Tracking Users Across the Internet
It seems that privacy is a sought after commodity out there on the Internet these days. The stakes are high as being able to accurately track users across the web can provide higher revenue from targeted advertising but at the same time such information could equally well be used for identity theft and other nefarious activities. The problem is that much of this is happening without users knowledge.
The inspiration for looking at this problem came from Steve Gibson's Security Now! podcast episode 264 which in turn was based on the EFF's Panopticlick experiment.
Browser HTTP Cookies
- Local Shared Objects (Adobe Flash Cookies),
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out,
- Storing cookies in and reading out HTTP Etags,
- Internet Explorer userData storage,
- HTML 5 Session Storage,
- HTML 5 Local Storage,
- Firefox 2 Global Storage,
- HTML 5 Web Database
Whilst some of the mechanisms in the list above uses the built in functionality of some browsers others use will use external plugins like Adobe's Flash and Microsoft's Silverlight (soon to be supported in evercookie). Most of these mechanisms are difficult to disable or manage by the average user.
The Panopticlick study mentioned above did much to show that browsers do have significant differential traits to allow for the tracking of users. The following is a summary of some of the methods used for fingerprinting:
- A User Agent string is sent as part of every request by the web browser. Information on the locale, browser version and OS are normally sent. Often plugins also advertise themselves in the User Agent string, for example the .Net CLR version. The information sent in the header and indeed the order it is sent are used in fingerprinting,
- If the user's browser supports Java Applets it is possible to get specific information on the JVM version, the system OS and architecture,
Implications for Privacy
As discussed at the start of this article, the primary beneficiaries of user tracking would be advertisers that can sell more targeted advertising. An example is this CNET article which explores how Tacoda Systems, by providing advertisers with user tracking information, has impacted users privacy. To see how this can all go wrong we only have to look back at the AOL Data Search Scandal where anonymised data was cross-referenced to identify real users.
Legal protection for users still seems fairly limited. The EU is developing legislation which would allow an opt-out for users having information stored on their computer. This would not tackle fingerprinting of the users machine or sharing of that data. The US meanwhile is pushing through an Internet Privacy Bill which would limit the sharing of user information between different parties. Such information includes personal information as well as IP addresses but nothing about system profile data.
So in the end it is up to the individual to protect his/her own privacy until browsers and legal protection catch up.