ProCircular Information Security Experts Corner

Tracking Users with Browser Fingerprinting

Posted by Josh Magri on Sep 26, 2019 11:52:00 AM

It’s common knowledge that websites are able to give users free content by serving advertisements and performing analytics in order to generate revenue (full disclosure: if you check this page’s source code, you’ll see Google Analytics and HubSpot). It turns out that between you and the website you’re browsing, there are a few friendly third parties who are very interested in your data. Let’s take a surface-level look at how online tracking works, and how you may be uniquely identified with a few JavaScript API calls.

Stateful Tracking

First, some quick background on how tracking originated and how it still works on many sites. Stateful tracking is the classic version of third-party tracking. Cookies are small bits of text that websites can put onto your disk in order to maintain state, such as for authentication. When you sign in to a website, that website can check whether you already have a cookie that it issued, which tells it that you’re already authenticated. Websites are only allowed to access the cookies that they’ve set in your “Cookie Jar”; otherwise any website could steal all your sessions. For tracking purposes, a third-party advertiser can set a cookie on your browser, and if you access another website that the advertiser is also loading content on, it can access that cookie again. Through this, the advertiser can see that you’ve visited a website and looked at shoes, so on the next website you go to there’s a chance the ad exchange will serve you ads for shoes.

Preventing third-party cookie tracking is fairly straightforward. There are many extensions out there that will either block requests to known advertising domains (e.g., DoubleClick), or will load their content but prevent them from setting a cookie on your browser. Privacy Badger is a personal favorite, as it’s from the EFF and open source. It also doesn’t rely on lists of domains, and instead looks for third-party cookies that have appeared on multiple websites you’ve visited.
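The "seen on multiple websites" idea can be sketched in a few lines. This is an added example, not code from the original post or from Privacy Badger; the request observations are constructed, the `minSites` threshold is an assumption, and the two-label `siteOf` helper is a simplification (real tools compare sites using the Public Suffix List).

```javascript
// Constructed observations: requests seen while loading three pages.
const observations = [
  { firstParty: "shoes.example", requestHost: "www.shoes.example",   setsCookie: true  },
  { firstParty: "shoes.example", requestHost: "ads.tracker.example", setsCookie: true  },
  { firstParty: "shoes.example", requestHost: "cdn.fonts.example",   setsCookie: false },
  { firstParty: "news.example",  requestHost: "ads.tracker.example", setsCookie: true  },
  { firstParty: "news.example",  requestHost: "cdn.fonts.example",   setsCookie: false },
  { firstParty: "news.example",  requestHost: "widget.chat.example", setsCookie: true  },
  { firstParty: "blog.example",  requestHost: "px.tracker.example",  setsCookie: true  },
  { firstParty: "blog.example",  requestHost: "cdn.fonts.example",   setsCookie: false },
];

// Simplified site comparison: keep the last two DNS labels (assumption).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Return third-party sites that set cookies on at least `minSites`
// distinct first-party sites, the behaviour that enables stateful tracking.
function findCrossSiteTrackers(obs, minSites) {
  const seenOn = new Map(); // third-party site -> Set of first-party sites
  for (const o of obs) {
    const third = siteOf(o.requestHost);
    const first = siteOf(o.firstParty);
    if (third === first || !o.setsCookie) continue; // first-party or cookieless
    if (!seenOn.has(third)) seenOn.set(third, new Set());
    seenOn.get(third).add(first);
  }
  return [...seenOn]
    .filter(([, sites]) => sites.size >= minSites)
    .map(([host]) => host)
    .sort();
}

console.log(findCrossSiteTrackers(observations, 3));
```

The cookieless font CDN appears on all three sites but is never flagged, and the chat widget sets a cookie on only one site, so neither meets the threshold.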

Stateless Tracking

However, newer tracking technology doesn’t need to maintain state in order to track a user; instead, it can use built-in browser functionality. When developing a website, it’s important for the developers to know what kind of device they’re showing content to in order to serve the correct version (e.g., mobile vs. desktop websites). As such, there’s a lot of functionality implemented in JavaScript API calls that can be used to determine some of these features, such as what kind of operating system is being used or what kind of fonts are available to the browser. Every one of these API calls leaks a bit of information about your device, and they can all be put together to form a “browser fingerprint”.

Part of the browser fingerprint is based on things like HTTP headers, such as acceptable encodings, the user agent, and whether the Do Not Track flag is set (a bit ironic). The other part is based on JavaScript API calls. Here are a few fun things that we can check with JavaScript:

  • All installed plugins and specific versions
  • Screen size
  • Installed fonts
  • Time zone
  • How the browser renders a specific image containing the whole alphabet and an emoji. There are differences in the results based on unique hardware quirks.
  • It turns out the competing emoji ecosystems allow trackers to tell if you’re on iOS, certain Android versions, a Samsung device, or any other device with a varying standard for emoji Unicode

Some of these things may not seem like they would reveal a lot of information about your browser versus other browsers, but when we put all that information together it forms a VERY unique profile about your machine. After running my browser through amiunique.org, they stated that out of 62,109 browsers observed in their dataset (in the last 30 days), mine was entirely unique. In fact, it was unique for their all-time dataset of 1,276,470 browsers. Panopticlick reported that only 1 in 45,244 browsers observed (in the last 45 days) had the same fingerprint as mine. Both of these tools test your browser using the same methods as trackers do and will show you how you compare to other users’ fingerprints. AmIUnique will also break down how unique you are in each test performed. If you’re curious about why uniqueness is such an issue, the EFF has a great primer on how this applies to privacy (https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy).
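To see why individually unremarkable attributes add up, the following added example (not from the original post or from either tool) measures a small constructed population the way the EFF primer does: bits of identifying information are -log2 of the share of browsers with the same value. The visitor records and attribute names are assumptions made up for illustration.

```javascript
// Constructed population: attribute values a page could read for 8 visitors.
const visitors = [
  { userAgent: "Chrome/Windows", timezone: "America/Chicago", screen: "1920x1080" },
  { userAgent: "Chrome/Windows", timezone: "America/Chicago", screen: "1920x1080" },
  { userAgent: "Chrome/Windows", timezone: "America/Chicago", screen: "1366x768"  },
  { userAgent: "Chrome/Windows", timezone: "Europe/Paris",    screen: "1920x1080" },
  { userAgent: "Firefox/Linux",  timezone: "America/Chicago", screen: "1920x1080" },
  { userAgent: "Firefox/Linux",  timezone: "Europe/Paris",    screen: "1920x1080" },
  { userAgent: "Firefox/Linux",  timezone: "Europe/Paris",    screen: "2560x1440" },
  { userAgent: "Safari/macOS",   timezone: "America/Chicago", screen: "2560x1440" },
];

// Join the chosen attributes into one comparable fingerprint string.
function fingerprintKey(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Group the population by fingerprint; each group is an anonymity set.
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprintKey(v, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Bits of identifying information: -log2(share of population that matches).
function identifyingBits(visitor, population, attrs) {
  const size = anonymitySets(population, attrs).get(fingerprintKey(visitor, attrs));
  return -Math.log2(size / population.length);
}

// How many visitors are alone in their anonymity set for these attributes.
function uniqueVisitors(population, attrs) {
  return [...anonymitySets(population, attrs).values()].filter((n) => n === 1).length;
}

// "1 in N browsers share this fingerprint" expressed in bits.
function bitsFromOneIn(n) {
  return Math.log2(n);
}

const ALL = ["userAgent", "timezone", "screen"];
for (const attrs of [["userAgent"], ["timezone"], ["screen"], ALL]) {
  console.log(attrs.join("+"), "unique visitors:", uniqueVisitors(visitors, attrs));
}
console.log("1 in 45,244 is about", bitsFromOneIn(45244).toFixed(2), "bits");
```

No single attribute singles out more than one visitor here, yet the three together leave six of the eight alone in their anonymity set. This is the effect that uniformity-based defenses work against by giving every user the same values.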

So how can you prevent this kind of tracking? Turns out it’s a hard problem to solve. The nuclear option is running a plugin like NoScript, which blocks JavaScript entirely and lets the user whitelist it in an extremely granular fashion. However, a significant portion of the internet runs on JavaScript to dynamically generate pages, and disabling JavaScript will break a lot of websites. So, our second approach is to try to make our browser as indistinguishable as possible. If you’re familiar with the TOR Project, this is the approach that they take. While it’s very easy to identify vanilla TOR traffic, it’s very hard to attribute that traffic to any one person within the anonymity set of TOR users.

AmIUnique offers a great list of tools that you can use to implement these measures. But if you don’t feel like browsing to another website, I’ll briefly summarize a few:

The TOR browser aims to make all of its users’ traffic as identical as possible, in order to create a large anonymity set. However, the nature of onion routing means that TOR traffic is not as fast as some users would like it. The TOR browser is security focused and has tools like NoScript installed.

TAILS is The Amnesiac Incognito Live System, a live operating system that doesn’t touch the disk and aims to make every user identical. Since it is live, all memory is wiped each time it boots. It also may land you on an NSA watchlist, ironically due to NSA fingerprinting efforts. (https://www.digitaltrends.com/computing/nsa-labels-linux-tails-users-extremists/)

Privacy Badger, as mentioned earlier, helps prevent stateful tracking by blocking third party trackers that it sees appearing on multiple websites.

The problem of blocking JavaScript API calls for tracking is a very hard one to solve and is a very active area of research. There is no silver-bullet solution that doesn’t require a hefty trade-off in usability.

The subject of internet tracking is incredibly complex and this post is fairly surface level, so I would recommend checking out any of the fantastic research papers that take a deeper dive into the technology and methodology behind it. Hopefully this helped shine a little more light on what’s going on behind the curtain while you’re browsing online.

References:

Pierre Laperdrix, Walter Rudametkin, Benoit Baudry. Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. 37th IEEE Symposium on Security and Privacy (S&P 2016), May 2016, San Jose, United States. hal-01285470v2

https://amiunique.org

https://panopticlick.eff.org

Topics: Cybersecurity, Information Security, Personal Privacy
