Advertising networks, Web analytics companies and just about anyone else who's interested can track your online activity thanks to the unique digital fingerprints your Web browser leaves at every site you visit.

The simplest way that an advertising network can track you is by putting a "third party" browser cookie on your computer when you visit a site to which it supplies advertisements. When you visit another site that uses the same advertising network, you can be identified by that cookie. As time goes on, the network builds up a picture of your browsing habits.

But your browser's cookie storage is not the only place that websites can place information to track you. Researcher Ashkan Soltani recently revealed how San Francisco, CA-based analytics firm KISSmetrics uses "supercookies" -- cookies that recreate themselves (or respawn) after they are deleted. This is done using information the company stores in a variety of places, such as the storage area on your hard drive used by Adobe Flash (effectively creating a Flash cookie), a local storage area used by HTML5 (creating an HTML5 cookie), and ETags in your browser cache -- pieces of data that a browser stores to help it work out if the contents of its cache are up to date. ETags were never designed to store cookie data.

KISSmetrics' system can track your Web usage even if you are using your browser in private mode, have set your browser not to accept cookies, delete your browser's cookies (because they respawn) and even if you use multiple browsers.

If you think things couldn't get any worse, think again. Researcher Samy Kamkar illustrates the point with Evercookie, a JavaScript API that produces "extremely persistent cookies in a browser" that would enable a tracking company to identify your browser by replicating standard cookie information in no fewer than 13 different places, including:

  • Standard HTML cookies
  • Flash cookies
  • ETags
  • Local storage used by Silverlight ("Silverlight cookies")
  • Cached images using steganography to store data in the bits that make up the image
  • A variety of HTML5 cookies
  • The browser history: visited links are shown in a different color from links that haven't been visited, and that color information is used to store cookie data

If you delete the information in any of these places Evercookie simply puts it back, using the information stored in any of the other places.

Wait, there's more ...

But it turns out "supercookies" or Evercookies are just the tip of the iceberg when it comes to getting a digital fingerprint from your browser when you visit a Web site. That's because just as a ballistics expert can match a bullet to a particular gun from the barrel marks left on the bullet casing, it's possible to identify you by the various bits of information that can leak from your computer whenever you visit a site.

For example, every time you visit a website your browser will supply the site with a piece of information called a user agent, which looks something like Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0, which, in this case, would tell the site that you are using Firefox version 6.0, on Windows 7, using version 6 of Microsoft's Common Runtime Language. About one in 8,000 visitors to the Web site might be expected to have that exact user agent string, so it's certainly not unique and couldn't be used to identify you by itself.

But that's not the only information that your browser leaks. It will also reveal the exact version and other details of every browser plug-in you have. There are so many possibilities here that only one in a million or so other browsers will have exactly the same plug-in fingerprint. There's also information about your screen resolution and color depth, your time zone, language information, the system fonts you have installed, and so on.

When all these are combined, it can result in a digital fingerprint that uniquely identifies you or, more accurately, your browser. The Electronic Frontier Foundation's Panopticlick project illustrates this: 85% of the almost two million Web users who visit the site have a unique digital fingerprint using just eight sources of information from visitors' browsers.
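The arithmetic behind that combination, as an added example (not code from the article or from Panopticlick): it measures attributes in bits of identifying information and counts how many visitors in a small constructed population end up unique once attributes are combined. The population, its labels and the function names are assumptions made for illustration, and adding bits assumes the attributes are independent.

```javascript
// Added example: the visitor population below is constructed, not real data.
// Bits of identifying information in a value shared by `fraction` of visitors.
function surprisalBits(fraction) {
  return -Math.log2(fraction);
}

// Count visitors per combined value of the chosen attributes.
function groupCounts(visitors, attrs) {
  const counts = new Map();
  for (const v of visitors) {
    const key = attrs.map((a) => v[a]).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Shannon entropy, in bits, of the chosen attributes over the population.
function entropyBits(visitors, attrs) {
  let h = 0;
  for (const n of groupCounts(visitors, attrs).values()) {
    const p = n / visitors.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of visitors whose combined value nobody else shares.
function uniqueFraction(visitors, attrs) {
  let unique = 0;
  for (const n of groupCounts(visitors, attrs).values()) if (n === 1) unique++;
  return unique / visitors.length;
}

// Constructed population: 64 varied browsers plus 16 on one stock configuration.
function buildVisitors() {
  const visitors = [];
  for (let i = 0; i < 64; i++) {
    visitors.push({ userAgent: "ua-" + (i % 4), timeZone: "tz-" + (Math.floor(i / 4) % 4), screen: "screen-" + Math.floor(i / 16) });
  }
  for (let i = 0; i < 16; i++) visitors.push({ userAgent: "ua-0", timeZone: "tz-0", screen: "screen-0" });
  return visitors;
}

const visitors = buildVisitors();
const all = ["userAgent", "timeZone", "screen"];
// The article's figures: 1 in 8,000 (user agent) and 1 in a million (plug-ins).
console.log(surprisalBits(1 / 8000) + surprisalBits(1 / 1e6), "bits vs", Math.log2(2e6), "to single out 1 of 2 million");
console.log("user agent alone:", entropyBits(visitors, ["userAgent"]), "bits,", uniqueFraction(visitors, ["userAgent"]), "unique");
console.log("all combined:", entropyBits(visitors, all), "bits,", uniqueFraction(visitors, all), "unique");
```

In this constructed population no visitor is unique on any single attribute, yet 63 of 80 are unique on the combination; the 17 that are not all share the stock configuration, which is why uniform browser configurations are harder to fingerprint.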

And, inevitably, there's more.

Companies such as ThreatMetrix and 41st Parameter claim to be able to get digital fingerprints from your computer using other information that they don't disclose. This may include measuring CPU characteristics, examining clock discrepancies, checking for the presence of certain pieces of malware and even analyzing the TCP/IP packets produced by a computer to identify it.