Device fingerprint

From Wikipedia, the free encyclopedia

A device fingerprint (or machine fingerprint) is a compact summary of software and hardware settings collected from a remote computing device.

Basic web browser configuration information has long been collected by web analytics services in an effort to accurately measure real human web traffic and to discount various forms of click fraud. With the assistance of client-side scripting languages, collection of much more esoteric parameters is possible[1][2]. Assimilation of such information into a single string constitutes a device fingerprint.

Recently, such fingerprints have proven useful in the detection and prevention of online identity theft and credit card fraud[3][4].

Essentials

Motivation for the device fingerprint concept stems from the forensic value of human fingerprints. In the "ideal" case, all web client machines would have a different fingerprint value (diversity), and that value would never change (stability). Under those assumptions, it would be possible to uniquely distinguish between all machines on a network, without the explicit consent of the users themselves.

In practice neither diversity nor stability is fully attainable, and improving one has a tendency to adversely impact the other.

  • Diversity requires that no two machines have the same fingerprint. However, large numbers of machines are likely to have exactly the same configuration data, and thus the same fingerprint. This is particularly true in the case of factory-installed operating systems. One remedy is to use a scripting language to harvest a large number of parameters from the client machine. However, this is likely to reduce stability, as there are more parameters that may change over time.
  • Stability requires that fingerprints remain the same over time. However, even by definition, browser configuration preferences are not tamper-proof. For example, if one measured attribute is whether the browser has cookies on or off, then a simple change of that setting is sufficient to change the fingerprint. One remedy is to reduce the number of parameters collected to only those that are very unlikely to change. However, this is likely to reduce diversity, as fewer parameters are being measured.
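
The trade-off between the two properties can be measured on a small constructed population. The JavaScript below is an added example, not part of the original article; the device records, the parameter names and the use of FNV-1a as the summarising hash are assumptions chosen for illustration.

```javascript
// Added example. All device records are constructed, not real measurements.
// FNV-1a (32-bit) is an assumed stand-in for whatever hash a collector uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Assimilate the selected parameters into one string, then summarise it.
function fingerprint(device, keys) {
  return fnv1a(keys.map((k) => `${k}=${device[k]}`).join("|"));
}

// Diversity: share of machines whose fingerprint no other machine has.
function diversity(population, keys) {
  const prints = population.map((d) => fingerprint(d, keys));
  const counts = new Map();
  for (const fp of prints) counts.set(fp, (counts.get(fp) || 0) + 1);
  return prints.filter((fp) => counts.get(fp) === 1).length / prints.length;
}

// Stability: share of machines whose fingerprint is unchanged between visits.
function stability(before, after, keys) {
  const kept = before.filter(
    (d, i) => fingerprint(d, keys) === fingerprint(after[i], keys));
  return kept.length / before.length;
}

// Constructed population: three machines on the same factory image, one other.
const firstVisit = [
  { os: "OS-A", screen: "1280x800", tz: "-300", cookies: "on", plugins: "p1,p2" },
  { os: "OS-A", screen: "1280x800", tz: "-300", cookies: "on", plugins: "p1" },
  { os: "OS-A", screen: "1280x800", tz: "0", cookies: "off", plugins: "p1,p2" },
  { os: "OS-B", screen: "1024x768", tz: "60", cookies: "on", plugins: "p3" },
];
// Later visit: machine 0 turns cookies off, machine 3 installs a plugin.
const laterVisit = firstVisit.map((d) => ({ ...d }));
laterVisit[0].cookies = "off";
laterVisit[3].plugins = "p3,p4";
const FEW = ["os", "screen"];
const MANY = ["os", "screen", "tz", "cookies", "plugins"];
function tradeoff(keys) {
  const d = diversity(firstVisit, keys);
  return { diversity: d, stability: stability(firstVisit, laterVisit, keys) };
}
console.log({ few: tradeoff(FEW), many: tradeoff(MANY) });
```

With two parameters the fingerprints are fully stable but only one machine in four is distinguishable; with five parameters every machine is distinguishable but half of the fingerprints change between visits.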

If it were remotely accessible, the ideal device fingerprint would be simply the MAC address of that device on the network.

Limitations

Collection of device fingerprints from web clients (browser software) relies on the availability of JavaScript or a similar client-side scripting language for the harvesting of a suitably large number of parameters. Two classes of users with limited client-side scripting are those with mobile devices, and those running privacy software.

A separate issue is that a single device may have multiple web clients installed. As each distinct browser version has distinct internal parameters, one may change the device fingerprint by simply running a different browser on the same machine.

Criticisms

Consumers and their advocacy groups may consider covert tracking of users to be a violation of user privacy[5]. Computer security experts may consider the ease of bulk parameter extraction to be a browser security hole[6].

References