
As you browse the web, your browsing activities may be monitored and aggregated by third-party agents with or without your knowledge and consent. The phenomenon is known as browser or online tracking, in which websites and advertisers team up to gather your browsing data in order to build up a detailed profile of your interests for commercial gain. It’s so stealthily done that you rarely get to experience the uncanny feeling of being watched; the feeling you get when you suddenly realize that lots of strangers are peeping at you through your windows or that you are being followed around by lots of salespersons in a store.
Techniques commonly used
They use all sorts of techniques such as web beacons, server logs, user agents, cookies, browser fingerprinting and tracking scripts to track your browsing activities.
Web beacons are tiny graphic images embedded on web pages that alert the server when the page is loaded. Ad companies use these beacons to tell who opened a web page or email and when. This is why most email applications ask whether you trust the sender before displaying images.
Server logs are another browser tracking technique. Web servers use them to keep track of the requests they receive from browsers, such as what page was loaded and when, what site the browser was on before it came to that page (the HTTP referrer), and the browser’s internet address (for location tracking).
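Seen from the reader's side, a beacon has a recognisable shape: an image that is one pixel in size or hidden, served by a host other than the page's own. The following is an added example, not part of the original article; the function names and the sample HTML are constructed for illustration. It flags such images in a message body.

```javascript
// Constructed sample message body; all hosts are placeholders.
const SAMPLE_HTML = `
<p>Your order has shipped.</p>
<img src="https://shop.example/logo.png" width="120" height="40">
<img src="https://track.ads.example/o.gif?uid=abc123&msg=42" width="1" height="1">
<img src="https://metrics.example/p.png?e=open" style="width:1px;height:1px;display:none">
<img src="https://shop.example/spacer.gif" width="1" height="1">
`;

// Read a quoted attribute value from the text of a single tag.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Pixel size taken from the width/height attribute, else from the inline style.
function dimension(tag, name) {
  const fromAttr = attr(tag, name);
  if (fromAttr !== null && /^\d+$/.test(fromAttr)) return Number(fromAttr);
  const style = attr(tag, "style") || "";
  const m = style.match(new RegExp(`(?:^|;)\\s*${name}\\s*:\\s*(\\d+)px`, "i"));
  return m ? Number(m[1]) : null;
}

// Return every <img> that is tiny or hidden AND loaded from a third-party host.
// A regex scan is enough for this sample; real mail needs an HTML parser.
function findBeacons(html, firstPartyHost) {
  const hits = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue;
    let url;
    try { url = new URL(src); } catch { continue; } // skip relative or invalid URLs
    const w = dimension(tag, "width");
    const h = dimension(tag, "height");
    const tiny = w !== null && h !== null && w <= 1 && h <= 1;
    const hidden = /display\s*:\s*none/i.test(attr(tag, "style") || "");
    const host = url.hostname;
    const thirdParty = host !== firstPartyHost && !host.endsWith("." + firstPartyHost);
    if ((tiny || hidden) && thirdParty) {
      hits.push({ host, src, hasQuery: url.search.length > 0 });
    }
  }
  return hits;
}

console.log(findBeacons(SAMPLE_HTML, "shop.example"));
```

The first-party 1x1 spacer is deliberately not flagged: size alone does not make an image a tracker, the third-party request does.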
Browser user agents are small applications that reveal information about the browser properties and the underlying operating system. This allows advertisers to gather intelligence about the identity of website visitors.
Cookies are among the most prominent browser tracking technologies known to man. A cookie is basically a small string of text stored on your computer by the sites you visit that uniquely identifies your browser. When a website sees the string of text it set in a cookie, it knows the browser is one it has seen before. Advertisers use this technology to monitor user browsing behaviour in order to target ads. As user awareness about the intrusiveness of cookies grew, browser developers responded by adding a “private browsing” mode to their products. Independent developers also started creating privacy-preserving plugins, and users gradually regained control of their privacy by learning to clear or sidestep cookies.
Like a cat-and-mouse game, the ad companies in turn resorted to a new technique that hides information (cookies) in Adobe Flash, where it can be stored or retrieved whenever a user accesses a page containing a Flash application. Like regular cookies, Flash cookies contain information that uniquely identifies your browser, and they can survive the clearing of normal cookies. The data hidden in the Flash cookies would then be used to restore the deleted normal cookies. Ad agencies relied on this clever tactic for a few years until researchers busted their shady practices.
In recent times, advertisers have shifted to a powerful new form of tracking that retains more enduring information about user identity even if cookies are turned off or completely erased. This new technique is called browser or device fingerprinting. It allows a website to identify devices or visitors to the site via user browser configuration settings or other discernible characteristics. For example, if you visited a website yesterday and visit it again today, you could be identified by your browser fingerprint even if you cleared all cookies and disguised your IP address.
Browser fingerprinting stems from the concept of human fingerprinting used as a unique long-term marker of human identity. The assumption is that it would also be possible to uniquely distinguish between all computers on the Internet, without the explicit consent of the users themselves. This is done by obtaining information about a user’s browser environment such as screen settings, browser name, version number, installed plugins, fonts and other properties in order to create a unique “fingerprint” of a user’s computer. The combination of these properties is unique for the vast majority of browsers.
Fingerprinting isn’t always unpleasant, though. It can be used to combat click fraud, or for user authentication and fraud prevention, especially on online banking and retail sites. However, fingerprinting also presents a potential threat to users’ online privacy, as it represents another front in a long-running battle to track users’ browsing behaviour, which can be quite intrusive if tied to any personally identifying information. In the past, browser fingerprinting was limited to single browsers. However, researchers in early 2017 developed a state-of-the-art fingerprinting technique known as cross-browser fingerprinting that is more accurate and works across multiple browsers on the same device. The implication is that even if you switch browsers, the ad companies can still recognize and track you.
As if that was not enough, a recent discovery by Princeton University researchers proves that browser tracking is far more invasive than we previously thought. The research reveals that over 400 popular websites are running a script called a session replay script, capable of tracking everything you type into a website, including the ability to link recordings directly to your real identity without your knowledge or consent. This is akin to using traditional keyloggers to steal personal data. The implication is that sensitive information such as your debit card details, passwords and other personal information may seep out into the wrong hands. This may expose you to identity theft and other online scams.
How you can protect your privacy
Protecting your device from fingerprinting can be very difficult to achieve. Disabling JavaScript and Flash using tools such as NoScript or ScriptSafe can greatly reduce your exposure to fingerprinting. However, the challenge is that most websites rely on them to function properly.
A more effective means of lowering the risk of having a unique fingerprint would be to ensure your browser configuration blends in with the rest. The more closely your browser configuration settings align with others on the Internet, the harder it would be to identify you. This is already happening with mobile device browsers, which can’t be uniquely customized to the extent that computer browsers can. Tor browsers have also been found to be very effective against cross-browser fingerprinting. You may use tools such as AmIUnique (single-browser fingerprinting) and Uniquemachine (cross-browser fingerprinting) to learn how identifiable you are on the Internet. The EFF’s Panopticlick tool can also show you how well your browser is protected against fingerprinting and tracking in general.
Use a VPN service to mask your IP address and encrypt your browsing data on your desktop and mobile devices. Although VPNs mask your IP address, they won’t necessarily protect you from invisible trackers and ads. To protect against ubiquitous ad tracking, use ad blockers such as uBlock Origin or Ghostery and tracking blockers such as DoNotTrackMe, Privacy Badger or Disconnect. A useful approach to preventing session replay scripts is to completely block all scripts from being loaded on websites you visit, and only allow scripts from sites that you trust, using tools like NoScript or uBlock Origin. AdBlock Plus has also been updated to block session replay scripts.
To sum it all up, as long as advertising remains a vital element of the Internet business model, suffice it to say that browser tracking in general and fingerprinting in particular are here to stay. You have no choice but to embrace privacy-preserving technologies if you really care about your privacy.
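The "blend in" advice can be made concrete by counting how many visitors share a given combination of properties. The following is an added example, not part of the original article and not the method of any tool named above; the population is constructed and the function names are illustrative. It shows that no single property singles anyone out, while the combination does.

```javascript
// Constructed population of 8 visitors (not measured data). Attribute names
// follow properties the article lists; the values are placeholders.
const COMMON = { browser: "Firefox 115", screen: "1920x1080", fonts: "default" };
const POPULATION = [
  COMMON, COMMON, COMMON, COMMON,
  { browser: "Chrome 120", screen: "1920x1080", fonts: "default" },
  { browser: "Chrome 120", screen: "1366x768", fonts: "default" },
  { browser: "Firefox 115", screen: "1366x768", fonts: "custom" },
  { browser: "Chrome 120", screen: "1920x1080", fonts: "custom" },
];
const ALL_ATTRS = ["browser", "screen", "fonts"];

// In this model the fingerprint is the chosen attribute values joined together.
function fingerprintKey(config, attrs) {
  return attrs.map((a) => config[a]).join("|");
}

// Anonymity set: how many visitors share this exact fingerprint.
function anonymitySetSize(population, config, attrs) {
  const key = fingerprintKey(config, attrs);
  return population.filter((p) => fingerprintKey(p, attrs) === key).length;
}

// Surprisal in bits: -log2(share of the population with this fingerprint).
// A value of log2(N) means the visitor is alone in a population of N.
function surprisalBits(population, config, attrs) {
  return -Math.log2(anonymitySetSize(population, config, attrs) / population.length);
}

// Fraction of visitors whose fingerprint nobody else shares.
function uniqueFraction(population, attrs) {
  const alone = population.filter((p) => anonymitySetSize(population, p, attrs) === 1);
  return alone.length / population.length;
}

for (const attrs of [["browser"], ["screen"], ["fonts"], ALL_ATTRS]) {
  console.log(attrs.join("+"), "unique:", uniqueFraction(POPULATION, attrs));
}
console.log("common config bits:", surprisalBits(POPULATION, COMMON, ALL_ATTRS));
console.log("customised config bits:", surprisalBits(POPULATION, POPULATION[7], ALL_ATTRS));
```

The visitor with the common configuration hides among four; the visitor with custom fonts is identified outright, even though each of their individual settings is shared with someone else.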