Advertising networks, Web analytics companies and just about anyone else who's interested can track your online activity thanks to the unique digital fingerprints your Web browser leaves at every site you visit.
The simplest way that an advertising network can track you is by putting a "third party" browser cookie on your computer when you visit a site to which it supplies advertisements. When you visit another site that uses the same advertising network you can be identified by that cookie. As time goes on, it will build up a picture of your browsing habits.
But your browser's cookie storage is not the only place that websites can place information to track you. Researcher Ashkan Soltani recently revealed how San Francisco, CA-based analytics firm KISSmetrics uses "supercookies" -- cookies that recreate themselves (or respawn) after they are deleted. This is done using information the company stores in a variety of places, such as the storage area on your hard drive used by Adobe Flash (effectively creating a Flash cookie), a local storage area used by HTML5 (creating an HTML5 cookie), and in ETags in your browser cache -- pieces of data that a browser stores to help it work out whether the contents of its cache are up to date. ETags were never designed to store cookie data.
KISSmetrics' system can track your Web usage even if you are using your browser in private mode, have set your browser not to accept cookies, delete your browser's cookies (because they respawn) and even if you use multiple browsers.
- Standard HTML cookies
- Flash cookies
- Local storage used by Silverlight ("Silverlight cookies")
- Cached images using steganography to store data in the bits that make up the image
- A variety of HTML5 cookies
- The browser history: visited links are shown in a different color from unvisited ones, and that color information is used to store cookie data
If you delete the information in any of these places Evercookie simply puts it back, using the information stored in any of the other places.
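Respawning leaves a signature a defender can look for: the same identifier sitting in several stores at once, and a deleted cookie coming back with an identical value. The following is an added example, not code from the article or from any of the products it names; the storage snapshots are constructed test data and the identifier pattern is an assumption about what tracking ids tend to look like.

```javascript
// Added example (not from the article): detect "supercookie" respawning by
// correlating identifiers across the storage locations the article lists.
// All snapshots below are constructed test data, not captured from a real site.

// Assumed shape of a tracking identifier: a long token of URL-safe characters.
const ID_PATTERN = /^[A-Za-z0-9_-]{16,}$/;

// Find identifier values that appear in more than one store (cookie, localStorage,
// ETag, Flash LSO, ...). One value in several places is the respawn mechanism.
function findCrossStoreIds(snapshot) {
  const seen = new Map(); // value -> list of store names
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!ID_PATTERN.test(value)) continue;
      if (!seen.has(value)) seen.set(value, []);
      seen.get(value).push(store);
    }
  }
  const hits = [];
  for (const [value, stores] of seen) {
    if (stores.length > 1) hits.push({ value, stores: [...new Set(stores)] });
  }
  return hits;
}

// Detect respawn: a cookie that was deleted between two snapshots and later
// reappears with exactly the same value was restored from another store.
function findRespawnedCookies(before, afterDelete, later) {
  const respawned = [];
  for (const [name, value] of Object.entries(before)) {
    if (!(name in afterDelete) && later[name] === value) respawned.push(name);
  }
  return respawned;
}

// Constructed sample: a tracker keeps its visitor id in three places at once.
const SAMPLE_SNAPSHOT = {
  cookies: { km_vid: "a3f9c2d1e8b74f60", session: "xyz" },
  localStorage: { km_vid: "a3f9c2d1e8b74f60", theme: "dark" },
  etags: { "/tracking.gif": "a3f9c2d1e8b74f60", "/logo.png": "W/\"5e1c\"" },
};
const BEFORE = { km_vid: "a3f9c2d1e8b74f60", session: "xyz" };
const AFTER_DELETE = {};                      // user cleared all cookies
const LATER = { km_vid: "a3f9c2d1e8b74f60" }; // came back on the next page load
```

In a real check the snapshots would be read from the browser's cookie jar, localStorage and cache index before and after clearing cookies; the logic is the same.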
Wait, there's more ...
But it turns out "supercookies" or Evercookies are just the tip of the iceberg when it comes to getting a digital fingerprint from your browser when you visit a Web site. That's because just as a ballistics expert can match a bullet to a particular gun from the barrel marks left on the bullet casing, it's possible to identify you by the various bits of information that can leak from your computer whenever you visit a site.
For example, every time you visit a website your browser will supply the site with a piece of information called the user agent, which looks something like Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0. In this case it would tell the site that you are using Firefox version 6.0 on Windows 7, using version 6 of Microsoft's Common Language Runtime. About one in 8,000 visitors to a Web site might be expected to have that exact user agent string, so it's certainly not unique and couldn't be used to identify you by itself.
But that's not the only information that your browser leaks. It will also reveal the exact version and other details of every browser plug-in you have. There are so many possibilities here that only one in a million or so other browsers will have exactly the same plug-in fingerprint. There's also information about your screen resolution and color depth, your time zone, language information, the system fonts you have installed, and so on.
When all these are combined, it can result in a digital fingerprint that uniquely identifies you or, more accurately, your browser. The Electronic Frontier Foundation's Panopticlick project illustrates this: 85% of the almost two million Web users who visit the site have a unique digital fingerprint using just eight sources of information from visitors' browsers.
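To make the "one in 8,000" and "85% unique" figures concrete, here is an added example (not code from the article or from the EFF project) that joins the attributes named above into a fingerprint, measures how many bits of identifying information each attribute contributes across a population, and reports what share of the population is unique. The attribute names and the sample visitors are constructed for the example.

```javascript
// Added example (not from the article or Panopticlick): combine the attributes a
// site can read into one fingerprint and measure their identifying power over a
// constructed sample population.

// FNV-1a 32-bit hash so the example has no dependencies; any stable hash works.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Assumed attribute names; a real collector reads them from navigator, screen, etc.
const ATTRS = ["userAgent", "plugins", "screen", "timezone", "language", "fonts"];

// Canonical join of the attributes, then hash: this is the "digital fingerprint".
// No single attribute is unique, but the combination often is.
function fingerprint(browser) {
  return fnv1a(ATTRS.map((a) => `${a}=${browser[a]}`).join("|"));
}

// Surprisal of one attribute value in bits: -log2(P(value)) over the population.
// A value shared by one in 8,000 visitors, like the article's user agent, is ~13 bits.
function surprisalBits(population, attr, value) {
  const matches = population.filter((b) => b[attr] === value).length;
  return -Math.log2(matches / population.length);
}

// Share of the population whose complete fingerprint occurs exactly once.
function uniqueFraction(population) {
  const counts = new Map();
  for (const b of population) {
    const fp = fingerprint(b);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let unique = 0;
  for (const b of population) if (counts.get(fingerprint(b)) === 1) unique++;
  return unique / population.length;
}

// Constructed population: all four share a user agent, so it identifies nobody;
// the first two are indistinguishable, the other two differ in plugins or screen.
const UA = "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0";
const POPULATION = [
  { userAgent: UA, plugins: "Flash 10.3", screen: "1920x1080x24", timezone: "-300", language: "en-US", fonts: "Arial,Calibri" },
  { userAgent: UA, plugins: "Flash 10.3", screen: "1920x1080x24", timezone: "-300", language: "en-US", fonts: "Arial,Calibri" },
  { userAgent: UA, plugins: "Flash 10.3;Java 6", screen: "1920x1080x24", timezone: "-300", language: "en-US", fonts: "Arial,Calibri" },
  { userAgent: UA, plugins: "Flash 10.3", screen: "1366x768x24", timezone: "0", language: "en-GB", fonts: "Arial,Ubuntu" },
];
```

Run against a real population, surprisalBits shows which attribute to stop exposing first, and uniqueFraction is the number the Panopticlick study reports.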
And, inevitably, there's more.
Companies such as ThreatMetrix and 41st Parameter claim to be able to get digital fingerprints from your computer using other information that they don't disclose. This may include measuring CPU characteristics, examining clock discrepancies, checking for the presence of certain pieces of malware and even analyzing the TCP/IP packets produced by a computer to identify it.
For the moment there is no obvious way to prevent companies using these sorts of technologies from collecting a fingerprint from your computer. So what can you do to protect your privacy from advertising networks and other organizations that may wish to track your activities on the Internet?
Do not track (DNT)
You can tell Web sites that you do not wish to be tracked by setting your browser to use the Do Not Track (DNT) header, which is communicated to every Web site you visit. You can set the Do Not Track header in the latest versions of Firefox, Internet Explorer and Safari, although Chrome does not support it at all.
Unfortunately, honoring your DNT preference is entirely voluntary, and many organizations choose to ignore it. (That shouldn't be surprising: supercookies have been expressly designed to ignore users' preferences by respawning cookies after they have been deliberately deleted.)
However, Elise Dietrich, a privacy and data security legal expert at Washington-based law firm Sullivan & Worcester, believes that honoring DNT could soon be made the law.
"There are some bills pending, although at the moment they are a little light on technical specifics," she said. "Ultimately, what will be important is whether consumers have to opt in or opt out of tracking, and under current U.S. law opt-out is the norm. But, either way, I definitely think we will see some legislation in the next year or two."
In the meantime, here are a few things you can do now to protect your privacy:
- Opt out - You can use the Network Advertising Initiative (NAI) online Opt-Out Tool to replace cookies placed by some advertising networks on your computer with an Opt-out cookie, which can prevent them from sending tailored advertisements to your browser, although they may still track you. Google offers a plug-in for Chrome called Keep My Opt-Outs that prevents your Opt-out cookies from being deleted when you delete all the other cookies in your browser.
- Disable third party cookies in your browser - This can be done with a few mouse clicks in most browsers. Disabling third party cookies will help to reduce the number of sites that track you using conventional browser cookies, but not ones that store cookie information in Flash local shared object storage.
- Disable Flash cookies - You can disable and delete them directly using Adobe's online control panel, or by right-clicking on Flash content displayed on a Web page, choosing Settings, and then selecting the options you want in the Storage tab. Internet Explorer 8 should delete them along with standard third party cookies -- if you have Flash version 10.3 or higher on your machine.
- Clear your browser cache - Although KISSmetrics has stopped using ETags to track website users, there's no guarantee that other companies won't adopt the technique. To defeat them, clear your browser cache after each Web site you visit.
Some useful privacy tools
- CCleaner (Windows) - registry cleaner tool which also removes Flash cookies.
- FlushApp (MacOS) - tool for reviewing and removing Flash cookies.
- BetterPrivacy (Firefox) - add-on offering selective Flash cookie blocking.
- TrackerBlock (Firefox) - add-on offering selective cookie blocking, control over Flash and HTML5 cookies, and the ability to prevent Opt-out cookies from being deleted.
- Ghostery (Firefox, Chrome, Safari, Opera and Internet Explorer) - browser tool that shows you which companies are tracking you on any given webpage, and also provides the option to remove Flash and Silverlight cookies when you exit your browser.
- Collusion (Firefox) - add-on that builds up a graph of all the organizations that track you, and how they are connected, while you browse.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.