The new Web tracking: You never see it coming

Web tracking is far more pervasive and invisible than ever, thanks to browser fingerprinting and third-party aggregation

If a website really wants to track you, it seems, it'll be able to do so no matter what.

That's one of the conclusions to be gleaned from a report published by researchers from the KU Leuven Dept. of Computer Science and the Department of Media, Culture, and Communication at New York University.

Entitled "FPDetective: Dusting the Web for Fingerprinters," the report describes a method for determining whether or not browsers are being tracked via mechanisms that are invisible to the end-user and don't use cookies, Flash, or other technologies that are easily tracked and blocked.

Tracked without traces

Tracking mechanisms such as this typically involve polling the browser for readily available information about itself and its host PC. This includes not just the browser's user agent string, but also the size of the screen, the fonts available in the system (a major source of uniquely identifiable data), and so forth. Because all this data is routinely made available to the browser -- and thus to any Web page loaded in it -- it's trivially simple to harvest it and create a fingerprint from it.

"Device fingerprinting raises serious privacy concerns for everyday users," the report notes. "Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to opt out." Few if any sites admit that they do this kind of detection -- in part because such fingerprinting is used in conjunction with "massive device reputation databases where device fingerprints are stored along with the device owners' Web history and 'reputation scores.' "

The researchers found that tracking of this sort is not only quite pervasive, but provided by a wide range of third-party outfits normally involved in consumer tracking, such as Mindshare Technology, BlueCava, and others.

Even spookier was the way some of the tracking mechanisms in question actively evaded detection, such as "by removing the fingerprinting script once the device has been fingerprinted, and collecting fingerprints through third-party widgets."

Not new, but hardly benign

Browser fingerprinting isn't new, not by a long shot. Back in 2010, the Electronic Frontier Foundation created a research project, dubbed "Panopticlick," that pulls as much individually identifiable information as it can from visiting browsers. The results are compiled into a database that allows a user to determine how uniquely identifiable their browser is.

The EFF discussed the resulting research in a paper, "How Unique Is Your Web Browser?" It claimed that browsers, on average, provided "at least 18.1 bits of entropy," meaning only 1 in 286,777 browsers would be expected to share a given browser's signature. That, plus any number of other identifying behaviors, means a given browser is trivially easy to single out from the crowd.
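As an added illustration (not code from the EFF paper, the FPDetective report, or this article), the Python sketch below measures how identifying a browser's attributes are within a sample of visitors, in the spirit of Panopticlick. The visitor rows, attribute names, and values are constructed for the example; it also shows that bits from correlated attributes cannot simply be summed.

```python
import math
from collections import Counter

# Constructed sample: one row per visiting browser (not real measurement data).
VISITORS = [
    {"user_agent": "A", "screen": "1920x1080", "fonts": "base"},
    {"user_agent": "A", "screen": "1920x1080", "fonts": "base"},
    {"user_agent": "A", "screen": "1920x1080", "fonts": "base"},
    {"user_agent": "A", "screen": "1366x768", "fonts": "base"},
    {"user_agent": "B", "screen": "1920x1080", "fonts": "base"},
    {"user_agent": "B", "screen": "1366x768", "fonts": "base"},
    {"user_agent": "B", "screen": "1366x768", "fonts": "office"},
    {"user_agent": "C", "screen": "2560x1440", "fonts": "design"},
]

def surprisal_bits(count, total):
    """Bits of identifying information in a value seen `count` times in `total`."""
    if count == 0:
        return math.inf  # value never observed: the sample cannot bound it
    return math.log2(total / count)

def bits_from_one_in(n):
    """Convert '1 in n browsers shares this fingerprint' to bits."""
    return math.log2(n)

def fingerprint_report(visitors, target):
    """Measure how identifiable `target` is within `visitors`."""
    total = len(visitors)
    per_attr = {}
    for attr in target:
        counts = Counter(v[attr] for v in visitors)
        per_attr[attr] = surprisal_bits(counts[target[attr]], total)
    # Count joint matches directly: correlated attributes do not add up.
    matches = sum(all(v[a] == target[a] for a in target) for v in visitors)
    return {
        "per_attribute_bits": per_attr,
        "naive_sum_bits": sum(per_attr.values()),
        "combined_bits": surprisal_bits(matches, total),
        "anonymity_set": matches,
    }

if __name__ == "__main__":
    for row in (VISITORS[0], VISITORS[7]):
        print(row, fingerprint_report(VISITORS, row))
    print(round(bits_from_one_in(286_777), 2))  # the 1-in-286,777 figure, in bits
```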

What's new here, though, is the way the fingerprinting is being done as a service by third parties. Discussions of privacy on the Web have tended to revolve around cookies or other obvious methods, not the gathering of general behavioral metrics. But the methods used are tilting more toward the latter than the former, in big part because they leave no traces on the user's computer.

The privacy implications of all this shouldn't be hard to see, especially given how repositories of personal data harvested by third parties are susceptible to attack and harvesting.

The FPDetective software created for the sake of producing the study is to be released to the general public at some point later. Privacy advocates will most likely want to use it to continue where this study left off -- especially as the methods used to track people and harvest personal data from behavior grow all the more widely used in multiple venues.

This story, "The new Web tracking: You never see it coming," was originally published at InfoWorld's Tech Watch blog.


Copyright © 2013 IDG Communications, Inc.
