With the recent launch of the iPhone 5s, there has been much ado about using fingerprints as an added method of security for our personal devices, thus bringing the lightly used authentication technique on PCs and laptops to the mobile world – where device theft and misplacement are big issues. But there is another type of “device fingerprinting.” While employed for good security purposes, fingerprinting can also be a source of mischief.
In fact, a new study by Belgium-based KU Leuven-iMinds university researchers has uncovered that 145 of the Internet’s 10,000 top websites track users without their knowledge or consent using this capability.
Device fingerprinting: what it is and how it works
Device fingerprinting, also known as browser fingerprinting, is the practice of collecting properties of PCs, smartphones and tablets to identify and track users. These properties include the screen size, the versions of installed software and plugins, and the list of installed fonts.
The study, the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet, will be formally presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. As noted above, the team of KU Leuven-iMinds researchers looked at the Internet’s top 10,000 websites and discovered that 145 of them (almost 1.5 percent) use Flash-based fingerprinting. Some Flash objects included questionable techniques such as revealing a user's original IP address when visiting a website through a third party.
Circumventing “Do Not Track”
Unfortunately, the story gets even more disconcerting. The researchers identified 16 new providers of device fingerprinting, only one of which had been identified in prior research. They also found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.
The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.
The good, the bad and a solution
The study team did point out that device fingerprinting is not the root of all evil. In fact, it can be, and is, used for security-related tasks such as fraud detection, protection against account hijacking, and anti-bot and anti-scraping services. However, as seems to be the case with most technologies used for monitoring and tracking purposes, the ability to do so means that marketers, who always want to know more about us to better target their messaging, are using device fingerprinting to gather much-desired knowledge through fingerprinting scripts hidden in advertising banners and web widgets.
The best thing to come out of the research was not just the explanation of the problem but also a solution. It comes in the form of a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts, and is available for free. The goal is for other researchers to use and build upon it.
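To make the idea of analysing scripts for suspicious behaviour concrete, here is an added example that is not from the article and is not FPDetective's own logic: a static check that flags script source reading several of the property groups described above (screen size, software versions, plugins, fonts) and records whether the script ever consults the Do Not Track setting. The signal patterns, the threshold of three groups and both sample scripts are assumptions constructed for illustration.

```javascript
// Added example: a static heuristic, not FPDetective's actual detection logic.
// Signal groups follow the device properties the article lists.
const SIGNALS = {
  screen: /\bscreen\.(width|height|colorDepth|availWidth|availHeight)\b/,
  software: /\bnavigator\.(userAgent|platform|appVersion)\b/,
  plugins: /\bnavigator\.(plugins|mimeTypes)\b/,
  // Font probing: set a candidate font, then measure the rendered element.
  fonts: /\bfontFamily\b[\s\S]*\boffset(Width|Height)\b/,
};

// Assumption: reading three or more groups is worth a manual review.
const THRESHOLD = 3;

function analyzeScript(source) {
  // Strip comments so commented-out code is not counted as a signal.
  // The [^:] guard keeps "http://" inside strings from being cut.
  const code = source
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/(^|[^:])\/\/[^\n]*/g, '$1');
  const groups = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(code));
  return {
    groups,
    // True if the script references navigator.doNotTrack (or msDoNotTrack).
    checksDnt: /doNotTrack/i.test(code),
    suspicious: groups.length >= THRESHOLD,
  };
}

// Constructed sample: collects many properties and never looks at DNT.
const SAMPLE_COLLECTOR = `
  var d = [screen.width, screen.height, navigator.userAgent];
  for (var i = 0; i < navigator.plugins.length; i++) d.push(navigator.plugins[i].name);
  span.style.fontFamily = candidate; d.push(span.offsetWidth);
`;

// Constructed sample: ordinary responsive-layout code.
const SAMPLE_LAYOUT = `
  if (screen.width < 600) document.body.className = 'mobile';
`;

console.log(analyzeScript(SAMPLE_COLLECTOR));
console.log(analyzeScript(SAMPLE_LAYOUT));
```

A heuristic like this only surfaces candidates for review; legitimate fraud-detection scripts read the same properties, and obfuscated scripts will not match plain-text patterns.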
It always seems that just when we all thought our privacy protections were adequate for keeping prying eyes away from our online behavior, something new is revealed that proves our trust is not well placed. While the websites that employ device fingerprinting have not been disclosed, the very publication of the report is likely to give those who have not done so an incentive to try. Let’s hope that the disclosure of an antidote at least gives them pause, and spurs some enterprising folks to add anti-device fingerprinting to their arsenal of protection tools.