A Comparative Measurement Study of Web Tracking on Mobile and Desktop Environments

  • 1 Colorado School of Mines,
  • 2 Colorado School of Mines,

Abstract

Web measurement is a powerful approach to studying various tracking practices that may compromise the privacy of millions of users. Researchers have built several measurement frameworks and performed a few studies to measure web tracking in the desktop environment. However, little is known about web tracking in the mobile environment, and no tool is readily available for performing a comparative measurement study across mobile and desktop environments. In this work, we built a framework called WTPatrol that allows us and other researchers to perform web tracking measurement in both mobile and desktop environments. Using WTPatrol, we performed the first comparative measurement study of web tracking on 23,310 websites that have both mobile and desktop versions of their web pages. We conducted an in-depth comparison of the web tracking practices of those websites between mobile and desktop environments from two perspectives: web tracking based on JavaScript APIs and web tracking based on HTTP cookies. Overall, we found that mobile web tracking has its own unique characteristics, especially due to mobile-specific trackers, and that it has increasingly become as prevalent as desktop web tracking. However, the potential impact of mobile web tracking is more severe than that of desktop web tracking because a user may use a mobile device frequently in different places and be continuously tracked. We further gave some suggestions to web users, developers, and researchers for defending against web tracking.


