Your Digital Fingerprint: What The Web Doesn’t Want You To Know

Panopticlick

Have you noticed that the websites you use are getting more and more dependent on JavaScript routines that don’t appear to do anything other than make the whole experience that little bit more sluggish? Simple, fast and perfectly usable systems have morphed into more resource-hungry and generally more annoying environments. Do they do any more for users today than they did in the past? In most cases, no. So why are online businesses investing so much time and money in these extensive updates?

It’s important to stress that this is not just about dot-coms adding JavaScript features – it’s about dot-coms making sure their sites are completely unusable without JavaScript. But let’s be fair: with some JavaScript environments, the dependency is understandable. On a site like Twitter, for example, JavaScript lies at the centre of the core goal. The whole point of Twitter is and always was to seamlessly run live, realtime updates, and that can’t be achieved without scripting capability. So with Twitter, there was always a real user advantage to building a JavaScript-dependent environment.

But many other sites are not founded on that same realtime capability, and don’t specifically need JavaScript in order to carry out the basics of their remit. Furthermore, a significant chunk of these other sites have worked for years without being JavaScript-reliant, and making them wholly dependent on JavaScript has not altered their basic functionality, from the user’s side.

Worse still, the JavaScript implementations often cause insurmountable functionality problems with browsers which are in any way non-standard, or a little out of date. Try clicking certain buttons/tabs with an older or non-standard browser, and they don’t work. This is because they’re not conventional buttons. They’re JavaScript enactments that require new browser functionality in order to perform. So in short, far from improving the user experience, JavaScript-dependency is frequently making it worse. Not just slower, but sometimes impossible.

No doubt the site support teams will respond to complaints with a nifty: “Well, keep your browser updated then!” That’s fine (provided you have a modern computer with the resources to run a massively bloated and RAM-hungry current browser), but it doesn’t explain why a website would make its functions JavaScript-dependent when they work better, faster and more reliably without JavaScript. And no site wants to offer an explanation. Not an explanation that really makes sense, anyway. What’s the big secret?

THE TRUTH

Again, I want to stress that JavaScript can achieve some great benefits for the user, and when that’s the case, no one would question its implementation. But when all it’s doing is making the site heavier and more demanding, the truth can only be that the dot-coms don’t want you using their sites if your JavaScript is not fully functional. They want to force you to enable JavaScript. Pressure also appears to have been placed on browser developers to eliminate the option of disabling JavaScript.

Why is this? Well, one of the reasons could be that if you don’t have fully functional JavaScript, the dot-coms can’t use a covert tracking method called digital fingerprinting, to recognise and track your movements.

ER… WHAT HAPPENED TO COOKIES?

Traditionally, cookies have been at the centre of Web tracking. But there are a number of reasons why they’re losing traction as a sole tracking resource…

  1. They’re not reliable, because they’re easily blocked and easily deleted by the user.
  2. Legislation is forcing sites to be more clear about their use of cookies, which is raising the profile of the traditional-style tracking system and giving more and more users the choice to opt out of being tracked with cookies.
  3. Privacy features in some browsers – such as Incognito Mode – disable the transfer of, and access to, conventional cookies, meaning sites can neither drop nor read data.
  4. If a site relies purely on cookies, a regular visitor will show up as a completely new visitor, every time they clear their full browser history. That massively distorts the data being collected.

Cookies are still in frontline use, as they aid site functionality as well as helping to pass information from one website to a partner. One site places a piece of info onto your drive, and another, related site reads it. That super-convenient method of transmitting info, rather than purely identifying a computer, means that cookies will have a role in computer browsers for a long time yet.

Indeed, some sites have sought to improve the reliability of cookies with a newer and more evasive option known as the LSO or Supercookie, which bypasses the standard methods of detection and deletion. LSOs rely on Flash routines to transfer and read information, as opposed to storing cookies in the usual folders. But providers are still technically required to make users aware of these tactics, and worst of all from the providers’ angle, there are privacy apps available which seek out and delete Supercookies. That’s not the case with digital fingerprinting… yet.

SO WHAT IS DIGITAL FINGERPRINTING?

Digital fingerprinting uses JavaScript to form a complex picture of your computer system and browsing setup. The picture is so complex that it can uniquely identify a specific computer or device. It encompasses such elements as your individual arrangement of browser plugins and, crucially, the exact permutation of fonts you have installed. In combination with your computer details, your choice of browser, your screen size, your OS version, any LSO info you’ve inadvertently picked up from Flash routines, etc., this can easily make you identifiable at odds of a million to one or greater.

If you look at the capture heading this post, you can see that when tested, the computer I used was unique to something approaching a million and a half to one. For privacy reasons, I’ve cut out the huge rundown of identifying features the test revealed, but you can see for yourself the extent of the information your computer is leaking by visiting the test site Panopticlick and running your own test. If you thought the sites you visit could only collect your IP address and browser version, brace yourself for a huge shock. It doesn’t matter if you’re browsing ‘incognito’ either. JavaScript still enables this mass of info to be collected.

Panopticlick Browser Study

But your digital fingerprint cannot be read with anything like the same accuracy when JavaScript is disabled. You’ll see in the screen capture above what using a JavaScript-disabled browser like Tor actually does to the test. Very little information can be gleaned, and the small amount that remains is nothing like enough to uniquely identify a computer. You can see the computer I used was only identifiable to a uniqueness of one in 388. In other words, incredibly common. Far too common for most sites to even attempt identification. My fingerprint can’t be taken, because effectively, I’m wearing digital gloves.
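To put numbers on that comparison, here is an added example (not code from this post or from Panopticlick) that counts how many visitors in a constructed population share one fingerprint, with and without the attributes the post says are read through JavaScript. The population, its attribute values and the use of the Accept-Language header are assumptions made for illustration.

```javascript
// Added example: constructed data, not real measurements.
// Sent with every request, no script needed (Accept-Language is an assumption).
const HEADER_ATTRS = ["userAgent", "acceptLanguage"];
// Attributes the post says are collected through JavaScript.
const SCRIPT_ATTRS = ["screen", "plugins", "fonts"];

// Constructed population: 3 browsers x 2 languages x 2 screens
// x 2 plugin sets x 4 font sets = 96 distinct setups, one visitor each.
function buildPopulation() {
  const pop = [];
  for (const userAgent of ["Firefox", "Chrome", "Safari"])
    for (const acceptLanguage of ["en-GB", "en-US"])
      for (const screen of ["1920x1080", "1366x768"])
        for (const plugins of ["Flash,PDF", "PDF"])
          for (const fonts of ["base", "base+office", "base+design", "base+games"])
            pop.push({ userAgent, acceptLanguage, screen, plugins, fonts });
  return pop;
}

// Join the chosen attributes into one fingerprint string.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Number of visitors whose fingerprint equals the target's.
function anonymitySet(population, target, attrs) {
  const fp = fingerprint(target, attrs);
  return population.filter((v) => fingerprint(v, attrs) === fp).length;
}

// "One in N" expressed as bits of identifying information.
function bitsFromOneIn(n) {
  return Math.log2(n);
}

// What a site learns about one visitor, headers only versus headers + script.
function compare(population, target) {
  const measure = (attrs) => {
    const sharedWith = anonymitySet(population, target, attrs);
    return { sharedWith, bits: bitsFromOneIn(population.length / sharedWith) };
  };
  return {
    headersOnly: measure(HEADER_ATTRS),
    withScript: measure([...HEADER_ATTRS, ...SCRIPT_ATTRS]),
  };
}

const result = compare(buildPopulation(), buildPopulation()[0]);
console.log(result);
console.log("one in 388 =", bitsFromOneIn(388).toFixed(1), "bits");
```

In this toy population the header-only fingerprint is shared by 16 visitors, while adding the script-readable attributes leaves the visitor alone in a set of one.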

But instantly, you can see from your own test why commercial Internet sites – especially those who make a big chunk of their revenue from data mining and sharing – are so incredibly keen to force you to use JavaScript. If you and lots of other privacy-aware users disable JavaScript, the sites can’t get the data they need, and they’re literally going to lose money.

Never underestimate how big a business data-mining is for cyber powers. The key issue is not whether one specific site you log into can recognise and track you. Of course they can recognise and track you – you’re logged in with a password. The key issue is whether other sites can work together with that initial site to build a much bigger and wider picture of your online activity, which is then combined and stored by ALL partners involved. Larger collections of sites may not be able to share cookies due to your browser’s settings and plugins. But if you have JavaScript enabled, they can still identify you through your digital fingerprint.

SURELY THIS IS NOT LIFE OR DEATH?…

You may say: “Oh come on, it’s only about marketing”. And to an extent that’s true (though there will inevitably be other uses for this technology). It’s also, however, covert, and it’s sly. It’s spying. The businesses using digital fingerprinting are not telling you what they’re up to. There’s no little tab on the site that details their Digital Fingerprinting Policy. It’s totally underground, and even the specialists with a vested interest in spreading the word for their own gain don’t want to talk about it. The secrecy surrounding this – the fact that people don’t know it’s happening – is what makes it unacceptable. It makes no difference what the data is used for.

HOW TO FIGHT DIGITAL FINGERPRINTING

The obvious answer is to disable JavaScript. But when a site makes all its features JavaScript-dependent, you can’t disable JavaScript. If you do, you simply can’t use the site.

Other options? Well, you obviously can’t delete your computer, or constantly change your browser plugins, fonts and other system parameters so as to evolve your fingerprint from day to day. But what you can do is allocate different browsers to different tasks.

For instance, keep one browser with cookies and JavaScript completely disabled for general Web browsing. Tor would be great for this purpose. Then dedicate other browsers to sites that you log into, and which force you to accede to their JavaScript demands. You could split up your logins across a range of different browsers, including: Firefox, Opera, Safari, Internet Explorer, Chrome, Chromium, Light, SeaMonkey, K-Meleon, etc.

All of these browsers will work independently of each other on one PC, and importantly, they’ll each give you a different fingerprint, so what one site sees won’t be the same as what another sees. This doesn’t, of course, stop each site recognising you when you log in, and recording everything you do. But if you’re selectively blocking cookies, it does stop the site’s partners from recognising you when you visit them, and then helping assemble all your Internet use into one big picture.

It makes sense to try and keep the sites that request the most information about you as isolated as possible. Ideally, you’d want to keep a site that knows your name, address and telephone number ‘quarantined’ in a browser of its own. Naturally, depending on how often you share this kind of personal info, isolating individual sites could be impractical. If you enter your name and address into scores of big, data-hungry sites every year, ostracising domains to specific browsers will not be the answer. But then, if you have such scant regard for your data and privacy, you’re probably not going to be reading a post like this in the first place.

You could also attempt to make yourself difficult to identify by using a very typical browser and computer setup. But remember, you need to make sure you’re not adding unusual combinations of fonts – which you may be doing inadvertently when you install software. It’s impractical really.

The best answer would be for law-makers to step in and legislate against these covert behaviours. But since data-mining is such a massive business, and at its most sophisticated may have parallels with the kind of tactics law enforcement groups use to thwart criminal behaviour, law-makers have to be careful what they draw public attention to. Sometimes it’s just better, for them, for things to be swept under the carpet until the wider public raises a concern. And as regards digital fingerprinting, with its veil of silence, that seems to be a long way off.

  Author: Bob Leggitt
