North Bay Web
Web Design, Development & Technical Support

View Archive The North Bay Web Blog

Category - Fingerprinting,Privacy,Security
Posted - 11/05/2020 02:28pm
0 Comments | Add Comment
This is Your Digital Fingerprint
Nick Briz July 26, 2018
This piece was originally published in The Disconnect.

Mozilla invited Chicago-based teacher and activist Nick Briz to explain how people are tracked, surveilled and monetized on the web. In the fall, Nick will be leading a speaker series in Chicago on how date rules everything around us  (the D.R.E.A.M series).

Today, anonymity is no longer the default of the web. While still free, the internet that was once predicated on privacy is now dominated by the information economy. For the sake of capital, tech firms and advertisers track, identify, and monetize our every move across the digital landscape, touting this exploitation as a method for a more personalized and convenient digital experience.

Even so, there is an overwhelming understanding of the importance of privacy. In 2015, at least 90% of Americans reported that privacy is “very important” to them, according to a survey by the Pew Research Center. For this reason, savvy internet users install ad-blockers to ward off malicious cookies, while savvier users will use VPN software to mask their true IP addresses. Even casual internet users clear their cookie cache now and again or use private browsing functions.

However, even as awareness grows, many users regard online surveillance as the nature of the modern web, complacently agreeing to the terms and conditions and accepting constant monitoring as a necessary trade-off for a taste of convenience and personalization. This view is a risk to the fundamental values of liberty that define privacy as a right.

This brings us to your digital fingerprint, which is made up of tiny bits of your personal data. This  distinct, data-driven identifier is currently in the possession of countless corporate entities. The artwork above is a visual representation of your unique fingerprint, and it uses the same data as those corporations. (Curious how we did this? See the addendum.) It was created to serve as a reminder that we’re never truly anonymous online and, just as you have a right to privacy, you have a right to know when and how that privacy is being violated.

Understanding how specific tracking methods work should not be the exclusive domain of those who seek to capitalize on your web activity. In this case, we will be shedding light on a widely used yet rarely discussed tracking technique: browser fingerprinting.

What is Browser Fingerprinting?
Initially developed for security purposes, browser fingerprinting (also known as device fingerprinting) is a tracking technique capable of identifying individual users based on their browser and device settings. In order for websites to display correctly, your browser makes certain information available about your device, including your screen resolution, operating system, location, and language settings. These details essentially make up the ridges of your digital fingerprint.

Much like detectives piecing together clues from a crime scene, trackers can assemble this data into a recognizable “fingerprint” and then use this identifier to trace your activity across the web. It might seem impractical to derive a unique fingerprint from a pool of innocuous settings and data, but considering the number of browsers and configurations available to a given user, there are a lot of possible combinations. In fact, the fingerprint of the laptop we wrote this piece on was completely unique among the 1.7 million fingerprints collected by Electronic Frontier Foundation’s Panopticlick tool.

In addition, once it has been assembled, your digital fingerprint is persistently accurate. With recent developments in cross-browser fingerprinting, this technique is capable of successfully identifying users 99% of the time. That means even if you were to employ multiple recommended privacy precautions (masking your IP address through a VPN and deleting or blocking cookies) trackers can still use your digital fingerprint to re-identify and re-cookie your device when you visit a website.

Why is It Used and Who Uses It?
Increased public concern for internet privacy has made precautionary methods more accessible and easier for users to implement, making traditional cookie-based tracking relatively untenable. This decline in cookie efficacy has led trackers to seek out more advanced ways of monitoring their users. Many of the companies that pioneered browser fingerprinting saw this as a commercial opportunity and quickly expanded their services into the world of online tracking.

Browser fingerprinting is just one of many other tracking techniques used by companies known as “data brokers.” These third-party companies use your digital fingerprint to discreetly trace your activity across the web, collecting little bits of data about you along the way.

While trackers won’t necessarily match your activity with a face or a name, the data they derive from websites you visit, social platforms you use, searches you perform, and content you consume, can be considered personally identifiable. With this data, brokers build a general profile of who you are (age range, location, language, interests, etc.) and sell this insight to advertisers and marketers who use it to relentlessly serve you personalized ads and content recommendations across the web.

While they are overwhelmingly used to violate user privacy, fingerprinting and other online tracking techniques are not all bad. For one, browser fingerprinting technologies are still used for the security and authentication purposes they were initially developed for: to prevent software piracy, identity theft, and credit card fraud among other security risks. For example, software security firms such as Sift Science offer enterprise solutions that employ fingerprinting technologies to help websites track, identify, and block “the bad guys.”

On a larger scale, these tracking techniques, and the intrusive ads they facilitate, make the modern internet possible. The large players that arguably shape the course of the web sustain their businesses on the profits made through targeted online advertising. In 2017, both Alphabet (Google’s parent company) and Facebook made an overwhelming majority of their total profits through digital advertising—88% and 97%, respectively. Online advertising also plays a crucial role in supporting free journalism and keeping media outlets afloat. Without ads, we’d have very limited options for staying informed.

Privacy is clearly a difficult challenge to tackle in an increasingly digitized world. On one hand, companies consistently violate our privacy and exploit our data, while on the other, they make the web as we know it a sustainable hub for information and social connection. Some accept this condition as the nature of the web—just something that we have to deal with to ensure two-day shipping. However, you shouldn’t have to decide between privacy or convenience every time you open your laptop or pick up your phone. We should have equal access to privacy and convenience. Is it possible for us users to have our cake and eat it too?

What Can We Do?
The most obvious approach to this dilemma is to protect yourself by any means necessary. That entails employing all the appropriate measures to ensure your privacy. However, due to its nature, browser fingerprinting is not easy to circumvent. While it’s technically possible to thwart this technique by exclusively using the privacy-focused Tor Browser or by blocking all JavaScript with a browser add-on like NoScript, to say these options are impractical is an understatement. (NoScript renders most websites you visit, including The Disconnect, virtually unusable.) It’s also worth noting that some measures, while intended to improve your privacy, can actually make a browser more distinct and therefore easier to fingerprint and identify.

A simpler (and arguably more effective) approach to this dilemma is education. As stated earlier, it is important to understand how your privacy is being violated—not to make you feel scared or apathetic, but to make you aware, which is our exact purpose for writing this piece. Improving our current digital circumstances starts with education. A true calibrated response to our current fingerprinting situation should include advocacy and innovation, but for either to be effective, a bit of digital literacy is a prerequisite.

Education reinforces consumer advocacy. Though policy has been relatively slow to react to our privacy concerns, consumers saw a major win earlier this year with the General Data Protection Regulation (GDPR), which is a new set of European Union rules aimed at giving users more control over their personal data online (and the reason for all those “privacy update” emails that flooded your inbox). It has only recently gone into effect, so we’ve yet to see how this might affect browser fingerprinting; however, the GDPR is a testament to the positive results that can come from consumer advocacy.

In addition, spreading knowledge of how our privacy is currently handled creates a larger demand for privacy-focused developers and entrepreneurs. Armed with an understanding of our current circumstances, these individuals will be able to effectively question the ways in which the internet works for us and against us, allowing them to develop new, creative, and practical ideas that protect the future of online privacy as well as allow companies to prosper and profit on the web. In an industry defined by innovation, we can’t be completely out of ideas, right?

In order to truly reform online tracking practices, we must understand the issue in its entirety. This means that, in addition to understanding the conditions and technologies we’re up against, we must also understand the importance and value of privacy.

Why is Privacy Important?
Privacy is often seen merely as a safeguard against prying eyes and exploitative corporate entities. However, to summarize the ideas of Georgetown University law professor Julie E. Cohen, privacy is more than an instrument to advance liberty or check control. It is a buffer for self-development free from the influence of society and culture. It enables all the factors we need to develop distinct identities: autonomy, free thought, creativity, experimentation, and exploration. And through this same buffer, we are afforded the resources to discover the type of society we want to be a part of and the steps we need to take to get there. These are decisions we need to make while we still have the agency to do so.

By regarding the internet as unregulable, we are giving companies the green-light to continue building technologies (like browser fingerprinting) that have the potential to manipulate the way in which people think and behave, setting society on a path mirroring a dystopian sci-fi. Surveillance creates an environment that breeds conformity, obedience, and submission; the very ingredients that define the totalitarian societies feared by the likes of Orwell, Bradbury, and Huxley. And as things stand now, it feels as if we are moving in this direction.

Because data is the lifeblood for developing the systems of the future, companies are continuously working to ensure they can harvest data from every aspect of our lives. As you read this, companies are actively developing new code and technologies that seek to exploit our data at the physical level. Good examples of this include the quantified self movement (or “lifelogging”) and the Internet of Things. These initiatives expand data collection beyond our web activity and into our physical lives by creating a network of connected appliances and devices, which, if current circumstances persist, probably have their own trackable fingerprints. From these initiatives, Ben Tarnoff of Logic Magazine concludes that “because any moment may be valuable, every moment must be made into data. This is the logical conclusion of our current trajectory: the total enclosure of reality by capital.” More data, more profit, more exploitation, less privacy.

In a recent interview with O’Reily Media, author and digital rights activist Cory Doctorow paraphrases Harvard Law School professor Lawrence Lessig’s four modalities of regulation: “…the world is influenced by four forces: 1) code, what’s technologically possible, 2) law, what’s legally available, 3) norms, what’s socially acceptable, and 4) markets, what’s profitable.” Together, these forces are what regulate the internet. Lessig’s modalities suggest that if privacy is not a priority and there are no incentives for it, then the technologies built under these circumstances will not provide it. By this reasoning, the key to preventing device fingerprinting and similar privacy-killers from developing any further boils down to normative intervention. Norms dictate what is profitable; therefore,we get to choose how these forces should regulate. The choice is not whether the web should be regulated or not, rather it is whether we, the users, should be present in choosing the code that will ultimately choose our values as a society.

While markets may drive the development of device fingerprinting techniques, we need to look to what Lessig describes as “technologically possible” in order to truly regain agency in this space. Through proper education, relentless advocacy, and creative innovation, we can evolve social norms to prioritize online privacy. And even though we may have already seen new regulations drafted to reflect this shift in social norms, there is still quite a bit of work to be done. In the cat and mouse game for online privacy, device fingerprinting currently gives trackers the advantage. If that makes you feel powerless, it shouldn’t. Remember that control over our data and agency online is a never-ending negotiation. Digital rights, like all human rights, must continually be defended

Addendum: How We Get Your Fingerprint
The strings of text that make up the ridges of the algorithmically-generated fingerprint in the piece above are unique to you and are made up of the same data points used by commercial device fingerprinting. Typically, this array of attributes is compressed into a shorter ID number using a cryptographic “hash” function. It’s worth noting at this point that The Disconnect is not tracking its readers’ fingerprints and thus isn’t hashing these attributes to send that unique ID back to The Disconnect’s server. Instead, the code used to render the piece is only ever executed locally and never leaves your device.

So what are these attributes and how do websites get access to them? JavaScript, the de facto programming language of the internet, is regularly used to convert simple websites into interactive applications like Google Maps. In order for these web applications to work properly, the web developer often uses JavaScript to detect information about your particular device. If you are on a desktop or laptop browser, you can actually do this yourself using your browser’s JavaScript Console:
  • Firefox: Control+Shift+K (or Command+Shift+K on Mac)
  • Chrome: Control+Shift+J (or Command+Shift+J on Mac).
  • Safari: Command+Option+C
  • Edge: F12
Once open, type navigator.userAgent and hit enter. You should see your device’s “user-agent” print to that console. The “user-agent” is used to identify what browser and platform you are using.

The “user-agent” is the first bit of data you’ll see on the cover. This is followed by other information specific to your browser like the current language it’s set to (navigator.language), whether or not you have “do-no-track” set (navigator.doNotTrack) and a list of any plugins (navigator.plugins) you may have installed. This is followed by information about your device including your screen’s resolution (screen.width and screen.height) and color-depth (screen.colorDepth), what time zone your clock is set to (Intl.DateTimeFormat().resolvedOptions().timeZone) the platform underlining your operating system (navigator.platform), how many CPU-cores your computer has (navigator.hardwareConcurrency), what GPU (or graphics processor) vendor and renderer is and whether or not you’re on a touch device. After this you’ll see a list of storage types and whether or not your browser supports them. Printing the GPU and touch information to the console requires a bit more code than the previous attributes, but you can view a fully annotated version of the source code behind the cover art here if you’re curious to learn more.

The last two data points you’ll see animating on the cover are the “font-list” and a “canvas-hash.” The former is the list of fonts you have installed on your computer. Browsers need access to your fonts in order to render the texts on your screen, but because users often add to the list of fonts that come default on their devices, this can become a particularly effective way to identify you online. The “canvas-hash” is perhaps the most unique characteristic. The HTML5 canvas is used by developers to draw 2D and 3D graphics in the browser using JavaScript. Though the same canvas code executed on different devices will render images that appear the same to our eyes, because of a list of differences among devices, the images will not be 100% identical at the pixel level. For this reason, when the pixel data of a rendered canvas image is sent through a cryptographic “hash” function, the resulting ID will be unique to that device and thus ideal for fingerprinting.

Add a Comment

Category - Fingerprinting,Privacy,Security
Posted - 11/05/2020 02:22pm
0 Comments | Add Comment
Digital Fingerprinting, What is it and why do you care?

Good article about Digital Fingerprinting from SSD

Fingerprinting is done extensively by tracking companies, who use this information to target users with ads or sell that information to data brokers. Digital advertising is a business worth hundreds of billions of dollars. Retargeting, or recognizing a return visitor and marketing materials based on their previous browsing, is a powerful way for marketers to increase click-through rates and generate revenue.

The most common way to retarget ads on the web is through browser cookies, and apps can use the advertiser ID provided by both iOS and Android. But the user can clear cookies and advertiser IDs to remove the persistent identifier linked to their particular browser or mobile device. Think of your browsing habits as a string that connects different pins on a board. Each pin represents a site that you've visited, and a tracker can trace that string to see what you've visited in the past. Clearing your cookies is like cutting that string into different segments, and the more often you cut the string, the smaller the segments become. The tracker can no longer see what you've visited in the past.

Fingerprinting creates a string that can't be cut by creating a new persistent identifier. It uses your browser or device characteristics against you, since the identifier is a summary of all the characteristics of your browser or device. The reason why fingerprinting exists is to circumvent the normal controls users have that enable them to control their own browsers. In order to take control of our browsers and devices back, we have to use special tools that resist fingerprinting.

First, it has to be persistent. If the user's fingerprint changes rapidly, there would be no way for the tracker to tell one visit of a user from the next visit. This ability to link visits is essential to determine that it is the same user visiting websites or using apps over time. This persistent identifier is used as a substitute for a cookie, which can be easily deleted by the user. A fingerprint can not be removed, since it does not store anything on the users' machine.

Second, it has to be unique. If two or more users have the same fingerprint, the tracker loses the ability to identify a single individual using fingerprinting. Without this ability, the tracker can not track the user individually and place them in specific marketing categories, such as "baking hobbyist" or "aircraft enthusiast." In our Panopticlick study of user browsers, launched in 2010, we discovered that the vast majority of browsers satisfied these two criteria.

In order for tools for combatting fingerprinting to be effective, they can follow one of two strategies. First, they can attempt to remove one or both of the two criteria above that make fingerprinting effective. Second, they can develop a list of trackers and block each of them from loading in the browser or on a mobile device.

There are many tools that attempt to break the persistence of fingerprints in the browser. Some will attempt to randomize the results of certain characteristics, such as a canvas fingerprint and AudioContext fingerprinting. This can be an effective method for breaking persistence, but it is important to note that a tracker may be able to determine that a randomization tool is being used, which can itself be a fingerprinting characteristic. Careful thought has to go into how randomizing fingerprinting characteristics will or will not be effective in combating trackers.

Browsers can also combat fingerprinting by making all instances of the browser look the same. By making the fingerprinting characteristics on all instances of browsers the same, a particular instance of the browser can not be uniquely pinpointed. This is the method adopted by the anonymity tool Tor Browser.

This is highly effective against fingerprinting when done right. Tor Browser has identified dozens of places where work needed to be done to make all their browsers look the same across all characteristics. This is important because it is easy for a user who is changing individual settings with the intention of throwing off trackers to actually make their browser easier for trackers to identify.

Finally, a tool can develop a list of trackers and block them directly. This is the method employed by many browser addons or extensions, such as EFFs own Privacy Badger. By blocking trackers, these tools are able to remove the bulk of the fingerprinting trackers from being loaded in the browser. Third-party trackers, which are the majority of the ones that use fingerprinting to identify users, are not able to identify user browsers.

Though this is a highly effective method to block fingerprinters, it does not completely block the ability to do fingerprinting. Sneakier trackers which haven’t been identified yet, or fingerprinting done directly by a site the user is visiting rather than by a third-party, will most commonly be permitted. This is good enough for most use cases, but does not guarantee strong anonymity.

For instance, you might be inclined to change the user-agent string, which identifies the browser and version you are using, to the most common browser user-agent string used across the web. This makes some intuitive sense: using a common user-agent string will result in a more common and less trackable fingerprint, right? In some cases, however, using the most common user-agent string will make you more fingerprintable, not less. This is counter-intuitive: how could choosing a more common metric make one stick out more?

This comes down to how independent your user-agent string is from the other fingerprintable metrics in your browser. For instance, Safari on iOS is actually a fairly non-fingerprintable browser, due to the relative similarity of hardware, software, and drivers across different devices. Most users of Safari for iOS look relatively similar.

But Safari for iOS is not the most common user-agent on the web by a long shot. Let's suppose for the moment that the latest version of Chrome for Windows is the most common user-agent. If the user were to change the user-agent string in Safari for iOS to Chrome for Windows, without changing anything else, they would appear completely unique. They would be the only one who has Safari for iOS results for canvas fingerprinting that also has the Chrome for Windows user-agent.

That's why those that are trying to avoid fingerprinting have to be extra careful that they don't accidentally hurt their privacy instead of helping it. In order to blend in, you have to join a "privacy pool" of other users that have the exact same fingerprint as you across all metrics. To do this, the safest bet is not to change settings individually, but instead to choose something like Tor Browser, Brave, or Firefox which use techniques to make all instances of their browser relatively common.

Add a Comment

Category - Cyber Security
Posted - 08/24/2018 05:09pm
0 Comments | Add Comment
Where are you going today? It's ok, we know where you're going today
This is something I have been talking about for more than 10 years now, and important for everyone to read, whether they care or not, it concerns them and everyone they know.
Times Opinion, Dec 20th, 2019
f you own a mobile phone, its every move is logged and tracked by dozens of companies. No one is beyond the reach of this constant digital surveillance. Not even the president of the United States.

The Times Privacy Project obtained a dataset with more than 50 billion location pings from the phones of more than 12 million people in this country. It was a random sample from 2016 and 2017, but it took only minutes — with assistance from publicly available information — for us to deanonymize location data and track the whereabouts of President Trump.

a senior Defense Department official told Times Opinion, even the Pentagon has told employees to expect that their privacy is compromised:

“We want our people to understand: They should make no assumptions about anonymity. You are not anonymous on this planet at this point in our existence. Everyone is trackable, traceable, discoverable to some degree.”

We were able to track smartphones in nearly every major government building and facility in Washington. We could follow them back to homes and, ultimately, their owners’ true identities. Even a prominent senator’s national security adviser — someone for whom privacy and security are core to their every working day — was identified and tracked in the data.

Read the full text of the article

Add a Comment