by Liam Tung
May 20, 2016

from ZDNet Website
 

News sites have the most trackers,

according to the researchers.
Image: Princeton University
 

Online trackers

add audio fingerprinting

to their arsenal of tools

to identify and follow people

on the web.

It turns out that you can be identified even without your IP or computer MAC address, because every computer and browser configuration has a unique audio signal that can be calculated remotely.

 

This is somewhat analogous to smart meter technology that can infer what devices you have in your home simply by reading their electric consumption signatures.

 

Unquestionably, the Intelligence community is already using this technology to identify people everywhere.

Source

New research into web-tracking techniques has found some websites using audio fingerprinting for identifying and monitoring web users.

During a scan of one million websites, researchers at Princeton University have found (Online Tracking - A 1-million-site Measurement and Analysis) that a number of them use the AudioContext API to identify an audio signal that reveals a unique browser and device combination.

"Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines, while the same combination of machine and browser will produce the same output," the researchers explain.

The method doesn't require access to a device's microphone, but rather relies on the way a signal is processed.

The researchers, Arvind Narayanan and Steven Englehardt, have published a test page to demonstrate what your browser's audio fingerprint looks like.

"Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine. An AudioContext fingerprint is a property of your machine's audio stack itself," they note on the test page.

The technique isn't widely adopted but joins a number of other approaches that may be used in conjunction for tracking users as they browse the web.

For example, one script that they found combined a device's current charge level, a canvas-font fingerprint and a local IP address derived from WebRTC, the framework for real-time communications between two browsers.

The researchers found 715 of the top one million websites are using WebRTC to discover the local IP address of users. Most of these are third-party trackers.

Another more widely used method is fingerprinting based on the HTML Canvass API, which aims to deduce the fonts installed on a browser. They found 3,250 first-party sites using this technique.

Meanwhile, Canvass fingerprinting was found on 14,371 sites with scripts loaded from 400 different domains.

The researchers analyzed canvass fingerprinting in 2014, and note three changes since then.

"First, the most prominent trackers have by and large stopped using it, suggesting that the public backlash following that study was effective.

 

Second, the overall number of domains employing it has increased considerably, indicating that knowledge of the technique has spread and that more obscure trackers are less concerned about public perception.

 

Third, the use has shifted from behavioral tracking to fraud detection, in line with the ad industry's self-regulatory norm regarding acceptable uses of fingerprinting."

The other key finding, which may be good news depending on your attitude to,

• Google

• Facebook

• Twitter,

...is that the number of third-party trackers that users will encounter on a daily basis is small.

"All of the top five third parties, as well as 12 of the top 20, are Google-owned domains.

 

In fact, Google, Facebook, and Twitter are the only third-party entities present on more than 10 percent of sites," the researchers note.

The researchers say their data suggests there has been a consolidation in the market for third-party tracking, which contrasts to the perception that there has been an explosion in third-party trackers.

And that could be good news in terms of pressuring the industry to make privacy-enhancing improvements.

"For 100 or so third parties that are prevalent on one percent or more of sites, we might expect that they are large enough entities that their behavior can be regulated by public-relations pressure and the possibility of legal or enforcement actions," they argued.