The shocking truth of how you'll be tracked online and why

Online tracking used to be all about getting you to buy stuff, but in the future it's going to be far more insidious, and new tracking techniques such as audio fingerprinting are the tip of the tracking iceberg.


A recent study, Online tracking: A 1-million-site measurement and analysis, conducted by researchers at Princeton University discovered that Google is tracking users on nearly 80 percent of all of the Top 1 Million Domains. How are they doing this? Not surprisingly, they’re using a variety of tracking and identification techniques and they’re doing it for the obvious reason: To manipulate you. In the beginning tracking you was just about getting you to buy stuff; now, it’s evolving, and in the future, it will be all about subtle, insidious manipulation.

Over the years we’ve seen a succession of these techniques, collectively known as “fingerprinting,” employed in the tracking of Internet users. HTTP cookies were arguably the first method used (1994 appears to be the first year they appeared in Web browsers), which was way before Google appeared, and those were easily circumvented with cookie management tools. After that, the race was on for organizations to track you at higher and higher levels of accuracy.

2005 saw the invention of Zombie cookies, which were really hard to get rid of, followed in 2010 by Evercookie, a JavaScript-based application that made cookies that were really, really hard to get rid of. 2014 saw the invention of HTML5 canvas fingerprinting, which relies on the unique characteristics of your computer’s interaction with its graphics subsystem under HTML5.

Alongside these active techniques has been passive fingerprinting, which is based on detecting a whole list of client-side attributes including the client's TCP/IP configuration, OS fingerprint, IEEE 802.11 (wireless) settings, and hardware clock skew. You can find an excellent example of how much data can be gathered by both active and passive fingerprinting on the Electronic Frontier Foundation’s Panopticlick site.

For my browser, Panopticlick reckons my browser fingerprint appears to be unique among the 135,923 tested so far and “we estimate that your browser has a fingerprint that conveys at least 17.05 bits of identifying information.” 17.05 bits may not sound much but it’s more than enough for me to be tracked fairly closely as I meander across the ‘Net. Now we have a new technique that Panopticlick has yet to implement that’s going to become widely used to improve the accuracy of identifying users online: the technique is called audio fingerprinting.

Audio fingerprinting relies on testing the audio subsystem of your browser through the AudioContext API. The World Wide Web Consortium explains that the API is:

… a high-level JavaScript API for processing and synthesizing audio in web applications. The primary paradigm is of an audio routing graph, where a number of AudioNode objects are connected together to define the overall audio rendering. The actual processing will primarily take place in the underlying implementation (typically optimized Assembly / C / C++ code), but direct JavaScript processing and synthesis is also supported.

The organizations doing tracking this way send low-frequency sounds to the user’s browser and measure how the audio data is processed. This creates a fingerprint that depends on the user's hardware and software capabilities and configuration at a level of detail that makes it possible to distinguish individual users; in other words, it produces a measurement that has enough bits of identifying data to be useful for fingerprinting.
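A defender's view of the pattern described above, as an added example that is not from the article or the Princeton study: a heuristic that reads a per-script log of Web Audio API calls and flags scripts that synthesize a signal and read the processed samples back without ever touching real media. The log format, the example URLs and the scoring rule are assumptions of this example; the API names are the real Web Audio ones.

```javascript
// Added example: flag scripts whose Web Audio usage looks like fingerprinting.
// The call-log format and the heuristic itself are assumptions of this example.
const SYNTH = new Set(["createOscillator"]);
const READBACK = new Set(["getChannelData", "copyFromChannel",
                          "getFloatFrequencyData", "getByteFrequencyData"]);
const REAL_MEDIA = new Set(["decodeAudioData", "createMediaElementSource",
                            "createMediaStreamSource"]);

// Constructed sample log: one entry per Web Audio API call, keyed by script URL.
const SAMPLE_CALLS = [
  { script: "https://cdn.tracker.example/fp.js", api: "OfflineAudioContext" },
  { script: "https://cdn.tracker.example/fp.js", api: "createOscillator" },
  { script: "https://cdn.tracker.example/fp.js", api: "createDynamicsCompressor" },
  { script: "https://cdn.tracker.example/fp.js", api: "startRendering" },
  { script: "https://cdn.tracker.example/fp.js", api: "getChannelData" },
  { script: "https://player.example/app.js", api: "AudioContext" },
  { script: "https://player.example/app.js", api: "decodeAudioData" },
  { script: "https://player.example/app.js", api: "createBufferSource" },
  { script: "https://player.example/app.js", api: "createAnalyser" },
  { script: "https://player.example/app.js", api: "getByteFrequencyData" },
  { script: "https://game.example/sfx.js", api: "AudioContext" },
  { script: "https://game.example/sfx.js", api: "createOscillator" },
  { script: "https://game.example/sfx.js", api: "createGain" },
];

function classifyAudioUse(calls) {
  // Group the distinct API names seen for each script.
  const byScript = new Map();
  for (const { script, api } of calls) {
    if (!byScript.has(script)) byScript.set(script, new Set());
    byScript.get(script).add(api);
  }
  const verdicts = {};
  for (const [script, apis] of byScript) {
    const has = (set) => [...apis].some((a) => set.has(a));
    const synthesizes = has(SYNTH);      // generates its own test signal
    const readsBack = has(READBACK);     // pulls processed samples into JS
    const realMedia = has(REAL_MEDIA);   // plays or analyses actual audio
    const offline = apis.has("OfflineAudioContext"); // rendered, never audible
    if (synthesizes && readsBack && !realMedia) {
      verdicts[script] = offline ? "likely-fingerprinting" : "suspicious";
    } else {
      verdicts[script] = "benign";
    }
  }
  return verdicts;
}
```

A visualizer that analyses decoded music and a game that only plays oscillator tones both come out benign; only the synthesize-then-read-back combination is flagged.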


My browser's audio fingerprint from the AudioContext Fingerprint Test Page.

How useful? Princeton’s AudioContext Fingerprint Test Page, which uses JavaScript, CSS, and Flash font detection methods provided by the fingerprintjs2 library, explains:

This page tests browser-fingerprinting using the AudioContext and Canvas API. Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine - an AudioContext fingerprint is a property of your machine's audio stack itself. If you choose to see your fingerprint, we will collect the fingerprint along with a randomly assigned identifier, your IP Address, and your User-Agent and store it in a private database so that we can analyze the effectiveness of the technique. We will not release the raw data publicly. A cookie will be set in your browser to help in our analysis. We also test a form of fingerprinting using Flash if you have Flash enabled.

Apparently this technique is not yet in broad use but it’s pretty much guaranteed that in short order, it will be.

So, where will this all end? Will we ever be able to have a truly private online experience? For 99.99% of Internet users that answer is almost certainly “no” and of those people, pretty much all of them won’t care. Sure, they’ll hate the intrusive advertising and they’ll complain about the lack of privacy when they’re reminded of it but what they won’t be aware of will be how much their view of the world will be, shall we say, “curated.”

When large corporations, particularly Big Media, know who you are and where you go online and can then slice and dice your behavior with statistics and AI software to figure out what drives your interests and decision making, there is a 100% chance that data will be used for both commercial and political ends. And you’ll hardly be aware of the degree to which you’re being manipulated.

So, here's the future: You won’t have to welcome our overlords robotic or otherwise. You'll happily do what they want because you'll think it's what you want and you won’t even know they’ve taken over.

Comments? Thoughts? Suggestions? Send me some closely surveilled feedback via email or comment below then follow me on Twitter and Facebook. The NSA does, why shouldn’t you?
