Web sites tracking users using fonts, Belgian researchers find

With many Internet users concerned the National Security Agency is tracking their Web browsing activity, Belgian researchers have released another study showing it’s not just government following our activity – marketers and major Web sites are doing it, too.

In a study by researchers from the University of Leuven in Belgium, it came to light that about 145 of the world’s top 10,000 Web sites have been tracking users without their knowledge or consent – even if they’re using the Do Not Track HTTP header on their browsers. The researchers did not disclose which sites were tracking its visitors.

Using a tool they developed called FPDetective, researchers found many sites have been homing in on users running Flash, the browser plugin that plays animations, videos, and sound files. These sites can also scope out users running Javascript, a programming language that appears in a lot of Web applications.

Some of the sites checking out Javascript have gone as far as to probe up to 500 fonts, measuring the height and width of strings secretly printed onto a Web page. By using hidden scripts, they extract device “fingerprints” from users’ browsers, giving them a way around both the Do Not Track HTTP header and any legal restrictions on cookies – showing many Web sites are secretly keeping tabs on us, perhaps more often than we suspect.

Roughly 145 of the world’s top 10,000 sites have been following people through Flash, while 404 of the top one million sites have been doing the same through Javascript, the study found. The companies doing the actual fingerprinting were very clear about that on their sites, their social media channels, and in press releases. But the Web sites employing these companies rarely stated they were doing that in their privacy policies, the researchers said.

“Device fingerprinting raises serious privacy concerns for everyday users. Its stateless nature makes it hard to detect (no cookies to inspect and delete) and even harder to
opt-out,” researchers noted in their report.

“Moreover, fingerprinting works just as well in the ‘private-mode’ of modern browsers, which cookie-conscious users may be utilizing to perform privacy-sensitive operations.”

Device fingerprinting involves collecting the screen size, versions of installed software and plugins, and the list of installed fonts for PCs, smartphones, and tablets. That makes it easier to track users and identify who they are, because for the most part, the combination of these factors is unique to each device. And with the rise of smartphones and tablets, marketers and advertisers are also able to track users across devices.

While device fingerprinting can also be used in cybersecurity in fraud detection, protection against account hijacking, anti-bot services, and anti-scraping services, researchers said they also found marketers were putting fingerprinting scripts in advertising banners and Web widgets.

The researchers’ tool, FPDetective, zeroes in on detecting fingerprinting through font detection, rather than checking databases of known fingerprinters or blacklisted third-party trackers. Developed as a crawler using two instrumented browsers, PhantomJS and Chromium, the tool visits Web sites and collects data about font loading, or accessing browser properties, in case those activities point to fingerprinting.

“Our findings demonstrate that web fingerprinting is a real and growing issue, deserving the attention of both policymakers and the research community,” the researchers concluded in their report.

“We hope that our framework, which is freely available to other researchers and can easily be extended to conduct further studies, will contribute to addressing this issue by providing a means to shed light on web fingerprinting practices and techniques.”

FPDetective will be shared online at http://homes.esat.kuleuven.be/~gacar/fpdetective, allowing other researchers to build on it, especially for other languages like Python, C++, JavaScript, and MySQL. The team at the University of Leuven will be presenting their findings at the 20th ACM Conference on Computer and Communications Security in Berlin in November.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Candice So
Candice Sohttp://www.itbusiness.ca
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.