Browser Fingerprinting: How EFF Tools Can Protect You

Even though we think we have secured our browsing by using conventional means, are we really secure from targeted advertising? Is our privacy secured when we browse the World Wide Web? Learn how we can secure our browsing and protect ourselves from browse

OpenSource For You - By: Nandakumar Edamana

Sign out, clear the cookies, and switch over to the private browsing mode — this is the privacy mantra of most Internet users. If you too fall into this category, then you had better be aware that you’re being tracked. User accounts and cookies have become archaic when it comes to tracking. You might have noticed personalised ads that are related to your previous search queries and seem to match your tastes accurately. This happens even when you are not logged in and have no cookies retained. This is made possible by a new tracking technique called browser fingerprinting, according to the Electronic Frontier Foundation (EFF).

The EFF is a non-profit organisation founded in 1990, aimed at protecting user privacy and freedom of expression in the digital era. It still fights this battle by conducting campaigns, doing research, and developing security and privacy tools. This is a valuable effort considering the fact that user tracking and immoral use of private information by websites have increased recently. You can learn more about EFF at eff.org.

Thanks to EFF and some software projects, we now have a bunch of free software tools to protect our privacy while browsing the Web. Let’s first learn what browser fingerprinting is, and then look at the EFF tools that offer a solution.

Note: This article addresses trackers only. Blocking trackers can help you prevent things like personalised ads. But to be truly anonymous, you have to use anonymity networks like Tor, which is a topic beyond the scope of this article. Visit torproject.org for more details, and use it only for legal purposes.

Browser fingerprinting

Browser fingerprinting is a technique that can be employed by websites to track your activities even when you are not signed in and are browsing in private mode. But how does it work?

Well, it’s obvious that websites can track and record your activities while you are logged in since they clearly know who you are (at least what your user name is). Even if you are not logged in, they can still drop a cookie in your browser and associate any activity from the same browser with you, which is enough to serve you personalised ads.

That’s why we switch over to the private mode, whereby we expect to be immune to the tracking mechanism just because we are not signed in and the browser doesn’t retain any cookies from our previous session. The site may still be able to obtain our IP address, but we feel it is of little importance when it comes to identifying us, since the IP address changes each time we connect to the Internet (unless we have a static IP connection).

But this assumption is false. Websites can still track you even if you do not sign in or retain cookies. What they use to identify you is the fingerprint of the browser you use. Unlike a serial number, this is not something imposed on the browser by the developer. Instead, it is calculated by the websites based on the configuration and settings of the browser. They even consider the extensions that you use.

To put it simply, consider the example of identifying a vehicle. The most straightforward and accurate way would be to use the registration number (excluding spoofs). But in most cases, we simply say something like, “…a red SUV with an eagle sticker on the hood, tops removed, one mirror slightly broken.” This would be more than enough since such a combination will be unique in a particular city.

Browsers can also be identified like this. The parameters start from basic configurations and the operating system to some unimaginable ones, such as:

Extensions used

Plugins and file formats supported

Screen resolution and colour depth

Language and time zone

Touchscreen support

Quoting panopticlick.eff.org, “Browser fingerprinting is a method of tracking Web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies.”
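As an added illustration (not code from the article or from Panopticlick), the sketch below measures how identifying a combination of the attributes listed above is, in the spirit of the red-SUV analogy: no single attribute singles out the browser, but the combination does. The population of eight browsers, all attribute values and the function names are constructed for this example.

```javascript
// Constructed sample: what eight hypothetical browsers expose to a website.
const POPULATION = [
  { resolution: "1920x1080", language: "en-US", timezone: "Asia/Kolkata",     touch: false, extensions: "adblock" },
  { resolution: "1920x1080", language: "en-US", timezone: "Asia/Kolkata",     touch: false, extensions: "none" },
  { resolution: "1920x1080", language: "en-US", timezone: "America/New_York", touch: false, extensions: "adblock" },
  { resolution: "1920x1080", language: "en-GB", timezone: "Europe/London",    touch: false, extensions: "none" },
  { resolution: "1366x768",  language: "en-US", timezone: "Asia/Kolkata",     touch: true,  extensions: "none" },
  { resolution: "1366x768",  language: "hi-IN", timezone: "Asia/Kolkata",     touch: false, extensions: "none" },
  { resolution: "1366x768",  language: "es-US", timezone: "America/New_York", touch: true,  extensions: "none" },
  { resolution: "2560x1440", language: "de-DE", timezone: "Europe/Berlin",    touch: false, extensions: "none" },
];

// Number of browsers in `pop` that share every attribute in `attrs` with `target`.
function anonymitySet(pop, target, attrs) {
  return pop.filter(b => attrs.every(a => b[a] === target[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
// 0 bits means everyone looks the same; log2(N) bits singles out one browser in N.
function bitsOfIdentity(pop, target, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, target, attrs));
}

// Per-attribute bits, plus how the anonymity set shrinks as attributes are combined.
function fingerprintReport(pop, target) {
  const attrs = Object.keys(target);
  const perAttribute = {};
  for (const a of attrs) perAttribute[a] = bitsOfIdentity(pop, target, [a]);
  const shrinkage = attrs.map((_, i) => anonymitySet(pop, target, attrs.slice(0, i + 1)));
  return { perAttribute, shrinkage, combinedBits: bitsOfIdentity(pop, target, attrs) };
}

console.log(fingerprintReport(POPULATION, POPULATION[0]));
```

For the first browser in the sample, the most revealing single attribute is worth 2 bits, while the full combination is worth 3 bits, which is enough to make it unique among the eight.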

How to test your browser and what to do next

We’ve seen how a website can track our browser using browser fingerprinting. Now let’s figure out how susceptible our browser is. To check this, simply visit panopticlick.eff.org, which is the result of important research undertaken by the EFF.

You can see a TEST ME button on the home page itself. Click on that, and your browser gets tested. It takes a while, and once complete, you are presented with a quick report showing how susceptible your browser is to different aspects of tracking. You can get a detailed report, and install the privacy extension Privacy Badger from the same page.

Blocking trackers with Privacy Badger

There are hidden trackers embedded in many websites in the form of scripts and cookies. They are used to track you, i.e., to create a record of the pages you visit, things that you like and things you don’t. These details are usually used to serve personalised ads, and sometimes are sold to a third party for business purposes. The EFF Privacy Badger is a useful extension that blocks such trackers. Visit eff.org/privacybadger to install this add-on in your browser.

When Privacy Badger realises that the ads in a page are tracking you, it simply blocks the trackers from loading more content. To borrow the words used by EFF, “…to the advertiser, it’s like you suddenly disappeared.”

When you install Privacy Badger and visit a website with trackers, it will display a list of these with sliders if you click on its icon in the browser toolbar. The slider will probably be green the first time, which means that the tracker is still not tracking you and hence is allowed. As you continue browsing, the slider might turn yellow and then red, indicating Privacy Badger’s opinion on them, and the blocking level.

You can say that Privacy Badger acts like an ad blocker and in fact, it is based on the code of AdBlockPlus. Still, it’s a bit different. Its aim is not to block every ad, but to block every tracking element. This is important since not all ads are tracking you and we don’t want to block some innocent ads that help the creators run their websites. Moreover, tracking elements don’t always come as part of ads. Privacy Badger targets trackers regardless of their relationship with ads, which is a behaviour that requires additional configuration in regular ad blockers.

The Do Not Track header

Do Not Track (DNT) is a proposed HTTP header field that tells a website that you wouldn’t like to be tracked. Firefox’s Private Mode has this feature enabled by default, whereas Chromium does not. You can enable this feature even in the regular mode by visiting the privacy and security sections of your browser’s settings page, if it supports it.

To know more and to check your browser, visit allaboutdnt.com (not from EFF).

HTTPS Everywhere

We all know that HTTPS is a mechanism that helps us encrypt our communication with Web servers, making it impossible for eavesdroppers to tap or manipulate our data. The URLs of HTTPS-enabled pages start with https:// instead of http://.

However, not all websites use HTTPS. And among the ones that are HTTPS-enabled, not all enforce it. This means you might be at risk even if you are visiting an HTTPS-enabled website, but have forgotten to ensure that your address bar shows https:// instead of http://. Another unfair practice is websites loading some third-party or additional resources over HTTP, even if the whole page’s address starts with https:// (some browsers display a broken lock icon to indicate this).

The HTTPS Everywhere extension helps you in such situations by rewriting the HTTP requests from your browser with HTTPS, if the servers support it. Of course, it can’t make a website HTTPS-enabled if the server doesn’t have an SSL/TLS certificate installed or it intentionally disables HTTPS for certain pages. Then what is the use of such an extension, you might ask. But recall the fact that not all HTTPS-enabled sites default to it, and not all secure pages are 100 per cent secure since they load non-HTTPS elements also. This is where HTTPS Everywhere can be of some help and it really matters.
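The rewriting described above, as an added example that is not the extension's own code: URLs are upgraded only for hosts covered by a ruleset, pages where HTTPS is intentionally disabled are left alone, and whatever still loads over http:// on a secure page is the mixed content mentioned earlier. The ruleset layout, the host names and the function names are assumptions made for illustration.

```javascript
// Constructed ruleset: hosts assumed to serve the same content over HTTPS.
const RULESETS = [{
  targets: ["shop.example", "*.shop.example"],
  // A page where the operator has intentionally disabled HTTPS (constructed).
  exclusions: [/^http:\/\/legacy\.shop\.example\//],
  rules: [{ from: /^http:/, to: "https:" }],
}];

// "*.shop.example" covers subdomains only; a bare name must match exactly.
function hostMatches(host, target) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Return the rewritten URL if a ruleset covers it, otherwise the URL unchanged.
function upgradeUrl(url, rulesets = RULESETS) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== "http:") return url;
  for (const rs of rulesets) {
    if (!rs.targets.some(t => hostMatches(hostname, t))) continue;
    if (rs.exclusions.some(re => re.test(url))) continue;
    const rule = rs.rules.find(r => r.from.test(url));
    if (rule) return url.replace(rule.from, rule.to);
  }
  return url; // no ruleset: the server is not known to support HTTPS
}

// Upgrade a page and its subresources, then report what is still mixed content.
function auditPage(pageUrl, resourceUrls) {
  const page = upgradeUrl(pageUrl);
  const upgraded = resourceUrls.map(r => upgradeUrl(r));
  const secure = new URL(page).protocol === "https:";
  const stillInsecure = secure ? upgraded.filter(r => r.startsWith("http://")) : [];
  return { page, upgraded, stillInsecure };
}

console.log(auditPage("http://shop.example/cart", [
  "http://img.shop.example/logo.png",
  "https://shop.example/app.js",
  "http://ads.tracker.example/pixel.gif",
]));
```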

You can download this extension from eff.org/httpseverywhere. It is worth noting that the Tor Project has also contributed to it.

What about the sites that don’t support HTTPS yet? Tell the webmasters how important HTTPS is, and how it can improve their reputation. Webmasters can get Let’s Encrypt SSL/TLS certificates for free, just by installing the EFF tool Certbot (certbot.eff.org). If you are a webmaster who hasn’t got HTTPS yet, take action quickly!

More from EFF

If you are interested in learning more about Internet privacy, visit eff.org/pages/tools where the organisation showcases its privacy resources. The list includes Surveillance Self-Defence (ssd.eff.org), a portal that highlights how you lose your privacy online, and how to protect it by following some step-by-step instructions.

You can also visit emailselfdefense.fsf.org, to learn everything you should know about e-mail encryption.

Figure 1: panopticlick.eff.org shows that the incognito mode of the Chromium Web browser is clearly susceptible to tracking

Figure 2: Privacy Badger detects 16 potential trackers on a popular shopping website
