A recent paper published by two Princeton researchers sheds some light on privacy in web browsers. It is well known that users are tracked when they navigate online. The paper was a major study into the tracking behavior of the top one million most popular websites.
It is hardly a surprise that users are tracked by websites. However, the scale of the privacy worries will likely shock some. The paper is particularly enlightening because it shows that trackers can keep tabs on users all the time. Even if you set preferences to block such tracking, it happens anyway.
To study the tracking capabilities of web browsers, the team created the OpenWPM tool. This tool has been used since June 2015 for the study, and now the findings have been released. Below are some of the key findings from the paper.
Fingerprinting
Fingerprinting is used to identify a machine or user browsing the web. The practice combines a collage of browser information to identify a machine and/or user, even if there are cookies in place. Networks are able to track browser activity through fingerprinting even if the browser is in private mode. If there are other instances of usage, networks can track users even on other devices.
“We show how the number of sites on which font fingerprinting is used and the number of third parties using canvas fingerprinting have both increased considerably in the past few years. We also show how WebRTC’s ability to discover local IPs without user permission or interaction is used almost exclusively to track users.”
Types of Fingerprinting
Canvas – Two fingerprinting instances were found with the HTML5 canvas tag. The research found this type of fingerprinting on 14,371 of the top 100 websites. This represented 1.6% of all the top 100. There were 3,500 URLs hosted on 400 domains.
WebRTC – The framework is used for peer-to-peer real-time communication in a browser and is accessible via JavaScript. WebRTC is used by around 715 sites for 57 different scripts that extract local IP addresses.
AudioContext – The researchers found a number of fingerprinting scripts using AudioContext. The scripts show that tracking software is trying to use the Audio API to fingerprint users.
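To show how the three fingerprinting types above can be spotted in instrumented browser data, here is an added example (not code from the paper or from OpenWPM) that classifies scripts from a log of JavaScript API calls. The log layout, the URLs and the simplified thresholds are assumptions made for this illustration, not the researchers' exact criteria.

```python
from collections import defaultdict

# Constructed call log: (script_url, API symbol, argument). The layout, URLs
# and thresholds are assumptions for this example, not the study's data.
CALLS = [
    ("https://tracker.example/fp.js", "CanvasRenderingContext2D.fillStyle", "#f60"),
    ("https://tracker.example/fp.js", "CanvasRenderingContext2D.fillText", "Cwm fjordbank glyphs vext quiz"),
    ("https://tracker.example/fp.js", "CanvasRenderingContext2D.fillStyle", "#069"),
    ("https://tracker.example/fp.js", "HTMLCanvasElement.toDataURL", ""),
    ("https://cdn.example/chart.js", "CanvasRenderingContext2D.fillText", "Q1"),
    ("https://cdn.example/chart.js", "CanvasRenderingContext2D.save", ""),
    ("https://cdn.example/chart.js", "HTMLCanvasElement.toDataURL", ""),
    ("https://ads.example/ip.js", "RTCPeerConnection.createDataChannel", ""),
    ("https://ads.example/ip.js", "RTCPeerConnection.createOffer", ""),
    ("https://ads.example/ip.js", "RTCPeerConnection.onicecandidate", ""),
    ("https://ads.example/audio.js", "OfflineAudioContext.createOscillator", ""),
    ("https://ads.example/audio.js", "OfflineAudioContext.createDynamicsCompressor", ""),
    ("https://video.example/call.js", "RTCPeerConnection.createOffer", ""),
]

def classify(calls):
    """Map each script URL to the fingerprinting types its calls suggest."""
    per_script = defaultdict(lambda: defaultdict(list))
    for script, symbol, arg in calls:
        per_script[script][symbol.split(".")[-1]].append(arg)
    findings = {}
    for script, api in per_script.items():
        hits = []
        # Canvas: varied text or several colours drawn and then read back,
        # without the save/restore calls common in ordinary drawing code.
        text = "".join(api.get("fillText", []))
        varied = len(set(text)) >= 10 or len(set(api.get("fillStyle", []))) >= 2
        read_back = "toDataURL" in api or "getImageData" in api
        if varied and read_back and not api.keys() & {"save", "restore"}:
            hits.append("canvas")
        # WebRTC: a data channel plus an offer plus ICE candidate access exposes
        # local IP addresses without any media being requested.
        if api.keys() >= {"createDataChannel", "createOffer", "onicecandidate"}:
            hits.append("webrtc")
        # AudioContext: an oscillator routed through signal-processing nodes.
        if "createOscillator" in api and api.keys() & {"createDynamicsCompressor", "createAnalyser"}:
            hits.append("audiocontext")
        if hits:
            findings[script] = hits
    return findings

if __name__ == "__main__":
    for script, hits in classify(CALLS).items():
        print(script, hits)
```

The chart and video-call scripts in the sample are left unflagged, which is the point of combining several signals per script instead of alerting on any single API call.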
The paper points out that users have little control over protecting their privacy from browser tracking. Firefox maker Mozilla has said that it will reduce the imprint of Flash on its browser in the wake of the research.