Memo to web users with “Do Not Track” enabled: You’re being tracked anyway.

For anyone who thinks he or she is circumventing web tracking by enabling Do Not Track (DNT) functionality … think again.

A recently released study from researchers at KU Leuven-iMinds, a Dutch-based university think tank, shows that nearly 150 of the world’s leading websites have ditched tracking cookies in favor of “device fingerprinting” (or “browser fingerprinting” as it’s sometimes called).

What’s that?  It’s the practice of evaluating selected properties of desktop computers, tablets and smartphones to build a unique user identifier.  These properties include seemingly innocuous details found on each device, such as:

  • Versions of installed software and plugins
  • Screen size
  • A listing of installed fonts

An analysis by the Electronic Frontier Foundation (EFF) has shown that for the majority of browsers, the combination of these properties creates a unique ID – thereby allowing a user to be tracked without the perpetrator needing to rely on cookies, or having to deal with pesky legal restrictions on the use of cookies.
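Why the combination matters more than any single property can be shown with a small calculation. The JavaScript below is an added example, not code from the EFF or the Leuven-iMinds study; the eight visitor records and the function names are constructed for illustration.

```javascript
// Constructed sample: eight visitors described only by the three property
// types the article lists. No cookies or account identifiers are involved.
const visitors = [
  { plugins: "Flash 11, Java 7", screen: "1366x768",  fonts: "Arial, Verdana" },
  { plugins: "Flash 11, Java 7", screen: "1366x768",  fonts: "Arial, Verdana, Calibri" },
  { plugins: "Flash 11, Java 7", screen: "1920x1080", fonts: "Arial, Verdana" },
  { plugins: "Flash 11, Java 7", screen: "1920x1080", fonts: "Arial, Verdana, Calibri" },
  { plugins: "Flash 11",         screen: "1366x768",  fonts: "Arial, Verdana" },
  { plugins: "Flash 11",         screen: "1366x768",  fonts: "Arial, Verdana, Calibri" },
  { plugins: "Flash 11",         screen: "1920x1080", fonts: "Arial, Verdana" },
  { plugins: "Flash 11",         screen: "1920x1080", fonts: "Arial, Verdana, Calibri" },
];

// Group visitors whose chosen properties are identical. Each group is an
// "anonymity set"; a group of size 1 means that visitor is uniquely identifiable.
function anonymitySets(population, keys) {
  const sets = new Map();
  for (const v of population) {
    const id = JSON.stringify(keys.map((k) => v[k]));
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  return sets;
}

// Number of visitors who share their property combination with nobody else.
function uniqueCount(population, keys) {
  let n = 0;
  for (const size of anonymitySets(population, keys).values()) {
    if (size === 1) n += 1;
  }
  return n;
}

// Shannon entropy, in bits, of the distribution of property combinations.
// log2(population size) bits means every visitor is distinguishable.
function entropyBits(population, keys) {
  let h = 0;
  for (const size of anonymitySets(population, keys).values()) {
    const p = size / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Each property alone hides a visitor among four; all three together hide no one.
for (const keys of [["plugins"], ["screen"], ["fonts"], ["plugins", "screen", "fonts"]]) {
  console.log(keys.join("+"), "unique:", uniqueCount(visitors, keys), "bits:", entropyBits(visitors, keys));
}
```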

Overwhelmingly, browser fingerprinting targets popular and commonly used JavaScript or Flash functions, so that nearly every person who accesses the web is a target – without their knowledge or consent.

According to the Leuven-iMinds analysis, the use of JavaScript-based fingerprinting allows websites to track non-Flash mobile phones and devices.  So it’s cold comfort thinking that the iPad platform will offer protection against this form of “non-cookie tracking.”

Is there anything good about device fingerprinting?  Perhaps … in that it can be used for some justifiable security-related activities such as protection against account hijacking, fraud detection, plus anti-bot and anti-scraping services.

But the accompanying bad news is this:  It can also be used for analytics and marketing purposes via the fingerprinting scripts hidden behind banner advertising.

How to fight back, if one is so inclined?  The Leuven-iMinds researchers have developed a free tool that analyzes websites for suspicious scripts.  Known as FPDetective, it’s being made available to other researchers to conduct their own investigations.

So you’re able to identify the offenders.  But then what — short of never visiting their websites again?

2 thoughts on “Memo to web users with “Do Not Track” enabled: You’re being tracked anyway.”

  1. One thing that such news carries with it, like a deadly pathogen, is that it’s likely to make people willing to give up privacy to protect their privacy.

    Alternately, it may drive people to a convenient sense of resignation. And very few will take action that might entail giving up one of their countless unnecessary conveniences and distractions …

  2. You can always disable JavaScript and/or uninstall Flash, then visit any website you want. No JavaScript or Flash = no unique ID that can be tracked.

    Sure, you’ll miss out on all the fancy animation and gizmos that come with JavaScript and Flash, but to be perfectly honest I find many of today’s websites are way too overloaded with the stuff anyway.

    This was called “bloatware” in an earlier time, referring to the useless and performance-degrading software that found its way onto PCs whenever you installed, for example, an HP printer.

    The proliferation of JavaScript and Flash in modern Web pages is simply bloatware of another sort. It often refuses to work on even the most up-to-date browsers, and frequently slows down my PC.

    If enough people simply switch off the bloatware, it won’t be long before web designers sit up and take note, then start removing the bloat from their Web pages … or dream up the next generation of uninvited technology that lets advertisers subsidize the Internet so we can use it for free.
