This is why running Whonix (ideally) or Tails (if you use it under one identity only) is increasingly important, especially if you are a vendor.
From: https://freedomhacker.net/web-tracking-aggressive-new-hardware-level-fingerprinting-5310/
By Brandon Stosh on February 14, 2017
Online web tracking has gotten even more aggressive overnight, as a group of researchers have developed a browser fingerprinting method so intrusive, it tracks you at the hardware level. The newest technique, which currently cannot be blocked, allows for websites to track visitors even if they are using two entirely different browsers.
Browser fingerprinting is one of the most effective techniques at identifying individuals across the web to date. This is due to the way browsers interact with websites to make them function properly. To visualize how fingerprinting works, the Electronic Frontier Foundation has a free privacy tool known as Panopticlick. The service measures how effective your browser is against online web tracking, and more specifically fingerprinting. Results vary based on every specific setting on your computer, including everything from fonts, to specific plugins, to time zones, and the site can actually give you your fully identifiable fingerprint.
Up until this point, while this tracking is extremely aggressive, it's always been constrained to one browser. This means that if you used a service in Firefox, and then did the same thing in Chrome, you wouldn't be identifiable specifically due to your browser. In the latest technique outlined by researchers, in a paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features, researchers are able to identify users across multiple browsers. The latest technique is actually more accurate than previous fingerprinting methods available right now.
Fingerprinting isn't inherently evil, and can, at select times, offer potential benefits to you. An example of this would be with banks, tracking fingerprints to know if the person logging into the account is actually you and not an unknown device. Based on automation techniques, banks are actually able to identify suspicious activity in real-time and contact account holders to confirm the device is in fact them. However, not every website you visit is a bank, which poses huge privacy concerns.
"From the negative perspective, people can use our cross-browser tracking to violate users' privacy by providing customized ads," Yinzhi Cao, the lead researcher who is an assistant professor in the Computer Science and Engineering Department at Lehigh University, told Ars. "Our work makes the scenario even worse, because after the user switches browsers, the ads company can still recognize the user. In order to defeat the privacy violation, we believe that we need to know our enemy well."
The new technique relies on code that instructs each browser to perform a variety of system tasks. These tasks can actually impact system and hardware performance; they include tasking the graphics card, multiple GPU cores, audio cards, and system fonts, which can vary greatly for each computer. The cross-browser fingerprinting carries out 36 new features to track browsers, 20 of which use the WebGL standard for rendering 3D graphics in browsers.
Researchers explain how these tasks work in their paper, detailing:
We propose a (cross-)browser fingerprinting based on many novel OS and hardware level features, e.g., these from graphics card, CPU, audio stack, and installed writing scripts. Specifically, because many of such OS and hardware level functions are exposed to JavaScript via browser APIs, we can extract features when asking the browser to perform certain tasks through these APIs. The extracted features can be used for both single- and cross-browser fingerprinting.
99% Success Rate on Average
The cross-browser tracking technique relies on compacted JavaScript code that can quickly be run in the background while visitors focus on their web page, such as reading an article or viewing a video. The researchers launched a website to demonstrate the techniques live, and released the corresponding, now open-source, code. In a test that collected 3,615 fingerprints from 1,903 individual users over a three month period, the techniques were able to identify users with a 99.2% success rate. By contrast, previous techniques that rely on single-browser fingerprinting, known as AmIUnique, had a success rate of 90.8% on the same test group.
One upside is cross-browser tracking doesn't affect the default installation of the Tor browser, leaving Tor as a somewhat viable privacy solution. A portion of users that use Tor regularly will oftentimes slightly modify their Tor browser to make it more accessible to the web; however, the latest techniques could de-anonymize a whole lot of Tor users extremely quickly. Cao said he is not aware of any sites that currently deploy cross-browser fingerprinting.
Cross-browser fingerprinting is only the latest tool developers can add to their evil toolbox of extremely identifying techniques. Tracking has gotten far more aggressive over the past year, with techniques including TV commercials trying to inject inaudible sounds to track devices across specific locations, or the rate at which people type in their browser. Yes, the way you type is identifying.
The best defense against these latest cross-browser fingerprint techniques is to use the Tor browser, although researchers did note that running browsers inside a virtual machine could also prevent the tracking.
"This approach is lightweight, but we need to find all possible fingerprintable places, such as canvas and audio context," researchers said, theorizing over the virtual machine defense. "If one place is missing, the browser can still be somehow fingerprinted. We leave it as our future work to explore the correct virtualization layer."
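Added example, not code from the article or from the Lehigh paper: a defender-side monitor, in the spirit of a privacy extension, that wraps the API surfaces the article names (WebGL, canvas, AudioContext, font measurement) and flags a page that probes several of them in one short burst, which is how a fingerprinting script behaves. The prototype objects, method lists and both scenarios are constructed stand-ins so it runs outside a browser; in a real browser you would pass the window's own prototypes.

```javascript
// Wraps the listed methods on each surface's prototype, records every call,
// and flags the page once `threshold` distinct surfaces are touched within
// `windowMs` milliseconds. The original behaviour is preserved.
function installFingerprintMonitor(surfaces, opts = {}) {
  const threshold = opts.threshold ?? 3;  // distinct surfaces before flagging
  const windowMs = opts.windowMs ?? 2000; // burst window in ms
  const now = opts.now ?? (() => Date.now());
  const events = [];                      // { surface, method, t }
  let flagged = false;

  for (const [surfaceName, { proto, methods }] of Object.entries(surfaces)) {
    for (const method of methods) {
      const original = proto[method];
      if (typeof original !== 'function') continue;
      proto[method] = function wrapped(...args) {
        events.push({ surface: surfaceName, method, t: now() });
        const recent = events.filter((e) => now() - e.t <= windowMs);
        if (new Set(recent.map((e) => e.surface)).size >= threshold) flagged = true;
        return original.apply(this, args); // hand the call through unchanged
      };
    }
  }
  return {
    events,
    isFlagged: () => flagged,
    surfacesTouched: () => [...new Set(events.map((e) => e.surface))],
  };
}

// Constructed stand-ins for WebGLRenderingContext, HTMLCanvasElement,
// AudioContext and CanvasRenderingContext2D prototypes (assumption: fakes).
function makeFakeSurfaces() {
  return {
    webgl:  { proto: { getParameter: (p) => `GL:${p}` },             methods: ['getParameter'] },
    canvas: { proto: { toDataURL: () => 'data:image/png;base64,FAKE' }, methods: ['toDataURL'] },
    audio:  { proto: { createOscillator: () => ({ type: 'triangle' }) }, methods: ['createOscillator'] },
    fonts:  { proto: { measureText: (s) => ({ width: s.length * 7 }) }, methods: ['measureText'] },
  };
}

// Scenario 1: a script probes four hardware-exposing surfaces in one burst.
function runProbeScenario() {
  const s = makeFakeSurfaces();
  const mon = installFingerprintMonitor(s, { threshold: 3, windowMs: 2000 });
  s.webgl.proto.getParameter(0x1f01);      // e.g. RENDERER
  s.canvas.proto.toDataURL();
  s.audio.proto.createOscillator();
  s.fonts.proto.measureText('mmmmmmmmmmlli'); // classic font-width probe
  return mon;
}

// Scenario 2: an ordinary page that only exports a canvas drawing.
function runBenignScenario() {
  const s = makeFakeSurfaces();
  const mon = installFingerprintMonitor(s, { threshold: 3, windowMs: 2000 });
  s.canvas.proto.toDataURL();
  return mon;
}
```

The threshold and window are heuristics to tune per deployment; a single canvas export is normal, while WebGL, audio and font probes arriving together from one script is the signature worth logging or blocking.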
This is nothing new. In my profession I interact with some commercial marketing software, and the way it works from a legal/ethical/technical standpoint is clever. First, the company that runs it offers it as SaaS, meaning that you pay them a yearly fee. As a result, from an administrative standpoint it can avoid most IS/IT departments as it's seen in the same way a Google account would be (not IT's problem). Secondly, the actual software is just a plugin for your existing website. So your marketing department pops it in, voila, you're done.
Technically, however, what it's doing is tracking users to the site in about as invasive a way as you could possibly imagine. I don't care what you do to hide your identity, they have you. IP, browser, typing style, they have a fingerprint that IDs you. They might not know who exactly you are, but they don't care. They just want to be able to uniquely identify you as potential customer #1234, and they have your full browsing history across hundreds if not thousands of sites.
But what good is that, you may ask, if they don't know who you are or how to contact you? Well, this is where things get legally clever. That marketing SaaS company sells their services to thousands of companies. Every single site that uses their plugin is aggressively trying to get that user to create an account on their website. These are commercial high dollar products, so they're throwing iPods, TVs, you name it at them, all to get an account. All of these websites seem completely and totally unrelated as far as the user is concerned. One might be an automotive parts company, the other commercial kitchenware; what do they have to do with each other? They use the same marketing plugin, that's what.
As soon as that customer creates an account at any one of these hundred sites, the marketing company has them. That user has become a salable asset. They now know your name and contact information and tie your browsing history across all of those sites to it. They then cross-pollinate all of their customers with a new "target" and the marketing SaaS product has done its job. It's all done with a nod and a grin... it's illegal for these companies to share their customers' data with one another in this fashion, but as far as they're concerned they're not, and they had no idea the 3rd party company was doing it.
I think that it's only a matter of time before this sort of tracking gets taken too far and lands in court. The way it's set up now seems to be designed specifically to help marketing departments avoid review by their ethics and tech departments. I stumbled into it a few times during projects and tried to raise the point of how unethical the practice seemed, but the fact that all of the "evil" seemed to be offloaded to a third party made it hard to prove exactly what was going on. This seems to be the route modern corporate evil has taken. Outsource the evil, protect yourself from litigation with plausible deniability.