Websites use device fingerprinting for secret tracking
We all realize, or should do, that whatever we do online leaves a trail. Usually this is in the form of cookies or other information over which we have some control and which is subject to a degree of legal regulation, but what about other, more insidious, forms of tracking?
The KU Leuven research is the first concerted effort to measure just how widespread device fingerprinting is. The researchers found that 145 of the Internet's top 10,000 websites use Flash-based fingerprinting. More worrying still, some of the Flash objects included questionable techniques such as revealing a user's original IP address even when they're visiting a website through a proxy.
Of course, device fingerprinting does have legitimate security-related uses, including fraud detection and protection against account hijacking. But this study suggests it's also being used for analytics and marketing purposes via fingerprinting scripts which are hidden in seemingly innocuous advertising banners and web widgets.
In order to detect websites which are using device fingerprinting technologies, the researchers have developed a tool called FPDetective. This crawls and analyses sites looking for suspicious scripts. This tool and its source code will be made freely available for other researchers to use and build on, so we can expect to see fingerprinting detection appearing in security products in the future.
The report's findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin. In the meantime, you can download the full paper outlining the research methodology as a PDF.