Fingerprinting You and All of Your Things

By on Jun 15, 2016

Your phone checks your identity with your physical fingerprint. We also use the term ‘fingerprint’ to described methods of identifying software and hardware with algorithms that calculate a unique code based on the software structure, operating behavior, or other characteristics. Apps and devices can also potentially identify you by your pattern of behavior or idiosyncrasies. The more data you can collect and correlate, the more accurate a fingerprint you can create.

Identifying humans by their behavior is not new. Many of us can recognize our close friends by their walk, and experienced telegraph operators could identify each other based on their ‘fist’, or quirks in their tapping. However, this is moving to a whole new level, as more devices gather more data and powerful processors are available to synthesize the data into unique identifiers.

Many organizations would like to be able to track your activities. They keep coming up with new techniques that others then try to block, delete, or otherwise defeat. Emerging techniques that can identify an individual or machine based solely on behavioral or operating characteristics, requiring no biometrics, cookies, or other data that can be withheld or deleted, are provoking a new round of privacy issues and concerns.

Web browsers contain more than 18 bits of unique data. Using this info alone makes it possible to uniquely identify 94% of website visitors, and over 99% of returning ones. Many anti-fingerprinting plug-ins and extensions are accidentally contributing to this data set instead of occluding it. As the number of devices per user grows, the ability to correlate identity to location and activity could become insurmountable.

There are a host of other fingerprinting techniques being evaluated, from unique radio-frequency emissions to GPS profiles to passive biometrics. As we move further into our brave new world of connected things, companies will be looking to leverage fingerprinting in ways we do not expect or anticipate.

This issue extends far beyond your browsing activity. A group of researchers recently published their study that leverages data from an automobile’s internal computer network to correctly identify a driver. No cameras for facial recognition, no thumbprint reader on the dashboard. Simply leveraging the existing data in the car and creating a fingerprint of the driver’s behavior, the researchers were able to correctly identify the driver 100% of the time.

Smart cars are collecting significant amounts of data about their drivers. Insurance companies want to use this data to individualize premiums. Could law enforcement use this to prove it was who the operator was? Could I program an autonomous vehicle to use my driving fingerprint to fool someone else into thinking I was behind the wheel when in I was not?

The data exists and is ripe for collection, despite our best efforts to protect privacy. With enough data – even seemingly anonymous data – fingerprinting algorithms can and will be cleverly applied to uniquely identify individuals.  The algorithms may not start off knowing specifically “who”, but will identify one fingerprint as different from another; which, eventually with enough data, means it will discover the “who”.

There are no secrets from the data, so it is very important to understand what is being collected, what it identifies, who has it, and whether or not you trust them to keep your interests in mind.

About the Author

Eric Wuehler

Eric Wuehler is a Principal Engineer in the Office of the CTO at McAfee. He is a seasoned developer and architect with more than 20 years of experience in product innovation, research and development with a strong focus in security since 2004. In his free time, Eric pokes around with mobile development, wires together homemade ...

Read more posts from Eric Wuehler

Subscribe to McAfee Securing Tomorrow Blogs