Research Develops First Reliable Method for Websites to Track Users With Multiple Browsers

Either legal or technological defenses will be required to stop this tracking that so invades personal privacy.

Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.

State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation’s privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a “do not track” option is turned on, and whether an adblocker is being used.

Until now, however, the tracking has been limited to a single browser. This constraint made it infeasible to tie, say, the fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Edge installation running on the same machine. The new technique—outlined in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features—not only works across multiple browsers, it’s also more accurate than previous single-browser fingerprinting.

Fingerprinting isn’t automatically bad and, in some cases, offers potential benefits to end users. Banks, for instance, can use it to know that a person logging into an online account isn’t using the computer that has been used on every previous visit. Based on that observation, the bank could check with the account holder by phone to make sure the login was legitimate. But fingerprinting also carries sobering privacy concerns.

“From the negative perspective, people can use our cross-browser tracking to violate users’ privacy by providing customized ads,” Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. “Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well.”

[…]

Cross-browser fingerprinting is only the latest trick developers have come up with to track people who visit their sites. Besides traditional single-browser fingerprinting, other tracking methods include monitoring the way visitors type passwords and other text and embedding inaudible sound in TV commercials or websites. The Tor browser without an attached microphone or speakers is probably the most effective means of protection, although the researchers said running a browser inside a virtual machine may also work.

Google Collecting the Location of Android Users Even When Location Services are Disabled

Google’s latest disrespect for personal privacy follows their censorship of many left-wing media outlets. Google has cooperated too much (see the U.S. PRISM program) with various governments in providing information on innocent people in the past, and it would be unwise to always expect them to do the same in the future.

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. They were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz. By the end of November, the company said, Android phones will no longer send cell-tower location data to Google, at least as part of this particular service, which consumers cannot disable.

[…]

The practice is troubling for people who’d prefer they weren’t tracked, especially for those such as law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts. Although the data sent to Google is encrypted, it could potentially be sent to a third party if the phone had been compromised with spyware or other methods of hacking. Each phone has a unique ID number, with which the location data can be associated.

The revelation comes as Google and other internet companies are under fire from lawmakers and regulators, including for the extent to which they vacuum up data about users. Such personal data, ranging from users’ political views to their purchase histories to their locations, are foundational to the business successes of companies like Facebook and Alphabet, built on targeted advertising and personalization and together valued at over $1.2 trillion by investors.

More Than 400 of the World’s Most Popular Websites Try to Record Your Every Keystroke

This is significant work done by Princeton researchers. It’s honestly a pretty damning indictment of the world’s most visited websites.

Most people who’ve spent time on the internet have some understanding that many websites log their visits and keep record of what pages they’ve looked at. When you search for a pair of shoes on a retailer’s site for example, it records that you were interested in them. The next day, you see an advertisement for the same pair on Instagram or another social media site.

The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers’ findings. If you accidentally paste something into a form that was copied to your clipboard, it’s also recorded. Facebook users were outraged in 2013 when it was discovered that the social network was doing something similar with status updates—it recorded what users they typed, even if they never ended up posting it.

These scripts, or bits of code that websites run, are called “session replay” scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions.

[…]

Most troubling is that the information session replay scripts collect can’t “reasonably be expected to be kept anonymous,” according to the researchers. Some of the companies that provide this software, like FullStory, design tracking scripts that even allow website owners to link the recordings they gather to a user’s real identity. On the backend, companies can see that a user is connected to a specific email or name. FullStory did not return a request for comment.

[…]

Companies that sell replay scripts do offer a number of redaction tools that allow websites to exclude sensitive content from recordings, and some even explicitly forbid the collection of user data. Still, the use of session replay scripts by so many of the world’s most popular websites has serious privacy implications.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the researchers wrote in their post.

Passwords are often accidentally included in recordings, despite that the scripts are designed to exclude them. The researchers found that other personal information was also often not redacted, or only redacted partially, at least with some of the scripts. Two of the companies, UserReplay and SessionCam, block all user inputs by default (they just track where users are clicking), which is a far safer approach.

[…]

Finally, the study’s authors are worried that session script companies could be vulnerable to targeted hacks, especially because they’re likely high-value targets. For example, many of these companies have dashboards where clients can playback the recordings they collect.

[…]

It’s not just session scripts that are following you around the internet. A study published earlier this year found that nearly half of the world’s 1,000 most popular websites use the same tracking software to monitor your behavior in various ways.

If you want to block session replay scripts, popular ad-blocking tool AdBlock Plus will now protect you against all of the ones documented in the Princeton study. AdBlock Plus formerly only protected against some, but has now been updated to block all as a result of the researchers’ work.