11:38 AM

Browser Fingerprinting: 9 Facts

Tracking technology that can identify individual identities and devices is improving faster than consumers might realize, warn privacy researchers.

5. Users Can Block Fingerprinting – Sometimes.

Bretano said BlueCava's fingerprinting isn't hidden from browser privacy plug-ins designed to track tracking technology. "I can only speak for us, but the most common tool, Ghostery, absolutely sees us, they will see our code run. We explicitly write a cookie whenever we can, so we leave a mark behind," he said.

But Acar noted that not all tracking technology can be detected by tracking monitoring software such as Ghostery or NoScript. "Ghostery has a big database of trackers, if they add the ones we found to their databases Ghostery can block some of them," he explained. "Still, there are ways to circumvent these protections, like serving the same script from different addresses." In addition, he said, "NoScript can block some fingerprinters -- depends on the configuration."

6. Fingerprinting Can Make "Opt-Out" Preferences Stick.

BlueCava's Brentano said his firm also uses its fingerprinting techniques to ensure that a consumer's opt-out preferences persist. "We believe that we do a better job of opt out, because with cookies, if you opt out, and then delete the cookies -- which people often do -- then you delete your opt out," he said. "But we also record an opt-out event against our record of that device ... and we'll actually reset the opt-out cookie."

But what about giving consumers the right to opt in to these techniques -- rather than being stuck in the situation of having to opt out of techniques they may not realize are being used? "That's an absolutely legitimate political debate, which we do not have an opinion on," Brentano said. "From our standpoint, either one is fine. We just play by the rules that the industry and regulatory regime sets."

7. Do Not Track: Not Mentioned In BlueCava's Privacy Policy.

But AVG's Brock questioned why BlueCava's privacy statement makes no mention of any Do Not Track compliance. "The Federal Trade Commission can only effectively enforce statements that are literally made, and I couldn't find a statement in [BlueCava's] privacy policy that they honor Do Not Track," he said. "So their statement has no legal effect, as far as I know."

8. Are Advertisers Seeking Legal Protection For Fingerprinting?

The Digital Advertising Alliance and the Interactive Advertising Bureau -- both advertising trade groups -- are currently developing standards for all types of tracking, including cookies. They say this will provide consumers with a single, consistent way to opt out of being tracked, although some privacy groups think it may be a push by the industry to legitimize obscure -- and likely controversial -- fingerprinting techniques.

In addition, according to Brock, by combining these techniques, advertisers are gaining new ways to tie together devices with people's identities and personal information. For example, if a user searches for information about a disease on their smartphone, that information could end up getting added to a file -- maintained about that one person -- that gets bought and sold by data brokers, and which also records what they do or see from their PC and tablet.

9. More Aggressive Tracking To Come?

Given the overarching privacy and regulatory questions surrounding tracking, don't expect advanced fingerprinting techniques -- or related debates -- to go away, especially if more people begin to use ad-blocking technology. "We're going to be hearing a lot more about this technology as the advertisers become more desperate," Brock said. "We don't have a Do Not Track standard, and the industry organizations are embracing these new aggressive tracking methods as a way to shore up the business."

Furthermore, tracking firms still have many more tracking techniques available to them, should they decide to use them. "There are ways to fingerprint devices without JavaScript or Flash. Clock skew, network packet fingerprinting and our attack on Tor Browser -- scriptless font fingerprinting -- are examples for passive fingerprinting techniques," said University of Leuven's Acar. "These techniques I'd refer to as really, really stealthy compared to JavaScript or Flash-based fingerprinting. They don't require any client-side code to run and are very hard to detect for researchers too."

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas and her guest, David Shearer, (ISC)2 Chief Executive Officer, as they discuss issues that keep IT security professionals up at night, including results from the recent 2016 Black Hat Attendee Survey.