
PrivacyMeter: Designing and Developing a Privacy-Preserving Browser Extension

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2018)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10953)


Abstract

Anti-tracking browser extensions are popular among web users because they let users limit the number of trackers that learn about their browsing habits. These extensions, however, are limited in that they ignore other privacy signals, such as the presence of a privacy policy, the use of HTTPS, or the presence of insecure web forms that can leak PII. To effectively inform users about the privacy consequences of visiting particular websites, we design, implement, and evaluate PrivacyMeter, a browser extension that computes, on the fly, a relative privacy score for any website that a user is visiting. This score is computed based on each website’s privacy practices and how these compare to the privacy practices of other pre-analyzed websites. We report on the development of PrivacyMeter with respect to the requirements for coverage of privacy practices, accuracy of measurement, and low performance overhead. We show how relative privacy scores help in interpreting results, as different categories of websites have different standards across the monitored privacy parameters. Finally, we discuss the power of crowdsourcing for privacy research, and the existing challenges of properly incorporating crowdsourcing in a way that protects user anonymity while allowing the service to defend against malicious clients.

The stamp on the top of this paper refers to an approval process conducted by the ESSoS Artifact Evaluation Committee.



Acknowledgments

We thank the reviewers for their valuable feedback. This work was supported by the National Science Foundation under grants CNS-1527086 and CNS-1617593 as well as by the Data Transparency Lab.

Author information


Correspondence to Oleksii Starov.


Appendices

Appendix A

Fig. 5. Box plots for number of third-party iframes and number of leaky web forms per each of 17 Alexa’s website categories, as well as the overall distribution.

Appendix B

The list of fingerprinting-related APIs currently intercepted by PrivacyMeter:

figure b


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Starov, O., Nikiforakis, N. (2018). PrivacyMeter: Designing and Developing a Privacy-Preserving Browser Extension. In: Payer, M., Rashid, A., Such, J. (eds) Engineering Secure Software and Systems. ESSoS 2018. Lecture Notes in Computer Science, vol 10953. Springer, Cham. https://doi.org/10.1007/978-3-319-94496-8_6


  • DOI: https://doi.org/10.1007/978-3-319-94496-8_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94495-1

  • Online ISBN: 978-3-319-94496-8

  • eBook Packages: Computer Science (R0)
