The data is the gold mine of the companies. Most web services seek to develop a specific profile of users to sell something. The usual way is through the known and famous cookies, the files that store our activity on the network. But companies go beyond the proliferation of options that block or erase them and have developed techniques that collect information from browsers or devices to identify the user and his activity. It is the so-called digital fingerprint. The Spanish Agency for Data Protection (AEDP) has published a study that analyzes how it works and how to avoid this monitoring.
The tracking of our steps on the Internet can be permanent. The report Fingerprinting or fingerprint of the device points out how current programs allow to know where the mouse stops, browser models, operating system version, screen resolution, processor architecture, sources, IP addresses (identity of devices), peripherals or installed programs and any type of information that allows to identify the user and his activity.
These programs (canvas fingerprint, canvas font fingerprint, webRTC fingerprint or audio fingerprint), known as cookieless monsters, in some cases, they seek to improve the user experience and personalize or adjust contents to the needs, but they can annul the main objective of data protection: the impossibility of identifying an individual if he does not give his explicit consent.
"Fingerprint techniques allow the same user to be re-assigned the information linked to the identifier of the cookie eliminated and not lose trazabilidad on the data of navigation of the user or simply to carry out the pursuit on the basis solely to the fingerprint ", warns the study. This report shows as an example the websites hotjar.com or crazyegg.com, "that allow record journeys of the mouse, the clicks of the user, the navigation, the way in which the users use the forms and other activities ".
"Currently it is estimated that there are about 4,000 million computers, smartphones and other types of terminals in the world. With a sufficient set of discriminatory data you can get to individualize all of them and this is precisely what makes the footprint, "says the study.
Luis Salvador, head of the Evaluation Unit of the AEDP, explains that the techniques are not "intrinsically an invasion, but can be used for illegitimate purposes", so companies or entities have to be vigilant if they incorporate pages or programs of third parties and the user must know that he has the right to choose if he allows them. The AEDP, as it explains, monitors and acts if it detects or receives a report for interference. "It's proactive," he says.
Sex, religion and politics
Pages like AmIUnique.org or Panopticlick they allow us to know the configuration details of our navigation programs and to what extent they allow the tracking of them. The AEDP research, conducted with the Princeton University OpenWPM program, detected a high activity of fingerprint tracking techniques in searches related to sex, pornography, religion, health and politics.
In addition to the browsers' own tools to limit the tracking, there are other programs (uBlockOrigin, Ghostery, Disconnect, Adguard, Adsafe and Adblock) to avoid them, but their effectiveness does not always give results.
The best known methods, like the private browsing offered by some browsers to not save information about web pages visited, history, cache, passwords, forms information or cookies. "It may seem that allows the user to be protected, but it is a feeling of false security, because the techniques used in making the fingerprint make private browsing transparent, since the features they record are the same with or without it and the user's equipment will also be individualized, "warns the study.
In the same way, the use of anonymization networks or VPNs prevent the destination server from knowing the IP address of the device used, but they do not filter the collection of data on the characteristics of the terminals that allow association with a specific user.
"The objective of the AEDP study is to publicize the complex monetization ecosystem and help both web developers and the recipients to use them within the margins established by the standard." Sometimes they are not aware that a tool it can be used potentially for other purposes ", concludes Luis Salvador.
The study of the AEDP indicates some actions that we can perform the users to avoid the non-consensual follow-up:
Use of the option Do Not Track. Activated in the browser options menu
Installation of blockers. They allow the user to avoid advertising and tracking. Some of the most effective, according to the study, are Ghosteryy and Block Origin.
Toggle the use of browsers. It allows that not all the information about the activity of the user is easily associated with the same identifier.
Execution of Internet access in virtual machines. It consists of the execution of applications that simulate devices that use different operating systems and browser configurations.
Reduce installation of extensions. One of the objectives of fingerprint identification is precisely to obtain a list of extensions or plugins of the browser. "The more extensions are installed and the more remote the browser is from its default configuration, the more capacity to singularize will have," warns the report of the AEDP.