How 'device fingerprinting' tracks you without your consent
BY BEN RICHMOND
The more closely you examine online privacy, the more it becomes clear that you can’t get online without giving something away.
A study out this week from KU Leuven-iMinds researchers confirms this reality: Tracking users without their knowledge or consent via hidden scripts that uncover the users’ “device fingerprint,” they found, is much more widespread than previously thought.
Web applications need information on the device where they’re being employed so they can present the content correctly—the right dimensions, with compatible media, in a font that you have, and on and on.
“Web-based device fingerprinting” is the process of collecting enough of that information through the browser to perform stateless, which is to say cookie-free, device identification that is, for practical purposes, unique. With the right information, these fingerprints can be collected by private companies, who then store them and use them to track the device across the Web.
In 2010, the Electronic Frontier Foundation’s Peter Eckersley demonstrated that “benign characteristics of a browser’s environment” that it transmits upon a website’s request—stuff like the browser’s version, its screen dimensions, list of plugins and list of installed fonts—are enough to create a unique device-specific fingerprint. Among the half-million users with Java or Flash who visited panopticlick.eff.org, 94.2 percent could be identified and tracked without the need for browser or Flash cookies.
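To see why individually "benign" attributes add up to an identifier, here is an added illustration (not code from the article or from the researchers it cites) that measures how identifying each attribute is on its own and in combination. The eight visitor records and all function names are constructed for the example.

```javascript
// Constructed sample of eight visitors (not real data). Each record holds the
// attributes the article lists: browser version, screen size, plugins, fonts.
const visitors = [
  ["Firefox 24", "1920x1080", "Flash,Java", "Arial,Calibri"],
  ["Firefox 24", "1920x1080", "Flash", "Arial,Helvetica"],
  ["Firefox 24", "1366x768", "Flash,Java", "Arial,Helvetica"],
  ["Firefox 24", "1366x768", "Flash", "Arial,Calibri"],
  ["Chrome 30", "1920x1080", "Flash,Java", "Arial,Helvetica"],
  ["Chrome 30", "1920x1080", "Flash", "Arial,Calibri"],
  ["Chrome 30", "1366x768", "Flash,Java", "Arial,Calibri"],
  ["Chrome 30", "1366x768", "Flash", "Arial,Helvetica"],
].map(([browser, screen, plugins, fonts]) => ({ browser, screen, plugins, fonts }));

// Count how many visitors share each combination of the chosen attributes.
function groupCounts(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const key = JSON.stringify(attrs.map((a) => r[a]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits: how much the chosen attributes narrow down a visitor.
function entropyBits(records, attrs) {
  let bits = 0;
  for (const n of groupCounts(records, attrs).values()) {
    const p = n / records.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Fraction of visitors whose combination is shared with nobody else in the
// sample, i.e. who could be recognised again without any cookie.
function uniqueFraction(records, attrs) {
  let unique = 0;
  for (const n of groupCounts(records, attrs).values()) if (n === 1) unique += 1;
  return unique / records.length;
}

// One row per single attribute, then one row for all attributes combined.
function report(records) {
  const all = Object.keys(records[0]);
  return [...all.map((a) => [a]), all].map((attrs) => ({
    attributes: attrs.join("+"),
    bits: entropyBits(records, attrs),
    unique: uniqueFraction(records, attrs),
  }));
}

console.table(report(visitors));
```

In this sample no single attribute singles anyone out, yet the combination separates every visitor, which is the effect a privacy-minded browser counters by making these values look the same across many users.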