We are regularly told to block or ‘clear our cookies’, or use a private browsing mode, if we don’t want to be tracked as we visit websites. Website operators and marketing, advertising, and other tracking companies, however, have developed other ways of tracking us, called ‘fingerprinting’, which work even if you clear or block your cookies. How prevalent is this kind of cookieless tracking? How accurate is it? And what are the implications for our ability to control our personal information and protect our privacy interests?
Overview
Devices that you carry with you, and the web browsers that you use, can be ‘fingerprinted’ to record information that is unique to you. Fingerprinting entails an organization analyzing your browser or device to determine its unique characteristics, such as:
- the plugins that are installed in your web browser (e.g., those for ad blocking or for posting to social media);
- the fonts that are installed on a device;
- the Internet Protocol (IP) address of a device, often even when a Virtual Private Network (VPN) is used (due to a protocol found in many web browsers that allows you to communicate in real-time over peer-to-peer connections);
- the technical information concerning your web browser (e.g., renderer, version, and operating system);
- the device’s system files to reveal unique identifying information (e.g., hard disk identifier, device name);
- the ‘Flash cookies’ that are installed on the device; and
- the differences in how text and interactive 2D and 3D graphics are rendered.
By fingerprinting a device, an organization can identify you, correlate your browsing activities within and across browsing sessions, and track you in ways you cannot control. Using a VPN or other privacy-protective service, such as one that blocks ‘normal’ HTTP cookies, is insufficient to prevent device or browser fingerprinting.
Passive Fingerprinting
When you browse websites, the server running these websites can examine characteristics of your web browser without ever making a request to your browser. In addition to collecting information about the cookies which are automatically transmitted to the server when pages from the site are requested, information about your browser, its version, and the operating system you’re using can be captured. Sometimes this browser information, combined with your IP address, can uniquely identify the device. This kind of tracking is particularly hard to detect because all of the activities take place on the server without sending any extra commands or instructions to your web browser. This kind of fingerprinting can also be used to create statistical connections between devices. Such cross-device connections are sometimes referred to as ‘probabilistic matching’.
Active Fingerprinting
Websites can also run extra code in your browser to purposely track you. This might involve querying such characteristics as the fonts installed on your computer, the serial numbers for hard drives, the plugins that are installed in your browser, screen resolutions, or user language—combined, these characteristics may uniquely identify your computer. A particular type of active fingerprinting is called ‘canvas fingerprinting’. This technique involves ‘drawing’ a hidden line of text or graphic that captures variations in graphic processing on a device, which is converted into a digital token that uniquely identifies your device. These tokens can be shared with third-parties to track your activities across a range of websites that you visit.
Active fingerprinting can sometimes be detected because it involves running code on your computer. However, detecting active fingerprinting requires the ability to analyze the data transmitted from websites and whether it contains Flash or JavaScript code.
Cookie-Like Fingerprinting
While you can use your browser to delete ‘normal’ HTTP cookies, other forms of information can be harder to control. For example, Flash cookies can be left on your computer browser when a website embeds videos, music, games, or other Flash components. Flash cookies are designed so that different browsers on your device can access the commonly-stored Flash cookies. The result is that even if you use different browsers for different tasks (e.g., one browser for shopping and another for research and another for social media), a tracking company can correlate your activity across browsing sessions. Because these cookies are not removed when you clear your cookie cache from your web browser(s), clear your browsing history, or choose a ‘private browsing’ mode, they are more resilient for tracking your behaviour than HTTP cookies. Furthermore, Flash cookies sometimes include the same information as HTTP cookies so that if you re-visit a website after you’ve deleted the site’s HTTP cookies, they can be re-created with the original tracking information in the deleted HTTP cookies.
It’s possible to similarly re-identify your device using so-called ‘super cookies’ that use storage locations in your web browser to save information about you. In other cases, third-parties can use the web storage feature of HTML 5 to locally store information. In both cases the information may be retained until you deliberately clear the specific cache locations in your browser, which are often separate from the history and cookie caches located in your web browser. Where these kinds of cookies are assigned by advertising networks, this behaviour can enable relatively persistent tracking of your activities across the Web, contrary to the OPC’s position paper on Online Behavioural Advertising (OBA).
Prevalence and Accuracy
Researchers have found that cookieless tracking is becoming more prevalent. A 2014 study found that 5.5% of websites used canvas fingerprinting, which was up from 1.5% when measured one year earlier. Some of the companies that use canvas fingerprinting techniques may not be recognized as advertising companies, and include companies that help share content on social media, run online dating services, and provide Voice over IP calls. Separately, an American NGO, Access Now, found that approximately 15% of the people that used the organization’s super-cookie detection tool had one or more of these cookies installed.
It’s been found that cookieless tracking is accurate because of the relative uniqueness of our browsers, their configurations, and our computer systems. The Electronic Frontier Foundation’s ‘Panopticlick’ project found that 94.2% of browsers with Flash or Java were unique for the 286,777 visitors to their research website. Further, the EFF found that, while browser fingerprints might change slightly over time, relatively simple heuristics let them correlate ‘old’ and ‘new’ fingerprints with 99.1% accuracy.
Privacy Impacts and Technical Limitations
Device fingerprinting is used by websites, website analytics companies and advertising agencies to persistently track you even when you delete or block HTTP cookies. The fingerprinting methods are very difficult to detect and control, and researchers have found that websites often fail to disclose or explain their fingerprinting practices in their privacy policies. Moreover, many of the companies that perform the fingerprinting are working for the websites that you visit, so even if you ask an organization if fingerprinting is used on their site, they may not know the answer.
Fingerprinting is an area where technical tracking technologies are currently outpacing the ability to have individual controls. It can be challenging to prevent the different kinds of fingerprinting that take place. Passive fingerprinting can be ‘spoofed’ by changing some of the variables that are monitored, but changing many of the characteristics are beyond most people’s technical capabilities. Active fingerprinting and cookie-like fingerprinting alike can by reduced by preventing websites from running Flash or JavaScript code, but this often breaks websites or leads to poor browsing experiences. Short of an outright ban, fingerprinting may be difficult to curb, but internet users should at least be made aware of the risks.