Belgian researchers have created a tool to monitor secret device fingerprinting

Secret web-user tracking more widespread than expected

Websites use hidden scripts to extract device fingerprints from users’ browsers without the users’ consent, a Belgian study has found.

According to information obtained by researchers at the Catholic University Leuven, Belgium, hundreds of the Internet’s 10,000 top websites track users without permission, taking advantage of common software such as the Flash plugin for playing animation, video or sound files, or JavaScript, a common programming language for Web applications.

Using hidden scripts, the websites circumvent legal restrictions imposed on the use of cookies and ignore the Do Not Track HTTP header.

The techniques in question frequently use some rather controversial strategies such as revealing a user's original IP address when visiting a website through a third party.

The fingerprinting scripts were found to be probing a long list of fonts – sometimes up to 500 – by measuring the width and the height of secretly-printed strings on the page.

The researchers identified a total of 16 new providers of device fingerprinting, only one of which had been identified in prior research.

It has been revealed that users are frequently tracked by these technologies even if they explicitly request not to be tracked by enabling the Do Not Track (DNT) HTTP header.

To detect websites using device fingerprinting, the researchers developed a tool called FPDetective, capable of scanning websites for suspicious scripts.
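The font probing described above leaves a recognisable pattern: one script sets a font on an element, reads its dimensions, and repeats for dozens of fonts. The following added example (not FPDetective's code, and not from the study) flags that pattern in an instrumentation log. The event format, the script URLs and the threshold of 30 fonts are assumptions made for illustration.

```javascript
// Added example: heuristic over a constructed instrumentation log.
// Event shape and threshold are assumptions, not FPDetective's own format.
const DIM_PROPS = new Set(['offsetWidth', 'offsetHeight']);

// Count, per script, the distinct fonts that were set on an element and
// then measured on that same element before the next font change.
function countProbedFonts(events) {
  const pending = new Map(); // "script|element" -> font set, awaiting a measurement
  const probed = new Map();  // script -> Set of fonts that were set then measured
  for (const ev of events) {
    const key = `${ev.script}|${ev.element}`;
    if (ev.op === 'setFont') {
      pending.set(key, ev.font.toLowerCase());
    } else if (ev.op === 'read' && DIM_PROPS.has(ev.prop) && pending.has(key)) {
      if (!probed.has(ev.script)) probed.set(ev.script, new Set());
      probed.get(ev.script).add(pending.get(key));
    }
  }
  return probed;
}

// Return the scripts whose set-then-measure count reaches the threshold.
function flagFontProbing(events, minFonts = 30) {
  const flagged = [];
  for (const [script, fonts] of countProbedFonts(events)) {
    if (fonts.size >= minFonts) flagged.push({ script, fonts: fonts.size });
  }
  return flagged.sort((a, b) => b.fonts - a.fonts);
}

// Constructed sample log: one script probes 40 fonts on a hidden span,
// another changes fonts three times and measures once (ordinary layout code).
function sampleLog() {
  const fp = 'https://tracker.example/fp.js';
  const app = 'https://site.example/app.js';
  const log = [];
  for (let i = 0; i < 40; i++) {
    log.push({ script: fp, element: 'span#t', op: 'setFont', font: `Font${i}` });
    log.push({ script: fp, element: 'span#t', op: 'read', prop: 'offsetWidth' });
    log.push({ script: fp, element: 'span#t', op: 'read', prop: 'offsetHeight' });
  }
  for (const f of ['Arial', 'Georgia', 'Verdana']) {
    log.push({ script: app, element: 'div#main', op: 'setFont', font: f });
  }
  log.push({ script: app, element: 'div#main', op: 'read', prop: 'offsetWidth' });
  return log;
}

console.log(flagFontProbing(sampleLog()));
```

Counting only fonts that are both set and then measured keeps ordinary styling code, which changes fonts without reading dimensions after each change, below the threshold.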

Device fingerprinting, also known as browser fingerprinting, is the practice of collecting information from PCs, smartphones and tablets to identify and track users. Information gathered includes screen sizes, versions of installed software and plugins, and the list of installed fonts.

According to a 2010 finding by the Electronic Frontier Foundation, such a combination of data is unique for the vast majority of browsers, providing a ‘fingerprint’ that can be used to track individual users without relying on cookies.

Device fingerprinting can be used for various security-related tasks, including fraud detection, protection against account hijacking and anti-bot and anti-scraping services. But it is also being used for analytics and marketing purposes via fingerprinting scripts hidden in advertising banners and Web widgets.
