Privacy and Device Fingerprinting

18 October 2013

While reading DevOps news to keep Morpht in line with current best practices, I stumbled upon a paper called "FPDetective: Dusting the Web for Fingerprinters", covering a study performed by KU Leuven researchers in Belgium. The team put together a web crawler called FPDetective and crawled the million most popular websites on the Internet to detect fingerprinting.

Device fingerprinting is a technique that uses characteristics of the browser environment, such as installed fonts, installed plugins and screen resolution, to generate a unique device-specific fingerprint.

Visit the Panopticlick research project of the Electronic Frontier Foundation to find out how unique your browser configuration is.
My browser fingerprint was unique among the 3.5 million users who have visited the Panopticlick website before me!

The Panopticlick project was covered in a paper called "How Unique Is Your Web Browser?" by Peter Eckersley in 2010. One of the findings was that 94.2% of browsers with Flash or Java were unique in their sample!
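How attributes like the ones listed above combine into a fingerprint, and how its uniqueness can be measured over a population, shown as an added example that is not code from this post, from Panopticlick or from FPDetective. The visitor records, the attribute names and every function name are constructed for illustration.

```javascript
// Constructed sample: eight visitors, described by the attributes named above.
const SAMPLE_VISITORS = [
  { screen: "1920x1080", fonts: ["Arial", "Helvetica"], plugins: ["Flash"] },
  { screen: "1920x1080", fonts: ["Arial", "Helvetica"], plugins: ["Flash"] },
  { screen: "1920x1080", fonts: ["Arial", "Courier"], plugins: ["Flash"] },
  { screen: "1366x768", fonts: ["Arial", "Helvetica"], plugins: ["Flash", "Java"] },
  { screen: "1366x768", fonts: ["Arial", "Courier"], plugins: ["Java"] },
  { screen: "1366x768", fonts: ["Arial", "Helvetica"], plugins: ["Flash"] },
  { screen: "1920x1080", fonts: ["Arial", "Courier"], plugins: ["Flash", "Java"] },
  { screen: "1366x768", fonts: ["Helvetica", "Arial"], plugins: ["Java"] },
];
const ALL_ATTRIBUTES = ["screen", "fonts", "plugins"];

// Canonical fingerprint over the chosen attributes. Lists are sorted so the
// order in which a browser reports fonts or plugins does not change the result.
function fingerprint(visitor, attributes) {
  return attributes.map((name) => {
    const value = visitor[name];
    return name + "=" + (Array.isArray(value) ? [...value].sort().join(",") : value);
  }).join("|");
}

// Anonymity sets: how many visitors share each fingerprint.
function anonymitySets(visitors, attributes) {
  const sets = new Map();
  for (const visitor of visitors) {
    const key = fingerprint(visitor, attributes);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Fraction of visitors whose fingerprint nobody else in the sample shares.
function uniqueFraction(visitors, attributes) {
  if (visitors.length === 0) return 0;
  const counts = [...anonymitySets(visitors, attributes).values()];
  return counts.filter((count) => count === 1).length / visitors.length;
}

// Identifying information in bits: log2(sample size / anonymity set size).
function surprisalBits(visitors, visitor, attributes) {
  const count = anonymitySets(visitors, attributes).get(fingerprint(visitor, attributes));
  if (!count) throw new Error("visitor is not part of the sample");
  return Math.log2(visitors.length / count);
}

for (const attrs of [["screen"], ["fonts"], ["plugins"], ALL_ATTRIBUTES]) {
  console.log(attrs.join("+"), "unique:", uniqueFraction(SAMPLE_VISITORS, attrs));
}
```

On this sample no single attribute makes anyone unique, while the three together single out six of the eight visitors.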

Device fingerprinting is increasingly used by advertising and anti-fraud companies. Basically, they don't need to use cookies anymore: they can recognise us using our device fingerprint! Even worse, this works in Private Browsing / Incognito mode too.

While the Panopticlick project focuses on your browser uniqueness, the current FPDetective project (which will be presented at the 20th ACM Conference on Computer and Communications Security that takes place in Berlin in November 2013) wants to know how many websites out there already use device fingerprinting.

One of the most interesting conclusions I found in the FPDetective paper says that Flash-based fingerprinting was present on the homepages of 145 out of the top 10,000 sites. That is 1.5% of the top 10,000 websites tracking you!

As all of this raises serious privacy concerns, I presented this topic as a lightning talk at the October Sydney Drupal meetup, to make my friends, colleagues and customers aware of this. You can download the talk slides from here.