Browser fingerprints, and why they are so hard to erase

17.02.2015
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Web advertisers and many others have long appreciated the volumes of information they can collect on us based only on our web browsing patterns. The data can be quite telling, revealing our locations, incomes, family status, interests and many other facts that advertisers can use to target us.

Understandably, most of us would prefer that "big brother"-like advertising networks not watch over our shoulders while we go about regular activities such as researching products and exploring purchase options, and especially not while we investigate medical or other highly sensitive topics.

With this in mind, it only makes sense to spend a little extra time to remain anonymous while browsing. In addition to tracking, identification can result in sites blocking access to pertinent data, showing higher prices, or in the worst-case scenario intentionally directing you to inaccurate or misleading information capable of completely derailing your efforts.

As such, most users concerned with their Internet privacy commonly delete browser cookies. However, as tracking technologies continue to evolve, the practice of deleting cookies has become much less effective at shielding a user who is trying to avoid detection. This has understandably led to users embracing a host of other solutions including "Incognito" or "Private Browsing" modes to automatically stop cookies and using VPNs or other IP masking tactics.

Most of these attempts at anonymity fail to fully shield a user for one reason: the growing power of the frustratingly sticky browser fingerprint.

What's in a Fingerprint

Browser fingerprinting is an increasingly common yet rarely discussed technique of identifying an individual user by the unique patterns of information visible whenever a computer visits a website. The information collected is quite comprehensive and often includes the browser type and version, operating system and version, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations. These identifiers may seem generic and not at all personally identifying, yet typically only one in several million people has exactly the same specifications as you.

A quick look here (https://panopticlick.eff.org) provides a glimpse of the type of information any website can see about you, and also shines a light on the uniqueness of your individual configuration.

The browser fingerprint technique took another big step in 2012 with the release of the Mowery and Shacham paper, which focused primarily on the effectiveness of the canvas fingerprint. To create a canvas fingerprint, a site gives the browser a somewhat complex image to render and captures the actual pixel values produced, which are then hashed down to make the fingerprint. The study determined that "fingerprints are inherent when the browser is -- for performance and consistency -- tied closely to operating system functionality and system hardware." The authors also outlined the possibility of distinguishing between systems with seemingly identical fingerprints by rendering scenes that stress the underlying hardware.

The end result is the ability to track users even if they are deleting all their cookies and hiding their IP addresses with tools. While fingerprints are not identifying in the same way as an IP address, they do enable user recognition whenever revisiting a website. Even when deleting cookies, the browser fingerprint allows organizations to re-identify and re-cookie your system, essentially rejecting your efforts to remain private.

Growing pattern

A joint research project conducted by Princeton University in the US and the University of Leuven in Belgium, which analyzed the tracking techniques of 100,000 websites, showed that over 5% use canvas fingerprinting to identify visitors.

In a University of California report presented at the 2013 IEEE Symposium on Security and Privacy, "Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting," the authors found that fingerprinting is already part of some of the most popular sites on the Internet, meaning hundreds of thousands of their visitors are fingerprinted on a daily basis.

According to the UC study, Skype.com surfaces as the most popular website utilizing fingerprinting, while the most popular categories of websites were pornography and dating sites. Specifically, for pornographic sites, the authors see a reasonable explanation being that fingerprinting is used to detect shared or stolen credentials of paying members, whereas for dating sites it ensures that attackers do not create multiple profiles for social-engineering purposes.

Circumventing the Fingerprint

Since the fingerprint is derived from a host of system-based characteristics, circumvention is far more complex than the historical process of deleting cookies. While it's possible to make system changes by hand, doing so after each browsing session could prove laborious and annoying at best.

Specifically, the manual process of protecting against the fingerprint involves changing monitors or screen resolutions; installing or uninstalling fonts, extensions and plugins; as well as switching between different browsers and browser versions.

However, even after exerting all the effort to make changes, it's hard to know if you have done enough or have done it right without a detailed analysis.

A better approach is to make your browser fingerprint as common and generic as possible. You can do that by running the browser inside a clean and un-customized virtual machine. It's only in this kind of environment that it's feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques.

The virtual machine solution works because an out-of-the-box installation is very standard. There will be many people with brand new computers who would have very similar or identical configurations. The more people who do this, the less identifying it becomes. It also ensures complete elimination of any other tracking tools like cookies, other than the user's IP address, which still requires a VPN for protection.
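
The following added example (not from the article or any product it mentions) illustrates two points made above: a fingerprint hashed from system attributes is unchanged when cookies are deleted or the IP address is masked, and a clean VM configuration is less identifying because it shares its fingerprint with many other visitors. All configurations, names and the 1024-visitor population are constructed, and a SHA-256 hash over an attribute list stands in for real collection such as canvas rendering.

```javascript
// Added example: every configuration below is constructed for illustration.
const { createHash } = require("crypto");

// Attributes the article lists as visible to any site a browser visits.
const FIELDS = ["userAgent", "os", "screen", "timezone", "language", "fonts", "plugins"];

// Reduce a configuration to a stable hash. Cookies and IP address are not
// inputs, so clearing one or masking the other leaves the value unchanged.
function fingerprint(cfg) {
  const canonical = FIELDS.map((f) => {
    const v = cfg[f];
    return f + "=" + (Array.isArray(v) ? [...v].sort().join(",") : String(v));
  }).join("|");
  return createHash("sha256").update(canonical).digest("hex");
}

// Anonymity-set size and surprisal (bits) of one configuration in a population.
function identifiability(cfg, population) {
  const fp = fingerprint(cfg);
  const same = population.filter((p) => fingerprint(p) === fp).length;
  return { anonymitySet: same, bits: Math.log2(population.length / same) };
}

// Hypothetical out-of-the-box VM image and a hand-customized desktop.
const cleanVm = { userAgent: "ExampleBrowser/1.0", os: "ExampleOS 1", screen: "1024x768",
  timezone: "UTC", language: "en-US", fonts: ["Arial", "Times"], plugins: [] };
const customized = { ...cleanVm, screen: "2560x1440", timezone: "Europe/Berlin",
  fonts: ["Times", "Fira Code", "Arial"], plugins: ["PDF Viewer"] };

// Constructed population of 1024 visitors: 256 clean VMs, 767 machines that
// each carry one unique extra font, and the customized desktop.
function buildPopulation() {
  const pop = [];
  for (let i = 0; i < 256; i++) pop.push({ ...cleanVm });
  for (let i = 0; i < 767; i++) pop.push({ ...cleanVm, fonts: ["Arial", "Times", "Font" + i] });
  pop.push(customized);
  return pop;
}

// Same machine, two visits: cookie deleted and IP changed between them.
function sameAfterCookieAndIpChange() {
  const first = { ...customized, cookie: "id=abc123", ip: "203.0.113.5" };
  const second = { ...customized, cookie: null, ip: "198.51.100.7" };
  return fingerprint(first) === fingerprint(second);
}

const population = buildPopulation();
console.log("unchanged after cookie/IP change:", sameAfterCookieAndIpChange());
console.log("customized desktop:", identifiability(customized, population));
console.log("clean VM:", identifiability(cleanVm, population));
```

The surprisal figure is the number of bits of identifying information the configuration reveals within this population; the smaller anonymity set of the customized desktop is what makes re-identification possible.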

Smart phones and tablets also provide some protection against browser fingerprinting because they have very limited support for plugins or customization. This is particularly true in iOS where fingerprints are much less varied and so are less identifying.

Security expert Lance Cottrell founded Anonymizer in 1995, which was later acquired by Ntrepid. Anonymizer's technologies form the core of Ntrepid's Internet misattribution and security products. More information can be found at www.ntrepidcorp.com.

(www.networkworld.com)

By Lance Cottrell, chief scientist, Ntrepid
