Many tracking companies collect user data and sell it to data markets and advertisers. While they claim to protect user privacy by anonymizing the data, our research reveals that significant privacy risks persist even with anonymized data. Attackers can exploit this data to identify users' accounts on other websites and perform targeted identity alignment. In this paper, we propose an effective identity alignment scheme for accurately identifying targeted users. We develop a data collector to obtain the necessary datasets, an algorithm for identity alignment, and, based on this, construct two types of de-anonymization attacks: the \textit{passive attack}, which analyzes tracker data to align identities, and the \textit{active attack}, which induces users to interact online, leading to higher success rates. Furthermore, we introduce, for the first time, a novel evaluation framework for online tracking-based identity alignment. We investigate the key factors influencing the effectiveness of identity alignment. Additionally, we provide an independent assessment of our generated dataset and present a fully functional system prototype applied to a cryptocurrency use case.
翻译:许多追踪公司收集用户数据并将其出售给数据市场和广告商。尽管他们声称通过匿名化处理来保护用户隐私,但我们的研究表明,即使数据经过匿名化处理,仍然存在显著的隐私风险。攻击者可以利用这些数据识别用户在其他网站上的账户,并进行针对性的身份对齐。在本文中,我们提出了一种有效的身份对齐方案,用于准确识别目标用户。我们开发了一个数据收集器来获取必要的数据集,一种用于身份对齐的算法,并在此基础上构建了两种类型的去匿名化攻击:\textit{被动攻击}(通过分析追踪器数据来对齐身份)和\textit{主动攻击}(诱导用户在线互动,从而获得更高的成功率)。此外,我们首次引入了一种新颖的基于在线追踪的身份对齐评估框架。我们研究了影响身份对齐有效性的关键因素。同时,我们对生成的数据集进行了独立评估,并展示了一个应用于加密货币用例的完整功能系统原型。