New tool allows users to prevent themselves from being tracked online

Browser fingerprinting is more prevalent than ever before, new research suggests

With major web browsers now including privacy protections against cookie-based tracking, there’s been a rise in the use of fingerprinting – and researchers now say they’ve developed a way to spot and prevent these stealthy tracking techniques.

FP-Inspector, created by a team from the University of Iowa, Mozilla, and the University of California, uses a syntactic-semantic approach to detect fingerprinting (FP) scripts, using machine learning models based on static and dynamic JavaScript analysis.

Unlike techniques such as API changes and network request blocking, which require manual analysis, the open source tool automates the process of detection by extracting features such as syntax and execution from scripts and training a classifier to detect fingerprinting.

It does this through a complementary combination of static and dynamic analysis. Static analysis, says the team, helps FP-Inspector overcome the coverage issues of dynamic analysis, while dynamic analysis gets around the inability of static analysis to handle obfuscation.

And, says the team, FP-Inspector can identify fingerprinting scripts with 99.9% accuracy and half the amount of website breakage, compared with blanket API restrictions such as those enforced by Brave and Tor Browser.

Flying under the radar

Many of the fingerprinting scripts the team detected were missed by existing filter lists maintained by tracking protection organizations.

Disconnect, for example – used by Firefox and Microsoft Edge – didn’t list, while DuckDuckGo, used by Safari, omitted the domain.

RECOMMENDED Firebase messaging vulnerability allowed attackers to send push notifications to app users

EasyPrivacy, used by Brave and tracker blocking browser extensions such as AdblockPlus and uBlock origin, didn’t have on its list.

“We compared FP-Inspector to a prior approach on detecting fingerprinting scripts that uses manually crafted heuristics, and found that FP-Inspector, that uses machine learning, is 26% more accurate at detecting fingerprinting scripts,” author Umar Iqbal of the University of Iowa tells The Daily Swig.

Scanning the top 100,000 sites

The team took a list of the top websites ranked by Alexa and ran them through FP-Inspector’s detector. They found that browser fingerprinting was present on more than 10% of the top 100,000 websites, and on more than a quarter of those in the top 10,000.

These fingerprinting scripts, says Iqbal, are mostly served by ad tech companies that specialize in anti-ad fraud and cross-site tracking services.

The team found that nearly 14% of news websites used them, falling to just 1% of credit- and debt-related websites, probably because fingerprinting is more widespread on sites relying on advertising and paywalls for monetization.

Browser fingerprinting allows sites to track users across various servicesBrowser fingerprinting techniques allows sites to identify and track web users

The cookie crumbles

Discussing the increase in fingerprinting activity, Iqbal said: “All mainstream browsers – Chrome, Safari, Firefox, Edge – are building privacy protections against cookie-based tracking.

“For example, Safari blocks third-party cookies and Chrome has announced plans to phase out third-party cookies in the next two years.

“Considering these privacy protections around cookie-based tracking, fingerprinting provides an alternate approach to track users without relying on cookies; we suspect that it might be the reason for the rise of fingerprinting.”

And, he says, with privacy protections against third-party cookie blocking on the rise, he expects the use of fingerprinting for cross-site tracking to grow.

Read more of the latest browser security news

The team has reported the domains they found serving fingerprinting scripts to Disconnect, DuckDuckGo, and Easylist/EasyPrivacy.

“As a result of our reporting, EasyPrivacy has created a new category for fingerprinting in their filter list,” says Iqbal.

“We also reported previously unreported uses of web APIs by FP scripts to Firefox, and we expect that as a result of our reports, Firefox may decide to redesign these APIs to reduce their fingerprinting potential.”

To encourage follow-up research, the team plans to release the fingerprinting countermeasures prototype extension, as well as their list of newly discovered fingerprinting vendors and the bug reports they’ve submitted to tracking protection lists, browser vendors and standards bodies.

Iqbal and his colleagues offer a detailed analysis of their findings in a white paper, Fingerprinting the Fingerprinters (PDF).

More information on FP-Inspector can be found on GitHub.

YOU MIGHT ALSO LIKE Firefox 79 takes aim at website trackers