Browser data is valuable data. Marketing companies and advertising agencies want to know everything they can about user surfing and buying habits, and cybercriminals leverage this information to create targeted attacks. To accomplish this aim, advertisers and fraudsters widely use single-browser fingerprinting (SBF) to keep tabs on users without their knowledge.

As noted by Bleeping Computer, however, a team of U.S. researchers developed a set of cross-browser fingerprinting (CBF) techniques to identify underlying hardware components and snoop on users, no matter which browsing platform they choose.

Cross-Browser Fingerprinting Tracks User Habits

Single-browser tracking has enjoyed marked success, but attempts to follow users from browser to browser largely fell flat since each offering processed and handled information differently. According to ZDNet, the new work by Yinzhi Cao and Song Li of Lehigh University in Pennsylvania and Erik Wijmans of Washington University in St. Louis resulted in a cross-browser method able to identify 99.24 percent of desktop users.

The trick lies in making browsers perform operations using computer hardware rather than staying in-program and then tying these hardware components to specific systems. Already, the team has tracked users via:

  • Screen resolution: Often used for SBF, this measure was considered unreliable for CBF. With in-browser zoom levels factored in, this is a reliable tracking method.
  • Audio context: By measuring how audio signals are processed and handled by the onboard sound card, it’s possible to identify the same user across different browsers.
  • Vertex shader: Since vertex shaders are used by the graphics processing unit (GPU) and graphics driver rather than the browser, they can be traced to specific users.
  • Number of central processing unit (CPU) virtual cores: Using the browser parameter “hardwareConcurrency,” researchers were able to determine unique maximum thresholds.

All major browsers are vulnerable to these techniques, except for the Tor browser. Since its primary function is internet anonymity, the browser intentionally normalizes outputs to obfuscate user details.

Ad Absurdum

So what does the advent of more powerful CBF techniques mean for users? In all likelihood, it means more tailored advertisements appearing more often, since companies have access to a bigger pool of increasingly specific data. Of course, big browser-makers such as Microsoft and Google could push back to reduce the chance of fingerprinting, but the chances are hit-and-miss since ad revenue is a huge part of their business models.

Consider the recent removal of Chrome extension AdNauseum, which not only hid ads from users but actively clicked every ad in the background to create fake data profiles and confound marketing agencies. At the start of 2017, the extension was suddenly dropped and its creator given a stock explanation. In all likelihood, it stems from a need for tech giants to walk the line between protecting user privacy and leveraging their data for profit.

Tor: An Illusion of Privacy

It’s also worth noting that the Tor browser isn’t entirely safe from tracking. According to Naked Security, a technique called ultrasound cross-device tracking (uXDT) emerged in 2012. Put simply, it uses ultrasonic sounds played during TV or computer advertisements, which are then picked up by smartphones using uXDT-enabled apps. Users don’t hear the sound, and details about their viewing and surfing habits are sent to companies or cybercriminals without their knowledge or consent.

Applied to the Tor network, researchers discovered that it’s possible to set up a beacon site that plays the ultrasonic sound. If Tor users visit the site, their own phones could pick up the signal and unmask their activity.

The bottom line is that browser data is big business. New CBF techniques make it easier for companies to follow web surfers wherever they go — and harder for users to hide in plain sight.

more from

What Do Financial Institutions Need to Know About the SEC’s Proposed Cybersecurity Rules?

On March 9, the U.S. Securities and Exchange Commission (SEC) announced a new set of proposed rules for cybersecurity risk management, strategy and incident disclosure for public companies. One intent of the rule changes is to provide “consistent, comparable and decision-useful” information to investors. Not yet adopted, these new rules – published in the Federal […]