Fingerprinting, when it comes to the web, refers to the ability to recognize an otherwise anonymous user based on those facets of a visit that are not under the user’s control. NewScientist (4 June 2016) reports on a reverse fingerprinting effort by scientists at Princeton – that is, recognizing the fingerprinting techniques used by the million busiest web sites based on the web site’s behavior:
Studying a million websites is hard. To do it, Arvind Narayanan – who heads the Web Transparency and Accountability Project at Princeton University – built a tool called OpenWPM with graduate student Steven Englehardt. OpenWPM can visit and log in to websites automatically, taking more than a dozen measurements of each one. It took two weeks to crawl through the top million websites, as ranked by web traffic firm Alexa.
Narayanan and Englehardt discovered that many trackers are sharing the information they gather with at least one other party, sometimes dozens of times. The audit also revealed several previously unknown “fingerprinting” techniques that sites are using. Here, the website asks the browser to perform a task that is hidden from the user. The site then fingerprints individual machines based on slight differences in their performance. Trackers used to do this by watching how the browser draws a graphic; now, they check what fonts are installed or how the browser processes audio. A couple of trackers even gathered the device’s battery level.
I’m disturbed that browsers permit access to those resources, even only in a monitoring mode. And, really, the battery level? How does that even apply? The scientists comment:
“You often don’t know how much tracking is going on, who’s doing the tracking, or what data they’re collecting about you and what that will be used for,” [Narayanan] says. “There needs to be external oversight, somebody holding companies’ feet to the fire.”
Overall, they discovered more than 81,000 third-party trackers. News websites had the most, on average. Adult websites and those owned by government agencies and universities tended to have the fewest.
It would be interesting to have a pop up window which would tell you which fingerprinting technique is being used by the website. I doubt it could tell you what the data would be used for, though.
