Massive new study lifts the lid on top websites’ tracking secrets

73 points, by aethertap, almost 9 years ago

4 comments

gregw134, almost 9 years ago
I worked on designing tracking scripts for six months (fortunately they aren't in production). Flash cookies aren't a very useful tracking mechanism anymore, mainly because Google and other browsers now clear Flash cookies when you clear your regular cookies. Fingerprinting was very difficult to pull off in practice: even with canvas fingerprinting, font enumeration, plugin enumeration, etc. etc. most mobile phones are indistinguishable, and even when you find devices with unique fingerprints (usually because of the unique set of plugins installed) it's difficult to be certain the new device you've seen is the same as the old device unless they are coming from the same IP address.

Now, the one mechanism that was very effective was ETag tracking. When you request a picture or other asset from a website, the website can send you an ETag id which is supposed to signify the picture's version. When the client revisits the page, the client sends back the ETag to confirm the version cached is the same as the version on the server. The security leak is that the ETag protocol allows arbitrary text to be set as an ETag, so to set an ETag cookie all you have to do is place a 1x1 pixel on each page with a random GUID, and when the user revisits the page the browser will resend the tracking ETag in its request for the 1x1 tracking pixel. This works for browsers with cookies disabled, and will remain when cookies are cleared. The only way to clear it is to clear all browsing history entirely, including cached images.
Comment #12232666 not loaded
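An added detection and mitigation check for the ETag behaviour described in the comment above; it is not code from the thread or from the study, and the fetch records, URLs and tag values are constructed examples. The idea: a validator derived from the content must be identical for identical bytes, so an ETag that differs between two fresh clients for the same body is carrying identity, not version.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from the thread or the study): the same URLs fetched
# by two independent clients with empty caches, so no If-None-Match was sent and the
# server cannot simply be echoing back a value it received.
PIXEL = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"  # stand-in 1x1 GIF
LOGO = b"\x89PNG\r\n\x1a\nconstructed-logo-bytes"
SAMPLE_FETCHES = [  # (client, url, status, etag, body)
    ("client-a", "https://cdn.example/t.gif", 200, '"8b4f2c1e-5d3a-4a7e-9f0b-2c6e1d8a3b55"', PIXEL),
    ("client-b", "https://cdn.example/t.gif", 200, '"e71d0a92-1c4b-4f63-8e2d-7a9b5c3f1e04"', PIXEL),
    ("client-a", "https://cdn.example/logo.png", 200, '"5f3a9c"', LOGO),
    ("client-b", "https://cdn.example/logo.png", 200, 'W/"5f3a9c"', LOGO),  # weak form, same tag
    ("client-a", "https://cdn.example/app.js", 200, '"v12"', b"console.log(1)"),
    ("client-b", "https://cdn.example/app.js", 304, None, b""),  # no body: nothing to compare
]

def normalize_etag(tag):
    """Strip the weak prefix and quotes so W/"x" and "x" compare equal."""
    if tag is None:
        return None
    if tag.startswith("W/"):
        tag = tag[2:]
    return tag.strip('"')

def find_etag_trackers(fetches):
    """Return {url: [tags]} for URLs whose ETag differs between clients although the
    body bytes are identical. 304 responses carry no body and are skipped."""
    seen = defaultdict(dict)  # url -> sha256(body) -> set of normalized tags
    for _client, url, status, etag, body in fetches:
        if status != 200 or etag is None:
            continue
        digest = hashlib.sha256(body).hexdigest()
        seen[url].setdefault(digest, set()).add(normalize_etag(etag))
    return {url: sorted(tags) for url, by_body in seen.items()
            for tags in by_body.values() if len(tags) > 1}

def scrub_conditional_headers(url, request_headers, flagged):
    """Mitigation for a flagged URL: drop the revalidation headers so the stored tag is
    never sent back; the resource is refetched in full instead of identifying the client."""
    if url not in flagged:
        return dict(request_headers)
    return {k: v for k, v in request_headers.items()
            if k.lower() not in ("if-none-match", "if-match")}
```

Run against real traffic, the same comparison works on a proxy log: group by URL and body hash, and alert when one hash maps to more than one tag.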
keeringplastik, almost 9 years ago
REI knows how to close the deal:

I was shopping a while back for a new tent. Wondered if I should wait for a 20% off single item coupon event like they do a couple times a year. Googled "when is the next rei 20% coupon?". I got the expected results: probably around Labor Day.

Lo and behold, a couple days after this I received an email from REI with a 25% off single item offer code.

I don't know if I should be frightened or not, but I got a new tent!
Comment #12219233 not loaded
Comment #12219951 not loaded
Comment #12220007 not loaded
drdaeman, almost 9 years ago
Is there any tool that tries to prevent fingerprinting by unifying browsers' behavior into one single promoted "common" one? Well, completely preventing it is probably impossible, but at least lower the number of unique properties.

E.g. a software-only... err... shim (or what should I call it?) for canvas and audio APIs, and only allow the fast native one to trusted whitelisted parties. And a uniform list of fonts and plugins, regardless of what's actually installed.

Of course, I know about NoScript. It can't be mass-used as a "just install this and you're good" strategy, thus doesn't help much - the fingerprints would still remain quite unique. Yet something less obtrusive - just slow at times (and then it asks "hey, this site does something fancy with canvas, maybe allow it to speed up at the cost of your privacy?") - may work.
Comment #12219370 not loaded
Comment #12219298 not loaded
Comment #12221504 not loaded
Comment #12219257 not loaded
dang, almost 9 years ago
I seem to recall that this study had a major discussion on HN not too long ago. Anybody have a link?
Comment #12227054 not loaded