EFF Shows How Web Companies Can Track Cookie-Deleters

Flash cookies aren't the only way of circumventing users' ability to opt out of online tracking.

Web publishers also can extract a host of information from users' browsers -- including operating systems, time zones, screen size, plug-ins installed and system fonts -- and can use that trove of data to create digital fingerprints. What's more, those fingerprints can be used to identify returning users even if they've deleted their cookies.

The Electronic Frontier Foundation this week detailed how companies can use browser-configuration information to identify users, and also launched a new project, Panopticlick, aimed at testing just how useful this type of data is for tracking people.

Peter Eckersley, staff technologist at the EFF, says the group decided to study the issue after hearing rumors that analytics companies were indeed using information from people's browsers to track them.

Once Web sites collect browser "fingerprints," then those sites can theoretically recognize some visitors upon their return regardless of whether they still have their cookies, Eckersly says. Additionally, he says, sites that identify a returning browser based on the configuration data -- or, perhaps, a combination of configuration data and IP address -- can then restore any cookies previously associated with that browser.

Obviously, some Web companies would like to garner more information about their visitors than those visitors want to share. But using technology that effectively thwarts people's decisions to erase cookies is clearly a bad idea -- and one that could potentially land Web companies in court in the near future.

1 comment about "EFF Shows How Web Companies Can Track Cookie-Deleters".
Check to receive email when comments are posted.
  1. Chris Nielsen from Domain Incubation, January 29, 2010 at 9:31 p.m.

    When you combine the available user data, such as OS, user agent, and other data with an IP address you clearly have at least a "partial print" that carries a high probibility that you are tracking the same computer if not the same person. Only AOL and other proxy-filtered systems throw a wrench in this tracking machine.

    I guess our choice now is to make the providing of additional information an option with the browser, or my personal choice: Create a standard by which users can CHOOSE to be recognized and tracked. A "super-cookie" if you will that site owners can use as a real finger print that is unique to each user/computer and at last providing marketers with the holy grail they are seeking: 100% opt-in from the user.

    Of course, this would not be free to the marketer. They would have to pay a fee to each user to gain access to this information. The users would then start to get paid for providing their information, rather than have it "taken" without their permission or even knowledge most of the time.

Next story loading loading..