Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens

This language is wired for sound

Iain Thomson in San Francisco Wed 17 Jan 2018  //  20:21 UTC

Usenix Enigma HTML5 is a boon for unscrupulous web advertising networks, which can use the markup language's features to build up detailed fingerprints of individual netizens without their knowledge or consent.

In a presentation at Usenix's Enigma 2018 conference in California this week, Arvind Narayanan, an assistant professor of computer science at Princeton, showed how some of the advanced features of HTML5 – such as audio playback – can be used to identify individual browser types and follow them around online to get an idea of what they're into.

For example, different browsers process sound files in slightly different ways, and allowing an ad network – or any website – to potentially work out which version of a browser is being used on which operating system. Couple this with other details – such as the battery level and WebRTC – and you can start to form a fingerprint for an individual user.

Of course, your browser typically reveals its version number and the underlying operating system's details to web servers when fetching pages and other materials. However, from what Narayanan is saying, it is possible for ad networks and webmasters to bypass any attempts to suppress that information by probing the browser with HTML5 for traceable details. It also means that dumping JavaScript and cookies, and relying on purely HTML5, won't mean you're completely free from online tracking by advertisers.

“HTML5 browsers use a library to do audio processing, but different software stacks produce a unique fingerprint in combination with other data,” he explained. “Similar techniques also work on the battery and WebRTC functions.”

Fingerprint ... Each browser type has its own way of processing audio that makes it easy to track, according to this slide by Arvind Narayanan

Narayanan and his team have been monitoring the behavior of ad trackers for years. In 2014, they discovered 5,000 of the world's top 100,000 most-visited websites were, in one way or another, using a canvas fingerprinting technique to identify and follow netizens around the internet, as they moved from page to page, site to site, without their knowledge.

Further research last year found that ad networks were using session replay scripts, which he described as “analytics on steroids,” to stalk people online. Narayanan said he and his team found ad trackers on 8,000 websites leaking visitors' information in this way – including code on the website of American pharmacy chain Walgreens, which apparently handed confidential patient records to advertisers via forms, as well as the Gradescope assignment-grading software used by Princeton.

“This [session replay technique] left website owners and users pissed off,” he said. “Once we detailed the technique, the largest ad tracking providers stopped doing it. It seems sunlight is a great disinfectant.”

But this scrutiny only works up to a point, he warned. Netizen-tracking firms aren’t going to stop following people around the 'net and working out what interests them so they can be served targeted adverts and special offers. Narayanan was one of the team overseeing the now-imploded Do Not Track browser feature, and the ad industry was adamant: if 15 per cent or more of internet users turned tracking off, the banner networks would refuse to play ball and track them anyway.

Technical workarounds by ad blockers, such as Privacy Badger and Ghostery, are of some use, he said. But they are usually playing catch up with ad trackers, not blocking them from the start.

The only way this is going to stop is if web browser programmers step up and build in measures to curb the ability to stalk users. But Narayanan said browser makers don’t want to get involved.

“Historically, web browsers consider it’s not their problem. Vendors are attempting to be neutral on this, and leave it to users to sort out,” he said. “To users that’s like an email provider saying that they are neutral on spam. Protection of privacy is a core reason for user choice.”

There have been some encouraging moves. The Brave browser has been developed specifically to neuter naughty advertising trackers, and both Firefox and Safari are making more of an effort in this area, he said. Chrome is also, we note, making noises in that direction.

But what’s needed is a fundamental rethink, with features that ensure tracking-free browsing, just as private browsing doesn’t record session data on a local workstation. Some kind of warning, similar to the HTTPS icon, would also be useful.

It’s important that these anti-surveillance techniques are implemented, he said, because privacy is vital to society – and there’s plenty of evidence showing a lack of privacy stifles debate. “Privacy is a lubricant that allows for social adaptability,” Narayanan opined. “If we move to a state of pervasive surveillance we lose that mobility.” ®
Send us news
47 Comments

Google Chrome coders really, truly, absolutely ready to cull third-party cookies from 2024

Bonfire of the web trackers is coming, industry ready or not

Rights warriors claim online ad auction data a danger to national security

'The industry can not be allowed to put elected leaders, military personnel at risk'

UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners

30 days to get compliant with tracking rules or face enforcement action

Meta's fix for teen online mental health? Hold Apple and Google responsible

Facebook: If only we had a national law to ensure kids get parental permission to indulge in damaging social media

Google, Amazon, Microsoft make the Mozilla naughty list for Christmas shopping

Big Tech's toys have privacy problems. Why not buy utterly unconnected dead-tree books instead?

Net privacy wars will be with us always. Let's set some rules

Size matters, and what you do with it. But keep it safe

Meta sued by privacy group over pay up or click OK model

Scrolling through endless humblebrags without targeted ads is a fundamental right, according to privacy expert

When is a privacy button not a privacy button? When Google runs it, claims lawsuit

'It looks like even Sundar Pichai is confused about how this control works'

IBM pauses advertising on X after ads show up next to antisemitic content

Twitter, meanwhile, tells us its brand safety controls are just as strong – or stronger – than other platforms

Either the FBI is recruiting in Iran – or some govt Google ad buyers are getting a lousy deal

Advertisers may be surprised to find where their banners appear

Plex gives fans a privacy complex after sharing viewing habits with friends by default

Grandma is watching what?!

US govt pays AT&T to let cops search Americans' phone records – 'usually' without a warrant

At least get a court order before mining Hemisphere Project data, says Senator