October 11, 2013
As Cookies Decline, Device ‘Fingerprinting’ Becomes Increasingly Common
Enid Burns for redOrbit.com - Your Universe Online
The factors used to identify a device create a unique pattern or 'fingerprint.' "A 2010 study by the Electronic Frontier Foundation (EFF) showed that, for the vast majority of browsers, the combination of these properties is unique, and thus functions as a 'fingerprint' that can be used to track users without relying on cookies," the report said.
While device fingerprinting has been known to exist, the KU Leuven-iMinds research is the first comprehensive look at device fingerprinting on the Internet that attempts to quantify just how many sites use the technique to identify and track users.
Service providers that aid in device fingerprinting are numerous. The report identified 16, only one of which was identified prior to research.
The issue with device fingerprinting is that it is not regulated, and is done even when a user explicitly requests not to be tracked by enabling the Do Not Track (DNT) HTTP header. It was used early on to identify mobile users, where cookies were not available to track users. There are also a few instances where device fingerprinting is used legitimately, such as when banks or service providers verify a device for authentication. In those cases, the organization using device fingerprinting only uses those tools for identification when a user is accessing a secure website, and not to track user activity elsewhere online.
"Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and web widgets," the report said.