11:38 AM

Browser Fingerprinting: 9 Facts

Tracking technology that can identify individual identities and devices is improving faster than consumers might realize, warn privacy researchers.

5. Users Can Block Fingerprinting – Sometimes.

Bretano said BlueCava's fingerprinting isn't hidden from browser privacy plug-ins designed to track tracking technology. "I can only speak for us, but the most common tool, Ghostery, absolutely sees us, they will see our code run. We explicitly write a cookie whenever we can, so we leave a mark behind," he said.

But Acar noted that not all tracking technology can be detected by tracking monitoring software such as Ghostery or NoScript. "Ghostery has a big database of trackers, if they add the ones we found to their databases Ghostery can block some of them," he explained. "Still, there are ways to circumvent these protections, like serving the same script from different addresses." In addition, he said, "NoScript can block some fingerprinters -- depends on the configuration."

6. Fingerprinting Can Make "Opt-Out" Preferences Stick.

BlueCava's Brentano said his firm also uses its fingerprinting techniques to ensure that a consumer's opt-out preferences persist. "We believe that we do a better job of opt out, because with cookies, if you opt out, and then delete the cookies -- which people often do -- then you delete your opt out," he said. "But we also record an opt-out event against our record of that device ... and we'll actually reset the opt-out cookie."

But what about giving consumers the right to opt in to these techniques -- rather than being stuck in the situation of having to opt out of techniques they may not realize are being used? "That's an absolutely legitimate political debate, which we do not have an opinion on," Brentano said. "From our standpoint, either one is fine. We just play by the rules that the industry and regulatory regime sets."

7. Do Not Track: Not Mentioned In BlueCava's Privacy Policy.

But AVG's Brock questioned why BlueCava's privacy statement makes no mention of any Do Not Track compliance. "The Federal Trade Commission can only effectively enforce statements that are literally made, and I couldn't find a statement in [BlueCava's] privacy policy that they honor Do Not Track," he said. "So their statement has no legal effect, as far as I know."

8. Are Advertisers Seeking Legal Protection For Fingerprinting?

The Digital Advertising Alliance and the Interactive Advertising Bureau -- both advertising trade groups -- are currently developing standards for all types of tracking, including cookies. They say this will provide consumers with a single, consistent way to opt out of being tracked, although some privacy groups think it may be a push by the industry to legitimize obscure -- and likely controversial -- fingerprinting techniques.

In addition, according to Brock, by combining these techniques, advertisers are gaining new ways to tie together devices with people's identities and personal information. For example, if a user searches for information about a disease on their smartphone, that information could end up getting added to a file -- maintained about that one person -- that gets bought and sold by data brokers, and which also records what they do or see from their PC and tablet.

9. More Aggressive Tracking To Come?

Given the overarching privacy and regulatory questions surrounding tracking, don't expect advanced fingerprinting techniques -- or related debates -- to go away, especially if more people begin to use ad-blocking technology. "We're going to be hearing a lot more about this technology as the advertisers become more desperate," Brock said. "We don't have a Do Not Track standard, and the industry organizations are embracing these new aggressive tracking methods as a way to shore up the business."

Furthermore, tracking firms still have many more tracking techniques available to them, should they decide to use them. "There are ways to fingerprint devices without JavaScript or Flash. Clock skew, network packet fingerprinting and our attack on Tor Browser -- scriptless font fingerprinting -- are examples for passive fingerprinting techniques," said University of Leuven's Acar. "These techniques I'd refer to as really, really stealthy compared to JavaScript or Flash-based fingerprinting. They don't require any client-side code to run and are very hard to detect for researchers too."

2 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.