Detecting browser fingerprinting

Hello all.

This may be of interest, particularly with respect to our work on developing privacy guidance regarding browser fingerprinting:

http://www.kuleuven.be/english/news/several-top-websites-use-device-fingerprinting-to-secretly-track-users

"A new study by KU Leuven-iMinds researchers has uncovered that 145 of the Internet’s 10,000 top websites track users without their knowledge or consent. The websites use hidden scripts to extract a device fingerprint from users’ browsers. Device fingerprinting circumvents legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header. The findings suggest that secret tracking is more widespread than previously thought.

….

The researchers identified a total of 16 new providers of device fingerprinting, only one of which had been identified in prior research. In another surprising finding, the researchers found that users are tracked by these device fingerprinting technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.

The researchers also evaluated Tor Browser and Firegloves, two privacy-enhancing tools offering fingerprinting resistance. New vulnerabilities – some of which give access to users’ identity – were identified.

Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets.

To detect websites using device fingerprinting technologies, the researchers developed a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts. This tool will be freely available at http://homes.esat.kuleuven.be/~gacar/fpdetective/ for other researchers to use and build upon.

The findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin."

Received on Sunday, 13 October 2013 21:45:17 UTC