Add fingerprinting detection heuristics
Categories
(Core :: Privacy: Anti-Tracking, enhancement)
Tracking
()
People
(Reporter: decoder, Assigned: tschuster)
References
Details
(Whiteboard: [fpp:m5])
Attachments
(6 files, 1 obsolete file)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
3.14 KB,
text/plain
|
chutten
:
data-review+
|
Details |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
Being able to detect fingerprinting when it happens and bubbling up this information to the user (either on a privacy panel or by other means) can be beneficial for our felt privacy goals.
The same heuristics can also be useful to collect more information about fingerprinters in the wild.
There are some types of fingerprinting that are more suitable to be detected by heuristics than others, in particular:
- Font Fingerprinting (by amount of fonts requested)
- Canvas Fingerprinting (by combination of extracted WebGL/2D canvases, both based on combinations of dimensions as well as behavioral heuristics before extraction)
- WebAudio Fingerprinting (by behavioral heuristics)
I have a proof-of-concept patch that shows that the first two features can work. This patch is not suitable for deployment but was used to gather some preliminary data about how widespread these methods are when looking at the top 1k domains.
|
Reporter | |
Comment 1•11 months ago
|
||
|
Assignee | |
Updated•10 months ago
|
|
|
Assignee | |
Updated•10 months ago
|
|
|
Assignee | |
Comment 2•9 months ago
|
||
|
||
Updated•9 months ago
|
|
|
Assignee | |
Comment 3•9 months ago
|
||
Depends on D188340
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
Assignee | |
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Updated•9 months ago
|
|
|
||
Updated•8 months ago
|
|
|
||
Updated•8 months ago
|
|
|
Assignee | |
Comment 4•8 months ago
|
||
Depends on D189111
|
|
||
Updated•8 months ago
|
|
||
Comment 5•8 months ago
|
||
I've now run mach try perf compare to see the performance results of this change.
Thanks to Dave Hunt for having a look at these raw results. He pointed out a high confidence 3% regression for MotionMark on Windows, which seems concerning to me. I am just ignoring the improvements for now, we are strictly doing more work, so any improvement is should be rather accidental. There are also huge changes on browsertime, both positive and negative.
|
|
||
Comment 6•8 months ago
|
||
Depends on D192074
|
|
Assignee | |
Comment 7•8 months ago
|
||
I've re-triggered the tests a bunch of times and the MotionMark regression seems to be gone now. On browsertime there is still a 10% regression on expedia. I need to figure out what that test actually contains, because loading https://www.expedia.com/ doesn't seem to trigger any of the fingerprinting detection code. Hopefully this is just another fluke.
|
|
Assignee | |
Comment 8•8 months ago
|
||
|
||
Comment 9•8 months ago
|
||
Comment on attachment 9361870 [details]
Data review
DATA COLLECTION REVIEW RESPONSE:
Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?
Yes.
Is there a control mechanism that allows the user to turn the data collection on and off?
Yes. This collection can be controlled through Firefox's Preferences.
If the request is for permanent data collection, is there someone who will monitor the data over time?
No. This collection will expire in six months.
Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?
Category 1, Technical.
Is the data collection request for default-on or default-off?
Default on for all channels.
Does the instrumentation include the addition of any new identifiers?
No.
Is the data collection covered by the existing Firefox privacy notice?
Yes.
Does the data collection use a third-party collection tool?
No.
Result: datareview+
|
|
Assignee | |
Comment 10•8 months ago
|
||
Depends on D192674
|
|
||
Updated•7 months ago
|
|
||
Comment 11•7 months ago
|
||
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/34ee4d28fb84 Canvas fingerprinting detection heuristics. r=lsalzman https://hg.mozilla.org/integration/autoland/rev/6cdd212ea9fc Canvas fingerprinting telemetry. r=timhuang,anti-tracking-reviewers https://hg.mozilla.org/integration/autoland/rev/fd241b407772 Font fingerprinting detection and telemetry. r=timhuang,jfkthame,anti-tracking-reviewers https://hg.mozilla.org/integration/autoland/rev/643c91b8f754 Canvas fingerprinting telemetry tests. r=timhuang https://hg.mozilla.org/integration/autoland/rev/25308a5c7e55 Font fingerprinting telemetry tests. r=timhuang
|
||
Comment 12•7 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/34ee4d28fb84
https://hg.mozilla.org/mozilla-central/rev/6cdd212ea9fc
https://hg.mozilla.org/mozilla-central/rev/fd241b407772
https://hg.mozilla.org/mozilla-central/rev/643c91b8f754
https://hg.mozilla.org/mozilla-central/rev/25308a5c7e55
|
||
Updated•7 months ago
|
Description
•