Ad scripts track users via browser password managers

Researchers have spotted a sly new technique adopted by advertising companies to track web users that can’t be stopped by private browsing, clearing cookies or even changing devices.
The method, discovered by Princeton’s Center for Information Technology Policy, exploits the fact that many web users rely on the login managers built into browsers to autofill login details (email address and password) when they visit a familiar website.
Normally this is an innocent process, but on a small number of sites that have embedded either one of two tracking scripts – AdThink and OnAudience – the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realising this is happening.
At this point, the scripts capture a hashed version of the user’s email address, which is sent to one or more remote servers run by the advertising companies including, in the case of AdThink, large data broker Acxiom.
But what use is a hashed and therefore unusable email address? Quite simply:

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier.

Email addresses don’t change often or at all, which means:

The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps.

The researchers speculate that tracking users via an email address identifier might even allow advertisers to join different browsing histories together even after cookies have been cleared.

This means that changing browsers, or devices, or even deleting cookies after every session would offer little protection as long as a user’s email address remains the same and is used regularly enough.
It sounds alarming, so let’s mention the technique’s limitations.
The first is simply that it is not common, with the two scripts being found on only 1,110 of the Alexa top one million websites.
The user must also be using a browser’s integrated login manager rather than a third-party platform such as LastPass, 1Password or Dashlane (which don’t autofill invisible forms), and importantly, to have entered their login information on the domain – just visiting isn’t enough.
It’s likely that browser script blockers such as Ghostery, NoScript or Privacy Badger would make short work of the scripts assuming they have been updated to add them to their list of invisible trackers.
The problem is that there will be plenty of internet users who continue to use browser login managers out of convenience, and who don’t run script blockers.
As the researchers point out, the underlying fault here is the Same Origin Policy model of web trust in which publishers either completely trust or mistrust third-parties.
When a script is embedded on a site by an ad partner the easiest option is simply to trust it because not doing so might limit its functions – even if that third-party script is capturing hashes of email addresses entered by customers.
For users, the latest discovery only adds to the strong sense that ad tracking is running out of control in ways that can be extremely hard to keep tabs on. Tracking can be mitigated to some extent but only if users understand such a thing is necessary in the first place.
Today, the default position is that users should take web tracking systems on trust. The discovery of AdThink and OnAudience suggests they need to become far warier.