Top sites (and maybe the NSA) track users with “device fingerprinting”

Discussion in 'privacy problems' started by lotuseclat79, Oct 11, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Top sites (and maybe the NSA) track users with “device fingerprinting”.

    FPDetective: Dusting the Web for Fingerprints (PDF: 346.6 KB).

    According to the PDF paper, there is a Firefox proof-of-concept add-on named Firegloves available to impede fingerprinting-based tracking while maintaining browsing experience.

    Cross-browser fingerprinting test 2.0.

    Firegloves.

    Preventing misuses and misapprehensions of FireGloves. (followup: FireGloves is no longer being developed according to developers, and caused Font size webpage corruption problems for me)

    -- Tom
     
    Last edited: Oct 14, 2013
  2. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    I'm wondering why their lawyers advised them not to disclose the sites using device fingerprinting.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Those sites will be likely to reconsider their relationship with the NSA after the public backlash.
     
  4. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,785
    Location:
    US
    Hmmm so how do we counter this? Run Windows XP in VM with Internet Explorer?
     
  5. Snoop3

    Snoop3 Registered Member

    Joined:
    Jan 2, 2011
    Posts:
    474
    Shouldn't be too difficult to design a batch file or script or small program that effectively gives you a randomized portable disposable browser. It should delete a random 5-10% of (lesser used) available fonts, select randomly from the thousands of user agents available, and also install some random 5 or so low impact or no impact extensions so that you'd have a different fingerprint each time. Then on exit it deletes the browser folder and the cookie and temp files it may have added to in the OS drive, or run it sandboxed. Also it should drop in a custom user.js file for the config settings, maybe the user chooses from 3 or so different ones depending on the level of privacy and security desired. Same thing with the extensions installed, just select from a local cache of the XPI files.

    I'm wondering why nobody has done this yet. Seems like it would be pretty easy to do for a programmer.
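
The disposable-profile idea in post #5, as an added example that is not part of the original thread and is not any poster's code: it builds a throwaway Firefox profile with a random user agent, one of three preference sets and a random pick of cached XPI files, then deletes the profile on exit. The user-agent pool, the `LEVELS` names and the function names are assumptions; font removal is left out, and whether copied XPIs are loaded depends on the Firefox version.

```python
import contextlib
import json
import random
import shutil
import tempfile
from pathlib import Path

# Constructed sample pool; a real one would hold far more user agents.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0",
]
# Hypothetical privacy levels (the names are assumptions); the prefs are standard Firefox prefs.
LEVELS = {
    "low": {"network.cookie.cookieBehavior": 1},
    "medium": {"network.cookie.cookieBehavior": 1,
               "privacy.sanitize.sanitizeOnShutdown": True},
    "high": {"network.cookie.cookieBehavior": 2,
             "privacy.sanitize.sanitizeOnShutdown": True,
             "browser.cache.disk.enable": False,
             "javascript.enabled": False},
}

def write_user_js(profile, prefs):
    # user.js takes one user_pref("name", value); per line; JSON literals are valid values.
    lines = [f"user_pref({json.dumps(k)}, {json.dumps(v)});"
             for k, v in sorted(prefs.items())]
    (profile / "user.js").write_text("\n".join(lines) + "\n")

@contextlib.contextmanager
def disposable_profile(level, xpi_cache, n_ext=5, rng=None):
    """Yield a fresh profile directory; remove it when the block exits."""
    rng = rng or random.Random()
    profile = Path(tempfile.mkdtemp(prefix="disposable-profile-"))
    try:
        prefs = dict(LEVELS[level])
        prefs["general.useragent.override"] = rng.choice(USER_AGENTS)
        write_user_js(profile, prefs)
        (profile / "extensions").mkdir()
        cached = sorted(Path(xpi_cache).glob("*.xpi"))
        for xpi in rng.sample(cached, min(n_ext, len(cached))):
            shutil.copy2(xpi, profile / "extensions" / xpi.name)
        yield profile
    finally:
        # Runs on normal exit and on errors, so no profile data outlives the session.
        shutil.rmtree(profile, ignore_errors=True)

def launch_command(profile, binary="firefox"):
    # -no-remote keeps the session separate from any Firefox already running.
    return [binary, "-no-remote", "-profile", str(profile)]
```

The browser would be started with `subprocess.run(launch_command(profile))` inside the `with` block. A changed user agent and extension set alters only some of the attributes a fingerprinting script can read.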
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Hey, I don't mind device fingerprinting, because any particular device only gets used for stuff that I don't mind associated.

    As long as they can't fingerprint VM hosts, I'm OK.

    For stuff that I really don't want linked, I do use different hosts.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting (paper)

     
    Last edited: Jan 15, 2014
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From 2nd link in first post:
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Tracking and Fingerprinting in E-Business: New Storageless Technologies... (paper)

    From the paper "Tracking and Fingerprinting in E-Business: New Storageless Technologies and Countermeasures" (found at http://gulyas.info/):
     
    Last edited: Jan 15, 2014
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "User Tracking on the Web via Cross-Browser Fingerprinting" (found at http://gulyas.info/):
     
  13. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,003
    Location:
    USA
    Secret Agent may be of some value as well. Works well most of the time, but you may run into a little trouble on some sites. Those sites can be whitelisted if desired.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Another fingerprint test site: hxxp://noc.to
     
  15. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    @MrBrian,

    Thanks for sharing this very informative site. I was comfortable with my current setup, but after checking this site out I feel even better. Took quite a bit of sabotage on my part to leak anything even remotely revealing about my system.
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). I got that link from http://en.wikipedia.org/wiki/Device_fingerprint.

    Be aware though that, according to one (or more) of the above papers, commercial solutions may use techniques that these test sites don't. From the 5th link in the 1st post (my bolding):
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Fast and Reliable Browser Identification with JavaScript Engine Fingerprinting" (direct link: hxxp://www.w2spconf.com/2013/papers/s2p1.pdf ):
     
    Last edited: Jan 16, 2014
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "XSS-FP: Browser Fingerprinting using HTML Parser Quirks" (direct link: hxxp://arxiv.org/pdf/1211.4812 ):
     
  19. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    The IP check is a free and easily understandable anonymity test. The test shows at a glance which attacks a website may launch on your privacy. Moreover, you get recommendations for possible countermeasures. It explains which data your own web browser sends to websites. A website may use this data to create an individual profile. By misusing such a profile, you may later get identified reliably on this or on another website.

    http://ip-check.info/description.php?lang=en
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Table 1 in the paper in post #7 shows features used by Panopticlick vs. those of three fingerprinting companies.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Searching for Indicators of Device Fingerprinting in the JavaScript Code of Popular Websites" (2013) (direct pdf hxxp://www.truststc.org/education/reu/13/Papers/RauschM_Paper.pdf ):
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From paper "Host Fingerprinting and Tracking on the Web: Privacy and Security Implications" (2012):
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From thesis "Browser Fingerprinting" (2012) (direct pdf hxxp://publications.lib.chalmers.se/records/fulltext/163728.pdf ):
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Fingerprinting, CDI & How to Deal With It

    I've come to the conclusion that fighting device fingerprinting is futile. I'm now in the same camp as the author of the above link and mirimir: things you don't want linked should be done in separate instances of operating systems, each with a different type of browser. Depending on how you do this, the different operating systems might or might not use the same IP address. So maybe you'd have the following:
    operating system #1: activities that involve your real name, or anything that might be linked to it already (email addresses, etc.)
    operating system #2: any "interesting" activities
    operating system #3: everything else
     
    Last edited: Jan 20, 2014
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Browser Fingerprinting: 9 Facts:
     