Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tracking Browsers Without Cookies Or IP Addresses?

Posted by CmdrTaco on from the just-how-private-are-you dept.

Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string. If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.

33 of 265 comments (clear)

  1. Results and flash cookies by sopssa · · Score: 5, Informative

    I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite genetic.

    Plugins were also completely unique and really easy to detect in any other browser than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and looks like easy to detect.

    Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.

    Another thing people usually forget about when clearing cookies is that Flash has cookies too and they don't clear along. When have you last time cleared them? Probably never. You can use BleachBit" to clear those along with other software, history and temp data.

    1. Re:Results and flash cookies by Archangel+Michael · · Score: 4, Interesting

      And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.

      I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.

      Now I also realize, that I'm not a "normal" case. Here's to being "odd" !

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Results and flash cookies by KevMar · · Score: 4, Funny

      Using NoScript tells them plenty of information.

      You are either:
      1) Aware of the security risk on the internet so you disabled javascript
      2) You suffer from Paranoid Schizophrenia and don't want them controlling things
      3) You have a serious aversion to adds

      So the adds they should show you would go something like this in a jpg or animated gif (that is not a standard banner size).

      Do you want that extra protection that you just can't get on your own? You need more information on how addvertisements and security threats work. Fallow this link to make sure you are informed. They are still watching you.

      Sometimes they don't have to track you to figure out your habits

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    3. Re:Results and flash cookies by SydShamino · · Score: 2, Interesting

      With javascript disabled my profile was a mere one in 143, but when I enabled javascript and let them run it again, I became a unique flower.

      While having javascript disabled does bin me somewhat (perhaps to 1-2%), telling them about my LabVIEW 8.6 Plugin for Netscape 32 and my Mentor Graphics Veribest Gerber 0 fonts made me completely unique.

      So yeah, javascript disabled totally helps.

      --
      It doesn't hurt to be nice.
    4. Re:Results and flash cookies by Kijori · · Score: 2, Interesting

      I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.

      Advertising companies don't need to be able to identify an individual in order for the data to be useful to them - if they can identify what sites the people that use your computer go to they can construct a demographic that is more useful to them than simply the average user of the site showing the adverts.

      Put it this way: television companies can't tailor their adverts for specific viewers, but they still put significant effort into finding out information about those viewers. Why? Because the more precisely they can define the average viewer the more they can charge advertisers. Similarly, knowing the average user of your computer, while not as useful as knowing your exact tastes, is more than enough for them to want to track your computer's page views.

      Perhaps more worryingly, unless your browsing habits are very similar it wouldn't take much to separate the different users of the computer. If you know what sites every computer visits you could say, for example, that computers that visit Slashdot are unlikely to visit mypinkpony.com - and you could infer, with a relatively high degree of confidence, that if a computer visits both of these sites it is likely that it has multiple users. Then, when the computer visits techreport.com you can ignore all but the sites that were visited shortly before or after visiting Slashdot, while treating sites like mypinkpony.com as a sign that the user has changed. Is it perfect? No, but it will allow you to reduce the noise significantly and build a fairly accurate picture of what to try to sell you.

    5. Re:Results and flash cookies by PYRILAMPES · · Score: 2, Interesting

      How about a nice packet shaper for your router? Borrow a variable from another user, add it to your router and pass it on?

    6. Re:Results and flash cookies by Lumpy · · Score: 2, Informative

      https://addons.mozilla.org/en-US/firefox/addon/6581

      too late, they beat you to it.

      --
      Do not look at laser with remaining good eye.
    7. Re:Results and flash cookies by Ken+D · · Score: 4, Informative

      You are misreading the statistics. If only one in a few thousand computers matches yours, then you are very trackable. Your computer sticks out in a crowd. You want to be as close to 1:1 as you can get, as in, my computer looks like every other computer.

    8. Re:Results and flash cookies by TheCarp · · Score: 4, Informative

      Or actually, I read that wrong... looks like a huge win for open browsing and scripts off, and huge loss for torbutton with scripts off... especially at under 20k tested so far.

      --
      "I opened my eyes, and everything went dark again"
    9. Re:Results and flash cookies by Mister+Whirly · · Score: 2, Insightful

      We were talking about the user agent of a browser as an identifier, not IP addresses or anything else. My point was that if every user agent reported the same thing, no matter the actual configurations or variances of the browser may be, it would be much harder to identify individuals out of the group. So I hardly made a foolish statement. Just because you didn't understand it does not make me foolish.

      --
      "But this one goes to 11!"
  2. Thanks EFF. I never thought about that. by cornicefire · · Score: 5, Funny

    I'm glad they gave me some new ideas for tracking.

    1. Re:Thanks EFF. I never thought about that. by Monkeedude1212 · · Score: 4, Funny

      Psh. Real trackers use emotional demographics to Identify their users.

      By tracking the various mouse movements on the page, and every key that might be entered, and the timing it takes between movements or keypresses, I can analyze that persons emotional relationship towards my web page. Some people might be angry, and thus have more spelling mistakes in their rage, or some people might be tender, loving, and caring, caressing the page softly and gently with their mouse.

      Everyone has different habits and express their feelings towards web pages in different ways. I can easily tell who is visitting my site based on how they are visitting my site.

    2. Re:Thanks EFF. I never thought about that. by Volante3192 · · Score: 2, Funny

      I got that too when I used Lynx.

      Your browser fingerprint appears to be unique among the 4,655 tested so far.

  3. Already being done by QuietLagoon · · Score: 5, Informative

    in the market research industry.

  4. Re:I get this ... by Sta7ic · · Score: 2, Funny

    Hey, more than I got. I hope the EFF can retrieve all the "research data" they're collecting from the servers that must be melting into slag...

  5. in other news by Lord+Ender · · Score: 4, Funny

    Researches have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  6. LOL by C_Kode · · Score: 3, Insightful

    The site says Only anonymous data will be collected by this site. Yet they are collecting data to see how un-anonymous you actually really are! :)

  7. Two data points... by sabt-pestnu · · Score: 3, Funny

    By subtly changing where the errors occur (and which ones are reported), they can correlate your slashdot post with the attempted page fetch...

  8. IPv6 will make this obsolete by F�an�ro · · Score: 3, Interesting

    Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignements. Same for large networks that currently use NAT.

    So the vast mayority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.

  9. Lynx apparently more popular than I thought by Volante3192 · · Score: 3, Informative

    Browser Characteristic : User Agent
    bits of identifying information : 11.09+
    one in x browsers have this value : 2183
    value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev

    (Course, i'm also two minor releases behind...but still, 1 per 2000 is more common than I would've guessed)

  10. Little Bobby Tables in User Agent String by fibrewire · · Score: 5, Funny

    Lets see whose tracking what :P

    Somebody write a firefox plugin that changes "Fingerprints" to "DropDB" statements

    1. Re:Little Bobby Tables in User Agent String by thms · · Score: 5, Informative

      The quick manual way:

      1) Type "about:config" in the addressbar, if you haven't been there before you must confirm that you are actually a geek.
      2) Filter for "useragent", then append whatever you want to the general.useragent.extra.firefoxComment key.
      3) Help -> About shows your current user agent, btw.
      4) Wait for lawsuits? Or Profit? I forgot...

    2. Re:Little Bobby Tables in User Agent String by Bill+Evans · · Score: 2, Interesting

      dave, your observation holds if the user changes the UserAgent just once.

      But thms's idea (leaving aside the whole idea of destructive data) has great merit if you change the UserAgent string differently every day, or every hour. That anonymizes you periodically.

      --
      Oh, this Beta, it is not so good.
  11. Shows who your true friends are. Thank Microsoft. by Anonymous Coward · · Score: 2, Informative

    There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.

  12. This is scary by whatajoke · · Score: 2, Interesting

    Your browser fingerprint appears to be unique among the 10,808 tested so far.
    I just realised that the fact that I turn off all my plugins(and java) and have multiple languages enabled, probably gives a completely unique fingerprint to automated stalkers like google.

  13. Wow! by BitterOak · · Score: 4, Interesting

    I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:Wow! by YA_Python_dev · · Score: 2, Interesting

      I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information.

      It doesn't. It's the Adobe Flash plugin, deinstall it and try the test again. BTW, if you have noscript and flash, instead of JS enabled and flashblock, you have your configuration exactly backwards.

      --
      There's a hidden treasure in Python 3.x: __prepare__()
  14. Compiling Firefox by J'raxis · · Score: 4, Insightful

    I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, &c.. So how likely is it that someone else with the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.

    --
    Liberty in your lifetime
  15. The site uses cookies. by fava · · Score: 2, Interesting

    The irony is that the site uses cookies to determine if you are unique to the site or have been there before.

    Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.

  16. browserrecon project by Marc+Ruef · · Score: 2, Informative

    Hello,

    I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:

    http://www.computec.ch/projekte/browserrecon/

    Bye, Marc

  17. It's the FONTS... by trygstad · · Score: 2

    If you do any graphic design work at all, odds are extremely strong that you will have a very distinctive set of fonts installed. My Firefox installation was a 1-of due to not only fonts but the particular mix of add-ons I am sporting. Interestingly enough my Chrome was unique for plug-ins--and not fonts, and IE was unique for (surprise!) the USER AGENT details. Go figure.

  18. Re:More Unique, Less trackable by Mister+Whirly · · Score: 2, Insightful

    If everybody was using it, yes. But if you keep seeing a unique agent string coming from the same IP range over and over, it would be easier to track, to a degree. There are a lot of variables, but if you didn't have a lot of traffic it could make it easier to identify an individual user.

    --
    "But this one goes to 11!"
  19. I claim prior art! by fph+il+quozientatore · · Score: 2, Insightful

    I claim prior art!

    --
    My first program:

    Hell Segmentation fault