Risk
10/24/2013
11:38 AM

Browser Fingerprinting: 9 Facts

Tracking technology that can identify individual identities and devices is improving faster than consumers might realize, warn privacy researchers.

5. Users Can Block Fingerprinting – Sometimes.

Brentano said BlueCava's fingerprinting isn't hidden from browser privacy plug-ins designed to detect tracking technology. "I can only speak for us, but the most common tool, Ghostery, absolutely sees us, they will see our code run. We explicitly write a cookie whenever we can, so we leave a mark behind," he said.

But Acar noted that not all tracking technology can be detected by tracker-monitoring software such as Ghostery or NoScript. "Ghostery has a big database of trackers; if they add the ones we found to their databases, Ghostery can block some of them," he explained. "Still, there are ways to circumvent these protections, like serving the same script from different addresses." In addition, he said, "NoScript can block some fingerprinters -- depends on the configuration."

6. Fingerprinting Can Make "Opt-Out" Preferences Stick.

BlueCava's Brentano said his firm also uses its fingerprinting techniques to ensure that a consumer's opt-out preferences persist. "We believe that we do a better job of opt out, because with cookies, if you opt out, and then delete the cookies -- which people often do -- then you delete your opt out," he said. "But we also record an opt-out event against our record of that device ... and we'll actually reset the opt-out cookie."

But what about giving consumers the right to opt in to these techniques -- rather than being stuck in the situation of having to opt out of techniques they may not realize are being used? "That's an absolutely legitimate political debate, which we do not have an opinion on," Brentano said. "From our standpoint, either one is fine. We just play by the rules that the industry and regulatory regime sets."

7. Do Not Track: Not Mentioned In BlueCava's Privacy Policy.

But AVG's Brock questioned why BlueCava's privacy statement makes no mention of any Do Not Track compliance. "The Federal Trade Commission can only effectively enforce statements that are literally made, and I couldn't find a statement in [BlueCava's] privacy policy that they honor Do Not Track," he said. "So their statement has no legal effect, as far as I know."

8. Are Advertisers Seeking Legal Protection For Fingerprinting?

The Digital Advertising Alliance and the Interactive Advertising Bureau -- both advertising trade groups -- are currently developing standards for all types of tracking, including cookies. They say this will provide consumers with a single, consistent way to opt out of being tracked, although some privacy groups think it may be a push by the industry to legitimize obscure -- and likely controversial -- fingerprinting techniques.

In addition, according to Brock, by combining these techniques, advertisers are gaining new ways to tie together devices with people's identities and personal information. For example, if a user searches for information about a disease on their smartphone, that information could end up getting added to a file -- maintained about that one person -- that gets bought and sold by data brokers, and which also records what they do or see from their PC and tablet.

9. More Aggressive Tracking To Come?

Given the overarching privacy and regulatory questions surrounding tracking, don't expect advanced fingerprinting techniques -- or related debates -- to go away, especially if more people begin to use ad-blocking technology. "We're going to be hearing a lot more about this technology as the advertisers become more desperate," Brock said. "We don't have a Do Not Track standard, and the industry organizations are embracing these new aggressive tracking methods as a way to shore up the business."

Furthermore, tracking firms still have many more tracking techniques available to them, should they decide to use them. "There are ways to fingerprint devices without JavaScript or Flash. Clock skew, network packet fingerprinting and our attack on Tor Browser -- scriptless font fingerprinting -- are examples of passive fingerprinting techniques," said University of Leuven's Acar. "These techniques I'd refer to as really, really stealthy compared to JavaScript or Flash-based fingerprinting. They don't require any client-side code to run and are very hard to detect for researchers too."
