device fingerprinting

Top sites (and maybe the NSA) track users with “device fingerprinting”

Close to 1.5 percent of the Internet's top websites track users without their knowledge or consent, even when visitors have enabled their browser's Do Not Track option, according to an academic research paper that raises new questions and concerns about online privacy.

The research, by a team of scientists in Europe, is among the first to expose the real-world practice of "device fingerprinting," a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor's computer or smartphone to create a profile that is often unique to that machine. The researchers scanned select pages of the top 10,000 websites as ranked by Alexa and found that 145 of them deployed code based on Adobe's Flash Player that fingerprinted users surreptitiously. When they expanded their survey to the top one million sites, they found 404 that used JavaScript-based fingerprinting. The researchers said the figures should be taken as the lower bounds since their crawlers weren't able to access pages behind CAPTHCAs and other types of Web forms. Mainstream awareness of fingerprinting first surfaced three years ago following the release of research from the Electronic Frontier Foundation.

Device fingerprinting serves many legitimate purposes, including mitigating the impact of denial-of-service attacks, preventing fraud, protecting against account hijacking, and curbing content scraping, bots, and other automated nuisances. But fingerprinting also has a darker side. For one, few websites that include fingerprinting code in their pages disclose the practice in their terms of service. For another, marketing companies advertise their ability to use fingerprinting to identify user behavior across websites and devices. That suggests device fingerprinting may be used much the way tracking cookies are used to follow people as they browse from site to site, even though fingerprinting isn't covered by most laws governing cookies and websites' Do Not Track policies. And unlike user profiling that relies on "stateful" browser cookies that are usually easy to delete from hard drives, most end users have no idea that their computers are being fingerprinted, and they have few recourses to prevent the practice.

"Device fingerprinting raises serious privacy concerns for everyday users," the researchers wrote in a recently published paper. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt-out. Moreover, fingerprinting works just as well in the 'private-mode' of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations."

More troubling, device fingerprinting may have given the National Security Agency and its counterparts around the world an avenue to identify people using the Tor privacy service. As disclosed in an installment of previously secret NSA documents published last week by The Guardian, the spy agency is capable of injecting script redirections into the traffic of Tor users. Slide 16 of an NSA presentation titled Tor Stinks included the excerpt: "Goal: ... Ignore user-agents from Torbutton or Improve browser fingerprinting? Using javascript instead of Flash?"

The Firefox browser that ships with the Tor Browser Bundle has long attempted to prevent fingerprinting by limiting the customizable properties that are available to users. It also placed a cap on the number of fonts a webpage can request or load. The fingerprinting researchers found a way to bypass the font cap by making use of the Web programming property known as CSS font face. The researchers reported their findings to Tor developers, who have since patched the weaknesses.