Authentication: unique fingerprints to identify Internet users
It is clear that we are spending more and more time on the Internet and that the number of Internet users is constantly growing. Faced with this high demand, browsers are developing more and more features. Their objective: to make access to the web more attractive, interactive, and available. This revolution is achieved by collecting seemingly insignificant data each time we connect to a site: operating system, device language, fonts, screen resolution, etc. For example, knowing the resolution is used to adapt the display of pages or to adjust the size of a video when we reduce the window. In short, this data is collected using a simple script in the background, in order to make the user experience pleasant.
Only the data mentioned above is not very sensitive. However, by cross-referencing them, they form unique digital fingerprints, which can sometimes have advantages. For example, these attributes facilitate the identification of an Internet user via his machine (computer, phone, tablet). Through the ANR FP-Locker project, the Spirals project-team of the Inria Centre at the University of Lille is proposing to use them to protect accounts when authenticating a user. "They also make it possible to block bots, which account for more than half of all web traffic, including web scrapers, which are often unwanted by websites," says Walter Rudametkin, a lecturer in computer science at the University of Lille and a member of the Spirals project team. His work has enabled him to obtain a habilitation to direct research in 2021, after having been awarded the CNIL-Inria "protection of privacy" prize in 2018.
However, these same properties can also be used to track people's online activities. Some advertising agencies are already using them to collect information on the habits and tastes of Internet users without their knowledge. "This method is still not very common. According to various studies, it is found on about 4% of the top million most visited sites in the world. But it is often used in addition to cookies," explains the researcher.
Cookies supplanted by browser fingerprinting
Research into these methods is all the more important as cookie tracking becomes obsolete.
Browser fingerprinting is therefore an 'invasive way to replace cookies', and Google, which controls the development of Chrome and strongly influences its derivatives, is trying to exert pressure to control the tracking methods of the future, adds Walter Rudametkin.
When a user visits a site, the site can store a cookie in the user's browser and collect the user's fingerprint simultaneously. If the person has deleted their cookies between visits to protect themselves, the site can still identify them via their fingerprint. It then recreates its tracking cookie. And since the fingerprint is not stored on the user's device, the user cannot prevent its collection. Worse still, the more information a site has about a person, the easier it is to identify him or her. The Spirals project team has shown that collecting the digital footprint, cookies and IP address makes it possible to identify 98% of people on the web...
Powerful tracing tools
Walter Rudametkin and his team have shown that fingerprinting applies to both computer and mobile phone browsing. In order to better understand how they work and how to counter them, the researchers got under the skin of these dubious advertising agencies by collecting fingerprints via their dedicated research site AmIUnique.org. The site invites visitors to share their fingerprints for research purposes while offering ways to protect themselves.
For the researchers, the power of fingerprints as a tracing tool comes from three major properties: their uniqueness, the ease of linking fingerprints with a few modifications, and their consistency. "About 80% of people have a unique fingerprint, which allows them to be recognised. It is enough, for example, to install a rare font to make it easily recognisable, or to have an extension that is not often downloaded," says the researcher.
However, a fingerprint is not eternal. It constantly undergoes changes associated with updates. It also changes when the user adds a screen, extensions, changes its configuration, etc. Is it therefore possible to trace a person over the long term? "We observe that the changes made are often small. So we could easily trace 20% of the people for the entire duration of our four-month study using only their fingerprints, because they had such distinctive attributes that they remained recognisable under all circumstances," describes Walter Rudametkin.
The researchers also wondered whether it was possible to hide, block or alter certain settings to protect themselves. "We discovered that these tools are all detectable. Some are even so bad that they transmit even more information about the user than without masking. This is often counterproductive, as it can reinforce the uniqueness of the fingerprints," the researcher notes.
The ball in the developers' court
Is it possible to protect yourself? The first thing to do is to regularly delete your cookies. Ad blockers also limit the collection of fingerprints by blocking the domains of the tracking sites to which they are sent.
If you have to choose, the fingerprinting attack is less dangerous and less widespread than cookies. In order to protect your privacy, it is better to opt for browsers such as Tor, Firefox or Brave that have built-in defences against several tracking techniques, recommends Walter Rudametkin.
But for the researchers, the best solution lies closer to the source of the problem. "We notice that in their race to add features, browser developers often create systems that identify people," observes Walter Rudametkin. Working with developers would therefore make it possible to implement solutions directly in browsers in order to protect everyone's data.
This is why researchers are developing automated systems for testing and analysing fingerprints. These programs allow security flaws to be corrected before features are integrated into a browser. "Developers are listening, but as long as they are not legally obliged to correct privacy flaws, this will not be a priority. Appropriate regulations are therefore needed to strengthen the protection of Internet users," the researcher stresses. An initiative that is only waiting to happen
Walter Rudametkin's short bio
2013 – After studying in Mexico, obtained a PhD in software engineering at the University of Grenoble Alpes on dynamic updates in applications.
2014 – Created the AmIUnique.org website for data collection and to present the risks of browser fingerprinting.
2018 – CNIL-Inria « privacy protection » award (in French) on browser fingerprinting.
2021 – Habilitation to direct research at the University of Lille: Improving the Security and Privacy of the Web through Browser Fingerprinting.
- Onligne tracking: what are its different natures and why protect yourself from it? Clubic, 25/11/2021 (In French)
- Everything you always wanted to know about web-based device fingerprinting (but were afraid to ask), Microsoft Research, 27/07/2016.