Browser Fingerprints: A Big Privacy Threat
Forget cookies--even the ultrasneaky, Flash-based "super cookies." A new type of tracking may identify you far more accurately than any cookie--and you may never know it was there.
The method pulls together innocuous data about your browser, such as plug-ins, system fonts, and your operating system. Alone, they don't identify you. Together, they're a digital fingerprint.
It's like describing a person. Just saying "brown hair" won't identify anyone. But add in "5 feet, 10 inches tall," "chipped right front tooth," "size 12 shoes," and so on, and soon you have enough information to pull someone out of a crowd, even without their name, Social Security number, or any other of the usual identifiers.
More Than a Rumor
Peter Eckersley, a staff technologist with the EFF, says he and his colleagues decided to create the site when he heard rumors about this kind of tracking. He wanted to see how accurate it might be.
Well, it's pretty accurate. And as it turns out, its use is more than a rumor.
Browser fingerprinting was developed for banks to employ to prevent fraud. But now one company, Scout Analytics, offers it as a service to Web sites, and it collects not just browser data but also data about how you type--things like your typing speed and typing patterns.
Short of in-depth analysis of a given page, browser fingerprinting doesn't leave tracks, so it's hard to pinpoint sites that use it. But clearly advertisers want accurate tracking.
Is It Legal?
Can sites legally use this fingerprinting? Existing guidelines from the Network Advertising Initiative, an online advertiser group focused on industry self-regulation, wouldn't allow it if a target had opted out of it for use in behavioral advertising, according to Ari Schwartz, deputy director of the Center for Democracy and Technology.
But hard-set rules vary among business sectors and states. Because of this and other variables, its legality remains fuzzy. Schwartz adds that, hypothetically, a site could be in the clear if the practice was disclosed in those long privacy policies that nobody reads.
And countering the technique can be problematic. The EFF lists some options, but none are as simple and painless as deleting a cookie.
In the arms race between online advertisers and Web surfers, this new technology could be a pretty big gun.