-a privacy survey. In Proceedings of the Web 2.0 Security & Privacy (W2SP) Workshop, 2013.Search in Google Scholar

[14] Seungyeop Han, Jaeyeon Jung, and David Wetherall. A study of third-party tracking by mobile apps in the wild. Univ. Washington, Tech. Rep. UW-CSE-12-03-01, 2012.Search in Google Scholar

[15] Thomas Hupperich, Davide Maiorca, Marc Kührer, Thorsten Holz, and Giorgio Giacinto. On the robustness of mobile device fingerprinting: Can mobile users escape modern web-tracking mechanisms? In Proceedings of the 31st Annual Computer Security Applications Conference, 2015.Search in Google Scholar

[16] Muhammad Ikram, Hassan Jameel Asghar, Mohamed Ali Kaafar, Anirban Mahanti, and Balachandar Krishnamurthy. Towards seamless tracking-free web: Improved detection of trackers via one-class learning. In Proceedings on Privacy Enhancing Technologies (PETS), 2017.Search in Google Scholar

[17] David M. Kristol. HTTP Cookies: Standards, Privacy, and Politics. ACM Transactions on Internet Technology, 2001.Search in Google Scholar

[18] Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In Proceedings of the IEEE Symposium on Security and Privacy, 2016.Search in Google Scholar

[19] Adam Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. Internet jones and the raiders of the lost trackers: An archaeological study of web tracking from 1996 to 2016. In Proceedings of the USENIX Security Symposium, 2016.Search in Google Scholar

[20] Christophe Leung, Jingjing Ren, David Choffnes, and Christo Wilson. Should you use the app for that?: Comparing the privacy implications of app-and web-based online services. In Proceedings of the 2016 Internet Measurement Conference, 2016.Search in Google Scholar

[21] Jonathan R. Mayer and John C. Mitchell. Third-Party Web Tracking: Policy and Technology. In Proceedings of the IEEE Symposium on Security and Privacy, 2012.Search in Google Scholar

[22] Keaton Mowery, Dillon Bogenreif, Scott Yilek, and Hovav Shacham. Fingerprinting information in JavaScript implementations. In Proceedings of the Web 2.0 Security & Privacy (W2SP) workshop, 2011.Search in Google Scholar

[23] Martin Mulazzani, Philipp Reschl, Markus Huber, Manuel Leithner, Sebastian Schrittwieser, Edgar Weippl, and FC Wien. Fast and reliable browser identification with javascript engine fingerprinting. In Proceedings of the Web 2.0 Security & Privacy (W2SP) workshop, 2013.Search in Google Scholar

[24] Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the IEEE Symposium on Security and Privacy, 2013.Search in Google Scholar

[25] Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz. The leaking battery. In Proceedings of the International Workshop on Data Privacy Management, 2015.Search in Google Scholar

[26] Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, and Christian Kreibich Phillipa Gill. Apps, trackers, privacy, and regulators. In Proceedings of the 25th Annual Network and Distributed System Security Symposium (NDSS), 2018.Search in Google Scholar

[27] Franziska Roesner, Tadayoshi Kohno, and David Wetherall. Detecting and Defending Against Third-party Tracking on the Web. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), 2012.Search in Google Scholar

[28] Jerome H Saltzer and Michael D Schroeder. The protection of information in computer systems. In Proceedings of the IEEE, 1975.Search in Google Scholar

[29] Anastasia Shuba, Athina Markopoulou, and Zubair Shafiq. Nomoads: Effective and efficient cross-app mobile ad-blocking. Proceedings on Privacy Enhancing Technologies, 2018.Search in Google Scholar

[30] Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas, and Chris Jay Hoofnagle. Flash Cookies and Privacy. In Proceedings of the AAAI Spring Symposium: Intelligent Information Privacy Management, 2010.Search in Google Scholar

[31] Oleksii Starov and Nick Nikiforakis. Xhound: Quantifying the fingerprintability of browser extensions. In Proceedings of the IEEE Symposium on Security and Privacy, 2017.Search in Google Scholar

[32] Vincent Toubiana, Arvind Narayanan, Dan Boneh, Helen Nissenbaum, and Solon Barocas. Adnostic: Privacy preserving targeted advertising. 2010.Search in Google Scholar

[33] Zhonghao Yu, Sam Macbeth, Konark Modi, and Josep M Pujol. Tracking the trackers. In Proceedings of the 25th International Conference on World Wide Web (WWW), 2016.Search in Google Scholar

[34] Zhe Zhou, Wenrui Diao, Xiangyu Liu, and Kehuan Zhang. Acoustic fingerprinting revisited: Generate stable device id stealthily with inaudible sound. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2014.Search in Google Scholar

[35] Mobile web browsing overtakes desktop for the first time, 2016. https://www.theguardian.com/technology/2016/nov/02/mobile-web-browsing-desktop-smartphones-tablets.Search in Google Scholar

[36] PageFair, 2017. https://pagefair.com/downloads/2017/01/PageFair-2017-Adblock-Report.pdf.Search in Google Scholar

[37] Market share held by leading mobile internet browsers, 2018. https://www.statista.com/statistics/263517/market-share-held-by-mobile-internet-browsers-worldwide/.Search in Google Scholar

[38] ACM Code of Ethics and Professional Conduct, 2019. https://www.acm.org/code-of-ethics/.Search in Google Scholar

[39] Ad block engine of Brave Browser, 2019. https://github.com/brave/ad-block.Search in Google Scholar

[40] AdBlock, 2019. https://getadblock.com/.Search in Google Scholar

[41] Adblock Plus, 2019. https://adblockplus.org/.Search in Google Scholar

[42] Brave Browser, 2019. https://brave.com/.Search in Google Scholar

[43] Cliqz Browser, 2019. https://cliqz.com/.Search in Google Scholar

[44] CookiePedia, 2019. https://cookiepedia.co.uk/.Search in Google Scholar

[45] CrunchBase, 2019. https://www.crunchbase.com/.Search in Google Scholar

[46] Disconnect Basic, 2019. https://disconnect.me/disconnect.Search in Google Scholar

[47] EasyList, 2019. https://easylist.to/easylist/easylist.txt.Search in Google Scholar

[48] EasyListVari, 2019. https://easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html.Search in Google Scholar

[49] EasyPrivacy, 2019. https://easylist.to/easylist/easyprivacy.txt.Search in Google Scholar

[50] Fully Qualified Domain Name, 2019. https://en.wikipedia.org/wiki/Fully_qualified_domain_name.Search in Google Scholar

[51] General Data Protection Regulation, 2019. https://eugdpr.org/the-process/timeline-of-events/.Search in Google Scholar

[52] International Standard for Professional Software Development and Ethical Responsibility, 2019. https://www.etsu.edu/cbat/computing/seeri/ethics-code.php.Search in Google Scholar

[53] Mozilla Public Suffix List, 2019. https://publicsuffix.org/list/public_suffix_list.dat.Search in Google Scholar

[54] Privacy Policy of nytimes.com, 2019. https://help.nytimes.com/hc/en-us/articles/115014892108-Privacy-policy.Search in Google Scholar

[55] Ratcliff/Obershelp pattern recognition, 2019. https://xlinux.nist.gov/dads/HTML/ratcliffObershelp.html.Search in Google Scholar

[56] Selenium Web Driver, 2019. http://www.seleniumhq.org/.Search in Google Scholar

[57] Timothy Libert’s Library, 2019. https://github.com/timlib/webXray_Domain_Owner_List.Search in Google Scholar

[58] Web of Trust, 2019. https://www.mywot.com/.Search in Google Scholar

[59] WHOIS, 2019. https://www.whois.com/whois/.Search in Google Scholar

[60] World Wide Web Consortium, 2019. https://html.spec.whatwg.org/multipage/dom.html.Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo