Firefox to Fight 'Fingerprinting' Tracking

John Lister's picture

Mozilla is to block "fingerprinting" tracking in the Firefox browser. It's an alternative tracking technique to cookies and doesn't require any consent from users.

Most people know about cookies, which involves sites putting a small file on a computer to either identify a user for future visits or track their online activity. In most cases cookies both legally and practically need consent from the user before they can be issued.

Fingerprinting is a more creative technique that doesn't require consent and has proven harder to block. It's all based around the fact that a website is able to access a lot of detail about a computer so that it can correctly format a website to display as intended.

Some of these details are obvious such as the operating system and edition, the browser edition and the screen resolution. But there's all manner of details including the user's timezone, the installed fonts and the browser extensions.

Little Details Add Up

Taken on their own, each of these doesn't identify an individual: indeed most people use the same browser edition or have the same screen resolution as millions of other people. However, the combination of all these factors can be enough to identify a specific computer. (Source: techradar.com)

That means a web tracking company that has access to multiple sites can quickly spot a particular user and collate their activity. That gives much more insight into the user's tastes and interests, in turn producing far more attractive data for advertisers.

Mozilla's approach is designed to balance the benefits of sites being able to access information about a computer and the risks of fingerprinting. It's switching off some information and making other details less precise with the aim of making it harder to piece together the details.

For example, it will stop Firefox telling sites how much battery is left on a device, something Mozilla feels doesn't serve any useful purpose.

Gamers Could Be Affected

It will stop reporting the precise size of the browser window and instead report the width to the nearest 200 pixels and the height to the nearest 100 pixels. The idea is to drastically reduce the number of different reported combinations while still being close enough that pages adjust to fill the window cleanly.

The new set-up has already been in testing and users can manually switch it on in the Firefox settings menu. In a coming update it will be switched on by default, with users able to turn it off if they like. (Source: sophos.com)

Mozilla believes that for most people the trade-off will work well, but there will be some cases where it does more harm than good. For example, for most users the reporting of the mouse cursor only has to be precise enough for general navigation. However, some online games need the browser to report the mouse cursor position to the most precise detail possible.

What's Your Opinion?

Were you aware of the fingerprinting technique? Is Mozilla's approach a smart way to tackle it? Would you want more detailed options over what the browser reports rather than just switching the feature on or off?

Rate this article: 
Average: 4.4 (8 votes)

Comments

beach.boui's picture

I've known of this tracking method for years now and applaud Mozilla's decision to start limiting the information collected for fingerprinting. I use an anti-fingerprinting add-on with Firefox that blocks several apis used for fingerprinting. Readers can read about Canvas Blocker here: https://github.com/kkapsner/CanvasBlocker/

Beach

DavidInMississippi's picture

I may be one of the few who believe this, but I don't think tracking for marketing purposes is such a bad idea. First, we have to realize that advertising serves two purposes we all need: (1) Supporting websites like this one that bring us things we want, articles, videos, freebie software, etc.; and (2) Informing us of neato new stuff we never would have learned about otherwise. Second, it is not only a waste of money for advertisers to pay money to show you ads in which you have no hint of interest, but it will also irritate you the consumer. For example, as a senior adult male, I would be very happy to see ads for new computer gadgets, bargain travel destinations, or new sheet music releases for my concert band. On the other hand, it would be a total waste to show me ads for sewing machines, medical gadgets, diapers, or tampons.

With these considerations in mind, can someone explain to me why topic-targeted marketing is such a bad idea? Is it hypersensitivity to privacy considerations?

On the other hand, I DO object to big tech using their power to try to influence my views by slanting their results, permissions, and presentations to show only one side of an issue and suppress others, as was made evident by the papers recently released by Google whistleblower Zach Vorhies, who has been called the Edward Snowden of big tech. I strongly believe in every person's freedom to make up their own minds, but to do that properly, we must have ALL the information, not just one side of it.

Bottom line here, tracking for targeted marketing is, I feel, not so bad. Slanting what's presented as "neutral" to try to sway me to a viewpoint IS bad.

David's picture

All tracking is bad.

I'm ok with a website logging my IP address and serving up generic ads based on my location and the content of the page I am viewing, but when they get to analyzing me to the Nth degree in the mistaken belief that ANY of their ads are of particular interest, that's when I get pissed. If you don't have a FaceBook provile they still have one on you. Flipboard wants to narrow my content down to what they think interests me, trying to push me further and further into an echo chamber they think I want to be in.

rohnski's picture

While fingerprinting a user / computer by a single company in itself is not so bad. You get "customized" advertising / spam.

The problem comes when companies intentionally "share" / sell their user information collection, or worse yet they get hacked. The information in a single company database is relatively innocuous, but by linking info from 2 or 3 databases you can uniquely identify individuals by name and or address. Depending on the specific pieces of information it can take as little as 6 or 7 pieces of information to uniquely identify you.

Here are a couple of articles about "de-annonimizing" information. All together scary!

http://www.theregister.co.uk/2014/09/22/your_location_info_is_too_revealing_data_boffins/

Simple Demographics Often Identify People Uniquely
Latanya Sweeney, Carnegie Mellon University
https://privacytools.seas.harvard.edu/publications/simple-demographics-often-identify-people-uniquely
surprising results using only three fields of information, even though typical
data releases contain many more fields. It was found that 87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}. About half of the U.S. population (132 million of 248 million or 53%) are likely to be uniquely identified by only {place, gender, date of birth}, where place is basically the city, town, or municipality in which the person resides. And even at the county level, {county, gender, date of birth} are likely to uniquely identify 18% of the U.S. population. In general, few characteristics are needed to uniquely identify a person.

A Little Digging Unmasks DNA Donor Names
http://online.wsj.com/article/SB10001424127887323783704578247842499724794.html
Experts Identify People by Matching Y-Chromosome Markers to Genealogy Sites, Obits; Researchers' Privacy Promises 'Empty'

Robust De-anonymization of Large Sparse Datasets
http://www.cs.utexas.edu/~shmat/shmat_oak08netflix.pdf/
We apply our de-anonymization methodology to the
Netflix Prize dataset, which contains anonymous movie
ratings of 500,000 subscribers of Netflix, the world’s
largest online movie rental service. We demonstrate
that an adversary who knows only a little bit about
an individual subscriber can easily identify this sub-
scriber’s record in the dataset. Using the Internet
Movie Database as the source of background knowl-
edge, we successfully identified the Netflix records of
known users, uncovering their apparent political pref-
erences and other potentially sensitive information.

Why 'Anonymous' Data Sometimes Isn't

http://www.wired.com/politics/security/commentary/securitymatters/2007/12/securitymatters_1213

Last year, Netflix published 10 million movie rankings by 500,000 customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using. The data was anonymized by removing personal details and replacing names with random numbers, to protect the privacy of the recommenders.

Third party trackers on web shops can identify users behind Bitcoin transactions
August 21, 2017
https://www.helpnetsecurity.com/2017/08/21/identify-users-behind-bitcoin-transactions/

Campaigners reveal government's secret spying regime
by: Jane McCallion 21 Apr 2016
https://www.itpro.co.uk/government-it-strategy/26403/campaigners-reveal-governments-secret-spying-regime
Security services MI5, MI6 and GCHQ have used Section 94 of the Telecommunications Act 1984 to justify gathering hundreds of millions of records on British citizens and other UK residents for the last 15 years, Privacy International found.

Spy agency analysts can then link together these records using filters such as telephone numbers or other values