Below is a look back at the software engineering work carried out by the Spirals* project team and how it can be applied to web privacy.
Is digital anonymity even possible any more? When we browse online we leave countless digital footprints behind us, betraying our hobbies, preferences, behaviours, etc. This data is often collected without our knowledge, and represents a mine of information that is primarily used for commercial purposes.
A team with in-depth knowledge of web privacy issues
By changing the settings of your web browser or deleting your browsing history, you can prevent or control certain potential data leakages – mainly those caused by cookies. However, these actions have little effect against more sophisticated and malicious data collection techniques, such as browser fingerprinting.
This is a technique that the software engineering researchers in the Spirals team* have detailed knowledge of – including all its flaws. They have come up with a method to neutralise it. Their solution went on to inspire recent developments in Brave, a browser devised by the American firm Brave Software, whose market positioning is its privacy offering. The new feature will be available to its 12 million users within a matter of weeks.
A formidable tracking technique
“The normal operation of a browser is based – among other things – on various data exchange protocols which can characterise the configuration of the connected device (applications, fonts, plugins, etc.)”, explains Lionel Seinturier, head of Spirals, a team which he helped set up in 2014 at the Inria Lille-Nord Europe Centre.
Browsers have become more and more complex and efficient and offer increasingly diverse features (video, 3D, etc.). However, to work optimally, they need a large amount of data. When these data are combined to ensure reliable, secure operation, they construct a browsing “fingerprint” specific to each user, which can be used to track his or her online activity.
“For web users, this fingerprint is harder to control than cookies… And it may also last longer”, says Pierre Laperdrix, CNRS research fellow, member of the Spirals team and author of a browser fingerprinting thesis carried out in the Diverse team* at Inria Rennes-Bretagne. His research has shown that a browser fingerprint can last for several months – a windfall for anyone who wants to explore your online activity and find out everything about you!
A solution derived from academic research
“My research focused on the potentially malicious uses to which fingerprinting may be put, and how to protect web users from it”, explains Pierre. “I devised a technique which consists of introducing unpredictable data into the information used to build the browser fingerprint, while ensuring that these disturbances do not affect operation.” The resultant fingerprint is “blurred” and therefore cannot be tracked for advertising purposes, for example.
Pierre Laperdrix developed the technique during his thesis and it was cited in publications in 2017, when he joined the Spirals team. These scientific papers caught the attention of Pete Snyder, director of development for Brave, and contributed to improving the performances of the firm’s software – an acknowledgement of the quality and relevance of the work by the Spirals team.
“Our research is oriented towards the concrete functioning of digital and computer mechanisms, and it has an applications-driven objective”, comments Lionel Seinturier. “We regularly work with software developers and publishers such as Brave.” The team’s work on fingerprinting also led to the construction of a database on this technique and the creation of the website Am I Unique, which explains its principles and uses to web users (see inset).
“Our research also provides the general public with greater information about how the internet works, and makes them more aware of the issues of the digital society – particularly those around privacy”, Lionel concludes.
Am I unique, a site that explains fingerprinting
Created in 2014 by Pierre Laperdrix when he was doing his PhD, the initial aim of the Am I Unique website was to explain how browser fingerprinting works. It shows web users which personal data is likely to be sent to third parties via their browser.
In its first year online, without any advertising, the script developed by the young researcher scanned almost 100,000 devices, building a database that he was able to use in his research into anti-fingerprinting solutions. Today this information has turned out to be invaluable to the Spirals team in their bid to develop their research and in their ongoing efforts to inform web users informer about the subject.
*Spirals, standing for Self-adaptation for distributed services and large software systems, is a joint Inria/University of Lille project team in the CRIStAL research unit, run by Lionel Seinturier.
**Diverse, standing for Diversity-centric Software Engineering, is a joint Inria/University of Rennes 1/Insa Rennes project team in the IRISA research unit, run by Olivier Barrais.