How ‘device fingerprinting’ tracks you without your consent

BY BEN RICHMOND

The more closely you examine online privacy, the more it becomes clear that you can’t get online without giving something away.

Even if there are measures you can take, like enabling “Do Not Track” on your browser or switching to Tor, and even with legal protections in place, like those restricting cookies, loading a webpage requires a give-and-take, and what your browser gives away through Javascript or Flash could be enough for you to be identified and tracked.

A study out this week from KU Leuven-iMinds researchers confirms this reality: Tracking users without their knowledge or consent via hidden scripts that uncover the users’ “device fingerprint,” they found, is much more widespread than previously thought.

Web applications need information on the device where they’re being employed so they can present the content correctly—the right dimensions, with compatible media, in a font that you have, and on and on. 

“Web-based device fingerprinting” is the process of collecting enough of that information through the browser to perform stateless, which is to say cookie-free, device identification that is, for practical purposes, unique. With the right information, these fingerprints can be collected by private companies who then store and use it to track the device across the Web.

In 2010, Electronic Free Foundation’s Peter Eckersley demonstrated that “benign characteristics of a browser’s environment” that it transmits upon a website’s request—stuff like the browser’s version, its screen dimensions, list of plugins and list of installed fonts—is enough to create a unique device-specific fingerprint. Among the half-million users with Java or Flash who visited panopticlick.eff.org, 94.2 percent of them could be identified and tracked without the need for browser or Flash cookies. 

Read the full story on Motherboard. Photo via CJ Isherwood/Flickr