Pierre Laperdrix

About Me

I am currently a full-time researcher (Chargé de Recherche) for CNRS in the CRIStAL laboratory. I am working in the SPIRALS team on computer security and privacy with a touch of software engineering.

Previously, I was a postdoctoral researcher in the PragSec lab at Stony Brook University and, after, in the Secure Web Applications Group at Cispa.

I obtained my PhD working on browser fingerprinting in the DiverSE team at INRIA Rennes where I developed the AmIUnique.org and Fingerprint Central websites.

Scientific publications

2024
Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services
Naif Mehanna, Walter Rudametkin, Pierre Laperdrix and Antoine Vastel
Proceedings of the 6th Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb 2024)
San Diego, CA, USA
- Distinguished Paper Award
PDF
2023
UA-Radar: Exploring the Impact of User Agents on the Web
Jean Luc Intumwayase, Imane Fouad, Pierre Laperdrix and Romain Rouvoy
Proceedings of the 22nd Workshop on Privacy in the Electronic Society (WPES 2023)
Copenhagen, Denmark
PDF

Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript
Romain Fouquet, Pierre Laperdrix and Romain Rouvoy
Journal ACM Transactions on Internet Technology (TOIT)
- Media coverage NextInpact (FR)
PDF

2022
Multi-variant Execution at the Edge
Javier Cabrera Arteaga, Pierre Laperdrix, Martin Monperrus and Benoit Baudry
Proceedings of the 9th ACM Workshop on Moving Target Defense (MTD 2022)
Los Angeles, CA, USA
PDF

The Price to Play: A Privacy Analysis of Free and Paid Games in the Android Ecosystem
Pierre Laperdrix, Naif Mehanna, Antonin Durey and Walter Rudametkin
Proceedings of the 2022 edition of The Web Conference (WWW 2022)
Online
- Media coverage Inria (FR) Journal du CNRS (FR) JV Culture Jeu Vidéo n°95 (FR)
PDF Artifact

JSRehab: Weaning Common Web Interface Components from JavaScript Addiction
Romain Fouquet, Pierre Laperdrix and Romain Rouvoy
Companion proceedings of the 2022 edition of The Web Conference (WWW 2022, Special track: "Web developer and W3C")
Online
PDF Artifact

DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting
Tomer Laor, Naif Mehanna, Antonin Durey, Vitaly Dyadyuk, Pierre Laperdrix, Clémentine Maurice, Yossi Oren, Romain Rouvoy, Walter Rudametkin and Yuval Yarom
Proceedings of the 29th Network and Distributed System Security Symposium (NDSS 2022)
San Diego, CA, USA
- First Place at CSAW'22 MENA Applied Research Competition
- Media coverage Forbes The Hacker News BleepingComputer BitDefender TechRadar Gizmodo
PDF Artifact

2021
SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers
Thomas Rokicki, Clémentine Maurice and Pierre Laperdrix
Proceedings of the 6th IEEE European Symposium on Security and Privacy (EuroS&P 2021)
Online
PDF Artifact

Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets
Pierre Laperdrix, Oleksii Starov, Quan Chen, Alexandros Kapravelos and Nick Nikiforakis
Proceedings of the 30th USENIX Security Symposium (USENIX Sec. 2021)
Online
PDF Artifact

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security
Antonin Durey, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy
Proceedings of the 18th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2021)
Online (acceptance rate: 29%)
PDF Dataset

Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users
Vikas Mishra, Pierre Laperdrix, Walter Rudametkin and Romain Rouvoy
Proceedings of the 21st Privacy Enhancing Technologies Symposium (PETS 2021)
Online
PDF

Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication
Gordon Meiser, Pierre Laperdrix and Ben Stock
Proceedings of the 6th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2021)
Online
PDF

2020

Web Runner 2049: Evaluating Third-Party Anti-bot Services
Babak Amin Azad, Oleksii Starov, Pierre Laperdrix and Nick Nikiforakis
Proceedings of the 17th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2020)
Lisboa, Portugal (acceptance rate: 29%)
PDF

Taming The Shape Shifter: Detecting Anti-fingerprinting Browsers
Babak Amin Azad, Oleksii Starov, Pierre Laperdrix and Nick Nikiforakis
Proceedings of the 17th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2020)
Lisboa, Portugal (acceptance rate: 29%)
PDF

Don’t count me out: On the relevance of IP addresses in the tracking ecosystem
Vikas Mishra, Pierre Laperdrix, Antoine Vastel, Walter Rudametkin, Romain Rouvoy and Martin Lopatka
Proceedings of the 2020 edition of The Web Conference (WWW 2020)
Taipei, Taïwan (acceptance rate: 19%)
PDF

Browser fingerprinting: A survey
Pierre Laperdrix, Nataliia Bielova, Benoit Baudry and Gildas Avoine
Journal ACM Transactions on the Web (TWEB)
PDF

2019

Less is More: Quantifying the Security Benefits of Debloating Web Applications
Babak Amin Azad, Pierre Laperdrix and Nick Nikiforakis
Proceedings of the 28th USENIX Security Symposium (USENIX Sec. 2019)
Santa Clara, CA, USA (acceptance rate: 16%)
PDF Artifact

Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting
Pierre Laperdrix, Gildas Avoine, Benoit Baudry and Nick Nikiforakis
Proceedings of the 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2019)
Gothenburg, Sweden (acceptance rate: 29%)
PDF Artifact Demo

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat
Oleksii Starov, Pierre Laperdrix, Alexandros Kapravelos and Nick Nikiforakis
Proceedings of the 2019 edition of The Web Conference (WWW 2019)
San Fransisco, CA, USA (acceptance rate: 20%)
PDF Artifact

Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers
Meng Luo, Pierre Laperdrix, Nima Honarmand, Nick Nikiforakis
Proceedings of the 26th Network and Distributed System Security Symposium (NDSS 2019)
San Diego, CA, USA (acceptance rate: 17%)
PDF

2018

FP-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies
Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy
Proceedings of the 27th USENIX Security Symposium (USENIX Sec. 2018)
Baltimore, MD, USA (acceptance rate: 19%)
PDF

FP-STALKER: Tracking Browser Fingerprint Evolutions
Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, Romain Rouvoy
Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P 2018)
San Francisco, CA, USA (acceptance rate: 11%)
PDF

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale
Alejandro Gómez-Boix, Pierre Laperdrix, Benoit Baudry
Proceedings of the 2018 edition of The Web Conference (WWW 2018)
Lyon, France (acceptance rate: 15%)
PDF

2017

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques
Pierre Laperdrix, Benoit Baudry, Vikas Mishra
Proceedings of the 9th International Symposium on Engineering Secure Software and Systems (ESSoS 2017)
Bonn, Germany (acceptance rate: 37%)
- Distinguished Artifact Award
- Similar defense technique added in the Brave browser Brave blog Inria blog
PDF Slides Artifact

2016

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints
Pierre Laperdrix, Walter Rudametkin, Benoit Baudry
Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P 2016)
San Jose, CA, USA (acceptance rate: 13%)
- 2018 CNIL-Inria European Privacy Protection Award
PDF Slides Video

2015

Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification
Pierre Laperdrix, Walter Rudametkin, Benoit Baudry
Proceedings of the 10th International Symposium on Software Engineering for Adaptive and Self-Managing Systems (SEAMS 2015)
Florence, Italy (acceptance rate: 29%)
PDF Slides Artifact (Original) Artifact (Docker)

PhD Thesis

Browser Fingerprinting: Exploring Device Diversity to Augment Authentication and Build Client-Side Countermeasures
Pierre Laperdrix
Defense in October 2017
- Honorable mention for the 2018 Gilles Kahn PhD thesis award
PDF

Service

Vice-president of the CNIL-Inria Privacy Award 2022
Jury member of the CNIL-Inria Privacy Award 2023
Program Committee member for:

CCS 2024 (Track "Web Security")
WOOT 2024
SecWeb 2024
EuroSec 2024
MADWeb 2024
USENIX Security 2024
CCS 2023 (Track "Web Security")
SecWeb 2023
EuroSec 2023
MADWeb 2023
The Web Conference 2023 (Track "Security, Privacy, and Trust")
USENIX Security 2023
DIMVA 2022
SecWeb 2022
EuroSec 2022
CCS 2022 (Track "Web Security")
MADWeb 2022
The Web Conference 2022 (2 tracks: "Security, Privacy, and Trust" and "Systems and Infrastructure"), PC member honorable mention
SecWeb 2021
RAID 2021
EuroSec 2021
USENIX Security 2021
DIMVA 2021
WOOT 2021
The Web Conference 2021 (Track "Systems and Infrastructure")
WPES 2020
USENIX Security 2020
WOOT 2020
DIMVA 2020
WOOT 2019
eCrime 2018
IMC 2018 (Shadow PC)

Reviewer for:

External reviewer for WOOT 2023, DSN 2022, USENIX Security 2022, CCS 2021, S&P 2020, WWW 2020, ICSE SEIP 2020, PETS 2020, ACSAC 2019, CCS 2019, PETS 2019, WOOT 2018, USENIX Security 2018, DIMVA 2018, ICDCS 2018, WWW 2018, ESORICS 2017

Grants

ANR PRCI project "FACADES" (PI), 2022-2025
STaRS project "ASCOT" (PI), 2020-2023

Awards

- Best Paper Award at MADWeb'24 for the article "Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services"
- First place at CSAW'22 MENA Applied Research Competition for the article "DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting"
- 2018 CNIL-Inria European Privacy Protection award for the article "Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints"
- Honorable mention for the 2018 Gilles Kahn PhD thesis award
- Distinguished Artifact Award for the article "FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques"

Public outreach

Interview "Des mouchards dans les jeux mobiles"
Journal du CNRS. Mars 2023 Link
Interview "Attention, les jeux sur votre smartphone en veulent aussi à vos données personelles"
JV Culture Jeu Vidéo n°95, Octobre 2022 Link
Interview "L’adaptation au changement peut poser problème"
Monaco Hebdo. Août 2021 Link
Interview "Pour les mouchards publicitaires, les alternatives aux cookies restent limitées"
Le Monde. February 2020 Link
Blog "Browser Fingerprinting: An Introduction and the Challenges Ahead"
The Tor project blog. September 2019 Link
Article "Le fingerprinting : une nouvelle technique de traçage"
MISC n°81, french security-focused magazine. September/October 2015, pp.52-57 Link

Projects

AmIUnique.org - Learn how identifiable you are on the Internet

A website to inform users on the dangers of browser fingerprinting
Open Source

The goal of this website is to measure and study the diversity of web browsers and establish statistical profiles of browser fingerprints.

By connecting to AmIUnique, you cannot only check your browser fingerprint and see how unique you are in the web ecosystem, you will also contribute in building a database of genuine fingerprints that will help us build solutions to prevent fingerprint tracking.

Source: View on GitHub

View your browser fingerprint

In addition to the AmIUnique website, I developed extensions for Chrome and Firefox to understand the evolution of fingerprints and study it in depth.

With them, the user can see the evolution of his fingerprint on his own timeline and be notified as soon as a change is detected.

AmIUnique extension for Firefox AmIUnique extension for Chrome

Fingerprint Central - A project for the Tor organization

A website to help developers design smart defences against browser fingerprinting
Developed as part of the Google Summer of Code 2016
Now officially part of the Tor Project - Official site
Open Source

New

The capabilities of browser fingerprinting as a tool to track users online has been demonstrated by Panopticlick and other research papers since 2010. The Tor community is fully aware of the problem and the Tor browser has been modified to follow the "one fingerprint for all" approach. However, due to the constant evolution of the web and its underlying technologies, it has become a true challenge to always stay ahead of the latest fingerprinting techniques.

For this Google Summer of Code project, I'm developing the Fingerprint Central website that runs a fingerprinting test suite and collect data from Tor browsers to help developers design and test new defences against browser fingerprinting. The website is similar to AmIUnique.org or Panopticlick for users where they will get a complete summary with statistics after the test suite has been executed. It can be used to test new fingerprinting protection as well as making sure that fingerprinting-related bugs were correctly fixed with specific regression tests. The expected long-term impact of this project is to reduce the differences between Tor users and reinforce their privacy and anonymity online.

Links: View on GitHub View the GSoC proposal View status reports

Visit the official site

FPRandom - Breaking the stability of advanced fingerprinting techniques

A modified browser that introduces random noise inside core browser objects
Open Source

FPRandom is a modified version of Firefox 54, the latest Nightly version from Mozilla. FPRandom's primary goal is to break the stability and determinism of very specific fingerprinting techniques (Canvas, Audio, JavaScript engine) while preserving the best user experience possible. By introducing enough noise during the fingerprinting process, trackers are fooled and cannot bound a freshly collected fingerprint with an old one, thus rendering the tracking across multiple sessions impossible.

Source: View on GitHub

Test the Linux prototype

Blink on Docker

A new and improved version of Blink running completely inside Docker containers!
Open Source

New features:

Improved performances: Thanks to the technology behind containers, Blink generates and launches complete environments in less than 10s! The footprint has also been drastically reduced compared to the size of complete virtual machines.
Easy installation: One script to build everything, one script to run everything! It cannot get simpler than that.
Integrated maintenance system: Updates to both Blink's core and the diversity reservoir are now automatically delivered!
Tor compatibility: You can now direct all your network traffic through the Tor network!

Source: View on GitHub View on Docker Hub

An early build without the complete set of features is now available. More information here!

Talks/events

MADWeb 2024 (San Diego, US) - Keynote speaker on the topic of web evolution
Summer School Cyber in Sophia 2023 (Valbonne, FR) - Lecture on online tracking and browser fingerprinting
JEIA 2023 (Lille, FR) - Tutorial on online tracking
CNIL Privacy Research day 2022 (Paris, FR) - Talk on Android games research
Journées nationales du GDR Sécurité Informatique (Paris, FR) - Presentation on browser fingerprinting
FIC 2022 (Lille, FR) - Presentation on browser fingerprinting
Panel on web security and privacy (Lille, FR) - Invited to talk to the public about the dangers of online tracking
SoSySec seminar (Online) - Invited talk on browser fingerprinting
GDR RSF and ASD Winter School 2020 (Le Pleynet, FR) - Presentation of our study on debloating web applications
DIMVA 2019 (Gothenburg, SE) - Presentation of my publication on using canvas fingerprinting for authentication
RuhrSec IT Security conference (Bochum, DE) - Presentation of the research in the browser fingerprinting domain
Security Seminar at CNIL (Paris, FR) - Presentation of the research in the browser fingerprinting domain
Congrès SIF 2019 (Bordeaux, FR) - Presentation of the work performed in my PhD for the Gilles Kahn Award
Dagstuhl seminar (Dagstuhl, DE) - Seminar on Web Application Security
Security seminar (Stockholm, SE) - Invited talk on browser fingerprinting
The Web Conference 2018 (Lyon, FR) - Tutorial "Web Tracking Technologies and Protection Mechanisms"
Meeting with a researcher (Rennes, FR) - Introduction on browser fingerprinting with a discussion about life as a researcher
MozFest 2017 (London, UK) - Workshop on third-party tracking and browser fingerprinting
PhD defense (Rennes, FR)
Security seminar (Potsdam, DE) - Invited talk on browser fingerprinting
ESSoS 2017 (Bonn, DE) - Presentation of my 3rd publication on FPRandom
FADEx 2017 (Nancy/Paris/Rennes, FR) - Participation in security-focused workshops and seminars
RESSI 2017 (Grenoble, FR) - Presentation of my 2nd publication on AmIUnique
EuroS&P 2017 (Paris, FR) - Student volunteer
Cryptoparty III (Rennes, FR) - Workshop on browser fingerprinting
Facebook Security Faculty Summit (London, UK) - Participation in a security-focused summit with Facebook employees and faculty members
Security seminar (Caen, FR) - Invited talk on browser fingerprinting
Cybersecurity meeting (Nancy, FR) - Presentation of AmIUnique and browser fingerprinting
EIT Digital International Security Symposium (Rennes, FR) - Presentation of AmIUnique and Blink
Meeting with researchers at DGA (National Defense Government agency in Bruz, FR) - Presentation of Blink
GSOC 2016 - Development of Fingerprint Central for the Tor organization
S&P 2016 (San Jose, US) - Presentation of my 2nd publication on AmIUnique and presentation of a poster on Blink
Cryptoparty II (Rennes, FR) - Workshop on browser fingerprinting
Irisa Open House Day (Rennes, FR) - Presentation of AmIUnique and browser fingerprinting
SEAMS 2015 (Firenze, IT) - Presentation of my 1st publication
Cryptoparty I (Rennes, FR) - Workshop on browser fingerprinting
FIC 2015 (Lille, FR) - Presentation of Blink
fOSSa 2014 (Rennes, FR) - Presentation of Blink
OWF 2014 (Paris, FR) - Presentation of Blink

About Me

Scientific publications

Free Proxies Unmasked: A Vulnerability and Longitudinal Analysis of Free Proxy Services

UA-Radar: Exploring the Impact of User Agents on the Web

Breaking Bad: Quantifying the Addiction of Web Elements to JavaScript

Multi-variant Execution at the Edge

The Price to Play: A Privacy Analysis of Free and Paid Games in the Android Ecosystem

JSRehab: Weaning Common Web Interface Components from JavaScript Addiction

DRAWNAPART: A Device Identification Technique based on Remote GPU Fingerprinting

SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers

Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets

FP-Redemption: Studying Browser Fingerprinting Adoption for the Sake of Web Security

Déjà vu: Abusing Browser Cache Headers to Identify and Track Online Users

Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication

Web Runner 2049: Evaluating Third-Party Anti-bot Services

Taming The Shape Shifter: Detecting Anti-fingerprinting Browsers

Don’t count me out: On the relevance of IP addresses in the tracking ecosystem

Browser fingerprinting: A survey

Less is More: Quantifying the Security Benefits of Debloating Web Applications

Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting

Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat

Time Does Not Heal All Wounds: A Longitudinal Analysis of Security-Mechanism Support in Mobile Browsers

FP-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies

FP-STALKER: Tracking Browser Fingerprint Evolutions

Hiding in the Crowd: an Analysis of the Effectiveness of Browser Fingerprinting at Large Scale

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints

Mitigating browser fingerprint tracking: multi-level reconfiguration and diversification