11 votes

How traceable are you? - Experiment results & analysis

5 comments

  1. [4]
    Grendel

    This is all great stuff, but unfortunately far more advanced techniques are now being used.

    Years ago I read about typing fingerprinting. Each person has certain things that make their typing unique and specific to them. Things you wouldn't really notice when watching someone type, but when you can calculate the time between keystrokes down to the millisecond it's a different story. I'm sure it takes other things into account too, such as your common errors and misspellings.

    They also use "tracking pixels". In HTML you can fire off a JavaScript function when someone hovers over an HTML element. This was intended to help with UI functionality. BUT, sites now create many, many super tiny elements all over the screen and each one sends its location on the screen back to the server, meaning they can see exactly where you move your cursor. I haven't read about using this for fingerprinting, but I have no doubt in my mind that with enough data on a known user this could help in that fingerprinting.

    I'm not trying to be a defeatist, but this is a fight that we ultimately can't win. Websites get to execute code in our browsers when the page loads. As long as that's true there's only so much we can do to stay private. So many sites are broken without JavaScript that the web is essentially unusable without it.

    2 votes
    1. [3]
      pseudolobster

      > They also use "tracking pixels". In HTML you can fire off a JavaScript function when someone hovers over an HTML element. This was intended to help with UI functionality. BUT, sites now create many, many super tiny elements all over the screen and each one sends its location on the screen back to the server, meaning they can see exactly where you move your cursor.

      I don't think that's what people mean by "tracking pixels". Tracking pixels have been used for tracking for a really long time, and JavaScript isn't necessarily involved. In fact I'm pretty sure they're mostly used when JavaScript isn't available, say in emails.

      If someone sends you an email, they have no way of knowing whether you've read it or not. If you embed a 1px transparent image in your email though, the email client needs to request that image, and in doing so it sends a request to a server. That server now has a log that you've opened that email. They get your IP address, browser and operating system from their logs, and if they've given you a unique URL for the pixel they know which email address that info is associated with.

      Tracking mouse position is trivial in JavaScript, and you don't need any crude hacks using tiny images to send that data to a server.

      5 votes
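
The open-tracking mechanism described in the comment above, seen from the recipient's side: an added example (not part of the thread) that scans an HTML email body for remote 1px images and notes whether the URL looks unique per recipient. The sample email, its hostnames and the token heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML email body (not taken from the thread).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi, our spring newsletter is here.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Logo">
<img src="https://track.example.net/o/7f3a9c1e5b2d4e8f.gif" width="1" height="1" alt="">
<img src="https://mail.example.org/open?uid=12345" style="width:1px;height:1px">
<img src="cid:banner@example.com" width="1" height="1">
</body></html>
"""

TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)            # 0 or 1 pixel
STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)
# Heuristic (assumption): a long hex or opaque run in the path is a recipient token.
TOKEN = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9_-]{24,}")

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded; opening them sends no request
        dims = {"width": a.get("width"), "height": a.get("height")}
        for name, value in STYLE_DIM.findall(a.get("style", "")):
            dims[name.lower()] = value  # inline style overrides the attributes
        if all(v is not None and TINY.match(v) for v in dims.values()):
            unique = bool(url.query) or bool(TOKEN.search(url.path))
            self.hits.append({"url": url.geturl(), "host": url.netloc,
                              "per_recipient": unique})

def find_tracking_pixels(html):
    """Return remote <img> tags sized 0-1px in both dimensions."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.hits

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(hit)
```

Mail clients that block remote images by default prevent the request from being sent at all, which is why the embedded `cid:` image is not reported.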
      1. FlippantGod

        You can also measure differences in when resources are requested. Gives a measure of unique screen sizes and scrolling behavior.

        1 vote
      2. Grendel

        Thanks so much for the correction! I guess I got technologies switched around on this one. I am glad that it was only the term I got wrong, rather than the tech capability itself.

        1 vote
  2. starchturrets

    > Users who reported the experiment failed had more common configurations. For example, I talked about Firefox's resistFingerprinting feature above, which helped make browsers look like everyone else's. This helped quite a few people evade detection by my experiment. Some users reported the experiment being able to track them despite resistFingerprinting being enabled. However, this is most likely because they had an extension making them stand out.
    >
    > In addition to Firefox, Safari on iPhone did a pretty good job overall at protecting users. Users using default Safari settings (meaning default Webkit experiment settings) on the same iOS version saw the same fingerprint, reducing the accuracy of the experiment.

    This is an extremely interesting article, showing the difficulty of defending against browser fingerprinting.

    1 vote