Keep your Identity Small: Privacy-preserving Client-side Fingerprinting

Abstract

Device fingerprinting is a widely used technique that allows a third party to identify a particular device. Applications of device fingerprinting include authentication, attacker identification, or software license binding. Device fingerprinting is also used on the web as a method for identifying users. Unfortunately, one of its most widespread uses is to identify users visiting different websites and thus build their browsing history. This constitutes a specific type of web tracking that poses a threat to users’ privacy. While many anti-tracking solutions have been proposed, all of them block or tamper with device fingerprinting techniques rather than just blocking their web tracking application. Therefore, users may be limited in their experience while using a website. In this paper, we propose Privacy-preserving Client-side Fingerprinting (PCF), a new method that allows device fingerprinting on the web, while blocks the possibility of performing web tracking. To this end, PCF is built upon fingerprinting transparency: any website ought to declare its fingerprinting scripts while users will compute them in a privacy-preserving manner, limiting the resultant fingerprints for each different domain and, therefore, making web tracking not feasible.