Stop "clearing your cookies."
The classic advice for the privacy-minded to protect themselves from internet trackers and targeted ads on websites doesn't work very well against the newest breed of sophisticated snoopers who are spying on you using everything from your iPhone's battery status level to the kinds of fonts installed on your browser, Princeton researchers say in a massive new analysis of 1 million web sites, the largest of its kind.
The "trackers" find out what kind of person you are, and then serve you targeted ads. If you visit those sites, data about you is gathered up and resold to other marketers. You read the news for free (sometimes) and someone gets paid to write it, and funny cat picture sites get their server costs covered.
But the trackers are also used to build profiles of consumers over which they have no control.
"Several features of the web...are being used or abused, depending on how one looks at it, by these tracking companies and various entities in the ad tech ecosystem," said study co-author Arvind Narayanan, an associate professor of computer science at Princeton. "They're being used in sneaky ways to track where users are going across the web."
The Princeton researchers scoured the internet's top sites and found signs of aggressive tracking. Two of the top sites each had over 81,000 trackers on them. Most of the tracking, however, was consolidated among a few giants. Google, Facebook, and Twitter were the only third-party trackers present on more than 10 percent of the sites.
While consolidation in the ad market is understandable, security professionals were alarmed by the more "esoteric" methods of tracking they uncovered.
These new techniques form a kind of "browser fingerprinting." Even if you're doing your best to clear your cookies and always fill out online forms using the name "Sir Fluffius Hottentot," sites can still identify you using these more discrete markers.
"It doesn't involve putting a cookie on the computer. It doesn't go away when you clear your cookies," said Narayanan. "Any time the company encounters you online they're going to know it's one particular device because your device behaves the same way."
The exact list of fonts you've installed can be a data point. How exactly your browser processes audio data can be another. Always resize your browser window to a certain point? That's another tell. Even your battery status level.
That last one could be used to unmask users who think they've taken steps to hide their web history.
"If your browsing one website and browsing another anonymously and the same tracker is embedded on both of those, the tracker can read your battery level and discharge rate and see both changing at the same rate," said Narayanan.
The researchers found instances of a kind of graphics function tracking called "Canvas Fingerprinting" on 14,371 sites, font list fingerprinting on 3,250 sites, audio fingerprinting trackers on 579 sites, and battery level tracking in two different tracking scripts.
"A combination of your browser version, OS version, Flash version, amount of RAM, etc. is a surprisingly accurate way of tracking users on the web," said Chester Wisniewski, principal research scientist at security firm Sophos.
However, he cautions that it's unlikely these methods will be widely used online.
"The advertising industry must be careful to not take steps that may draw attention from privacy regulators. We have seen limited use of these techniques to date, but the legitimate industry hasn't seemed to embrace the use of these details on most surfing," said Wisniewski.
The Princeton researchers say though is all it takes is one major third-party group to start using a method for it be found on thousands of sites. Narayanan cited an example where a previously little-used technique went to 5 percent adoption on the web after a single third-party developer deployed it. "That number can change in the blink of an eye," he said.
But what may be more alarming is that most consumers have no idea they're being tracked in these new ways.
"There's a total lack of transparency. We want to shine a light on the dark corners of the internet," said Narayanan.
Reached for comment, Laura Goldberg, a spokeswoman for the Interactive Advertising Bureau, an industry trade group, said the organization, "has a strong, long-held commitment to consumer privacy," a self-regulatory advertising standards program, and "regularly evaluates new tracking mechanisms."