Invisible Trails? An Identity Alignment Scheme based on Online Tracking

TL;DR

This paper demonstrates that anonymized online tracking data can be exploited to accurately identify users across websites through novel passive and active de-anonymization attacks, revealing persistent privacy risks.

Contribution

It introduces a new identity alignment scheme, develops attack algorithms, and proposes a novel evaluation framework for online tracking-based de-anonymization.

Findings

Passive attack achieves high identity matching accuracy.

Active attack increases success rates by inducing user interactions.

The evaluation framework effectively measures tracking-based identity alignment effectiveness.

Abstract

Many tracking companies collect user data and sell it to data markets and advertisers. While they claim to protect user privacy by anonymizing the data, our research reveals that significant privacy risks persist even with anonymized data. Attackers can exploit this data to identify users' accounts on other websites and perform targeted identity alignment. In this paper, we propose an effective identity alignment scheme for accurately identifying targeted users. We develop a data collector to obtain the necessary datasets, an algorithm for identity alignment, and, based on this, construct two types of de-anonymization attacks: the \textit{passive attack}, which analyzes tracker data to align identities, and the \textit{active attack}, which induces users to interact online, leading to higher success rates. Furthermore, we introduce, for the first time, a novel evaluation framework for online tracking-based identity alignment. We investigate the key factors influencing the effectiveness of identity alignment. Additionally, we provide an independent assessment of our generated dataset and present a fully functional system prototype applied to a cryptocurrency use case.