How many websites today are using the latest generation of supercookies to secretly track a person's browsing habits across different sites, and even across the different devices that person uses?
According to a new report, "FPDetective: Dusting the Web for Fingerprinters," from privacy researchers in Belgium and the United States, at least 404 of the world's 1 million most popular websites are using a previously undocumented tracking technique that fingerprints devices while evading detection. The researchers are due to present their paper at next month's 20th ACM Conference on Computer and Communications Security in Berlin.
Fingerprinting refers to deriving a signature from a browser's observable configuration (installed fonts, plugins, screen size and the like) that is distinctive enough to recognize the same browser, whether on a PC or a mobile device, whenever it returns to any site carrying the tracker's script, without storing anything on the device. "Fingerprinting user devices through the browser is an increasingly common practice used by advertising and anti-fraud companies," according to the researchers.
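The font-probing technique the researchers found in the wild works as an added example (this is illustrative code written for this article, not the paper's FPDetective code nor any tracker's script). A page cannot ask the browser for its list of installed fonts, so the script renders a fixed string in a candidate font with a generic fallback, measures the rendered width, and compares it with the width of the fallback alone; a difference means the candidate font is installed. The candidate list, the fallback widths in the fake measurer and the FNV-1a hash are all assumptions made for the example; real scripts probe hundreds of fonts.

```javascript
// Added example: JavaScript font probing via text-width measurement.
// Not code from the FPDetective paper or any real tracking script.

const PROBE_STRING = "mmmmmmmmmmlli";   // wide and narrow glyphs amplify width differences
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// Candidate list is an assumption; real probes cover hundreds of fonts.
const CANDIDATE_FONTS = ["Arial", "Calibri", "Courier New", "Helvetica", "Ubuntu", "Verdana"];

// measureWidth(fontFamily) -> pixel width of PROBE_STRING in that font-family.
// Injected so the detection logic can run outside a browser; see domMeasurer().
function probeFonts(measureWidth, candidates = CANDIDATE_FONTS) {
  const baseline = {};
  for (const fb of FALLBACKS) baseline[fb] = measureWidth(fb);
  const installed = [];
  for (const font of candidates) {
    // If the candidate is missing, the browser silently renders the fallback,
    // so the width equals the baseline for every fallback. Several fallbacks
    // are used so a candidate that happens to match one width is still caught.
    const detected = FALLBACKS.some(fb => measureWidth(`"${font}", ${fb}`) !== baseline[fb]);
    if (detected) installed.push(font);
  }
  return installed;
}

// 32-bit FNV-1a: enough to turn the installed-font list into a compact identifier.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fontFingerprint(measureWidth, candidates = CANDIDATE_FONTS) {
  const installed = probeFonts(measureWidth, candidates);
  return { installed, id: fnv1a(installed.join("|")) };
}

// Browser measurer: an off-screen span whose offsetWidth is read after each
// font-family change. This is the part a real tracker runs in the page.
function domMeasurer(doc = (typeof document !== "undefined" ? document : null)) {
  if (!doc) throw new Error("no DOM available");
  const span = doc.createElement("span");
  span.style.position = "absolute";
  span.style.left = "-9999px";
  span.style.fontSize = "72px";
  span.textContent = PROBE_STRING;
  doc.body.appendChild(span);
  return fontFamily => {
    span.style.fontFamily = fontFamily;
    return span.offsetWidth;
  };
}

// Constructed stand-in for a machine with the given fonts installed. Widths are
// illustrative, not measured: fallbacks get fixed widths, installed fonts get a
// width that differs from every fallback.
function fakeMeasurer(installedFonts) {
  const base = { monospace: 562, "sans-serif": 700, serif: 690 };
  return fontFamily => {
    const m = fontFamily.match(/^"([^"]+)", (\S+)$/);
    if (!m) return base[fontFamily];
    const [, font, fb] = m;
    return installedFonts.includes(font) ? 800 + font.length : base[fb];
  };
}

// Usage in a browser: fontFingerprint(domMeasurer())
// Usage offline:      fontFingerprint(fakeMeasurer(["Arial", "Verdana"]))
```

Nothing in this exchange touches cookies, local storage or any other state the user can clear, which is why the resulting identifier survives cookie deletion and private-browsing mode. A defence has to change what the measurement returns (a fixed font set, or a limit on how many fonts a page may load) rather than what the page may store.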
But it's a practice that may exist in a legal gray area. "Stateless user tracking allows advertising companies to sidestep the limitations imposed by regulation on cookies in Europe and the United States," according to the researchers. "Moreover, with the advent of smartphones and tablets, fingerprinting allows advertisers to augment previously gathered user data and track the user across devices."
The researchers also looked for Flash-based fingerprinting technology, although only on the world's 10,000 most popular websites as ranked by Alexa, and detected the technology in use on 95 of those sites.
Cookie-free tracking technologies, loosely grouped with other hard-to-delete trackers under the label "supercookies," are typically designed to avoid detection and to defeat users' attempts to block them. Nor has fingerprinting historically been deterred by an active "do not track" (DNT) flag in the user's browser: DNT is only a request header, and a tracking script is free to ignore it. Many privacy advocates have long held that the only way to stop such tracking is legislation that requires websites to disclose the tracking technology they use and to respect people's DNT preferences.
Might an anonymizing browser, such as the Tor Browser, block the latest generation of supercookies? In theory it should, but the researchers found that the Tor Browser did not adequately restrict a page's ability to probe for system fonts, so Tor users' devices could still be fingerprinted with the same font-probing techniques. The researchers said they alerted the Tor Project to the weakness, and that it has been fixed in the forthcoming source code and in version 2.4 of the Tor Browser Bundle.
Going forward, the researchers said they plan to release the source code for the tool they built to crawl the Web in search of fingerprinting technology, which they dubbed FPDetective. They built it on modified versions of the PhantomJS "headless" WebKit browser and of the Chrome browser, instrumented to log the font-loading and property accesses that fingerprinting scripts perform. FPDetective can also relay Flash files through "an SSL-capable intercepting proxy," which allowed the researchers to capture, decompile and analyze the font-probing Flash files with third-party tools.