Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Privacy Your Rights Online

Race On To Fingerprint Phones, PCs 139

theodp writes "Advertisers no longer want to just buy ads, reports the WSJ. They want to buy access to specific people. In response, the race is on develop digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. Start-up BlueCava, an anti-piracy company spinoff, is building a 'credit bureau for devices' in which every computer or cellphone will have a 'reputation' based on its user's online behavior, shopping habits and demographics. By the end of next year, BlueCava says it expects to have cataloged one billion of the world's estimated 10 billion devices, and plans to sell this information to advertisers willing to pay top dollar for granular data about people's interests and activities. It's 'the next generation of online advertising,' said Blue Cava's David Norris. As controversy grows over intrusive online tracking, regulators are looking to rein it in — the FTC is expected to release a privacy report Wednesday calling for a 'do-not-track' tool for Web browsers."
This discussion has been archived. No new comments can be posted.

Race On To Fingerprint Phones, PCs

Comments Filter:
  • by Anonymous Coward

    Time to grab a copy of BeOS and start doing random stuff.

    Cock-sucking mother fucking advertisers. Someone should start "removing" them from the gene pool.

    • by Lumpy ( 12016 )

      You do not need to. Simply run your browser in a sandbox. they cant keep ANYTHING there.

      Better yet, Run your browser in a VM that is a standard OS install and a sandbox inside that. They cant fingerprint that which looks like everything else. (XP standard install with no added fonts /etc...)
      Also you can add a blocking hosts file. this really screws with advertisers as it destroys all their cookie attempts in any form.

      • "Also you can add a blocking hosts file.

        Uh, yeah, about that... did it. Assuming you keep on top of it and updating it every time you don't like a particular host the file grows to be quite large, which isn't a problem, but keeping the file updated gets to be quite a chore. Best to use white/black lists with the help of community updates. You might add to the black list occasionally, but so does everyone else. And there's no Firefox add-on like NoScript; best way to keep those pesky java script hooks out of your hair at the browser level.

      • OK lumpy, free of charge, I am giving you this idea. Make what you said folks should do an easy, as in click and install, thing and sell it for a reasonable price (one that nets you a profit). I will buy it for my own computers and buy and install it on at least 5 of my relatives.
        • Make [...] an easy, as in click and install, thing

          Consider it as evolution in action : those who don't have the gumption as adults to have a reasonable understanding of their important services and how to manage them, get thrown to the wolves. I mean, "thrown to the advertisers."

          • By that logic then, when your heating, cooling or refrigerator breaks, you should fix it yourself, and not call a trained professional. And when your car breaks, grab a book and a wrench and get busy. And hope if you fall off the roof, you can remain conscious so you can operate on yourself. Fact is that no one person can be skilled in every field. So instead of sitting on your high horse acting smug and uber because you have some computer skills, think about the fact that you can't do a whole bunch of thin
            • By that logic then, when your heating,

              [breaks]

              Of course I get down and fix it.

              cooling

              What the fuck would I need cooling for? Do you think I choose to live in one of those places which are excessively hot? I work in those places, sure ; if you pay me well enough to put up with that sort of shit.

              or refrigerator breaks,

              Fridges are so cheap as to not be worth repairing. And I've never in my life seen one stop working. (If you live in hot climates and have such problems, well that's just another reason for not living in such shitholes.)

              you should fix it yourself, and not call a trained professional.

              Professionals are available. Next week. At

    • by lpq ( 583377 )

      Don't confuse spammers w/advertisers, and, unfortunately, in the US, w/o advertising, you won't have any support of media (TV, magazines, newpapers, radio, internet)....basically, everything goes away.

      That's what you want?

      You're so intelligent! But then, that was evident by your vocabulary.

  • by phyrexianshaw.ca ( 1265320 ) on Wednesday December 01, 2010 @12:02PM (#34405680) Homepage
    put together a company that rents out devices.

    "monthly/weekly/daily device rentals, just pay your cell phone bill on time and we'll ship you a used device every month! just hang onto your SIM/SD card and we'll default the device/let somebody else use the 'fingerprinted hardware'"
    • Wouldn't the SIM/SD card make the process entirely irrelevant? If your number is sticking with you, your fingerprint will too.

    • That won't help. It's not the hardware being fingerprinted. It's the user. The phone is scanning the fingerprint of the user and sending that to the advertiser. Besides, if it is the hardware, do I want to get a phone that the previous owner may have taken to every strip club, brothel, Al Qaida meeting, and presidential assassination attempt? No thanks. I get into enough trouble on my own.
      • do I want to get a phone that the previous owner may have taken to every strip club, brothel, Al Qaida meeting, and presidential assassination attempt? No thanks. I get into enough trouble on my own.

        Oh I know eh? It's hard to keep that sex-addiction-secret-terrorist life under-wraps with the Misses always checking my phone.

      • Why? it's not like the police will jail you because of what a mobile phone anonymous last user did.

        Unless you are intending to put the phone in your mouth and suck hard trying to extract any residual crack or whatever you're expecting to find there.

    • by nurb432 ( 527695 )

      You mean like virtual machines? you can do that yourself.

  • by ecklesweb ( 713901 ) on Wednesday December 01, 2010 @12:04PM (#34405692)

    Anonymous proxy?

    • by memnock ( 466995 )

      so if i surf a lot of pr0n and republican/conservative websites (not my usual fare) it might throw them off of me personally, but i wonder how popular of a customer i'd become? if i have multiple tabs open in a variety topics, how will they catalogue me?
      or what if i use lynx? will they be able to tell i have a visual impairment?

      • by Anonymous Coward

        Or that you have a case impairment?

        /ducks

    • If all the anonymous proxy does is hide your IP address then it probably won't help much. Device fingerprinting is done using much more information than that (obviously, given the article mentions mobile devices which are highly unlikely to have a static IP).
    • Yes, you can probably use an anonymous proxy and/or randomly scrambling your device's external signature (MAC address, browser string, response time, etc.) in order to make it harder to track you.

      What I wonder is if companies will start differentiating between "good consumers" and "bad consumers". Right now we have access to many services because of an implicit agreement: "I'll let you access the site but you'll see some ads". But if they have a very fine-grained way to determine what consumers respond t
      • Actually that's fine, too. If they start blocking people who don't spend enough money pre-emptively then suddenly they've sent potential future customers directly to their competitors. If you stop someone from even being able to be your customer, you can be certain they will never change their mind.

        It's the same thing that happens to sites that have a following, then erect a paywall and discover nobody reads the site any more. They take the paywall down, but the users never come back. Any site that tries to

  • Each user could be assigned a block of IP addresses, like a persons telephone number
    Any devices owned by the user would use those IP addresses..
    Quite easy to manage I guess
  • then this start up has left their start a little late. There's already a few people doing similar things, for example:
    threatmetrix.com [threatmetrix.com]
    www.iovation.com [iovation.com]
    • by d6 ( 1944790 )
      I expect the company is getting attention due to a sudden influx of cash [worldnews.se]

      >> There's already a few people doing similar things

      Yep. My hosts file is full of them (and I am sure nowhere near being complete).
      • Good point. The Web sites are not going to do the analysis themselves: they're going to include a link to BlueCava. You and I will block BlueCava but they won't care because we are too small a minority to matter to advertisers. Thus we can "opt out" as we did with DoubleClick.

  • by Anonymous Coward

    Of course right now anyone who care enough can block tracking scripts, web bugs, ad servers, and so on.

    But if something like this would ever catch on in a big way, the internet could eventually be increasingly closed off to those without a good "score". The very act of acting to avoid being tracked will also put ever increasing amounts of the internet off limits.

    Make no mistake, the internet may have started as an open thing, but it is a HUGELY juicy target for people wanting to control it. Anything they

  • by bc90021 ( 43730 ) * <bc90021&bc90021,net> on Wednesday December 01, 2010 @12:10PM (#34405802) Homepage

    This has VERY interesting possibilities for digital forensics as well. I get the feeling that the bluecava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

    • by _Sprocket_ ( 42527 ) on Wednesday December 01, 2010 @12:34PM (#34406136)

      This has VERY interesting possibilities for digital forensics as well. I get the feeling that the bluecava guys aren't even aware of that possibility yet. This would allow web interactions to be more thoroughly traced to a particular machine. Given the ability of most companies to put a particular person behind that machine (whether surveillance or electronic controls), suddenly your machine AND your interactions are subject to investigation at any time.

      I would be very surprised if it hasn't dawned on them yet. From an interview [adexchanger.com]:

      Businesses can also determine if devices have a history of committing fraud, so they can protect themselves.

      Note in that interview, BlueCava CEO David Norris is very careful to portray the technology as linked solely to the device and not the user. And there is a lot of effort to portray BlueCava as providing control of information to the end user. But the reality is that linking user to device is trivial (as you noted) and end users tend to not grasp implications of data security. However, the initial money is unlikely to be in forensics and for the system to work, you have to convince people to not fight it.

    • by t2t10 ( 1909766 )

      There is tons of technology on this, and, yeah, people working in forensics know about it. There are also countermeasures.

  • Don't MAC addresses do this already (aside from some of them removable)?
    • No, because the MAC address isn't visible beyond the first router.

      • True. That doesn't preclude the "fingerprint" technology using that as part of a unique hardware signature.

    • I believe that routers tend to fiddle with MAC addresses as the packets pass through them so they aren't something that is generally usable for that purpose over the internet.
    • by Lumpy ( 12016 )

      ALL MAC addresses are changeable. and they dont survive the first router.

  • by phantomfive ( 622387 ) on Wednesday December 01, 2010 @12:13PM (#34405838) Journal
    How about we make it a 64 bit id and call it an ip address? Having a static, routable IP address would make it worth it to me. Then when I really want privacy I can use a proxy.

    It looks like in this case they are trying to use the UserAgent and other info available to javascript, like the EFF warned about [eff.org]. Check that link out, you can discover how unique your browser is.
    • by Lumpy ( 12016 )

      Someone can easily write a Firefox plugin that will munge the javascript data. Make it random every time or hide everything but "standard" stuff. if you look like everyone else, you can hide in plain sight.

    • If we can find out what all of the information they are tracking to create this fingerprint is there should be a way via browser extension (which would need to be created) to whittle down what is actually transmitted to the most generic set that provides the minimal info necessary to correctly view the page. For example, I don't see why the user agent string needs to be accurate beyond your browser and major version.
    • Within our dataset of several million visitors, only one in 394 browsers have the same fingerprint as yours.

      Fun fact: a browser that doesn't send a User-agent header and uses a whitelist for cookies and JS is actually damn hard to fingerprint.

      Better not tell the BlueCava guys about this super-secret hax0r trick...

  • Techniques (Score:2, Insightful)

    by vlm ( 69642 )

    So, lets make fun of their proposed techniques. From the fine article:

    1) Delta T between local clock and webserver clock. solution, NTP brings that to zero aside from timezone, and also don't let your browser tell the server what time it thinks it is.

    2) Fonts. You gotta be kidding. Surrogate for the combo of OS and locale. I have not installed a font on a microsoft product since winders 3.11 era.

    3) Screen size. Again, you gotta be kidding. Also tell your browser not to tell the server, or lie with a

    • 1) Except for the round trip time for you to talk to the server. It only makes it better for them that NTP makes this more accurate.
      2) You manually did not install it, but some applications still install fonts they use.
      3) You would be identified as someone who changes screen size too often and after awhile become unique.
      4) Refer 3. Besides the version of flash, acrobat reader, you are running also make you unique
      5) That makes you unique. You must be the only one with user agent as "recently updated FF, MSIE

      • by treeves ( 963993 )

        So I'm forced to use hardware and software I don't want to use and not allowed to use hardware and software and fonts I do want just so I can avoid being tracked? BS.

    • See this is what I'm thinking. Do-not-track regulation? Fuck that. What we need are general tools to fuck up their tracking. It's a system we're against? So we need laws? No, we need counter-tactics.
      • by 0123456 ( 636235 )

        So we need laws? No, we need counter-tactics.

        Ideally we need to get rid of Javascript and Flash. Allowing people to run arbitrary code on your computer from a remote system was always going to turn out to be a really bad idea.

        On the plus side, by blocking Javascript and Flash from sites which do this tracking your 'unique fingerprint' suddenly becomes a lot less unque.

        • Yes, but as with anything, JavaScript was also extremely powerful. Flash not so much (extremely SLOW). A lot of really nice stuff exists solely because of javascript, without which we would have a lot more loading and reloading the same content.
    • 1) Delta T between local clock and webserver clock. solution, NTP brings that to zero aside from timezone

      I suggest you go back and re-read "Time, Clocks and the Ordering of Events in a Distributed System". I don't think you understood it the first time.

    • There have been fingerprinting systems posted to Slashdot that were surprisingly specific.

      Panopticlick [eff.org], the one that EFF runs for awareness says I'm unique, out of 1.2M visitors.

      My plugin config is unique. My font config is 1 / 16,000 users. Admittedly, I'm using a non-default browser on a niche operating system, but you'd be surprised what does install things like fonts and plugins - applications (like Office), etc.

    • by Lumpy ( 12016 )

      1 - send random time to javascript and flash. Foiled.
      2 - send ONLY standard OS install font list to javascript and Flash. Foiled.
      3 Screen size send 1024X768 only.. Foiled.
      4 List only standard plugins.
      5 User Agent, again munge it to only send a generic.

      Firefox is open source. all of the above can easily be done to make a "screw you" version of firefox that will hurt fingerprinting. if a LOT of people use that version then it goes even further to destory the fingerprinting.

      Honestly, why are the creator

      • 3. Yeah foolproof unless it measures the size of the banner that has been set to stretch till it fits the width of the screen
        4. Until the server tries to poke you by sending a flash video (when you claim to not have it) and may be try to display an ad (when you claim to not have adblock)
        5. Depending on the User Agent you send, the server can send you a set of Javascript tests that run on your machine and see if you are lying.

        Besides you only have to go wrong once and you become completely unique henceforth.

    • Make fun all you like but this is already being done and works rather well.
      Try your own computer [eff.org] (and that's using very basic fingerprinting).
      That a tiny percentage of users may take measures against such fingerprinting is irrelevant. At worst they are an irrelevantly small number and the fact such machines would appear to be attempting to avoid fingerprinting might be enough of a risk identifier in itself (for ecommerce transactions for example).
    • If you're so certain, try the Panopticlick from the EFF. See how unique you truly are [eff.org].
  • My profile will tell advertisers to leave me the f*ck alone. I don't want all their crap. I don't want them tracking me. I won't buy the crap they push on me. They're wasting their time and money by trying to track me and advertise to me.

    • That is an interesting take. Let the advertisers target the hyper-consumerists (ie, the majority) and leave the rest of us alone.

      Of course, then they might object to giving "deadbeats" access to "free" content which is ad-based. Why allow us to watch X if we're not going to pony up for the shiny things being advertised between bits of content?

      • That is an interesting take. Let the advertisers target the hyper-consumerists (ie, the majority) and leave the rest of us alone.

        Of course, then they might object to giving "deadbeats" access to "free" content which is ad-based. Why allow us to watch X if we're not going to pony up for the shiny things being advertised between bits of content?

        Do they have the right to discriminate who to provide service to if they claim their service is free? I don't know.

  • Damn, I love capitalism!

    You have every right to track my activities and I have every right to purchase back my own privacy.

    Is everybody happy? I am.

    • You have every right to track my activities and I have every right to purchase back my own privacy.

      Why should you have to purchase back something that rightfully belongs to you?

      • by xkr ( 786629 )
        I personally think there should be a constitutional amendment protecting privacy. But there is not. Beside, buying your privacy is surprisingly cheap.
    • I don't buy liberty or privacy. I take it as my rightful due by virtue of my human nature. If necessary, I claim my rightful due at gunpoint.
  • They not only have to profile all devices on almost all sites, they also have to get merchants to share who made a purchase. Vendors aren't going to share this for free and without any control. Then they'll have to get the EU to approve it.

  • The way I see it, people need to share their surfing. Make the tracking companies see the aggregate of several (random) people's surfing habits rather than just one. Maybe random swapping of IP addresses from time-to-time? (I'm not trained in internet protocols, so I have no idea how this would be done.)

    • it'd be like random swapping of addresses. Think how ZIP codes work.
    • by hAckz0r ( 989977 )
      Changing the IP would not work well and it may be different from session to session anyway due to dynamic IP allocation at your ISP. What you need is a browser plugin that injects a seed of randomization into the browser information returned to the collection server, which changes that seed on an unpredictable way. If each http connection back to the server exchanges different "user" information then their whole scheme for collecting 'some sense of uniqueness' is blown completely out of the water.
  • anything more than a new gee-wiz "service" for Madison Ave. to tout. Where's the demonstrable benefit to businesses ?
  • by Anonymous Coward

    In a few years, we can all dine out at Taco Bell as we watch President Schwarzenegger discuss how our corporate overlords love and cherish us, and how they have our best interests at heart.

    This has 1984 written all over it. This technology can and will be abused.

    • We can and will abuse this technology with anti-forensics. Eventually our user agent will say, "Firefox on Windows. Fuck you, bitch." Today it says "Firefox on Windows XP with these plug-ins, these fonts, given time, screen resolution, patch level, version of .NET installed..." Uh. We should have a per-site configuration to even identify that Flash is installed or run add-ons, much less tell the world what we have or let them query everything through Javascript.
  • Either a way to completely disable their ability to do this, or to get off the internet permanently. DO. NOT. WANT.
  • Terminology (Score:5, Insightful)

    by HTH NE1 ( 675604 ) on Wednesday December 01, 2010 @12:53PM (#34406426)

    When one person does it to another, it's called stalking. When a corporation does it to everyone it's called marketing.

  • ...I don't view ads on the internet. Ever. Not on my phone, not on my desktop/laptop, nowhere. The only advertising I see is on live sporting events on TV. Otherwise I watch TV delayed on my DVR and zap through the ads. They can waste all the money they want on me. I'm not looking at ads.

  • There I fixed their shithole tag-line. (Making a note not to ever do work or business with these annoying assholes.)

  • So the new status symbol will be constantly complaining that you're being spammed by the Bentley Dealer's Association to come to their annual golf outing to Dubai.

  • I vow to never buy from the company advertising. If everyone did that, the problem would cease to exist.

  • The internet is built by geeks... yet geeks hate what this internet is becoming. I think it's high time tech workers built a world wide union and got themselves some professional standards.

  • The village elders are about to break their buckled hats and shoes out of storage. Some think the most precious future resource will be potable water. Nope: it will be true anonymity.
  • How about this for a plug-in:

    It will upload addresses you visit to a huge anonymous pool, and retrieve random addresses from this pool as well, loading them (fully) in the background. Say a random page once every 10 seconds (or even better - at random time intervals). It will also visit a minimum of four links from each page it visits.

    It will install random plug-ins as well (preferably making them inactive, but without revealing it), just to hide that as a potential signature.

    It uploads tracking cookies to

"jackpot: you may have an unneccessary change record" -- message from "diff"

Working...