Jean-Michel Prima - 23/07/2015

Helping Web Users Thwart Sneaky Browser Fingerprinting

Benoit Baudry, Inria researcher

Billions of people surf the web. Surprisingly enough, almost everyone uses a uniquely customized browser. These small differences are tantamount to a distinct digital fingerprint that can be surreptitiously collected by a new breed of inquisitive programs, spurring privacy concerns. Benoît Baudry, a scientist at the Inria research center in Rennes, Brittany, France, holds that software diversity is also at the crux of the solution against such prying tools.

Fancy a new car? Maybe a coupé. Hard or soft top. Japanese or German flavor. A few clicks on the Internet will help you ponder the options. Lo and behold, the magic of targeted advertising also kicks into gear. Banners and sponsored links get in sync, coincidentally touting scores of car dealer services. It will be months before the flow peters out. The mysterious alchemy behind the scenes is called a cookie. This little file is sent by the server and stored by the web browser. Many cookies are merely meant to enable sites to function properly. But others serve a different purpose: tracking. They compile long-term records of users' browsing histories for marketing reasons.

Mitigating the privacy concern is the fact that cookies prove easy to spot, easy to block and easy to erase. In that regard, browser fingerprinting is another kettle of fish. “Whenever a user visits a website, a lot of code is executed in order to display the pages properly and to enable all kinds of legitimate interactions with the server,” Benoît Baudry explains. “Unbeknownst to this user, a tiny line of code can also sneak in. It will trigger a distant program aimed at garnering information about him. The novelty here is that it is very hard to distinguish so little an instruction inserted among such a huge amount of code. In addition, nothing gets stored on the computer.” Therefore, traditional adware removers are of no avail.

No Two Browsers Are the Same

A second aspect is the nature of the data being collected. “Type of browser, browser version, list of installed plug-ins, list of fonts, selected language, screen resolution, type of OS, OS version, time zone. You would think that we all surf the web pretty much with the same browsing configuration. Say Internet Explorer and Windows for instance. But that's wrong. There is actually a tremendous diversity of options available out there for us to customize our favorite tool. We change fonts, add plug-ins and so on. Each of us picks up a minuscule portion of the available diversity. As a result, among hundreds of millions of browsers no two are the same. In other words, your browser has a unique fingerprint. This fingerprint also happens to remain very stable over time.” Web visitors will be pretty easy to shadow.

As Baudry remarks, “it is the software diversity that makes browser fingerprinting possible. But we believe that, by the same token, this diversity can also be leveraged to deliver the solution against such tracking.” Inria scientists are about to introduce BLINK, an innovative tool meant to demonstrate the strength of the concept. What it boils down to is a cunning addition of noise. “Double-click BLINK's shortcut icon on your desktop and it will launch your favorite browser. But instead of loading only your usual fonts and plug-ins, there will be some more added to the list. Next time you go online, the features will be randomly changed once again.” The singularity of the fingerprint thus vanishes, and tracking becomes much more difficult.
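
The noise-adding idea described above, modeled in Python as an added example; it is not BLINK's code and not part of the original article. It hashes the attribute kinds listed earlier into a fingerprint and shows that hash changing when random extra fonts and plug-ins are added for each session. The sample configuration, the pools and all function names are constructed for illustration.

```python
import hashlib
import random

# Constructed sample configuration, using the attribute kinds named in the article.
BASE_CONFIG = {
    "browser": "Firefox", "browser_version": "39.0",
    "os": "Linux", "os_version": "3.19",
    "language": "en-US", "screen": "1920x1080", "timezone": "UTC+1",
    "fonts": ["DejaVu Sans", "Liberation Serif", "Ubuntu Mono"],
    "plugins": ["Flash", "PDF Viewer"],
}
# Hypothetical pools of extra components a launcher could draw from.
FONT_POOL = ["Arial", "Comic Sans MS", "Courier New", "Garamond",
             "Helvetica", "Impact", "Tahoma", "Verdana"]
PLUGIN_POOL = ["Java", "QuickTime", "Silverlight", "VLC"]


def fingerprint(config):
    """Hash all attributes in a fixed key order; lists are sorted first."""
    parts = []
    for key in sorted(config):
        value = config[key]
        if isinstance(value, list):
            value = ",".join(sorted(value))
        parts.append(f"{key}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def randomized_session(base, rng, min_extra=2):
    """Copy the base configuration and add random extra fonts and plug-ins."""
    session = dict(base)
    for key, pool in (("fonts", FONT_POOL), ("plugins", PLUGIN_POOL)):
        candidates = [c for c in pool if c not in base[key]]
        count = rng.randint(min(min_extra, len(candidates)), len(candidates))
        session[key] = base[key] + rng.sample(candidates, count)
    return session


def distinct_fingerprints(sessions, rng):
    """Number of different fingerprints seen over that many sessions."""
    return len({fingerprint(randomized_session(BASE_CONFIG, rng))
                for _ in range(sessions)})


if __name__ == "__main__":
    rng = random.Random()
    print("stable fingerprint:", fingerprint(BASE_CONFIG)[:16])
    print("distinct over 50 sessions:", distinct_fingerprints(50, rng))
```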

The trade-off between privacy concerns and navigation comfort is also part of the equation. “We are currently experimenting with two modes. If you think that for surfing the web you just need your bookmarks, your open tabs and your passwords, then we will choose a browser for you. We will pick it up from a pool of available browsers. And we will deploy it in an OS also picked up from a pool. On the other hand, if you really want to stick to your favorite browser and your favorite OS, then we will only change fonts and plug-ins, which is still enough to dissolve the fingerprint. A new change will take place each time you lock your computer.”

No decision has been made yet as to how BLINK will eventually be made available to the public. “Providing it through a Linux distribution is what we have in mind at the moment.” Meanwhile, researchers would also like to raise public awareness regarding the whole issue. “We will set up a website pretty soon, with the goal of showing people how amazingly unique their browser really is!”
