Received July 1, 2018, accepted August 5, 2018, date of publication September 10, 2018, date of current version October 12, 2018. Digital Object Identifier 10.1 109/ACCESS.2018.2869251 I Know What You Did Last Summer: New Persistent Tracking Mechanisms in the Wild STEFANO BELLORO 1 AND ALEXIOS MYLONAS 2 , (Member, IEEE) 1 British Broadcasting Corporation, London W1A 1AA, U.K. 2 Department of Computing and Informatics, Bournemouth University, Poole BH12 5BB, U.K. Corresponding author: Alexios Mylonas (amylonas@bournemouth.ac.uk) ABSTRACT As the usage of the Web increases, so do the threats an everyday user faces. One of the most pervasive threats a Web user faces is tracking, which enables an entity to gain unauthorized access to the user’s personal data. Through the years, many client storage technologies, such as cookies, have been used for this purpose and have been extensively studied in the literature. The focus of this paper is on three newer client storage mechanisms, namely, Web Storage, Web SQL Database, and Indexed Database API. Initially, a large-scale analysis of their usage on the Web is conducted to appraise their usage in the wild. Then, this paper examines the extent that they are used for tracking purposes. The results suggest that Web Storage is the most used among the three technologies. More importantly, to the best of our knowledge, this paper is the first to suggest Web tracking as the main use case of these technologies. Motivated by these results, this paper examines whether popular desktop and mobile browsers protect their users from tracking mechanisms that use Web Storage, Web SQL Database, and Indexed Database. Our results uncover many cases where the rel- evant security controls are ineffective, thus making it virtually impossible for certain users to avoid tracking. INDEX TERMS Web tracking, web security, privacy, indexed database, indexedDB, web storage, Web SQL database. advertising or for any other kind of surveillance [3]. Many I. INTRODUCTION As of April 2018, the digital population has reached client storage technologies have been used for tracking pur- 4087 million users [1]. Most users access the web on a daily poses over the years; the most famous of all is HTTP cookies. basis for the most diverse array of tasks, from sending emails Almost a decade ago, the web community was galvanized and reading the news to browsing social media and accessing by the advent of HTML5 and the myriad of new primi- any kind of content. The usage of the Internet has improved tive APIs associated to it. Among them, client-side storage the quality of our lives and provided us with opportunities APIs, such as Web Storage, Web SQL Database and Indexed and information, which were previously accessible only to a Database API, were bound to revolutionize the web and small percentage of people. eventually narrow the differences between web applications Nonetheless, such advantages do not come without a and native apps. Since then, the web has certainty evolved, but price. While users navigate the web, they expose themselves web applications are far from replacing native mobile apps. and share, willingly or not, personal information. Indeed, Moreover, in some instances, trackers have adopted client- users are exposed to different threats, such as tracking and side storage techniques as a way to enhance the capabilities behavioral profiling, which directly violate their privacy. of HTTP cookies, as shown by [35], but until now their use Many websites deploy a variety of technologies to track has been considered very limited. the users or profile them. These practices are used for a In this context, this work focuses on Web Storage, Web number of reasons [2]. For instance, identifying the user and SQL Database and Indexed Database API and investigates knowing their characteristics enables a website to provide a the usage of these client-side storage APIs as a tracking more personalized user experience. While this may sound vector. Contrary to previous results in the literature, our innocent and even desirable, the same techniques can be results suggest that tracking is a major use case for these used to profile a possible target of a social engineering APIs. Moreover, we investigate the user control over the data attack, gather personal information to either sell it, use it for that the aforementioned client-side technologies store on the 2169-3536 2018 IEEE. Translations and content mining are permitted for academic research only. 52779 VOLUME 6, 2018 Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Recommend
More recommend
