GULYÁS, Gábor György, Ph.D.


Fighting fingerprinting: not as trivial as it looks

2013-09-30 | Gabor


For starters

In a previous article we presented fingerprinting, the state-of-the-art tracking technique on the web. Although this method is not yet widely adopted, its potential makes it likely that this will change in the (near) future. In this article we discuss how webizens can protect themselves against fingerprinting.

The Panopticlick project highlighted one of the main sources suitable for tracking, the list of installed fonts, which still plays a central role in fingerprinting today, according to a novel Oakland paper. Therefore, disabling font detection seems to be a logical precautionary step.

In order to do so, first Flash and Java should be disabled in the settings (as these plugins can provide a list of installed fonts with unique ordering!), or temporarily removed with addons, like FlashBlock for Firefox. Secondly, for Firefox users there is a setting which allows disabling the use of custom fonts on websites. While this slightly degrades user experience, it also disables an important feature used for fingerprinting (i.e., JavaScript detection of fonts). Alternatively, tracker blocking addons can also be used for disabling the fingerprinting scripts, such as Ghostery.

The anonymity paradox

While these precautions sound reasonable, there are some important caveats to be aware of, like the anonymity paradox. This is easy to imagine: let’s pretend there is a guy in the crowd in a bank, with a mask on his face, dressed in black. While he is anonymous (his personal identity is hidden), he is also quite identifiable, as he is the only one in that kind of (weird) suit. This problem could be circumvented by having more (and in practice a lot more) guests wearing the same outfit.

This paradox also applies to fingerprinting: if someone uses privacy-safe but rarely chosen settings, then, contrary to what one would expect, this can increase the number of attributes available for fingerprinting. For instance, this was the case for the Privoxy users participating in the Panopticlick project: there were only a few of them, so their settings made them even more unique. Therefore, more widely adopted privacy-enhancing utilities should be favored for protection.
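The paradox can be put into numbers. The following is an added example, not part of the original post and not Panopticlick data: the population, the attribute names and all counts are constructed. It measures how many visitors share a fingerprint (the anonymity set) and how many bits of identifying information each attribute reveals.

```python
import math
from collections import Counter

# Constructed visitor population: (client_profile, font_list) -> visitor count.
# All names and counts are invented for illustration.
POPULATION = Counter({
    ("stock-browser", "fontset-A"): 400,
    ("stock-browser", "fontset-B"): 250,
    ("stock-browser", "fontset-C"): 150,
    ("anon-browser-preset", "fonts-hidden"): 500,  # widely adopted preset
    ("filtering-proxy", "fonts-hidden"): 4,        # privacy-safe but rare setup
})
# Stock users with an unusual font collection are each alone in their bucket.
for i in range(196):
    POPULATION[("stock-browser", f"fontset-rare-{i}")] = 1

TOTAL = sum(POPULATION.values())
ATTRIBUTES = ("client_profile", "font_list")


def anonymity_set(fingerprint):
    """Number of visitors sharing the complete fingerprint."""
    return POPULATION[fingerprint]


def surprisal_bits(count):
    """Identifying information, in bits, of a value seen `count` times."""
    return -math.log2(count / TOTAL)


def attribute_bits(fingerprint):
    """Bits revealed by each attribute value taken on its own."""
    result = {}
    for idx, name in enumerate(ATTRIBUTES):
        sharing = sum(n for fp, n in POPULATION.items() if fp[idx] == fingerprint[idx])
        result[name] = surprisal_bits(sharing)
    return result


def report(fingerprint):
    """Summarise how identifiable one fingerprint is in the population."""
    k = anonymity_set(fingerprint)
    return {"anonymity_set": k, "total_bits": surprisal_bits(k),
            "per_attribute": attribute_bits(fingerprint)}


if __name__ == "__main__":
    for fp in [("stock-browser", "fontset-A"),
               ("filtering-proxy", "fonts-hidden"),
               ("anon-browser-preset", "fonts-hidden")]:
        print(fp, report(fp))
```

In this constructed population, hiding the font list costs the rare-proxy user almost nothing on the font attribute, yet the rare client profile alone shrinks the anonymity set to 4, while the widely adopted preset keeps its users in a set of 500.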

Anonymous web browsers and other solutions

As continuously developed, fingerprint-aware anonymous web browsers have large user bases, they seem to be the most suitable choices. For instance, two of the strongest possible picks, JondoFox and Tor Browser Bundle, are based on preset Firefox Portables, including vital (and only the necessary!) extensions for protecting user privacy. In addition, these Firefox variants are rebuilt from the sources in order to incorporate additional features, like the custom settings limiting the number of font load attempts and accessible fonts (these can even be found in the settings as browser.display.max_font_count and browser.display.max_font_attempts). Furthermore, anonymous web browsers protect their users against regular privacy-infringing attempts (e.g., cookie and IP tracking).

Nowadays, these choices seem to be effective enough for avoiding fingerprinting; however, there is no scientific evidence rigorously confirming this. If someone is looking for more solid protection, she may use techniques providing more user control (at the cost of comfort), like using specific virtual machines for consuming content on the internet, although that may seem a bit paranoid for an average user. Fortunately, tracking companies have limited resources, and as long as only a minority uses privacy-enhancing technologies for browsing, they will probably not bother dealing with them.

This post was originally written for the Tresorit Blog.

Tags: tracking, device fingerprint, fingerprint blocking


Gábor György Gulyás, PhD – © 2021 all rights reserved