An Inria research project tries to uncover how websites can dig into your preferences online

LINC (Vincent Toubiana, Technologist, and Geoffrey Delcroix, Innovation & foresight): Fingerprinting is a powerful tool for online tracking, and your research team is devoting a lot of energy to make these techniques more transparent. What are the different techniques that you’re exploring?

Inria Privatics: The main goal of online tracking is to follow website visitors across websites. Trackers recognize visitors by reading unique user’s identifier stored in cookies, or by identifying a unique collection of user’s device characteristics: this is called device fingerprinting. Such unique collection of device’s properties, or a fingerprint, can often uniquely identify the user who visited the website. Usually, fingerprint includes technical parameters like what browser and operating system a visitor is using, what timezone he or she is from or what screen size he or she has.

Beyond purely technical characteristics, which are not explicitly chosen by the user, users can be identified by more “preferential” characteristics, such as the fonts list. When we install the apps we prefer, we also install new fonts to our computers – thus websites explicitly detect our preferences when they detect what fonts we have installed.

LINC : Your team launched a “Browser Extension and Login-Leak Experiment”. Can you tell us more about that?

Inria Privatics: The INDES and PRIVATICS teams at Inria started a new privacy-awareness raising project that evaluates the privacy risk of exposing more on our preferences, such as the browser extensions we have installed and the websites where we have logged in. Websites may collect these pieces of information for various reasons; either to track you, or to learn more about you.

There could be more reasons for detecting your extensions and logins, which are beyond tracking (as tracking is mostly used for behavioral advertising and dynamic pricing). For example, extensions can reveal your religious background (e.g., if you are using the KnowTheBible extension or one of the many such extensions), or preferences against advertisements (e.g., using AdBlock) or privacy-invasive tracking (e.g., having PrivacyBadger). Detecting extensions is especially worrisome for pro-privacy people as the more extensions they install to their browsers, the more trackable they are – as privacy extensions are less widely adopted, especially in specific combinations.

Websites detecting where you are logged in can leak to very similar problems: revealing your preferential profile and can also make you more trackable. They can reveal private information such as your dating interests or if you are concerned with health issues. But you are also more likely to be targeted with phishing attacks, if someone learns that you use PayPal or shopping websites. Furthermore, if you log in to your company intranet, there is a chance, that it could be detected and your workplace be learned (e.g., people working for Inria this can be detected).

LINC: From your point of view of researchers specialized in privacy, what advices would you give for self-protection?

Inria Privatics: If you want to protect yourself from websites seeing which extensions you use, the only advice we can give for the moment is to switch to another browser. For example, in Firefox only few extensions are detectable. You could use other browsers too, but we can’t tell which one would be the best in terms of protection: it has not yet been evaluated.

The good news are: blocking login detections is easy — all you need to do is to disable third party cookies in your browser. Some tracking blocking extensions, such as Privacy Badger could also help — but don’t forget: the more extensions you install, the more trackable you’ll be!