Top Websites Secretly Track Your Device Fingerprint

12 October 2013 — IEEE

Websites that really want to track you without permission have a way. A new report shows a surprising number of top Internet websites using so-called “device fingerprints” to secretly track visitors—a method that avoids legal limits on the use of cookies and also ignores the Do Not Track HTTP header.

The new report suggests that such secret tracking of Web users is more widespread than previous studies had found, according to researchers from KU Leuven in Belgium and New York University (NYU). Researchers counted 95 of the top 10 000 websites using device fingerprinting targeted at the Flash browser plugin used to play animations, videos, and sound files. They also found 404 of the top 1 million websites used device fingerprinting targeted at the JavaScript programming language used in web applications. Such fingerprinting can identify users on mobile phones and other devices that may not use Flash.

Device fingerprinting collects the properties of PCs, smartphones, and tablets that people use to access the Internet in order to create a unique identification. The fingerprint properties—including screen size, versions of installed software, and even lists of installed fonts—allow websites to track users without relying on the more common Internet cookies to follow users’ online activities.

The technique can even track users who had requested not to be tracked by enabling a Do Not Track HTTP header, researchers found. The Do Not Track project has attempted to create a universal standard for opting out of online tracking that goes beyond implementation by individual web browsers, but the Washington Post reports that recent Do Not Track discussions by a working group organized under the World Wide Web Consortium (W3C) appear close to collapse.
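To show why a handful of readable properties can stand in for a cookie, the following added example (not code from the report or from FPDetective) groups a constructed set of six visitors by the properties named above and measures how many visitors share each combination. The visitor records, attribute names and function names are assumptions made for illustration.

```javascript
// Constructed sample: values a page can read without storing anything on
// the device. "id" is only a label for this example, never part of the key.
const visitors = [
  { id: "A", screen: "1920x1080", flash: "11.8", fonts: ["Arial", "Calibri", "Verdana"], dnt: "1" },
  { id: "B", screen: "1920x1080", flash: "11.8", fonts: ["Verdana", "Arial", "Calibri"], dnt: null },
  { id: "C", screen: "1920x1080", flash: "11.8", fonts: ["Arial", "Helvetica Neue", "Verdana"], dnt: null },
  { id: "D", screen: "1366x768", flash: "11.8", fonts: ["Arial", "Calibri", "Verdana"], dnt: null },
  { id: "E", screen: "1366x768", flash: "11.7", fonts: ["Arial", "Calibri", "Verdana"], dnt: null },
  { id: "F", screen: "1366x768", flash: "11.7", fonts: ["Arial", "Calibri", "Verdana"], dnt: null },
];

// Canonical key for the chosen attributes; lists are sorted so that the
// order in which fonts are enumerated does not change the key.
function fingerprintKey(visitor, attrs) {
  return JSON.stringify(attrs.map((a) => {
    const v = visitor[a];
    return Array.isArray(v) ? [...v].sort() : v;
  }));
}

// For each visitor: how many visitors share the same key (the anonymity set)
// and the identifying information in bits, log2(population / setSize).
function anonymitySets(population, attrs) {
  const counts = new Map();
  for (const v of population) {
    const k = fingerprintKey(v, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return population.map((v) => {
    const setSize = counts.get(fingerprintKey(v, attrs));
    return { id: v.id, setSize, bits: Math.log2(population.length / setSize) };
  });
}

// Share of the population that is alone in its anonymity set.
function uniqueFraction(population, attrs) {
  const alone = anonymitySets(population, attrs).filter((s) => s.setSize === 1);
  return alone.length / population.length;
}

// Each added attribute splits the groups further.
const steps = [["screen"], ["screen", "flash"], ["screen", "flash", "fonts"],
  ["screen", "flash", "fonts", "dnt"]];
for (const attrs of steps) {
  console.log(attrs.join("+"), uniqueFraction(visitors, attrs).toFixed(2));
}
```

In this constructed sample the Do Not Track value is treated as one more readable property, so the one visitor who sends it becomes distinguishable from an otherwise identical visitor who does not.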

The rise of device fingerprinting, also known as browser fingerprinting, falls under the category of “supercookie” technologies that avoid the traditional restrictions on tracking cookies, according to Information Week. Even anonymous Web-browsing tools such as Tor have vulnerabilities that allowed device fingerprinting to track users according to font lists. (The upcoming 2.4 version of Tor has been updated to fix that vulnerability after the KU Leuven/NYU team passed along a warning.)

Luckily, anybody who wants to scrutinize their favorite websites for such digital fingerprinting technologies can soon do so with the FPDetective tool used by the researchers. The team plans to make the tool available for free at http://homes.esat.kuleuven.be/~gacar/fpdetective/, and will present its findings at the 20th ACM Conference on Computer and Communications Security this November in Berlin.
