Smile, you’re being watched!
(CC BY-NC 2.0) Twistiti
Data that identifies net surfers can be collected from them in secret. This is known as “fingerprinting”. The process is as effective as it is hard to detect. Two Inria teams, based in Rennes and Lille, are seeking to expose this potential menace to privacy.
We are all aware of cookies, those tiny files that install themselves on someone’s computer whenever they visit a web site, allocating an identifier to the user so that he/she can be recognized at each new visit. Fingerprinting goes even further. It is not just a matter of identifying a surfer but of collecting potentially private information about him/her. “There are several ways of remotely capturing data relating to a particular computer”, explains Walter Rudametkin, a lecturer-researcher in the Inria Lille - Nord Europe Spirals project-team (a joint project with Lille 1 University*), specializing in dynamic reconfiguration. “Some are hardware-oriented. At Inria Lille, we are specifically working on the ‘browser fingerprint,’ that is the fingerprint left by navigators.” The principle is that when someone visits a site, the browser sends out various items of information about the configuration of the computer terminal from which the connection has been made (applications, fonts, plugins, etc.). In about 95% of cases, this information makes it possible to automatically identify the computer on subsequent visits.
“The procedure is used first and foremost for security and authentication purposes,” Walter Rudametkin stresses. “If you connect to a messaging service from a computer that is not the one you normally use, thanks to fingerprint analysis the service will detect that this is an unaccustomed terminal and start a checking procedure. The same applies to online banking operations. But nowadays, in view of the huge financial investment represented by advertising on the Web, more and more sites use fingerprinting for commercial purposes. And this time, they do so without the user’s knowledge.” That is the key point, because, unlike cookies, over which users have some control, fingerprinting scripts never ask users’ permission to capture the “characteristic data” of their configuration. Furthermore, and this is another crucial difference from cookies, no information is stored on the user’s computer. “This is unique identification without notice”, specifies Walter Rudametkin. “And consequently it is very difficult to regulate the practice.”
Tracing in complete secrecy
In view of the undoubted power of the fingerprint, companies have been eager to employ this tool in the service of advertisement targeting. BlueCava, the best-known player in the field, offers scripts to online merchants that they can use to secretly trace visitors to their sites. “Worse still, BlueCava is now offering its customers the option of accessing navigation data collected via fingerprinting performed on other sites!” notes Walter Rudametkin. “By using these tools ad hoc, this makes it possible to deduce the gender of the surfer, his/her age group, geographical location, and even his/her socio-professional category and focuses of interest… BlueCava is even capable of reconstituting the navigation history of a particular user via various different terminals!”
“Attacking a problem of society”
Through their work that is designed to combat the software monoculture, Inria’s researchers have highlighted the extent of the threat posed by fingerprinting. “Since 2013, Inria Rennes – Brittany Atlantic Diverse Project Team has been working in partnership with the Spirals project team on the Diverse European Project that is designed to promote software diversity”, Walter Rudametkin explains. “We have established to what extent, with the increase in this practice, net surfers no longer have privacy on the Web. We therefore considered that our research community needed to go on the offensive to protect against something that had become a real problem for society. It was a big challenge, considered by certain computer safety researchers as being insoluble because it was too complex. But as specialists in computer engineering, we developed ‘randomization’ know-how that we thought would be interesting to put to good use in this field.” The principle involves combining Spirals’ expertise in modeling and dynamic reconfiguration and that of Diverse in the field of software diversity.
With this in mind, in November 2013, Benoit Baudry, a member of the Diverse project team, and Walter Rudametkin together launched a master’s research project dedicated to fingerprinting. Pierre Laperdrix, a student at INSA Rennes, devoted his doctoral thesis to the subject under the supervision of Benoît Baudry. “We began by developing Blink, a software prototype capable of generating a different fingerprint for each navigation session. We did this by regularly changing the computer’s configuration. But if these modifications, performed automatically and randomly, were to be credible, a database had to be created that was capable of performing statistical analyses.”
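The principle described above, as an added example that is not code from Inria, Blink or the “Am I unique” site: configuration attributes are combined into one identifier, and a population of records shows how identifying each value is and what changing a font does. The attribute names, the sample population and the FNV-1a stand-in hash are assumptions made for the illustration.

```javascript
// Constructed sample population: attribute records of the kind a browser exposes.
const ATTRS = ["userAgent", "language", "timezone", "fonts"];
const population = [
  { userAgent: "UA-A", language: "fr-FR", timezone: "UTC+1", fonts: ["Arial", "Courier", "Times"] },
  { userAgent: "UA-A", language: "fr-FR", timezone: "UTC+1", fonts: ["Arial", "Courier", "Times"] },
  { userAgent: "UA-A", language: "en-US", timezone: "UTC-5", fonts: ["Arial", "Times"] },
  { userAgent: "UA-B", language: "fr-FR", timezone: "UTC+1", fonts: ["Arial", "Courier", "Times", "Comic Neue"] },
];

// Canonical form of one attribute value (lists are sorted so order does not matter).
function canon(v) {
  return Array.isArray(v) ? [...v].sort().join(",") : String(v);
}

// FNV-1a 32-bit hash, used here only as a compact stand-in for a real digest.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Fingerprint = hash over all canonicalized attributes; nothing is stored client-side.
function fingerprint(rec) {
  return fnv1a(ATTRS.map((a) => `${a}=${canon(rec[a])}`).join("|"));
}

// Anonymity set: how many records in the population share this exact fingerprint.
function anonymitySet(rec, pop) {
  const fp = fingerprint(rec);
  return pop.filter((r) => fingerprint(r) === fp).length;
}

// Surprisal in bits of one attribute value: -log2(share of population with that value).
function surprisalBits(rec, attr, pop) {
  const same = pop.filter((r) => canon(r[attr]) === canon(rec[attr])).length;
  return -Math.log2(same / pop.length);
}

// Attributes ranked by how much they make this record stand out (highest first).
function mostIdentifying(rec, pop) {
  return ATTRS.map((a) => [a, surprisalBits(rec, a, pop)]).sort((x, y) => y[1] - x[1]);
}
```

A record with an anonymity set of 1 is unique in the population; installing or removing one font changes the fingerprint, but an unusual font also raises the surprisal of the `fonts` attribute, which is why randomized changes need population statistics to stay credible.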
A site for achieving anonymity
The result of this work, the “Am I unique” site, was born in 2014. In one year and without any special publicity, the “Am I unique” script has scanned 100,000 terminals. Its purpose is first and foremost educational: net surfers need to have explained to them how fingerprinting works and to be shown which personal data are liable to be transmitted to third parties via their browser. The site also provides explanations about the Blink software. “The site currently provides information that makes it possible to determine what changes should be made to its configuration, but Blink remains a prototype that not everyone is able to use,” stresses Walter Rudametkin. “In the long term, we hope to perfect an accessible tool that will enable the general public to achieve anonymity on the Web.” At the moment it is possible, via the site, to recommend simple operations such as changing the language or the time of day, or installing or uninstalling an unusual font. Benoit Baudry and Walter Rudametkin are currently looking for a doctoral candidate who will work with them on this next stage. “Our projects are in open source and our research is open,” he adds, inviting all those of goodwill to take part.
* within the UMR 9189 CNRS-Centrale Lille-Université Lille1, CRIStAL.