
Race On To Fingerprint Phones, PCs

CmdrTaco posted more than 3 years ago | from the i-see-what-you-did-there dept.

Government 139

theodp writes "Advertisers no longer want to just buy ads, reports the WSJ. They want to buy access to specific people. In response, the race is on to develop digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. Start-up BlueCava, an anti-piracy company spinoff, is building a 'credit bureau for devices' in which every computer or cellphone will have a 'reputation' based on its user's online behavior, shopping habits and demographics. By the end of next year, BlueCava says it expects to have cataloged one billion of the world's estimated 10 billion devices, and plans to sell this information to advertisers willing to pay top dollar for granular data about people's interests and activities. It's 'the next generation of online advertising,' said BlueCava's David Norris. As controversy grows over intrusive online tracking, regulators are looking to rein it in — the FTC is expected to release a privacy report Wednesday calling for a 'do-not-track' tool for Web browsers."


Fuck that! (1)

Anonymous Coward | more than 3 years ago | (#34405678)

Time to grab a copy of BeOS and start doing random stuff.

Cock-sucking mother fucking advertisers. Someone should start "removing" them from the gene pool.

Re:Fuck that! (1)

Lumpy (12016) | more than 3 years ago | (#34406218)

You do not need to. Simply run your browser in a sandbox. They can't keep ANYTHING there.

Better yet, run your browser in a VM that is a standard OS install and a sandbox inside that. They can't fingerprint that which looks like everything else. (XP standard install with no added fonts, etc.)
Also you can add a blocking hosts file. This really screws with advertisers as it destroys all their cookie attempts in any form.

Re:Fuck that! (1)

interval1066 (668936) | more than 3 years ago | (#34407290)

"Also you can add a blocking hosts file."

Uh, yeah, about that... did it. Assuming you keep on top of it and update it every time you don't like a particular host, the file grows to be quite large, which isn't a problem, but keeping the file updated gets to be quite a chore. Best to use white/black lists with the help of community updates. You might add to the black list occasionally, but so does everyone else. And there's no Firefox add-on like NoScript; best way to keep those pesky JavaScript hooks out of your hair at the browser level.

Re:Fuck that! (2)

Lumpy (12016) | more than 3 years ago | (#34408928)

http://www.mvps.org/winhelp2002/hosts.txt [mvps.org]

click, save as... all done. I have a batch file that does it weekly for me with the AT command.

not a chore at all.
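Added example, not part of the thread: a hosts file maps names to addresses, so a list saved unchecked on a schedule could map any name to any address. This sketch vets a downloaded blocklist before it is merged; the sample list, the domain names and the function names are constructed for illustration.

```python
import re

# Addresses a blocklist entry may legitimately point at (null route / loopback).
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}
# Names the local system relies on; a downloaded list never gets to define them.
PROTECTED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def vet_blocklist(text):
    """Return (accepted_hostnames, rejected_lines) for a hosts-format blocklist.

    An entry is accepted only if it points at a sink address and names a
    syntactically valid, non-protected host. Everything else is reported
    as (line_number, line) so a human can look at it.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not entry:
            continue
        address, names = entry[0], entry[1:]
        if address not in SINK_ADDRESSES or not names:
            rejected.append((lineno, raw.strip()))
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in PROTECTED_NAMES:
                continue                        # ignore, never redefine
            if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
                rejected.append((lineno, raw.strip()))
                continue
            if name not in seen:                # de-duplicate, keep order
                seen.add(name)
                accepted.append(name)
    return accepted, rejected


def render_hosts_block(accepted):
    """Rewrite every accepted name against one sink address."""
    return "".join(f"0.0.0.0 {name}\n" for name in accepted)


# Constructed sample input (not taken from any real list).
SAMPLE = """\
# Constructed sample blocklist
127.0.0.1  localhost
127.0.0.1  ads.example   # inline comment
0.0.0.0    tracker.example.net
0.0.0.0    ADS.example
203.0.113.7  bank.example
127.0.0.1  bad/host.example
"""

if __name__ == "__main__":
    ok, bad = vet_blocklist(SAMPLE)
    print(render_hosts_block(ok), end="")
    for lineno, line in bad:
        print(f"rejected line {lineno}: {line}")
```

Only the rendered block is appended to the system hosts file; the rejected lines are kept for review rather than installed.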

Looks like it's time to: (4, Interesting)

phyrexianshaw.ca (1265320) | more than 3 years ago | (#34405680)

put together a company that rents out devices.

"monthly/weekly/daily device rentals, just pay your cell phone bill on time and we'll ship you a used device every month! just hang onto your SIM/SD card and we'll default the device/let somebody else use the 'fingerprinted hardware'"

Re:Looks like it's time to: (0)

Anonymous Coward | more than 3 years ago | (#34405872)

So is this when I need to go buy a dozen 'throw away' 3G phones that should last me a few years? Or, at least until wifi becomes an open utility or some such thing.

Did I mention I loathe advertisers?

Re:Looks like it's time to: (4, Insightful)

silverglade00 (1751552) | more than 3 years ago | (#34406096)

NO! That lets them know it is okay and that we have to work around it. They need to stay out of our business. This needs to be illegal immediately. This is way over the line. I never gave them permission to track me. BlueCava needs to be shut down.

Re:Looks like it's time to: (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34406038)

Wouldn't the SIM/SD card make the process entirely irrelevant? If your number is sticking with you, your fingerprint will too.

Re:Looks like it's time to: (2)

camperdave (969942) | more than 3 years ago | (#34406140)

That won't help. It's not the hardware being fingerprinted. It's the user. The phone is scanning the fingerprint of the user and sending that to the advertiser. Besides, if it is the hardware, do I want to get a phone that the previous owner may have taken to every strip club, brothel, Al Qaida meeting, and presidential assassination attempt? No thanks. I get into enough trouble on my own.

Re:Looks like it's time to: (1)

noidentity (188756) | more than 3 years ago | (#34406182)

That won't help. It's not the hardware being fingerprinted. It's the user. The phone is scanning the fingerprint of the user and sending that to the advertiser.

Well, you might be interested in my finger-renting service. Every month, we ship you a new set of fingers. Some restrictions apply.

Re:Looks like it's time to: (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34406486)

do I want to get a phone that the previous owner may have taken to every strip club, brothel, Al Qaida meeting, and presidential assassination attempt? No thanks. I get into enough trouble on my own.

Oh I know eh? It's hard to keep that sex-addiction-secret-terrorist life under wraps with the Missus always checking my phone.

Re:Looks like it's time to: (1)

Vetala (1543063) | more than 3 years ago | (#34407156)

No, it's the device. They are talking about a way to create a digital equivalent of a fingerprint for the device. The article talks about "device fingerprinting". And, try paragraph 5 of the article and see how it tastes:

"It might seem that one computer is pretty much like any other. Far from it: Each has a different clock setting, different fonts, different software and many other characteristics that make it unique."

That's talking about identifying and tracking a specific computer, not fingerprinting a user.

Re:Looks like it's time to: (1)

camperdave (969942) | more than 3 years ago | (#34408060)

That's talking about identifying and tracking a specific computer, not fingerprinting a user.

Yeah. I did a quick skim of the summary and came to the incorrect (and scary) conclusion that they were developing tech for a cell phone to scan the user's fingerprints as they were using the phone so that advertisers could uniquely identify people. I'm sure law enforcement folk would be jumping on that tech as well.

So... What is the sensor resolution of a touch screen phone, anyway?

can you say (2)

ecklesweb (713901) | more than 3 years ago | (#34405692)

Anonymous proxy?

Re:can you say (1)

memnock (466995) | more than 3 years ago | (#34405820)

so if i surf a lot of pr0n and republican/conservative websites (not my usual fare) it might throw them off of me personally, but i wonder how popular of a customer i'd become? if i have multiple tabs open in a variety of topics, how will they catalogue me?
or what if i use lynx? will they be able to tell i have a visual impairment?

Re:can you say (1)

Anonymous Coward | more than 3 years ago | (#34405976)

Or that you have a case impairment?

/ducks

Re:can you say (0)

Anonymous Coward | more than 3 years ago | (#34406468)

Well, it might "throw them off" in the sense of giving them bad advertising data.

But if you don't want to be identified easily, an unusual combination of behaviors would be counterproductive.

P.S.: That is on the assumption that your example is valid. I personally suspect "a lot of pr0n and republican/conservative websites" is a rather common combination.

Same goes for "a lot of pr0n" and anything.

Re:can you say (1)

Chuck Chunder (21021) | more than 3 years ago | (#34406054)

If all the anonymous proxy does is hide your IP address then it probably won't help much. Device fingerprinting is done using much more information than that (obviously, given the article mentions mobile devices which are highly unlikely to have a static IP).

Re:can you say (2)

cant_get_a_good_nick (172131) | more than 3 years ago | (#34408464)

I agree, my guess is they're using some techniques like panopticlick https://panopticlick.eff.org/ [eff.org]

I have a linux desktop with a couple programming fonts added, so i'm unique on the eff site.

Re:can you say (0)

Anonymous Coward | more than 3 years ago | (#34406074)

Won't matter how many proxies you use. It is looking at the details of your machine.

Re:can you say (2)

JustinOpinion (1246824) | more than 3 years ago | (#34406624)

Yes, you can probably use an anonymous proxy and/or randomly scramble your device's external signature (MAC address, browser string, response time, etc.) in order to make it harder to track you.

What I wonder is if companies will start differentiating between "good consumers" and "bad consumers". Right now we have access to many services because of an implicit agreement: "I'll let you access the site but you'll see some ads". But if they have a very fine-grained way to determine what consumers respond to ads, and what consumers don't respond to ads, that might drastically change this balancing act. In particular, they would just block "bad consumers", meaning anyone who doesn't spend a lot of money in a way correlated to the ads they see. Anyone who tries to hide their behavior using proxies, randomizing their devices, or otherwise making their behavior inconsistent (e.g. swapping devices with other people) will get labeled as "bad".

On the one hand you might say "Great! I won't have to see ads anymore!" But in reality it will mean that any "bad consumer" will just be blocked from any ad-supported site (or maybe just de-prioritized so the site is unbearably slow). Now, it would be difficult to condemn such actions: companies have the right to run their site as they see fit. It might also lead to a differentiated Internet, where some people (who are willing to be tracked and who spend "enough" to satisfy advertisers) go to ad-supported sites, and other people (who are "bad consumers") simply pay for access to sites/services without ads. Maybe that would be a good thing (advertising currently hides a lot of costs).

It's something to think about. If the advertisers have sufficiently fine-grained data, they can not only decide what ad to show you, but decide whether you're even worth the effort to give access to the site at all.

Re:can you say (0)

Anonymous Coward | more than 3 years ago | (#34407878)

But in reality it will mean that any "bad consumer" will just be blocked from any ad-supported site

Sold! If I can't visit a pay-per-click or pay-per-impression site, the site operator can't bill the advertiser for my visit. That's lower ratings=money for them, and less flashing neon "Shop for nuclear reactors in Yourtown" ads for me. Will I miss the content that I never get to see? Not as much as they'll miss getting paid if I did see it.

Re:can you say (1)

fractalus (322043) | more than 3 years ago | (#34408854)

Actually that's fine, too. If they start blocking people who don't spend enough money pre-emptively then suddenly they've sent potential future customers directly to their competitors. If you stop someone from even being able to be your customer, you can be certain they will never change their mind.

It's the same thing that happens to sites that have a following, then erect a paywall and discover nobody reads the site any more. They take the paywall down, but the users never come back. Any site that tries to block people based on their non-consuming will find themselves abandoned.

Could be a supporting reason for IPv6 (1)

mehrotra.akash (1539473) | more than 3 years ago | (#34405716)

Each user could be assigned a block of IP addresses, like a person's telephone number
Any devices owned by the user would use those IP addresses..
Quite easy to manage I guess

Re:Could be a supporting reason for IPv6 (0)

Anonymous Coward | more than 3 years ago | (#34405866)

That would require some central authority allocating those blocks of IPs.

Right now, I have internet on Comcast and phone on Verizon. Who is going to give both of those companies my block of IPs so that they can cooperate with each other and give me a list of IPs per device? There is no group or system that exists to do that.

Easy in theory, perhaps more difficult in practice until standards are produced.

Re:Could be a supporting reason for IPv6 (0)

Anonymous Coward | more than 3 years ago | (#34406212)

They don't need to, they just need some third party to associate the two. Let's say you log in to your Amazon account with IPs from each block? Well, now they're linked. You can have "degrees of confidence" of associations, etc. The technical details of how you'd set something like this up are interesting, even if the social results are horrifying.

Re:Could be a supporting reason for IPv6 (1)

mehrotra.akash (1539473) | more than 3 years ago | (#34406578)

Somewhat like OpenID, where all the IPs belonging to a user are linked to a master ID.. To identify a person linked to a particular IP, its respective master ID is used which gives the required information

Where is T.J. Kaczynski Jr.? (-1)

Anonymous Coward | more than 3 years ago | (#34405750)

You mean the Unabomber did not procreate?!

Will the United States of America be renamed.... (1)

Tig3rzhark (1225008) | more than 3 years ago | (#34405758)

...The Corporate States of America, once this technology is enabled on the new smartphones? This looks like a freedom-lover's worst nightmare. We have enough pop-up ads on the internet, now I have to deal with them on my phone too??

Re:Will the United States of America be renamed... (2)

oldspewey (1303305) | more than 3 years ago | (#34405980)

You know, it's easy to get inflamed about this idea since it's all about advertising, tracking, privacy, and corporate profits ... but if a similar article appeared about a system designed to counteract spam and fraud, I wonder what the reaction would be here on slashdot?

Re:Will the United States of America be renamed... (3, Informative)

LordNimon (85072) | more than 3 years ago | (#34406068)

This would be the reaction:

Your post advocates a

( ) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Will the United States of America be renamed... (3, Insightful)

gstoddart (321705) | more than 3 years ago | (#34406204)

Psst ... you're supposed to check the appropriate boxes or it's not funny. ;-)

Re:Will the United States of America be renamed... (1)

gstoddart (321705) | more than 3 years ago | (#34406190)

but if a similar article appeared about a system designed to counteract spam and fraud, I wonder what the reaction would be here on slashdot?

If it was this intrusive, I suspect not so well either.

It's not like we've shown wholesale support for "enhanced" pat-downs and invasive scans in the name of looking for bad guys. Most of us will be ready to pillory any idiot who says "if you're innocent, what are you worried about" -- because it's bullshit.

This level of invasiveness is just not something most of us are willing to live with. And, for the benefit of advertising, not at all.

Re:Will the United States of America be renamed... (1)

hedwards (940851) | more than 3 years ago | (#34406214)

Not likely, folks around here also get upset when this sort of thing is done for security reasons because it frequently ends up being used for other things. Sort of like the GPS built into handsets for 911 use which is now all of a sudden available for law enforcement surveillance. And how OnStar can initiate a session where they listen in to whatever you're doing in your car. Sure it doesn't have to happen, but in practice the spineless cowards demanding more safety tend to drown out the individuals who want a bit of balance.

Re:Will the United States of America be renamed... (1)

Lumpy (12016) | more than 3 years ago | (#34406246)

not really.

If you love privacy then you jailbreak/root your phone and disable this crap or install safeguards. My iPhone for example serves up ZERO ads in any apps and the browser, easy to do once you have access to the hosts file inside.

Re:Will the United States of America be renamed... (2)

mcgrew (92797) | more than 3 years ago | (#34408404)

Odd, a business can stalk you and it's "just business", but if I stalk you I'm a felon.

If the race is on (1)

Chuck Chunder (21021) | more than 3 years ago | (#34405770)

then this start up has left their start a little late. There's already a few people doing similar things, for example:
threatmetrix.com [threatmetrix.com]
www.iovation.com [iovation.com]

Re:If the race is on (1)

d6 (1944790) | more than 3 years ago | (#34406044)

I expect the company is getting attention due to a sudden influx of cash [worldnews.se]

>> There's already a few people doing similar things

Yep. My hosts file is full of them (and I am sure nowhere near being complete).

Re:If the race is on (1)

John Hasler (414242) | more than 3 years ago | (#34408396)

Good point. The Web sites are not going to do the analysis themselves: they're going to include a link to BlueCava. You and I will block BlueCava but they won't care because we are too small a minority to matter to advertisers. Thus we can "opt out" as we did with DoubleClick.

here's the real danger of this (1)

Anonymous Coward | more than 3 years ago | (#34405798)

Of course right now anyone who cares enough can block tracking scripts, web bugs, ad servers, and so on.

But if something like this would ever catch on in a big way, the internet could eventually be increasingly closed off to those without a good "score". The very act of acting to avoid being tracked will also put ever increasing amounts of the internet off limits.

Make no mistake, the internet may have started as an open thing, but it is a HUGELY juicy target for people wanting to control it. Anything they can do to this end, they will do. Right now someone motivated enough can avoid this control, but that isn't an acceptable situation for people who want to "monetize" every last damn thing. Users having ultimate control is not going to be something they will tolerate, because users with control can subvert their tracking and monetization intentions.

Interesting For Computer Forensics (3, Interesting)

bc90021 (43730) | more than 3 years ago | (#34405802)

This has VERY interesting possibilities for digital forensics as well. I get the feeling that the BlueCava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

Re:Interesting For Computer Forensics (3, Insightful)

_Sprocket_ (42527) | more than 3 years ago | (#34406136)

This has VERY interesting possibilities for digital forensics as well. I get the feeling that the BlueCava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

I would be very surprised if it hasn't dawned on them yet. From an interview [adexchanger.com]:

Businesses can also determine if devices have a history of committing fraud, so they can protect themselves.

Note in that interview, BlueCava CEO David Norris is very careful to portray the technology as linked solely to the device and not the user. And there is a lot of effort to portray BlueCava as providing control of information to the end user. But the reality is that linking user to device is trivial (as you noted) and end users tend to not grasp implications of data security. However, the initial money is unlikely to be in forensics and for the system to work, you have to convince people to not fight it.

Re:Interesting For Computer Forensics (1)

bc90021 (43730) | more than 3 years ago | (#34406508)

Excellent points!

Re:Interesting For Computer Forensics (0)

Anonymous Coward | more than 3 years ago | (#34406682)

I'm sure it has not just crossed their minds, but has been a potential selling point. If advertisers have it, LEOs have it (or can easily get access) and can use it for a criminal investigation.

Redundancy? (1)

RandomStrategy (1951080) | more than 3 years ago | (#34405808)

Don't MAC addresses do this already (aside from some of them being removable)?

Re:Redundancy? (2)

compro01 (777531) | more than 3 years ago | (#34405920)

No, because the MAC address isn't visible beyond the first router.

Re:Redundancy? (1)

HangingChad (677530) | more than 3 years ago | (#34406192)

True. That doesn't preclude the "fingerprint" technology using that as part of a unique hardware signature.

Re:Redundancy? (1)

Chuck Chunder (21021) | more than 3 years ago | (#34405990)

I believe that routers tend to fiddle with MAC addresses as the packets pass through them so they aren't something that is generally usable for that purpose over the internet.

Re:Redundancy? (1)

Lumpy (12016) | more than 3 years ago | (#34406268)

ALL MAC addresses are changeable, and they don't survive the first router.

anti-piracy (0)

Anonymous Coward | more than 3 years ago | (#34405810)

I thought that read "anti-privacy". It turns out to have the same meaning.

how about (2)

phantomfive (622387) | more than 3 years ago | (#34405838)

How about we make it a 64 bit id and call it an ip address? Having a static, routable IP address would make it worth it to me. Then when I really want privacy I can use a proxy.

It looks like in this case they are trying to use the UserAgent and other info available to javascript, like the EFF warned about [eff.org]. Check that link out, you can discover how unique your browser is.

Re:how about (0)

Anonymous Coward | more than 3 years ago | (#34406084)

I went to that site and most of the entries were just listed as "no javascript", but interestingly, the UA string + enabled cookies were enough to peg me to 1:128000. My UA was:

Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.04 (lucid) Firefox/3.6.12

I'm surprised my value is so uncommon. Let's make something up and say there are 150 million people in the USA browsing the web from their PCs sometime during a day. So there are only around 1100 people in the whole United States using Firefox 3.6 on Ubuntu Lucid running on a 64 bit system? Really? Maybe, just seems hard to believe.

Re:how about (1)

H0p313ss (811249) | more than 3 years ago | (#34406196)

So there are only around 1100 people in the whole United States using Firefox 3.6 on Ubuntu Lucid running on a 64 bit system? Really? Maybe, just seems hard to believe.

With all those variables I'm surprised there are that many: [personal experience in parenthesis]

  • Firefox market penetration is dropping. [After years as a Firefox user I've actually moved to chrome on all my machines]
  • There are MANY flavors of Linux and you're using an out of date version of Ubuntu. [I moved to 10.10 months ago...]
  • Not everybody has migrated to 64 bit machines. [Well yes I have, but if I say 64 bit to anyone outside of work they look at me funny]

Re:how about (1)

vuke69 (450194) | more than 3 years ago | (#34406234)

"Your browser fingerprint appears to be unique among the 1,278,332 tested so far."

Well fuck me sideways.

Re:how about (2)

DrgnDancer (137700) | more than 3 years ago | (#34406576)

You think that's weird, try it with JavaScript enabled. My browser signature is *unique*. Apparently no one in the 1.2 million or so person sample group is using the latest Firefox on WinXP with my particular combination of add-ons (yes, it could see my add-ons). Which means... Relatively more "power-users" are easily identifiable by this technology than "normal people". The more vanilla your browser set-up is, the harder you are to recognize (at least through this metric)

Re:how about (1)

Inda (580031) | more than 3 years ago | (#34407360)

Unique too :(

We are the easiest to track because we are more likely to install add-ons, fonts, etc. Flash block is a dead give-away, according to the documentation.

We're all doomed.

Did you get the memo? (1)

daeglo (1822126) | more than 3 years ago | (#34407506)

Of course low numbers are to be expected with a Linux entry in the fingerprint: NEXT year is the year of the linux desktop!

Re:how about (1)

Lumpy (12016) | more than 3 years ago | (#34406312)

Someone can easily write a Firefox plugin that will munge the javascript data. Make it random every time or hide everything but "standard" stuff. If you look like everyone else, you can hide in plain sight.

Re:how about (1)

AltairDusk (1757788) | more than 3 years ago | (#34406964)

If we can find out what all of the information they are tracking to create this fingerprint is, there should be a way via browser extension (which would need to be created) to whittle down what is actually transmitted to the most generic set that provides the minimal info necessary to correctly view the page. For example, I don't see why the user agent string needs to be accurate beyond your browser and major version.
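Added example, not part of the thread: a measurement of what coarsening the User-Agent to browser and major version does to anonymity-set sizes, plus the "one in N" figures quoted in this discussion expressed as bits. The eight observations, the field names and every User-Agent except the Ubuntu one quoted above are constructed for illustration.

```python
import math
import re
from collections import Counter

FIELDS = ("user_agent", "screen", "fonts")

UA_LINUX_FF = ("Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) "
               "Gecko/20101027 Ubuntu/10.04 (lucid) Firefox/3.6.12")  # quoted in the thread
# The remaining User-Agent strings are constructed.
UA_XP_FF_12 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) "
               "Gecko/20101026 Firefox/3.6.12")
UA_XP_FF_10 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) "
               "Gecko/20100914 Firefox/3.6.10")
UA_XP_FF_8 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) "
              "Gecko/20100722 Firefox/3.6.8")
UA_XP_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_W7_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"

# Constructed observations: (user agent, screen size, font-set label).
RECORDS = [dict(zip(FIELDS, row)) for row in [
    (UA_LINUX_FF, "1600x1200", "linux+programming"),
    (UA_XP_FF_12, "1600x1200", "win-default"),
    (UA_XP_FF_10, "1600x1200", "win-default"),
    (UA_XP_FF_12, "1280x1024", "win-default+office"),
    (UA_XP_FF_8, "1280x1024", "win-default+office"),
    (UA_XP_IE8, "1280x1024", "win-default"),
    (UA_XP_IE8, "1280x1024", "win-default"),
    (UA_W7_IE8, "1280x1024", "win-default"),
]]


def surprisal_bits(one_in_n):
    """Identifying information, in bits, of a value shared by 1 in N browsers."""
    return math.log2(one_in_n)


def coarsen_user_agent(ua):
    """Keep only the browser family and major version."""
    m = re.search(r"(Firefox|Chrome|MSIE)[/ ](\d+)", ua)
    return f"{m.group(1)}/{m.group(2)}" if m else "other"


def with_coarse_user_agent(records):
    """Copy of the records with the User-Agent reduced as above."""
    return [{**r, "user_agent": coarsen_user_agent(r["user_agent"])}
            for r in records]


def set_sizes(records, fields=FIELDS):
    """For each record, the number of records sharing its fingerprint."""
    def key(r):
        return tuple(r[f] for f in fields)
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]


def unique_fraction(records, fields=FIELDS):
    """Share of records whose fingerprint nobody else has."""
    sizes = set_sizes(records, fields)
    return sum(1 for s in sizes if s == 1) / len(sizes)


if __name__ == "__main__":
    for n in (394, 16_000, 128_000):   # "one in N" figures quoted in the thread
        print(f"1 in {n}: {surprisal_bits(n):.2f} bits")
    print("unique, full UA:  ", unique_fraction(RECORDS))
    coarse = with_coarse_user_agent(RECORDS)
    print("unique, coarse UA:", unique_fraction(coarse))
    print("set sizes, coarse:", set_sizes(coarse))
```

In this sample the coarse User-Agent merges the stock Windows installs into shared sets, while the Linux record with added fonts stays alone because its font set still singles it out.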

Re:how about (1)

maztuhblastah (745586) | more than 3 years ago | (#34408930)

Within our dataset of several million visitors, only one in 394 browsers have the same fingerprint as yours.

Fun fact: a browser that doesn't send a User-agent header and uses a whitelist for cookies and JS is actually damn hard to fingerprint.

Better not tell the BlueCava guys about this super-secret hax0r trick...

So where's the Firefox fingerprint changer plugin? (1)

John Hasler (414242) | more than 3 years ago | (#34405860)

n/t

Simple (0)

Anonymous Coward | more than 3 years ago | (#34405874)

Don't use a cellphone. Use Web browsers you can control.

Re:Simple (1)

oldspewey (1303305) | more than 3 years ago | (#34406000)

There's a Soviet Russia meme hiding in your post somewhere ... I can feel it.

Re:Simple (1)

silverglade00 (1751552) | more than 3 years ago | (#34406138)

In Soviet Russia, cellphones don't use YOU!

There ya go.

Re:Simple (2)

Yvan256 (722131) | more than 3 years ago | (#34407268)

In Soviet USA, advertisers control YOU!

Techniques (1, Insightful)

vlm (69642) | more than 3 years ago | (#34405888)

So, let's make fun of their proposed techniques. From the fine article:

1) Delta T between local clock and webserver clock. solution, NTP brings that to zero aside from timezone, and also don't let your browser tell the server what time it thinks it is.

2) Fonts. You gotta be kidding. Surrogate for the combo of OS and locale. I have not installed a font on a microsoft product since winders 3.11 era.

3) Screen size. Again, you gotta be kidding. Also tell your browser not to tell the server, or lie with a small random delta.

4) Browser plugins installed. Again, you gotta be kidding.

5) User agent. People have been spoofing those for the past 15 years, mostly just "recently updated FF, MSIE, or ancient debris".

Adds up to .... Um... So my unique device lives in central time zone, has a 1600x1200 monitor, XP, and the standard plugins. That narrows me down to a couple million devices.

Re:Techniques (1)

iammani (1392285) | more than 3 years ago | (#34406174)

1) Except for the round trip time for you to talk to the server. It only makes it better for them that NTP makes this more accurate.
2) You manually did not install it, but some applications still install fonts they use.
3) You would be identified as someone who changes screen size too often and after a while become unique.
4) Refer to 3. Besides, the versions of Flash and Acrobat Reader you are running also make you unique.
5) That makes you unique. You must be the only one with user agent as "recently updated FF, MSIE, or ancient debris".
The best is to hide in the crowd, get the most commonly used processor (sometimes websites can identify the processors), most commonly used OS and browser (do you use FF by the way?), and most commonly used setup (plugins, no hifi extensions)

Re:Techniques (1)

bluefoxlucid (723572) | more than 3 years ago | (#34406208)

See this is what I'm thinking. Do-not-track regulation? Fuck that. What we need are general tools to fuck up their tracking. It's a system we're against? So we need laws? No, we need counter-tactics.

Re:Techniques (1)

0123456 (636235) | more than 3 years ago | (#34407884)

So we need laws? No, we need counter-tactics.

Ideally we need to get rid of Javascript and Flash. Allowing people to run arbitrary code on your computer from a remote system was always going to turn out to be a really bad idea.

On the plus side, by blocking Javascript and Flash from sites which do this tracking your 'unique fingerprint' suddenly becomes a lot less unique.

Re:Techniques (1)

bluefoxlucid (723572) | more than 3 years ago | (#34408972)

Yes, but as with anything, JavaScript was also extremely powerful. Flash not so much (extremely SLOW). A lot of really nice stuff exists solely because of javascript, without which we would have a lot more loading and reloading the same content.

Re:Techniques (1)

H0p313ss (811249) | more than 3 years ago | (#34406242)

1) Delta T between local clock and webserver clock. solution, NTP brings that to zero aside from timezone

I suggest you go back and re-read "Time, Clocks and the Ordering of Events in a Distributed System". I don't think you understood it the first time.

Re:Techniques (0)

Anonymous Coward | more than 3 years ago | (#34406292)

http://panopticlick.eff.org/

Re:Techniques (1)

Dr_Barnowl (709838) | more than 3 years ago | (#34406392)

There have been fingerprinting systems posted to Slashdot that were surprisingly specific.

Panopticlick [eff.org], the one that EFF runs for awareness, says I'm unique, out of 1.2M visitors.

My plugin config is unique. My font config is 1 / 16,000 users. Admittedly, I'm using a non-default browser on a niche operating system, but you'd be surprised what does install things like fonts and plugins - applications (like Office), etc.
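An added example, not part of the thread and not Panopticlick's own code, of the kind of measurement being argued over here: how many bits each attribute reveals on its own, and how many recorded visitors share the full combination. The population, attribute values and counts are constructed for illustration.

```python
import math
from collections import Counter

FIELDS = ("user_agent", "screen", "timezone", "fonts")

# Constructed population of 1,000 visitors; all values and counts are invented.
POPULATION = (
    [("FF3.6/WinXP", "1024x768", "UTC-6", "fonts-default")] * 400
    + [("FF3.6/WinXP", "1600x1200", "UTC-6", "fonts-default")] * 60
    + [("MSIE8/WinXP", "1024x768", "UTC-5", "fonts-default")] * 500
    + [("MSIE8/WinXP", "1024x768", "UTC-5", "fonts-office")] * 39
    + [("FF3.6/Linux", "1600x1200", "UTC-6", "fonts-custom")] * 1
)

def attribute_bits(population, visitor):
    """Surprisal in bits of each of the visitor's values, taken on its own."""
    total = len(population)
    bits = {}
    for i, name in enumerate(FIELDS):
        counts = Counter(record[i] for record in population)
        # A value never seen before is treated as 1-in-(total+1).
        seen = counts[visitor[i]]
        p = seen / total if seen else 1 / (total + 1)
        bits[name] = -math.log2(p)
    return bits

def anonymity_set(population, visitor, fields=FIELDS):
    """How many recorded visitors match the visitor on every chosen field."""
    idx = [FIELDS.index(f) for f in fields]
    return sum(all(r[i] == visitor[i] for i in idx) for r in population)

COMMON_XP = ("FF3.6/WinXP", "1600x1200", "UTC-6", "fonts-default")
NICHE = ("FF3.6/Linux", "1600x1200", "UTC-6", "fonts-custom")
# Same machine as COMMON_XP with only the user agent spoofed.
SPOOFED = ("MSIE8/WinXP", "1600x1200", "UTC-6", "fonts-default")

if __name__ == "__main__":
    for label, v in (("common", COMMON_XP), ("niche", NICHE), ("spoofed", SPOOFED)):
        bits = {k: round(b, 2) for k, b in attribute_bits(POPULATION, v).items()}
        print(label, "matches:", anonymity_set(POPULATION, v), bits)
```

In this constructed data the spoofed profile matches no recorded visitor even though each of its values is common by itself, because attributes are correlated and the combination is what gets compared.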

Re:Techniques (1)

Lumpy (12016) | more than 3 years ago | (#34406408)

1 - send random time to javascript and flash. Foiled.
2 - send ONLY standard OS install font list to javascript and Flash. Foiled.
3 Screen size send 1024X768 only.. Foiled.
4 List only standard plugins.
5 User Agent, again munge it to only send a generic.

Firefox is open source. All of the above can easily be done to make a "screw you" version of Firefox that will hurt fingerprinting. If a LOT of people use that version then it goes even further to destroy the fingerprinting.

Honestly, why are the creators of firefox and Javascript not already adding these changes?

Re:Techniques (1)

iammani (1392285) | more than 3 years ago | (#34406570)

3. Yeah foolproof unless it measures the size of the banner that has been set to stretch till it fits the width of the screen
4. Until the server tries to poke you by sending a flash video (when you claim to not have it) and maybe tries to display an ad (when you claim to not have adblock)
5. Depending on the User Agent you send, the server can send you a set of Javascript tests that run on your machine and see if you are lying.

Besides you only have to go wrong once and you become completely unique henceforth.

Re:Techniques (1)

Chuck Chunder (21021) | more than 3 years ago | (#34406446)

Make fun all you like but this is already being done and works rather well.
Try your own computer [eff.org] (and that's using very basic fingerprinting).
That a tiny percentage of users may take measures against such fingerprinting is irrelevant. At worst they are an irrelevantly small number and the fact such machines would appear to be attempting to avoid fingerprinting might be enough of a risk identifier in itself (for ecommerce transactions for example).

Re:Techniques (0)

Anonymous Coward | more than 3 years ago | (#34406464)

This has NOTHING to do with being able to actually track a user in a valid sense... and EVERYTHING to do with being able to convince OTHER companies to PAY YOU MONEY for what you claim to have.

Insert obligatory /. 1,2,...Profit here.

Re:Techniques (1)

phantomfive (622387) | more than 3 years ago | (#34406552)

If you're so certain, try the Panopticlick from the EFF. See how unique you truly are [eff.org].

My granular data... (1)

Iphtashu Fitz (263795) | more than 3 years ago | (#34405900)

My profile will tell advertisers to leave me the f*ck alone. I don't want all their crap. I don't want them tracking me. I won't buy the crap they push on me. They're wasting their time and money by trying to track me and advertise to me.

So you're a deadbeat :/ (1)

Toe, The (545098) | more than 3 years ago | (#34406100)

That is an interesting take. Let the advertisers target the hyper-consumerists (ie, the majority) and leave the rest of us alone.

Of course, then they might object to giving "deadbeats" access to "free" content which is ad-based. Why allow us to watch X if we're not going to pony up for the shiny things being advertised between bits of content?

Re:My granular data... (0)

Anonymous Coward | more than 3 years ago | (#34406660)

Did you buy the computer you are posting on? How did you pick it? Did you buy it at a store that tracks orders in computer systems? TV ads, print ads, banners, magazine/blog articles that are just ads, sites like /. that have ads and where you log on... you're already advertised to and tracked, and it works. Stop kidding yourself.

Re:My granular data... (0)

Anonymous Coward | more than 3 years ago | (#34408650)

Slashdot has ads?

I love capitalism (1)

xkr (786629) | more than 3 years ago | (#34405932)

Damn, I love capitalism!

You have every right to track my activities and I have every right to purchase back my own privacy.

Is everybody happy? I am.

Re:I love capitalism (2)

Johnny5000 (451029) | more than 3 years ago | (#34406266)

You have every right to track my activities and I have every right to purchase back my own privacy.

Why should you have to purchase back something that rightfully belongs to you?

Re:I love capitalism (1)

xkr (786629) | more than 3 years ago | (#34407592)

I personally think there should be a constitutional amendment protecting privacy. But there is not. Besides, buying your privacy is surprisingly cheap.

Good Luck (1)

mounthood (993037) | more than 3 years ago | (#34405974)

They not only have to profile all devices on almost all sites, they also have to get merchants to share who made a purchase. Vendors aren't going to share this for free and without any control. Then they'll have to get the EU to approve it.

Raise the Noise Level (1)

Philomage (1851668) | more than 3 years ago | (#34405982)

The way I see it, people need to share their surfing. Make the tracking companies see the aggregate of several (random) people's surfing habits rather than just one. Maybe random swapping of IP addresses from time-to-time? (I'm not trained in internet protocols, so I have no idea how this would be done.)

Re:Raise the Noise Level (1)

bluefoxlucid (723572) | more than 3 years ago | (#34406216)

It'd be like random swapping of addresses. Think how ZIP codes work.

Re:Raise the Noise Level (1)

Philomage (1851668) | more than 3 years ago | (#34406344)

Actually, user vlm above has a post about techniques and that's more along the lines of what I was thinking (if I knew more about the internet and what they're actually tracking).

The more clutter the tracking agents receive, the better off the general public will be.

Besides, changing ZIP codes works fine; people do it all the time, just think "change of address forms".

Re:Raise the Noise Level (1)

hAckz0r (989977) | more than 3 years ago | (#34408096)

Changing the IP would not work well and it may be different from session to session anyway due to dynamic IP allocation at your ISP. What you need is a browser plugin that injects a seed of randomization into the browser information returned to the collection server, which changes that seed in an unpredictable way. If each http connection back to the server exchanges different "user" information then their whole scheme for collecting 'some sense of uniqueness' is blown completely out of the water.

That's What They Want You To Think: +1, True (0)

Anonymous Coward | more than 3 years ago | (#34405986)

"the race is on develop digital fingerprint technology to identify how we use our computers,
mobile devices and TV set-top boxes."

should read:

"the race, FUNDED BY THE N.S.A., is on develop digital fingerprint technology to identify
the USERS of computers, mobile devices and TV set-top boxes."

Yours In Minsk,
Kilgore T.

How is this (1)

bugs2squash (1132591) | more than 3 years ago | (#34406108)

anything more than a new gee-whiz "service" for Madison Ave. to tout. Where's the demonstrable benefit to businesses?

As long as it's opt in, then fine (1)

Oflife (1636567) | more than 3 years ago | (#34406124)

(As subject line.)

The movies might not be wrong... (1)

Anonymous Coward | more than 3 years ago | (#34406166)

In a few years, we can all dine out at Taco Bell as we watch President Schwarzenegger discuss how our corporate overlords love and cherish us, and how they have our best interests at heart.

This has 1984 written all over it. This technology can and will be abused.

Re:The movies might not be wrong... (1)

bluefoxlucid (723572) | more than 3 years ago | (#34406240)

We can and will abuse this technology with anti-forensics. Eventually our user agent will say, "Firefox on Windows. Fuck you, bitch." Today it says "Firefox on Windows XP with these plug-ins, these fonts, given time, screen resolution, patch level, version of .NET installed..." Uh. We should have a per-site configuration to even identify that Flash is installed or run add-ons, much less tell the world what we have or let them query everything through Javascript.

I'm going to need one of two things then: (1)

kheldan (1460303) | more than 3 years ago | (#34406418)

Either a way to completely disable their ability to do this, or to get off the internet permanently. DO. NOT. WANT.

Terminology (5, Insightful)

HTH NE1 (675604) | more than 3 years ago | (#34406426)

When one person does it to another, it's called stalking. When a corporation does it to everyone it's called marketing.

That's Fine But... (1)

rshol (746340) | more than 3 years ago | (#34406428)

...I don't view ads on the internet. Ever. Not on my phone, not on my desktop/laptop, nowhere. The only advertising I see is on live sporting events on TV. Otherwise I watch TV delayed on my DVR and zap through the ads. They can waste all the money they want on me. I'm not looking at ads.

BlueCava, an anti-privacy company spinoff (1)

countSudoku() (1047544) | more than 3 years ago | (#34406526)

There I fixed their shithole tag-line. (Making a note not to ever do work or business with these annoying assholes.)

Privy, See? (1)

elkawuf (1925674) | more than 3 years ago | (#34406816)

Every time a story pops up about another company trying to figure out ways of monetizing personal information people get up in arms about privacy. I have mixed feelings on the subject, since advertising is what pays for a lot of free services. Between hulu, pandora, and gmail I am happy to be in the cross hairs of advertisers. That said, I do wonder precisely who this information would be valuable to. Imagine a potential employer being able to drop a few dollars to pick up data on your browsing history, buying habits, and memberships on different web sites. "Sure, we were going to hire you... but then we noticed you tend to post on slashdot during work hours!"