The illusion of privacy on the internet has once again been shattered, this time thanks to Yinzhi Cao, a computer science professor at Lehigh University in Pennsylvania. His software allows websites to identify you by reading characteristics of your computer, defeating what used to be a simple way to mislead trackers: switching browsers.
Previously, users could switch browsers to avoid tracking, but this new method identifies 99.24% of users across browsers — up from the 90.84% identified by AmIUnique, the single-browser technique.
Retail and banking sites use browser fingerprints to track people online and authenticate users for targeted advertising. The information exposed through the Flash plugin and JavaScript is enough for outside entities to establish a fingerprint for each user, which includes information about their browsers and screen settings. These details include the resolution of their screen and the font packages they’ve installed, and can distinguish them from other web users.
Cao writes in the full research brief, “On the one hand, web tracking can authenticate users — and, particularly, a combination of different web-tracking techniques can be used for multi-factor authentication to strengthen security. On the other hand, web tracking can also be used to deliver personalized service — if the service is undesirable — e.g., some unwanted, targeted ads — such tracking is a violation of privacy. No matter whether we like web tracking or whether it is used legitimately in the current web, more than 90% of Alexa Top 500 websites [39] adopt web tracking, and it has drawn much attention from the general public and media.”
He’s right — and using Cao’s new method, third parties can follow users from browser to browser because more information is revealed about their devices and operating systems. The technique was created by Cao and colleagues at both Lehigh and Washington University in St. Louis and began with an examination of existing single-browser technologies. By examining which features were reliable indicators of users and user activity, the team identified four that would work across browsers.
Flexibility was key. They discovered that screen resolution, which had previously been used, changed when users zoomed, so they scrapped it in favor of width-to-height ratio, which remains consistent as users zoom. By using four adapted features identified by AmIUnique and several new features that revealed more information, the team created a technique that identifies your fingerprint across browsers. In the end, Cao relies on 29 features (including the audio stack, graphics card, and CPU) to give users away.
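To see why the ratio survives zooming while the resolution does not, here is a small added example (not Cao's code). It assumes the browser reports screen size as physical pixels divided by the zoom factor; the zoom levels, the extra feature values, and the FNV-1a hash are constructed for illustration.

```javascript
// Constructed model (assumption): the browser reports screen size in CSS
// pixels, taken here as physical pixels divided by the zoom factor.
function reportedScreen(physW, physH, zoom) {
  return { width: Math.round(physW / zoom), height: Math.round(physH / zoom) };
}

// The feature that was scrapped: the raw resolution string.
function resolutionFeature(s) {
  return `${s.width}x${s.height}`;
}

// The replacement: width-to-height ratio, rounded to two decimals so the
// per-axis rounding at odd zoom levels does not change the value.
function ratioFeature(s) {
  return (s.width / s.height).toFixed(2);
}

// 32-bit FNV-1a over the joined feature values; a stand-in hash, not the
// one used in the research.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// How many different fingerprints does ONE device produce across zoom levels?
function distinctFingerprints(physW, physH, zooms, featureFn, otherFeatures) {
  const seen = new Set();
  for (const z of zooms) {
    const s = reportedScreen(physW, physH, z);
    seen.add(fnv1a([featureFn(s), ...otherFeatures].join("|")));
  }
  return seen.size;
}

const ZOOMS = [0.67, 0.9, 1, 1.1, 1.25, 1.5, 2];          // constructed sample
const OTHER = ["fonts:constructed-list", "cpu-cores:8"];  // constructed values

console.log("resolution-based:", distinctFingerprints(1920, 1080, ZOOMS, resolutionFeature, OTHER));
console.log("ratio-based:     ", distinctFingerprints(1920, 1080, ZOOMS, ratioFeature, OTHER));
```

A fingerprint built on the raw resolution splinters into a different value at each zoom level, while the ratio-based one stays the same, which is also why changing zoom alone does nothing to hide a device from this feature.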
Cao designed scripting languages that force a user’s system to do 36 things that result in third parties learning information about the system, and all in less than one minute. Using testers from Amazon Mechanical Turk and Microworkers, Cao tested a variety of browsers, including Google Chrome, Internet Explorer, Safari, Firefox, Microsoft Edge Browser, Opera, Maxthon, and Coconut. Then, he individually removed features to see if the same accuracy could be achieved with fewer than 29 features. It could not.
Cao’s method did not work on a browser called Tor, and he is dedicated to creating more workarounds for users who wish to opt out, so he’s published his code online for anyone to see. Next, he’s set to identify ways to beat his seemingly foolproof systems in the name of user privacy.
Sources: Yinzhicao.org, IEEE Spectrum, and Mashable