This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Libraries for fingerprinting detection and other anti-tracking systems #9842

Closed
cowlicks opened this issue Jul 3, 2017 · 5 comments

cowlicks commented Jul 3, 2017

Hi y'all, I work on Privacy Badger at the EFF. Privacy Badger is a web extension that protects users from tracking, so it has a lot of overlap with Brave's functionality.

I recently noticed y'all adapted some fingerprinting detection code from Privacy Badger (here). Awesome!

I've been thinking about breaking some of our anti-tracking code into separate libraries, so they could be more easily used by others and developed independently. I'd like to hear about y'all's use case to better understand how a fingerprint detection library could be useful, and your ideas on what an API would look like.

For some perspective, the fingerprintjs2 project has a large, active community constantly working on fingerprinting techniques. I think a competing project could find community support. And I think we would all benefit.

We have other anti-tracking systems that could be developed externally:

  • We have a script surrogate system which was adapted from NoScript (info).
  • We have a widget replacement system, which replaces things like twitter's "tweet" buttons, and facebook's "like" buttons. These were adapted from ShareMeNot (info).
  • Super cookie detection (info).
  • First party scripts. We've been experimenting with these recently. We added support for unwrapping twitter's t.co url's (info).

Would any of these be useful to you? What would the API's need to look like? What other projects might benefit?

We have public Privacy Badger meetings twice a week, feel free to join!

cc @diracdeltas I'm especially interested to hear what you think since you've worked on both projects

@cowlicks cowlicks changed the title Libraries or fingerprinting detection and other anti-tracking systems Libraries for fingerprinting detection and other anti-tracking systems Jul 5, 2017

cowlicks commented Jul 6, 2017

I just found out that we actually adapt our surrogate system from uBlockOrigin (not NoScript). Those resources are already separated into another repo here in uBlockOrigin/uAssets.

@diracdeltas

> I've been thinking about breaking some of our anti-tracking code into separate libraries, so they could be more easily used by others and developed independently. I'd like to hear about y'all's use case to better understand how a fingerprint detection library could be useful, and your ideas on what an API would look like.

This would potentially be useful for us. I'm not sure if we will continue doing blocking using content scripts (vs patches to Chromium/Muon) but if we do, it would be nice to have a content script-level API that returns true/false for whether some call to a DOM/JS API is (1) likely to be fingerprinting and (2) the origin domain of the call. As a first approximation, we could collaborate on a master list of object methods commonly used for fingerprinting.

Have you talked to the Tor Browser team yet? At the last dev meeting, we started making a list of fingerprinting vectors that are addressed by the various browsers. cc @arthuredelstein

> Would any of these be useful to you? What would the API's need to look like? What other projects might benefit?

We have no plans to incorporate ShareMeNot. I originally worked with Franzi on adding this to Privacy Badger and could reach out again to see if it's worth the effort for Brave.

The surrogate script system looks useful; we did something similar for GA in order to unbreak sites.

Localstorage supercookies - maybe useful. Brave completely blocks localstorage access from 3rd parties and localstorage is cleared when cookies are cleared.

First party scripts like unwrapping t.co - I don't recall seeing any user requests for this (we already clear all 3rd party referrers by default btw). It seems more suitable for user-added script functionality, which we plan to add eventually, than part of Brave itself.

It would be great to loop in someone from ublock origin.


cowlicks commented Jul 7, 2017

Hi @arthuredelstein! We met at the Noisebridge the other day. I'd be happy to drop in on the next meeting y'all have. When/where are they?

I'd love to see your list of vectors y'all have.

I'll have some time to start aggregating a list this weekend, feel free to email me (firstname @ eff.org) if you'd like to join.

Once we have this list, I think it would be interesting to try to detect fingerprinting based on how many methods from this list get used from the same origin. Basically we'd just count the number of esoteric API's an origin uses, if it is above some threshold, call it fingerprinting. This is pretty naive, but it should work since fingerprinting libraries try to improve their accuracy by trying to fingerprint as many vectors as possible.

I won't be working on the other stuff until there is more interest.


cowlicks commented Jul 7, 2017

I'm closing this since it is a question and it has been answered.

@cowlicks cowlicks closed this as completed Jul 7, 2017
@cowlicks

@diracdeltas Here's a PR that includes a bunch of methods used in fingerprinting, and implements the heuristic I described. It has worked consistently detecting fingerprintjs2 and augur.io.

Usage:

new Counter(listOfMethods, callbackTriggeredOnFingerPrinting)

Where the callback is passed the origin that was seen fingerprinting on the page.

Note that this is normal JavaScript (not a content script); it just uses regular web APIs.

I'll put this in its own repo later this week.

EFForg/privacybadger#1505
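
The counting heuristic discussed in this thread (count how many distinct listed methods one origin calls and report the origin once the count is above a threshold), as an added example that is not the code from the linked PR or from Privacy Badger. Only the `new Counter(list, callback)` shape comes from the thread; the `[object, name]` pairs, the options argument, `originFromStack()` and the sample method list are assumptions.

```javascript
// Added example, not Privacy Badger's code. The [object, name] list shape,
// the options argument and originFromStack() are illustrative assumptions.
// Origin of the first http(s) script URL in a stack trace. Assumes the
// wrapper itself is not served over http(s), e.g. it is extension-injected.
function originFromStack(stack) {
  const m = /https?:\/\/[^\s)]+/.exec(stack || '');
  if (!m) return null;
  try { return new URL(m[0]).origin; } catch (e) { return null; }
}

class Counter {
  constructor(methods, onFingerprinting, opts = {}) {
    this.onFingerprinting = onFingerprinting;
    this.threshold = opts.threshold || 3;
    this.getStack = opts.getStack || (() => new Error().stack);
    this.seen = new Map();    // origin -> Set of distinct listed methods called
    this.flagged = new Set(); // origins already reported
    for (const [obj, name] of methods) this.wrap(obj, name);
  }
  wrap(obj, name) {
    const original = obj[name];
    const counter = this;
    obj[name] = function (...args) {
      counter.record(name, counter.getStack());
      return original.apply(this, args); // the caller still gets the real result
    };
  }
  record(name, stack) {
    const origin = originFromStack(stack);
    if (!origin || this.flagged.has(origin)) return;
    if (!this.seen.has(origin)) this.seen.set(origin, new Set());
    const used = this.seen.get(origin).add(name);
    if (used.size > this.threshold) { // "above some threshold"
      this.flagged.add(origin);
      this.onFingerprinting(origin); // fires once per origin
    }
  }
}

// Constructed demo: a plain object stands in for the real DOM prototypes.
function demo() {
  const api = { toDataURL() { return 'data:,'; }, getImageData() {}, measureText() {}, getParameter() {} };
  let stack = ''; const flagged = [];
  new Counter(Object.keys(api).map(n => [api, n]), o => flagged.push(o),
    { threshold: 2, getStack: () => stack });
  stack = 'Error\n    at draw (https://widgets.example/chart.js:3:9)';
  api.toDataURL(); api.toDataURL(); api.getImageData();   // 2 distinct methods
  stack = 'Error\n    at fp (https://tracker.example/fp.js:10:5)';
  api.toDataURL(); api.measureText(); api.getParameter(); // 3 distinct methods
  return flagged; // only the second origin exceeds the threshold
}
```

Repeated calls to the same method count once per origin, so a script that calls one listed method many times for legitimate reasons stays below the threshold.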
