I know what you did last summer: New persistent tracking mechanisms in the wild.

Abstract

OAPA As the usage of the web increases, so do the threats an everyday user faces. One of the most pervasive threats a web user faces is tracking, which enables an entity to gain unauthorised access to the user’s personal data. Through the years many client storage technologies, such as cookies, have been used for this purpose and have been extensively studied in the literature. The focus of this work is on three newer client storage mechanisms, namely Web Storage, Web SQL Database and Indexed Database API. Initially, a large-scale analysis of their usage on the web is conducted to appraise their usage in the wild. Then, this work examines the extent they are used for tracking purposes. The results suggest that Web Storage is the most used among the three technologies. More importantly, to the best of our knowledge this work is the first to suggest web tracking as the main use case of these technologies. Motivated by these results, this work examines whether popular desktop and mobile browsers protect their users from tracking mechanisms that use Web Storage, Web SQL Database and Indexed Database. Our results uncover many cases where the relevant security controls are ineffective, thus making it virtually impossible for certain users to avoid tracking.