NEWS


Computing Now Exclusive Content — April 2010

News Archive

July 2012

Gig.U Project Aims for an Ultrafast US Internet

June 2012

Bringing Location and Navigation Technology Indoors

May 2012

Plans Under Way for Roaming between Cellular and Wi-Fi Networks

Encryption System Flaw Threatens Internet Security

April 2012

For Business Intelligence, the Trend Is Location, Location, Location

Corpus Linguistics Keep Up-to-Date with Language

March 2012

Are Tomorrow's Firewalls Finally Here Today?

February 2012

Spatial Humanities Brings History to Life

December 2011

Could Hackers Take Your Car for a Ride?

November 2011

What to Do about Supercookies?

October 2011

Lights, Camera, Virtual Moviemaking

September 2011

Revolutionizing Wall Street with News Analytics

August 2011

Growing Network-Encryption Use Puts Systems at Risk

New Project Could Promote Semantic Web

July 2011

FBI Employs New Botnet Eradication Tactics

Google and Twitter "Like" Social Indexing

June 2011

Computing Commodities Market in the Cloud

May 2011

Intel Chips Step up to 3D

Apple Programming Error Raises Privacy Concerns

Thunderbolt Promises Lightning Speed

April 2011

Industrial Control Systems Face More Security Challenges

Microsoft Effort Takes Down Massive Botnet

March 2011

IP Addresses Getting Security Upgrade

February 2011

Studios Agree on DRM Infrastructure

January 2011

New Web Protocol Promises to Reduce Browser Latency

To Be or NAT to Be?

December 2010

Intel Gets inside the Helmet

Tuning Body-to-Body Networks with RF Modeling

November 2010

New Wi-Fi Spec Simplifies Connectivity

Expanded Top-Level Domains Could Spur Internet Real Estate Boom

October 2010

New Weapon in War on Botnets

September 2010

Content-Centered Internet Architecture Gets a Boost

Gesturing Going Mainstream

August 2010

Is Context-Aware Computing Ready for the Limelight?

Flexible Routing in the Cloud

Signal Congestion Rejuvenates Interest in Cell Paging-Channel Protocol

July 2010

New Protocol Improves Interaction among Networked Devices and Applications

Security for Domain Name System Takes a Big Step Forward

The ROADM to Smarter Optical Networking

Distributed Cache Goes Mainstream

June 2010

New Application Protects Mobile-Phone Passwords

WiGig Alliance Reveals Ultrafast Wireless Specification

Cognitive Radio Adds Intelligence to Wireless Technology

May 2010

New Product Uses Light Connections in Blade Server

April 2010

Browser Fingerprints Threaten Privacy

New Animation Technique Uses Motion Frequencies to Shake Trees

March 2010

Researchers Take Promising Approach to Chemical Computing

Screen-Capture Programming: What You See is What You Script

Research Project Sends Data Wirelessly at High Speeds via Light

February 2010

Faster Testing for Complex Software Systems

IEEE 802.1Qbg/h to Simplify Data Center Virtual LAN Management

Distributed Data-Analysis Approach Gains Popularity

Twitter Tweak Helps Haiti Relief Effort

January 2010

2010 Rings in Some Y2K-like Problems

Infrastructure Sensors Improve Home Monitoring

Internet Search Takes a Semantic Turn

December 2009

Phase-Change Memory Technology Moves toward Mass Production

IBM Crowdsources Translation Software

Digital Ants Promise New Security Paradigm

November 2009

Program Uses Mobile Technology to Help with Crises

More Cores Keep Power Down

White-Space Networking Goes Live

Mobile Web 2.0 Experiences Growing Pains

October 2009

More Spectrum Sought for Body Sensor Networks

Optics for Universal I/O and Speed

High-Performance Computing Adds Virtualization to the Mix

ICANN Accountability Goes Multinational

RFID Tags Chat Their Way to Energy Efficiency

September 2009

Delay-Tolerant Networks in Your Pocket

Flash Cookies Stir Privacy Concerns

Addressing the Challenge of Cloud-Computing Interoperability

Ephemeralizing the Web

August 2009

Bluetooth Speeds Up

Grids Get Closer

DCN Gets Ready for Production

The Sims Meet Science

Sexy Space Threat Comes to Mobile Phones

July 2009

WiGig Alliance Makes Push for HD Specification

New Dilemnas, Same Principles:
Changing Landscape Requires IT Ethics to Go Mainstream

Synthetic DNS Stirs Controversy:
Why Breaking Is a Good Thing

New Approach Fights Microchip Piracy

Technique Makes Strong Encryption Easier to Use

New Adobe Flash Streams Internet Directly to TVs

June 2009

Aging Satellites Spark GPS Concerns

The Changing World of Outsourcing

North American CS Enrollment Rises for First Time in Seven Years

Materials Breakthrough Could Eliminate Bootups

April 2009

Trusted Computing Shapes Self-Encrypting Drives

March 2009

Google, Publishers to Try New Advertising Methods

Siftables Offer New Interaction Model for Serious Games

Hulu Boxed In by Media Conglomerates

February 2009

Chips on Verge of Reaching 32 nm Nodes

Hathaway to Lead Cybersecurity Review

A Match Made in Heaven: Gaming Enters the Cloud

January 2009

Government Support Could Spell Big Year for Open Source

25 Reasons For Better Programming

Web Guide Turns Playstation 3 Consoles into Supercomputing Cluster

Flagbearers for Technology: Contemporary Techniques Showcase US Artifact and European Treasures

December 2008

.Tel TLD Debuts As New Way to Network

Science Exchange

November 2008

The Future is Reconfigurable

Browser Fingerprints Threaten Privacy

by George Lawton

The ongoing contest between Web users' privacy and behavior-tracking browser applications has moved from cookies to fingerprints. By gathering seemingly insignificant bits of information, such as a browser's version number and plug-ins, websites can uniquely identify ("fingerprint") a browser and, in extreme cases, its user. Browser fingerprints track users more accurately than cookies. They're also harder to detect and erase than predecessor technologies — including supercookies such as Flash local stored objects (LSOs). Moreover, their presence and sophistication are growing — not least because the technology has useful applications in detecting fraudulent online bank and merchant transactions.

And right now, websites can implement browser fingerprinting without user consent or knowledge, said Seth Schoen, staff technologist at the Electronic Frontier Foundation (EFF).

"We might not object to a financial site using these techniques to reduce fraud," Schoen said, "but that doesn't necessarily mean the technique should exist or that browsers shouldn't take measures to reduce distinctiveness. It's a problem when people can be tracked without their knowledge in a way that doesn't let them take measures to control tracking."

Internet Tracks

Websites commonly drop small files on visitors' browsers to record information about their visit, such as the items they looked at on a store or the articles they read at a news site. The practice can benefit visitors in some ways — for example, by reducing the need to reenter their names and passwords every time they check into a site.

However, privacy advocates have long condemned the practice when it's implemented without users' knowledge. They've focused on sites that didn't disclose the activity and on services, such as Doubleclick, that tracked a user's actions across multiple sites. Browser makers have responded by developing more sophisticated privacy-management tools that let users better manage cookies or choose a private browsing mode to surf anonymously. As consumers began adopting these tools, cookies became less effective for tracking online behavior. Many websites subsequently began using Flash LSOs. Because Flash is installed on over 99 percent of all browsers, it served essentially the same function as cookies. Additionally, it allowed multiple browsers to use the same LSOs.

This issue drew a lot of attention last year, when Berkeley researchers found that many sites were using Flash cookies without noting it in their privacy policies (www.computer.org/portal/web/computingnow/archive/news032). Adobe responded by improving the user tools for managing Flash supercookies. Flash version 10.1, which is scheduled for general release later this year, will include privacy enhancements that the company says will better mirror a local browser's privacy settings, including the option to completely disable Flash cookies and surf in a private browsing mode.

Again, these improvements are reducing tracking effectiveness. Results from a 2010 study conducted by Scout Analytics, a Web analytics service provider, showed that generic cookies overstating the number of unique users by two to four times and Flash cookies overstating results by 10 to 15 percent, which could increase when Flash upgrades its privacy-management tools.

Browser Entropy and User Privacy

Browser fingerprinting is the next generation of tracking technology. It's based on the idea of reducing the information entropy, or randomness, associated with identifying a variable. We can measure entropy in bits, and new information can reduce the amount of entropy by a certain number of bits. For example, learning someone's sex reduces entropy by 1 bit (21 = 2), while learning their birth month reduces entropy by 3.58 bits (23.58 = 12). Not all information bits lead to a closer identification, but to put this idea in context: In 2000, Latanya Sweeny — a professor of computer science at Carnegie Mellon University and director of its Laboratory for International Data Privacy — showed that 87 percent of Americans could be uniquely identified from three bits of information: birth date, zip code, and sex.

Some combinations of browser information can reduce device entropy by 18 bits or more. A crude form of the technique has been possible since HTTP 1.1 began supporting queries of up to 11 browser variables, such as its operating system, browser version, language, remote address, and file types it can open. About half these variables are useful for identifying a device, said Avivah Litan, research director at Gartner Group. But these don't reduce entropy enough to uniquely identify users.

Henrik Gemal, Danish Web applications developer, introduced JavaScript-based browser fingerprinting in 1999, when he built BrowserSpy as a collection of JavaScript utilities that could detect a browser’s name and version. At the time, he meant merely to demonstrate the privacy weaknesses in all browsers.

Browser Fingerprinting in Fraud Detection

In 2005, researchers at the University of California, San Diego, found variables that could measure across browsers or even multiple virtual machines on the same physical device. By measuring subtle shifts in the way different clocks track time, they reduced entropy in device IDs by 6.44 bits, making the odds of identifying a unique machine 1 in 86. This spurred the interest of Web fraud-detection vendors, who were developing techniques to help banks and merchants, noted Cory Siddens, senior product manager at CyberSource.

These vendors began using device fingerprints to identify multiple logins or purchases from otherwise unique identities. "Fraudsters are often very good at obtaining complete identities with no interconnected characteristics," Siddens explained. "But placing orders and logins from unique machines is much more difficult. Typical fraud-detection systems will contain functionality to look for linkages between orders and velocities around transactions. Without a device fingerprint, the fraudsters are using perfect fraudulent identities to evade linkage/velocity-checking systems."

According to a 2009 report from Javelin Research, identity fraud costs about $54 billion per year in the United States alone. Sophisticated browser finger-printing techniques could decrease fraud by 15 percent, said Gartner's Litan. Consequently, several vendors have sprung up to apply them to banking and merchant transactions as well as to travel agency and even dating sites, said Ori Eisen, chair of The 41st Parameter, a technology provider for online device intelligence and identification. Other vendors include CyberSource, Arcot, Iovation, ThreatMetrix, and Scout Analytics.

Burton-Taylor, which tracks the financial services publishing market, estimates the annual information services market at US$23 billion. Scout Analytics has launched a service to reduce password sharing for these exclusive publishing services. The service combines browser fingerprinting with a unique biometric based on a user's typing pattern to distinguish an authorized user from, say, a friend. Publishers generally see a 15 percent revenue increase from deploying this type of security, said Matt Shanahan, Scout Analytics' senior vice president of strategy.

One limitation of browser fingerprinting is that applications are more difficult to program than they are with other client-identification techniques, said Shanahan. They also require more storage, computation, and bandwidth, and functions such as link checking increase resource requirements even further. Finally, browser fingerprinting isn’t as effective on mobile platforms, which tend to have more constant font sets and browser versions.

Privacy Holes

Privacy concerns go beyond identity theft and fraud, of course. One fingerprinting technique can track browser history by asking a series of yes/no questions about whether a browser has visited a particular site. This approach consumes even more computer, communications, and storage resources than other techniques, but it can reveal an alarming amount of information about users. Sites such as "I want to know you" (http://agph.dyndns.org/IWTKY) demonstrate this privacy hole.

Beencounter.com recently launched a commercial service that lets a website managers see if you've visited any one of up to 50 different sites that they can select. In the interest of privacy, the company claims to block searches for visits to adult sites, gambling sites, and financial institutions.

Arvand Nayaranan, a postdoctoral privacy researcher at Stanford, has discussed several invasive uses of history tracking. For example, he described techniques that let a site gather information about the social networking groups an individual visited as a basis for uniquely identifying the person. The EFF's Schoen said that public versions of these techniques have been out since 2006, and any Web developer could code a version of it without any restrictions. Firefox was recently the first to fix this hole by letting users block a server's access to their history. Schoen expects other browsers to soon follow suit.

Addressing the Privacy Gap

Right now, there's no way to tell if a website is tracking users with browser fingerprinting. In the case of the Berkeley research on Flash LSOs, the researchers compared the site's stated policies against a measurement of LSO actual usage to determine discrepancies. So far, no tools are available to test a site's use of browser-fingerprinting technologies.

Furthermore, users don't yet have tools for making a browser more anonymous. You can turn off JavaScript, but at the cost of losing many useful website features. You can also use services such as TorButton (https://www.torproject.org/torbutton), which improves privacy in Firefox but slows down the Web surfing experience. Few similar tools exist for other browsers.

Most industry experts agree that websites must be transparent about their tracking policies to build trust. For example, John Lovett, a senior partner with the Web Analytics Demystified industry-consulting firm, said, "It borders on ethical boundaries when the consumer can't shake the browser fingerprinting."

Schoen said, "A lot of the privacy and ease-of-tracking issues on the Web are not because the browser developer intended to make it easier to track people, but because of the unintended consequences of making the Web more usable."

The legal framework regarding tracking is still in its infancy, noted Gartner's Litan. There's been considerable discussion about the use of tracking cookies in the US and Canada, and a European directive recently mandated that websites ask users to opt in to cookies. But at the moment, no regulators have even considered the possibility that PCs could be tracked without leaving a trace. "They haven't caught up with clientless device identification," Litan said, "but they will get to it."

The EFF's Primer on Information Theory and Privacy gives an excellent summary of entropy as it relates to privacy: https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy.

George Lawton is a freelance writer based in Guerneville, CA. You can reach him at http://glawton.com.