Tracking Browsers Without Cookies Or IP Addresses?
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.
If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
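Added example (JavaScript; not EFF's code or data) of the arithmetic behind the numbers in the summary. It estimates per-attribute and whole-fingerprint entropy from a constructed sample of 64 fingerprint records, reports Panopticlick-style "bits of identifying information" for one observed value (log2 of the sample size divided by the number of records sharing that value), and sizes the anonymity set that a given number of bits leaves in a population of 1.5 billion. All records, values and frequencies are invented for illustration. It also shows why a hand-edited "pro-privacy" User Agent, or any value seen only once, scores the ceiling of log2(N) bits whatever the attribute: "unique in the sample" is the most this method can say.

```javascript
// Added example: Panopticlick-style entropy estimates over a constructed sample.
// Every record, value and frequency below is invented for illustration only.
const ATTRS = ["ua", "plugins", "fonts", "screen"];

const WIN_FF_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6";
const IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)";
// A hand-edited "pro-privacy" User Agent of the kind the summary laughs at.
const PRIVACY_UA = "Mozilla/5.0 (X11; Linux) Stop-tracking-me/1.0";

function repeat(n, rec) {
  return Array.from({ length: n }, () => ({ ...rec }));
}

// 64 records: frequencies are powers of two so the expected bits are exact.
const SAMPLE = [
  ...repeat(32, { ua: WIN_FF_UA, plugins: "Flash;Java", fonts: "std", screen: "1280x1024x24" }),
  ...repeat(16, { ua: WIN_FF_UA, plugins: "Flash", fonts: "std", screen: "1024x768x24" }),
  ...repeat(8,  { ua: IE_UA, plugins: "none", fonts: "std", screen: "1024x768x24" }),
  ...repeat(4,  { ua: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/531", plugins: "Flash;QuickTime", fonts: "mac", screen: "1440x900x24" }),
  ...repeat(2,  { ua: "Mozilla/5.0 (X11; Linux i686) Chrome/4.0", plugins: "Flash", fonts: "linux", screen: "1280x1024x24" }),
  ...repeat(1,  { ua: "Mozilla/5.0 (X11; Linux i686) Firefox/3.5", plugins: "none", fonts: "linux;design-fonts", screen: "3840x1080x24" }),
  ...repeat(1,  { ua: PRIVACY_UA, plugins: "Flash", fonts: "std", screen: "1024x768x24" }),
];

// Canonical key for a whole fingerprint: attribute values joined in fixed order.
function fingerprintKey(rec) {
  return ATTRS.map(a => rec[a]).join("|");
}

// How many records share each value of keyFn.
function countValues(records, keyFn) {
  const counts = new Map();
  for (const r of records) {
    const k = keyFn(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy, in bits, of the distribution of keyFn over the sample.
function entropyBits(records, keyFn) {
  const n = records.length;
  let h = 0;
  for (const c of countValues(records, keyFn).values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}
function attributeEntropy(records, attr) { return entropyBits(records, r => r[attr]); }
function fingerprintEntropy(records) { return entropyBits(records, fingerprintKey); }

// Panopticlick-style "bits of identifying information" for one observed value:
// log2(N / count). A value seen once scores log2(N), the ceiling for any attribute.
function surprisalBits(records, keyFn, value) {
  const count = countValues(records, keyFn).get(value) || 0;
  return count === 0 ? Infinity : Math.log2(records.length / count);
}

// Expected number of users who share a fingerprint carrying `bits` of information.
function anonymitySetSize(population, bits) {
  return population / Math.pow(2, bits);
}

function report(records = SAMPLE) {
  return {
    sampleSize: records.length,
    attributeBits: Object.fromEntries(ATTRS.map(a => [a, attributeEntropy(records, a)])),
    fingerprintBits: fingerprintEntropy(records),
    ieUserAgentBits: surprisalBits(records, r => r.ua, IE_UA),
    privacyUserAgentBits: surprisalBits(records, r => r.ua, PRIVACY_UA),
    // 10.5 bits across 1.5 billion users: you share a group with about a million people.
    anonymitySetFor10_5Bits: anonymitySetSize(1.5e9, 10.5),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The combined fingerprint always carries at least as many bits as its most informative attribute, which is the point of collecting several weak signals. Note that the sample ceiling (6 bits here, 15.49 bits for a 46,001-record sample) is reached by every value seen once, so "unique" results from two different attributes reporting identical bit counts are expected, not a bug.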
I compared IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with just the user agent, because of the .NET versions in there. Opera and Chrome were quite generic.
Plugins were also completely unique and really easy to detect in any browser other than IE8. Interestingly, IE's plugin list was really small and not at all unique. IE's top "warning" bar asked me if I wanted to run specific plugins (probably to detect them). System fonts were completely unique and look easy to detect.
Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.
Another thing people usually forget about when clearing cookies is that Flash has cookies too, and they don't get cleared along with the rest. When did you last clear them? Probably never. You can use BleachBit to clear those along with other software, history and temp data.
I'm glad they gave me some new ideas for tracking.
Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on 'db' (4) in /www/panopticlick.eff.org/docs/config/db.inc.php on line 3
Warning: mysql_select_db() [function.mysql-select-db]: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) in /www/panopticlick.eff.org/docs/config/db.inc.php on line 4
Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /www/panopticlick.eff.org/docs/config/db.inc.php on line 4
Has the site just been slashdotted?
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
in the market research industry.
Unless you are one of the 100,000 using any particular Dell/HP/Apple default install on your PC.
2^10.5 is lots of combinations, but I bet there are lots of spikes on some.
Cruise TT
Researchers have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
The site says Only anonymous data will be collected by this site. Yet they are collecting data to see how un-anonymous you actually really are! :)
By subtly changing where the errors occur (and which ones are reported), they can correlate your slashdot post with the attempted page fetch...
I think nobody guessed anyone would care about visiting a website of a non-profit organization?
http://laxu.de/useragent.php Test it... it's a bit out of date (it thinks Arora is Googlebot), but it still works well for the most common browsers.
We are all V
or
We are all Zero
Choice will of course depend on whether you are a V for Vendetta or Code Geass fan. It will also decide which mask you should wear when the revolution comes.
We could also use;
Ninjas (should Ninjas be blank?)
Pirates
Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignments. Same for large networks that currently use NAT.
So the vast majority of users will have a unique, non-changeable ID, making cookies or this kind of tracking obsolete.
Browser characteristic: User Agent
Bits of identifying information: 11.09+
One in x browsers have this value: 2183
Value: Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev
(Of course, I'm also two minor releases behind... but still, 1 in 2000 is more common than I would've guessed)
Woho!
"Your browser fingerprint appears to be unique among the 3,026 tested so far."
3026 is a super small sample though.
Belief is the currency of delusion.
It doesn't seem to work that well. I know for sure that my browser's UA string is globally unique, and am still told that one in 4316 browsers will have that UA string.
Your browser fingerprint appears to be unique among the 5,465 tested so far.
Oh my browser is unique just like me.
The web site says I am unique (well, I knew that). I'm still running Win7 RC. Maybe I should change the version to WIN98ME. Then I would be unique and certifiable.
Sorry, but gray text on gray background is making my eyes bleed.
Roughly one in five browsers has JavaScript disabled.
Then again, that's probably artificially high based on what circles this story has been circulating in.
My desktop environment is so far unique over 2,357 samples, and my iPod Touch is unique over 2,239 samples. Interesting. I know I have some interesting pieces to my desktop, but 1/2357 surprised me. My iPod Touch being unique, on the other hand, just tells me more about who they've sampled so far than about the uniqueness of the test.
Let's see who's tracking what :P
Somebody write a firefox plugin that changes "Fingerprints" to "DropDB" statements
Write a browser plug-in that randomly mangles these bits of information into other valid values before passing them to the website, in known "good" combinations. You'll start to look like other random people on each request.
Your browser fingerprint appears to be unique among the 6,764 tested so far.
Your browser fingerprint appears to be unique among the 7,335 tested so far.
slashwhat?
I look at user agents from time to time, and it blows my mind how much stuff some programs are permitted to put in there. It seems like every toolbar, add-on, and browser re-branding these days wants to put itself in your user agent.
I wonder what the longest non-fake user agent is these days? I recall there was a problem a while back on the Mozillazine forums because it records user agent strings for support purposes, but only allocated so many characters. Thanks to some new toolbars and such, some people couldn't post because their user agent string was too long.
I don't think people realize that what some programs can add to their user agent string can potentially be a privacy issue.
Really, even with the most basic user agent string there is, arguably, still information that probably doesn't need to be there any more. Do web sites really need to know your specific Windows version? CPU type? Rendering engine version? Browser minor revision? And what is with all the MS .NET version info anyway? It just seems like a lot of detail.
Revealing 10.5 bits of information about yourself will place you in one of roughly 1500 groups, not in a group of size 1500. With more than 1.5 billion internet users, you are "identified" as being in a group of 1 million.
unique so far?
There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.
When I went to their site to find out how "unique" I was, the site launched a Java applet. This isn't tracking browsers at this point, it's tracking JVMs too. If you're allowed to have the browser launch a third-party application, then you might as well launch a .exe that scours your hard drive and does an HTTP call back to the EFF... at that point, you might as well just say every system is unique.
I did not realize that my plugins list was the largest source of fingerprint data. I didn't even know it was listed.
I imagine many people use Opera at my screen resolution, but I'd be interested in seeing how many people shared my particular combo of data (aside from the plugins list).
With javascript disabled, they said my browser was 1 in 140.
With javascript enabled, they said my browser was unique among all browsers seen so far.
NoScript is so great.
Your browser fingerprint appears to be unique among the 10,808 tested so far.
I just realised that the fact that I turn off all my plugins (and Java) and have multiple languages enabled probably gives a completely unique fingerprint to automated stalkers like Google.
Funny thing is, my browser is unique every time I go there, thanks to Firesomething.
Nevermore.
"I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others."
Mr Taco must have laughed the laugh of a naive person.
These people made a /statement/, /trading/ this little aspect of their privacy in the process. Seeing they were at least smart enough to see there is a thorny privacy issue with the user agent string, it's also logical to assume they were very much aware of this trade.
As a graphic designer, suppressing the font list would help. Why is it even needed?
Or perhaps more interesting, can I somehow use a huge font list to mount a buffer overflow attack against such monitoring programs?
I'M BEHIND SEVEN PROXIES!!!!
What will happen when 'they' identify me and fail to correlate my purchase history with the ads I have been served?
"Oh jeez, another one who buys the same groceries every week, drives an old car and wears £3 Asda clothes until they fall to pieces!"
"Another windows 2000 user?"
"Yeah!"
"Dammit, just stop serving him any pages at all and put him on the 'to kill' list."
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
I got my entropy up to 14+ by becoming a Mozilla/4.78 (Macintosh; U; PPC).
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want or need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
With noscript enabled I came up as one out of around 1400, with noscript disabled I was completely unique out of the 19000 tests done so far. I'm special.
I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, etc. So how likely is it that someone else has the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.
Liberty in your lifetime
I tested my three browsers (Opera 10.10, Firefox 3.5.7, Chromium 5.0.306.0) on Ubuntu 9.10, and all three were rated "unique" among 18100 to 18200 signatures. In fact, they were all unique on browser plug-ins alone, and Firefox was also unique in its reported set of system fonts. This is troubling.
On other items, they were not unique, but often in a small set. The combination of a few rare settings could easily make the browser nearly unique in a far larger set. Chromium was nearly unique in fonts (2 browsers with the same set) and in user agent (about 10 browsers with the same user agent string). On screen size, about 9 browsers reported 3840x1080x24 resolution, and 3 of them were probably mine...
So, cleaning cookies and temporary files and flash droppings regularly may no longer be enough. [donning a tinfoil hat] do we have to install or remove some fonts every day, or change screen resolution and user agent string every few hours?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
I guess I'm somewhat paranoid/security conscious, e.g., I do clear out things like Flash cookies, and I block sites like Google Analytics. What surprised me was that Firefox, a browser I originally chose in part for its reputation of having better security and privacy settings than certain other browsers, seems to be broadcasting a signature that tells any site I visit all of the plug-ins I am using. This not only uniquely identifies me, it also paints a huge target if any of those plug-ins is found to have a security hole. This information should never have been broadcast publicly, and it should certainly be blocked by a patch in the immediate future!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
All three of the browsers on my system (Firefox 3.6, Opera 10.x and IE8) show as unique, and I do have Noscript enabled on Firefox.
The irony is that the site uses cookies to determine if you are unique to the site or have been there before.
Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.
Hello,
I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:
http://www.computec.ch/projekte/browserrecon/
Bye, Marc
Apparently my browser's UA was the first of its kind after 25,430 visitors ;-) My guess is that it has to do with the Chrome build number.
Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.43 Safari/532.5
14.63 bits of entropy and shrinking!
I got the SAME results using Firefox vs. Safari in private mode? Look for yourself: http://phatanium.com/firefox-vs-safari.png
The button to start the test is an image without alt text or other controls.
EFF, please make the site usable without loading images.
Thanks.
Signed: GPRS and other crappy internet connection users worldwide.
Rich
With NoScript blocking eff.org, I was unique to about 1:7000. Once I allowed eff.org on NoScript, I came up as completely unique - Fonts and Plugins seemed to be the most unique factors (as you might expect).
To be honest, if I was using this as a tracking tool I'd probably not put a lot of stock in Useragent, but instead on more unique things like fonts and plugins. Useragents can be spoofed easily, and are generally not that unique. Fonts and plugins, on the other hand, are less likely to be spoofed and are a lot more unique to the user. A lot of people have installed or deleted at least one font on their system, and that's a relatively unique fingerprint.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
If you do any graphic design work at all, odds are extremely strong that you will have a very distinctive set of fonts installed. My Firefox installation was a 1-of due to not only fonts but the particular mix of add-ons I am sporting. Interestingly enough my Chrome was unique for plug-ins--and not fonts, and IE was unique for (surprise!) the USER AGENT details. Go figure.
No, actually, that's bad. Well, if you care about being tracked, that's bad. If you don't care, then the test results are irrelevant to you and the only bad thing is that you've wasted time running the test. But you've contributed a new signature to the EFF so you've helped out with the test.
What the EFF is saying is that all of the attributes they are checking (which can be checked by any web server) combine to form a fingerprint. That fingerprint identifies you as a unique individual to a greater or lesser extent. The more uniquely you can be identified, the more likely it is that a web server (or coalition of web servers) can track your usage on their sites. All they need to do is gather this information for each page you view.
Let's use an automotive analogy, because they always work so very well on Slashdot. I'm making up the ratios, but they only serve to demonstrate the point.
I'm driving at random through a large city (one million cars on the road right now), and you have lots of people trying to track my movements as I drive through the streets and run my errands.
- If you only know that I drive a car, you'll never find out anything about me, because over half the people on the road drive cars. I'm anonymous to you. Over 500,000 chances for a false match all the time means you'll never ever be able to tell where I am.
- If you only know that I drive a green car, your confidence in identifying me is still pretty low, because (let's say) one in 100 vehicles on the road is a green car. I'm still pretty anonymous, but in a city of 1,000,000 there are still 10,000 cars that could match. So for any practical purpose you can't tell who I am.
- If you only know that I drive a green Honda Civic, your confidence just went up, because green Honda Civics are unique to within (say) 1:2,000 - for every 2000 vehicles on the road there is one green Civic. There are still 500 cars that could be mine in the city, though, so it's still a really low confidence that you know where I am.
- If you know that I drive a green Civic with one headlight out, you've significantly upped your confidence, maybe to a useful level. There's still a chance of a false positive matching me, but you're pretty darned close. There may be 10 cars, at most, that match that description. But if you went up to one of them, there's still only a 1:10 chance it's me. I wouldn't bet on those odds.
- If you know that I drive a green Civic with one headlight out, the front drivers door has been replaced with a blue one, I've added a bumper sticker that reads "I BRAKE FOR CLOWNS", and the car has a scratch down the driver's side, it's unlikely in the extreme someone else's car looks like mine, so you can identify me with significant, if not absolute, confidence. Even in a city of a million people, it's terribly unlikely that someone else has a car that matches that description precisely.
- If you know my license plate number, you've got me identified with complete confidence (discounting the odd chance that someone has forged my plate).
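Added example (JavaScript; not EFF's code and not any browser vendor's) of the collection step the post above describes: what a page's script can read on every view, what the server gets from the request headers alone, and how the two combine into a fingerprint a tracker can compare across visits with no cookie. So that it runs in Node, `env` stands in for the browser's `navigator` and `screen` globals (`env.timezoneOffset` is what `new Date().getTimezoneOffset()` would give in a page) and `measureWidth` stands in for a span's `offsetWidth`; the request headers, plugin list and width table are constructed, not captured from a real visit. The font probe is the classic width-comparison trick; the hash is FNV-1a for portability, where a real tracker would use SHA-256 over the same canonical string.

```javascript
// Added example: per-request fingerprint collection against constructed input.
// Not EFF's code. `env` and `measureWidth` replace browser globals so this runs in Node.

const FONT_PROBES = ["Arial", "Verdana", "Helvetica Neue", "DejaVu Sans", "CorpLogo Sans"];
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// Classic font probe: render a test string as '"Font", fallback'; if the width
// differs from the fallback alone, the browser found the font, so it is installed.
function detectFonts(measureWidth, candidates = FONT_PROBES) {
  const base = new Map(FALLBACKS.map(fb => [fb, measureWidth(fb)]));
  return candidates.filter(font =>
    FALLBACKS.some(fb => measureWidth(`"${font}", ${fb}`) !== base.get(fb)));
}

// Everything a script on the page (first- or third-party) can read without a cookie.
function clientSideAttributes(env, measureWidth) {
  const nav = env.navigator;
  const scr = env.screen;
  return {
    plugins: Array.from(nav.plugins || [], p => `${p.name} (${p.filename})`).sort().join(";"),
    fonts: detectFonts(measureWidth).join(";"),
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    timezoneOffset: String(env.timezoneOffset), // new Date().getTimezoneOffset() in a page
    language: nav.language || "",
    cookieEnabled: String(Boolean(nav.cookieEnabled)),
  };
}

// What the server gets on every request, JavaScript or not.
function serverSideAttributes(headers) {
  const get = name => headers[name] || "";
  return {
    ua: get("user-agent"),
    accept: get("accept"),
    acceptLanguage: get("accept-language"),
    acceptEncoding: get("accept-encoding"),
  };
}

// FNV-1a 32-bit over the canonical attribute string: a deterministic identifier,
// not a security primitive. A real tracker would use SHA-256 here.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Fingerprint over a chosen subset of attributes, in fixed key order.
function fingerprintId(attrs, keys = Object.keys(attrs).sort()) {
  return fnv1a32(keys.map(k => `${k}=${attrs[k]}`).join("\n"));
}

// Attributes a tracker keys on when it expects the User Agent to be spoofed.
const STABLE_KEYS = ["plugins", "fonts", "screen", "timezoneOffset"];

// Constructed request and environment (not captured from a real visit).
const SAMPLE_HEADERS = {
  "user-agent": "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100106 Firefox/3.5.7",
  "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  "accept-language": "en-US,en;q=0.5",
  "accept-encoding": "gzip,deflate",
};
const SAMPLE_ENV = {
  navigator: {
    plugins: [
      { name: "Shockwave Flash", filename: "libflashplayer.so" },
      { name: "QuickTime Plug-in 7.6", filename: "libtotem-narrowspace-plugin.so" },
    ],
    language: "en-US",
    cookieEnabled: true,
  },
  screen: { width: 3840, height: 1080, colorDepth: 24 },
  timezoneOffset: -60,
};
// Constructed widths standing in for span.offsetWidth. A family missing from the
// table renders in its fallback, exactly as a font that is not installed would.
const WIDTHS = {
  "monospace": 600, "sans-serif": 520, "serif": 540,
  '"Arial", sans-serif': 518,
  '"DejaVu Sans", sans-serif': 530,
  '"CorpLogo Sans", serif': 575,
};
const measureWidth = family =>
  family in WIDTHS ? WIDTHS[family] : WIDTHS[family.split(", ").pop()];

// One page view: headers alone (JavaScript off) versus headers plus script-readable data.
function visit(headers, env) {
  const headersOnly = serverSideAttributes(headers);
  const full = { ...headersOnly, ...clientSideAttributes(env, measureWidth) };
  return {
    withoutJs: fingerprintId(headersOnly),
    withJs: fingerprintId(full),
    stableOnly: fingerprintId(full, STABLE_KEYS),
    attributes: full,
  };
}

console.log(JSON.stringify(visit(SAMPLE_HEADERS, SAMPLE_ENV), null, 2));
```

Two things fall out of running it: with scripting off the server is left with the headers, which is why the thread's NoScript users drop from "unique" to "one in a thousand"; and changing only the User Agent changes `withJs` but leaves `stableOnly` identical, since plugins, fonts, screen and timezone are untouched.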
That only changes one part of the fingerprint. The one part that is, for the most part, the LEAST unique. Personally, if I did this I'd ignore the useragent entirely, and go for the fonts and plugins. Those are more unique and harder to change.
That's a pointless waste of time. Such manipulations can just be filtered out later. But hey, feel free to act like an ass.
You know, I'm tempted to keep a half-dozen fonts I'm not interested in around so I can randomly install and uninstall 2-3 of them each morning. That, and enable/disable a plugin or two each day. :)
There is, however, a very, very high correlation between Slashdot visits and cuteoverload.com on single-user computers over 3 years old. Not sure what that says about your thesis.
I checked with Mozilla 3.6, Mozilla with Noscript blocking Javascript, and IE. There are now 44000 users.
The tricky bit was that my fonts include the corporate-logo font for $DAYJOB, and I guess none of my coworkers have tried the system or have an earlier edition of the corporate-IT-installed vanilla fonts. (My laptop trashed itself last week, so it's running a vanilla image as of Monday, and I'll have to go reinstall those cool programmer-oriented monospaced fonts and Elvish and such.)
Are there any privacy extensions or options to Mozilla to tell it to only advertise boring fonts, or advertise your favorite choices of fonts so web pages display things the way you want?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You don't have to disable Javascript everywhere; you can use NoScript to enable it for sites you trust (or don't trust but want to get full functionality anyway). And most of the tracking seems to happen on tracker-company sites that the content-provider sites use, so you can use NoScript to block the ones that Adblock doesn't already block.
However, I recently installed Ghostery, and even with NoScript blocking popular trackers, there's apparently still a bunch of Javascript dreck on many popular web sites, especially blogger services and news sites, so I'm now using that to block more stuff.
It should make you more unique - but if it's actually different every time, you should be less trackable, because each time the web server sees a User Agent that it's never seen before, so you look like a different stranger every time.
Your browser fingerprint appears to be unique among the 46,001 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 15.49 bits of identifying information.
My list of plugins and my list of fonts are both unique in 46001. Interestingly, only 61 people ran the test in my timezone. But, I'm curious about the "bits of identifying information". Both fonts and plugins give 15.49 bits of info. Wouldn't their results combined give more "bits"?
How many more years will slashdot have an off-by-one error on your Score in your profile?
16.11 unique bits.
I suspect mainly because I have Quake Live installed.
I am also running Firefox Portable on Windows Server R2.
R2 should report the same as Windows 7 does, and Firefox Portable should not be distinguishable from Firefox.
My resolution of 1680x1050 may also be less common.
After turning off JS, it became more interesting.
Still 10 unique bits, and only 1 in 1093 other browsers had the same fingerprint.
I guess my firefox portable is giving off a unique string.
If you ignore ACs because they are anonymous - you're an idiot.
I claim prior art!
My first program:
Hell Segmentation fault
Out of the first 76,633 users, I'm the only person with my plugin selection and my available fonts.
Using Midori for the browser and Mandriva for the OS was a good start, obviously. The User-Agent string doesn't mention the distro name, though. It just says it's under X on Linux on an i686. One in every 25544.33 people (so two others) submitted to the test with Midori on Linux.
Having commercially-licensed fonts that don't come bundled with any OS helps, and how many people have identical sets of plugins?
When I'm really so worried about privacy, I'll be sure to use a browser that reports exactly what a stock XP or Win7 system would report. There's nothing in the world that forces your browser to tell the whole truth about what it can do.
Without Tor I'm unique with my fonts and browser plugins. With Tor I'm more generic in every category except screen resolution! Tor randomizes screen resolution but the res it gave me was very weird, and hence unique. I think reporting a generic screen res like 1024x768 would probably be more helpful than reporting weird resolutions.
Time makes more converts than reason
my iceweasel on debian: unique
my iphone: like any other iphone...