Célestin Matte
Privacy researcher, Wi-Fi & Web tracking
Publications

Conference publications:
Célestin Matte, Cristiana Santos, Nataliia Bielova
Purposes in IAB Europe's TCF: which legal basis and how are they used by advertisers? [5]
Summary [6]
APF'20 [7] (Annual Privacy Forum)
The General Data Protection Regulation (GDPR), Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB) discuss purposes for data processing and the legal bases upon which data controllers can rely: either "consent" or "legitimate interests". We study the purposes defined in IAB Europe's Transparency and Consent Framework (TCF) and their usage by advertisers. We analyze the purposes with regard to the legal requirements for defining them lawfully, and suggest that several of them might not be specific or explicit enough to be compliant. Arguably, a large portion thereof requires consent, even though the TCF allows advertisers to declare them under the legitimate interests basis. Finally, we measure the declaration of purposes by all advertisers registered in the TCF versions 1.1 and 2.0 and show that hundreds of them do not operate under a legal basis that could be considered compliant under the GDPR.
Célestin Matte, Nataliia Bielova, Cristiana Santos
Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework [3]
Website [8], Browser extension [9]
IEEE S&P'20 [10] (IEEE Symposium on Security and Privacy, A*)
Press: Techdirt [11], Next INpact [12], Mediapart [13], Le Monde [14], CNIL's blog [15]
As a result of the GDPR and the ePrivacy Directive, European users encounter cookie banners on almost every website. Many such banners are implemented by Consent Management Providers (CMPs), who respect the IAB Europe's Transparency and Consent Framework (TCF). Via cookie banners, CMPs collect and disseminate user consent to third parties. In this work, we systematically study IAB Europe's TCF and analyze consent stored behind the user interface of TCF cookie banners. We analyze the GDPR and the ePrivacy Directive to identify legal violations in implementations of cookie banners based on the storage of consent and detect such violations by crawling 22 949 European websites. With two automatic and semi-automatic crawl campaigns, we detect violations, and we find that: 141 websites register positive consent even if the user has not made their choice; 236 websites nudge the users towards accepting consent by pre-selecting options; and 27 websites store a positive consent even if the user has explicitly opted out. Performing extensive tests on 560 websites, we find at least one violation in 54% of them. Finally, we provide a browser extension to facilitate manual detection of violations for regular users and Data Protection Authorities.
Célestin Matte, Mathieu Cunche, et al.
Defeating MAC Address Randomization Through Timing Attacks [16]
WiSec'16 [17] (ACM Conference on Security and Privacy in Wireless and Mobile Networks)
MAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC address randomization through observation of the timings of the network scans with an off-the-shelf Wi-Fi interface. This attack relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames coming from the same device although they use distinct MAC addresses. We propose several distance metrics based on timing and use them together with an incremental learning algorithm in order to group frames. We show that these signatures are consistent over time and can be used as a pseudo-identifier to track devices. Our framework is able to correctly group frames using different MAC addresses but belonging to the same device in up to 75% of the cases. These results show that the timing of 802.11 probe frames can be abused to track individual devices and that address randomization alone is not always enough to protect users against tracking.
Célestin Matte, Mathieu Cunche
DEMO: Panoptiphone: How Unique is Your Wi-Fi Device? [18]
WiSec'16 [17] (ACM Conference on Security and Privacy in Wireless and Mobile Networks)
Mathy Vanhoef, Célestin Matte, Mathieu Cunche, et al.
Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms [19]
AsiaCCS'16 [20] (ACM ASIA Conference on Computer and Communications Security, B)
We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.
Célestin Matte, Jagdish Prasad Achara, Mathieu Cunche
Device-to-Identity Linking Attack Using Targeted Wi-Fi Geolocation Spoofing [21]
WiSec'15 [22] (ACM Conference on Security and Privacy in Wireless and Mobile Networks) (+ travel grant obtained)
Today, almost all mobile devices come equipped with Wi-Fi technology. Therefore, it is essential to thoroughly study the privacy risks associated with this technology. Recent works have shown that some Personally Identifiable Information (PII) can be obtained from the radio signals emitted by Wi-Fi equipped devices. However, most of the time, the identity of the subject of those pieces of information remains unknown and the Wi-Fi MAC address of the device is the only available identifier. In this paper, we show that it is possible for an attacker to get the identity of the subject. The attack presented in this paper leverages the geolocation information published on some geotagged services, such as Twitter, and exploits the fact that geolocation information obtained through Wi-Fi-based Positioning System (WPS) can be easily manipulated. We show that geolocation manipulation can be targeted to a single device, and in most cases, it is not necessary to jam real Wi-Fi access points (APs) to mount a successful attack on WPS.
Journals:

Cristiana Santos, Nataliia Bielova, Célestin Matte
Are cookie banners indeed compliant with the law? Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners [23]
TechReg [24] (Technology and Regulation) (2020)
Tech report:

Célestin Matte, Mathieu Cunche, Vincent Toubiana
Does disabling Wi-Fi prevent my Android phone from sending Wi-Fi frames? [25] (2017)
Press: CNIL's blog [26], 01net [27], Comment ça marche [28], Science et avenir [29], Frandroid [30], UFC Que Choisir [31], ZDNet [32], Hacker News [33]
No. For Android, we show that another option, called "Always allow scanning", when activated, makes a device send Wi-Fi frames which can be used to track this device, even if the Wi-Fi switch is off. This option is not clearly described in all Android versions, and sometimes very hard to find. Besides, the Google Maps application prompts the user to activate this option. Similarly, for iOS 11, the Wi-Fi switch in the control center does not prevent Wi-Fi frames from being emitted by some services.
Thesis:

Wi-Fi Tracking: Fingerprinting Attacks and Countermeasures [34] (2017)
The recent spread of everyday-carried Wi-Fi-enabled devices (smartphones, tablets and wearable devices) comes with a privacy threat to their owner, and to society as a whole. These devices continuously emit signals which can be captured by a passive attacker using cheap hardware and basic knowledge. These signals contain a unique identifier, called the MAC address. To mitigate the threat, device vendors are currently deploying a countermeasure on new devices: MAC address randomization. Unfortunately, we show that this mitigation, in its current state, is insufficient to prevent tracking. To do so, we introduce several attacks, based on the content and the timing of emitted signals. In complement, we study implementations of MAC address randomization in some recent devices, and find a number of shortcomings limiting the efficiency of these implementations at preventing device tracking. At the same time, we perform two real-world studies. The first one considers the development of actors exploiting this issue to install Wi-Fi tracking systems. We list some real-world installations and discuss their various aspects, including regulation, privacy implications, consent and public acceptance. The second one deals with the spread of MAC address randomization in the device population. Finally, we present two tools: an experimental Wi-Fi tracking system for testing and public awareness raising purposes, and a tool estimating the uniqueness of a device based on the content of its emitted signals even if the identifier is randomized.
Teaching

- INSA Lyon, Algorithmics and programming 1 [35] (EN), L1 (2016 - 2017): 64 hours, 1.5 groups with ~25 students per group. Teaching of basic programming in Java, plus a LibreOffice introduction module.
- INSA Lyon, Algorithmique et programmation 1 [36] (FR), L1 (2014 - 2016): 2 * 64 hours, 1.5 groups with ~25 students per group.

Software
- Cookie-Glasses [9]: a browser extension showing the consent registered by cookie banners of IAB Europe's Transparency & Consent Framework. (JavaScript, WebExtensions)
- Vendorlist explorer [37]: a web application that extracts information from the vendorlist of IAB Europe's Transparency & Consent Framework and makes this information human-readable. (Python, Flask, SQLAlchemy)
- Cookinspect [38]: a Selenium-based crawler used to find violations in cookie banners of IAB Europe's Transparency & Consent Framework. (Python, Selenium, WebExtensions, SQLAlchemy)
- Wombat [39]: a Wi-Fi tracking system for testing and demonstration purposes. (Python, Ansible, Arch Linux)
- Panoptiphone [40]: a tool to show the identifying information that can be found in the frames broadcast by a Wi-Fi-enabled device. (Python, Wireshark)
- Ansible-PGLister [41]: an Ansible script to install all components of the PGLister mailing list system. (Ansible)
- Members-django [42]: a rewrite of SPI's membership application using Django. (Python, Django)
Talks

Invited talks:
- 03-2021: at Utrecht University, Master's Programme Law & Technology in Europe, on cookie banners and Wi-Fi tracking
- 01-2020: at Brave, on cookie banners
- 09-2019: at CNIL, on cookie banners

Workshop talks:
- APVP'19 [43]: Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe's Transparency and Consent Framework
- APVP'17 [44]: Wombat: An experimental Wi-Fi tracking system [45]
- CITI lab PhD Day'16 [46], APVP'16 [47]: Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
- STDA'14 [48], APVP'14 [49]: Device-to-Identity Linking Attack Using Targeted Wi-Fi Geolocation Spoofing
Community Service

- Organization Committee: GreHack'15 [50]
- Program Committee: APVP'19 [51], APVP'20 [52], WiSec'20 [53]
- (Sub-)Reviewer: CoNEXT'15 Student Workshop, TrustCom'16, EuroS&P'19, TheWeb'20, The Computer Journal, PETS'20, PETS'21, IEEE TWC [54]
- Member of the Conseil de laboratoire (laboratory council):
  - CITI lab, 2015-2016 (one year)
  - Inria Sophia, 2019-2020 (7 months)
Dissemination

Installation of our Wi-Fi tracking demonstration prototype [39]:
- 2017 - 2018: Cité des Sciences et de l'Industrie (Paris) for the Terra Data exhibition [55].
- 2018: CITI laboratory showroom
- 2018: CNIL Linc showroom

Talks:
- Pas Sage en Seine'19: Traçage Wi-Fi et Bluetooth (Wi-Fi and Bluetooth tracking) [56]
Magazine articles:

Célestin Matte
Traçage Wi-Fi : qu’en est-il en pratique ? (Wi-Fi tracking: what about it in practice?) [57]
GNU/Linux Magazine HS n°99 (2018-11)

Célestin Matte
MAC Address Randomization : tour d’horizon (MAC address randomization: an overview) [58]
MISC n°96 (2018-03)

Célestin Matte
Transfert de style : et si Van Gogh peignait Tux ? (Style transfer: what if Van Gogh painted Tux?) [59]
GNU/Linux Magazine n°202 (2017-03) (cover article)

Célestin Matte, Mathieu Cunche
Traçage Wi-Fi, applications et contre-mesures (Wi-Fi tracking, applications and countermeasures) [60]
GNU/Linux Magazine HS n°84 (2016-05)

Célestin Matte
Fingerprinting de smartphones : votre téléphone est-il traçable ? (Smartphone fingerprinting: is your phone trackable?) [61]
MISC n°81 (2015-09)
Industry impact

Google cites our work on MAC address randomization for related changes in Android [62].
Our work on MAC address randomization was discussed at an IEEE session [63].
A complaint by NOYB to the CNIL [64] followed our work on cookie banners. It was relayed by Le Monde [14], Le Figaro [65], Les Échos [66], Europe 1 [67], BFM TV [68] and others.
Contributions to open source projects

- wyrd [69] (sysadmin): fix a compile issue and maintain the AUR package (Arch Linux)
- PGLister [70] and PGArchives [71] (Django, 8 commits): fix bugs and minor improvements related to the install process
- Ansible community.general [72] (sysadmin, Python, 1 commit): add a new feature for pacman
- Consent-O-Matic [73] (JavaScript, 9 commits): improve behaviour, handle new cases
- ranger [74] (Python, 5 commits): bugfix, new functionality
- poezio [75] (Python, 8 commits): new functionalities
- git (Git-Mediawiki) [76] (Perl, 32 commits): code cleaning, new functionality

Bug reports leading to fixes: randrctl, gmic, disconnect-tracking-protection, OCaml Curses.
Misc.

Languages: French (native), English (excellent), German (average).
Driving license.
PSC1: Prevention and civic aid, level 1 (French first aid diploma).
"Study-Arts" [77] dance diploma from INSA Lyon.

Selected personal projects:
- System administrator for an association in 2012-14: in charge of servers hosting student websites (Summary [78]). (sysadmin, Debian)
- Developer and administrator for the online game Sistearth [79]. (PHP, MySQL, JavaScript, sysadmin)
- Wrote several dancing shows, some using digital art (Kinect sensors) (Website [80]). (C, C++, libfreenect, OpenCL, SDL)
- panu [81]: an XMPP (Jabber) bot. (Python, XMPP, Slixmpp, SQLAlchemy)
- html-cv-generator [82]: a CV generator. (Python, Flask)
Contact

contact@cmatte.me (GPG [83]: 0xCB6A8BD6, fingerprint 6430 156C 58FF 95B8 7EA9 0F30 A1A6 28FE CB6A 8BD6)
Twitter: @CelestinMatte
Links
1: https://hal.inria.fr/hal-02490531
2: https://chrome.google.com/webstore/detail/cookie-glasses/gncnjghkclkhpkfhghcbobednpchjifk
3: https://arxiv.org/abs/1911.09964
4: https://twitter.com/nataliabielova/status/1199658816134164482
5: https://hal.inria.fr/hal-02566891
6: https://twitter.com/nataliabielova/status/1261302416147873795
7: https://privacyforum.eu/
8: https://www-sop.inria.fr/members/Nataliia.Bielova/cookiebanners/
9: https://github.com/Perdu/Cookie-Glasses
10: https://www.ieee-security.org/TC/SP2020
11: https://www.techdirt.com/articles/20191210/07425443541/guess-what-many-cookie-banners-ignore-your-wishes-so-max-schrems-goes-gdpr-attack-again.shtml
12: https://www.nextinpact.com/news/108495-cookies-refuses-mais-installes-cdiscount-allocine-et-vanity-fair-attaques-devant-cnil.htm
13: https://www.mediapart.fr/journal/france/190220/donnees-personnelles-les-cookies-resistent-encore
14: https://www.lemonde.fr/pixels/article/2019/12/10/vie-privee-cdiscount-allocine-et-vanity-fair-vises-par-une-plainte-d-une-ong_6022380_4408996.html
15: https://linc.cnil.fr/mecanismes-et-recueil-du-consentement
16: https://hal.archives-ouvertes.fr/hal-01330476/
17: https://www.sigsac.org/wisec/WiSec2016
18: https://hal.inria.fr/hal-01330479/
19: https://hal.archives-ouvertes.fr/hal-01282900
20: http://meeting.xidian.edu.cn/conference/AsiaCCS2016/papers.html
21: https://hal.inria.fr/hal-01176842
22: https://www.sigsac.org/wisec/WiSec2015
23: https://techreg.org/index.php/techreg/article/view/43
24: https://techreg.org/index.php/techreg
25: https://hal.inria.fr/hal-01575519v2
26: https://linc.cnil.fr/fr/desactiver-le-wi-fi-android-ne-nous-preserve-pas-du-tracage
27: https://www.01net.com/actualites/sur-android-le-wi-fi-peut-vous-tracer-meme-s-il-est-desactive-1245292.html
28: https://www.commentcamarche.net/news/5870290-meme-desactive-le-wi-fi-reste-tracable
29: https://www.sciencesetavenir.fr/high-tech/google-android-detecte-en-permanence-la-localisation-du-telephone_116061
30: https://www.frandroid.com/android/mises-a-jour-android/487194_le-nfc-pourrait-bientot-etre-utilise-meme-quand-vous-le-desactivez
31: https://www.quechoisir.org/actualite-smartphones-android-meme-une-fois-le-wi-fi-desactive-vous-etes-piste-n46076/
32: https://www.zdnet.fr/actualites/android-desactiver-le-wi-fi-n-empeche-pas-d-etre-espionne-39856640.htm
33: https://news.ycombinator.com/item?id=15141077
34: https://hal.inria.fr/tel-01659783v1
35: http://planete.insa-lyon.fr/scolpeda/f/ects?id=31099&_lang=fr
36: https://planete.insa-lyon.fr/scolpeda/f/ects?id=30011&_lang=fr
37: https://github.com/Perdu/vendorlistexplorer
38: https://github.com/Perdu/Cookinspect
39: https://github.com/Perdu/wombat
40: https://github.com/Perdu/panoptiphone
41: https://gitlab.com/cmatte/ansible-pglister/
42: https://gitlab.com/spi-inc/members-django
43: https://project.inria.fr/apvp2019/programme/
44: https://apvp2017.sciencesconf.org/
45: https://hal.inria.fr/hal-01679007/
46: http://phd-day.citi-lab.fr/2016/index.html
47: https://apvp2016.sciencesconf.org/resource/page/id/2
48: https://bit.ly/stda2014
49: http://apvp14.orange-labs.fr/?page_id=2
50: http://grehack.fr/2015/info
51: https://project.inria.fr/apvp2019/organisation/
52: https://apvp2020.sciencesconf.org/
53: https://wisec2020.ins.jku.at/organization/
54: https://publons.com/researcher/4082188/celestin-matte/
55: http://www.cite-sciences.fr/fr/au-programme/expos-temporaires/terra-data/
56: https://programme.passageenseine.fr/
57: https://connect.ed-diamond.com/GNU-Linux-Magazine/GLMFHS-099/Tracage-Wi-Fi-qu-en-est-il-en-pratique
58: https://bit.ly/misc96
59: https://bit.ly/glmf202
60: https://bit.ly/glmfhs84
61: https://bit.ly/misc81
62: https://android-developers.googleblog.com/2017/04/changes-to-device-identifiers-in.html
63: https://mentor.ieee.org/802.11/documents?is_dcn=privacy
64: https://noyb.eu/say-no-to-cookies-yet-see-your-privacy-crumble
65: https://www.lefigaro.fr/secteur/high-tech/allocine-cdiscount-et-vanity-fair-accuses-de-depot-illegal-de-cookies-20191211
66: https://www.lesechos.fr/tech-medias/medias/ces-entreprises-qui-vous-tracent-meme-si-vous-refusez-leurs-cookies-1155052
67: https://www.europe1.fr/technologies/trois-grands-sites-francais-et-leurs-partenaires-accuses-dignorer-le-refus-des-cookies-3936626
68: https://www.bfmtv.com/tech/sur-ces-sites-francais-refuser-les-cookies-ne-suffit-pas-a-ne-plus-etre-trace-1821554.html
69: https://aur.archlinux.org/packages/wyrd-git
70: https://gitlab.com/pglister/pglister/-/commits/master?author=cmatte
71: https://github.com/postgres/pgarchives/commits?author=Perdu
72: https://github.com/ansible-collections/community.general/commits?author=Perdu
73: https://github.com/cavi-au/Consent-O-Matic/commits?author=Perdu
74: https://github.com/ranger/ranger/commits?author=Perdu
75: https://github.com/mathieui/poezio/commits?author=Perdu
76: https://github.com/git/git/commits?author=Perdu
77: https://www.insa-lyon.fr/sites/www.insa-lyon.fr/files/plaquette-art-etudes.pdf#page=8
78: http://cmatte.me/sysadmin_polecom_en.txt
79: http://www.sistearth.com
80: https://cmatte.me/danse
81: https://github.com/Perdu/panu
82: https://github.com/Perdu/html-pdf-cv-generator
83: https://cmatte.me/CV/gpg