Websites use hidden scripts to extract device fingerprints from users’ browsers without the users’ consent, a Belgian study has found.
The techniques in question frequently rely on rather controversial strategies, such as revealing a user's original IP address when the user visits a website through a third party.
The fingerprinting scripts were found to be probing a long list of fonts – sometimes up to 500 – by measuring the width and the height of secretly printed strings on the page.
The researchers identified a total of 16 new providers of device fingerprinting, only one of which had been identified in prior research.
It has been revealed that users are frequently tracked by these technologies even if they explicitly request not to be tracked by sending the Do Not Track (DNT) HTTP header.
To detect websites using device fingerprinting, the researchers developed a tool called FPDetective, capable of scanning websites for suspicious scripts.
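The font probing described above leaves a recognisable pattern: one script sets many different font families and reads an element's dimensions after each. The sketch below is an added example, not FPDetective's code or anything from the study; the event-log format, field names, URLs and the threshold of 30 fonts are all assumptions made for illustration.

```javascript
// Added example: flag scripts whose logged activity looks like font probing.
// Assumed (hypothetical) log format from an instrumented browser:
//   { script, op: "setFont", value: "<font-family list>" }
//   { script, op: "read", prop: "<DOM property read>" }
const DIMENSION_PROPS = new Set(["offsetWidth", "offsetHeight"]);

function detectFontProbing(events, minFonts = 30) {
  const perScript = new Map(); // script URL -> { pending, measured }
  for (const ev of events) {
    let st = perScript.get(ev.script);
    if (!st) {
      st = { pending: null, measured: new Set() };
      perScript.set(ev.script, st);
    }
    if (ev.op === "setFont") {
      // Normalise to the first family in the list, unquoted and lower-cased.
      st.pending = ev.value.split(",")[0].trim()
        .replace(/^["']|["']$/g, "").toLowerCase();
    } else if (ev.op === "read" && DIMENSION_PROPS.has(ev.prop) && st.pending) {
      // A font only counts once its rendered size has actually been read.
      st.measured.add(st.pending);
    }
  }
  const findings = [];
  for (const [script, st] of perScript) {
    if (st.measured.size >= minFonts) {
      findings.push({ script, fontsMeasured: st.measured.size });
    }
  }
  return findings.sort((a, b) => b.fontsMeasured - a.fontsMeasured);
}

// Constructed sample log: one probing script and one ordinary layout script.
function buildSampleLog() {
  const events = [];
  const probe = "https://tracker.example/fp.js";
  for (let i = 0; i < 120; i++) {
    events.push({ script: probe, op: "setFont", value: `"Font ${i}", monospace` });
    events.push({ script: probe, op: "read", prop: "offsetWidth" });
    events.push({ script: probe, op: "read", prop: "offsetHeight" });
  }
  const layout = "https://site.example/layout.js";
  for (const f of ["Arial", "Georgia", "Verdana"]) {
    events.push({ script: layout, op: "setFont", value: f });
  }
  events.push({ script: layout, op: "read", prop: "offsetWidth" });
  return events;
}

console.log(detectFontProbing(buildSampleLog()));
```

The threshold trades false positives against missed probes: ordinary layout code measures a handful of fonts, while the scripts in the study probed up to 500.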
Device fingerprinting, also known as browser fingerprinting, is the practice of collecting information from PCs, smartphones and tablets to identify and track users. Information gathered includes screen sizes, versions of installed software and plugins, and the list of installed fonts.
According to a 2010 finding by the Electronic Frontier Foundation, such a combination of data is unique for the vast majority of browsers, providing a ‘fingerprint’ that can be used to track individual users without relying on cookies.
Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and Web widgets.