Web tracking is the practice by which websites and third-party companies collect information about users online activity.
The conventional solution to implement identification and tracking is savingweb cookiesto the users net internet ride.
How does cookie-based tracking work?
Imagine that user Alice visits an online store and puts a T-shirt in her basket.
The previous scenario sounds pretty normal, but cookies can be used for tracking purposes too.
Imagine that Alice reads about antidepressants on a medical website.
The previous example shows why the tool of third-party cookies is considered a questionable practice that violates users privacy.
Major browsers have already started to take action against this practice.
Safari blocks third-party cookies by defaultsince 2017.
Firefox has also done thissince 2019, and Chromeplans to join themtoo.
40% off TNW Conference!
As cookie-based tracking becomes more difficult, the tracking business is moving toward different techniques such asbrowser fingerprinting.
The attributes are concatenated into a long string, and the fingerprint is defined as ahashvalue of the string.
One might ask how unique these online window fingerprints are.
It turns out that they tend to be unique in the majority of cases.
Curious readers can check it for their own internet tool atamiunique.org.
Specifically, I will use Incognito mode Chrome so that all extensions are turned off.
Also, the fingerprinter scripts sometimes get a version update.
Therefore, 100-percent reproducibility cannot be guaranteed.
Having that said, lets pop pop the website mobile.de.
Here is the source code of the function:
The fingerprint string is accumulated in the variablet.
And it isnt just mobile.de using thisfingerprint()function.
For example, immobilienscout24.de, spiegel.de, and wetteronline.de also embed and run it.
A similar jot down of fingerprinting can be observed on the news site lemonde.fr.
The relevant JavaScript code is loaded fromhttps://cdn.keywee.co/dist/sp-2.9.1.js.
The code is minified, which makes it more difficult to follow.
On my machine, the fingerprint string is
and the computed hash code is 641572758.
More subtle techniques are also present on the web.
For example, express.co.uk uses many external resources.
Among others, it loads and executes JavaScript code fromhttps://securepubads.g.doubleclick.net/gpt/pubads_impl_2020020309.js.
The domain is owned by the ad serving companyDoubleClick.
The code is minified again.
Then step-by-step execution allows us to investigate what happens here.
Lines 1 to 11 prepare the dictionaryfand fill it with various internet tool attributes.
At line 12 the functionErinitiates a chain of function calls.
The first parameter ofEris a complex data structure that was created before.
One of its attributes is the arraya.Bthat already has 40 elements whenEris called.
The main effect ofErfrom our perspective is that it appends all key-value pairs offto arraya.B.
Then the rest of the code augmentsa.Bwith other attributes.
I have found no sign of computing a hash code from the fingerprinting related elements ofa.B.
However, this can be easily done on the server-side after the data is transferred to DoubleClick.
The online window fingerprinting landscape
Of course, the landscape of online window fingerprinting is diverse.
That is why we are working on algorithms that detect internet tool fingerprinting activities.
We collect and analyze known cases of internet tool fingerprinting and identify patterns based on them.
However, more can be done withartificial intelligence.
An AI-based fingerprinting detector is able to perform inexact pattern matching and detect novel fingerprinting methods.
Users , therefore, get a stronger defense against online window fingerprinting.
