You’re only paranoid if they’re really not out to get you. Fearing that your every move may be tracked seems like a healthy reaction to the way in which ad networks, savory and otherwise, seems to want to use every tool in their arsenal to pinpoint you. A few weeks ago, two Princeton researchers released a paper describing their use of a tool developed in house to perform a wide-scale examination of tracking behavior across the top 1 million most visited websites. The results won’t surprise you! (Sorry for the anti-clickbait.)
The paper is interesting reading if you want to know more about the way in which many tracking networks evade your stated preferences or implicit behavior to keep you in their affiliated sites’ sights. But the nasty part really starts on page 13, where they show how several techniques to “fingerprint” a browser are actively in use.
Fingerprinting relies on taking seemingly arbitrary information, such as a browser’s ability to render a drawing and which fonts are available to do so, as part of a constellation of browser information that can identify it uniquely within a certain degree of confidence—no matter how much effort you’ve put into your privacy.
This allows ad networks and websites to associate your ostensibly otherwise unidentified browsing session—whether in a browser’s private mode, using Ghostery and other tracking blockers, or passing through corporate firewalls that scrub and block details—with previously tracked instances of usage by that browser, or by you on other browsers on the same or other devices.
Last week, a researcher involved in examining the risk related to browsers having access to information about remaining battery life on the device on which they’re running called attention to the paper, as the Princeton paper confirmed the early work’s concern as valid: trackers were making use of that seemingly meaningless battery information.
Not long after the Princeton paper was released, the Mozilla Foundation, makers of the Firefox browsers, announced plans to clamp down on aspects of Flash used for tracking users that also happen to cause a substantial number of browser crashes.
Get the picture?
A Web browser has become a more complicate beast over time as the limits keep getting pushed for Web apps. Better Web apps require more complete APIs (application programming interfaces) that provide abstracted, consistent access to Web developers across browsers, operating systems, and hardware platforms to underlying hardware and rendering capabilities.
The W3C, the standards body that keeps the Web moving forward, has adopted dozens of new APIs that have been adopted piecemeal by different browser makers. With so many options being added so quickly, the privacy and security aspects of each haven’t been fully explored. In most cases, each browser implements a feature with unique programming code, making it hard to exploit a software bug. But fundamental issues are more subtle. (You can see a list of features and APIs and then click to see which browsers by version support which features at Can I Use.)
The Princeton researchers, Steven Englehardt and Arvind Narayanan, found several kinds of fingerprinting in use related to HTML5 and new (or newish) browser APIs by from a sliver to several percentage points of the million sites they tracked, with more fingerprinting used by scripts on the more popular sites. They called out six kinds:
Canvas. Two are related to the canvas tag, used in HTML5 to draw objects in a browser, a replacement for SVG and bitmap-rendered images. The particular options available in a given browser allow its capabilities to help fingerprint it. Since its exposure in 2014, it’s deployed less by heavily used tracking services, but is still found on more sites overall than two years ago. The paper’s authors also found a novel use of indirectly determining which fonts are available to the browser; that can vary a surprising amount among computers.
WebRTC. Did you know that JavaScript can be used by a website for peer-to-peer communication, including discovering all the local network addresses? A handful of sites (715 out of a million) use one of 57 different scripts that extracts local IP addresses. In this context, it’s not an attack, but the distinctness of each network’s set of local addresses helps identify the browser.
AudioContext. Another “did you know”: some browsers support audio synthesis, creating sounds via JavaScript commands, primarily for use in games. The AutoContext interface that’s part of the Web Audio API that’s part of this set of features can generate audio without playing it, and analyze the results. Audio hardware varies enough to assist in fingerprinting.
Battery Status API. The Battery Status API was created to let sites recognize if a device is running low on power, and potentially switch to a power-optimized version of a site, or to save changes in a Web app before a device sleeps or conks out. The precision with which battery status gets reported is so high, with many decimal points, that it can be used as yet another signal. This is used just by two scripts.
Taken together, fingerprinting can pierce the veil of any obfuscation you might use, tying together sessions on the same browser—and sometimes on the same computer, no matter the browser. If you normally use a VPN to avoid connecting out through the local network you’re on, or you use the Tor network for a measure of anonymity, some fingerprinting features could identify you with those remote sessions if you ever use the same browser or computer for local sessions.
Browser makers are stepping up
Unfortunately, none of these elements is easily controlled by a user. Browser makers who have adopted these features or plan to add them may need to add more granular controls, just like those used when a site wants your location. The Princeton paper’s authors tested Ghostery and EasyList/EasyPrivacy to see how they blocked these fingerprinting scripts. The results were poor; even for the better-established canvas techniques, the two systems blocked only use only on 80 to 90 percent of sites employing them in scripts.
Changes do get made, however. After Łukasz Olejnik and three co-writers showed the risk of the Battery Status API in 2015, Mozilla changed its practice in reporting remaining power to a rounded-off value. The W3C also updated its specification, strongly suggesting a less-precise reported value and a way to ask or alert users about revealing how much juice is left. (Test your browser via this page.)
The Battery Status API can be queried in Firefox, Opera, Chrome (mobile and desktop), and Android Browser, but not in Safari (nor Internet Explorer or Edge). Apple may have privacy concerns in mind as well, but it has little motivation to give non-native Web apps access to something that can improve how native apps perform. Apple does include Canvas and Web Audio support but, no surprise, doesn’t incorporate WebRTC for peer-to-peer communication.
Meanwhile, Mozilla also released its roadmap of reducing reliance on Flash in Firefox. While this is partly related to battery usage, performance, and reliability, the group now blocks invisible uses of Flash that either track a user or store an “evercookie,” an unkillable tracking code that some tracking scripts cache everywhere in a browser they can. Privacy modes in browsers can prevent this caching during a session, but evercookies remain hard to kill in regular use.
Now, none of us want every single Web feature to ask us for permission for every site. Given the complexity of what can be done on a regular website or in tailored Web app, we’d be bombarded with mostly unnecessary prompts. But it does seem like more attention needs to be paid to fingerprinting and tracking, given the continuous discovery of privacy leakage.
The Princeton Web Transparency Research group at least can provide an advance warning of new privacy-leaking techniques through its OpenWPM tool used to capture data for the paper. The tool is available for other researchers and companies to use, and the paper cited in this article notes five groups have published seven studies relying on it.