Nonconsensual User Tracking? Is That Like Nonconsensual Sex?

I'm a big fan of Steve Gibson's Security Now! podcast. I've learned more about computer security from a year of listening to SN than I did in TWO security/networking classes I took in college. Cost me a lot less, too.

But I'm really disappointed in something he said in last week's podcast about a privacy threat that you wouldn't normally think about: nonconsensual user tracking. This is a euphemism for "tracking your movement across the Web without your knowledge or consent, without using cookies." By collecting the headers that every web browser provides to every web site it connects to (e.g., user agent header, accept header, accept-language header), a site can eventually identify a given user to a disturbing degree of accuracy. The part of the show where Gibson talks about it is after the break (assuming I can figure out how to do a break in my spiffy new Movable Type 4 setup).

So let's step back and look at this Panopticlick experiment, which was done during the first half of 2010 by the Electronic Frontier Foundation, EFF. . .. During the course of the first half year, this website was visited by 470,161 web browsers, so a little over 470,000 web browsers, just shy of half a million. The code which the Panopticlick site ran in people's browsers and also collected passively from their browser . . ..

. . .

So what they learned was that, without using cookies, with no cookies at all, just looking at passive browser headers and with the help of JavaScript that was able to enlist the help of Flash and Java - and Flash and Java, by the way, were used for the system font enumeration. JavaScript was able to be used for returning screen resolution, time zone, and enumerating the browser plug-ins and versions. So without Flash or Java, that got them to the 83.6 [percent unique]level. Flash and Java, which added the system font enumeration, brought them all the way up to, if you're willing to go for an instantaneously unique browser, that brought them to the 94.2 percent.

And it's not like changing these parameters will help, either:

Now, what they did recognize was that fingerprints are going to evolve over time. That is, my system, when I went to Panopticlick middle of this period, probably back in March, would have had a given fingerprint. I was one of those many browsers that went. But then I updated to a new version of Firefox. Well, that would have changed my fingerprint somewhat. Or NoScript came out with a new version, so I updated that. And that would have changed my NoScript plug-in. But what they recognized was, because they weren't just mashing all this together, that is, they didn't take all that and, for example, hash it into an opaque token. They kept all that separate, which allowed them to track the changes, that is, they knew when I updated my version of Firefox because only that one thing changed . . .. They were able to guess correctly, . . . just looking at the evolution of the fingerprint, they were able to lock on and hold onto the person 99.1 percent of the time. They guessed correctly about what change the fingerprint had made, and they were able to still lock onto the return visitor only using their fingerprint. And their false positive rate of guessing incorrect was 0.86 percent.

So here's the part where I expect Steve to lay out exactly what you have to do to evade being tracked this way, much like dozens of other times where he breaks down a newly-discovered security vulnerability and what you need to do about it before Microsoft issues a patch. So what's his advice?

You want to recognize that this is what's going on, unfortunately. Also unfortunately, our computers are just bleeding information about us as we use the Internet. I mean, it's pouring out of every contact we have with websites. All of this is available. So rather than imagining that you are not trackable, or that you're achieving something from deleting your cookies, recognize that you've lost that battle [emphasis added].

That's his advice? "Recognize that you've lost the battle?" I don't think I've been this disappointed since New Coke. Or maybe last year's Illinois game. I'm really looking forward to this week's podcast - by convention, it'll be a listener Q&A - and I'm hoping he has to face some tough questions about why he doesn't think anything can be done. First of all, a lot of this information gathering is done via JavaScript served by admongers like DoubleClick. Disabling JavaScript would stop that, although it's not a realistic solution since so much of the Web depends on it. Seems like a plug-in like AdBlockPlus would really help here - I run ABP and haven't seen any ads in a long time. Maybe an add-on that randomly changes multiple parts of your fingerprint dynamically, to prevent the admongers from 'getting a lock' on you. Maybe that's not feasible, I don't know.

Although the Panopticlick people are quick to point out that they can't tell who has a given fingerprint, just what web activity that fingerprint is doing, all it takes is for that fingerprint to be cross-referenced against ONE personally-identifiable transaction and it's all over. The admongers will know what you're doing AND who you are. We can't just give up; there's too much at stake.


Monthly Archives


Powered by Movable Type 4.34-en

About this Entry

This page contains a single entry by Chris published on September 9, 2010 12:08 PM.

On The One Hand, Michigan Did Just Lay A Smackdown on UConn. On The Other, They Started Last Year With A Smackdown Of WMU... was the previous entry in this blog.

How Do You Say "Tit For Tat" And "An Eye For An Eye" In Pashtun? is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.