Doppelganger: Better Browser Privacy Without the Bother
Umesh Shankar and Chris Karlof - UC Berkeley
link: http://www.cs.berkeley.edu/~ushankar/research/doppel/doppel-ccs06.pdf

The paper studies the usability and privacy issues of current cookie management systems and then offers a solution in the form of a tool called "Doppelganger", implemented as a Firefox plugin. The main goal of the paper is to identify useful cookies and their privacy implications automatically and then present the results to the user, which would help her create a feasible cookie policy for a particular domain.

The paper starts out by introducing cookies and the existing cookie management frameworks. The rest of the paper describes the Doppelganger framework. Doppelganger uses mirroring and user-initiated error recovery as its two main techniques for identifying beneficial cookies. Mirroring uses client-side parallelism to explore alternate policies in the background. When the tool encounters a page load for a domain for which it doesn't have a complete policy, it begins to mirror the session in the fork window. It mirrors the session by replicating the user's main-window actions in the fork window and then looking for differences between the two. The paper then explains in detail how mirroring in the fork window works, how the fork window is used to make automatic decisions affecting the cookie policy, and how it exposes additional functionality enabled by cookies to the user.

The Doppelganger tool has a button labeled "Fix Me", which can be used to initiate recovery of the webpage if the user makes the mistake of blocking a useful cookie. To do this, the tool explicitly keeps track of user-initiated UI events such as mouse clicks and form inputs, and replays them when needed. The paper elaborates on the techniques used to create the tool and also evaluates the tool over various real-world websites that are known to have cookies.
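The mirroring idea summarized above, as an added example that is not code from the paper or the Doppelganger plugin: the main load sends every cookie, each fork load withholds one, and a cookie is flagged as beneficial only if the normalized pages differ. The names fetchPage, normalize, diffLines, classifyCookies and sampleJar are hypothetical, the site is a constructed stand-in, and testing one cookie at a time is a simplifying assumption.

```javascript
// Constructed stand-in for a site (hypothetical): renders a page from the cookies sent.
function fetchPage(cookies) {
  return [
    "<h1>Example Shop</h1>",
    cookies.session ? "Welcome back, alice" : "Please log in",
    cookies.cart ? `Cart: ${cookies.cart} items` : "Cart: empty",
    // The tracker cookie is accepted by the site but never changes the page.
    `<!-- served at ${Date.now()} -->`, // per-request noise
  ].join("\n");
}

// Drop content that changes on every load so it is not mistaken for a cookie effect.
function normalize(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "").trim();
}

// Positional line diff: enough for this fixed-layout sample page.
function diffLines(a, b) {
  const x = a.split("\n"), y = b.split("\n"), out = [];
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    if (x[i] !== y[i]) out.push({ main: x[i] ?? "", fork: y[i] ?? "" });
  }
  return out;
}

// Main window sends every cookie; each fork load withholds one of them.
function classifyCookies(cookies, load) {
  const main = normalize(load(cookies));
  const verdicts = {};
  for (const name of Object.keys(cookies)) {
    const { [name]: _withheld, ...rest } = cookies;
    const differences = diffLines(main, normalize(load(rest)));
    verdicts[name] = { keep: differences.length > 0, differences };
  }
  return verdicts;
}

// Constructed sample cookie jar.
const sampleJar = { session: "s-1f3a", cart: "3", tracker: "uid-8842" };
for (const [name, v] of Object.entries(classifyCookies(sampleJar, fetchPage))) {
  console.log(name, v.keep ? "visible effect, ask the user" : "no visible effect, block", v.differences);
}
```

Without the normalize step, the per-request timestamp would make every cookie look beneficial, which is why a real comparison has to tolerate content that varies between any two loads.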
Finally, they discuss some of the countermeasures that website owners can use to circumvent Doppelganger, and thereby bring out some of its limitations.

Pros:

1. The paper is well written.

2. The detailed background helped us to understand cookies well. We did not need to look up external sources to understand the paper. It was also good to see that the paper discusses the limitations of its approach.

3. The proposed ideas are interesting. Some of the features, like allowing rollback of the user's decisions and the way the privacy consequences of cookies are evaluated, were liked by everyone.

Cons:

1. Although the introduction is well written, it has lots of redundant information. In the later part of the paper, however, things are explained too concisely. For instance, section 3.3, where it talks about recoveries and rollbacks, and section 3.2.5 need more examples. Omid brought up two examples to illustrate the point:

a) Suppose a user goes to Google and logs in to do 20 searches. Then she goes to the finance page and finds that her personalized information is lost. If the user clicks the "Fix Me" button, it is not clear whether all 20 Google searches are repeated to get to the final page or whether the user's actions are replayed some other way. This would have an important consequence for the performance of the tool.

b) Similarly, what would happen in the case of a shopping cart? The user places some items in the shopping cart but closes her browser window accidentally. If the user reopens the page, she expects to find the items in the shopping cart. If not, she would try to restore them by using the same "Fix Me" button. It is not clear how all the items would be restored.

2. It would have been good if they had given a more comprehensive analysis of the tool, in terms of a larger number of websites tested and performance constraints, for example the extra time required to do a rollback, etc.
They could have at least summarized briefly the results from the controlled user experiment they mention.

3. The SRG thought that the tool itself could become a security bottleneck. The tool keeps track of the user's form data, mouse clicks and maybe also keystrokes, and if this data can be intercepted, it would leak a lot more information about the user.

In summary, the paper was a good read and their approach was interesting. They should have illustrated their method better with more examples and performance results.

Voting results:
strong accept: 0
weak accept: 6
weak reject: 4
strong reject: 0