Websites are increasingly tracking users without their knowledge or permission by using "device fingerprinting" to identify individual web users.
Device fingerprinting exploits the data that a PC, smartphone or tablet computer sends to websites so that they can send back the right content. The researchers put together their own automated scanning tool, called FPDetective, in a bid to discover which major websites might be using this technique to track users.
"In 2010, [Peter] Eckersley demonstrated that benign characteristics of a browser's environment, like the screen dimensions and list of installed fonts, could be combined to create a unique device-specific fingerprint," say the researchers.
Eckersley is a senior staff technologist at US privacy group the Electronic Frontier Foundation.
According to the researchers, 145 out of 10,000 major websites currently use the device fingerprinting technique to surreptitiously identify and track users.
"In the modern web, the browser has emerged as the vehicle of choice, which users are to trust, customize, and use, to access a wealth of information and online services. However, recent studies show that the browser can also be used to invisibly fingerprint the user: a practice that may have serious privacy and security implications," they claim.
Device fingerprinting is able to build up profiles of web users because certain attributes do not change over time - people tend to use the same browser, for example, and may not change their screen when they upgrade their PC.
"Web-based device fingerprinting is the process of collecting sufficient information through the browser to perform stateless device identification. These fingerprints may then be used as identifiers for tracking the device in the web," say the researchers. The technique typically uses either JavaScript or plugins such as Adobe Flash.
The Tor web browser, used to browse the "dark web" with encrypted communications, has built-in defences against device fingerprinting, but is also vulnerable to a number of attacks, say the researchers. Firegloves, a browser extension for Firefox, was also vulnerable, not least because its very presence is itself an identifier: it is used by just 1,750 Firefox users.
"Our findings are in line with prior results showing that user-agent-spoofing extensions can be straightforwardly discovered and bypassed."
The "Do not track" HTTP header field, which is being pushed as a privacy standard by companies such as Microsoft, also did not protect users.
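The two effects described above (benign attributes combining into a unique fingerprint, and a rarely used privacy extension becoming an identifier itself) can be measured as anonymity-set sizes and entropy. The following is an added illustration, not code from the researchers or from FPDetective; the visitor records, attribute names and values are constructed sample data.

```javascript
// Constructed sample population (not measured data): what a site could
// observe about 8 visitors. `ext` marks a detectable anti-fingerprinting
// extension; visitor 3 reports the same generic values as visitors 1 and 2.
const visitors = [
  { ua: "Firefox", screen: "1920x1080", fonts: "A", ext: false },
  { ua: "Firefox", screen: "1920x1080", fonts: "A", ext: false },
  { ua: "Firefox", screen: "1920x1080", fonts: "A", ext: true },
  { ua: "Firefox", screen: "1366x768", fonts: "B", ext: false },
  { ua: "Chrome", screen: "1920x1080", fonts: "B", ext: false },
  { ua: "Chrome", screen: "1366x768", fonts: "A", ext: false },
  { ua: "Chrome", screen: "1366x768", fonts: "A", ext: false },
  { ua: "Chrome", screen: "1366x768", fonts: "B", ext: false },
];

// Combine the chosen attributes into one fingerprint string per visitor.
const fingerprint = (v, attrs) => attrs.map((a) => `${a}=${v[a]}`).join("|");

// Count how many visitors share each combined fingerprint.
function groupSizes(pop, attrs) {
  const counts = new Map();
  for (const v of pop) {
    const fp = fingerprint(v, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return counts;
}

// Anonymity set size per visitor: 1 means the visitor is uniquely identifiable.
function anonymitySets(pop, attrs) {
  const counts = groupSizes(pop, attrs);
  return pop.map((v) => counts.get(fingerprint(v, attrs)));
}

// Shannon entropy (bits) of the fingerprint distribution over the population.
function entropyBits(pop, attrs) {
  let h = 0;
  for (const c of groupSizes(pop, attrs).values()) {
    const p = c / pop.length;
    h -= p * Math.log2(p);
  }
  return h;
}
const uniqueCount = (pop, attrs) => anonymitySets(pop, attrs).filter((n) => n === 1).length;

for (const attrs of [["ua"], ["ua", "screen", "fonts"], ["ua", "screen", "fonts", "ext"]]) {
  console.log(attrs.join("+"), entropyBits(visitors, attrs).toFixed(2), "bits,",
    uniqueCount(visitors, attrs), "unique of", visitors.length);
}
```

In this sample no single attribute singles anyone out, the three combined isolate three visitors, and the third visitor, who blends in on every reported value, drops to an anonymity set of one as soon as the extension's presence is observable.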