Your Privacy – Visitor Fingerprinting A Cookieless Tracking Method


Recently the EFF released a report examining the use of visitor information gathering as a method of tracking visitors without cookies. In the experiment they set a cookie with the visitor's permission and then collected a variety of information available through the visiting user's browser.

The information that they collected included browser type, version, available plugins, IP address and other information that can change over time.

Their results were interesting but the report seems to be misleading.

As many of you may know, the European Union is trying to block websites from using tracking cookies. Unfortunately, not allowing websites to use cookies has functional and security drawbacks.

It seems that the EFF was trying to prove that enough information can be gathered about a visitor that tracking cookies are meaningless. You have to love them for the effort, but their own data proves the point that cookies are a more reliable method of tracking users.

Within just a week, over 80% of the browsers they were examining lost their test fingerprint, but that does not mean the visitors cannot still be tracked.
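The following is an added example, not code from the EFF report or from this post. It shows why an exact-match fingerprint built from the attributes listed above is less stable than a cookie: the cookie ID survives a plugin update or a new IP address, while the hash over the attributes does not. The field names, cookie value and visit records are constructed for illustration.

```python
import hashlib

# Attribute names are assumptions for this example; the post lists browser type,
# version, available plugins and IP among the collected information.
FIELDS = ("browser", "version", "plugins", "ip")

def canonical(value):
    """Make list-valued attributes order-independent before hashing."""
    return ",".join(sorted(value)) if isinstance(value, (list, tuple)) else str(value)

def fingerprint(visit):
    """Exact-match fingerprint: one hash over every collected attribute."""
    blob = "\n".join(f"{f}={canonical(visit[f])}" for f in FIELDS)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:16]

def changed_fields(prev, cur):
    """Which attributes differ between two visits by the same browser."""
    return [f for f in FIELDS if canonical(prev[f]) != canonical(cur[f])]

def link_visits(visits):
    """Group visit days by cookie ID and, separately, by fingerprint."""
    by_cookie, by_fp = {}, {}
    for v in visits:
        by_cookie.setdefault(v["cookie"], []).append(v["day"])
        by_fp.setdefault(fingerprint(v), []).append(v["day"])
    return by_cookie, by_fp

# Constructed sample data: one browser seen four times in a week.
BASE = {"cookie": "c-1001", "browser": "Firefox", "version": "3.6",
        "plugins": ["Flash 10.0", "Java 1.6"], "ip": "203.0.113.7"}
VISITS = [
    {**BASE, "day": 1},
    {**BASE, "day": 2, "plugins": ["Java 1.6", "Flash 10.0"]},   # same set, new order
    {**BASE, "day": 4, "plugins": ["Flash 10.1", "Java 1.6"]},   # plugin update
    {**BASE, "day": 6, "plugins": ["Flash 10.1", "Java 1.6"],
     "ip": "203.0.113.99"},                                      # new address lease
]

if __name__ == "__main__":
    by_cookie, by_fp = link_visits(VISITS)
    print("cookie links:", by_cookie)
    print("fingerprint links:", by_fp)
    for prev, cur in zip(VISITS, VISITS[1:]):
        print(f"day {prev['day']} -> {cur['day']}: changed {changed_fields(prev, cur)}")
```

The cookie links all four visits to one identifier, while the fingerprint splits the same browser into three identities after two routine changes.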

The main problem is when advertising or cross site content is introduced.

If an ad sets a cookie on your computer and you visit a number of different sites, your history in the logs of the advertising agency is not site unique. That means you can visit eBay, then Amazon, then Sky News, and if they all make use of Google Ads, a cookie at Google will be tracking your travels. If you were to then log in to Gmail, Google would be able to connect all of your internet travels directly to you if they merged the advertising logs with the Gmail logins.

But this is not limited to Google because the information gathered by different companies can be shared or sold under user agreements.

Additionally, if this information is subject to a search warrant, an amazing amount of data can be found or compiled.

What the EFF research may have been trying to prove is that a single website could track visitors for a single session, and then also for return sessions, based on all of the data that is collectible without the use of a cookie. But when you look at their data, it proves that idea wrong. Well, it proves that they did not use the correct method to prove their point.

The first thing you have to do is separate someone who does not want to be seen from the average internet user. There are a number of methods to spoof IPs and browser User Agents and to provide misleading information to a webserver to reduce its ability to track you. But even so, the best methods can always be tracked back to the originator eventually… We are talking about computers that need to send data between systems… you cannot do that randomly no matter what precautions or methods you take, although you can make the task difficult to unwind.

If you exclude this set of people, then you are left with a large number of people who can be tracked without cookies.

First is your IP address. When you log on to dialup, or when your broadband provider gives you an IP, that is a pretty safe method for tracking someone.

If you are going through a proxy at work or school, then there are logs in the proxy that show the assignments of internal IPs to specific computers based on MAC addresses.

If you are using the average ISP, meaning all of the big cable providers or Fios or dialup, then you are going through a Squid server which can collect data on every page and image that you download. It can also cache those downloads and it can mirror those downloads. And by downloads, that means every page, image, tweet or keystroke in a chat.

Add to the fact that an individual ISP or business may use a proxy or Squid server the fact that many also employ outside services from Akamai or other backbone companies to cache data locally.

So, what does all of this mean for the average user?

You must always consider that transferring data on a network from one computer to another requires routing of binary information inside data packets. There is no getting away from this.

You can always be tracked.

But there is a huge jump between understanding that you can always be tracked and the question of cookies.

As a user you have the ability to turn off or clear your cookies at any time. You can do this after you visit every individual site, and you can block any advertising site not only from setting a cookie but also from making the connection that displays an ad.

BUT cookies are a necessity for content providers. They keep you logged into your accounts. They display information that you want to see.

In fact, they are a necessary evil in many ways that can’t easily be eliminated without also eliminating the ability to do internet commerce.

If you don’t like it then find a way to stay off the net… or educate yourself a bit about the technology and reduce your exposure.

But more straight to the point, this is much ado about nothing.

It is more about the EU attempting to find lawsuits they can cast on large American content providers.

You know, EU, we are sorry your movies suck… we are sorry you haven’t introduced a decent band since Led Zeppelin… and we are sorry for the most part that American porn is more popular, HA! But you need to start developing and stop suing.

It’s just that simple.

Stop making people paranoid or trying to charge YouTube when your end users decide to use them instead of your local video sites…

Go out and develop… and people will come to you.

And be thankful that the Chinese haven’t taken over everything yet, the same way you can’t walk into a store and buy clothing or electronics or anything else that isn’t made in China.