User tracking without cookies

[borked]

Could be a real money spinner and/or invaluable way to track your vids ending up on the tubes (combine with quantum-x's open source method of adding frames to vids to track vids).

Basically a fantastic way to track the vast majority of your users without using cookies, but simply their unique browser fingerprint....

the science

test yourself

I've been "tracking" my JS users for 7 days (not 'my' users but those of sites that use my service) and I have to say it looks pretty remarkable to date with 9.2 million unique fingerprints and 38 million "tracked" fingerprints over that time period (8 million had to be 'tracked' using the python script to match signatures that had gone through updates (browser update or font addition/deletion) ). Disclaimer though, as I don't 'own' those users and so set cookies etc I can't say at all what my false positive/negative rate is.

This could be *very* big indeed and could easily find its place in DRMing vids to find out who uploads stolen content (unless CDNs are used to distribute said content)... tag in an md5 hash of the browser fingerprint and check that off against member logins/hash's.

I remember wanting a browser uniqueness possibility about 2 yrs ago but everything I tried was too unreliable - this however, with its bit scoring to give confidence values on uniqueness is a frikken gem

If you can understand the reasoning and algorithms behind it. knock yourselves out! I have millions of hits but it's not my traffic, so I can't experiment with understanding if I'm dealing with false positives (tracking one unique user that is in fact multiple different people) or false negatives (scoring multiple uniques when in fact it's the same person). If you have something similar in traffic, then give it a go and compare with unique cookie IDs over a period to see if you've got a good method of server-side tracking...

[Barefootsies]

Time will tell on this one. I would like to see some better tracking tools in regards to video.

[borked]

Quote:

Originally Posted by Barefootsies

I would like to see some better tracking tools in regards to video.

Quantum-x (the cool photog guy in paris) had a real gem of a script that could 'track' a video and strangely enough it was never adopted by anyone that I know of. Tag his gem with this one and you can pinpoint who (which member) is/was responsible for leaking content.

It does however require direct server-to-client interaction so CDNs are out, unless one of the good guys in CDN start to offer this as an 'add-on'.
Log the member and unique fingerprint and server up the content DRMd with that data....

[ShellyCrash]

This is interesting but I need to dig into it more. I don't really look at the advantages from a content site perspective, but from a sponsor program / affiliate perspective I agree that cookies are becoming more and more an unreliable way to track surfers.

People wipe their cookies more and more frequently, and with the dating model sometimes users convert days, weeks, even months out. I'm doing some pretty cool things with the sales tracking on swurve so our affiliate backend isn't dependant on cookies to give webmasters credit for sales.

Coming out of beta soon so don't want to go into too much detail but hit me up on ICQ if you want to discuss.

[borked]

Quote:

Originally Posted by ShellyCrash

...but from a sponsor program / affiliate perspective ...

bingo

I'm not at all familiar with swurve link?), but I'm 100% all for thinking outside the box and it looks like your program is doing just that

[ShellyCrash]

Trying to get you on ICQ but it says you're not online. I'm @ 196766477

[ShellyCrash]

Also on a side note for the content guys out there, Adobe was in Vegas at Internext in Jan saying they were coming out with some really awesome new content protection. Just throwing that out there to you guys as well.

[TheDA]

"Your browser fingerprint appears to be comparable with another 12,285 fingerprints among the 940,561 tested so far."

[BIGTYMER]

That is pritty interesting to say the least.

[borked]

Theda - I guess you had noscript installed....
Nothing is 100% and noscript does a good job of being very restrictive on everything. This is gotten around by s simple login requiring java or JavaScript activated dnd then you're fine


Fuck I hate browsing on s phone .... As my Internet went titsup during an interesting icq convo I went to the phone. But this tiny thing was mexnt for one thing only and that's talking not typing!!

[rowan]

Your browser fingerprint appears to be unique among the 944,853 tested so far.

Interesting... I've been using something similar (or maybe the same - haven't read the entire article yet) to calculate uniques from logs that don't include an IP address, but do include all request headers.

[TheDA]

Quote:

Originally Posted by borked

Theda - I guess you had noscript installed....
Nothing is 100% and noscript does a good job of being very restrictive on everything. This is gotten around by s simple login requiring java or JavaScript activated dnd then you're fine


Fuck I hate browsing on s phone .... As my Internet went titsup during an interesting icq convo I went to the phone. But this tiny thing was mexnt for one thing only and that's talking not typing!!

Yes I do, but I had to 'allow' eff to run the test.

[rowan]

BTW... this makes my anonymous proxy less useful! LOL

Although it does strip and replace the user agent...

[AdultSoftwareSolutions]

I was reading this the other day. Interesting stuff.

For those of you who are curious, what it does is query the browser to find out the surfer's agent tag, fonts installed, flash / java version, etc. From there it combines all that info. The chances of each system having exactly the same thing installed is pretty rare. The question remains is it rare enough to be commercially viable.

[LoveSandra]

Quote:

Originally Posted by ShellyCrash

Trying to get you on ICQ but it says you're not online. I'm @ 196766477

[BestXXXPorn]

Quote:

Originally Posted by rowan

Your browser fingerprint appears to be unique among the 944,853 tested so far.

Interesting... I've been using something similar (or maybe the same - haven't read the entire article yet) to calculate uniques from logs that don't include an IP address, but do include all request headers.

This is WAY not accurate enough to even be considered a replacement for cookies...

The largest diff in these sets of info is going to be the installed system fonts... That means every single layman user that never adds fonts is going to fall into some rather large buckets. Not to mention... I just installed a font and now I'm not even in the same bucket...

Serving DRM content... well if it's using DRM in the first place it would have to be cracked to be reused... or capped, or whatever... in which case your unique code would also be destroyed. Except this unique code isn't really unique... far from it... and all the user would have to do is install a single font or remove one to become a different "user"... Unless you plan on logging every single request with IP and browser signature... but even then they can change who they are by installing a font...

[TheDA]

Quote:

Originally Posted by LoveSandra

What the fuck has that got to do with anything? Fuck all as usual!

[BestXXXPorn]

Quote:

Originally Posted by TheDA

What the fuck has that got to do with anything? Fuck all as usual!

Hahhaa you know I've seen the damn random smiley post many places and this is proof positive it's a bot. It's just selecting a random post and replying with a message generic enough to fit ALMOST any post. Key word being "ALMOST"

[ShellyCrash]

Quote:

Originally Posted by AdultSoftwareSolutions

For those of you who are curious, what it does is query the browser to find out the surfer's agent tag, fonts installed, flash / java version, etc. From there it combines all that info. The chances of each system having exactly the same thing installed is pretty rare. The question remains is it rare enough to be commercially viable.

Not at the level where it could replace cookies- BUT- in time, possibly.

Also, again coming from a community background, I see high potential to use this to identify fraud. Not only could you use this to identify people like nigerian scammers, but maybe could use it to identify chargeback customers down the line.

Again, the technologly doesn't seem to be there yet, but I see alot of potential in it.

[CYF]

Your browser fingerprint appears to be unique among the 948,773 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.86 bits of identifying information.

[ProG]

I like the idea but I'm struggling to think of a use for it other than Google Analytics using it to track surfing habits to target ads based on your fingerprint lol.

[rowan]

Quote:

Originally Posted by BestXXXPorn

This is WAY not accurate enough to even be considered a replacement for cookies...

The largest diff in these sets of info is going to be the installed system fonts... That means every single layman user that never adds fonts is going to fall into some rather large buckets. Not to mention... I just installed a font and now I'm not even in the same bucket...

Did you even read the article? Their algorithm is still capable of identifying, with a low false positive rate, a computer that has made a minor change such as adding a font.

[rowan]

^ In addition, to track theft of content you don't need the ID to be unique for an indefinite/long period, since their unique ID is detected at the time they download the customised movie, which is then stored in a database along with their member account name. If that unique ID shows up in 2 years time on a tube then you'll know which account it originally came from... even if the thief has purchased a new computer since.

[ottopottomouse]

My firefox result gives a huge list of plugins but for internet explorer its much less.

The main thing seems to be the nine million fonts i've got though.

[SmokeyTheBear]

Quote:

Originally Posted by ProG

I like the idea but I'm struggling to think of a use for it other than Google Analytics using it to track surfing habits to target ads based on your fingerprint lol.

theres lots of different things you can do, lets say you own a tubesite, after a surfer has drained a certain amount of bw you could make the ads twice as big for that surfer.

but the idea in general is tracking a user from your end instead of letting a user tell you who they are by the cookie on a users computer.

[Davy]

Quote:

Your browser fingerprint appears to be unique among the 985,161 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.91 bits of identifying information.

Interesting.

Where would you store all that info? In a database?

[Davy]

Quote:

Originally Posted by ShellyCrash

but from a sponsor program / affiliate perspective

Most programs would be more than happy to loose the tracking and instead make the sale on their own.

[ProG]

Quote:

Originally Posted by SmokeyTheBear

theres lots of different things you can do, lets say you own a tubesite, after a surfer has drained a certain amount of bw you could make the ads twice as big for that surfer.

but the idea in general is tracking a user from your end instead of letting a user tell you who they are by the cookie on a users computer.

well I think you could accomplish that by simply tracking usage by IP address or username, or random keys.

I thought the first idea about embedding the fingerprint into a video to track it back to an IP address or username was feasible but still you would have to maintain the database of fingerprint to IP relations and hope that the fingerprint isn't removed in a re-encode.

Then if you found a video with one of your members fingerprints on a tube site- what would you do with that information? Are you going to ban the fingerprint from your server (requiring you to check every fingerprint on entrance)? Do you send them threatening emails about stealing content? heh

I still think it's a great idea to track users without dependency on an IP address it's just a matter of why you would need to do that. Affiliate tracking via fingerprint?

[ShellyCrash]

Quote:

Originally Posted by Davy

Most programs would be more than happy to loose the tracking and instead make the sale on their own.

I don't want to trash anyone so I will just say from my perspective- there is a long term benefit to taking additional measures to ensure your affiliates get credit for all the revenue they generate for your business. Fatter paychecks = happier webmasters & happy webmasters will continue to send you traffic.

[borked]

Quote:

Originally Posted by ProG

well I think you could accomplish that by simply tracking usage by IP address or username, or random keys.

My IP changes daily at 9am, so tracking me visiting your tube site via that is useless. Never seen a tube site requiring username to view vids.... so username tracking is out. Random keys? you mean in the URL, then that's only session based so may as well track via sessions.

The rest depends on how you want to tackle your own problems and why you would want to do that. My reason for eg is on a PPV site, 10 minutes are offered free with an email signup. Abuse goes that people use their 10 mins, signup with a new email, get another 10 mins etc. Cookie tracking for this is useless cos the people scamming/abusing the system know how to delete cookies so this is a great way to say "Oy no, you've already signed up (if the number of bits of information reliably tells you it's a very very good chance their fingerprint is unique.

Each to their own, and for those that would find this beneficial will find this benefical, which is why I threw it out there. Smokey's example for eg I'd never thought of, as was Shelly's. Those that have no idea have no reason to be bothered by it as they don't have such problems/come across them yet

[borked]

Quote:

Originally Posted by Davy

Interesting.

Where would you store all that info? In a database?

In it's simplest form, you would take all those paramters of the fingerprint and make an hash of it (eg MD5: 32-digit character string) and store that. On subsequent visits, compare the hash value of the user against the hashes in the db.

This however kills all possibility of detecting the same user coming back after eg they installed/remnoved 1 font, or ones that updated their browser, since the algorithm to extrapolate/interpolate (not sure which is the best to define) the difference between fingerprints to link one fingerprint to another due to slight changes would lose all information by hashing it. I think for the most part the hash structure is the least database and CPU intensive with the caveat it will give more false negatives due to users updating browser/font/anything.

[borked]

In any case, I think the chance of identifying a false positive - ie saying someone is not unique/already identified when in fact this is their first visit - (the most damaging) is far far less than coming across a false negative - ie saying someone is unique when they've already been there before) - (meaning they got in under the barrier undetected)

Without something like this (for whatever reason you would want it), a false negative is totally acceptable, but a false positive isn't since you would be "restricting" a unique user incorrectly.

Unless of course, you're shelly who would die in shame of letting a false negative through, since the affiliate that originally sent that user wouldn't get credit. Still, for an aff programme, combining this with traditional methods could end up with something quasi-bulletproof