Browser Fingerprints, Zombie Cookies, & the Death of Privacy

In the scramble to collect data, it seems trackers are always one step ahead of us.

If you're using incognito browsing or disabling cookies, you're ahead of the crowd. Most people aren't aware of just how closely their online activity is tracked, and by whom.

1. Browser Fingerprints, Zombie Cookies, and the Death of Privacy
1.1. What is Browser Fingerprinting?
1.2. How Did We Find Out About It?
1.3. How it Works
1.4. Zombie Cookies?!
1.5. Can You Protect Yourself?
2. Sources

You know the truth: that every site you visit, every button you click, and everything you do is being tracked. Whether it's advertisers, the government, your ISP, or other organizations doing the tracking, that data is being stored, and could potentially be used against you.

Even when you're aware of this, it's tricky to keep up with all the techniques being used to track you. Incognito browsing might prevent your own browser from saving your history, but your ISP and the websites you visit can still track you. Blocking cookies might make it a bit tougher for them, but cookies are really just a shortcut - there are still ways to recognize your computer without them.

The sum of your computer specifications, the browser and other software you use, the fonts you have installed, and other clues make up a unique profile that, statistically, no other computer is likely to match. This unique profile can be used to identify your individual computer, and track your movement within and across websites, even without the use of cookies. Since this profile data isn't stored on your computer, there's no way for you to delete it.

And even certain browser cookies can get around your blocks: so-called "zombie cookies" are just as sinister as they sound, designed to raise themselves from the dead after being deleted.

Is there anything that can be done against these tracking methods, or are we all doomed to be spied on with no defense?

While spying technology is always developing, so is technology to keep your data safe and private.

Check out the graphic below for details on how these tracking technologies work, and tips for keeping yourself safe while you browse the web.

Browser Fingerprints, Zombie Cookies, and the Death of Privacy

So you've got cookies turned off and you're browsing in an incognito window? You think you are safe from all the shadowy eyes that want to follow your every move? Maybe not. Websites are using innovative techniques such as "browser fingerprinting"Â and "zombie cookies"Â to track you. But you have some options to fight back against this.

What is Browser Fingerprinting?

A common way for websites to remember and track individual computers or devices is by loading a small packet of data onto visitors' computers
- These data packets are called "cookies"
Now, websites can contain code that simply takes the fingerprint of the computer accessing them
- The websites are able to identify individual computers for the same reasons fingerprints identify individual humans:
  - It's unlikely that two people's computers will be exactly alike
These websites are able to fingerprint computers using new coding features in HTML5, the coding language used to build websites
- These fingerprints are based on the HTML "canvas" element, originally designed to create scripting-based graphics
  - This is why such tracking is often called "Canvas Fingerprinting"
- Fingerprints are taken using a JavaScript program
- Nothing is loaded onto the user's computer
  - User cannot delete their fingerprint, since it is stored elsewhere
- Some sites use it to gather information for targeted advertising

How Did We Find Out About It?

Computer scientists Keaton Mowery and Hovav Shacham presented a paper on browser fingerprinting in 2012
A recent study examined the top 100,000 websites to see which ones included browser fingerprinting scripts
- More than 5.5% ran fingerprinting scripts
- 95% of these scripts came from a software company called AddThis
  - AddThis claimed that the use of browser fingerprinting was only a test. It said it never used the data for marketing purposes, and has ended the test.
  - Other firms that provided browser fingerprinting scripts included:
    - Plenty of Fish, a dating website
    - Ligatus, a German marketing website
      - Like AddThis, Ligatus announced that it was only running a test of the browser fingerprinting script. It does not plan to use the technology in the future
- Some of the websites using browser fingerprinting were:
  - WhiteHouse.gov
  - CBS.com
  - YouPorn.com
    - After an article was published about the issue, YouPorn announced that:
      - They had removed the fingerprinting scripts
      - The website was "completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users"

How it Works

By analyzing how your computer processes certain data in the website, like text font, images and audio, a site can gather information about your computer, such as:
- Operating system
- Hardware configuration
- Video card
- Browser version
- Installed Fonts
- Installed plugins
- But note: no personal data!
  - Reports specifications of computer systems only
This information can be used to tailor targeted advertising or to track Internet browsing habits across multiple sites that take these fingerprints

Zombie Cookies?!

The same study mentioned above also focused on cookie syncing and zombie cookies, a different kind of tracking method:
- Cookie syncing allows different trackers to link the IDs they've assigned to the same user. (This is how advertising can follow you from one website to another).
- Zombie cookies are created by a JavaScript program called evercookie
  - They are designed to respawn, even if users delete them
    - Zombie cookies are backed up in a browser
    - If evercookie detects that a version of a zombie cookie has been deleted, it will restore it from these backups

Can You Protect Yourself?

Probably not completely. But there are a lot of tools to help you increase your privacy.
- Browsers built specifically for privacy
  - Comodo Group provides various authentication tools, website and information security measures, and ongoing maintenance:
    - Comodo Dragon, which is Chromium-based
    - IceDragon, which is Firefox-based
  - Epic Privacy Browser is the first privacy browser built on Chromium.
- Browser extension tools like uBlock Origin, AdBlock Plus and Blur (formerly DoNotTrackMe) can block privacy threats
  - Blur spots a browser making a request to AddThis for content and blocks the JavaScript it uses to execute fingerprinting
- Panopticlick and amiunique.org allow you to test how trackable your computer is

Although all of these tips and tools will reduce your security risks, none of them is foolproof. Hackers will always be working on ways to invade our computers using new techniques, and this privacy-based cat-and-mouse game will continue. As long as there are computers and mobile devices, there will be those who want to take advantage of their vulnerabilities. All we can do is stay aware and fight them with the best tools available.