November 14, 2013
Top Websites Use Device Fingerprinting to Track Users
According to Ars Technica, the researchers did not provide an exhaustive list of the 404 or more websites that hosted tracking code. However, researcher Gunes Acar of KU Leuven University in Belgium named some of the websites that used device fingerprinting to track users, including orbitz.com, tmobile.co.uk, pokerstrategy.com, anonymizer.com, westernunion.com, and t-online. He stressed that his team may have missed some sites given the limitations of their scanning technology. The researchers also evaluated two privacy-enhancing tools that provide resistance against device fingerprinting: Tor Browser and Firegloves. They identified some vulnerabilities in these tools that give access to a user's identity.
The Firefox browser that ships with the Tor Browser Bundle attempted to prevent fingerprinting by placing a cap on the number of fonts a web page can request or load. The fingerprinting researchers were able to bypass this cap by using a web-programming tool called CSS font-face. This weakness was reported to the Tor developers and was later patched.
The revelations about the NSA’s surveillance program have been a wake-up call for many of us and have put security front and center in our minds. It is extremely difficult to avoid being tracked by device fingerprinting technology. According to Peter Eckersley, staff scientist at the Electronic Frontier Foundation, a privacy-advocacy group, “when it comes to device fingerprinting, we have no convenient options for privacy. All the things we can do are inconvenient to the point of being really impractical.” In a study this year, Mr. Eckersley found that about 91% of nearly 1 million computer users surveyed could be fingerprinted simply by visiting a website.
Fingerprints are tough to avoid but we can do a few things to maintain our privacy while surfing the Internet and protect ourselves from device fingerprinting:
- To detect websites using device fingerprinting technologies, the researchers developed a tool called FPDetective. The tool crawls and analyses websites for suspicious scripts. This tool will be freely available at http://homes.esat.kuleuven.be/~gacar/fpdetective/ for other researchers to use and build upon. The findings will be presented at the 20th ACM Conference on Computer and Communications Security this November in Berlin.
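One check a crawler of the kind described above could apply, as an added example that is not FPDetective's code and not from the original article: it reads a constructed log of instrumented browser events and flags scripts that set many fonts and measure the element after each one. The log format, the script URLs and both thresholds are assumptions.

```javascript
// Added example: event-log format, URLs and thresholds are hypothetical.
const GENERIC = new Set(["serif", "sans-serif", "monospace", "cursive", "fantasy"]);
const LAYOUT_PROPS = new Set(["offsetWidth", "offsetHeight"]);

// First non-generic family in a CSS font-family value, normalised.
function candidateFont(value) {
  for (const part of value.split(",")) {
    const name = part.trim().replace(/^['"]|['"]$/g, "").toLowerCase();
    if (name && !GENERIC.has(name)) return name;
  }
  return null;
}

// Flag scripts that set many distinct fonts AND measure the element after
// most of them (set-then-measure), rather than on font count alone.
function findFontProbers(events, minFonts = 30, minMeasuredShare = 0.8) {
  const byScript = new Map();
  for (const ev of events) {
    let s = byScript.get(ev.script);
    if (!s) byScript.set(ev.script, (s = { fonts: new Set(), measured: new Set(), pending: null }));
    if (ev.type === "set-font") {
      s.pending = candidateFont(ev.value);
      if (s.pending) s.fonts.add(s.pending);
    } else if (ev.type === "read" && LAYOUT_PROPS.has(ev.prop) && s.pending) {
      s.measured.add(s.pending);
    }
  }
  return [...byScript].map(([script, s]) => ({
    script, fonts: s.fonts.size,
    measuredShare: s.fonts.size ? s.measured.size / s.fonts.size : 0,
  })).filter((r) => r.fonts >= minFonts && r.measuredShare >= minMeasuredShare);
}

// Constructed sample log: three scripts observed during one page load.
function sampleLog() {
  const fp = "https://cdn.example/fp.js", app = "https://site.example/app.js";
  const log = [];
  for (let i = 0; i < 40; i++) { // fp.js: set a font, then measure, 40 times
    log.push({ script: fp, type: "set-font", value: `'Font ${i}', monospace` },
             { script: fp, type: "read", prop: "offsetWidth" });
  }
  for (let i = 0; i < 35; i++) { // picker.js: many fonts, never measured
    log.push({ script: "https://site.example/picker.js", type: "set-font", value: `"Face ${i}"` });
  }
  log.push({ script: app, type: "set-font", value: "Helvetica, sans-serif" },
           { script: app, type: "read", prop: "offsetHeight" });
  return log;
}

console.log(findFontProbers(sampleLog())); // only fp.js is reported
```

The font-picker script shows why font count alone is a poor signal: it touches 35 fonts but never reads a dimension, so it is not flagged.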
Protect your data with SpiderOak
Users sometimes find that selecting a truly protected third party cloud service can be a challenge as most “secure” services on the market have glaring security gaps that leave their sensitive data wide open to third party attacks, leaks, and hacking. One rapidly expanding cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides users with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users and small businesses of all sorts and sizes can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that files and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, users can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and syncing on the go.