Top Websites Use 'Device Fingerprinting' to Secretly Track Users

With the recent launch of the iPhone 5s, there has been much ado about using fingerprints as an added method of security for our personal devices, thus bringing the lightly used authentication technique on PCs and laptops to the mobile world – where device theft and misplacement are big issues. But there is another type of “device fingerprinting.” While it is employed for good security purposes, it can also be a source of mischief.

In fact, a new study by Belgium-based KU Leuven-iMinds university researchers has uncovered that 145 of the Internet’s 10,000 top websites track users without their knowledge or consent using this capability.

How so?

The websites use hidden scripts to extract a device fingerprint from users’ browsers. They do so because device fingerprinting circumvents legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header. Device fingerprinting itself is well known; what the researchers found is that its use for secret tracking is more widespread than previously thought.


Device fingerprinting: what it is and how it works

Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts.

As the researchers point out, a 2010 study by the Electronic Frontier Foundation (EFF) showed that, for the vast majority of browsers, the combination of these properties is unique, and thus functions as a ‘fingerprint’ that can be used to track users without relying on cookies. The technologies targeted for device fingerprinting are the ubiquitous Flash and JavaScript.

The study, the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet, will be formally presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. As noted above, the team of KU Leuven-iMinds researchers looked at the Internet’s top 10,000 websites and discovered that 145 of them (almost 1.5 percent) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user's original IP address when visiting a website through a third party.

On the JavaScript side of things the picture is also cause for concern. The study found that 404 of the top 1 million sites use JavaScript-based fingerprinting, which allows sites to track non-Flash mobile phones and devices. The fingerprinting scripts were found to be probing a long list of fonts – sometimes up to 500 – by measuring the width and the height of secretly-printed strings on the page.
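A defender's view of the font probing described above, as an added example that is not code from the study or from FPDetective: a heuristic that reads a trace of instrumented browser events and flags any script that sets and then measures an unusually large number of font families. The trace format, script URLs, font names and threshold are assumptions constructed for illustration.

```javascript
// Added example: flags scripts whose behaviour matches the font probing described above.
// The trace format, script URLs, font names and threshold are constructed assumptions.
const FONT_THRESHOLD = 30; // assumed cut-off, tune against real page behaviour
const GENERIC = new Set(['serif', 'sans-serif', 'monospace', 'cursive', 'fantasy']);

// Split a CSS font-family value into normalised, non-generic family names.
function parseFamilies(value) {
  return value.split(',')
    .map((f) => f.trim().replace(/^['"]|['"]$/g, '').toLowerCase())
    .filter((f) => f.length > 0 && !GENERIC.has(f));
}

// events: [{ script, type: 'setFont' | 'readSize', element, value? }]
function detectFontProbing(events, threshold = FONT_THRESHOLD) {
  const pending = new Map();  // element -> last font assignment and who made it
  const measured = new Map(); // script -> Set of families it set and then measured
  for (const ev of events) {
    if (ev.type === 'setFont') {
      pending.set(ev.element, { script: ev.script, families: parseFamilies(ev.value) });
    } else if (ev.type === 'readSize') {
      const p = pending.get(ev.element);
      // Count a family only when the script that set it also reads the size back.
      if (!p || p.script !== ev.script) continue;
      if (!measured.has(ev.script)) measured.set(ev.script, new Set());
      p.families.forEach((f) => measured.get(ev.script).add(f));
    }
  }
  return [...measured]
    .filter(([, fonts]) => fonts.size >= threshold)
    .map(([script, fonts]) => ({ script, fontsProbed: fonts.size }));
}

// Constructed trace: one widget cycling 120 fonts, one layout script measuring two.
function buildSampleTrace() {
  const events = [];
  const widget = 'https://widget.example/w.js';
  const layout = 'https://site.example/layout.js';
  for (let i = 0; i < 120; i++) {
    events.push({ script: widget, type: 'setFont', element: 'span#m', value: `'Sample Font ${i}', monospace` });
    events.push({ script: widget, type: 'readSize', element: 'span#m' });
  }
  for (const value of ['Georgia, serif', '"Helvetica Neue", sans-serif']) {
    events.push({ script: layout, type: 'setFont', element: 'h1#title', value });
    events.push({ script: layout, type: 'readSize', element: 'h1#title' });
  }
  return events;
}

console.log(detectFontProbing(buildSampleTrace()));
```

Only the widget script is reported; the layout script, which measures two fonts, stays below the threshold.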

Circumventing “Do Not Track”

Unfortunately, the story gets even more disconcerting. The researchers identified 16 new providers of device fingerprinting, only one of which had been identified in prior research. They also found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.

The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.

The good, the bad and a solution

The study team did point out that device fingerprinting is not the root of all evil. In fact, it can be and is used for security-related tasks such as fraud detection, protection against account hijacking, and anti-bot and anti-scraping services. However, as seems to be the case with most technologies used for monitoring and tracking purposes, the ability to do so means that marketers, who always want to know more about us to better target their messaging, are using device fingerprinting to gather much-desired knowledge through fingerprinting scripts hidden in advertising banners and web widgets.

The best thing to come out of the research was not just the explanation of the problem but also a solution. It comes in the form of a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts, and is available for free. The goal is for other researchers to use and build upon it.

It always seems that just when we all thought our privacy protections were adequate for keeping prying eyes away from our online behavior, something new is revealed that proves our trust is not well placed. While the websites that employ device fingerprinting have not been disclosed, the very publication of the report is likely to give those who have not done so an incentive to try. Let’s hope that the disclosure of an antidote at least gives them pause, and spurs some enterprising folks to add anti-device fingerprinting to their arsenal of protection tools.




Edited by Alisen Downey