Understanding Fingerprinting

Gass

Member
Hello All,

I'm all for giving to Adguard in its development towards stopping these Very Nasty IDing tracking vipers.
It's not going to be like Magic in pulling a rabbit out of a hat though, if there was something like a GoFundMe or similar account set up for donations. Helping out for the manpower, research and overhead Adguard would be faced with in delivering a great product in anti-fingerprinting, like it did with Adguard. I'd give willingly !!!

I've put this in the OFF-TOPIC General discussion area cause it deals with multiple OS's, Platforms, Devices, Browsers etc. Here are various knowledge excerpts I've collected. I'm by no means an expert, just trying to help.

A fingerprint is primarily based on browser, operating system, and installed graphics hardware.
Most everything on this subject I find to be some years old, so I think not good for today's age and world.
If any of you care to share your knowledge or link an article to anything of recent events in 2016 and
forward on FINGERPRINTING, please do so.

Thank You,
Gass

A RESEARCH PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION
Panopticlick website, which actively fingerprints your browser, and tells you how unique it is.
https://panopticlick.eff.org/

What is browser fingerprinting?
Whenever you visit a website your browser sends data to the server hosting that site. This data includes
basic information, including the browser name, operating system, and exact version number of the browser.
This information is known as passive browser fingerprint because it happens automatically.

However websites can also easily install scripts that ask for additional information, such as a list of
all installed fonts and plugins, supported data types (so-called MIME types), screen resolution, system
colors and more. Because this information has to be solicited from your browser, it is known as active
fingerprinting.

Taken altogether, the various fingerprint attributes can be almost instantly (it takes just a few
milliseconds to run algorithms that compare millions of fingerprints) combined to create a unique
fingerprint that can be used to very accurately identify an individual user, no matter if cookies have
been deleted or IP address changed between website visits.

Every time you install a new font or plugin, or otherwise change one of the fingerprinted attributes, you
change your fingerprint. The most important attributes in this regard are the list of installed plugins,
supported MIME types, and installed fonts, which alone when combined with the browser’s User Agent (which provides information about the browser) allow unique identification with an 87 percent accuracy.

Unfortunately, the EFF determined that even when ‘fingerprints changed quite rapidly, even a simple
heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed
browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%’.
https://www.bestvpn.com/blog/8159/browsers-fingerprint-reduce/


What’s in a Fingerprint?
Browser fingerprinting is an increasingly common yet rarely discussed technique of identifying an individual user by the unique patterns of information visible whenever a computer visits a website. The information collected is quite comprehensive and often includes the browser type and version, operating system and version, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations.
These identifiers may seem generic and not at all personally identifying, yet typically only one in several million people have exactly the same specifications as you.


Circumventing the Fingerprint
Since the fingerprint is derived from a host of system-based characteristics, circumvention is far more
complex than the historical process of deleting cookies. While it's possible to make system changes by hand, doing so after each browsing session could prove laborious and annoying at best.

A better approach is to make your browser fingerprint as common and generic as possible. You can do that
by running the browser inside a clean and un-customized virtual machine.
It’s only in this kind of environment that it’s feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques.

The virtual machine solution works because an out of the box installation is very standard. There will be
many people with brand new computers who would have very similar or identical configurations. The more
people who do this, the less identifying it becomes.
http://www.networkworld.com/article/2884026/security0/browser-fingerprints-and-why-they-are-so-hard-to-erase.html


Browser Fingerprinting
Collection of your data by websites you visit using any browser and identifying you based on that data is
Browser Fingerprinting. Not only browser information, but it is also possible for websites to run a JavaScript or Flash script to know the type of the computer screen you own, fonts on the system, Cookies and so on.
A Proxy just changes your location. It does not add or remove extensions from your browser or change its
settings. Likewise, a VPN too will not change your screen resolution and pixel-depth. None of them can stop the website from querying the fonts installed on your computer or hide their sequence to make it look like a
different computer.
You can also use some third-party tools to help in reducing, tracking and tracing you. They do work, but
they cannot block queries coming from the websites. Now that you know that websites can identify you using
different methods, you might want to know how to escape this kind of snooping.
http://www.thewindowsclub.com/browser-fingerprinting


Canvas fingerprinting
Canvas fingerprinting takes advantage of the canvas API in modern browsers.
The canvas API interacts with a computer's graphics chip and allows us to play games and interact with
webpages. However, with canvas fingerprinting, invisible images are sent to the browser, then returned to
the server with a "fingerprint" of the computer and location.
http://digiwonk.wonderhowto.com/how-to/canvas-fingerprinting-stop-webs-sneakiest-tracking-tool-your-browser-0156506/
AND ALONG THE SAME INFO.
http://www.pcworld.com/article/2458280/canvas-fingerprinting-tracking-is-sneaky-but-easy-to-halt.html
[Note] See the comments of the above link / of Rich Morgan @ Chuck and Rich Morgan @james and then
Rich Morgan about Keystroke tracking / when I visited - there were only 13 Comments back 720+ days ago.


Householding
A company called BlueCava takes device fingerprinting one step further. BlueCava is able to identify and
track users online across multiple devices, a practice BlueCava refers to as “householding.”
They can associate multiple devices to the same person or household, by attaching an IP address to a
BlueCava identifier and by recognizing and collecting information about the various computers, smart phones, and tablets that people use to connect to the internet. Thus, your behavior on one device can be
associated with other devices from both your home and office. This information can be very valuable for
marketing purposes.

BlueCava's technology enables them to recognize computers and devices by collecting information about
your screen type, IP address, browser version, time zone, fonts installed, browser plug-ins and various other properties of your screen and browser. This information is put into a “snapshot” and is sent to their servers to create a unique ID for every browser and to “match” the snapshot to the snapshots they receive from their marketing partners.
When they use snapshots to create a unique ID, they are also able to group related screens into “households” based on common characteristics among the snapshots, such as IP addresses.
https://www.privacyrights.org/online-privacy-using-internet-safely


Fingerprinting Technology Evolving
One business transparent about such efforts is a San Francisco start up called AdStack.
They have developed a technology that allows firms to send an email but deliver the content only when a
user opens it, giving the sender a chance to change the message in a few milliseconds. The email is sort of like a picture frame, with the content delivered interactively much as a webpage.
They aim to deliver a personalized message at the right time. For example, if you open a restaurant promotion in the morning it might advertise a lunch special, or later in the day, dinner. And perhaps they know you like sushi rather than steak. A flower store might advertise different specials depending on their inventory at the time a person opens their email.

In helping clients decide what ads to send via email, AdStack partners with Rapleaf to learn more about
people from their email addresses. Rapleaf appends data such as age and gender, and says it has at least one field of additional information for about 80% of all U.S. consumer email addresses.
Armed with this extra personal data, the advertiser, using an AdStack plugin generating code in their email, tries to serve up the most relevant ad to an individual user.
http://www.forbes.com/sites/adamtanner/2013/06/17/the-web-cookie-is-dying-heres-the-creepier-technology-that-comes-next/#5ed971403e45


FINGERPRINTING WITH THE MOST RECENT WEB TECHNOLOGIES
A. Canvas fingerprinting
The canvas element in HTML5 allows for scriptable rendering of 2D shapes and texts.
This way any website can draw and animate scenes to offer visitors dynamic and interactive content.
As discovered by Mowery et al. and investigated by Acar et al., canvas fingerprinting can be used to
differentiate devices with pixel precision by rendering a specific picture following a fixed set of instructions.
This technique is gaining popularity in tracking scripts due to the fact that the rendered picture depends on several layers of the system (at least the browser, OS, graphics drivers and hardware).

B. WebGL fingerprinting
WebGL uses the Canvas element described before to render interactive 3D objects natively in the browser,
without the use of plugins. With the final specifications in 2011, WebGL 1.0 is now supported in all major
browsers. The WebGL API, through the WEBGL_debug_renderer_info interface (as the name indicates, it is
designed for debugging purposes), gives access to two attributes that take their values directly from the device’s underlying graphics driver. AmIUnique’s fingerprinting script collects these two properties, namely:
- the WebGL vendor: name of the vendor of the GPU.
- the WebGL renderer: name of the model of the GPU.
These attributes provide very precise information about the device.

C. Additional attributes
We collected the following attributes to study their utility to discriminate browsers, to strengthen a fingerprint by verifying values, and to detect inconsistencies.
Platform:
Even though the platform attribute does not add new information, it can be used to detect inconsistencies.
For example, on an unmodified device, if the browser indicates in its user-agent that it is running on a Linux system, you expect to see “Linux” as the value of the “platform” property.
Do Not Track & Ad blocker:
These two attributes have a very low level of entropy; their values are either “Yes”, “No” or
“Not communicated” (for the DNT preference). Without the Do Not Track attribute, the percentage of unique
fingerprints drops by 0.07% which is negligible. The Ad Blocker attribute is slightly better, with a drop of 0.5%, but still insignificant compared to other attributes like the user-agent or the list of plugins.
The additional attributes collected by AmIUnique are game changers: they strengthen fingerprints, allow
identification through inconsistency detection.
https://hal.inria.fr/hal-01285470/file/beauty-sp16.pdf

Other Links of Interesting Information
https://en.wikipedia.org/wiki/Canvas_fingerprinting
https://en.wikipedia.org/wiki/Device_fingerprint
http://linuxbsdos.com/2015/12/18/trying-to-prevent-browser-fingerprinting-the-odds-are-against-you/

http://arstechnica.com/security/2013/10/top-sites-and-maybe-the-nsa-track-users-with-device-fingerprinting/

https://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block
https://www.eff.org/search/site/browser fingerprint
https://wiki.mozilla.org/Fingerprinting

https://isc.sans.edu/forums/diary/11+Ways+To+Track+Your+Moves+When+Using+a+Web+Browser/19369

http://forum.palemoon.org/search.phpkeywords=Canvas+fingerprinting&sid=42fc9a1125063bcd7c69b4392083c56f

http://www.csoonline.com/article/3096747/security/meet-riffle-the-anonymity-network-from-mit-that-promises-to-outdo-tor.html

https://www.privacyrights.org/online-privacy-using-internet-safely
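
As an added illustration of the AmIUnique excerpt in the post above (not part of the original post or of any article it cites), this JavaScript measures, over a small constructed sample, the entropy of single attributes, the share of unique fingerprints, and how far that share falls when one attribute is left out. The attribute names and all sample values are assumptions made for the example.

```javascript
// Constructed sample of eight browser fingerprints (illustrative values, not measurements).
const SAMPLE = [
  { userAgent: "Firefox/Windows", plugins: "Flash",      fonts: "default", dnt: "Yes" },
  { userAgent: "Firefox/Windows", plugins: "Flash",      fonts: "default", dnt: "No" },
  { userAgent: "Firefox/Windows", plugins: "Flash,Java", fonts: "default", dnt: "No" },
  { userAgent: "Chrome/Windows",  plugins: "Flash",      fonts: "default", dnt: "No" },
  { userAgent: "Chrome/Windows",  plugins: "Flash",      fonts: "default", dnt: "No" },
  { userAgent: "Chrome/Linux",    plugins: "none",       fonts: "custom",  dnt: "Yes" },
  { userAgent: "Chrome/Windows",  plugins: "Flash",      fonts: "default", dnt: "No" },
  { userAgent: "Safari/Mac",      plugins: "Flash",      fonts: "mac",     dnt: "No" },
];
const ATTRS = ["userAgent", "plugins", "fonts", "dnt"];

// Count how many sample entries share each combined value of the given attributes.
function anonymitySets(sample, attrs) {
  const sets = new Map();
  for (const fp of sample) {
    const key = JSON.stringify(attrs.map((a) => fp[a]));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy, in bits, of the chosen attribute(s) across the sample.
function entropyBits(sample, attrs) {
  let h = 0;
  for (const n of anonymitySets(sample, attrs).values()) {
    const p = n / sample.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of the sample whose combined fingerprint is shared with nobody else.
function uniqueShare(sample, attrs) {
  let unique = 0;
  for (const n of anonymitySets(sample, attrs).values()) if (n === 1) unique += 1;
  return unique / sample.length;
}

// How far the unique share falls when one attribute is left out of the fingerprint.
function uniquenessDrop(sample, attrs, removed) {
  return uniqueShare(sample, attrs) - uniqueShare(sample, attrs.filter((a) => a !== removed));
}

// Number of sample entries that look identical to fp (its anonymity set).
function anonymitySetSize(sample, attrs, fp) {
  return anonymitySets(sample, attrs).get(JSON.stringify(attrs.map((a) => fp[a])));
}

console.log(uniqueShare(SAMPLE, ATTRS), uniquenessDrop(SAMPLE, ATTRS, "dnt"));
```

With only eight entries the drop for `dnt` is far larger than the 0.07% quoted in the excerpt; the sample shows the method, not realistic figures. The stock Chrome/Windows entry sits in an anonymity set of three, which is the effect the "generic virtual machine" advice in the post relies on.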
 

Gass

Member
Hm, you know, in fact I have read it once before.

Here is a discussion:
https://github.com/AdguardTeam/AdguardForAndroid/issues/249#issuecomment-168033562

At the moment fingerprinting is not used widely due to low precision. That's why there's no "standard" for it and almost no real-life examples.

Hello Avatar,

I'm not the one who made the post on Canvas Fingerprinting and HTML5 Canvas Fingerprinting in Adguard for Windows.
https://forum.adguard.com/index.php?threads/canvas-fingerprinting-and-html5-canvas-fingerprinting.5747/

Just the same I'm going to post some thoughts there in a couple of days, besides answering you here now.

The github link you gave hasn't had a new post since April 28, I did see some links I'm going to read through though.
Is it still being maintained and active at github Adguard Team?

I'm not sure what you mean by low precision but I see it has something to do with setting a standard, comes to mind false positives -
variables - entropy. Am I close to understanding?

Wouldn't some real life examples be what's being done, as I've written about above, of Householding "BlueCava" and Fingerprinting Technology Evolving - San Francisco start up called "AdStack"? Both source links are given after each entry.
Granted and agreed it's not widely used yet, just the same it's creepy.

UPDATE: - direct links
AdStack has been acquired by TellApart - leverage their deep understanding of customer identity
http://adstack.com/

BlueCava
We connect the dots between mobile, desktop and tablet screens across all channels, resulting in an actionable map of today’s consumers, households and their many devices. BlueCava:
We excel at correctly identifying devices, the foundation of all accurate cross-screen mapping. BlueCava IDs are long lasting and self healing, extending identification up to 2500% longer or more over cookies. http://bluecava.com/how-it-works/

That's just two companies right now, where is it going to be in 2, 5, 8 years from now?
Visit this site and see what you have active that could be used against you - http://fmbip.com/

Avatar - how does it look to you, I mean will something be incorporated in Adguard, specifically Stealth Mode, to counter this tracking/IDing happening?
Will it be a separate stand alone program maybe such as virtual, to take a form of a USB we use as a browser that way, or something
like a program like Shadow Defender we'll install and then nothing real of our journey on the web will be able to ID us.
Maybe a combination of different approaches, where one could not possibly address it all.

What did you think about accepting donations for Adguard's endeavor to pursue this to a working product?

Thanks for your answers and taking the time,
Gass :D
 

Gass

Member
In 2017 now
Anyone know of a detailed web listing of websites using Fingerprinting tracking (across the web) that's currently being maintained?
Actual sites that use any kind of fingerprinting in your visits.

What are your feelings about being tracked and profiled across the web with any KIND OF FINGERPRINTING BEING USED TODAY ?

Gass :D
 