Hidden dangers are lurking in your digital fingerprint. Here's how to manage it.
Online researchers are usually diligent by nature, thoroughly conducting investigations to aid in cyberthreat intelligence, law enforcement, trust and safety, or any number of topics. But while they may take some precautions to conceal their identity or affiliation — like using a VPN, private browser or other common solutions — there are dozens of details being passed by the browser to websites they visit. And the sum of these details could jeopardize their research.
The data points concerning a researcher’s computer, browser and browsing habits create a highly unique digital fingerprint. Traditional web browsers like Chrome, Firefox or Safari pass attribution vectors to websites to accommodate accessibility problems such as the language or regional relevance of tailored content and, of course, advertising. Unfortunately for researchers, conducting sensitive investigations, if a website owner can identify them — and doesn’t like what they’re up to — they could take action that could derail the investigation (e.g., block the researcher, target them with disinformation) and put the researcher at risk.
That’s why it’s crucial to understand the different flavors of digital fingerprinting, how to control and leverage it to protect sensitive online research and pitfalls to avoid.
Examples of the digital fingerprint being used against researchers
Example 1: Tools with broken promises
You’re investigating a botnet’s command and control (C2) that has been wreaking havoc on users in the United States. You’ve made the determination with firm confidence that this hypothetical command and control infrastructure is in a non-extradition country. Using your traditional VPN that is routing your connection through the same country as the target endpoint, you make the decision to connect directly to the C2 to get an understanding of how the control mechanism works. You visit it like you would a normal website to see if there’s any login panel that may lead you to the rest of the victims this attacker controls. All of a sudden you’re presented with an error 404 page, and you decide perhaps there is no web service for this C2.
So what went wrong? Is the 404 page legitimate or were you just tricked? This scenario C2 knows you’re a US endpoint, and to it, it’s quite odd that one of its potential victims decided to connect back in such a manner. It could have figured out your true location from numerous different vectors, it would have been your WebRTC IP address (which is a peer-to-peer style protocol). Maybe it was IPv6, or perhaps it was your local ISP DNS resolver looking up a subdomain it has never seen before. This all could have been done using basic routing measures and JavaScript, and many VPNs often overlook these areas. The next day the C2 changes its server, and you’re left in the dark.
Learn more: Safely investigate phishing sites without getting hooked >
Example 2: Tools that deceive you
Let’s say you’re hunting for the owner of a specific email address. You enter that email into a group of search engines that specialize in finding people. What you may not know is that while you’re looking for your adversary, the sites you visit are not only fingerprinting you, but also collecting and reselling the material you’re searching. They don’t even need that many attributes — the site owners may collect your IP address, your browser version number and observe which time zone you’ve set on your system to. Once they notice a pattern, they might alert the owner of the email address that someone is actively looking for them from a different service they offer under an umbrella company in order to tackle hypothetical online stalkers, a legitimate use case. This alone may cause the investigation’s subject to go deeper into hiding, cause them to initiate some form of damage control or do some digging of their own to see who is after them.
I’ll give you a perfect real life example of this. Back in 2015, one of the most popular methods of unmasking an individual behind a Skype account was by resolving their IP address. This took many forms, some would use modified Skype clients that output debugging information that contained the target Skype user’s IP address. Some would use public websites dedicated to just turning Skype usernames to IP addresses. One of the more popular sites was known as “MostwantedHF” (from the name, you can tell this was popularized on a forum called “HackForums”).
One of the things some users that leveraged this website didn’t know was that it tweeted out each Skype user it resolved. So what people at the time started doing was looking for active tweets that contained their own username, to give them a head start that someone may be looking for them.
Picture of MostwantedHF twitter account, shows the most recent resolved Skype user, 2.9M tweets/resolves.
This is just one of many examples of how a tool you use and plug in random pieces of information to may in the end deceive you and alert those that you’re looking for.
Keeping up with tracking tech changes is a tall order
Tracking mechanisms are placed around the web mostly for advertising purposes. These technologies give companies a way to target ads to consumers by collecting, storing and reselling information about their online behaviors and settings. That GDPR-infused (General Data Protection Regulation) cookie warning is nowhere close to the capabilities that advertisers have today in tracking you.
For researchers looking to control the appearance of their digital fingerprint manually or by a patchwork of solutions, it’s essential to keep up with changes in how browsers gather its details.
Take, for example, Google’s FLoC — or Federated Learning of Cohorts — which was designed to cluster people into groups (“cohorts”) by interests such as travel, crafting or sports. FLoC’s goal was to replace more traditional ways of tracking individuals online (like cookies) with a less invasive, more privacy-focused approach that still allows advertisers to reach their target audiences.
But in January of 2022, Google announced that FLoC will be replaced by Topics, which uses a person’s browsing history to determine their online interests and share them with advertisers. So for researchers who had become accustomed to counteracting FLoC tracking, they now have to readjust for how Topics tracks their digital fingerprint.
These types of changes, however subtle, can disrupt misattribution tactics and potentially spoil investigations.
Browser fingerprinting deep dive
I recently joined the NeedleStack podcast to talk about some specifics on the hidden risks of the digital fingerprint. Here’s a few short clips that dive deep into some common browser fingerprinting techniques and the challenges they present to managing attribution.
When trying to stay hidden online, consider all angles
Persistence is key to effectively controlling your digital fingerprint relative to a specific research target. While there are many tools and techniques that promise to spoof your online identity and location, a determined adversary can leverage modern techniques that are not accounted for, it’s a never-ending cat and mouse game.
Learn more: What VPN and Incognito Mode still give away in your online identity >
With so many different angles to consider, it is nearly impossible to create a piecemeal solution that would completely protect their identity and not reveal an occasional flaw in their environment.
Pitfalls of piecemeal digital fingerprint management
There are dozens of tools out there that promise to cloak your online identity by spoofing specific attributes. Majority of these tools handpick a variety of different attributes to modify, then call it a day. An extension may offer to change your browser’s signature, but only modify the user agent and nothing else. A VPN client may promise to mask your IP address, but only offer protections in the IPv4 layer.
None of these services, nor any combination of solutions offers a solid, persistent way of achieving anonymity and security online. For instance, let’s say you want to switch your browser from Chrome to Firefox. Most extensions that change the user agent overlook the need to change the internal object in the browser JavaScript engine called the “navigator” object, which causes a mismatch. The navigator object also supplies information on the CPU architecture of the browser, so if you are claiming to be using Chrome on Windows, while actually running a Linux machine, that, again, creates a consistency problem.
So, while there are lots of tools, including free ones, that might be doing a decent job concealing certain elements of your fingerprint, online researchers need to be wary of potential dangers stemming from holes in their disguise.
To learn more about digital fingerprints and how you can build a solid strategy for keeping your online investigations secure and anonymous, visit Experience Silo.
Tags Anonymous research Digital fingerprint