Anti-Fingerprinting Telemetry


Tom Ritter

Sep 24, 2024, 11:43:12 AM
to Mozilla
In October, we intend to start a gradual roll-out of a set of new privacy-preserving telemetry probes to help us continue combating browser fingerprinting. These probes are subject to our standard data collection policies and telemetry opt-out. We’re also implementing some additional protections for these probes as described below.

First, some background. While we already have strong protections for cookie-based tracking (e.g. Total Cookie Protection), online trackers are adopting alternative ways to track people online. One of the most common ways is browser fingerprinting - combining small individual characteristics about a user’s browser or computer into a unique fingerprint. This fingerprint can be used to identify users across websites and browsing sessions without cookies or IP addresses.

Firefox already offers fingerprinting protection [0], but it’s a difficult problem to address, in part because it’s difficult to get concrete facts about it. We know it occurs, we know many of the characteristics used to uniquely identify users, and there have been some publications that give indicators about which characteristics are the most troublesome in making users unique. But these publications are based on a biased sample, are several years out of date, and have verifiably incorrect (or inapplicable) results, such as navigator.plugins being a purported source of entropy when it has in fact been hard-coded in modern Firefox for over two years [1].

By collecting real-world data in a privacy-preserving way, we intend to find out which Web APIs to modify such that most of our users are no longer unique, ideally arriving at large sets of users with the same fingerprint. These measurements will help us build effective and robust protections in Firefox against online fingerprinting.

This technical data is not sensitive in the traditional sense: it’s mundane information like screen resolution and CPU core count. However, because bad actors are currently using these same kinds of data points to track users, we are taking a number of additional precautions with the collection:

 - not linking the received data to any other telemetry pings and omitting all additional ping metadata, both of which prevent the submission from being correlated to other telemetry data and expanding the scope of disclosure
 - limiting the data retention period to a maximum of 90 days and limiting the access controls for the data to the specific team working on this,
 - and perhaps most notably - submitting the data over Oblivious HTTP (OHTTP) [2] to provide verifiable unlinkability. We already don’t record the IP address used to submit telemetry, but this provides technical enforcement behind that policy, allowing anyone to inspect the code and verify it cannot be linked to the sender.

The meta bug tracking this work is https://bugzilla.mozilla.org/show_bug.cgi?id=1879151 . The more noteworthy artifact is our public Decision Brief ( https://docs.google.com/document/d/1m_j0BQEprQleRHZ7tVT7mG-krc8UA171GD5Vl6gZbL0/edit ) which lays out the reasoning behind doing this collection, the specific questions we intend to answer with it, the alternatives we explored, and the safeguards we are including.

The new telemetry probes respect the existing Telemetry opt-out settings. They can also be disabled individually by setting “toolkit.telemetry.user_characteristics_ping.opt-out” to true. The telemetry collection will not be sent from every client; it will be requested from a random sampling of users. Over time we may expand the collection in order to inform research for developing fingerprinting protections.


[0] https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1720353
[2] https://www.ietf.org/rfc/rfc9458.html
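As an added illustration of the analysis the post describes (this is not Mozilla's code, and the client records, attribute names and values are constructed), the following Python computes how many bits of entropy each characteristic contributes, what fraction of clients have a unique fingerprint, and how one candidate protection (capping the reported core count) enlarges the anonymity sets.

```python
"""Added example (not Mozilla's code): measure how much each fingerprint
attribute contributes to uniqueness and how a candidate protection
(clamping one attribute) grows the anonymity sets. Records are constructed."""
from collections import Counter
from math import log2

# Constructed sample of per-client characteristics (hypothetical values).
CLIENTS = [
    {"screen": "1920x1080", "cores": 8,  "tz": "UTC-5"},
    {"screen": "1920x1080", "cores": 4,  "tz": "UTC-5"},
    {"screen": "1920x1080", "cores": 16, "tz": "UTC-5"},
    {"screen": "1920x1080", "cores": 12, "tz": "UTC+1"},
    {"screen": "2560x1440", "cores": 8,  "tz": "UTC+1"},
    {"screen": "2560x1440", "cores": 8,  "tz": "UTC+1"},
    {"screen": "1366x768",  "cores": 2,  "tz": "UTC-5"},
    {"screen": "1366x768",  "cores": 4,  "tz": "UTC-5"},
]
KEYS = ["screen", "cores", "tz"]

def entropy_bits(values):
    """Shannon entropy of one attribute's distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * log2(c / n) for c in counts.values())

def attribute_entropy(clients, key):
    """Entropy contributed by a single characteristic across all clients."""
    return entropy_bits([c[key] for c in clients])

def anonymity_sets(clients, keys=KEYS):
    """Map each full fingerprint (tuple over `keys`) to how many clients share it."""
    return Counter(tuple(c[k] for k in keys) for c in clients)

def unique_fraction(clients, keys=KEYS):
    """Share of clients whose fingerprint matches nobody else's."""
    sets = anonymity_sets(clients, keys)
    return sum(sets[tuple(c[k] for k in keys)] == 1 for c in clients) / len(clients)

def clamp_cores(clients, cap=8):
    """Candidate protection: report at most `cap` cores, so high counts merge."""
    return [{**c, "cores": min(c["cores"], cap)} for c in clients]

if __name__ == "__main__":
    for k in KEYS:
        print(f"{k:6} entropy = {attribute_entropy(CLIENTS, k):.2f} bits")
    print("unique fraction before:", unique_fraction(CLIENTS))
    print("unique fraction after clamp:", unique_fraction(clamp_cores(CLIENTS)))
```

On the constructed sample the core count carries the most entropy, and capping it at 8 drops the uniquely identifiable share of clients from 3/4 to 1/2; the same per-attribute entropy and anonymity-set view is what real-world data would be used to compute.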

Nick Alexander

Sep 24, 2024, 12:33:57 PM
to Tom Ritter, Mozilla
Tom,

No substantive comment on the meat of the proposal: it sounds like a reasonable idea to me.

> The new telemetry probes respect the existing Telemetry opt-out settings. They can also be disabled individually by setting “toolkit.telemetry.user_characteristics_ping.opt-out” to true. The telemetry collection will not be sent from every client; it will be requested from a random sampling of users. Over time we may expand the collection in order to inform research for developing fingerprinting protections.

I'm interested in this "random sampling of users", but I don't see anything about this in the linked public Decision Brief.  In fact, my reading of the Decision Brief says "all clients once, and then maybe again in the future", but I could be wrong, or the approach may have evolved.  Can you link to more details?  I'm particularly interested in the technical mechanism (client coin flips?) and the power calculations that go into determining the sampling rate.

Thanks!
Nick

Tom Ritter

Sep 24, 2024, 12:57:27 PM
to Nick Alexander, Tom Ritter, Mozilla
We didn't do anything special for that - we're just relying on Nimbus.  The Decision Brief is supposed to convey that when we get to Release, we'll just do a small sample size initially ("Limit roll-out through Nimbus") but if it's unclear somewhere I can tweak it.  I am hopeful that we won't need to collect data from all clients on Release, but since we ultimately are looking to protect the most unique users I don't know for certain the point at which we will have a statistically significant sample size.  We do intend to do one collection (one ping/enrolled user) initially and eventually a follow-up to validate our efforts and measure how much less fingerprintable our users are.

-tom


Nick Alexander

Sep 24, 2024, 1:01:00 PM
to Tom Ritter, Mozilla
Since I understand how Nimbus enrolls users, that clarifies things.

Thanks!
Nick

