Internet sites “fingerprint” users by secretly collecting browser info
A group of European researchers have released the results of their research into just how many of the most visited Internet websites track users without their knowledge with the help of “device fingerprinting”, and the answer is 145 out of 10,000.
“In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications,” they noted.
Device (or in this case browser) fingerprinting refers to the practice of collecting attributes about the device / browser – such as the device’s screen size, the versions of installed software, and the list of installed fonts, etc. – used by the user and using it to fully or partially identify users / devices.
But while this practice can be great for preventing online identity theft, credit card fraud, or mitigating DDoS attacks, it can also be used to surreptitiously create user profiles.
The researchers have created their own framework for the detection and analysis of web-based fingerprinters – FPDetective.
“By applying our framework with a focus on font detection practices, we were able to conduct a large scale analysis of the million most popular websites of the Internet, and discovered that the adoption of fingerprinting is much higher than previous studies had estimated,” they noted.
Whether the “fingerprinters” use JavaScript or plugins to do the fingerprinting, the point is that they can track the users’ online activity even when cookies are turned off, and users have enabled the Do Not Track option on their browsers (if there is one). Most of the time, the “fingerprinting” is surreptitious, and hard to spot by the users.
“Device fingerprinting raises serious privacy concerns for everyday users,” the researchers pointed out. “Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt-out. Moreover, fingerprinting works just as well in the ‘private-mode’ of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations.”
They also proved that two countermeasures that are use to defend against fingerprinting – the Tor Browser and Firegloves, a POC browser extension that returns randomized values when queried for certain attributes – have exploitable weaknesses that could make them useless.
For more details about their research, check out the whitepaper.