Have you noticed that the customized advertisements on certain web pages you visit seem to persist? Or perhaps the online store you visited still recalls the items you browsed even after you’ve cleared your temporary cache and cookies?
If you answered “yes” to either question, your browsing may have been tracked. I’ll introduce the concepts of tracking with cookies and browser fingerprinting, and discuss ways to evade them.
Cookies have been used since the dawn of web browsers to store tiny bits of information, such as a unique system identifier, shopping cart contents and automatic authentication details, in temporary storage on the user’s end. Although cookies can be, and have been, exploited in ways that concern user privacy, their usage can be regulated through browser settings and privacy policies.
This cookie jar of user data has caused tension between privacy advocates and online advertisers, each trying to find ways to ward the other off. In this arms race, a piece of software code with deep-reaching abilities can be notoriously hard to detect and track.
Evercookie is a smart workaround that combats the problem of missing cookies on a user’s system when the temporary cache is cleared. It works to revive cookies by looking into small pockets of possible data storage locations using an array of ingenious techniques. It only requires that users leave their browser in default settings with the “allow scripts” option enabled.
This method of persistent tracking is a “proof of concept” by Samy Kamkar, who is infamous for his work on the Myspace worm Samy in 2005. Evercookie has caught plenty of attention from the information security community and international news outlets. With ways of tapping into data storage in the new standards in HTML5, plus the improvements on Evercookie, respawning cookies may soon become more ubiquitous.
Workings of Evercookie
Evercookie is an open source application programming interface (API) that a web developer can use to store small packets of information in various locations. It later looks for traces of that data to rebuild the cookie if the cookie is found to be missing. In his personal blog, Samy lists a suite of smart methods, all based on the idea of finding a unique ID that helps locate the rest of the missing pieces of the cookie puzzle.
This small piece of token data can be stored in various points on the system such as Local Shared Object (LSO), Internet Explorer userData storage, and PNG files. Once found, the host website can once again view the user’s profile. This makes cookies more persistent than their conventional lifespans.
The API’s methods for storing and retrieving cookies include:
- Storing small PNG files in the user’s cache, whose encoded RGB values can be translated back into the user-specific token. Once found, the token can be used to rebuild the lost cookie.
- Using the CSS feature that color-codes visited links to rebuild web page visit history. It can recreate the set of links that were visited and then translate that into a unique combination that yields a user-specific token.
- Using the isolated storage feature of Microsoft Silverlight to store a unique token.
A functional demo of these and other methods can be viewed on Samy’s blog.
Beyond Cookies: Fingerprinting Browsers
When a web browser communicates with any website using standard HTTP, it shares a string called the User-Agent. The string contains information such as the name of the browser, the operating system and the browser version. Together, these details can define a degree of uniqueness for each system.
The Panopticlick project measures how unique a browser is. According to the project’s website, “Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users’ configurations. Then, it will give you a uniqueness score — letting you see how easily identifiable you might be as you surf the web.”
According to the test results so far, 85 percent of visitors have been uniquely identified using these bits of user information. Since the tracking is based on browser characteristics, it has better accuracy than using cookies. However, using multiple browsers on the same machine and disabling scripting will reduce the effectiveness of this tracking technique.
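As an added example (not from the original post or the Panopticlick project), the following Python estimates how identifying a browser configuration is using Panopticlick’s approach: bits of identifying information computed as -log2(P) over a sample of other visitors, plus the fraction of visitors who are unique. It also shows how the score collapses when only the User-Agent header is available, as for a visitor with scripting disabled. The eight configurations and attribute names are constructed for illustration, not real measurement data.

```python
import math
from collections import Counter

# Constructed sample of eight visitors (not real Panopticlick data).  "ua" is
# the HTTP User-Agent header every site sees; the other attributes can only
# be read by a script running in the page.
FF_WIN = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
SAF_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/533 Safari/533"
IE8_WIN = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
KEYS = ("ua", "tz", "screen", "plugins", "fonts")
SAMPLE = [dict(zip(KEYS, row)) for row in (
    (FF_WIN, "-300", "1366x768x24", "Flash 10,Java 6", "Arial,Verdana"),
    (FF_WIN, "-300", "1920x1080x24", "Flash 10,Java 6", "Arial,Verdana"),
    (FF_WIN, "0", "1366x768x24", "Flash 10", "Arial,Verdana,Calibri"),
    (FF_WIN, "-300", "1366x768x24", "Flash 10,Java 6", "Arial,Verdana"),  # twin of row 1
    (SAF_MAC, "-480", "1440x900x24", "Flash 10,QuickTime", "Helvetica,Monaco"),
    (SAF_MAC, "-480", "1280x800x24", "Flash 10,QuickTime", "Helvetica,Monaco"),
    (IE8_WIN, "-300", "1024x768x32", "Flash 10,Silverlight 4", "Arial,Tahoma"),
    (IE8_WIN, "60", "1024x768x32", "Flash 10,Silverlight 4", "Arial,Tahoma,Calibri"),
)]
HTTP_ONLY = ("ua",)   # what a visitor with scripting disabled reveals
WITH_SCRIPTS = KEYS   # what a fingerprinting script can collect

def fingerprint(record, keys):
    """Combine the selected attributes into one hashable identifier."""
    return tuple(record[k] for k in keys)

def entropy_bits(records, keys):
    """Shannon entropy of the fingerprint distribution: average identifying bits leaked."""
    n = len(records)
    counts = Counter(fingerprint(r, keys) for r in records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def surprisal_bits(records, keys, record):
    """Panopticlick-style per-visitor score, -log2(P(fingerprint)); rarer scores higher."""
    counts = Counter(fingerprint(r, keys) for r in records)
    return -math.log2(counts[fingerprint(record, keys)] / len(records))

def unique_fraction(records, keys):
    """Share of visitors whose fingerprint occurs exactly once in the sample."""
    counts = Counter(fingerprint(r, keys) for r in records)
    return sum(1 for r in records if counts[fingerprint(r, keys)] == 1) / len(records)

if __name__ == "__main__":
    for label, keys in (("HTTP headers only", HTTP_ONLY), ("scripting enabled", WITH_SCRIPTS)):
        print(f"{label:18s} entropy={entropy_bits(SAMPLE, keys):.2f} bits, "
              f"unique={unique_fraction(SAMPLE, keys):.0%}")
```

With scripting enabled, six of the eight constructed visitors are unique (2.75 bits of the 3 bits possible); with only the User-Agent header, none of them is.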
Finding Middle Ground
In most cases, users must be wary of a false sense of security. Clearing cookies, erasing history and using browser add-ons can help limit tracking. Other measures, like disabling scripting and using private browsing, can ensure a better degree of anonymity.
However, resorting to these steps involves a trade-off. Reasonable uses of tracking may improve the usability of websites, such as remembering usernames and authentication details. In extreme cases, using websites that are heavily dependent on scripts may become difficult. For practical reasons, some level of cookies and scripts is required to continue using websites normally. A possible middle ground would be to allow scripts to run and cookies to be stored only on trusted sites.
For more information, read the Federal Trade Commission’s best practices for online privacy issues.
Do you think user privacy is being run over by such tracking technologies? Share your thoughts in the comments section, or feel free to reach out to me at abhilashachar [at] gmail [dot] com.