With the recent launch of the iPhone 5s, there has been much ado about using fingerprints as an added method of security for our personal devices, thus bringing the lightly used authentication technique on PCs and laptops to the mobile world – where device theft and misplacement are big issues. But there is another type of “device fingerprinting.” While employed for good security purposes, fingerprinting can also be a source of mischief.
In fact, a new study by Belgium-based KU Leuven-iMinds university researchers has uncovered that 145 of the Internet’s 10,000 top websites track users without their knowledge or consent using this capability.
Image via Shutterstock
Device fingerprinting: what it is and how it works
Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts.
The study, the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet, will be formally presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. As noted above, the team of KU Leuven-iMinds researchers looked at the Internet’s top 10,000 websites and discovered that 145 of them (almost 1.5 percent) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user's original IP address when visiting a website through a third party.
Circumventing “Do Not Track”
Unfortunately, the story gets even more disconcerting. The researchers identified 16 new providers of device fingerprinting, only one of which had been identified in prior research. They also found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.
The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.
The good, the bad and a solution
The study team did point out that device fingerprinting is not the root of all evil. In fact, it can and is used for security-related tasks such as fraud detection, protection against account hijacking and anti-bot and anti-scraping services. However, as seems to be the case with most technologies used for monitoring and tracking purposes the ability to do so means that marketers, who always want to know more about us to better target their messaging, are using device fingerprinting to gather much desired knowledge using fingerprinting scripts hidden in advertising banners and web widgets.
The best thing to come out of the research was not just the explanation of the problem but also a solution. It comes in the form of a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts, and is available for free. The goal is for other researchers to use and build upon it.
It always seems that just when we all thought our privacy protections were adequate for keeping prying eyes away from our online behavior something new is revealed that proves our trust is not well placed. While the websites that employ device fingerprinting have not been disclosed, the very publication of the report is likely to give those who have not done so an incentive to try. Let’s hope that the disclosure of an antidote at least gives them pause, and spurs some enterprising folks to add anti-device fingerprinting to their arsenal of protection tools.
Digital advertising has exploded in recent years, with the latest eMarketer data forecasting $83 billion in revenue this year and continued growth on …
One of the biggest challenges for 5G and last mile 10 Gig deployments is not raw data speeds, but middle mile and core networks. The wireless industry…
Although a new and emerging technology, (which is still evolving), in early 2018, most companies are not aware of the possible benefits they can achie…
VR could change everything from how we play video games to how we interact with our friends and family. VR has the power to change how we consume all …
The app economy is upon us, and businesses of all stripes are moving to address it. In this age of digital transformation, businesses rely on applicat…