Browsing the Web just got a little less anonymous. The software that lets websites identify you by certain characteristics of your computer and software was usually thwarted if you switched browsers. But now computer scientists have developed new browser fingerprinting software that identifies users across Web browsers with a degree of accuracy that beats the most sophisticated single-browser techniques used today.
The new method, created by Yinzhi Cao, a computer science professor at Lehigh University, in Pennsylvania, accurately identifies 99.24 percent of users across browsers, compared to 90.84 percent of users identified by AmIUnique, the most advanced single-browser technique.
A browser fingerprint includes information about users’ browsers and screen settings—such as screen resolution or which fonts they’ve installed—which can then be used to distinguish them from someone else as they peruse the Web.
In the past, though, these techniques worked only if people continued to use the same browser—once they switched, say, to Firefox from Safari, the fingerprint was no longer very useful. Now, Cao’s method allows third parties to reliably track users across browsers by incorporating several new features that reveal information about their devices and operating systems.
Cao, along with his colleagues at Lehigh and Washington University, in St. Louis, began creating their tech by first examining the 17 features included in AmIUnique, the popular single-browser fingerprinting system, to see which ones might also work across browsers.
For example, one feature that AmIUnique relies on is screen resolution. Cao found that screen resolution can actually change for users if they adjust their zoom levels, so it’s not a very reliable feature for any kind of fingerprinting. As an alternative, he used a screen’s ratio of width to height because that ratio remains consistent even when someone zooms in.
Cao borrowed or adapted four such features from AmIUnique for his own cross-browser technique, and he also came up with several new features that revealed details about users’ hardware or operating systems, which remain consistent no matter which browser they open.
The new features he developed include an examination of a user’s audio stack, graphics card, and CPU. Overall, he relied on a suite of 29 features to create cross-browser fingerprints.
To extract that information from someone’s computer, Cao wrote scripts that force a user’s system to perform 36 tasks. The results from these tasks include information about the system, such as the sample rate and channel count in the audio stack. It takes less than a minute for the script to complete all 36 tasks.
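To make the stability argument concrete, here is an added example (not Cao's code and not part of the original article) that compares a browser-bound identifier with one built only from device-level attributes, over constructed observations of a single machine. The attribute names, the use of CPU core count as the CPU feature, the FNV-1a hash, and the two-decimal rounding of the ratio are assumptions made for illustration.

```javascript
// Constructed observations of ONE machine (1920x1080 panel); not measured data.
// width/height are the reported resolution, which shrinks (with integer
// rounding) as the user zooms in.
const observations = [
  { label: "browser A, 100% zoom", userAgent: "BrowserA/1.0",
    width: 1920, height: 1080, audioSampleRate: 48000, audioChannels: 2, cpuCores: 8 },
  { label: "browser A, 110% zoom", userAgent: "BrowserA/1.0",
    width: 1745, height: 982, audioSampleRate: 48000, audioChannels: 2, cpuCores: 8 },
  { label: "browser B, 125% zoom", userAgent: "BrowserB/7.2",
    width: 1536, height: 864, audioSampleRate: 48000, audioChannels: 2, cpuCores: 8 },
];

// Small non-cryptographic hash (FNV-1a, 32-bit) to turn features into an ID.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Integer rounding makes the raw ratio drift slightly under zoom
// (1745/982 != 1920/1080), so the ratio is quantized before use (assumption).
function aspectRatio(o) {
  return (o.width / o.height).toFixed(2);
}

// Browser-bound features: change with the browser or with zoom.
function singleBrowserId(o) {
  return fnv1a([o.userAgent, o.width + "x" + o.height].join("|"));
}

// Device-level features only: the same whichever browser is open.
function crossBrowserId(o) {
  return fnv1a([aspectRatio(o), o.audioSampleRate, o.audioChannels, o.cpuCores].join("|"));
}

// How many different identities the same machine appears to have.
function distinctIds(idFn) {
  return new Set(observations.map(idFn)).size;
}

console.log("single-browser IDs:", distinctIds(singleBrowserId)); // 3
console.log("cross-browser IDs: ", distinctIds(crossBrowserId));  // 1
```

For privacy testing, any attribute that keeps the second count at 1 is one a browser would have to normalise or randomise to break cross-browser linking.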
To test the accuracy of his 29-point method, Cao recruited 1,903 helpers from Amazon Mechanical Turk and Microworkers. He asked them to visit a website from multiple browsers and found that the method worked across many popular browsers, including Google Chrome, Internet Explorer, Safari, Firefox, Microsoft Edge Browser, and Opera, as well as a few obscure ones, such as Maxthon and Coconut.
Cao tried removing several of the 29 features, and their related tasks, to see if he could use even fewer to achieve the same degree of accuracy, but he found that doing so lowered the accuracy slightly each time. “One is not a standout,” he says.
The only browser that his method didn’t work on was Tor. Earlier this month, Cao published the open source code for his technique so that anyone could use it. His next step? To work on more ways that users can avoid being fingerprinted across browsers, should they wish to opt out.