Browser Fingerprinting: 9 Facts

Published: 22/11/2024   Category: security




Tracking technology that can identify individual identities and devices is improving faster than consumers might realize, warn privacy researchers.



Not all firms that track consumers' browsing behavior by using advanced browser fingerprinting techniques fail to honor Do Not Track (DNT) flags or opt-out preferences.
So said James Brentano, VP of solutions at BlueCava, responding to a recently released study -- FPDetective: Dusting the Web for Fingerprinters -- from privacy researchers in Belgium and the United States. The study reported that at least 404 of the world's one million most popular websites were using advanced techniques to fingerprint users and devices and to tie an individual consumer's identity to multiple devices. The researchers warned that latest-generation techniques, based on JavaScript and Flash fingerprinting of devices, aren't technically cookies, and thus might allow advertisers to bypass European cookie laws.
But Brentano said that BlueCava -- whose fingerprinting tracking technology the researchers most often encountered during their survey of the Web -- doesn't fingerprint in a surreptitious manner. "We do respect Do Not Track from all the browsers. We do have opt out," he said, speaking by phone. "There's no value for a company like us in tracking people who don't want to be tracked, because people who don't want to be tracked don't respond to tracking."
Still, few consumers likely know about browser fingerprinting, and as awareness grows, the topic promises to become contentious. Here are nine related facts to understand as this debate unfolds:
1. Multiple Tracking Firms Employ Fingerprinting Techniques.
The researchers behind the FPDetective study reported finding fingerprinting technology from numerous firms, including Bitcoin digital wallet provider CoinBase, geolocation and online fraud prevention firm MaxMind, consumer tracking provider Mindshare Technology, as well as services with such names as Analyticsengine, Anonymizer, fingerprint.js, Inside graph and Perferencement. But they wrote that BlueCava's font-probing JavaScript code was the most prevalent, and the only one of the discovered font-probing scripts that queries different sets of fonts based on the device's operating system: 231 fonts for Microsoft Windows, 167 for Mac OS and 62 for other operating systems.
Brentano said this fingerprinting is designed to identify a given device, but not to surreptitiously track it. "Commercially -- and I don't know what the bad guys are doing -- but there's no intent to bypass a user's preferences," he said. "This isn't about privacy, this is about economics. The goal is to give users choice, which sounds like marketing crap, but it's economically true. There's no value to trying to track a user who objects. Brands are very explicit about this: our customers put the burden on us, make sure users know this is happening, and can opt out."
2. Most Consumers Don't Understand Fingerprinting.
Brentano also said that the browser-fingerprinting techniques -- for example, making a record of the fonts used by a given computer -- are well-known in the advertising and tracking industries. "Everyone in this space pretty much has access to the same information -- you can see the fonts, the user agent," he said. But he noted that browsers will also change over time, meaning that the profile of a given device must evolve. "The secret sauce, if you will, is to be able to take these two profiles and recognize if they're the same [device], because you have to do it in Internet time."
Privacy advocate Jim Brock, however, said via phone that he didn't think these types of fingerprinting techniques have been widely adopted. "I'm glad [BlueCava has] an opt-out program; that's good. I'm glad they have a reset button; that's good. But I do not think it's mainstream ... what they're doing," said Brock, who founded PrivacyChoice in 2009, which was acquired by AVG Technologies in May 2013. Brock currently serves as VP of privacy products at AVG.
Gunes Acar, lead author of the FPDetective paper and Ph.D. student -- researching Web and mobile application privacy -- at the University of Leuven in Belgium, posited that most consumers would be surprised to learn about these fingerprint techniques, which were first discovered by a font geek. "I don't think it's well known, even in academia," Acar said via email. "Most of the people who hear about that -- measuring the sizes of invisible strings with different fonts -- freak out."
3. Billions In Ad Revenue Drive Consumer Tracking.
The economic incentives to track users today are higher than ever. Internet sales figures from the first half of 2013 totaled $20.1 billion -- an all-time high -- which was an increase of 18% from the same period last year.
Still, what's wrong with fingerprinting techniques? "My problem with them is they're immutable, invisible and unexpected by consumers," Brock explained. "These types of methods are on the frontier of aggressive data collection because ... they associate your data and activity across multiple devices, and associate your household's devices in a way that consumers wouldn't expect."
4. Not All Fingerprinting Vendors Are The Same.
As demand for new tracking techniques grows, however, not all JavaScript and Flash-based fingerprinting technology -- or vendors -- are the same. "Let me acknowledge that among the fingerprinting companies we are aware of, BlueCava might be the most transparent about their practices," Acar said. "I guess this is partly because they want to operate in Europe and have to comply with the EU directives." These include the eCookie Directive, which was designed to ensure that users were tracked only with their consent.
Legally speaking, fingerprinting technology falls into a gray area. "Since you don't have to store cookies with fingerprinting, user consent is possibly not required," Acar said, though he noted that this has yet to be tested in European court. In addition, he noted that BlueCava's opt-out page doesn't apply to third parties who use its technology, which may include use for fraud prevention purposes.
5. Users Can Block Fingerprinting – Sometimes.
Brentano said BlueCava's fingerprinting isn't hidden from browser privacy plug-ins designed to track tracking technology. "I can only speak for us, but the most common tool, Ghostery, absolutely sees us, they will see our code run. We explicitly write a cookie whenever we can, so we leave a mark behind," he said.
But Acar noted that not all tracking technology can be detected by tracking monitoring software such as Ghostery or NoScript. "Ghostery has a big database of trackers, if they add the ones we found to their databases Ghostery can block some of them," he explained. "Still, there are ways to circumvent these protections, like serving the same script from different addresses." In addition, he said, "NoScript can block some fingerprinters -- depends on the configuration."
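The font probing described under facts 1 and 2 and the address-based blocklist gap Acar describes here can both be handled by looking at behavior instead of URLs. The sketch below is an added example, not code from FPDetective or from any vendor named in the article; the log format, field names, hosts, hashes and the threshold of 30 fonts are all assumptions made for illustration.

```javascript
// Assumed threshold (not from the article): distinct fonts set and then measured in one page load.
const FONT_PROBE_THRESHOLD = 30;

// Each event is one instrumented DOM access: a script assigning style.fontFamily ("set-font")
// or reading an element's offsetWidth/offsetHeight ("measure"). Field names are hypothetical.
function findFontProbers(log, threshold = FONT_PROBE_THRESHOLD) {
  const loads = new Map(); // one entry per (site, script body) page load
  for (const ev of log) {
    const key = `${ev.site}|${ev.bodyHash}`;
    if (!loads.has(key)) {
      loads.set(key, { site: ev.site, script: ev.script, bodyHash: ev.bodyHash,
                       pending: null, probed: new Set() });
    }
    const st = loads.get(key);
    if (ev.op === "set-font") {
      st.pending = ev.font;
    } else if (ev.op === "measure" && st.pending !== null) {
      st.probed.add(st.pending); // font was applied and its rendered size read back
      st.pending = null;
    }
  }
  // Report by body hash, so one script served from several addresses is one finding.
  const findings = new Map();
  for (const st of loads.values()) {
    if (st.probed.size < threshold) continue;
    const f = findings.get(st.bodyHash) || { urls: new Set(), sites: new Set(), maxFonts: 0 };
    f.urls.add(st.script);
    f.sites.add(st.site);
    f.maxFonts = Math.max(f.maxFonts, st.probed.size);
    findings.set(st.bodyHash, f);
  }
  return findings;
}

// Constructed sample crawl log (all hosts, hashes and font names are made up).
function buildSampleLog() {
  const log = [];
  const probe = (site, script) => {
    for (let i = 0; i < 62; i++) { // 62 = the smallest font set the article mentions
      log.push({ site, script, bodyHash: "hash-probe", op: "set-font", font: `Font${i}` });
      log.push({ site, script, bodyHash: "hash-probe", op: "measure" });
    }
  };
  probe("shop.example", "https://cdn-a.example/fp.js");
  probe("news.example", "https://static-b.example/lib.js");
  const app = { site: "news.example", script: "https://news.example/app.js", bodyHash: "hash-app" };
  log.push({ ...app, op: "set-font", font: "Georgia" }, { ...app, op: "set-font", font: "Arial" },
           { ...app, op: "measure" }); // ordinary styling plus one layout read
  return log;
}

for (const [hash, f] of findFontProbers(buildSampleLog())) {
  console.log(hash, f.maxFonts, [...f.urls], [...f.sites]);
}
```

Because findings are keyed on the script body and its observed behavior, the same probing script is reported once even though it was fetched from two different hosts, which a URL-only blocklist would treat as unrelated.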
6. Fingerprinting Can Make Opt-Out Preferences Stick.
BlueCava's Brentano said his firm also uses its fingerprinting techniques to ensure that a consumer's opt-out preferences persist. "We believe that we do a better job of opt out, because with cookies, if you opt out, and then delete the cookies -- which people often do -- then you delete your opt out," he said. "But we also record an opt-out event against our record of that device ... and we'll actually reset the opt-out cookie."
But what about giving consumers the right to opt in to these techniques -- rather than being stuck in the situation of having to opt out of techniques they may not realize are being used? "That's an absolutely legitimate political debate, which we do not have an opinion on," Brentano said. "From our standpoint, either one is fine. We just play by the rules that the industry and regulatory regime sets."
7. Do Not Track: Not Mentioned In BlueCava's Privacy Policy.
But AVG's Brock questioned why BlueCava's privacy statement makes no mention of any Do Not Track compliance. "The Federal Trade Commission can only effectively enforce statements that are literally made, and I couldn't find a statement in [BlueCava's] privacy policy that they honor Do Not Track," he said. "So their statement has no legal effect, as far as I know."
8. Are Advertisers Seeking Legal Protection For Fingerprinting?
The Digital Advertising Alliance and the Interactive Advertising Bureau -- both advertising trade groups -- are currently developing standards for all types of tracking, including cookies. They say this will provide consumers with a single, consistent way to opt out of being tracked, although some privacy groups think it may be a push by the industry to legitimize obscure -- and likely controversial -- fingerprinting techniques.
In addition, according to Brock, by combining these techniques, advertisers are gaining new ways to tie together devices with people's identities and personal information. For example, if a user searches for information about a disease on their smartphone, that information could end up getting added to a file -- maintained about that one person -- that gets bought and sold by data brokers, and which also records what they do or see from their PC and tablet.
9. More Aggressive Tracking To Come?
Given the overarching privacy and regulatory questions surrounding tracking, don't expect advanced fingerprinting techniques -- or related debates -- to go away, especially if more people begin to use ad-blocking technology. "We're going to be hearing a lot more about this technology as the advertisers become more desperate," Brock said. "We don't have a Do Not Track standard, and the industry organizations are embracing these new aggressive tracking methods as a way to shore up the business."
Furthermore, tracking firms still have many more tracking techniques available to them, should they decide to use them. "There are ways to fingerprint devices without JavaScript or Flash. Clock skew, network packet fingerprinting and our attack on Tor Browser -- scriptless font fingerprinting -- are examples for passive fingerprinting techniques," said University of Leuven's Acar. "These techniques I'd refer to as really, really stealthy compared to JavaScript or Flash-based fingerprinting. They don't require any client-side code to run and are very hard to detect for researchers too."
