Cross-Browser Fingerprints And Device Identification On The Web

As they say, there is no such thing as privacy online. Everyone has been taught when are looking up sensitive or personal information, to open a private browser on your laptop or even use a different browser all together. But what happens when your online identity isn’t tied to the cookies in one browser on your device but your computer as a whole? I will tell you:

Chaos.

Or at least that’s what I imagine from the findings of a 15-page research paper titled Cross-Browser Fingerprinting via OS and Hardware Level Features written by Yinzhi Cao and Song Li in the Security Lab at Lehigh University along with Erik Wijmans at Washington University in St. Louis. Erik contributed to this project when he was a Research Experience Undergraduate student at Lehigh University. They are going to present their findings at the Network and Distributed System Security Symposium in San Diego, California, scheduled to run from February 26 through March 1 of this year.

The paper explains that by using the specific hardware and software cues from the device, that a user could be tracked online across different browsers with up to 99.24% successful identification versus the standard single browser which only identified 90.84% of users in the same test data. They acquired this data by using Amazon Mechanical Turk and MacroWorkers and collected over 3,615 fingerprints from 1,903 users within 3 months.

The Cross-Browser Fingerprinting works by using specific code and scripts to identify the exact hardware such as the CPU and the graphics card for example. All told, the algorithm runs over 20 different test to produce a 32-digit string to identify the browser used and a separate 32-digit string to identify the computer used.

Here are my results just to give you a Real World taste of why our privacy is going out the window soon:

Chrome - 
Browser Unique Identifier - c3eddf2fd0cc10170bfeff04db37355e
Computer Unique Identifier - f9c0ce01e2d1d70ec2dc16d6940806ee
 
Chrome (Incognito) - 
Browser Unique Identifier - 020b9e14cfbca11ef98454537ba853e2
Computer Unique Identifier - f9c0ce01e2d1d70ec2dc16d6940806ee
 
Internet Explorer 11 -
Browser Unique Identifier - 4456d6bef4fc73c9dd574db68694b0b6
Computer Unique Identifier - f9c0ce01e2d1d70ec2dc16d6940806ee

Now you may look at this and go so what? But remember, their main goal is to use a unique identifier to identify the DEVICE that a user is using. And there isn’t a device out there today that can’t open a website. Look at the Computer Unique Identifier each test, the one ending in “…806ee”. That’s my Unique COMPUTER identifier. Notice how it didn’t matter what browser I used, the Unique Computer Fingerprint always matched up. Very soon, there could be a day where banner ads refer to you by name and show all of your private information. That’s a future that is always portrayed in Sci-Fi movies but it may be closer than we think.

“John, just buy the shoes already. You been looking at the page 33 times in the last 6 weeks. She will enjoy the surprise.”

– Future Banner Ads of 2020

Learn More:

2 Comments

  1. Really not surprised by this. Now all we need is someone to write an app that will change HW id of your devices on the fly every few seconds while browsing and let’s say randomly downclock your CPU freq. Only for this to be broken later by some other smart way of identifying you.Makes you wanna puke. Still I do not understand how is it possible that advertising is so big on internet anyways.Been online like 20 years now and only time clicked an add was by mistake and I really don’t know people who would click these.I see it as a huge bubble that has to pop sooner rather than later

    • Advertising is big business because of the nature of the Internet. For example, I see people only click the top link in Google for answers, which is mostly always an ad. But it will be interesting to see how adblock and such technologies affect the industry years down the line.

Leave a Reply