Race On To Fingerprint Phones, PCs

theodp writes "Advertisers no longer want to just buy ads, reports the WSJ. They want to buy access to specific people. In response, the race is on develop digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. Start-up BlueCava, an anti-piracy company spinoff, is building a 'credit bureau for devices' in which every computer or cellphone will have a 'reputation' based on its user's online behavior, shopping habits and demographics. By the end of next year, BlueCava says it expects to have cataloged one billion of the world's estimated 10 billion devices, and plans to sell this information to advertisers willing to pay top dollar for granular data about people's interests and activities. It's 'the next generation of online advertising,' said Blue Cava's David Norris. As controversy grows over intrusive online tracking, regulators are looking to rein it in — the FTC is expected to release a privacy report Wednesday calling for a 'do-not-track' tool for Web browsers."

Techniques

[vlm]

So, lets make fun of their proposed techniques. From the fine article:

1) Delta T between local clock and webserver clock. solution, NTP brings that to zero aside from timezone, and also don't let your browser tell the server what time it thinks it is.

2) Fonts. You gotta be kidding. Surrogate for the combo of OS and locale. I have not installed a font on a microsoft product since winders 3.11 era.

3) Screen size. Again, you gotta be kidding. Also tell your browser not to tell the server, or lie with a small random delta.

4) Browser plugins installed. Again, you gotta be kidding.

5) User agent. People have been spoofing those for the past 15 years, mostly just "recently updated FF, MSIE, or ancient debris".

Adds up to .... Um... So my unique device lives in central time zone, has a 1600x1200 monitor, XP, and the standard plugins. That narrows me down to a couple million devices.

Re:Looks like it's time to:

[silverglade00]

NO! That lets them know it is okay and that we have to work around it. They need to stay out of our business. This needs to be illegal immediately. This is way over the line. I never gave them permission to track me. Bluecava needs to be shut down.

Re:Interesting For Computer Forensics

[_Sprocket_]

This has VERY interesting possibilities for digital forensics as well. I get the feeling that the bluecava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

I would be very surprised if it hasn't dawned on them yet. From an interview [adexchanger.com]:

Businesses can also determine if devices have a history of committing fraud, so they can protect themselves.

Note in that interview, BlueCava CEO David Norris is very careful to portray the technology as linked solely to the device and not the user. And there is a lot of effort to portray BlueCava as providing control of information to the end user. But the reality is that linking user to device is trivial (as you noted) and end users tend to not grasp implications of data security. However, the initial money is unlikely to be in forensics and for the system to work, you have to convince people to not fight it.

Re:Will the United States of America be renamed...

[gstoddart]

Psst ... you're supposed to check the appropriate boxes or it's not funny. ;-)

Terminology

[HTH NE1]

When one person does it to another, it's called stalking. When a corporation does it to everyone it's called marketing.