Do you still use fingerprinting?

Maybe you have noticed it. Privacy is an issue. A bit strange since there are only 21 days left until the new EU General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union.

So before end of May 2018 all organizations that process data of EU citizens must comply with this General Data Protection Regulation. Determining how to design your systems to meet the GDPR is not straightforward. Especially when you make use of third-party services.

But tools and methods that can detect if you track users can help you when creating new Internet facing systems. If you want to minimize the risks that third party services you use on your site have a different ethical and moral view regarding privacy, fingerprinting tools come to the rescue.

Device fingerprinting or browser fingerprinting is systematic collection of information about a remote device, for identification purposes. With the ultimate goal: To identify you as person and sell you things.

Fingerprinting techniques are so good nowadays that asking for user login name with user credentials is more error prone than identifying an user by using advanced fingerprinting techniques. Fingerprinting is stateless and transparent for the user. Any third-party interested in fingerprinting can still get some piece of information of you.

Client-side scripting languages enabled in browsers (e.g. Javascript) make it possible to collect very rich fingerprints. Browser fingerprints are also called “cookieless monsters” because it is not necessary to use cookies to collect a rich fingerprint of an user. And the good news is: Detection for users is difficult, unless you have some inside information on how a company really deals with the GDPR and how they are using this gathered personal data.

Everything you use to make a network connection is vulnerable for network fingerprinting tools. E.g. TCP/IP stack fingerprinting can be used to identify types of systems and used network configurations.

Average users are of course not aware of fingerprinting techniques used. But to give you some information on what information is (easily) retrievable when you visit a web site:

  • Type of browser
  • Language
  • Color Depth used
  • Screen Resolution
  • Timezone
  • Information on browser session storage
  • Information if a browser has IE specific ‘AddBehavior’
  • CPU class of your machine
  • Platform (Operating system)
  • DoNotTrack settings enabled in your browser
  • Full list of installed fonts (maintaining their order, which increases the entropy)
  • Information on Plugins (IE included)
  • Information on AdBlockers  installed
  • Information if the user has tampered with its languages settings in the browser
  • Information if the user has tampered with its screen resolution in the browser
  • Information if the user has tampered with its OS settings
  • Information if the user tampered with its browser settings
  • Touch screen detection and capabilities
  • Pixel Ratio
  • Number of logical processors available to the user browser or device
  • Device memory
  • Microphone, Camera (in use, present etc)

And this list is not even complete. Storing this information or pieces of this information will expose some of your privacy. Various researchers have shown that the accuracy to identify users using only finger printing technique is highly accurate.

Using tools like Fingerprint2 within your Secure Software Development Life Cycle Processes will minimize the risks that third party service providers you use for your Internet facing systems (rich websites) are a risk for your GDPR compliance efforts. If you have a good valid reason to use fingerprinting techniques to identify your users you should ask for permission from your users if you want to meet the GDPR.

This blog post will be added (after rewrite) as an extension on the ‘Open Reference Architecture for Security and Privacy‘. We are working on an renewed version. Please join us!