Browser Fingerprinting: 9 Facts

Tracking technology that can identify individuals and devices is improving faster than consumers might realize, warn privacy researchers.

5. Users Can Block Fingerprinting – Sometimes.

Brentano said BlueCava's fingerprinting isn't hidden from browser privacy plug-ins designed to track tracking technology. "I can only speak for us, but the most common tool, Ghostery, absolutely sees us, they will see our code run. We explicitly write a cookie whenever we can, so we leave a mark behind," he said.

But Acar noted that not all tracking technology can be detected by tracking-monitoring software such as Ghostery or NoScript. "Ghostery has a big database of trackers, if they add the ones we found to their databases Ghostery can block some of them," he explained. "Still, there are ways to circumvent these protections, like serving the same script from different addresses." In addition, he said, "NoScript can block some fingerprinters -- depends on the configuration."

6. Fingerprinting Can Make "Opt-Out" Preferences Stick.

BlueCava's Brentano said his firm also uses its fingerprinting techniques to ensure that a consumer's opt-out preferences persist. "We believe that we do a better job of opt out, because with cookies, if you opt out, and then delete the cookies -- which people often do -- then you delete your opt out," he said. "But we also record an opt-out event against our record of that device ... and we'll actually reset the opt-out cookie."

But what about giving consumers the right to opt in to these techniques -- rather than being stuck in the situation of having to opt out of techniques they may not realize are being used? "That's an absolutely legitimate political debate, which we do not have an opinion on," Brentano said. "From our standpoint, either one is fine. We just play by the rules that the industry and regulatory regime sets."

7. Do Not Track: Not Mentioned In BlueCava's Privacy Policy.

But AVG's Brock questioned why BlueCava's privacy statement makes no mention of any Do Not Track compliance. "The Federal Trade Commission can only effectively enforce statements that are literally made, and I couldn't find a statement in [BlueCava's] privacy policy that they honor Do Not Track," he said. "So their statement has no legal effect, as far as I know."

8. Are Advertisers Seeking Legal Protection For Fingerprinting?

The Digital Advertising Alliance and the Interactive Advertising Bureau -- both advertising trade groups -- are currently developing standards for all types of tracking, including cookies. They say this will provide consumers with a single, consistent way to opt out of being tracked, although some privacy groups think it may be a push by the industry to legitimize obscure -- and likely controversial -- fingerprinting techniques.

In addition, according to Brock, by combining these techniques, advertisers are gaining new ways to tie together devices with people's identities and personal information. For example, if a user searches for information about a disease on their smartphone, that information could end up getting added to a file -- maintained about that one person -- that gets bought and sold by data brokers, and which also records what they do or see from their PC and tablet.

9. More Aggressive Tracking To Come?

Given the overarching privacy and regulatory questions surrounding tracking, don't expect advanced fingerprinting techniques -- or related debates -- to go away, especially if more people begin to use ad-blocking technology. "We're going to be hearing a lot more about this technology as the advertisers become more desperate," Brock said. "We don't have a Do Not Track standard, and the industry organizations are embracing these new aggressive tracking methods as a way to shore up the business."

Furthermore, tracking firms still have many more tracking techniques available to them, should they decide to use them. "There are ways to fingerprint devices without JavaScript or Flash. Clock skew, network packet fingerprinting and our attack on Tor Browser -- scriptless font fingerprinting -- are examples for passive fingerprinting techniques," said University of Leuven's Acar. "These techniques I'd refer to as really, really stealthy compared to JavaScript or Flash-based fingerprinting. They don't require any client-side code to run and are very hard to detect for researchers too."