Closed Bug 1847990 Opened 9 months ago Closed 6 months ago

Add fingerprinting detection heuristics

Categories

(Core :: Privacy: Anti-Tracking, enhancement)

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox118 --- wontfix
firefox121 --- fixed

People

(Reporter: decoder, Assigned: tschuster)

Details

(Whiteboard: [fpp:m5])

Attachments

(6 files, 1 obsolete file)

Being able to detect fingerprinting when it happens and bubbling up this information to the user (either on a privacy panel or by other means) can be beneficial for our felt privacy goals.

The same heuristics can also be useful to collect more information about fingerprinters in the wild.

There are some types of fingerprinting that are more suitable to be detected by heuristics than others, in particular:

  • Font Fingerprinting (by amount of fonts requested)
  • Canvas Fingerprinting (by combination of extracted WebGL/2D canvases, both based on combinations of dimensions as well as behavioral heuristics before extraction)
  • WebAudio Fingerprinting (by behavioral heuristics)

I have a proof-of-concept patch that shows that the first two features can work. This patch is not suitable for deployment but was used to gather some preliminary data about how widespread these methods are when looking at the top 1k domains.
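
The font and 2D canvas heuristics listed above can be sketched as follows. This is an added example, not the proof-of-concept patch or any Firefox code; the event names, the trace format and both thresholds are assumptions chosen for illustration.

```javascript
// Added illustration, not Firefox code. Event names and both thresholds are assumptions.
const FONT_THRESHOLD = 50;          // assumed: distinct families tolerated per document
const PROBE_MAX_PIXELS = 400 * 200; // assumed: extracted canvases this small look like probes

class FingerprintingDetector {
  constructor() {
    this.fonts = new Set();    // distinct font families requested
    this.canvases = new Map(); // canvas id -> { kind, pixels, drewText }
    this.findings = new Set();
  }

  observe(ev) {
    if (ev.type === "font-request") {
      // Normalise so repeated or differently-cased requests count once.
      this.fonts.add(ev.family.trim().toLowerCase());
      if (this.fonts.size > FONT_THRESHOLD) this.findings.add("font");
    } else if (ev.type === "canvas-create") {
      this.canvases.set(ev.id, { kind: ev.kind, pixels: ev.width * ev.height, drewText: false });
    } else if (ev.type === "canvas-text") {
      const c = this.canvases.get(ev.id);
      if (c) c.drewText = true; // behaviour before extraction
    } else if (ev.type === "canvas-extract") {
      const c = this.canvases.get(ev.id);
      // Dimension check plus behaviour: a small 2D canvas that had text drawn on it
      // and is then read back. Large or text-free extractions are not flagged.
      if (c && c.kind === "2d" && c.drewText && c.pixels <= PROBE_MAX_PIXELS) {
        this.findings.add("canvas");
      }
    }
  }
}

function classify(events) {
  const d = new FingerprintingDetector();
  events.forEach((ev) => d.observe(ev));
  return [...d.findings].sort();
}

// Constructed sample traces.
const benignTrace = [
  { type: "font-request", family: "Arial" }, { type: "font-request", family: " arial" },
  { type: "canvas-create", id: 1, kind: "2d", width: 1920, height: 1080 },
  { type: "canvas-text", id: 1 }, { type: "canvas-extract", id: 1 },
];
const probeTrace = [
  ...Array.from({ length: 60 }, (_, i) => ({ type: "font-request", family: `Probe Font ${i}` })),
  { type: "canvas-create", id: 7, kind: "2d", width: 240, height: 60 },
  { type: "canvas-text", id: 7 }, { type: "canvas-extract", id: 7 },
];
```

`classify(benignTrace)` returns an empty list, while `classify(probeTrace)` returns `["canvas", "font"]`.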

Flags: needinfo?(tschuster)
Assignee: nobody → tschuster
Flags: needinfo?(tschuster)
Whiteboard: [fpp:m5]

Depends on D188340

Attachment #9353402 - Attachment description: WIP: Bug 1847990 - Canvas fingerprinting detection heuristics → Bug 1847990 - Canvas fingerprinting detection heuristics. r?decoder!,lsalzman!
Attachment #9354856 - Attachment description: WIP: Bug 1847990 - Binary canvas fingerprinting telemetry → WIP: Bug 1847990 - Canvas fingerprinting telemetry
Group: mozilla-employee-confidential
Attachment #9354856 - Attachment description: WIP: Bug 1847990 - Canvas fingerprinting telemetry → Bug 1847990 - Canvas fingerprinting telemetry
Attachment #9354856 - Attachment description: Bug 1847990 - Canvas fingerprinting telemetry → WIP: Bug 1847990 - Canvas fingerprinting telemetry
Attachment #9354856 - Attachment description: WIP: Bug 1847990 - Canvas fingerprinting telemetry → Bug 1847990 - Canvas fingerprinting telemetry
Attachment #9354856 - Attachment description: Bug 1847990 - Canvas fingerprinting telemetry → Bug 1847990 - Canvas fingerprinting telemetry. r?timhuang
Attachment #9360616 - Attachment description: WIP: Bug 1847990 - Font fingerprinting detection and telemetry → Bug 1847990 - Font fingerprinting detection and telemetry. r?timhuang!,jfkthame!

I've now run mach try perf compare to see the performance results of this change.

Thanks to Dave Hunt for having a look at these raw results. He pointed out a high confidence 3% regression for MotionMark on Windows, which seems concerning to me. I am just ignoring the improvements for now, we are strictly doing more work, so any improvement should be rather accidental. There are also huge changes on browsertime, both positive and negative.

I've re-triggered the tests a bunch of times and the MotionMark regression seems to be gone now. On browsertime there is still a 10% regression on expedia. I need to figure out what that test actually contains, because loading https://www.expedia.com/ doesn't seem to trigger any of the fingerprinting detection code. Hopefully this is just another fluke.

Attached file Data review
Attachment #9361870 - Flags: data-review?(chutten)

Comment on attachment 9361870 [details]
Data review

DATA COLLECTION REVIEW RESPONSE:

Is there or will there be documentation that describes the schema for the ultimate data set available publicly, complete and accurate?

Yes.

Is there a control mechanism that allows the user to turn the data collection on and off?

Yes. This collection can be controlled through Firefox's Preferences.

If the request is for permanent data collection, is there someone who will monitor the data over time?

No. This collection will expire in six months.

Using the category system of data types on the Mozilla wiki, what collection type of data do the requested measurements fall under?

Category 1, Technical.

Is the data collection request for default-on or default-off?

Default on for all channels.

Does the instrumentation include the addition of any new identifiers?

No.

Is the data collection covered by the existing Firefox privacy notice?

Yes.

Does the data collection use a third-party collection tool?

No.


Result: datareview+

Attachment #9361870 - Flags: data-review?(chutten) → data-review+

Depends on D192674

Attachment #9348271 - Attachment is obsolete: true
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/34ee4d28fb84
Canvas fingerprinting detection heuristics. r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/6cdd212ea9fc
Canvas fingerprinting telemetry. r=timhuang,anti-tracking-reviewers
https://hg.mozilla.org/integration/autoland/rev/fd241b407772
Font fingerprinting detection and telemetry. r=timhuang,jfkthame,anti-tracking-reviewers
https://hg.mozilla.org/integration/autoland/rev/643c91b8f754
Canvas fingerprinting telemetry tests. r=timhuang
https://hg.mozilla.org/integration/autoland/rev/25308a5c7e55
Font fingerprinting telemetry tests. r=timhuang
Blocks: 1864826
See Also: → 1881392