WWW2026

Understanding Server-side Commercial Fingerprinting

Elisa Luo, Tom Ritter, Stefan Savage, Geoffrey M. Voelker

Abstract

Browser fingerprinting is a covert technique for implicitly identifying Web users using combinations of system attributes provided by the browser. However, most studies of fingerprinting have focused on the attributes themselves and how discriminating they might be. In this paper, we explore the discriminatory power of fingerprinting in practice, as seen through the lens of a commercial fingerprinting service. Using grey-box testing of the largest commercial fingerprinting service, we selectively mutate inputs to infer key aspects of their approach. In this way, we empirically characterize the relative importance of attributes, and how they are combined with server-side state about cookies and IP addresses to build a fingerprinting service considerably more robust than pure client-side approaches.

CCS Concepts

• Information systems → World Wide Web; • Security and privacy → Privacy protections.