Your browser is obsolete!

The page may not load correctly.

Spies are everywhere


Other issues in this category (27)
  • add to favourites
    Add to Bookmarks

Evercookie in the crosshairs

Read: 17914 Comments: 2 Rating: 42

Tuesday, March 28, 2017

Some users are still surprised that as soon as they start searching the Web for something, they instantly begin seeing advertisements that match the topic of their query. Once the author of this issue found himself on the receiving end of loads of malware download links after his ad blocker got disabled. Targeted advertising factors in user interests. :)

The reason behind this phenomenon is quite obvious: programs (especially freeware) collect information about users and relay it to their developers' partners.

The US Federal Trade Commission (FTC) filed a complaint against Vizio, one of the largest manufacturers of "smart" TVs. Under a court settlement, the company was required to pay 2.2 million USD in fines for spying on its customers. Vizio sold the gathered information to other companies.

According to the FTC, Vizio installed monitoring software on 11 millions of its “smart” TV sets and used it to gather information about user behaviour, IP addresses, Wi-Fi hotspots and ZIP codes. The manufacturer also collected date, time, and channel information about the shows users watched, and whether they watched the shows live or DVRed them for later viewing, etc. Vizio sold the data to other companies that used it for targeted advertising.

In addition, advertising companies received comprehensive information about the viewers including their age, sex, marital status, and income and education level.

Vizio disguised their spyware as the Smart Interactivity feature that was supposed to recommend content to users. In reality, the feature provided no suggestions and users never realised that it was watching their every step. According to the plaintiffs, Vizio deliberately released updates to deliver Smart Interactivity, even to older TV models, to gather as much information as possible.

It is not quite clear how the TV sets could collect information about sex and age. But it’s not impossible. Since modern TV sets make use of voice commands, they are always listening to what is happening around them.

Samsung "smart” TVs not only recognise voice commands but also relay them to third parties. "To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you."—that's what is stipulated in the Samsung privacy policy Samsung.

In addition, the company reserves the right to store voice commands and the associated text. This enables Samsung to identify users and hear everything they say to their TV sets.

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition", Samsung warns. This implies that those who use "smart" TVs for remote banking may have their passwords relayed to a third party regularly.

An excellent gift for those engaged in industrial espionage!

But collecting information is not enough. Today’s user often has several computers and mobile devices and can attend to personal matters on the Web from home as well as from (let's be honest here!) their office computer. And how wonderful would it be if the user could be identified on the Internet regardless of their location! And, that is possible—because people's habits and preferences remain the same wherever they are.

Researchers from Stanford and Princeton universities designed a method to link anonymous web-browsing histories with social networking profiles. They managed to pick the correct profiles in 72% of the cases, and in 81% of the cases, the profiles they chose appeared among the top 15.

The researchers operated under the assumption that people are more likely to click on the links that their friends shared with them rather than open random ones. They used anonymous browsing history information (acquired using a browser plugin) to link the data to a certain profile on Twitter, with a certain probability of success. By clicking on links in social media, users “de-anonymise” themselves, and the process takes less than a minute.

And what about a user who doesn't spend much time on Twitter or any other social media website and thus can't be tracked by various advertising companies? Well, once a user's identity has been determined, those companies can target that user by honing in on certain properties of the computer they’re using. And this is feasible too!

Information about machines, including their unique browser settings can easily be retrieved over the Internet. This data is merged into a single string which is converted into neat browser fingerprints.

Here we won't list all the parameters that can be used to create a fingerprint. But here are several examples. The requested information may include the time zone (which may also help determine one's location with an accuracy that is quite sufficient for advertising), the system and browser languages, screen size and colour quality. A browser can also be requested to provide a list of the technologies it supports and the plugins installed in it. The operating system version, CPU type and installed applications aren't the only tell-tale system parameters.

Font-rendering technologies are very platform dependent. Similarly, identical images in windows of different browsers will be converted into different arrays of bytes. Why? Because it depends on the CPU, the video adapter and its drivers, the system libraries such as DirectX, and font-rendering technologies—all those things can be unique to each machine, and the resulting byte array will be different for virtually all PCs with different hardware and software configurations. And this long Canvas serialisation output will be appended to the final fingerprint.

Research has shown that computer identification accuracy can reach 90%-91% A great result for the curious!

Once a fingerprint is acquired, it should be hidden on the machine so that the user won't delete it.

Many people know that browsers store various settings in http cookie files. So the fingerprint can be written into them, but users have learnt a few things and often delete cookies. Here is where the evercookie and the persistent cookie come to the rescue of advertisers.

So advertisers and other "spies" who want to obtain information about you have several options. Modern browsers still use Flash—a plugin that also stores settings in its own Flash cookies. And those aren't deleted by browsers.

Until recently it was virtually impossible to delete them. On the macromedia site there was a special page on which one could press the button "Yes, I want to clear flash cookies" and then the cookies would be deleted, i.e., performing the task without this page was impossible.

Silverlight is another browser plugin that makes use of Silverlight Cookies which are written into the Isolated Storage. This is a special hard drive area used for data storage. And the feature that clears browser cookies doesn't delete its contents either.

A fingerprint can also be stored in a browser's cache. When a web-server passes a file to a browser, it can indicate that the file won't be modified for, say, another fifty years, and the browser will no longer request an updated version of the file. Thus fingerprints can be stored as part of an image file. Whenever a user visits a certain site, a sequence of bytes is read from the image to restore information that could otherwise be saved in a cookie file.

And that's not all. SQLite can be used to keep information safe in HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, and HTML5 Database Storage. (

#cookies #JavaScript #anonymity #security #tracking-location #monitoring #browser

The Anti-virus Times recommends

As you visit online stores and other sites, sooner or later you are bound to end up on advertisers’ lists—there’s nothing you can do about it. But you can reduce your risks by disabling JavaScript (on sites where this is possible) and unused plugins. And also by cleaning your browsing history regularly (delete saved cookies and clear the browser cache).


Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.