With the recent launch of the iPhone 5s, there has been much ado about using fingerprints as an added method of security for our personal devices, thus bringing the lightly used authentication technique on PCs and laptops to the mobile world – where device theft and misplacement are big issues. But there is another type of “device fingerprinting.” While employed for good security purposes, fingerprinting can also be a source of mischief.
In fact, a new study by Belgium-based KU Leuven-iMinds university researchers has uncovered that 145 of the Internet’s 10,000 top websites track users without their knowledge or consent using this capability.
Device fingerprinting: what it is and how it works
Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts.
The study, the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet, will be formally presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. As noted above, the team of KU Leuven-iMinds researchers looked at the Internet’s top 10,000 websites and discovered that 145 of them (almost 1.5 percent) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user's original IP address when visiting a website through a third party.
Circumventing “Do Not Track”
Unfortunately, the story gets even more disconcerting. The researchers identified 16 new providers of device fingerprinting, only one of which had been identified in prior research. They also found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.
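The following is an added example, not code from the study or from FPDetective. Using a constructed sample of four visitors, it counts how many visitors share the same combination of the properties described above (screen size, plugin versions, font list) and shows that the Do Not Track value never enters the identifier. The visitor records, the function names and the use of FNV-1a as the hash are assumptions made for illustration.

```javascript
// Added illustration with constructed data; all names here are hypothetical.
// "dnt" mirrors the Do Not Track request header each visitor sends.
const visitors = [
  { id: "A", dnt: "1", screen: "1920x1080", plugins: ["Flash 11.8", "Java 7u25"], fonts: ["Arial", "Calibri", "Futura"] },
  { id: "B", dnt: "0", screen: "1920x1080", plugins: ["Flash 11.8", "Java 7u25"], fonts: ["Arial", "Calibri"] },
  { id: "C", dnt: "0", screen: "1366x768", plugins: ["Flash 11.8"], fonts: ["Arial", "Calibri"] },
  { id: "D", dnt: "1", screen: "1366x768", plugins: ["Flash 11.8"], fonts: ["Arial", "Calibri"] },
];

// FNV-1a (32-bit) stands in for whatever hash a fingerprinting script uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Only device properties feed the identifier; the DNT value is never an input,
// so setting the header cannot change the result.
function fingerprint(v, props = ["screen", "plugins", "fonts"]) {
  const canonical = props
    .map((p) => `${p}=${[].concat(v[p]).sort().join(",")}`)
    .join("|");
  return fnv1a(canonical);
}

// Anonymity set: how many visitors in the sample share this fingerprint.
function anonymitySet(v, population, props) {
  const fp = fingerprint(v, props);
  return population.filter((o) => fingerprint(o, props) === fp).length;
}

// Visitors alone in their anonymity set can be recognised on a return visit.
function uniquelyIdentifiable(population, props) {
  return population
    .filter((v) => anonymitySet(v, population, props) === 1)
    .map((v) => v.id);
}

console.log("screen only:", uniquelyIdentifiable(visitors, ["screen"]));
console.log("all properties:", uniquelyIdentifiable(visitors));
```

Screen size alone leaves every visitor in a group of two, while the combined properties single out visitors A and B, including A, who sent the Do Not Track request.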
The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.
The good, the bad and a solution
The study team did point out that device fingerprinting is not the root of all evil. In fact, it can be and is used for security-related tasks such as fraud detection, protection against account hijacking, and anti-bot and anti-scraping services. However, as seems to be the case with most technologies used for monitoring and tracking, the ability to do so means that marketers, who always want to know more about us to better target their messaging, are using device fingerprinting to gather much-desired knowledge through fingerprinting scripts hidden in advertising banners and web widgets.
The best thing to come out of the research was not just the explanation of the problem but also a solution. It comes in the form of a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts, and is available for free. The goal is for other researchers to use and build upon it.
It always seems that just when we all thought our privacy protections were adequate for keeping prying eyes away from our online behavior, something new is revealed that proves our trust is not well placed. While the websites that employ device fingerprinting have not been disclosed, the very publication of the report is likely to give those who have not done so an incentive to try. Let’s hope that the disclosure of an antidote at least gives them pause, and spurs some enterprising folks to add anti-device-fingerprinting to their arsenal of protection tools.