Websites use device fingerprinting for secret tracking
We all realize, or should do, that whatever we do online leaves a trail. Usually this is in the form of cookies or other information over which we have some control and which is subject to a degree of legal regulation, but what about other, more insidious, forms of tracking?
New research carried out by Netherlands-based university KU Leuven reveals that a small number of sites are secretly tracking their users. The study by KU Leuven-iMinds researchers has uncovered evidence that 145 of the Internet's 10,000 top websites carry out tracking without the knowledge or consent of their users. The sites do this by using hidden scripts to extract a device fingerprint from users' browsers. This technique avoids the legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header. The study's findings suggest that secret fingerprinting is being used to get around legitimate barriers to tracking.
By collecting the properties of PCs, smartphones and tablets including their screen size, the software versions they're running and which plug-ins are installed, fingerprinting can accurately identify and track users. A 2010 study by the Electronic Frontier Foundation showed that, for the vast majority of browsers, the combination of these properties is unique, and can be used to track users without relying on cookies. Device fingerprinting generally targets either Flash, the common browser plugin which enables animations, videos and sound files, or JavaScript, the programming language for web applications.
The KU Leuven research is the first concerted effort to measure just how widespread device fingerprinting is. The researchers found that 145 of the Internet's top 10,000 websites use Flash-based fingerprinting. More worrying still, some of the Flash objects included questionable techniques such as revealing a user's original IP address even when they're visiting a website through a proxy.
The study also found that 404 of the top million sites use JavaScript-based fingerprinting, which allows sites to track non-Flash devices and mobile phones. Although this is only a tiny percentage of sites, it's still evidence of a disturbing trend.
Of course, device fingerprinting does have legitimate security-related uses, including fraud detection and protection against account hijacking. But this study suggests it's also being used for analytics and marketing purposes via fingerprinting scripts which are hidden in seemingly innocuous advertising banners and web widgets.
In order to detect websites which are using device fingerprinting technologies, the researchers have developed a tool called FPDetective. This crawls and analyses sites looking for suspicious scripts. This tool and its source code will be made freely available for other researchers to use and build on, so we can expect to see fingerprinting detection appearing in security products in the future.
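As an added illustration of the kind of check a fingerprinting detector can apply to the scripts a crawler collects, the following Python scanner flags a script when it combines several of the browser properties the study describes (screen size, software versions, installed plugins). This is example code written for this article, not FPDetective's or the researchers' code; the signal list, the threshold and both sample scripts are constructed assumptions.

```python
import re

# Browser/Flash APIs whose combined use is typical of fingerprinting scripts.
# This signal list is an assumption for the example, not FPDetective's rule set.
FP_SIGNALS = {
    "user agent / software versions": r"navigator\.(?:userAgent|appVersion|platform)\b",
    "installed plugins": r"navigator\.(?:plugins|mimeTypes)\b",
    "screen size": r"\bscreen\.(?:width|height|colorDepth|availWidth|availHeight)\b",
    "timezone": r"\.getTimezoneOffset\s*\(",
    "font probing": r"\.offsetWidth\b[\s\S]{0,200}?fontFamily|fontFamily[\s\S]{0,200}?\.offsetWidth\b",
    "Flash capabilities": r"Capabilities\.(?:os|language|screenResolutionX|screenResolutionY|version)\b",
}

# Benign scripts touch one or two of these (e.g. a browser-version check);
# only a combination of distinct signals is treated as fingerprinting.
THRESHOLD = 3


def scan_script(source):
    """Return the set of fingerprinting signals present in a script's source text."""
    return {name for name, pattern in FP_SIGNALS.items() if re.search(pattern, source)}


def classify(source, threshold=THRESHOLD):
    """Return (flagged, signals): flagged is True when the script combines enough signals."""
    signals = scan_script(source)
    return len(signals) >= threshold, signals


# Constructed sample: a script that assembles a device fingerprint from the
# properties the study describes and reports it to a (placeholder) collector.
FINGERPRINTER = """
var fp = [navigator.userAgent, screen.width + "x" + screen.height + "x" + screen.colorDepth,
          new Date().getTimezoneOffset()];
for (var i = 0; i < navigator.plugins.length; i++) { fp.push(navigator.plugins[i].name); }
new Image().src = "//tracker.example/collect?fp=" + encodeURIComponent(fp.join("|"));
"""

# Constructed sample: ordinary compatibility code that reads the user agent only.
BENIGN = """
if (navigator.userAgent.indexOf("MSIE") !== -1) { document.body.className += " legacy-ie"; }
"""

if __name__ == "__main__":
    for label, src in (("fingerprinter", FINGERPRINTER), ("benign", BENIGN)):
        flagged, signals = classify(src)
        print(label, "FLAGGED" if flagged else "ok", sorted(signals))
```

A static pattern check like this misses obfuscated or dynamically assembled scripts, which is why a crawler such as FPDetective also needs to observe which properties a script actually reads while the page runs.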
The report's findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. Meanwhile, you can download the full paper outlining the research methodology as a PDF.
Photo Credit: Maksim Kabakou/Shutterstock