Automatic Discovery of Emerging Browser Fingerprinting Techniques

With the progression of modern browsers, online tracking has become the most concerning issue for preserving privacy on the web. As major browser vendors plan to or already ban third-party cookies, trackers have to shift towards browser fingerprinting by incorporating novel browser APIs into their tracking arsenal. Understanding how new browser APIs are abused in browser fingerprinting techniques is a significant step toward ensuring protection from online tracking. In this paper, we propose a novel hybrid system, named BFAD, that automatically identifies previously unknown browser fingerprinting APIs in the wild. The system combines dynamic and static analysis to accurately reveal browser API usage and automatically infer browser fingerprinting behavior. Based on the observation that a browser fingerprint is constructed by pulling information from multiple APIs, we leverage dynamic analysis and a locality-based algorithm to discover all involved APIs and static analysis on the dataflow of fingerprinting information to accurately associate them together. Our system discovers 231 fingerprinting APIs in Alexa top 10K domains, starting with only 35 commonly known fingerprinting APIs and 17 data transmission APIs. Out of 231 APIs, 161 of them are not identified by state-of-the-art detection systems. Since our approach is fully automated, we repeat our experiments 11 months later and discover 18 new fingerprinting APIs that were not discovered in our previous experiment. We present with case studies the fingerprinting ability of a total of 249 detected APIs.