
Top Websites Use Device Fingerprinting to Track Users

Posted by on Nov 14, 2013

Image from http://www.redorbit.com/


Several top websites track users without their knowledge or consent using a technique called “device fingerprinting”. Device fingerprinting, or browser fingerprinting, is a method of collecting properties of PCs, smartphones and tablets to track and identify users. These properties include screen size, versions of installed software, and lists of fonts. The combinations of these fingerprint properties are unique and thus can be used to track users without relying on Internet cookies. Using this technique, websites can track you even when you have enabled the Do Not Track HTTP header in your browser. According to researchers from KU Leuven in Belgium and New York University (NYU), about 95 of the top 10,000 websites use device fingerprinting targeted at the Flash browser plugin used to play animations, videos, and sound files. When they expanded their survey to 1 million websites, they found that 404 of them used device fingerprinting targeted at the JavaScript programming language used in web applications. “The researchers said the figures should be taken as the lower bounds since their crawlers weren’t able to access pages behind CAPTCHAs and other types of Web forms.”
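Why combinations of ordinary properties identify a device can be shown by measuring how large a crowd each visitor shares their values with. The following is an added example, not code from the researchers or from this post; the visitor records and property values are constructed for illustration.

```javascript
// Constructed sample population (not real measurements): one record per visitor.
const visitors = [
  { screen: "1920x1080", flash: "11.8", fonts: "Arial,Verdana" },
  { screen: "1920x1080", flash: "11.8", fonts: "Arial,Verdana,Calibri" },
  { screen: "1920x1080", flash: "11.9", fonts: "Arial,Verdana" },
  { screen: "1920x1080", flash: "11.9", fonts: "Arial,Verdana,Calibri" },
  { screen: "1366x768", flash: "11.8", fonts: "Arial,Verdana" },
  { screen: "1366x768", flash: "11.8", fonts: "Arial,Verdana,Calibri" },
  { screen: "1366x768", flash: "11.9", fonts: "Arial,Verdana" },
  { screen: "1366x768", flash: "11.9", fonts: "Arial,Verdana,Calibri" },
];

// For each visitor, count how many visitors share the same values for `attrs`
// (the size of the crowd that visitor can hide in).
function anonymitySets(records, attrs) {
  const keyOf = (r) => JSON.stringify(attrs.map((a) => r[a]));
  const counts = new Map();
  for (const r of records) counts.set(keyOf(r), (counts.get(keyOf(r)) || 0) + 1);
  return records.map((r) => counts.get(keyOf(r)));
}

// Share of visitors whose combination of values nobody else has.
function uniqueFraction(records, attrs) {
  const sets = anonymitySets(records, attrs);
  return sets.filter((n) => n === 1).length / records.length;
}

// Mean identifying information in bits: log2(population / crowd size).
function meanBits(records, attrs) {
  const sets = anonymitySets(records, attrs);
  return sets.reduce((sum, n) => sum + Math.log2(records.length / n), 0) / records.length;
}

// Compare single properties against their combinations.
function report(records) {
  const subsets = [["screen"], ["flash"], ["fonts"], ["screen", "flash"], ["screen", "flash", "fonts"]];
  return subsets.map((attrs) => ({
    attrs: attrs.join("+"),
    unique: uniqueFraction(records, attrs),
    bits: meanBits(records, attrs),
  }));
}

console.table(report(visitors));
```

In this sample no single property singles anyone out, yet the three together make every visitor unique, which is why hiding one property does little on its own.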

As per Ars Technica, the researchers did not provide an exhaustive list of the 404 or more websites that hosted tracking code. However, researcher Gunes Acar of KU Leuven University in Belgium mentioned the names of some of the websites that used device fingerprinting to track users, such as orbitz.com, tmobile.co.uk, pokerstrategy.com, anonymizer.com, westernunion.com, and t-online. He stressed that his team may have missed some sites given the limitations of their scanning technology. The researchers also evaluated two privacy-enhancing tools that provide resistance against device fingerprinting: Tor Browser and Firegloves. They identified some vulnerabilities in these tools that give access to the user’s identity.

Device fingerprinting can be used for various legitimate purposes, such as fraud detection, protection against account hijacking, and anti-bot and anti-scraping services. But it has a darker side too. It can be used for marketing and analytics purposes via fingerprinting scripts hidden in advertising banners and web widgets. Besides that, device fingerprinting may have given the National Security Agency and its counterparts the ability to identify and track people using the Tor privacy service. One of the slides of an NSA presentation titled “Tor Stinks” included the excerpt: “Goal: … Ignore user-agents from Torbutton or Improve browser fingerprinting? Using javascript instead of Flash?”

Image from www.theguardian.com


The Firefox browser that ships with the Tor Browser Bundle has attempted to prevent fingerprinting by placing a cap on the number of fonts a web page can request or load. The fingerprinting researchers were able to bypass the font cap by using a web-programming feature called CSS font-face. This weakness was reported to the Tor developers and was later patched.

The revelations about the NSA’s surveillance program have been a wake-up call for many of us and have put security front and foremost in our minds. It is extremely difficult for us to avoid being tracked by device fingerprinting technology. According to Peter Eckersley, staff scientist at the Electronic Frontier Foundation, a privacy-advocacy group, “when it comes to device fingerprinting, we have no convenient options for privacy. All the things we can do are inconvenient to the point of being really impractical.” In a study this year, Mr. Eckersley found that about 91% of nearly 1 million computer users surveyed could be fingerprinted simply by visiting a website.

Image from http://www.bestvpnservicereview.com/


Fingerprints are tough to avoid but we can do a few things to maintain our privacy while surfing the Internet and protect ourselves from device fingerprinting:

  • Disable JavaScript and Flash in your browser. Disabling JavaScript and Flash in the browser reduces some of the information websites can collect. You can disable JavaScript by using Mozilla Foundation’s Firefox browser with an add-on program called NoScript. This stops JavaScript on pages and allows people to access trusted web pages.
  • To detect websites using device fingerprinting technologies, the researchers developed a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts. This tool will be freely available at http://homes.esat.kuleuven.be/~gacar/fpdetective/ for other researchers to use and build upon. The findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin.
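To illustrate what analysing a site for suspicious scripts can look like, here is a simplified static heuristic that flags script source reading several fingerprint inputs or probing fonts in a loop. It is an added example, not FPDetective's code or method; the signal list, the threshold of three and the sample scripts are assumptions constructed for this sketch.

```javascript
// Assumed signal list: reads of the kinds of properties the article names as
// fingerprint inputs, plus timezone. Not FPDetective's rule set.
const SIGNALS = {
  plugins: /navigator\s*\.\s*(plugins|mimeTypes)\b/,
  screen: /\bscreen\s*\.\s*(width|height|colorDepth)\b/,
  timezone: /\bgetTimezoneOffset\s*\(/,
  fontSet: /\.style\s*\.\s*fontFamily\s*=[^=]/,
  measure: /\.offset(Width|Height)\b/,
};
const LOOP = /\b(for|while)\s*\(|\.forEach\s*\(/;

// Score one script: which signals appear, and whether it looks like font
// probing (set a font, measure the rendered element, repeat in a loop).
function scoreScript(src) {
  const hits = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(src));
  const fontProbe = hits.includes("fontSet") && hits.includes("measure") && LOOP.test(src);
  // Assumed threshold: three or more distinct signals in one script.
  return { hits, fontProbe, suspicious: fontProbe || hits.length >= 3 };
}

// Constructed script bodies standing in for files fetched by a crawler.
const samples = {
  "layout.js":
    "var w = screen.width; if (w < 600) { document.body.className = 'mobile'; }",
  "widget.js":
    "var out = []; for (var i = 0; i < fonts.length; i++) {" +
    " span.style.fontFamily = fonts[i] + ',monospace';" +
    " out.push(span.offsetWidth + 'x' + span.offsetHeight); }",
  "stats.js":
    "var id = [navigator.plugins.length, screen.colorDepth," +
    " new Date().getTimezoneOffset()].join(';');",
};

// Names of the scripts the heuristic would queue for manual review.
function flagged(scripts) {
  return Object.keys(scripts).filter((name) => scoreScript(scripts[name]).suspicious);
}

console.log(flagged(samples)); // [ 'widget.js', 'stats.js' ]
```

Pattern matching on source text misses minified or obfuscated scripts, so treat a clean result as inconclusive; the single `screen.width` read in `layout.js` shows why one signal alone is not flagged.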

Protect your data with SpiderOak

Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.

SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and syncing on the go.

 

 

2 Responses to “Top Websites Use Device Fingerprinting to Track Users”

  1. Kirk Davis says:

    It is a shame that digital fingerprinting is being used to target us with marketing and track our cyber whereabouts. Your advice on how to minimize this was very helpful. I never thought about trying to block the fingerprinting. I just sort of accepted it as a necessary evil.

  2. Tammy Clark says:

    Wow! Very interesting to learn. I can say that as a consumer I am not happy about learning of yet another way that our privacy is invaded upon. Yet another way for marketers to be bold and pushy exactly where they are not wanted.
