Monday, March 21, 2005

Remote device fingerprinting -- a new privacy concern

The linked paper describes a method for uniquely identifying computers from remote locations. This device "fingerprinting" relies on identification of clock skews -- the difference in the rate of "ticking" of a computer's internal clock versus some reference clock -- based on time stamps incorporated into the low-level packets of information that make up internet communications. It turns out that this skew is, to a great extent, unique to each combination of machine and operating system and is reasonably constant despite geographic location and network connectivity. This approach would allow a web site, for instance, to identify client computers without the use of cookies. It would also allow anyone who can attach a computer to a network backbone to scan for a set of computers that are under surveillance. Shades of Carnivore.

The paper ends with the following: "Our results compellingly illustrate a fundamental reason why securing real-world systems is so genuinely difficult: it is possible to extract security-relevant signals from data canonically considered to be noise. This aspect renders perfect security elusive, and even more ominously suggests that there remain fundamental properties of networks that we have yet to integrate into our security models." Those of us concerned with our privacy take great care to ensure, for example, that we only allow certain sites to store cookies in our web browsers and that each cookie can only be retrieved by the site that stored it. In that respect, cookies are fairly benign from a privacy and security standpoint. Methods like those in this paper will require explicit countermeasures. For this particular approach, it appears (judging from the results in Table 5 of the paper) that software can be used to alter the skew, randomizing it to foil fingerprinting. But I wonder about other measurable patterns of computer network activity. It might even be possible to use network activity patterns to identify users, even if they switch computers.
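To make the measurement concrete, here is an added example (not code from the paper or from this post) that simulates the observation an observer actually gets, a packet arrival time paired with the sender's timestamp counter value, and fits the clock skew from it. The counter rate (100 Hz), the packet counts, the delay distributions and the device skews are all constructed assumptions; the fit is an ordinary least-squares slope over the offset series, a simplification of the more delay-robust fit the paper uses. The point the code shows is why the fingerprint survives a change of network: constant path latency lands in the intercept, and zero-mean jitter averages out, so only the slope, the skew itself, remains.

```python
"""Clock-skew estimation from packet timestamps (added illustrative example)."""
import random

# Assumed tick rate of the sender's timestamp counter (constructed value).
TS_HZ = 100


def simulate_session(skew_ppm, n_packets, duration_s, base_delay_s, jitter_s, seed):
    """Constructed observations: list of (receiver_arrival_time_s, sender_ticks).

    The sender's counter advances at TS_HZ * (1 + skew) ticks per true second.
    Network delay is base_delay_s plus uniform jitter in [0, jitter_s]; the
    receiver never sees the true send time, only the arrival time.
    """
    rng = random.Random(seed)
    skew = skew_ppm * 1e-6
    send_times = sorted(rng.uniform(0.0, duration_s) for _ in range(n_packets))
    obs = []
    for t in send_times:
        ticks = int(TS_HZ * (1.0 + skew) * t)            # counter is an integer
        arrival = t + base_delay_s + rng.uniform(0.0, jitter_s)
        obs.append((arrival, ticks))
    return obs


def estimate_skew_ppm(obs):
    """Least-squares slope of y_i = w_i - x_i against x_i.

    x_i is elapsed time on the receiver's clock, w_i is elapsed time implied by
    the sender's counter. The slope of the offset series is the sender's skew
    relative to the receiver, returned in parts per million. Constant path
    latency only shifts the intercept; zero-mean jitter averages out.
    """
    r0, v0 = obs[0]
    xs = [r - r0 for r, _ in obs]
    ys = [(v - v0) / TS_HZ - x for (_, v), x in zip(obs, xs)]
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return (sxy / sxx) * 1e6


def fingerprint_demo():
    """Two constructed devices, device A observed from two different network paths.

    Returns skew estimates in ppm keyed by device and session.
    """
    return {
        # device A, low-latency path with little jitter
        "A_path1": estimate_skew_ppm(simulate_session(50.0, 2000, 7200, 0.020, 0.050, 1)),
        # same device A, high-latency path with much more jitter
        "A_path2": estimate_skew_ppm(simulate_session(50.0, 2000, 7200, 0.120, 0.200, 2)),
        # a different device B on the low-latency path
        "B_path1": estimate_skew_ppm(simulate_session(-30.0, 2000, 7200, 0.020, 0.050, 3)),
    }


if __name__ == "__main__":
    for name, ppm in fingerprint_demo().items():
        print(f"{name}: estimated skew {ppm:+.2f} ppm")
```

Running the demo gives estimates close to +50 ppm for both sessions of device A and close to -30 ppm for device B, which is the property the post describes: the path changed, the estimate did not. For a defender the useful consequence is the one the post's Table 5 remark points at: a countermeasure has to change the slope that this fit recovers (the effective rate of the exposed counter), because per-packet noise alone is exactly what a regression over a long session is designed to ignore.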
