When you think of online tracking, chances are you think about third-party cookies that follow you from site to site. Third-party cookie handling has been a hot-button issue among the major browser vendors of late, with Google announcing that Chrome would deprecate them.

1/
But third-party cookies are just the most obvious way that your online activity gets tracked. Far more insidious is "browser fingerprinting," in which the unique characteristics of your browser and computer are linked to your identity and tracked.

2/
Browser fingerprinting and other de-anonymizing attacks are a reminder that the technical problems of anonymity are subtle and complex, which is generally true of all privacy questions.

3/
It's also a reminder that privacy problems can't be solved with code alone: to be private, you also need legal recourse against companies that cheat and spy on you.

4/
Finally, it's a reminder that we need independent security researchers, who can warn us about novel ways of attacking our digital privacy.

5/
Researchers like Jonas Strehle, who just published a fascinating proof-of-concept demonstrating how favicons (the tiny icons in your browser tabs) represent a serious privacy vulnerability.

https://github.com/jonasstrehle/supercookie

6/
His work builds on an academic U Illinois Chicago paper from Network and Distributed Systems Security, published in 2020: "Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers"

https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

8/
Favicons are stored locally in a database called the F-cache; if a user requests a favicon from a site, the site can infer that the user has never visited the site before (or that the gap since their last visit was so long that the cache expired).

9/
"By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client."

10/
"When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser."

11/
You can follow @doctorow.
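
A defender's view of the pattern described in the thread, as an added example that is not part of the original thread or of Strehle's proof-of-concept: a site that reads or writes an identifier this way makes one browser request favicons for many distinct URL paths on the same host in a short burst, which an ordinary site does not. The log format, the hostnames, the "favicon in the file name" heuristic, and the threshold and window values are all assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed proxy log lines: timestamp client host path."""
    base = datetime(2021, 2, 10, 10, 0, 0)
    lines = [f"{base.isoformat()} 10.0.0.5 news.example /",
             f"{base.isoformat()} 10.0.0.5 news.example /favicon.ico"]
    # One visit to a tracking site: a chain through 12 paths. The browser
    # only asks for the icons it does not already hold in its favicon cache.
    for i in range(12):
        ts = (base + timedelta(seconds=60 + i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 tracker.example /r/{i}")
        if i % 4 != 0:  # icons for paths 0, 4, 8 are cached: no request
            lines.append(f"{ts} 10.0.0.5 tracker.example /r/{i}/favicon.ico")
    return "\n".join(lines)


def is_icon_request(path):
    # Assumption: icon fetches are recognisable by file name. A real proxy
    # would use the resource type or the page's <link rel="icon"> targets.
    return "favicon" in path.rsplit("/", 1)[-1].lower()


def suspicious_favicon_bursts(log_text, min_icons=8,
                              window=timedelta(seconds=30)):
    """Map (client, host) -> most distinct favicon URLs seen in one window,
    for pairs that reach min_icons. Threshold and window are assumptions."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, path = line.split()
        if is_icon_request(path):
            hits[(client, host)].append((datetime.fromisoformat(ts), path))
    flagged = {}
    for key, reqs in hits.items():
        reqs.sort()
        start, best = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({p for _, p in reqs[start:end + 1]}))
        if best >= min_icons:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (client, host), n in suspicious_favicon_bursts(build_sample_log()).items():
        print(f"{client} fetched {n} distinct favicons from {host}")
```
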