Report: You can be Tracked Online, even without IP or Cookies

Dennis Faas's picture

Researchers have found a way to track web users even if they switch web browsers. It could improve security but also weaken online privacy.

The researchers at Lehigh University in Pennsylvania were trying to find ways of improving fingerprinting. That's a way to attempt to identify an individual user (or at least their computer) without relying on single identifiers such as login details, browser cookies, or an IP address.

Instead, fingerprinting involves taking multiple pieces of information provided by a user's browser such as the browser name, it's version, whether they have an ad blocker running, what time zone they are on, and which plugins or extensions they have selected. While any one of these pieces of information will be the same among potentially tens of millions of users, with enough pieces of information, the specific combination will be rare if not unique.

Font Selection Among Identifying Factors

At the moment such fingerprinting is based entirely around browser data, meaning that if users switch to a different browser, they can no longer be tracked. That could make it possible to, for example, use one browser for everyday user and one for more sensitive or personal online activity.

The Lehigh research extends the idea to cover 36 pieces of information about the individual computer that are detectable by the browser but aren't dependent on the browser itself. These include everything from the specific type of processor in the computer to the selection of fonts the user has installed. (Source: fossbytes.com)

According to the researchers, when running tests on 1,903 computers over the course of three months, they had a 99.2 percent accuracy rate in identifying a particular computer. (Source: arstechnica.com)

Technique Morally Neutral

The researchers say that the technique is not inherently good or bad, but rather that it's down to how people choose to use it. For example, they note that online banks might use it to detect when somebody logs on to an account from a machine they don't normally use. That could help catch hackers even if they breach someone's home WiFi and thus have the 'normal' IP address.

On the other hand, the cross-browser fingerprinting could be used by websites to deliver personalized advertising, even when the user had deliberate changed browsers to try to avoid tracking.

What's Your Opinion?

Are you worried by the idea of cross-browser fingerprinting? Was it right of the researchers to carry out this work and publish the results? Could the technique by adopted for more positive purposes?

Rate this article: 
Average: 5 (7 votes)

Comments

Dennis Faas's picture

I guarantee this will be used for online advertising. The technology will likely be licensed (or copied), then sold for hundreds of thousands of dollars so that places like Google and friends can track your every move, then use it to sell the data they've compiled about you to third parties for the sole purpose of advertising. And yes, it would be nice if the same technology would be used for online banking to thwart hacking attempts, etc.

Kalisun's picture

I figured something like this would "eventually" become reality. The days of being anonymous is dwindling away. There's so many ways now of being tracked it's not even funny. A 99 percent hit rate is pretty dam good, as time goes on it will only get better and being able to track those who are really, truely "bad" people over the internet is good, BUT the possibility of this getting in the wrong hands and/or being used for the "wrong" purposes should also be of great concerns.

ecash's picture

"but rather that it's down to how people choose to use it."

by what I read, they ARNT telling us much about how/what is being sampled or tested..

IMHO..
Many programs have added parts that will GIVE identifying data to anyone that knows HOW to ask. It may not be your NAME and address, but it give out so much DATA, that you could ID the computer IF' you could get your hands on it..
Long ago, I suggested that Music and Pictures could have DATA installed in them to CALL HOME..well, its now true. but MOST of this is because of the programs that READ/PLAY them..
Win media player, and Adobe are on the TOP of the list..
Windows has a License, for internet sites that COSTS $99 per year. It wasnt hard for hackers to get it..It allowed Sites to gain Data from anyone using Win IE on the site. Then many Other browsers used the SAME reg/license..

Its just getting worse.
I dont know if Linux could SOLVE the piracy problem, but at least you would have a chance.. The only PROBLEM, is/are sites that will NOT give access unless you ALLOW them to read your data..(yes there are a few)

With all I have said, I find it interesting that Major sites get hacked, when you can sned a ?? to the persons Browser and KNOW so much about them, the ISP, and other info..UNLESS they are using Other OS's.. or Programs to HIDE their info..

sirpaultoo's picture

I really don't have anything to hide, but plenty of data to protect.
I just installed a new browser on Monday, visited 22 various sites on it, and earlier tonight received a notification that one of my anti-tracking add-ons has blocked 1000 tracking attempts.
Tracking methods have gotten to the point where users who value their privacy will need to change their configurations/settings on weekly/monthly basis just to stay ahead of advertisers.
The losers in all this are both the content creators, and the content consumers.

ecash's picture

Look up something on most sites that use Google tracking, and you goto Face book and they have ADVERTS for the products you looked at.
Iv been to sites that if you didnt ALLOW google ad service, you couldnt get on..

Let me say it this way...
ANDROID PHONE(never tried the others) the Programs DONT TURN OFF..
it Auto UPDATES..
It has GPS..
It can track you with the CELL system..(it tells you that..)
Windows10...
ADOBE??
Media player?
Win10 the xbox, win phone, Win anything is trying to all work about the same..
I can see you NOW, go shopping on the desktop, and adverts POP UP on xbox and your phone...
Waiting for AVON to knock on your door and ask if yo were shopping for makeup..
Get MAIL from companies that want to make a PARTY and sell ADULT TOYS..

REALLY this has been going on for YEARS and years...Advert corps would gather NEWS/magazine subscriptions and Correlate. Addresses with what people wanted..
THEN they added your NAME, and every time you MOVE...they find you..send you MORE mail..
And you dont think the Gov. ever figured this out??

THE ONLY safe system was created by Ben Franklin..the US MAIL..there are NO laws to protect you in ANY OTHER service...your PHONE USED to have protections..but most people use CELL PHONES..NOT PROTECTED..

dan400man's picture

"According to the researchers, when running tests on 1,903 computers over the course of three months, they had a 99.2 percent accuracy rate in identifying a particular computer."

Someone with better math and stats cred than me can confirm or deny, but I'm pretty sure you won't hit 99.2% when the pool of computers is in hundreds of millions. With that volume, I'm thinking it will be less than 1%. Basically useless.