Slashdot Mirror


Tracking Browsers Without Cookies Or IP Addresses?

Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string. If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
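The rarity figures quoted in the summary (bits of identifying information, and the equivalent "one in x browsers") can be computed from a set of observed browsers as sketched here. This is an added example, not EFF's or Panopticlick's code; the sample rows, field names and function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: (user_agent, plugins, fonts) for 16 visiting browsers.
SAMPLE = (
    [("Firefox/3.5.7", "flash,java", "base")] * 8
    + [("Firefox/3.5.7", "flash", "base")] * 4
    + [("Chrome/4.0", "flash", "base")] * 2
    + [("Firefox/3.5.7", "flash", "base+design-fonts")]
    + [("Firefox/3.5.7 (stop tracking me)", "flash,java", "base")]
)
FIELDS = ("user_agent", "plugins", "fonts")

def surprisal(count, total):
    """Bits of identifying information in a value seen count times out of total."""
    return -math.log2(count / total)

def entropy(values):
    """Shannon entropy (bits) of one attribute's observed distribution."""
    total = len(values)
    return sum(c / total * surprisal(c, total) for c in Counter(values).values())

def report(browser, sample=SAMPLE):
    """(bits, one-in-x) per attribute and for the whole fingerprint.

    The fingerprint row counts exact matches on all fields; adding up the
    per-attribute bits would overstate rarity when attributes are correlated.
    """
    total = len(sample)
    out = {}
    for i, name in enumerate(FIELDS):
        count = sum(1 for row in sample if row[i] == browser[i])
        out[name] = (surprisal(count, total), total / count)
    joint = sum(1 for row in sample if row == browser)
    out["fingerprint"] = (surprisal(joint, total), total / joint)
    return out

if __name__ == "__main__":
    cases = (("common", SAMPLE[0]), ("custom UA", SAMPLE[-1]),
             ("designer fonts", SAMPLE[-2]))
    for label, browser in cases:
        print(label)
        for name, (bits, one_in) in report(browser).items():
            print(f"  {name:12s} {bits:5.2f} bits   one in {one_in:.1f}")
    print("user agent entropy:", round(entropy([r[0] for r in SAMPLE]), 2))
```

In this sample the customized User Agent string and the unusual font set each make their browser unique on that attribute alone, while the most common configuration still shares its fingerprint with half the sample.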

17 of 265 comments

  1. Results and flash cookies by sopssa · · Score: 5, Informative

    I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite generic.

    Plugins were also completely unique and really easy to detect in any other browser than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and look easy to detect.

    Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.

    Another thing people usually forget about when clearing cookies is that Flash has cookies too and they aren't cleared along with them. When did you last clear them? Probably never. You can use BleachBit to clear those along with other software, history and temp data.

    1. Re:Results and flash cookies by Archangel+Michael · · Score: 4, Interesting

      And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.

      I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.

      Now I also realize, that I'm not a "normal" case. Here's to being "odd" !

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Results and flash cookies by KevMar · · Score: 4, Funny

      Using NoScript tells them plenty of information.

      You are either:
      1) Aware of the security risk on the internet so you disabled javascript
      2) You suffer from Paranoid Schizophrenia and don't want them controlling things
      3) You have a serious aversion to ads

      So the ads they should show you would go something like this in a jpg or animated gif (that is not a standard banner size).

      Do you want that extra protection that you just can't get on your own? You need more information on how advertisements and security threats work. Follow this link to make sure you are informed. They are still watching you.

      Sometimes they don't have to track you to figure out your habits

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    3. Re:Results and flash cookies by Ken+D · · Score: 4, Informative

      You are misreading the statistics. If only one in a few thousand computers matches yours, then you are very trackable. Your computer sticks out in a crowd. You want to be as close to 1:1 as you can get, as in, my computer looks like every other computer.

    4. Re:Results and flash cookies by TheCarp · · Score: 4, Informative

      Or actually, I read that wrong... looks like a huge win for open browsing and scripts off, and huge loss for torbutton with scripts off... especially at under 20k tested so far.

      --
      "I opened my eyes, and everything went dark again"
  2. Thanks EFF. I never thought about that. by cornicefire · · Score: 5, Funny

    I'm glad they gave me some new ideas for tracking.

    1. Re:Thanks EFF. I never thought about that. by Monkeedude1212 · · Score: 4, Funny

      Psh. Real trackers use emotional demographics to Identify their users.

      By tracking the various mouse movements on the page, and every key that might be entered, and the timing it takes between movements or keypresses, I can analyze that person's emotional relationship towards my web page. Some people might be angry, and thus have more spelling mistakes in their rage, or some people might be tender, loving, and caring, caressing the page softly and gently with their mouse.

      Everyone has different habits and expresses their feelings towards web pages in different ways. I can easily tell who is visiting my site based on how they are visiting my site.

  3. Already being done by QuietLagoon · · Score: 5, Informative
  4. in other news by Lord+Ender · · Score: 4, Funny

    Researchers have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  5. LOL by C_Kode · · Score: 3, Insightful

    The site says "Only anonymous data will be collected by this site." Yet they are collecting data to see how un-anonymous you actually really are! :)

  6. Two data points... by sabt-pestnu · · Score: 3, Funny

    By subtly changing where the errors occur (and which ones are reported), they can correlate your slashdot post with the attempted page fetch...

  7. IPv6 will make this obsolete by Fëanáro · · Score: 3, Interesting

    Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignments. Same for large networks that currently use NAT.

    So the vast majority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.

  8. Lynx apparently more popular than I thought by Volante3192 · · Score: 3, Informative

    Browser Characteristic : User Agent
    bits of identifying information : 11.09+
    one in x browsers have this value : 2183
    value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev

    (Course, I'm also two minor releases behind...but still, 1 per 2000 is more common than I would've guessed)

  9. Little Bobby Tables in User Agent String by fibrewire · · Score: 5, Funny

    Let's see who's tracking what :P

    Somebody write a Firefox plugin that changes "Fingerprints" to "DropDB" statements

    1. Re:Little Bobby Tables in User Agent String by thms · · Score: 5, Informative

      The quick manual way:

      1) Type "about:config" in the address bar; if you haven't been there before you must confirm that you are actually a geek.
      2) Filter for "useragent", then append whatever you want to the general.useragent.extra.firefoxComment key.
      3) Help -> About shows your current user agent, btw.
      4) Wait for lawsuits? Or Profit? I forgot...

  10. Wow! by BitterOak · · Score: 4, Interesting

    I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  11. Compiling Firefox by J'raxis · · Score: 4, Insightful

    I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, etc. So how likely is it that someone else has the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.