With many Internet users concerned the National Security Agency is tracking their Web browsing activity, Belgian researchers have released another study showing it’s not just government following our activity – marketers and major Web sites are doing it, too.
In a study by researchers from the University of Leuven in Belgium, it came to light that about 145 of the world’s top 10,000 Web sites have been tracking users without their knowledge or consent – even if they’re using the Do Not Track HTTP header on their browsers. The researchers did not disclose which sites were tracking its visitors.
Using a tool they developed called FPDetective, researchers found many sites have been homing in on users running Flash, the browser plugin that plays animations, videos, and sound files. These sites can also scope out users running Javascript, a programming language that appears in a lot of Web applications.
Some of the sites checking out Javascript have gone as far as to probe up to 500 fonts, measuring the height and width of strings secretly printed onto a Web page. By using hidden scripts, they extract device “fingerprints” from users’ browsers, giving them a way around both the Do Not Track HTTP header and any legal restrictions on cookies – showing many Web sites are secretly keeping tabs on us, perhaps more often than we suspect.
Roughly 145 of the world’s top 10,000 sites have been following people through Flash, while 404 of the top one million sites have been doing the same through Javascript, the study found. The companies doing the actual fingerprinting were very clear about that on their sites, their social media channels, and in press releases. But the Web sites employing these companies rarely stated they were doing that in their privacy policies, the researchers said.
“Device fingerprinting raises serious privacy concerns for everyday users. Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to
opt-out,” researchers noted in their report.
“Moreover, fingerprinting works just as well in the ‘private-mode’ of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations.”
Device fingerprinting involves collecting the screen size, versions of installed software and plugins, and the list of installed fonts for PCs, smartphones, and tablets. That makes it easier to track users and identify who they are, because for the most part, the combination of these factors is unique to each device. And with the rise of smartphones and tablets, marketers and advertisers are also able to track users across devices.
While device fingerprinting can also be used in cybersecurity in fraud detection, protection against account hijacking, anti-bot services, and anti-scraping services, researchers said they also found marketers were putting fingerprinting scripts in advertising banners and Web widgets.
The researchers’ tool, FPDetective, zeroes in on detecting fingerprinting through font detection, rather than checking databases of known fingerprinters or blacklisted third-party trackers. Developed as a crawler using two instrumented browsers, PhantomJS and Chromium, the tool visits Web sites and collects data about font loading, or accessing browser properties, in case those activities point to fingerprinting.
“Our findings demonstrate that web fingerprinting is a real and growing issue, deserving the attention of both policymakers and the research community,” the researchers concluded in their report.
“We hope that our framework, which is freely available to other researchers and can easily be extended to conduct further studies, will contribute to addressing this issue by providing a means to shed light on web fingerprinting practices and techniques.”
FPDetective will be shared online at http://homes.esat.kuleuven.be/~gacar/fpdetective, allowing other researchers to build on it, especially for other languages like Python, C++, JavaScript, and MySQL. The team at the University of Leuven will be presenting their findings at the 20th ACM Conference on Computer and Communications Security in Berlin in November.