Tracking Users Across the Internet

It seems that privacy is a sought-after commodity out there on the Internet these days. The stakes are high: being able to accurately track users across the web can provide higher revenue from targeted advertising, but at the same time such information could equally well be used for identity theft and other nefarious activities. The problem is that much of this is happening without users' knowledge.

The inspiration for looking at this problem came from Steve Gibson's Security Now! podcast episode 264 which in turn was based on the EFF's Panopticlick experiment.

Browser HTTP Cookies

Whilst some of the mechanisms in the list above use the built-in functionality of some browsers, others use external plugins like Adobe's Flash and Microsoft's Silverlight (soon to be supported in evercookie). Most of these mechanisms are difficult for the average user to disable or manage.

System Profiling

The Panopticlick study mentioned above did much to show that browsers have traits distinctive enough to allow users to be tracked. The following is a summary of some of the methods used for fingerprinting:

The mechanisms used to detect information about a system will vary depending on availability. JavaScript and Flash are available on most systems, whilst Silverlight is estimated to be on 60% of devices connected to the Internet.
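To make the point about distinctive traits concrete, here is an added example (not code from this article or from Panopticlick) that measures how identifying a combination of attributes is across a constructed population of eight visitors. The attribute names, the sample values and the function names are assumptions made for the illustration.

```javascript
// Constructed sample population (not real data): attributes a page can read
// from each visitor's browser without storing anything on the machine.
const visitors = [
  { userAgent: "UA-A", timezone: "UTC+0", screen: "1920x1080", plugins: "flash" },
  { userAgent: "UA-A", timezone: "UTC+0", screen: "1920x1080", plugins: "flash" },
  { userAgent: "UA-A", timezone: "UTC+0", screen: "1280x800", plugins: "flash" },
  { userAgent: "UA-A", timezone: "UTC+1", screen: "1920x1080", plugins: "flash,silverlight" },
  { userAgent: "UA-B", timezone: "UTC+0", screen: "1920x1080", plugins: "flash" },
  { userAgent: "UA-B", timezone: "UTC+1", screen: "1280x800", plugins: "flash,silverlight" },
  { userAgent: "UA-B", timezone: "UTC+1", screen: "1920x1080", plugins: "none" },
  { userAgent: "UA-B", timezone: "UTC+0", screen: "1280x800", plugins: "flash,silverlight" },
];
const ALL_KEYS = ["userAgent", "timezone", "screen", "plugins"];

// Count how many visitors share each combined value of the chosen attributes.
function anonymitySets(records, keys) {
  const sets = new Map();
  for (const r of records) {
    const fp = keys.map((k) => r[k]).join("|");
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the fingerprint built from the chosen attributes.
function entropyBits(records, keys) {
  let h = 0;
  for (const count of anonymitySets(records, keys).values()) {
    const p = count / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of visitors whose fingerprint nobody else in the sample shares.
function uniqueFraction(records, keys) {
  const counts = [...anonymitySets(records, keys).values()];
  return counts.filter((c) => c === 1).length / records.length;
}

// Identifying information one visitor reveals: -log2(share of the population).
function surprisalBits(records, keys, record) {
  const fp = keys.map((k) => record[k]).join("|");
  return -Math.log2(anonymitySets(records, keys).get(fp) / records.length);
}

for (const keys of [["userAgent"], ["userAgent", "timezone"], ALL_KEYS]) {
  console.log(keys.join("+"), entropyBits(visitors, keys).toFixed(2), uniqueFraction(visitors, keys));
}
```

No single attribute singles anyone out in this sample, but combining all four makes six of the eight visitors unique, which is why blocking or clearing stored identifiers alone does not prevent recognition.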

Implications for Privacy

As discussed at the start of this article, the primary beneficiaries of user tracking would be advertisers that can sell more targeted advertising. An example is this CNET article which explores how Tacoda Systems, by providing advertisers with user tracking information, has impacted users' privacy. To see how this can all go wrong we only have to look back at the AOL Data Search Scandal, where anonymised data was cross-referenced to identify real users.

Legal protection for users still seems fairly limited. The EU is developing legislation which would allow an opt-out for users having information stored on their computer. This would not tackle fingerprinting of the user's machine or sharing of that data. The US meanwhile is pushing through an Internet Privacy Bill which would limit the sharing of user information between different parties. Such information includes personal information as well as IP addresses, but nothing about system profile data.

So in the end it is up to the individual to protect his/her own privacy until browsers and legal protection catch up.
