Online Trackers Follow Our Digital Shadow By 'Fingerprinting' Browsers, Devices

Sep 26, 2016
Originally published on September 27, 2016 12:42 pm

As we surf from website to website, we are being tracked — that's not news. What is news, revealed in a recent paper by researchers at Princeton University, is that the tracking is no longer just about the "cookies" that record our tastes. The researchers surveyed a million websites and found that state-of-the-art tracking is a lot more sophisticated, allowing websites to track the fingerprints left by our devices.

Princeton's Arvind Narayanan and Steven Englehardt studied how all the things we do not see as users are valuable to someone on our digital trail, as our presence may be authenticated and tracked through such minutia as personalized browser settings or even our laptops' battery levels.

Fingerprinting "allows a tracker to put an identifier on your entire history of online activity," Narayanan, assistant professor of computer science, tells NPR's Robert Siegel. "They've been collecting those histories, that's not new — that's a given. But what the technological sophistication is for, is for linking all of your online breadcrumbs together, even if you're not necessarily putting your real name or email address into all your online interactions."


Interview Highlights

On how fingerprinting techniques work

It turns out that websites as well as the hidden so-called third parties that track us online can ask your browser for the entire list of fonts or extensions that you've ever installed. And that list could be different from almost anybody else on planet Earth. And so that might present a nearly unique or completely unique fingerprint of your device that can help a website or a third-party tracker recognize you when you come back. ...

These fingerprinting techniques are not directly getting at what sort of person you are; they're merely trying to develop some sort of recognizable pseudo identity of you. ... If you have this pseudo identity based on the fingerprint of your device, then what the website is going to be able to do is piece together all of the online breadcrumbs that you've left in different places and compile that into a profile, into a dossier of you. And using that, they can apply algorithms and infer your interests and preferences and so on.

On how fingerprinting can follow you across devices

This is best seen if you think about you as a traveler with two different devices, let's say your laptop and your mobile phone. What some website or tracker is going to observe is that there are two different devices over and over again connecting from the same networks, from the same set of IP addresses. ... Over time, that allows this online tracker to put together a profile of the behavior of those two devices and infer statistically, with a very high degree of confidence, that this pattern of coincidences could not have happened by chance — it must be because these two devices belong to the same individuals. ...

For the most part, these are very new and interesting technologies, but also creepy from a privacy perspective and more-or-less unregulated.

On the uses of online tracking

The most obvious consequences are certainly going to be online ads that you see and targeted offers that you get. Occasionally, we know that websites have been experimenting with price discrimination based on your online activities and trying to infer if you're a more affluent or less affluent type of consumer online. That's not so widespread yet, but there are a few studies that have revealed that it does happen from time to time. ...

Increasingly, people are discovering new uses for all of this online tracking information. For example, there are concerns that political campaigns might be using this data to specifically, individually target political messages to us. To the point where someone else might be getting a slightly different message that is tuned to their tastes or political proclivities or whatever. This has implications for democracy, and we need to have the societal conversation about this.

On ways to combat tracking technologies

There are many extensions that you can install in your browser that are going to block all of these online tracking technologies. One of them is Ghostery that we studied in our paper. There are a variety of others. The Electronic Frontier Foundation has released one called Privacy Badger. And these are tools — some of which I use myself and my colleagues employ — that are going to cut down on tracking. Although they come with some trade-offs. Occasionally one of the websites you're visiting might break, might not work exactly as you wanted it to. ...

These measures are a sort of Band-Aids. We do need systemic solutions, but that conversation is not happening yet.

Copyright 2016 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

As we surf from website to website, we are being tracked. That's not news. What is news - and we learn it from researchers at Princeton University - is that the tracking is no longer just about cookies that aim to record our tastes. The researchers surveyed a million websites and found that state-of-the-art tracking is a lot more sophisticated than cookies.

They write about websites tracking the fingerprints that our devices leave. Joining us now is Princeton's Arvind Narayanan. Welcome to the program.

ARVIND NARAYANAN: It's great to be here.

SIEGEL: And what are my fingerprints or the fingerprints that my devices leave?

NARAYANAN: These things can be hard to visualize. But let's say you have a new computer that as far as you know is identical to the computer of the person sitting next to you. But over time you browse different websites, and you might install different fonts and extensions on your web browser.

It turns out that websites as well as the hidden so-called third parties that track us online can ask your browser for the entire list of fonts or extensions that you've ever installed. And that list could be different from almost anybody else on planet Earth. And so that might presents a fingerprint off your device that can help a website or a third-party tracker recognize you when you come back.

SIEGEL: To what end? They can - I understand if I'm hacking into someplace where I'm unwelcome, it would be useful for them to recognize me. But what else would they do with all of that information, the fonts that I've added and the like?

NARAYANAN: Primarily this is being driven by online advertising technology. Being able to recognize you as you browse from site to site allows these online ad tech companies to build up a profile of your interests and things that you've done in the past and so on.

So if you've ever encountered, for example, adding a pair of shoes to your shopping cart and then you find that an ad for those shoes follows you around the web, all of that is driven by these types of fingerprinting and other online tracking technologies.

SIEGEL: If fingerprinting is that effective, that should mean that when I am working on my personal laptop computer at home and when I'm working on the laptop that I work on here at the office, something about what I'm doing would make it evident to some third party that I'm the same person.

NARAYANAN: That can indeed happen sometimes. So this is best seen if you think about you as a traveler with two different devices, let's say your laptop and your mobile phone. And so what some website or tracker is going to observe is that there are two different devices over and over again connecting from the same networks.

And so over time that allows this online tracker to put together a profile of the behavior of those two devices and infer statistically with a very high degree of confidence that this pattern of coincidences could not have happened by chance. It must be because these two devices belong to the same individuals.

SIEGEL: Is there something that I can do when I go online that would make me harder to track any countermeasures that I as a consumer or a reader can take?

NARAYANAN: Certainly there are many extensions that you can install in your browser that are going to block all of these online tracking technologies. One of them is Ghostery that we studied in our paper. There are a variety of others. The Electronic Frontier Foundation has released one called Privacy Badger.

And these are tools, some of which I use myself and my colleagues imply that are going to cut down on tracking. Although they come when some tradeoffs. Occasionally one of the websites that you're visiting might break, might not work exactly as you wanted it to.

SIEGEL: Arvind Narayanan, thank you very much for talking with us today. This was great. Thank you very much.

NARAYANAN: Arvind Narayanan is an assistant professor at Princeton's department of computer science. Transcript provided by NPR, Copyright NPR.