Risk
10/10/2013
02:21 PM
Connect Directly
RSS
E-Mail
50%
50%

Advertisers Evade 'Do Not Track' With Supercookies

Many popular sites use JavaScript and Flash font probes to track users and their browsing habits across multiple devices, researchers say.

How many websites today are using latest-generation supercookies to secretly track a person's browsing habits across different websites, and even when they use different devices?

According to a new report, "FPDetective: Dusting the Web for Fingerprinters," from privacy researchers in Belgium and the United States, at least 404 of the world's 1 million most popular websites are using a never-before-seen tracking technology that fingers devices while evading detection. The researchers are due to present their paper at next month's 20th ACM Conference on Computer and Communications Security in Berlin.

Fingerprinting refers to creating a unique signature for a browser -- whether on a PC or mobile device -- that allows a tracking firm to watch which sites a user visits, no matter which device they're using. "Fingerprinting user devices through the browser is an increasingly common practice used of advertising and anti-fraud companies," according to the researchers.

But it's a practice that may exist in a legal gray area. "Stateless user tracking allows advertising companies to sidestep the limitations imposed by regulation on cookies in Europe and the United States," according to the researchers. "Moreover, with the advent of smartphones and tablets, fingerprinting allows advertisers to augment previously gathered user data and track the user across devices."

[ Privacy groups are suing the NSA over its call-tracking programs. Read NSA Lawsuit Proceeding, Despite Government Shutdown. ]

The researchers said their discovery of 16 new fingerprinting scripts and Flash objects, as well as counts of the sites using the technology, demonstrates "that fingerprinting is much more prevalent than previous studies estimated." Furthermore, while the total number of sites -- just 404 -- on which they found the JavaScript tracking technology might seem small, they cautioned that their Web crawling targeted only homepages, and couldn't penetrate paywalls or any site with a Turing test.

The JavaScript-based fingerprinting technology is being sold or distributed by tracking firm BlueCava, Bitcoin digital wallet provider CoinBase, geolocation and "online fraud prevention" firm MaxMind, and consumer tracking provider Mindshare Technology, among other companies. Some of those fingerprint scripts appeared to actively try to evade detection by deleting themselves as soon as they'd run and relayed a fingerprint to a third-party server.

BlueCava's font-probing JavaScript code was the most prevalent such script detected by the researchers, and ran on the homepages of 250 sites that are included in the Alexa index of the 1 million most popular websites. "[BlueCava's] is the only one of the discovered font-probing scripts that queries different sets of fonts based on the device's operating system: 231 fonts for Microsoft Windows, 167 for Mac OS and 62 for other operating systems," said the researchers.

The researchers also looked for Flash-based fingerprinting technology, although only on the world's 10,000 most popular websites as ranked by Alexa, and detected the technology in use on 95 of those sites.

Cookie-free tracking technologies -- often referred to as supercookies -- are typically designed to avoid detection as well as users' attempts to block the technology. Likewise, the technology historically hasn't ever been deterred by the presence of an active "do not track" flag in a user's browser. Many privacy advocates have long held that the only way to stop the cookies will be through legislation that requires websites to disclose the tracking technology they're using, as well as to respect people's DNT preferences.

Might an anonymizing browser, such as Tor, help block the latest generation of supercookies? While that would theoretically help a user defeat the tracking mechanisms, in fact Tor doesn't restrict the browser's ability to call system fonts, meaning Tor users' devices can still be fingerprinted using the font-probing techniques. But the researchers said they've alerted Tor to the vulnerability, and that it's been fixed in the forthcoming source code and version 2.4 of the Tor browser bundle.

Going forward, the researchers said they plan to release the source code for the tool they developed to crawl the Web in search of fingerprinting technology, which they dubbed FPDetective. They built it using modified versions of the PhantomJS "headless" Webkit browser, as well as the Chrome browser. FPDetective includes the ability to relay Flash files through "an SSL-capable intercepting proxy," which allowed the researchers to capture, decompile and analyze the font-probing Flash files using third-party tools.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/11/2013 | 9:49:09 AM
re: Advertisers Evade 'Do Not Track' With Supercookies
Arms race is the right metaphor. For every tracking technology that gets excoriated by privacy rights groups or interrogated by regulators/legislators, another one springs up.

That's why having a higher-level take on this might create the concept of user rights that aren't tied to technology, and thus subject to abuse, and get more people on the same page.
NG11209
50%
50%
NG11209,
User Rank: Apprentice
10/10/2013 | 9:15:12 PM
re: Advertisers Evade 'Do Not Track' With Supercookies
I remember the do-not-track debate from my time working at a direct & digital marketing trade publication. This report makes it seem that the debate has shifted more to a steroids-in-baseball-style arms race, with one side racing to stay ahead of the rules. The New York Times has some recent reporting on the subject as well, so it's clearly in the public consciousness GÇö I wonder (if we ever have a functioning government again) if some legislation to codify what's appropriate is coming.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
10/10/2013 | 8:31:49 PM
re: Advertisers Evade 'Do Not Track' With Supercookies
Ah, got it. Thanks.

And I'd say the answer to your question is: Both.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/10/2013 | 8:15:01 PM
re: Advertisers Evade 'Do Not Track' With Supercookies
First, this type of personal information is a commodity -- it can be bought and sold (for profit). The more information, the more valuable the record associated with a given person.

Second, it gives advertisers "richer" insights into individual consumers (i.e. you and me). Visit a website that's concerned with menopause, pregnancy, erectile disfunction, baseball or divorce -- and the advertiser's algorithms can spot that and serve up more targeted (and thus theoretically likely to get clicked on and converted to a sale) advertising. And every click or completed sale equals revenue for the advertiser and commissions for affiliates.

The "benefit" for consumers, or hit to our privacy? That's open to debate.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
10/10/2013 | 7:05:05 PM
re: Advertisers Evade 'Do Not Track' With Supercookies
I'm not entirely clear on why sites need/want to track us THAT closely. What's the payoff, exactly?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.