The new tech makes it possible to establish a unique online fingerprint based not on browser features but on features of a user’s operating system and computer hardware, according to a new study by researchers at Lehigh University and Washington University. The cross-browser fingerprinting technique identifies users with an accuracy of 99.24 percent, compared to AmIUnique’s “state-of-the-art” accuracy of 90.84 percent across a single browser, according to the researchers.
While acknowledging the fingerprinting method could be used for undesirable purposes that violate online privacy, the researchers said the technique could also help service providers authenticate users for improved security.
Tracking Tech Evolving Fast
In their paper, researchers Yinzhi Cao and Song Li of Lehigh University and Erik Wijmans of Washington University in St. Louis described their cross-browser fingerprinting technique as the first to use “many novel OS and hardware features, especially computer graphics ones” to establish identities and track individual online users. They provided both a working demo and open source code online.
“Web tracking is a debatable technique used to remember and recognize past website visitors,” the researchers noted. “On the one hand, web tracking can authenticate users — and particularly a combination of different web tracking techniques can be used for multifactor authentication to strengthen security. On the other hand, web tracking can also be used to deliver personalized service — if the service is undesirable, e.g., some unwanted, targeted ads, such tracking is a violation of privacy.”
Whether people like it or not, Web tracking technology is widely used and evolving quickly, the researchers added, noting that “more than 90 [percent] of Alexa Top 500 Web sites adopt web tracking.”
Possible Defenses: Tor, Virtualization
Cao, Li and Wijmans said their tracking technique outperforms the only other cross-browser fingerprinting technique, which uses IP (Internet Protocol) addresses to track user activity. That technique doesn’t work when IP addresses are dynamically allocated — as when users browse via mobile networks — or changed by switching from home networks to office networks, they said.
By contrast, the new cross-browser tracking technique might even work with some installations of the Tor browser, which normally prevents browser fingerprinting, according to the researchers. They said their technique could probably be blocked by using the Tor browser with its default settings intact or by using machine virtualization, although the latter technique has the disadvantage of being “heavyweight.”
For many online users, Web tracking is a daily issue. The most common sign of being tracked online is when users see ads on different Web sites for products or services they searched for earlier on different sites.
Privacy-focused organizations have developed a number of tools to help users minimize the impact of such tracking. The Electronic Frontier Foundation, for example, offers a tracking tester called Panopticlick that lets users analyze and tweak their browsers and add-ons to maximize privacy protections.
Cao, Li and Wijmans plan to present their research at the Network and Distributed System Security Symposium scheduled for Feb. 26 through March 1 in San Diego.
Image credit: iStock/Artist’s concept.