#RSAC: Reality of Browsers Leaking Identifiable Information Detailed

Speaking at the RSA Conference in San Francisco, Lexis Nexis Risk Solutions director of product management Daniel Ayoub and VP of product management Dean Weinert described which metrics and identifiers browsers actually reveal about their users.

In the talk, titled “Creepy Leaky Browsers,” Ayoub said that the classic cartoon caption “on the internet no one knows you’re a dog” was becoming less applicable, as so much more information is now available via a browser. The concept of a browser fingerprint involves a combination of persistent and non-persistent identifiers gathered passively through application programming interfaces (APIs) built into modern web browsers.

Ayoub said these browser fingerprints are typically used for:

  • Digital marketing
  • Improving the user experience
  • Return device recognition
  • Fraud prevention

Weinert said that this all “began with cookies,” but browsers went a step further when cookie use was limited, so that identifiers could be derived from a user’s network information, external IP address, screen resolution, and the type of GPU. Ayoub said that many of these capabilities were introduced in the late 2000s, before the EFF raised concerns about browser privacy in 2010.

“As time moved on, we saw more APIs added to browsers, and they offered details on what hardware was added, how much RAM was used, and which CPUs were now baked into the browser,” he said. This allows someone to know how a user interacts with a device, and “the key point is that real work apps that benefit consumers take into account fingerprinting, and these are used every day in the background, and most people are unaware of it.”

Their research showed that different browsers reveal different details; for example, Firefox doesn’t reveal the device memory, while Google Chrome on OSX does, and some browsers support Bluetooth adapters, while some do not.
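As an added illustration (not code from the talk or from the article), the following JavaScript audits which of the properties mentioned above a browser exposes, so users can see what their own browser reveals. The probe list and the two sample profiles are constructed for this example; call `auditBrowser()` with no arguments in a browser console to inspect a real browser.

```javascript
// Added example: report which fingerprintable properties a browser exposes.
// Each probe reads one standard navigator/screen property named in the text.
const PROBES = [
  ["deviceMemory (RAM, GiB)", (n) => n.deviceMemory],
  ["hardwareConcurrency (CPU cores)", (n) => n.hardwareConcurrency],
  ["Web Bluetooth API", (n) => (n.bluetooth ? "available" : undefined)],
  ["userAgent", (n) => n.userAgent],
  ["language", (n) => n.language],
  ["screen resolution", (n, s) => (s && s.width ? `${s.width}x${s.height}` : undefined)],
];

function auditBrowser(nav = globalThis.navigator, scr = globalThis.screen) {
  const exposed = {};
  const hidden = [];
  for (const [label, read] of PROBES) {
    let value;
    try {
      value = read(nav || {}, scr);
    } catch (_) {
      value = undefined; // a hardened browser may throw instead of answering
    }
    if (value === undefined || value === null) hidden.push(label);
    else exposed[label] = value;
  }
  return { exposed, hidden };
}

// Properties whose values differ between two audits: these are the ones
// that make a profile stand out rather than "blend in".
function differingProperties(a, b) {
  const labels = new Set([...Object.keys(a.exposed), ...Object.keys(b.exposed)]);
  return [...labels].filter((l) => a.exposed[l] !== b.exposed[l]).sort();
}

// Constructed sample profiles (illustrative values, not measurements).
const sampleScreen = { width: 1920, height: 1080 };
const chromeLike = auditBrowser(
  { deviceMemory: 8, hardwareConcurrency: 8, bluetooth: {},
    userAgent: "ExampleChrome/1.0", language: "en-US" },
  sampleScreen);
const firefoxLike = auditBrowser(
  { hardwareConcurrency: 8, userAgent: "ExampleFirefox/1.0", language: "en-US" },
  sampleScreen);

console.log(chromeLike, firefoxLike, differingProperties(chromeLike, firefoxLike));
```
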

To better protect yourself while using the internet, Ayoub and Weinert recommended trying to “blend in” rather than stand out, “as more people don’t try to hide, and the best strategy is to use common operating systems and browsers.”

However, this causes an issue when trying to spot cyber-criminals, as Weinert said that the “bad guys look like regular users,” and as more browsers obfuscate, “if everything is vanilla it is harder to find the wolf among the sheep.”

Weinert said that browser vendors realized that they had to put privacy first, and he urged vendors to collaborate better, to the degree that standards can be determined. He added: “Also do the right thing” when device profiles are offered in bulk resale.

For users, Ayoub recommended using the current and latest versions of browsers, visiting fingerprinting sites to see what they are comfortable with, and considering browser tools that are designed for privacy.

“Also opt-out where appropriate,” he said, and recommended finding your Advertiser ID on your device and switching it off or resetting it.
