A team of researchers has recently developed the first cross-browser fingerprinting technique to use hardware and operating system features to track users.
The technique, described in a paper titled “Cross-Browser Fingerprinting via OS and Hardware Level Features,” relies on technologies that have been recently added to browsers, which had initially been written off as incapable of tracking users in more than one browser.
Fingerprinting, with the current technologies, has been limited to individual web browsers, meaning that if a user is accustomed to switching browsers frequently, the technique cannot be used to identify and link the user with the browsers.
Single-browser fingerprinting tests such as Browserprint and Electronic Frontier Foundation’s Panopticlick study the device’s operating system and the browser, record the data stored and try to replicate it in subsequent browsing sessions.
For years, cross-browser tracking using fingerprinting has been seen as a pipe dream, because attempts at a breakthrough have failed miserably.
Other methods have instead been used to track users across browsers, some of them requiring users to subscribe to certain services and create and log into accounts before sessions, sometimes requiring users to even provide their IP addresses.
The team’s step forward, however, gives a lifeline to the technique, and will prove particularly useful to advertisers who can use it to reach target users even if they try to avoid them by switching browsers.
Yinzhi Cao, the assistant professor of computer science and engineering at Lehigh University in Bethlehem who led the team, explained in an online tutorial how they measured underlying computer/browser operations and the responses they initiated, and used that information to identify hardware rigs, which differ for each user regardless of the browser being used.
The features used by the technique include the graphics card, the CPU, and the audio stack.
According to the researchers, the accuracy of this form of fingerprinting would be compromised by only 0.3 percent at most if any single feature were removed, which makes it not only reliable but also more accurate than single-browser fingerprinting.
The team used crowdsourced data to demonstrate the technique.
They asked participants to browse the internet using two different browsers and even offered them pay to use a third browser.
They collected more than 3,600 fingerprints from 1,900 users over a period of three months, and were able to successfully identify 99.2 percent of the users.
AmIUnique – a popular single-browser fingerprinting technique – had a lower success rate of 90.8 percent.
That said, the new technique still sports the same pitfalls that have rendered single-browser fingerprinting unpopular among end users.
If anything, this technique is worse in that department.
According to the lead researcher, Cao, people can use cross-browser fingerprinting to provide customized advertisements, which will be a violation of user privacy.
He reckons that the fact a website can identify a user even when they switch browsers can be a loophole that ad companies would happily exploit and make browsing a difficult experience.
That is, however, not to say that the technique is entirely bad.
In some scenarios, it can come in handy and even offer a benefit to the end user.
Institutions and service providers, for instance, can use data collected using cross-browser fingerprinting to identify if the person logging into an online account is indeed the owner of the account by checking if the computer being used has been used during previous visits.
The bank can then check with the user by phone or other secondary authentication procedures if they detect any suspicious activity.
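The known-device check described above can be sketched on the server side as follows. This is an added example, not code from the researchers or the paper; the feature names, the demo key, the one-mismatch tolerance and the sample values are all assumptions made for illustration, and the check is meant to run only after the password has already been verified.

```python
import hashlib
import hmac

# Assumptions (not from the article): feature names, the server-side key,
# and the rule that at most one feature may differ on a known device.
SERVER_KEY = b"constructed-demo-key"   # placeholder; load from a secret store
FEATURES = ("gpu", "cpu", "audio")     # the three areas the article names
MAX_MISMATCHES = 1


def digest_features(fingerprint):
    """Keyed digest per feature, so raw hardware values are never stored."""
    out = {}
    for name in FEATURES:
        value = fingerprint.get(name)
        if value is not None:  # a hardened browser may expose nothing here
            mac = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256)
            out[name] = mac.hexdigest()
    return out


def is_known_device(stored, current):
    """True if `current` matches `stored` on all but MAX_MISMATCHES features."""
    matches = sum(
        1 for name in FEATURES
        if name in stored and name in current
        and hmac.compare_digest(stored[name], current[name])
    )
    return matches >= len(FEATURES) - MAX_MISMATCHES


def login_decision(known_devices, fingerprint):
    """Return 'allow' for a recognised machine, otherwise 'step_up'."""
    current = digest_features(fingerprint)
    if any(is_known_device(stored, current) for stored in known_devices):
        return "allow"
    return "step_up"  # e.g. the phone call or second factor the article mentions


# Constructed sample data: one enrolled machine and four later logins.
enrolled = [digest_features({"gpu": "render-A", "cpu": "8-cores", "audio": "stack-X"})]
same_pc_other_browser = {"gpu": "render-A", "cpu": "8-cores", "audio": "stack-X"}
driver_update = {"gpu": "render-B", "cpu": "8-cores", "audio": "stack-X"}
unknown_pc = {"gpu": "render-Z", "cpu": "4-cores", "audio": "stack-X"}
hidden_features = {"cpu": "8-cores"}
```

A fingerprint is observable by any site the user visits, so it serves here only as a risk signal that triggers secondary authentication, never as a credential on its own.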
What’s more, individuals using the Tor browser in its default installation form won’t be affected by cross-browser fingerprinting.
Some tweaks to the settings, however, such as those required by certain gaming sites to support graphics, may jeopardize the user’s immunity to fingerprinting.
The team has advised users who dread cross-browser fingerprinting to use this browser without an attached speaker or microphone.
They also stated that running browsers inside virtual machines would render the technique useless.
To them, that is a flaw that will require rectifying in the future.
“The approach is lightweight but we need to identify all possible fingerprintable areas such as audio context and canvas,” read their statement.
“If there is a missing place, the browser can still be fingerprinted.”
The researchers will present their work on cross-browser fingerprinting at this year’s Network and Distributed System Security Symposium in San Diego, California.