RSA Conference: Curbing Email Threats & Spear-phishing - The Promise & Results with DMARC
If you are headed to the RSA Conference (April 20 - 24, 2015 at the Moscone Center in San Francisco, CA), I suggest checking out this session on Wednesday, April 22nd from 10:20 - 11:10 AM:
Session code TECH-W03
Email is the most effective cyber-attack vector, targeting users and businesses by initiating account takeovers, driving identity theft and serving as the data breach gateway. This session will share research into worldwide adoption of email authentication and DMARC, to show which technologies are proving to be effective countermeasures to thwart social-engineering email exploits and spear-phishing.
This session will feature:
Craig Siezle, Online Trust Alliance
John Scarrow, Microsoft
Trent Adams, PayPal
Pat Peterson, Agari
Click HERE for more information.
Defendant to serve 48 months in federal prison for violating CAN-SPAM Act
Milos Vujanic, 34, who was convicted for his role in what Chief U.S. District Judge Sidney A. Fitzwater previously called "a massive, complicated, multi-year scheme to defraud a large number of victims," was sentenced this week to 48 months in federal prison and ordered to pay approximately $17.3 million in restitution. Acting U.S. Attorney John Parker, of the Northern District of Texas, made the announcement today.
Vujanic pleaded guilty in December 2014 to a superseding information charging one count of fraud and related activity in connection with electronic mail (CAN-SPAM Act).
A citizen of Serbia, Vujanic was arrested in May 2012, in Paris, France. After a lengthy extradition process, Vujanic first appeared in the U.S. District Court in the Northern District of Texas in April 2014.
Nineteen defendants were originally charged in this massive telecommunications fraud conspiracy. Two of the defendants, Nathan Todd Shafer, 32, of Irving, Texas, and Matthew Norman Simpson, 26, of Red Oak, Texas, were convicted in December 2011 following a 10-week trial before Judge Fitzwater.
Simpson was sentenced to 40 years in federal prison and ordered to pay restitution of approximately $17.6 million and a forfeiture money judgment of the same amount. In addition, the Court also forfeited specific assets such as precious metal certificates worth approximately $3 million and additional cash and computer equipment worth an additional $2 million. Simpson was convicted on one count of conspiracy to commit wire fraud and mail fraud, one count of fraud and related activity in connection with electronic mail, one count of obstruction through destruction of evidence and one count of false registration of a domain name. Additionally, shortly after Simpson's conviction at trial, the Court entered an order finding that Simpson committed perjury during his testimony.
Shafer, who was convicted on one count of conspiracy to commit wire fraud and mail fraud, was sentenced to nine years in federal prison and ordered to pay approximately $3.3 million in restitution as well as a forfeiture money judgment of the same amount.
Michael Blaine Faulkner, of Southlake, Texas, was sentenced to 30 years in federal prison and ordered to pay approximately $18.2 million in restitution, a forfeiture money judgment of the same amount, and forfeit a host of computer equipment. Faulkner pleaded guilty in October 2011 to one count of conspiracy to commit wire and mail fraud and one count of obstruction through hiding assets. His wife, Chasity Lynn Faulkner, also pleaded guilty in October 2011 to one count of conspiracy to commit electronic mail, postal mail and wire fraud, and was sentenced to 60 months in federal prison.
According to documents filed in the case, Michael and Chasity Faulkner fled to Mexico in 2009 after they learned of the FBI's investigation into their activities. They lived in Mexico, under assumed aliases, until January 2010 when they were arrested and returned to the U.S. to face charges.
One defendant remains a fugitive and is believed to be living outside of the U.S. Two defendants were acquitted at trial. Of the remaining defendants, all have pleaded guilty and been sentenced.
In March and April 2009, the FBI executed numerous search and seizure warrants at locations including the Faulkner's residence in Southlake, Faulkner's business known as Crydon located at 1950 Stemmons Freeway in Dallas, Matthew Simpson's residence, a business operated by Simpson known as Core IP located at 2323 Bryant Street in Dallas, and at other related businesses.
During trial, the government presented evidence that Shafer, Simpson and their coconspirators conspired to defraud various telecommunications companies including AT&T; Verizon; XO Communications; Excel Communications; Waymark Communications; Bandwidth.com; CommPartners; the lessors of properties at 2020 Live Oak, 2323 Bryan Street and 1950 Stemmons Freeway in Dallas; leasing companies and creditors, including Wells Fargo and AT&T Capital Services; credit reporting agencies; and various other service providers, such as power companies, insurance companies, air-conditioning companies, and web site developers and others for goods and services amounting to more than $20 million.
The conspirators also made false representations to obtain goods, such as computers and telecommunications equipment and infrastructure, to include racks to hold computer equipment, generators to provide power for the equipment, and office space to install the equipment, as well as services related to the operation and use of computers and telecommunications. The conspirators created, purchased and used shell companies to hide the identity of the owners or operators of the companies, or the relationships between the companies. The conspirators paid persons including homeless persons for the use of their identities to "act" as the officers, directors or managers of the shell companies. They also used P.O. Boxes, commercial remailer services, shell offices, apartments or other physical locations to hide owners' or operators' identities or the relationships between the companies. They assumed other identities to hide true ownership of the shell companies and made materially false representations to their victims, by mail, fax, telephone, email or other communications, to obtain goods and services from them. In addition, the coconspirators ran a data center that provided a safe haven for those engaged in the sending of SPAM, hiding the senders' information from law enforcement and other regulators. Vujanic worked for Faulkner and he assisted in the SPAM fraud by 1) ensuring the networking equipment and computers were operational; 2) setting up the telephone systems in the office; 3) providing false information to creditors; 4) providing false information to regulators such as ARIN (American Registry of Internet Numbers); and 5) providing false information to customers and suppliers.
The case was investigated by the FBI, with assistance from the Texas Workforce Commission, the Texas Secretary of State, the Dallas Police Department, the Southlake Police Department, Dallas Sheriff's Office, Ellis County Sheriff's Office, the Duncanville Police Department, the Longview Police Department, the New Orleans Police Department, the American Registry for Internet Numbers (ARIN), the Federal Trade Commission, the Federal Communication Commission and various state public utility commissions.
Facebook is now offering feedback to marketers. This new service, called Topic Data, will provide anonymized and aggregated information about the social chatter around events, brands, and even specific products. The social network will team with a company called DataSift to package the data into a form that can be analyzed for insights and sold to marketers interested in the feedback.
Because much of Facebook's data is private, unlike Twitter, offering Topic Data in a privacy-safe way is a top concern and might explain why Facebook waited so long to offer this functionality that brands have been begging for. To ensure personal info is not divulged, Topic Data is aggregated and anonymized, so brands can't know or piece together exactly who said what.
Surprisingly enough, Facebook is giving DataSift the keys to the castle for free in exchange for helping it rapidly break into the market with the startup's tech and relationships. DataSift will charge analytics firms a fee for queries, who will then mark up the price and sell it to brands.
If brands find the data valuable, it could draw them and their ad budgets closer to Facebook. Until now, Facebook has largely been a black box inside a walled garden. Marketers didn't know what was said inside. DataSift and Topic Data let them peer inside.
Last week while attending the International Association of Privacy Professionals' Global Privacy Summit in Washington, D.C., I learned that Canada had issued its first fine under their new anti-SPAM legislation, which went into effect July 1, 2014.
The Canadian Radio-television and Telecommunications Commission (CRTC) issued a $1.1 million fine against Compu-Finder, a business training firm located in Québec. According to reports, Compu-Finder accounted for about 26% of all SPAM complaints filed in its industry sector last year, and made up almost 250,000 complaints received at Canada's Spam Reporting Center.
Reports indicated the company sent unsolicited messages with non-functioning unsubscribe links. The emails were promotional in nature, containing advertisements for various training courses on topics such as management, social media and professional development.
"Despite the CRTC's efforts, Compu-Finder flagrantly violated the basic principles of the law by continuing to send unsolicited commercial electronic messages after the law came into force, to email addresses it found by scouring websites," said Manon Bombardier, Chief Compliance and Enforcement Officer at CRTC, in a statement. "Complaints submitted to the Spam Reporting Centre clearly indicate that consumers didn't find Compu-Finder's offerings relevant to them."
Under the Canadian Anti-SPAM Legislation (CASL), the CRTC may levy corrective actions to individuals, firms or organizations, and can also issue warning letters, preservation demands, notices to produce, restraining orders and notices of violation. Compu-Finder has 30 days to justify its actions to the CRTC or pay the penalty. It also has the option of requesting a hearing with the regulator.
"By issuing this Notice of Violation, my goal is to encourage a change of behavior on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law," Bombardier said. "We take violations to the law very seriously and expect businesses to be in compliance."
So what does this mean for marketers sending email in the US?  Well, it's certain that the Canadian government will continue to enforce CASL and this enforcement will not only be within the borders of Canada.  The legislation needs to be taken seriously by those sending bulk commercial email.  Manon Bombardier has made it very clear - the expectation is that businesses are compliant.
For more information on the Canadian Anti-SPAM Legislation and how to ensure you're compliant, please visit the Listrak CASL Resource center at http://www.listrak.com/CASL.
During this year's Email Experience Council, I had the unique opportunity to speak with key email program personnel from Comcast, Microsoft, AOL and Google to discuss how they measure activity within the inbox and what senders of commercial email should be doing from their point of view. Matt Moleski from Comcast, Paul Rock from AOL, John Scarrow from Microsoft and Sri Somanchi from Google were on hand to give some insight, helpful tips and answer questions regarding their organization's email programs.
Initially we spoke about the concept of engagement and all four agreed that the inbox is not the same for everyone, and senders do not measure engagement the same way receivers do. As a sender, you may have a great reputation with the receiver, but messages still end up in the SPAM folders of some users. This is because those users have demonstrated, through their actions, that the messages (or similar messages) are not relevant to them. A sender's reputation and inbox placement are two different things. The inbox is not a global concept; it is different for each user, and an overall reputation isn't created based on how one or two users treat the mail.
While some did indicate they look at things on a global scale, they all made it clear that specific user behavior plays a large role in determining where mail can land, and that behavior definitely affects that sender. If a large number of subscribers perform the same action, the consequences could be global for that sender. Subscribers have more control over their inboxes than ever before, and that is not going to be changing any time soon. All four agreed that the focus is on a personalized inbox experience based on user behavior. The key here is: deliverability has become personalized. It's no longer "all or nothing".
We all know that filtering decisions are based on a myriad of data points. The receivers referred to these data points as "signals". These signals are combined together by machine learning algorithms that are used to determine a sender's reputation. There's filtering by sending IP address, content comparison, and user level filtering. The receivers also look at a number of signals that marketers do not have visibility into.
This led to a discussion on the specific user level signals that they use to determine what a user finds relevant. All agreed that these signals of inbox engagement (shown below) play a fundamental part in determining the relevancy of your email campaign for a specific recipient.
Positive Signals
Moving a message out of the SPAM folder / marking it as not SPAM or junk
Replying to a message (keeping a conversation going)
Adding the sender to the address book
Reading or viewing a message
Moving the message to another folder (or tagging the message)
Negative Signals
Deleting the message without opening or reading it
Marking the message as SPAM or moving it to the "junk" folder
Reporting the message as a phishing attempt
I've seen several marketing emails which request the recipient to reply to the message as a call to action (re-engagement campaigns are a good example). From the signals above we know this is a good thing and will work to better the reputation. But a lot of times these addresses are not monitored; some are even non-existent. One tip here: given that replying to emails is a positive signal that will ultimately improve a sender's reputation, it might be worthwhile to make the sending addresses accept replies, perhaps even responding back to the subscriber. Keeping up a conversation with your recipients will help shape relevant content, and according to the mailbox providers, it's a very positive signal when calculating reputation.
We discussed infrastructure and the mechanics behind deliverability, but learned quickly that mailbox providers see this as a given. Email authentication (DKIM, DMARC, etc.), DNS & rDNS, properly functioning reply addresses, feedback loops and working unsubscribe mechanisms are all expected; if you don't have it now, it may already be too late. Good list hygiene practices shouldn't be left to validation services after things go wrong, but should be part of your program from day one and followed throughout the entire lifespan.
From there, the conversation turned to the overall mail volume that they see. About 95% of all email received by AOL, Gmail, Outlook and Comcast is considered junk and is either blocked or filtered. Of that, 85% is blocked due to poor sender reputation. Permission-based email marketers are part of the "other 5%", but sometimes tend to forget that the receivers have their hands full filtering the bad actors. This sentiment was shared by all the receivers. They understand the frustration on the side of the marketers, and sometimes feel that marketers don't understand the amount of work they put in dealing with bad actors.
One very interesting point shared by all was the fact that subject lines don't matter. That's right - subject lines don't matter (not size, not content, not special characters, not even FREE FREE FREE; yes, you can have as many exclamation points as you want). They are not looking at subject lines at all. That being said, if a subject line happens to trigger a behavior that is a negative signal, this will have an impact on inbox placement for that recipient. If it's large scale, there could be global issues. I would also caution any sender that words like FREE still matter to the FTC, so if you use it, make sure it isn't misleading.
In addition to this, personalization does not matter on the mailbox provider side. Again, the receivers are not looking at that, unless of course the personalization causes negative signals. Sometimes we see messages that say "Hello %%USERNAME%%" or "Dear First Name Last Name". I've even received messages with the wrong name and irrelevant personalization information in both the subject and body. This quite possibly could trigger a negative signal from a recipient.
When asked about clicks, each agreed that they don't count those either. None of them track clicks within the message itself. In fact, they all view tracking what a user does inside of their email as a violation of privacy. Whether a recipient clicks on a link within a message or not, it has no impact on the reputation score that they give to a sender.
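Both the RSA session blurb earlier on this page and the receivers' point that email authentication is simply expected turn on whether a domain's DMARC record actually enforces anything. What follows is an added example, not code from this page or from any of the providers or vendors it mentions: a small Python parser for the DMARC tag=value record format (RFC 7489) that reports the settings a deliverability or security reviewer would flag (p=none, a partial pct, a subdomain policy weaker than the organizational one, missing aggregate reporting, relaxed alignment). The sample records are constructed for the reserved example.com domain and are not any real domain's records; the code assumes you have already fetched the `_dmarc.<domain>` TXT record by other means.

```python
"""Parse and assess DMARC TXT records (added example, not the page's own code).

Implements the tag=value record syntax from RFC 7489 and flags settings a
reviewer would want to see before trusting that a domain is "authenticated".
"""

# Policies in order of strength, used to compare p against sp.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records for the reserved documentation domain example.com.
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; "
                 "ruf=mailto:dmarc-ruf@example.com; adkim=s; aspf=s; pct=100",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "bad_version": "v=DMARC2; p=reject",
    "missing_policy": "v=DMARC1; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return {'valid', 'policy', 'enforcing', 'findings'} for one record."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"valid": False, "policy": None, "enforcing": False, "findings": [str(exc)]}

    # RFC 7489: the v tag must come first and be exactly DMARC1.
    first = record.split(";", 1)[0].strip().lower()
    if first != "v=dmarc1":
        return {"valid": False, "policy": None, "enforcing": False,
                "findings": ["record must begin with v=DMARC1"]}

    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return {"valid": False, "policy": policy, "enforcing": False,
                "findings": [f"p tag missing or invalid: {policy!r}"]}

    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, receivers take no action on failures")

    # pct defaults to 100; anything lower means most failing mail is still delivered.
    pct_raw = tags.get("pct", "100")
    try:
        pct = int(pct_raw)
    except ValueError:
        pct = 0
        findings.append(f"pct is not an integer: {pct_raw!r}")
    else:
        if not 0 <= pct <= 100:
            findings.append(f"pct out of range: {pct}")
        elif pct < 100 and policy != "none":
            findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")

    # sp overrides p for subdomains; a weaker sp leaves subdomains open to spoofing.
    sub_policy = tags.get("sp")
    if sub_policy is not None:
        if sub_policy not in POLICY_RANK:
            findings.append(f"sp tag invalid: {sub_policy!r}")
        elif POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
            findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains are less protected")

    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not be received, failures stay invisible")

    # Alignment defaults to relaxed (r); strict (s) requires an exact domain match.
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} relaxed: any subdomain of the organizational domain aligns")

    enforcing = policy != "none" and pct == 100
    return {"valid": True, "policy": policy, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name}: valid={result['valid']} policy={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it as a script to see the assessment of each constructed sample, or pass `assess_dmarc` the TXT value returned by `dig TXT _dmarc.example.com` for a domain you operate. Relaxed alignment is reported as a finding rather than an error because it is the RFC default; strict alignment is the tighter choice once every legitimate stream signs with the organizational domain itself.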
Blacklists came up and the feedback was that they do matter, at least to an extent. AOL has their own internal blacklist. If you land on their blacklist you are automatically blocked and the only way to be removed is to personally contact the AOL abuse desk. If a sender is listed on other blacklists, it is viewed as one of the many signals used in the overall scoring of a sender's reputation. This was agreed upon by Google, Microsoft and Comcast. Matt Moleski of Comcast pointed out that they also work extensively with Cloudmark, and a listing there is best handled through the standard removal request.
The subject of mailing to inactive subscribers came up. This is something that I am asked for advice on a lot, so I was glad that they were willing to discuss this. So, should you automatically get rid of recipients that have been inactive for 12 months or more? According to Outlook.com's John Scarrow, no. Scarrow said not to simply get rid of them because they do not directly affect your reputation. He indicated the only way these inactive subscribers could hurt your overall sender reputation is if they flag the mails as SPAM. Keep in mind that this won't keep you free and clear of the SPAM folder. Remember that deleting and not reading a message is a negative signal. The others seemed to agree, and Google's Sri Somanchi provided some insight on handling inactive subscribers at Gmail which I will share later.
Sticking with the subject of inactive subscribers, each receiver weighed in on some of their account closure/suspension and SPAM trap policies.
AOL: Paul Rock indicated that they will suspend email accounts after a time of inactivity (no specific timeframe was given). They do, however, leave instant messenger screen names active. Historically, suspended email accounts have occasionally been turned into SPAM traps, but Rock was not clear on whether or not they are still doing this.
Microsoft: After two years, inactive accounts (accounts which are not logged in to) go away. They do not create SPAM traps, according to Scarrow.
Comcast: Matt Moleski explained that Comcast has various levels of account statuses for suspensions and inactivity. In general, when someone cancels their service, the account becomes inactive within 90 days. These accounts are not recycled as SPAM traps. Moleski explained that SPAM traps are generally organically created; they typically include random characters and are obvious to spot.
Google: Gmail does not recycle or reuse accounts for anything, according to Sri Somanchi. He did not comment on Gmail's use of SPAM traps.
We spoke about IP warming and "ramping up". During the conversation, Sri Somanchi of Google brought up the concept of "ramping down". He explained that similar to ramping up when adding a new IP with your existing ESP or switching to a new ESP, you should implement a "ramp down program" for inactive recipients. When asked what something like this should look like, Somanchi provided the following tips:
If youâre sending daily, switch to one send per week
If youâre sending weekly, switch to one to two sends per month
If you are not seeing any engagement after about three to six months, send a final re-engagement campaign asking if the recipient still wants to hear from you. If they don't respond to this, stop emailing them altogether.
Somanchi added that he gave this same advice to Google's own marketing team at a recent summit held internally. He explained that Google is a large sender as well and they also see "the other side of things". Further advice from Somanchi is what he calls the "5 R's":
Right Acquisition: Also known as the Right Opt-In. Senders should be following best practices when it comes to building their lists. Permission based is the best practice and he prefers confirmed opt in when at all possible.
Right Engagement: This is where personalization comes into play. Understand your recipients and don't send the same thing to everyone. Make sure your recipients are responding positively.
Right Measurement: Keep a close eye on your analytics and make sure you are effectively tracking engagement.
Right Adjustment: Properly ramping up and ramping down as well as making adjustments on the fly based on your analytics and engagement.
Right Opt-Out: Make sure that recipients can easily and conspicuously unsubscribe from your list. Honor other sources of opt-outs quickly as well (reply-to, abuse@, etc.).
In the end, each receiver provided some final words of advice for senders. Here is what each had to say:
Matt Moleski, Comcast: "Gather metrics and understand what your recipients are doing in order to send better messages. If you are an ESP, make sure you are actively maintaining your ISP relations."
John Scarrow, Microsoft: "About 80% of mailers are signed up for our Junk Mail Reporting Program (JMRP). If you are not signed up, do it now. This is the number one tool used at outlook.com."
Paul Rock, AOL: "Sign up for the AOL feedback loop. Pay attention to the SPAM that you yourself receive and avoid sending any similar content. Always remember, just because it's legal does not mean it's wanted! Keep it relevant for your recipients."
Sri Somanchi, Google: "Don't make attempts to get your promotional email into the Primary Tab. The Promotions Tab was designed for promotional content for our users. Please do not try to 'game the system' as this is generally viewed as subversive behavior. If you are being offered some sort of 'back way' into the Primary Tab, don't listen to those consultants."
In summary, I think the biggest take-away is this: engagement is the measure of the value you bring to your subscriber's inbox. Keep your messages relevant and remember that not all your subscribers are the same. Over the years I have read (and listened to) a lot about user engagement. Many argue its importance, primarily because it's always been known that it's measured differently in the eyes of marketers than in the eyes of the receivers. This meeting not only gave insight into the receiver interpretation, but also served as a strong reminder that receivers have their own measures because they value their users, not because they don't like email marketers. Calling an abuse desk and saying "...but my client is a legitimate organization..." does not work, because in the end, legitimacy is determined by the actions of your subscribers. Whether good or bad, these actions shape your delivery for each individual and ultimately to your entire list.
Here's A Fix For Yahoo! Mail "Temporary Error 14" Message At Login
It looks like once again Yahoo! Mail is having issues. I was made aware that folks were unable to log in on January 21, 2015. Users were seeing "Temporary Error 14" messages.
I immediately looked to Yahoo! for any information on the issue and an ETA for a resolution. Unfortunately, none of my contacts on the Yahoo! team were able to say when the service would be restored.
The official Yahoo! Mail Team Twitter page and the Yahoo! Mail Tumblr blog do not have any details on the issue at this time.
The above clip shows that Yahoo! is in fact aware of the situation and has provided a workaround for the 'Temporary Error 14'.
The original Yahoo! Mail Help article can be found HERE.
President Obama outlined last night new legislation on notifying consumers in the event of a data breach and protecting consumer privacy. Listrak's chief privacy officer says the new rules should not mean major changes for marketers following good privacy practices today.
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children's information. If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
Last night President Barack Obama spoke these words during the State of the Union Address. In the weeks leading up to the address, privacy was definitely in the spotlight. While it wasn't the focal point of the President's address, it is very clear that more is to come regarding privacy legislation. Obama spoke to the FTC last week saying, "If we're going to be connected, then we need to be protected. As Americans, we shouldn't have to forfeit our basic privacy when we go online to do our business."
The president proposed the Personal Data Notification and Protection Act, which would require companies to notify customers within 30 days if their personal information has been compromised. The bill quickly earned approval from many business groups, who would prefer to comply with a single national notification standard rather than the current patchwork of state laws. Consumer support is also substantial, as they would know their credit card (and/or personal information) has been stolen before the bad actors are able to use it.
The new Student Digital Privacy Act was also outlined. This bill would restrict the ability of companies to mine the data of children. The measure, which is modeled after California's Student Online Personal Information Protection Act, would prevent companies from selling student data to third parties for non-educational purposes or from targeting advertising to students based on data collected in schools.
The President also renewed his push for a sweeping Consumer Privacy Bill of Rights. The White House first outlined the online privacy rights in 2012 and urged Congress to take up the issue (The Whitehouse Report). The FTC also issued recommendations on protecting consumer privacy at that time (The FTC Report). But there has been little movement on the Hill, and no legislation has been introduced. Next month, the White House plans to release legislative language to enact the principles into law.
"As Americans, we cherish our civil liberties, and we need to uphold that commitment if we want maximum cooperation from other countries and industry in our fight against terrorist networks. So while some have moved on from the debates over our surveillance programs, I haven't. As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we'll issue a report on how we're keeping our promise to keep our country safe while strengthening privacy."
As a privacy advocate and board member of the Online Trust Alliance, I had the honor of participating in a Senate hearing on Online Advertising and Hidden Hazards to Consumer Security and Data Privacy. Led by Senator John McCain, the U.S. Senate Permanent Subcommittee on Investigations issued a formal staff report reflecting interviews with dozens of advertising and industry experts (including me, as Listrak's Chief Privacy Officer), reviewing data collection processes and security vulnerabilities that have inflicted significant costs on Internet users and American businesses. In addition to that, I've had the opportunity to participate in various one-on-one meetings and roundtable discussions with the House, Senate and Federal Trade Commission.
So, the question I am asked often: "What will the Privacy Bill of Rights mean for digital marketers?"
I feel we won't have to make too many drastic changes in our data lifecycle practices. Considering that the measure is mainly to set out "basic baseline protections across industries" and will limit a company's ability to collect data from consumers without their consent, there will not be much change needed. As responsible, permission-based marketers, this is something we're doing already, and have been doing for years.
The bill also appears likely to include prohibitions against collecting data for one purpose and then using it for a different one. Again, no major changes here, as this is generally outlined in the privacy statements of marketers, and they are already held accountable to these data practices by the FTC.
I am eagerly awaiting the report from the White House and will continue to keep a close eye as this and other privacy and compliance matters evolve.
In a speech today at the Federal Trade Commission, U.S. President Barack Obama announced a sweeping series of privacy initiatives, calling for federal breach notification law, stronger protections of student data and stronger cybersecurity and identity theft prevention efforts as part of a Consumer Bill of Rights. Angelique Carson, CIPP/US, rounds up the major points of emphasis in his speech and gets reactions from around the privacy community in this exclusive for The Privacy Advisor.
Massive Yahoo Outage Keeps Customers Disconnected from Email for Days
A cut underwater fiber cable is leaving some Yahoo email customers unable to access their accounts for days. UK-based internet providers BT and Sky have customers affected, since both use Yahoo's email servers.
According to the BT website, the Yahoo email issue is not yet resolved. Sky updated its site Monday to say it has a temporary fix and âthat engineers arrived at the site of the break and have started repair work. We donât yet have confirmation on when a permanent fix will be in place but weâll provide further updates soon.â
Consistent with other outages at Comcast, HostGator and 24/7 Hosting, customers' biggest complaints on Twitter are about the lack of clear communication by the company. This seems to be a theme with outages in general. Service providers should note that customers like to be updated often, even when there is nothing new to report.
Yahoo's help site said the cable problem is due to a third party but has not said when it expects the repair to be finished. Metro is reporting that a ship cut through the data cable while fixing a separate pipe nearby. The last update to its Twitter feed regarding the incident was on Friday, and the help site hasn't been updated since Thursday. Email giant Gmail also experienced an outage in October but updated its customers much more quickly.
Users began reporting login issues on Tuesday, and the Yahoo Twitter feed said problems had been resolved for most customers that same day. Some users are still reporting they can't access email. Twitter users are using the hashtag #yahoomaildown to express their outrage.
This outage comes shortly after Mozilla dumped its long-time partner Google to take on Yahoo as its default search engine. Yahoo also had outages earlier this month.
Attention Retailers: It's Time to Plug Those Data Leaks
Bill Davis
The birth of e-commerce dates to August 11, 1994, the date when what was likely the first secure transaction over the World Wide Web occurred in Nashua, N.H.
Someone purchased Sting's Ten Summoner's Tales CD from Noteworthy Music's website.
While this transaction wasn't scalable, it leveraged the Pretty Good Privacy (PGP) algorithm and demonstrated the Internet was open for business. It would take several years before a critical mass of sales was reached, but the doors of e-commerce were officially open.
Gmail represents a dying class of products that, like Google Reader, puts control in the hands of users, not signal-harvesting algorithms.
I'm predicting that Google will end Gmail within the next five years. The company hasn't announced such a move -- nor would it.
But whether we like it or not, and whether even Google knows it or not, Gmail is doomed.
What is email, actually?
Email was created to serve as a "dumb pipe." In mobile network parlance, a "dumb pipe" is when a carrier exists to simply transfer bits to and from the user, without the ability to add services and applications or serve as a "smart" gatekeeper between what the user sees and doesn't see.
Carriers resist becoming "dumb pipes" because there's no money in it. A pipe is a faceless commodity, valued only by reliability and speed. In such a market, margins sink to zero or below zero, and it becomes a horrible business to be in.
"Dumb pipes" are exactly what users want. They want the carriers to provide fast, reliable, cheap mobile data connectivity. Then, they want to get their apps, services and social products from, you know, the Internet.
Email is the "dumb pipe" version of communication technology, which is why it remains popular. The idea behind email is that it's an unmediated communications medium. You send a message to someone. They get the message.
When people send you messages, they stack up in your in-box in reverse-chronological order, with the most recent ones on top.
Compare this with, say, Facebook, where you post a status update to your friends, and some tiny minority of them get it. Or, you send a message to someone on Facebook and the social network drops it into their "Other" folder, which hardly anyone ever checks.
Of course, email isn't entirely unmediated. Spammers ruined that. We rely on Google's "mediation" in determining what's spam and what isn't.
But still, at its core, email is by its very nature an unmediated communications medium, a "dumb pipe." And that's why people like email.
Why email is a problem for Google
You'll notice that Google has made repeated attempts to replace "dumb pipe" Gmail with something smarter. They tried Google Wave. That didn't work out.
They hoped people would use Google+ as a replacement for email. That didn't work, either.
They added prioritization. Then they added tabs, separating important messages from less important ones via separate containers labeled by default "Primary," "Promotions," "Social Messages," "Updates" and "Forums." That was vaguely popular with some users and ignored by others. Plus, it was a weak form of mediation -- merely reshuffling what's already there, but not inviting a fundamentally different way to use email.
This week, Google introduced an invitation-only service called Inbox. Another attempt by the company to mediate your dumb email pipe, Inbox is an alternative interface to your Gmail account, rather than something that requires starting over with a new account.
Instead of tabs, Inbox groups together and labels and color-codes messages according to categories.
One key feature of Inbox is that it performs searches based on the content of your messages and augments your inbox with that additional information. One way to look at this is that, instead of grabbing extraneous relevant data based on the contents of your Gmail messages and slotting it into Google Now, it shows you those Google Now cards immediately, right there in your in-box.
Inbox identifies addresses, phone numbers and items (such as purchases and flights) that have additional information on the other side of a link, then makes those links live so you can take quick action on them.
You can also do mailbox-like "snoozing" to have messages go away and return at some future time.
You can also "pin" messages so they stick around, rather than being buried in the in-box avalanche.
Inbox has many other features.
The bottom line is that it's a more radical mediation between the communication you have with other people and with the companies that provide goods, services and content to you.
The positive spin on this is that it brings way more power and intelligence to your email in-box.
The negative spin is that it takes something user-controlled, predictable, clear and linear and takes control away from the user, making email unpredictable, unclear and nonlinear.
That users will judge this and future mediated alternatives to email and label them either good or bad is irrelevant.
The fact is that Google, and companies like Google, hate unmediated anything.
The reason is that Google is in the algorithm business, using user-activity "signals" to customize and personalize the online experience and the ads that are served up as a result of those signals.
Google exists to mediate the unmediated. That's what it does.
That's what the company's search tool does: It mediates our relationship with the Internet.
That's why Google killed Google Reader, for example. Subscribing to an RSS feed and having an RSS reader deliver 100% of what the user signed up for in an orderly, linear, predictable and reliable fashion is a pointless business for Google.
It's also why I believe Google will kill Gmail as soon as it comes up with a mediated alternative everyone loves. Of course, Google may offer an antiquated "Gmail view" as a semi-obscure alternative to the default "Inbox"-like mediated experience.
But the bottom line is that dumb-pipe email is unmediated, and therefore it's a business that Google wants to get out of as soon as it can.
Say goodbye to the unmediated world of RSS, email and manual Web surfing. It was nice while it lasted. But there's just no money in it.
Community Health Systems says data stolen in cyber attack
U.S. hospital operator Community Health Systems Inc said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June.
The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing.
It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years.
The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions, Reuters previously reported.
The company said it and its security contractor, FireEye Inc unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. The attackers, they said, used malware and other technology to copy and transfer this data and information from its system.
Community Health, which is one of the largest hospital operators in the country with 206 hospitals in 29 states, said it was working with federal law enforcement authorities in connection with their investigation into the attack. It said federal authorities said these attacks are typically aimed at gathering intellectual property, such as medical device and equipment development data.
It said that prior to filing the regulatory document, it had eradicated the malware from its systems and finalized the implementation of remediation efforts. It is notifying patients and regulatory agencies as required by law, it said.
It also said it is insured against such losses and does not at this time expect a material adverse effect on financial results.
Record-breaking data breach highlights widespread security flaws
In what appears to be the biggest data breach ever, a Russian gang reportedly has stolen 1.2 billion user names and passwords and more than 500 million email addresses from 420,000 websites.
The scale of the attack and the fact that it comes after multiple reports of previous cyber assaults raises significant questions about the security practices of thousands of companies around the globe and puts at risk the financial and personal information of a significant fraction of the planet's population.
"This sounds all too familiar -- weakly secured sites, preventable vulnerabilities that aren't patched," said Mark Bower of Cupertino-based Voltage Security. "Yet more evidence the bad guys are winning big at consumers' expense."
The breach was discovered by Hold Security of Milwaukee, which could not immediately be reached for comment by this newspaper. But according to the New York Times, the security firm didn't name any of the victimized websites because of nondisclosure agreements with those sites or because the host companies remain vulnerable.
"They targeted any website they could get, ranging from Fortune 500 companies to very small websites," Alex Holden of Hold Security told the Times. "And most of these sites are still vulnerable."
Hold drew criticism late Tuesday when it reportedly posted a notice on its site offering to let companies know if their site was affected by the breach for "as low as $120" a month. The company quickly took down the notice. The Times said it asked for an analysis of the database by an outside expert, who confirmed its authenticity. The Times also said Hold had a history of revealing major hacking attacks.
While there is little evidence so far of any financial losses from the breach, experts say the Russian thieves might be able to access bank accounts and other valuable information.
Despite repeated and increasingly devastating cyber attacks, experts say companies are still not taking the steps to bolster their networks against hackers and protect the data they gather from consumers or other sources. They advise companies to establish layers of security measures, which not only try to prevent crooks from getting into their networks but also monitor them when they're inside, divert them to nonessential data and otherwise limit what they take.
"It's frustrating," said James Pledger, head of research for San Francisco security firm RiskIQ. "It's not an issue of it being unsolvable. People just need to be more accountable to users and take ownership of their users and protect them. That's really the takeaway of this." In many instances, he added, "it's negligence."
Pierluigi Stella of Houston-based security firm Network Box USA was similarly critical.
"We're playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital," he said. "At the end of the conversation, there's always someone asking about costs and slashing budgets."
Robert Capps of Sunnyvale security firm RedSeal Networks noted that storing data online has become less expensive in recent years, "allowing every company on the planet to amass information about consumers in a cost-effective way," he said. "Sadly, not all companies are equipped to manage the security practices required to protect this data. The results are evident in the daily news stories of cybercrime, fraud and data breaches."
In January, retail giant Target disclosed that thieves stole payment card and other information from at least 40 million of its customers, costing the company close to $1 billion and prompting the resignation of its CEO. In April, government authorities said they were investigating the criminal sale of Social Security numbers, bank account data and other personal information for up to 200 million U.S. citizens after a breach at the subsidiary of credit-reporting giant Experian. And the so-called Heartbleed bug has exposed a flaw in the software used to encrypt sensitive information on nearly two-thirds of all websites.
But the breach identified by Hold Security appears to be the biggest to date.
Instead of selling the stolen records online, the culprits seem to be using the information to send spam on social networks like Twitter on behalf of other crooks, the Times reported. Noting that Hold Security has determined the hackers include fewer than a dozen individuals from a small city in south central Russia, the newspaper said the gang has been around since 2011, buying stolen databases of personal information on the black market. Then, more recently, it said the crooks began stealing information with botnets, networks of computers they've taken over and can command to do whatever they want.
By July, the newspaper said, the crooks had amassed 4.5 billion records -- each a username and password -- though many were duplicates. After further analysis, Hold Security determined that 1.2 billion of the records were unique and contained 542 million email addresses.
With the information they stole, the crooks "can access bank accounts or steal identities," as well as siphon confidential intellectual property from companies, said Eric Chiu of Mountain View security company HyTrust.
While a credit card can be easily canceled, email addresses, Social Security numbers or passwords can be used for identity theft. Nonetheless, most consumers can greatly minimize the chances of having their information stolen, said Jeremy Gillula of the Electronic Frontier Foundation.
"If people follow the best practice of not using the same password on multiple sites, you really can limit your exposure -- even if there is a huge data breach," he said.
You may have heard of Silk Road, an online marketplace that enabled hard-to-trace buying and selling of illegal goods. The court says it was "as if the purchases were occurring on eBay;" buyers and sellers could even leave feedback about each other. Silk Road's alleged creator and operator was Ross William Ulbricht (a/k/a "Dread Pirate Roberts," a/k/a "DPR"). As you can imagine, especially given that Silk Road was used to trade illegal narcotics, the U.S. government came down on Silk Road and Ulbricht like a ton of bricks. Facing a staggering array of criminal charges and an opponent with unlimited resources (the U.S. government), Ulbricht is now in the fight of his life.
Ulbricht asked the court to dismiss the criminal charges against him. In a recent ruling, federal district court judge Katherine Forrest rejected Ulbricht's arguments. While her ruling isn't good news for Ulbricht, it's a troubling ruling for the larger Internet community. Though the judge tried to distinguish Silk Road from other types of "legitimate" online marketplaces, the judge's fine distinctions threaten to cast a chill on one of the most promising sectors of the Internet economy.
A great question was sent in today during our webinar, Everything You Need to Know about Privacy and Deliverability, and I wanted to follow up and provide an answer. I didn't have the time to answer this during the presentation, but it's an excellent question and one I get often.
Here is the question: "What is the penalty for not abiding by these new CAN SPAM (Canadian) laws? Are these just best practices suggestions we should "try" to follow, or are there legal repercussions?"
Answer
Canada's new Anti-SPAM Legislation was designed to capture as many spammers as possible. The drafters of the legislation seek to achieve this wide sweep by including language in the law that specifically states that if any part of the transaction or communication in question occurs in Canada, the law applies.
Your email servers are located in Canada? The law applies.
Your recipients are located in Canada, even if temporarily (the recipient does not have to be Canadian)? The law applies.
Your recipient is using a credit card issued by a Canadian bank to buy a product or service from you? The law applies.
So, will a fine issued by the Canadian government or a lawsuit judgment under CASL be enforced by the courts in the United States?
The enforcement of fines and judgments across borders can be a very complicated matter. In general, private lawsuit judgments obtained in Canada can be enforced in the United States through the Uniform Foreign Money-Judgments Recognition Act. For government fines, Canada and the United States have a number of treaties allocating the enforcement of legal rulings, although it is not clear at this time which approach will be taken with the enforcement of CASL violations. There are defenses that can be asserted in each situation to challenge the judgments or fines. Whether any of these defenses will prevail is something that will only be determined through years of litigation and many hundreds of thousands of dollars in legal fees.
Does this mean you can ignore the CASL? Certainly not. If your business is fined or sued under the legislation, the first step of enforcement will be to move for a court order barring your business from appearing online in Canada. Orders will then be issued to Google, Bing, Yahoo and other search engines to exclude you from their Canadian rankings, which may result in your site being de-indexed in the United States as well. The same process will occur with social media platforms.
At this point, the enforcement process moves to the United States court system. Litigation will be instituted in an effort to have the judgments or fines enforced. If the case is lost and the judgments/fines are enforced against your business in the United States, the amounts in question must be paid. In many cases, this will effectively bankrupt the defendant in question due to the massive administrative monetary penalties of up to $10 million per violation.
In addition, the government actions under CASL are considered criminal in nature. The penalty is not jail time. Instead, the protective shields of corporations and limited liability companies will be automatically pierced and the owners, officers, directors and employees of the business in question will be held personally liable for the CASL violations.
So in short, yes, it is a very good idea to comply with CASL.
Please visit Listrak's CASL Resource Center at www.listrak.com/CASL for more information on the legislation as well as many valuable resources to assist with compliance efforts. The Listrak Deliverability, Privacy and Compliance team is also available to answer any questions you may have at [email protected].
The 'Fingerprinting' Tracking Tool That's Virtually Impossible to Block
A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
The type of tracking, called canvas fingerprinting, works by instructing the visitor's web browser to draw a hidden image, and was first documented in an upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user's device a number that uniquely identifies it.
Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit, profiles that shape which ads, news articles or other types of content are displayed to them.
But fingerprints are unusually hard to block: They can't be prevented by using standard web browser privacy settings or by using anti-tracking tools such as AdBlock Plus.
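The step a defender can observe is the read-back: the hidden image is only useful to a tracker once the script serialises the pixels. The following JavaScript is an added example, not code from the article or from the Princeton/KU Leuven paper; it hooks toDataURL() and getImageData() to flag reads from a canvas the user never sees. The "hidden canvas" heuristic and the mock canvas classes are assumptions constructed for this example.

```javascript
// Added example: monitor the pixel read-back step of canvas fingerprinting.
// In a browser, drop this into a user script; the mock classes at the bottom
// only exist so the same code can be exercised under Node.

// Heuristic (an assumption of this example, not the paper's criteria): a canvas
// that is not attached to the document, or is tiny, is not being drawn for the
// user, so reading its pixels back is suspicious.
function looksHidden(canvas) {
  return !canvas.isConnected || canvas.width < 16 || canvas.height < 16;
}

// Wraps the two pixel read-back methods on the given prototypes. `report`
// receives one record per suspicious call. Returns an uninstall function.
function installCanvasReadMonitor(canvasProto, ctxProto, report) {
  const origToDataURL = canvasProto.toDataURL;
  const origGetImageData = ctxProto.getImageData;
  canvasProto.toDataURL = function (...args) {
    if (looksHidden(this)) {
      report({ method: 'toDataURL', width: this.width, height: this.height });
    }
    return origToDataURL.apply(this, args);
  };
  ctxProto.getImageData = function (...args) {
    if (looksHidden(this.canvas)) {
      report({ method: 'getImageData', width: this.canvas.width, height: this.canvas.height });
    }
    return origGetImageData.apply(this, args);
  };
  return function uninstall() {
    canvasProto.toDataURL = origToDataURL;
    ctxProto.getImageData = origGetImageData;
  };
}

// Minimal stand-ins for HTMLCanvasElement / CanvasRenderingContext2D,
// constructed for this example so the monitor runs outside a browser.
class MockContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
  getImageData(x, y, w, h) {
    return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
  }
}
class MockCanvas {
  constructor(width, height, isConnected) {
    this.width = width; this.height = height; this.isConnected = isConnected;
  }
  getContext() { return new MockContext(this); }
  toDataURL() { return 'data:image/png;base64,AAAA'; }
}

// Simulates a tracker-style draw-then-read on a detached canvas next to an
// ordinary visible canvas, and returns the list of flagged read-backs.
function demo() {
  const flagged = [];
  const uninstall = installCanvasReadMonitor(
    MockCanvas.prototype, MockContext.prototype, r => flagged.push(r));
  const hidden = new MockCanvas(300, 50, false);   // never inserted into the page
  hidden.getContext('2d').fillText('sample text', 2, 2);
  hidden.toDataURL();                               // read-back: flagged
  const shown = new MockCanvas(640, 480, true);     // a normal visible canvas
  shown.getContext('2d').getImageData(0, 0, 1, 1);  // not flagged
  uninstall();
  hidden.toDataURL();                               // hooks removed: not flagged
  return flagged;
}

if (typeof HTMLCanvasElement !== 'undefined') {
  installCanvasReadMonitor(HTMLCanvasElement.prototype, CanvasRenderingContext2D.prototype,
    r => console.warn('pixel read-back from a hidden canvas', r));
}
```

Replacing `report` with a function that throws, or that returns a blank image from the hook, turns the monitor into a blocker for the same calls.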