Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Browser Fingerprinting: 9 Facts

Tracking technology that can identify individual identities and devices is improving faster than consumers might realize, warn privacy researchers.

Not all firms that track consumers' browsing behavior by using advanced browser fingerprinting techniques fail to honor "Do Not Track" (DNT) flags or opt-out preferences.

So said James Brentano, VP of solutions at BlueCava, responding to a recently released study -- "FPDetective: Dusting the Web for Fingerprinters" -- from privacy researchers in Belgium and the United States. The study reported that at least 404 of the world's one million most popular websites were using advanced techniques to fingerprint users and devices and to tie an individual consumer's identity to multiple devices. The researchers warned that latest-generation techniques, based on JavaScript and Flash fingerprinting of devices, aren't technically cookies, and thus might allow advertisers to bypass European cookie laws.

But Brentano said that BlueCava -- whose fingerprinting tracking technology the researchers most often encountered during their survey of the Web -- doesn't fingerprint in a surreptitious manner. "We do respect 'Do Not Track' from all the browsers. We do have opt out," he said, speaking by phone. "There's no value for a company like us in tracking people who don't want to be tracked, because people who don't want to be tracked don't respond to tracking."

[ Is a more secure browser in your future? Read Aviator Browser Blocks Ads, Cookies By Default. ]

Still, few consumers likely know about browser fingerprinting, and as awareness grows, the topic promises to become contentious. Here are nine related facts to understand as this debate unfolds:

1. Multiple Tracking Firms Employ Fingerprinting Techniques.

The researchers behind the FPDetective study reported finding fingerprinting technology from numerous firms, including Bitcoin digital wallet provider CoinBase, geolocation and "online fraud prevention" firm MaxMind, consumer tracking provider Mindshare Technology, as well as services with such names as Analyticsengine, Anonymizer, fingerprint.js, Inside graph and Perferencement. But they wrote that BlueCava's font-probing JavaScript code was the most prevalent, and "the only one of the discovered font-probing scripts that queries different sets of fonts based on the device's operating system: 231 fonts for Microsoft Windows, 167 for Mac OS and 62 for other operating systems."

Brentano said this fingerprinting is designed to identify a given device, but not to surreptitiously track it. "Commercially -- and I don't know what the bad guys are doing -- but there's no intent to bypass a user's preferences," he said. "This isn't about privacy, this is about economics. The goal is to give users choice, which sounds like marketing crap, but it's economically true. There's no value to trying to track a user who objects. Brands are very explicit about this: our customers put the burden on us, make sure users know this is happening, and can opt out."

2. Most Consumers Don't Understand Fingerprinting.

Brentano also said that the browser-fingerprinting techniques -- for example, making a record of the fonts used by a given computer -- are well-known in the advertising and tracking industries. "Everyone in this space pretty much has access to the same information -- you can see the fonts, the user agent," he said. But he noted that browsers will also change over time, meaning that the profile of a given device must evolve. "The secret sauce, if you will, is to be able to take these two profiles and recognize if they're the same [device], because you have to do it in Internet time."

Privacy advocate Jim Brock, however, said via phone that he didn't think these types of fingerprinting techniques have been widely adopted. "I'm glad [BlueCava has] an opt-out program; that's good. I'm glad they have a reset button; that's good. But I do not think it's mainstream ... what they're doing," said Brock, who founded PrivacyChoice in 2009, which was acquired by AVG Technologies in May 2013. Brock currently serves as VP of privacy products at AVG.

Gunes Acar, lead author of the FPDetective paper and Ph.D. student -- researching Web and mobile application privacy -- at the University of Leuven in Belgium, posited that most consumers would be surprised to learn about these fingerprint techniques, which were first discovered by a font geek. "I don't think it's well known, even in academia," Acar said via email. "Most of the people who hear about that -- measuring the sizes of invisible strings with different fonts -- freak out."

3. Billions In Ad Revenue Drive Consumer Tracking.

The economic incentives to track users today are higher than ever. Internet sales figures from the first half of 2013 totaled $20.1 billion -- an all-time high -- which was an increase of 18% from the same period last year.

Still, what's wrong with fingerprinting techniques? "My problem with them is they're immutable, invisible and unexpected by consumers," Brock explained. "These types of methods are on the frontier of aggressive data collection because ... they associate your data and activity across multiple devices, and associate your household's devices in a way that consumers wouldn't expect."

4. Not All Fingerprinting Vendors Are The Same.

As demand for new tracking techniques grows, however, not all JavaScript and Flash-based fingerprinting technology -- or vendors -- are the same. "Let me acknowledge that among the fingerprinting companies we aware of, BlueCava might be the most transparent about their practices," Acar said. "I guess this is partly because they want to operate in Europe and have to comply with the EU directives." These include the eCookie Directive, which was designed to ensure that users were tracked only with their consent.

Legally speaking, fingerprinting technology falls into a gray area. "Since you don't have to store cookies with fingerprinting, user consent is possibly not required," Acar said, though he noted that this has yet to be tested in European court. In addition, he noted that BlueCava's opt-out page doesn't apply to third parties who use its technology, which may include for fraud prevention purposes.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...