Cookies and fingerprints: main differences
Cookies are an important part of many operations in the Internet. They are considered one of the main tools for site owners to track their users. However, this method is now outdated and rarely effective.
There are several reasons for that. Today, any user can just turn off cookie saving or save them only for the current session utilizing the Incognito mode in his or her browser thus hiding his presence on the site. Cookies send data not to the resource owner alone, but to users too. A client sees both the cookies and their sender and can always block them.
The fingerprints is a completely different story. This technique is based on analyzing the information that a browser sends to the site a client visits. It creates a whole picture of the browser resembling a fingerprint based on several types of data: language settings, installed system fonts, time zone, screen resolution, plugins, digital versions of programs, etc. As a result, a resource is still able to correctly identify an individual user by his or her browser settings even with no cookies at all.
It is vital to understand that even changing the IP address does not help against fingerprints.
In fact, fingerprints replace cookies and actively used by some sites as such. The paradox is that the main weapon of an Internet user in the war for his or her privacy may work against him. The anonymity advocates enable special settings in order to protect from website tracking, but many do not realize that this very measure makes them more recognizable on the background of other Internet visitors.
Studies show that about 875,000 users have computers with standard browser settings. Sites identify them similarly, which prevents any precise sampling. But browsers with even slightly unusual settings were identified as unique among 4.4 ml counterparts.
Dangers of fingerprints
1. Privacy risk is the main reason why a user should keep on watch. Fingerprints are much more cunning in comparison with cookies. They are difficult to protect from, and you just cannot know whether you are tracked or not. The system traces your PC with a special digital mark – hash sum which is based on your settings and recorded with a special algorithm, and you never know that. Later, the system looks up each incoming client in its marks database, and if they match the user is identified.
2. Fingerprints as a global identifier. Browser fingerprints make its owner recognizable not on resources he or she visits often, but on other digital resources too. Fingerprints register the whole picture the resource receives from the browser which allows it to identify a client even after some settings changes. The fingerprints can neutralize privacy of both private and business communications.
3. Fingerprints as a malicious cookies generator and user IP sharer. Many sites utilize so called Flash LSO super cookies that can restore normal cookies in the case of their removal by the client. A browser fingerprint can not only restore the entire cookies library but also track the user by his main network data. It makes cleaning cookies useless since the site would still recognize a client.
4. It is quite possible to identify fingerprints of a particular browser without any cookie libraries. A user cannot be sure that fingerprints will not mark his or her PC even after blocking execution of all potentially malicious operations.
Fingerprints studies, their methodology and results
Many researchers have tried to find out how the system identifies the browser. The latest study gathered all the browser characteristics that allow to pinpoint a single browser. All the main parameters were taken into account, both well-known and rare. The researchers defined eight attributes that fingerprints use for identification.
Some settings were not tested due to the following reasons:
1. Difficulties in the parameters measurement and lack of time. Microsoft’s ActiveX and Silverlight API were not tested in full, CPU type check was not employed. Since Internet Explorer is not very popular these days, the specialized plugins for it were tested very briefly. The researchers decided not to waste much time on super cookies of various kinds and system fonts that can be traced by the CSS analysis.
2. Often-changed parameters like geolocation and floating IP, as well as router-connected hardware, were not tested.
3. Browsers with custom operations completely defined by users were excluded from the tests.
The main part of the study was the math analysis based on checking browser uniqueness after introducing changes in the standard layout.
An existing fingerprints algorithm was used as a basis, it was marked by a special symbol. The algorithm itself was based on the so called “own info” or “surprisal.” A “surprisal” element was certain data about an object (browser in this case). Each piece of data was regarded as a separate variable. After several visits to a web resource, a number of variables were memorized, and the browser became recognizable.
Gradually, the algorithm was changed: existing variables were rewritten, new ones were set up. Sometimes, values were combined and moved into separate equations. In some cases, statistically independent elements were added which decreased the magnitude of error.
The next step was data processing. A separate code was deployed with the following data:
1. HTTP cookies ID (if the browser received cookies).
2. HMAC IP address of the user (obtained with a special key that was later dismissed).
The study led to a unique result. If the IP address of a machine received a so called interchanging cookies, the machine transmitted information that each cookie is a separate element. As a result, the browser that worked from one IP had several different fingerprints. The system showed a virtually impossible thing: multiple users worked behind a single firewall. “Interchanging” cookies were transmitted to just one IP out of 2585 counterparts, which is 3.5% of the total number of addresses accounted for in the study.
Some other factors were noticed regarding IP addresses. The researchers decided to check whether the browser uniqueness changes after an IP change. The result was saddening for the privacy advocates: only 4.6% of the changed addresses affected browser fingerprints. In all the other cases, the system relied on other user-sourced data. The result: a fake IP does not guarantee successful privacy safeguards. Totally, 321,155 addresses were sampled.
The study confirmed that privacy protection was still a difficult task. Whooping 83.6% of browsers with different settings turned out to be unique (or easily recognized). 8.1% were so called “non-rare analogs,” and only 8.2% were relatively well protected from identification. The study showed that the degree of protection with standard settings does not depend on the browser type.
Almost all browser versions and analysis methods were utilized, but with a single result: 92% of browsers in the Internet are unique. This is like a chip under your skin – anyone with a scanner will be able to know who you are.
Less recognizable were browsers with various plugins like NoScript plus standard browser settings. The uniqueness can decrease 40-50% in this case. However, this plugin should be used with standard parameters only (you can also disable Javaand Flash), otherwise the recognizability of the browser will increase.
The results of the study were a bad sign for Windows: other operating systems (OS X, Android) are much less vulnerable to identification. The cookies transmitting process and browser fingerprints formation are more complex in them.