Users will now receive automatic updates to the pre-trained list of trackers
The Electronic Frontier Foundation (EFF) has changed Privacy Badger’s default settings after security researchers at Google warned the tool’s privacy-protecting features might be turned against its users.
Privacy Badger is a browser add-on that blocks advertisers and other third-party trackers from covertly following users’ browsing activity. The software employs tracking heuristics based on third-party cookies, HTML5 local storage ‘supercookies’, and canvas fingerprinting.
The EFF is switching off the tool’s ‘local learning’ function, whereby Privacy Badger actively searches, logs, and blocks trackers while the user is browsing, according to a blog post published Wednesday (October 7).
The EFF reconfigured the tool’s default settings in the latest software update after being informed by Google, in February, of how weaknesses inherent to heuristic learning blockers such as Privacy Badger could put users’ privacy at risk.
For instance, the EFF immediately removed the tool’s pixel cookie sharing function, which was introduced in July 2019, after learning that the way Privacy Badger checked first-party cookie strings against outgoing third-party request URLs meant an attacker could potentially extract first-party cookie values.
Google also found that heuristic learning blockers could be manipulated, through a form of fingerprinting, into identifying arbitrary domains as trackers and allowing adversaries to ascertain which domains a user’s tool had learned to block – a problem underpinning vulnerabilities in Safari’s Intelligent Tracking Prevention feature that Apple patched late last year.
“The main risk of enabling local learning is that a bad actor can manipulate Privacy Badger’s state in order to create a unique identifier,” said a team of EFF technologists and privacy engineers who wrote the blog post.
With local learning switched off, attackers will find it difficult to tell whether a domain was learned from a user’s own browsing or from pre-training, while “Privacy Badger’s list of domains that belong to the same entity” will “always be seen as first party by Privacy Badger and thus [be] immune” to history sniffing.
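The risk described above comes down to one property: with local learning, the set of domains a user’s installation has learned to block is a function of that user’s browsing history, whereas the pre-trained list is identical for everyone. The toy model below (added here, not Privacy Badger’s own code) makes that concrete; the “block after three distinct first-party sites” rule, the pre-trained list, the entity mapping and the browsing histories are all constructed assumptions.

```python
from collections import defaultdict

# Constructed data: a pre-trained list shipped to every installation (stands in
# for a Badger Sett scan) and an entity list of domains treated as first party.
PRETRAINED = frozenset({"tracker-a.example", "tracker-b.example"})
SAME_ENTITY = {"cdn.shop.example": "shop.example"}
BLOCK_THRESHOLD = 3  # assumption: distinct first-party sites seen before blocking


class Badger:
    def __init__(self, local_learning: bool):
        self.local_learning = local_learning
        self.seen = defaultdict(set)   # third party -> first parties it tracked on
        self.learned = set()           # domains blocked because of local learning

    def observe(self, first_party: str, third_party: str) -> None:
        """Record that third_party set a tracking cookie while on first_party."""
        if not self.local_learning:
            return
        # A domain belonging to the same entity as the site is treated as first
        # party, so it never enters the learned state (the "immune" case above).
        if SAME_ENTITY.get(third_party) == first_party:
            return
        self.seen[third_party].add(first_party)
        if len(self.seen[third_party]) >= BLOCK_THRESHOLD:
            self.learned.add(third_party)

    def state(self) -> frozenset:
        """The block decisions an outside party could probe for this user."""
        return PRETRAINED | self.learned


def simulate(local_learning: bool, histories: dict) -> dict:
    """Feed each user's (first_party, third_party) history to a fresh instance."""
    out = {}
    for user, visits in histories.items():
        badger = Badger(local_learning)
        for first_party, third_party in visits:
            badger.observe(first_party, third_party)
        out[user] = badger.state()
    return out


# Constructed histories: only alice's visits push tracker-x over the threshold.
HISTORIES = {
    "alice": [("news.example", "tracker-x.example"), ("blog.example", "tracker-x.example"),
              ("shop.example", "tracker-x.example"), ("shop.example", "cdn.shop.example")],
    "bob": [("news.example", "tracker-x.example")],
}
```

With `local_learning=False` every user ends up with exactly `PRETRAINED`, so block decisions reveal nothing about the individual; with it enabled, alice’s state differs from bob’s purely because of what she browsed.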
Sett and setting
Previously, every new Privacy Badger installation would block domains based on a list of known trackers collected from the latest Badger Sett scan, but subsequent software updates would not expand the list.
Instead, the list of known trackers would expand dynamically based on a user’s own browsing activity.
Now – unless they opt into local learning – all users’ Privacy Badger instances will be updated periodically based on fresh Badger Sett scans.
Opting back in
If users opt back into local learning, the function will perform in the same way as before, although users will not receive automatic tracker list updates.
Users can opt back into local learning at their own risk – and the EFF has “seen no evidence” of in-the-wild exploitation against Privacy Badger users.
“Compared with existing methods available to bad actors, fingerprinting Privacy Badger’s local learning is likely to be less reliable, more resource-intensive, and more visible to users,” added the EFF’s security experts.
However, the EFF has turned off local learning “because we believe the majority of Privacy Badger’s protection is already captured by the pre-trained list, and we don’t want to expose users to any potential risk without informed opt-in”.
Nevertheless, they acknowledged that local learning still has some utility.
“The pre-trained list is designed to learn about the trackers present on thousands of the most popular sites on the Web, but it does not capture the ‘long tail’ of tracking on websites that are less popular.”
Users might still decide to opt into local learning if they “regularly browse websites overlooked by ad/tracker blocker lists, or if [they] prefer a more hands-on approach”.
“In the coming months,” the EFF is also “expanding the reach of Badger Sett beyond U.S.-centric websites to capture more trackers in our pre-trained lists”, as well as “improving widget replacement” and adding “new tracker detection mechanisms”.