If a website really wants to track you, it seems, it'll be able to do so no matter what.
That's one of the conclusions to be gleaned from a report published by researchers from the KU Leuven Dept. of Computer Science and the Department of Media, Culture, and Communication at New York University.
Tracked without traces
Tracking mechanisms such as this typically involve polling the browser for readily available information about itself and its host PC. This includes not just the browser's user agent string, but also the size of the screen, the fonts available in the system (a major source of uniquely identifiable data), and so forth. Because all this data is routinely made available to the browser -- and thus any Web page invoked in it -- it's trivially simple to harvest it and create a fingerprint from it.
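To see why those individually unremarkable attributes add up to an identifier, the added example below (not taken from the report) measures how much a user agent, screen size and font list narrow down a visitor, separately and combined. The eight visitor records are constructed for illustration, and the function names are this example's own.

```javascript
// Constructed sample (not real data): attributes a page can read from each visitor's browser.
const visitors = [
  { ua: "Firefox/Win", screen: "1920x1080", fonts: "Arial,Verdana" },
  { ua: "Firefox/Win", screen: "1920x1080", fonts: "Arial,Verdana,Calibri" },
  { ua: "Firefox/Win", screen: "1366x768",  fonts: "Arial,Verdana,Futura" },
  { ua: "Firefox/Win", screen: "1366x768",  fonts: "Arial,Verdana,Calibri,Futura" },
  { ua: "Chrome/Mac",  screen: "1920x1080", fonts: "Arial,Verdana,Futura" },
  { ua: "Chrome/Mac",  screen: "1920x1080", fonts: "Arial,Verdana,Calibri,Futura" },
  { ua: "Chrome/Mac",  screen: "1366x768",  fonts: "Arial,Verdana" },
  { ua: "Chrome/Mac",  screen: "1366x768",  fonts: "Arial,Verdana,Calibri" },
];

// Count how many visitors share each combined value of the chosen attributes.
// Each count is the size of one anonymity set.
function groupSizes(rows, attrs) {
  const counts = new Map();
  for (const r of rows) {
    const key = JSON.stringify(attrs.map((a) => r[a]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the combined attributes: how much they narrow a visitor down.
function entropyBits(rows, attrs) {
  let h = 0;
  for (const c of groupSizes(rows, attrs).values()) {
    const p = c / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of visitors who are alone in their anonymity set, i.e. uniquely identifiable.
function uniqueFraction(rows, attrs) {
  let alone = 0;
  for (const c of groupSizes(rows, attrs).values()) if (c === 1) alone += 1;
  return alone / rows.length;
}

for (const attrs of [["ua"], ["screen"], ["fonts"], ["ua", "screen"], ["ua", "screen", "fonts"]]) {
  const bits = entropyBits(visitors, attrs).toFixed(2);
  const pct = uniqueFraction(visitors, attrs) * 100;
  console.log(`${attrs.join("+")}: ${bits} bits, ${pct}% of visitors unique`);
}
```

In this sample no single attribute singles anyone out, yet the three together make every visitor unique, with no cookie involved.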
"Device fingerprinting raises serious privacy concerns for everyday users," the report notes. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt out." Few if any sites admit that they do this kind of detection -- in part because such fingerprinting is used in conjunction with "massive device reputation databases where device fingerprints are stored along with the device owners' Web history and 'reputation scores.' "
The researchers found that tracking of this sort is not only quite pervasive, but provided by a wide range of third-party outfits normally involved in consumer tracking, such as Mindshare Technology, BlueCava, and others.
Even spookier was the way some of the tracking mechanisms in question actively evaded detection, such as "by removing the fingerprinting script once the device has been fingerprinted, and collecting fingerprints through third-party widgets."