Internet Device Fingerprinting On The Rise
October 11, 2013

As Cookies Decline, Device ‘Fingerprinting’ Becomes Increasingly Common

Enid Burns for - Your Universe Online

While tracking cookies attract attention on the Internet, device 'fingerprinting' slips under the radar: at least 145 of the Web's 10,000 top websites have been found to use it to track users. The findings are part of a study conducted by KU Leuven-iMinds researchers.

Fingerprinting is a tactic some websites use to identify devices. "The websites use hidden scripts to extract a device fingerprint from users' browsers. Device fingerprinting circumvents legal restrictions imposed on the use of cookies and ignores the Do Not Track HTTP header," a statement from the report reads.

Websites use fingerprinting to identify users on multiple devices, including PCs, smartphones and tablets. Known as device fingerprinting or browser fingerprinting, the technique is used to track users' online activities. Fingerprinting is done by looking at properties such as the screen size, the versions of installed software and plugins, and the list of installed fonts. Typically, fingerprinting is carried out through Flash or JavaScript.

The factors used to identify a device create a unique pattern or 'fingerprint.' "A 2010 study by the Electronic Frontier Foundation (EFF) showed that, for the vast majority of browsers, the combination of these properties is unique, and thus functions as a 'fingerprint' that can be used to track users without relying on cookies," the report said.

While device fingerprinting has been known to exist, the KU Leuven-iMinds research is the first comprehensive look at device fingerprinting on the Internet that attempts to quantify just how many sites use the technique to identify and track users.

The study finds that device fingerprinting is more widespread than previously thought: 404 of the top 1 million sites use JavaScript-based fingerprinting, which allows sites to track non-Flash mobile phones and devices. "The fingerprinting scripts were found to be probing a long list of fonts - sometimes up to 500 - by measuring the width and the height of secretly-printed strings on the page," the report said.
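The font-probing pattern the report describes leaves a recognizable trail in a browser instrumentation trace: a script changes an element's font family, reads its width and height, and repeats for many fonts. The following is an added example, not code from the study or this article, that flags such scripts; the event format, the script URLs and the threshold of 30 fonts are assumptions made for illustration.

```javascript
// Added example: flag scripts whose DOM activity matches font probing.
// Event format, script URLs and the threshold are assumptions for illustration.
const MEASURE_PROPS = new Set(["offsetWidth", "offsetHeight"]);

// Returns a Map: script URL -> number of distinct font families that were
// applied to an element and then measured before the next font change.
function countProbedFonts(events) {
  const pending = new Map(); // script -> font most recently applied
  const probed = new Map();  // script -> Set of fonts applied and then measured
  for (const ev of events) {
    if (ev.op === "setFont") {
      pending.set(ev.script, ev.font.trim().toLowerCase());
    } else if (ev.op === "read" && MEASURE_PROPS.has(ev.prop)) {
      const font = pending.get(ev.script);
      if (font === undefined) continue; // ordinary layout read, no font change
      if (!probed.has(ev.script)) probed.set(ev.script, new Set());
      probed.get(ev.script).add(font);
    }
  }
  return new Map([...probed].map(([script, fonts]) => [script, fonts.size]));
}

// Scripts that measured at least `threshold` distinct fonts are reported.
function detectFontProbing(events, threshold = 30) {
  return [...countProbedFonts(events)]
    .filter(([, n]) => n >= threshold)
    .map(([script, n]) => ({ script, fontsProbed: n }))
    .sort((a, b) => b.fontsProbed - a.fontsProbed);
}

// Constructed trace: one widget cycles through 120 fonts, measuring each;
// a site script sets two fonts and reads layout once.
function buildSampleTrace() {
  const events = [];
  const widget = "https://tracker.example/widget.js";
  for (let i = 0; i < 120; i++) {
    events.push({ script: widget, op: "setFont", font: `Font ${i}` });
    events.push({ script: widget, op: "read", prop: "offsetWidth" });
    events.push({ script: widget, op: "read", prop: "offsetHeight" });
  }
  const site = "https://shop.example/app.js";
  events.push({ script: site, op: "setFont", font: "Arial" });
  events.push({ script: site, op: "setFont", font: "Georgia" });
  events.push({ script: site, op: "read", prop: "offsetWidth" });
  events.push({ script: site, op: "read", prop: "clientTop" });
  return events;
}

console.log(detectFontProbing(buildSampleTrace()));
```

Counting distinct fonts rather than raw reads keeps ordinary layout code, which measures the same element many times, below the threshold.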

Service providers that aid in device fingerprinting are numerous. The report identified 16, only one of which was identified prior to the research.

The issue with device fingerprinting is that it is not regulated, and is done even when a user explicitly requests not to be tracked by enabling the Do Not Track (DNT) HTTP header. It was used early on to identify mobile users, where cookies were not available to track users. There are also a few instances where device fingerprinting is used legitimately, such as when banks or service providers verify a device for authentication. In those cases, the organization using device fingerprinting only uses those tools for identification when a user is accessing a secure website, and not to track user activity elsewhere online.

"Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets," the report said.