Slashdot Mirror


EFF Says Forget Cookies, Your Browser Has Fingerprints

alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."

175 comments

  1. damn. by Anonymous Coward · · Score: 1, Insightful

    gonna have to stop surfing porn at work now.

    1. Re:damn. by ShadowRangerRIT · · Score: 4, Insightful

      I know that's a joke, but at work you likely experience greater anonymity than at home (from the website operator at least, can't say if your company monitors). At home, your computer is likely to have an eclectic mix of plugins, more or less up to date browser, OS, etc., all of which make you easy to profile. At work, you're often subject to the demands of the IT department, and the IT department likes uniformity; it's easier to support. So when you surf for porn at work, odds are the website can't distinguish you from anyone else at your office, since you all broadcast the same configuration data.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:damn. by WrongSizeGlass · · Score: 1

      gonna have to stop surfing porn at work now.

      Just do it from the proxy server and they'll never be able to trace it back to you ... unless you're the only one with access to that server, which means you should start handing out the server passwords, which would make you the anti-Terry Childs of workplace porn!

    3. Re:damn. by WrongSizeGlass · · Score: 1

      Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

      If you're that concerned about some site(s) knowing you were there then either don't go there or change your IP address regularly so they don't know you're the same visitor (changing the cloned MAC address of your router and rebooting your router & broadband modem will get you a different IP address on some networks). If you're doing it from a static IP address you're paying for, well, then you're paying to identify yourself.

    4. Re:damn. by Anonymous Coward · · Score: 5, Funny

      true,

      but you're still boned if you're the only furry in the office.

    5. Re:damn. by The+Fanta+Menace · · Score: 1

      Umm, what if you're in China and you're browsing pro-democracy websites?

      --
      -- Even if a god did exist, why the fsck should I worship it?
    6. Re:damn. by bytesex · · Score: 1

      Why does everyone always want to bone furries? And in the office no less!

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    7. Re:damn. by Anonymous Coward · · Score: 1

      It's the tail. Without a tail there's no good excuse to wiggle your arse at people.

    8. Re:damn. by icebraining · · Score: 3, Insightful

      Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

      Except what's "wrong" is not well defined *now*, and it may even be worse in the future - and we have no idea for how long they'll keep those logs.

    9. Re:damn. by omnichad · · Score: 1

      Then the IP address is enough identifying information. This article would be irrelevant.

    10. Re:damn. by DM9290 · · Score: 4, Insightful

      Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

      And who defines what "wrong" is? In some places being gay is a crime. In some places being an apostate is a crime. In some places being anti-government is a crime. In some places playing violent video games, looking at porn of women with small breasts is a crime. In some places reading certain books is a crime.

      Either you are ignorant, or you are trolling.

      --
      No one has a right to their *own* opinion. They have a right to the TRUTH.
    11. Re:damn. by Anonymous Coward · · Score: 0

      um...no. What if you already took precautions against having your IP address identified. Unsecured wireless access, etc...then THIS would still get you.

    12. Re:damn. by coolsnowmen · · Score: 1

      Just because you can fingerprint (uniquely identify) a browsing entity doesn't mean you can easily find them. You'd have to then correlate that fingerprint with one with a traceable IP. What if the same Firefox plugin I'm using to obfuscate my source IP also is providing a standard set of plugins/fonts and is disabling certain JavaScript calls (ostensibly to prevent itself from being detected, but now with the added side effect of preventing you from being uniquely identified)?

    13. Re:damn. by Mister_Stoopid · · Score: 2, Interesting

      Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

      I realize that it's a bad idea, but posts like this make me think we should have a (-1, ignorant) mod anyway.

    14. Re:damn. by vegiVamp · · Score: 0, Troll

      Because furries are probably the only ones slutty enough to do a slashdotter.

      --
      What a depressingly stupid machine.
    15. Re:damn. by Artifakt · · Score: 2, Insightful

      Usually, people who offer the "If you're not doing anything wrong, why do you care who has your information" claim are talking about something such as the Dept. of Justice seeing that information. Here we're talking about anyone who puts up a web site, (as you, yourself, posted). That's actually a pretty extreme position. You're not just saying we should all trust the government - you're really saying we should all trust random strangers.
      Would you respond to my post right now, with your current IP address, monitor resolution, video card and driver info, all browser functions enabled, any 3rd party add-ons, what versions of Flash, Shockwave, and so on you have, your OS and what support packs it has, a complete list of codecs on your machine, a similarly complete list of fonts, and probably a lot more info? I'm a random stranger to you, aren't I? I can understand if you don't want to look all that up manually and type it into a little Slashdot window (in fact, please don't), but how is that really different from my automated harvesting of that same data?

      Look at all the things you can't change. Yeah, you, and most people, can force a new IP address if you're with a common ISP such as Comcast. But if you update your Flash, that update's gonna have a time-stamp after the version I just found out about, so I can still assume that your PC had that version of Flash at the time it visited my site. What if I'm looking for old versions of add-ons that have known vulnerabilities? Maybe I'm watching for visitors who don't upgrade or patch much. There are certainly exploits that would be hard to stop if their originator focused on putting them only on the obviously slow-to-patch set's boxes. So, if for no other reason, we should care because it's another reason to keep up with current versions of all those 3rd party support files browsers have these days.

      --
      Who is John Cabal?
    16. Re:damn. by Stregano · · Score: 1

      Or just surf for porn at McDonald's or Borders since they have free wifi.

      --
      The world is how you make it
    17. Re:damn. by Anonymous Coward · · Score: 0

      Who really cares that their "browser fingerprint" is out there?

      Those of us who have enough imagination, experience and knowledge of history to enable us to see the potential (and often quite likely) consequences of browser fingerprints in general.

      I.e. not you.

    18. Re:damn. by Anonymous Coward · · Score: 0

      What if you're in the USA and you're browsing cryptome?

  2. Take some measures... by IYagami · · Score: 5, Informative

    From TFA:

    "There are some effective countermeasures, however. A uniquely identifiable IDG News Service Windows XP computer running Firefox could not be identified with the NoScript safe browsing extension turned on. Adding the Tor Internet anonymization software also works, Eckersley said."

    1. Re:Take some measures... by The+MAZZTer · · Score: 1

      Chrome also has NoScript-like functionality. Go to Options > Content Settings and disable JS and plugins, and add exceptions using the address bar icons that appear when you browse sites you trust.

    2. Re:Take some measures... by Anonymous Coward · · Score: 0

      God I love that extension, it grants all sorts of security just by preventing me from doing 'stuff' I didn't mean to do.

    3. Re:Take some measures... by Steve+Max · · Score: 1

      However, see section 6.1 from TFA (the actual EFF article, not the news piece): technologies used to "enhance privacy" may be counterproductive. Using those technologies (FlashBlock, Privoxy, changing your UA) is very uncommon, so the average entropy of browsers using those technologies is high. They add that they didn't try to fingerprint NoScript usage any further, but it is very possible to do so if users allow scripts from some important sites.
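The summary's "unique picture" figure and this comment's point about rare privacy tooling are both about the same arithmetic: the surprisal of an attribute value and the entropy of the fingerprint distribution. The following is an added example, not code from the EFF study or from anyone in this thread; the ten-visitor population and all attribute values in it are constructed, and `ATTRS` is simply the set of columns the example fingerprints on.

```python
# Added example: measuring how identifying browser attributes are, using the
# surprisal / Shannon-entropy measure the EFF study reports, over a small
# constructed population. None of the values below are measured data.
import math
from collections import Counter

# Constructed population of ten visitors (hypothetical values).
# Visitor 9 runs "privacy" tooling: a spoofed UA string and FlashBlock.
SAMPLE_VISITORS = [
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,Java,WMP",  "fonts": "Windows default"},
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,Java,WMP",  "fonts": "Windows default"},
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,Java,WMP",  "fonts": "Windows default"},
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,Java,WMP",  "fonts": "Windows default + Office"},
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,WMP",       "fonts": "Windows default"},
    {"ua": "Firefox 3.6 Windows",   "plugins": "Flash,Java,WMP",  "fonts": "Windows default"},
    {"ua": "Firefox 3.6 Windows",   "plugins": "Flash,Java,WMP",  "fonts": "Windows default"},
    {"ua": "Firefox 3.6 Windows",   "plugins": "Flash,WMP",       "fonts": "Windows default + designer pack"},
    {"ua": "Mozilla/4.0 (spoofed)", "plugins": "FlashBlock only", "fonts": "Windows default"},
    {"ua": "MSIE 8.0 Windows",      "plugins": "Flash,Java,WMP",  "fonts": "Windows default + CJK"},
]
ATTRS = ["ua", "plugins", "fonts"]


def fingerprint(visitor, attrs=ATTRS):
    """Concatenate the chosen attributes into one fingerprint string."""
    return "|".join(visitor[a] for a in attrs)


def surprisal_bits(visitors, attr, value):
    """-log2 P(attr == value): how many identifying bits one observed value
    of one attribute is worth in this population. Rare values score high."""
    hits = sum(1 for v in visitors if v[attr] == value)
    if hits == 0:
        raise ValueError("value not observed in population")
    return -math.log2(hits / len(visitors))


def entropy_bits(visitors, attrs):
    """Shannon entropy of the fingerprints built from attrs, in bits."""
    counts = Counter(fingerprint(v, attrs) for v in visitors)
    n = len(visitors)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unique_fraction(visitors, attrs):
    """Fraction of visitors whose fingerprint occurs exactly once, i.e. how
    often the fingerprint alone singles someone out (the kind of number the
    EFF's "about 94 percent" is)."""
    counts = Counter(fingerprint(v, attrs) for v in visitors)
    return sum(1 for v in visitors if counts[fingerprint(v, attrs)] == 1) / len(visitors)


if __name__ == "__main__":
    for a in ATTRS:
        print(f"{a:8s} entropy = {entropy_bits(SAMPLE_VISITORS, [a]):.2f} bits")
    print(f"combined entropy = {entropy_bits(SAMPLE_VISITORS, ATTRS):.2f} bits")
    print(f"unique with UA only : {unique_fraction(SAMPLE_VISITORS, ['ua']):.0%}")
    print(f"unique with all attrs: {unique_fraction(SAMPLE_VISITORS, ATTRS):.0%}")
    # The "privacy" configuration is the rarest UA and so the most revealing one.
    for ua in ("MSIE 8.0 Windows", "Mozilla/4.0 (spoofed)"):
        print(f"surprisal of ua={ua!r}: {surprisal_bits(SAMPLE_VISITORS, 'ua', ua):.2f} bits")
```

Two things the numbers show that the prose does not: entropy adds up across attributes only to the extent they are independent (the combined figure is well below the sum of the per-attribute figures because plugins and UA are correlated here), and a single uncommon value such as the spoofed UA carries more bits than the whole common configuration does.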

    4. Re:Take some measures... by Anonymous Coward · · Score: 0

      It seems that a good chunk of your identifiability comes from the list of fonts you have actually installed on your computer (many programs install fonts). This list is captured through a Flash object. Since NoScript blocks Flash... you know.

    5. Re:Take some measures... by MyFirstNameIsPaul · · Score: 1

      But does that work the same as NoScript to select which domains on the site the user allows? I don't like it that google-analytics is on damn near every page on the Internet. I don't need Google tracking me everywhere I go.

      --
      I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

    6. Re:Take some measures... by Anonymous Coward · · Score: 0

      That's nothing like the convenience of using NoScript. Chrome pales in comparison - it won't let you enable scripts per-domain for example, you have to enable EVERY script on the page, or NONE of them.

  3. Original ./ article by Mouldy · · Score: 5, Informative
    1. Re:Original ./ article by Anonymous Coward · · Score: 0

      ./ article? really?

    2. Re:Original ./ article by BenoitRen · · Score: 1

      What's this Dotslash site you're advertising in your subject line?

  4. no shit by Anonymous Coward · · Score: 1, Insightful

    anyone that has had a website not hosted on geocities knows this

    most normal people should know this by now also, how do you think it knows to install the windows version over the linux or OSX version (i.e. installing Java)

    1. Re:no shit by Cro+Magnon · · Score: 1

      most normal people should know this by now also, how do you think it knows to install the windows version over the linux or OSX version (i.e. installing Java)

      Or, in the case of this crowd, how it knows NOT to install the windows version on our Macs/Linux boxen.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:no shit by EvanED · · Score: 1

      how do you think it knows to install the windows version over the linux or OSX version (ie installing java)

      Being able to tell what OS you're running is a far cry from being able to basically personally identify you. The former is probably present in your browser's useragent; the latter requires far more than just your useragent. But of course you know that, because you read TFA, right?

    3. Re:no shit by grumbel · · Score: 2, Informative

      It goes far beyond just the OS. With Flash for example you can get a list of all the fonts the user has installed. If you ever installed some custom fonts, chances are you are close to 100% uniquely identifiable. You can also trace which pages the user has visited with some dirty CSS tricks (load an image in a:visited {}, track that, and you know if the user has visited the link).

      I seriously doubt that most users are aware of that trickery and how much information it is really giving away.

    4. Re:no shit by amn108 · · Score: 1

      Well, if you are going to enlighten us on Flash, let me help you. You can go much farther than just forwarding the list of fonts to a fingerprint making machine. Why not also grab:

      1. Flash Player version and host OS
      2. Flash Player "is a debugger player version" flag
      3. Flash Player "is embedded" (browser/standalone) flag

      There is more, like locale, accessibility flags delegated from the OS, and I would imagine some 5 or 10 more samples that will help you with the fingerprint entropy. Flash is wonderful!

  5. Old News by ronmon · · Score: 1, Informative

    This was covered in January.

    1. Re:Old News by caerwyn · · Score: 4, Informative

      This article relates to the publishing of the *results* of the experiment announced in the first article. This is not (for once) a dup. Hence the "compiled over the past few months" bit in the summary.

      --
      The ringing of the division bell has begun... -PF
    2. Re:Old News by noidentity · · Score: 1

      The beginning of this was covered, I believe. Now the data are in and they can draw definite conclusions.

    3. Re:Old News by Anonymous Coward · · Score: 0

      Any Slashdotter worth his salt (or whatever) should have realized years ago that this is probably possible.

  6. Personally Identifiable Information by Coreigh · · Score: 5, Interesting

    I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do; it's do they know, specifically, who I am.

    I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

    --
    "Waitress I need two more boat-drinks..."
    1. Re:Personally Identifiable Information by somersault · · Score: 5, Funny

      In other words, it's not that they know what I do; it's do they know, specifically, who I am

      Bruce Wayne: It's not who I am underneath, but what I do that defines me.

      --
      which is totally what she said
    2. Re:Personally Identifiable Information by Anonymous Coward · · Score: 0

      What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do; it's do they know, specifically, who I am.

      The problem is that being uniquely identifiable (as is the case with this problem) greatly expands the scope of any personally identifiable leak and also potentially creates new personally identifiable leaks when data is aggregated. It also takes surprisingly little information to become personally identifiable: The Netflix privacy scandal was based on the combination of zip code, birthdate, and gender.

    3. Re:Personally Identifiable Information by Monkeedude1212 · · Score: 3, Insightful

      That's where things get difficult, though, right? For the sake of argument, let's say that Microsoft decided to embed a Unique User ID into everyone's Internet Explorer, so that anytime you browse the net your ID gets stamped everywhere you go. Makes it easier for adspace to trend towards your interests, right? But then you're also checking your Facebook, your email, your bank account, logging into Slashdot, and so on and so forth.

      Eventually, one of these services slips, like Facebook has, and your Identifiable Information gets out in the open. When I google my name, I see my Facebook Profile, my name come up under my mother's friends list on Facebook, a handful of .NET Debugging forums. Even foreign versions of Facebook: in my classes we had people from the Middle East, Japan, Hong Kong, and other regions of the world, and on every other Google page I see "Facebook: (Chinese Characters) (My Name)". Makes me a little paranoid I'm being creeped by someone I don't know.

      Regardless - my point is that any effort they make to track just your preferences will always lead back to some site that slips up and makes your identifiable information easier to find, should you put it anywhere online. The way things currently are, you are pretty much safe if you do your best to keep your anonymity online, and that is probably the best it's ever going to get.

    4. Re:Personally Identifiable Information by fuzzyfuzzyfungus · · Score: 4, Informative

      The trouble is, you only need to fuck up once (or, perhaps more realistically, a few times to let the algorithms bump their confidence in the ID high enough) for that information to become personally identifiable. And, once gathered, a body of "non-personally identifiable" information can persist for a time limited only by the plummeting costs of storage and can, at any future time, be linked with enough new data to make it personally identifiable.

      Some percentage, varying by person (and by whether or not your ISP is selling you out to anybody like Phorm), of site visits are personally identifying with a fairly high degree of confidence. For a substantial number of people, that's probably just Facebook. In other cases, patterns of activity across a few websites make inferring your identity with fairly high confidence reasonably plausible. Because things like 3rd-party ad networks and whatever "I can't believe it's not Beacon" tech Facebook is using today have cross-site reach, often remarkably broad, it is by no means unrealistic to expect that, over time, at least one of your personally identifiable visits or visit clusters will overlap with the reach of one or more ad networks with extensive "non-personally identifiable" knowledge of what your browser fingerprint has been up to. At that point, the previously "non-personally identifiable" is suddenly personally identified.

      Most people aren't even paying attention. Even the ones that are, are likely imperfect in their execution, and keeping up with the scope and sophistication of what a competent data-miner could infer would practically be a full-time job. Unless you are a truly bland person, you can probably be identified with fair confidence on surprisingly little data. Worse, as TFA notes, a lot of the common "privacy" measures and extensions and so forth actually make your browser substantially more unusual than it would otherwise be.

    5. Re:Personally Identifiable Information by tpstigers · · Score: 2, Insightful

      I use credit and debit cards to purchase items in stores all the time. There's nothing even remotely anonymous or private about the process. Why do we all expect it to be otherwise online?

    6. Re:Personally Identifiable Information by natehoy · · Score: 1

      The trouble is in aggregated data.

      Let's say I run a website. If you visit my site and you don't enter any personally-identifiable data, I don't know who you are. But I do see your browser signature which I can store along with your IP address (which will at least usually identify your ISP) and if you haven't blocked it I can also use doubleclick or googleanalytics to get your unique cookie ID. I can freely sell that information to anyone I damned well please because there's no personally identifiable information in it. Data aggregators pay decent sums to collect that data.

      Then, if you visit another site, they can buy the aggregate data on your visits and see what other sites you visit.

      Eventually, you're going to buy something. That seller (if they are honest and have a decent privacy policy) will not sell your name. But they have it, and they have your entire browsing history. And they add the fact that "user 918470293487 purchased a XYZ-model digital camera at 8PM on the 15th for $X, after spending 4 hours on the site reviewing other models, looking at 245 reviews, focusing mostly on negative reviews, marking three of them as helpful, two of them as unhelpful, and asking the following questions on the user forums."

      That is now part of your aggregate data. Do a search for "check engine light" and your car dealer knows something is wrong with your car, because they are collecting aggregate data and know who you are.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    7. Re:Personally Identifiable Information by dmomo · · Score: 1

      Interestingly, even if this type of fingerprinting doesn't 100% uniquely identify a user, for the purposes of marketing, that's probably okay. Users with the same fingerprints are likely similar demographically. At least as far as a target audience for a product is concerned. I'd almost prefer to be lumped anonymously into an "advertising bucket" than be tracked individually. Maybe we need a system for fingerprint sharing. I'm sure some firefox plugin could spoof or randomize this to some extent.

    8. Re:Personally Identifiable Information by ccady · · Score: 1

      What really scares me is when advertisers know stuff about me that *I* don't even know. Like the fact that I will need Viagra tomorrow, or that I am about to receive a million dollars from my Nigerian uncle.

      --
      J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
    9. Re:Personally Identifiable Information by tlhIngan · · Score: 2, Interesting

      I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do; it's do they know, specifically, who I am.

      I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

      As seen time and time again, the answer is yes. That fingerprint you have - did you go shopping with it? Boom, you've just linked your fingerprint to a name, address, phone number, and partial credit card. Or visit Facebook? Or other social networking site?

      Remember that Netflix contest? A simple match of that data with IMDB reveals all. And people constantly do things that inadvertently link their personal information with a fingerprint.

      It's only a matter of time - businesses often sell your information to third parties, and soon those third parties will pay for the fingerprints as well. It doesn't have to be an exact positive match, even something as crappy as a 50% hit rate is enough to be spooky. And even if YOU don't make yourself identifiable, others do to make it worthwhile to do so.

      And even if we strip down tons of browsers to return the same information regardless, there'll be other ways - possibly using Flash to profile your system to generate your fingerprint (they already do with flash cookies). Hell, who knows what Flash can retrieve, especially on phones (the UI to manage flash cookies is crappy enough. The UI to do it on mobile phones supporting flash will probably be non-existent).

    10. Re:Personally Identifiable Information by Anonymous Coward · · Score: 0

      So what happens with multiple people using the same computer? Or multiple people sharing a connection?

      Or the same person using different browsers? I use 2 browsers regularly on my main machine. I have 3 machines that I use regularly, and the browsers on the 2 other machines are different browsers or versions from my main machine.

      Not only that, I have those machines for different activities. The one machine I use Firefox for all banking and payment transactions. The other is for more personal/private stuff--I never log in from there. The main machine is for regular browsing and work.

      So do the algorithms identify between 3 machines and 5 browsers the same individual, or think they're different people?

    11. Re:Personally Identifiable Information by Anonymous Coward · · Score: 0

      Sounds terrible. People would know you're a .NET developer!

    12. Re:Personally Identifiable Information by fuzzyfuzzyfungus · · Score: 1

      Well, unless you are one of the (fairly rare) people who have multiple internet-facing IPs in the location that they do their personal surfing from, rather than just a NAT box, your multiple computers won't do all that much. Even if you don't shell out for a static IP, most home broadband IPs are, de facto, stable for a few days at a time, if not rather longer. Multiple distinct signatures aren't a huge mystery if they come from the same IP.

      Unless you are quite careful, multiple browsers is trivially defeated by Flash cookies, which are persistent per Flash instance, not per browser (maybe Chrome's upcoming integration will change this, I don't know). The other plugin and font fingerprinting stuff should be reasonably robust cross-browser as well.

      Then there are the time-of-day based inferences. IP geolocation should, barring specific attempts at obfuscation, or the occasional fuckup, at least get you within the right time zone. You can then start testing inferences based on the fact that, for instance, schoolchildren tend to browse at home earlier than office workers do, night-shift workers have a different schedule altogether, stay-at-home-moms keep roughly the same hours as work-from-home consultant types; but have different browsing habits, and so forth.

      I'm not saying that privacy is completely impossible, just that it is harder than it looks.

    13. Re:Personally Identifiable Information by geekoid · · Score: 1

      "I don't care if anyone tracks my preferences or shopping history.

      you do if you are on a site that gets raided for some reason.

      If you have purchased something, then you are personally identifiable. How do you think they know where to get your money?

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    14. Re:Personally Identifiable Information by Anonymous Coward · · Score: 0

      Actually that is just what Silverlight did. When you have Silverlight, a Silverlight-aware site can get a unique id. Which is also the reason why I personally don't install Silverlight, even if it is required if you want to see the Olympic games.

    15. Re:Personally Identifiable Information by amn108 · · Score: 1

      If we assume that your fingerprint is assembled wholly at your side, then I would say you are RELATIVELY safe from it being disassembled into components that could compromise your real-world identity. One way to make the fingerprint irreversible like that is to encrypt it with a throw-away random key, also at client side. The unique but absolutely meaningless string arriving at the other end will uniquely identify YOUR END, NOT YOU. You can continue shopping and surfing porn, and all they got is a random string. If the porn site wants a fingerprint, they will get another value which will also identify you ACROSS THEIR DOMAIN. The two parties will not be able to cross-correlate their "databases" for any result. They will each contain a database of non-colliding pieces of data, one per each unique user, but they will not make any sense of comparing these.
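The client-side scheme the comment sketches, written out as an added example (not the commenter's code and not something any browser actually ships): the client keeps one random master secret, derives a separate key per site origin, and hands each site an HMAC of the locally assembled fingerprint under that site's key. The fingerprint string, the origin names and the `site_token` / `cross_correlate` helper names are all assumptions made for the example.

```python
# Added example: per-origin keyed fingerprint tokens. Each site receives only
# HMAC(key_for_that_site, fingerprint), so its token table is stable for
# returning visitors but cannot be joined against another site's table, and
# rotating the master secret severs even the same site's history.
import hashlib
import hmac
import secrets

# Constructed fingerprint: the attributes a client would gather locally.
CONSTRUCTED_FINGERPRINT = "Firefox 3.6|Windows XP|Flash,Java|Arial,Verdana,Comic Sans"


def new_master_secret() -> bytes:
    """Random client-side secret; it never leaves the machine."""
    return secrets.token_bytes(32)


def site_token(master_secret: bytes, origin: str, fingerprint: str) -> str:
    """Identifier a given site sees for this client.

    The per-site key is HMAC(master_secret, origin); the token is
    HMAC(per_site_key, fingerprint). Without master_secret, no party can
    recover fingerprint components from the token or relate two sites' tokens.
    """
    per_site_key = hmac.new(master_secret, origin.encode(), hashlib.sha256).digest()
    return hmac.new(per_site_key, fingerprint.encode(), hashlib.sha256).hexdigest()


def cross_correlate(site_a_tokens, site_b_tokens) -> set:
    """What two cooperating sites can do with their token tables: look for
    values both have seen. With per-origin keys the intersection is empty."""
    return set(site_a_tokens) & set(site_b_tokens)


if __name__ == "__main__":
    secret = new_master_secret()
    shop = site_token(secret, "https://shop.example", CONSTRUCTED_FINGERPRINT)
    other = site_token(secret, "https://other.example", CONSTRUCTED_FINGERPRINT)
    print("shop sees  :", shop)
    print("other sees :", other)
    print("same visitor again at shop:", shop == site_token(secret, "https://shop.example", CONSTRUCTED_FINGERPRINT))
    print("joinable across sites     :", bool(cross_correlate([shop], [other])))
    # A throw-away secret: after rotation the shop cannot link old and new visits.
    rotated = site_token(new_master_secret(), "https://shop.example", CONSTRUCTED_FINGERPRINT)
    print("linkable after key rotation:", rotated == shop)
```

The caveat a practitioner would add: this only holds if the site receives the token and nothing else. A page that reads the raw attributes itself, via JavaScript, Flash or the User-Agent header, has the fingerprint regardless of what the client tokenises, which is why the scheme depends on the comment's premise that the fingerprint is assembled wholly on the client's side.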

    16. Re:Personally Identifiable Information by amn108 · · Score: 1

      Don't be silly. First of all, there are stores that think just ramming YOUR card number along with some juicy details like owner name, expiration date, and CVC code, in their OWN MySQL database is a good idea. If you have a brain, you know that's a store to watch out for. Then again, most respected smaller stores, in full knowledge they don't know how to do banking, "outsource" it by means of delegating all sensitive stuff through some net-banking provider, which is usually your bank. When your bank fucks up, you call them and get the money back. This is why we expect it otherwise online - because you won't get your money back otherwise. Banks carry responsibility; a random website that is stupid enough to require you to log in to buy a box of vintage Coke bottles, in effect, does not.

    17. Re:Personally Identifiable Information by Anonymous Coward · · Score: 0

      Can you cite a reference? I did a quick search but came up with a bunch of not-obviously-relevant programming stuff. Lots of session/object uuids, not a persistent per-user ear-tag. If it's really there I'd like to know more. Thx.

  7. Doesn't link it to YOU by Gothmolly · · Score: 3, Interesting

    It only lets them know it's the same browser/computer, it doesn't give them the docs on you.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Doesn't link it to YOU by Cmdr-Absurd · · Score: 2, Insightful

      Ah, but if you can be ID'd on a single site, much of what you do can be tracked. A lot of http access logs are web-accessible.
      So if I can associate you with your browser signature on ANY site, I can let my google fingers do the walking. It's a snap.

    2. Re:Doesn't link it to YOU by canajin56 · · Score: 1

      Yeah, not quite...you turn on your proxy and browse whatever porn. Then you close everything, turn off the proxy, and hit up facebook. Now they know who you are.

      --
      ASCII stupid question, get a stupid ANSI
    3. Re:Doesn't link it to YOU by Monkeedude1212 · · Score: 1

      It's about as effective as knowing who is driving a car by the license plate. Yeah, it's not 100% accurate, but definitely more than 90%.

    4. Re:Doesn't link it to YOU by mea37 · · Score: 1

      Er... why do you theorize Facebook is exchanging browser profile info with random porn sites?

      Like many people assessing online privacy threats, you seem to be looking at what a sufficiently well-placed cabal could do (from a "technically plausible" standpoint) and not thinking about real-world applicability. If your best reason to be concerned about privacy is to conceal your porn habits, you can rest assured nobody's that interested anyway. (Yes, there are exceptions. If you're trying to conceal predatory behavior, my attitude switches from apathy to lack of sympathy.)

      Which is not to say there's no threat. If Facebook realizes that those profile-to-person mappings have commercial value, they certainly might start sharing them with commercial sites that are willing to pay for them.

    5. Re:Doesn't link it to YOU by IamTheRealMike · · Score: 2, Insightful

      The fingerprinting techniques heavily rely on JavaScript, so finding random unprotected http access logs isn't going to help you. If it's truly "a snap" then please show me my last visited sites?

      I think at some point the internet privacy debate will have to start featuring some concept of personas, or the idea that a single person does not have a single identity but rather many identities. Some of them overlap, some of them are easier to change than others and some of them are what we might call "personal" - for instance personas like your full legal name or physical appearance are clearly different to a persona like a passport number, which is itself quite different to an email address (a lot harder to change for one). Although today they tend to all get lumped together under the same concept of "you-ness".

      In this case, my browser's fingerprint is clearly a persona, but is that really a problem?

    6. Re:Doesn't link it to YOU by suggsjc · · Score: 1

      Either I'm missing something or you're creating a strawman.

      First you say "A lot of http access logs are web-accessible." My guess would be that mainly smaller/lower trafficked sites (not that the information couldn't be valuable), are the ones making their logs available whereas the more popular sites would do their due diligence and secure them. However you then write "So if I can associate you with your browser signature on ANY site..." Like I said, I may be missing something, but can you, Cmdr-Absurd, get access to the logs to ANY site and compile that information across ALL the sites on the web? If you can, please let the /. community know how because I'd say you've stumbled across a very large security/privacy hole.

      --
      When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
    7. Re:Doesn't link it to YOU by Anonymous Coward · · Score: 0

      there are tons of methods for hiding who you are... but probably only 5% of the users out there (if even that many) will ever even know that they exist or even understand how to put them in effect even if explained with pre-school pics and wide rule yellow kindergarten paper ;)

      i personally prefer this method to identifying individuals on sites i develop personally for myself... i also use cookies but this as somewhat of a background for non sensitive preferences, etc... but if anonymity is what you're looking for you could spend a lifetime trying to keep up with all the new crap out there that the spammers and marketers and even honest developers keep coming up with to figure out who you are and what the best ad is they should throw in your face... and as for the chrome comment... you may be able to hide cheesy little things that will keep your wife from knowing that you prefer to look at 19 year old firm breasts to get worked up instead of her aging 50 year old saggy bottom that looks like a bag of marbles, but you'll never trick company sniffers, or advanced server developers... so clicking that ole incognito button (aka the porn browser mode which is what we call it at work ;) ) only gets you so far... we have entered into an age where someone seems to know just about everything about us if they wish, from what we purchase including just about every dollar we spend and our preferences in ice cream and books to what our favorite fetish and techie information site is ;) face it, the only way out of it completely is to get a cabin in the woods, use candles for light and those old fashioned information sources that we used to use as kids (aka books *sarcastic grin*) other than that assume that you will never be 100% anonymous in anything you do from this day forward!

    8. Re:Doesn't link it to YOU by camperdave · · Score: 1

      That's easy. Your last visited site was Slashdot.

      --
      When our name is on the back of your car, we're behind you all the way!
    9. Re:Doesn't link it to YOU by Cmdr-Absurd · · Score: 1

      Not a "snap" for me. That's a play on an old yellow pages commercial.
      You are quite right that the full fingerprint is not generally found in web logs, but user agent string plus IP address is -- and that is not a bad fingerprint, in itself. Now if you happen to be
      • a major online retailer that also offers cloud computing services.
      • a major search engine that also offers online apps
      • a major social networking site with tendrils all over the 'net
      • a major web hosting/colo company
      • a government that likes to keep tabs on dissidents

      you could easily have access to the sorts of logs in question.
      And those sorts of logs are attractive targets for data mining by third parties of various sorts.

      The general public still has very little awareness that web surfing is, at least potentially, a lot less anonymous than one might think or hope.

      Is this a problem? That depends on one's individual situation.

    10. Re:Doesn't link it to YOU by Brianwa · · Score: 1

      The major advertisers definitely have the ability to glean these fingerprints from some nontrivial percentage of the sites you visit. With enough data they stand a reasonable chance of finding connections between someone's different "personas" on the Internet, whether the difference between said personas is simply one person using two different computers or if it's someone actually trying hide their identity.

  8. even plugins? by Anonymous Coward · · Score: 0

    > data on the type of browser, operating system, plugins, and even fonts installed

    Surely the browser, version, and OS are available in the user agent ID string, which one can spoof with a FF plugin.

    But unless one enables scripts, how can a site get the list of plugins and fonts installed? I didn't know there was something sent from my browser back with that information. If so, is there a plugin to remove it? :)

    Of course if I enable scripts I'd expect a site could get that info, but if I let it run scripts, all bets are off about privacy anyway, which is why my default is "disable scripts unless I have a good reason to enable them". I've never understood why most people use the opposite default of, "hey, Mr Web Site, run anything you want! Really, it's no problem, I don't need to have any idea whatsoever what you're doing that for."

  9. I'm not really worried by sourcerror · · Score: 1

    When I want to be anonymous I switch to incognito mode in Chrome (ctrl+shift+n). This won't show my cookies, and doesn't save browsing history. As I don't use any plugin besides Flash in Chrome, this doesn't reveal too much about myself. I don't use any other fonts than what are installed in WinXP by default. (However, I don't see how a webserver can know what fonts are installed.)

    1. Re:I'm not really worried by $RANDOMLUSER · · Score: 4, Funny

      When I want to be anonymous I switch to incognito mode in <Google product>...

      Excellent plan.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    2. Re:I'm not really worried by TheLink · · Score: 2, Interesting

      Can anyone replicate this behaviour: when I clear all browser history on Google Chrome, Chrome makes a few http requests to Google just after that is done. What's that about?

      This was on Windows 7. I encountered this when I was capturing packets for some performance test so I had to keep clearing the browser cache for some tests.

    3. Re:I'm not really worried by darthflo · · Score: 1

      how can a webserver know what fonts are installed?

      JavaScript. Detects screen resolution and plugins, too.

    4. Re:I'm not really worried by Verteiron · · Score: 1

      And if you enable Flash, it will happily transmit all of your browser info (and, I believe, info about your computer's specifications) to any site that asks for it.

      And a webserver can figure out what fonts you have by using @font-face to offer you fonts. If your system downloads them, then the server knows you didn't have them.

      --
      End of lesson. You may press the button.
    5. Re:I'm not really worried by dave420 · · Score: 1

      It only seems to do that when you have configured it to send usage statistics back to Google. It must be for tracking, as the server sends nothing back (even going so far as sending a 204 instead of 200).

    6. Re:I'm not really worried by bmuon · · Score: 1

      However I don't see, how can a webserver know what fonts are installed

      A website can even know what sites you visited through sleazy css sniffing. Fortunately browsers are catching up... http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/

    7. Re:I'm not really worried by TheLink · · Score: 1

      Nope, I don't have that enabled. I do have the rest enabled (show suggestions, use suggestion service dns prefetching, phishing protection).

      Those connections are made when I click clear browsing data, not when I need suggestions...

    8. Re:I'm not really worried by TheLink · · Score: 1

      OK more details. It doesn't send HTTP requests again if you do the clearing more than once in a browser session.

      But if you close all browser windows and make sure that chrome is closed, then restart it, then clear, it will send an HTTP HEAD to Google and Google will set a cookie(s). It's not the same cookie each time.

  10. You can identify the OS just by the TCP connection by Viol8 · · Score: 2, Interesting

    Never mind the browser, you can tell (or used to be able to, this was a few years back) what OS someone is running - assuming they're not going through a proxy - by looking at the TCP sequence numbers the client sends. There was an article on /. about it and some post grads had written a whitepaper.

  11. Don't worry by mangu · · Score: 4, Informative

    All you have to do is change your fingerprint to "Googlebot/2.1 (+http://www.googlebot.com/bot.html)". OK, perhaps this needs updating, but you get the general idea.

    You'll be amazed at the information some sites will be willing to give you. Even paysites will let you in for free if they believe you are Google.

    1. Re:Don't worry by Arancaytar · · Score: 1

      According to TFA, your /fingerprint/ is way more than your /User Agent string/ - in particular, when you enable Javascript.

    2. Re:Don't worry by darthflo · · Score: 5, Informative

      That's just the User-Agent string. The actual fingerprint consists of that and a big bunch of other headers your browser sends out with each request. Language, preferred encoding, plugins; screen resolution, your installed fonts and so on. Changing your standard browser's user-agent to something like you quoted above is a surefire way to be even more unique.
      Check the panopticlick page for your details. Keep in mind their "bits of identifying information" only apply to a single header. A bit of work and identifying over all of these fields is easily done. Throw in a bit of extra work and users can be singled out even after they change one or two of 'em.
      Summing all the lines together, I can get some 70 bits of identifying info out of my (almost worst-case) setup: Ubuntu 9.10 running a snapshot of Opera 10.54 with a couple of extra fonts and a weird screen resolution. Cut away user-agent and plugins and we're still at some 35, more than IPv4 addresses out there.
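An added example (not code from the thread and not Panopticlick's own) of how "bits of identifying information" fall out of a population of visitors: each figure is the surprisal -log2(matches / N) for the visitor's value, computed per field, jointly over several fields, and again with the user-agent dropped, which also shows why a rare spoofed user-agent makes a visitor more distinctive rather than less. The 16-row sample, its field names and counts are constructed for the example and are not real measurements.

```javascript
// Constructed sample (not real Panopticlick data): [count, user-agent, screen, installed fonts].
// The counts are made up so the arithmetic stays readable; N = 16 visitors.
const SAMPLE = [
  [6, "Firefox/3.6 (Windows)", "1280x1024", "Arial,Times New Roman,Verdana"],
  [2, "Firefox/3.6 (Windows)", "1024x768",  "Arial,Times New Roman,Verdana"],
  [4, "MSIE 8.0 (Windows)",    "1280x1024", "Arial,Times New Roman,Verdana"],
  [2, "MSIE 8.0 (Windows)",    "1280x1024", "Arial,Times New Roman,Verdana,Calibri"],
  [1, "Opera 10.54 (Ubuntu)",  "1680x1050", "DejaVu Sans,Tengwar Annatar"],
  [1, "Googlebot/2.1",         "1280x1024", "Arial,Times New Roman,Verdana"],
];

// Field names are an assumption of this example; a real collector would have more.
const FIELDS = ["ua", "screen", "fonts"];

// Expand the counted rows into one record per visitor.
function expand(rows) {
  const out = [];
  for (const [count, ua, screen, fonts] of rows) {
    for (let i = 0; i < count; i++) out.push({ ua, screen, fonts });
  }
  return out;
}

// Size of the anonymity set: how many visitors match `subject` on every field
// in `fields`. The subject matches itself, so the result is always >= 1.
function anonymitySet(visitors, fields, subject) {
  return visitors.filter(v => fields.every(f => v[f] === subject[f])).length;
}

// Surprisal in bits, -log2(matches / N). Panopticlick's "one in X browsers
// have this value" is the same quantity written as log2(X); 0 bits means
// every visitor in the sample looks identical on those fields.
function surprisalBits(visitors, fields, subject) {
  return Math.log2(visitors.length / anonymitySet(visitors, fields, subject));
}

// Per-field bits added up, the "summing all the lines together" approach.
// Fields are correlated in practice, so this sum is not the joint figure.
function sumOfFieldBits(visitors, fields, subject) {
  return fields.reduce((acc, f) => acc + surprisalBits(visitors, [f], subject), 0);
}

// Fraction of visitors whose combination of `fields` is unique in the sample
// (the kind of number the study reports as a share of visitors identified).
function uniqueFraction(visitors, fields) {
  const unique = visitors.filter(v => anonymitySet(visitors, fields, v) === 1);
  return unique.length / visitors.length;
}

const VISITORS = expand(SAMPLE);
const COMMON = VISITORS.find(v => v.ua.startsWith("Firefox") && v.screen === "1280x1024");
const OPERA = VISITORS.find(v => v.ua.startsWith("Opera"));
const SPOOFED = VISITORS.find(v => v.ua.startsWith("Googlebot"));

function report(label, subject) {
  const joint = surprisalBits(VISITORS, FIELDS, subject).toFixed(2);
  const summed = sumOfFieldBits(VISITORS, FIELDS, subject).toFixed(2);
  const noUa = surprisalBits(VISITORS, ["screen", "fonts"], subject).toFixed(2);
  return `${label}: joint ${joint} bits (per-field sum ${summed}), without UA ${noUa} bits`;
}

console.log(report("common Firefox setup", COMMON));
console.log(report("Opera with odd fonts and resolution", OPERA));
console.log(report("common setup behind a spoofed Googlebot UA", SPOOFED));
console.log(`unique fingerprints in sample: ${(uniqueFraction(VISITORS, FIELDS) * 100).toFixed(1)}%`);
```

The spoofed visitor and the common Firefox visitor are indistinguishable once the user-agent is dropped, but with it the spoofed one is the only match in the sample.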

    3. Re:Don't worry by hyartep · · Score: 1

      it's not only about headers, but also about info available with javascript (such as screen size etc.)

    4. Re:Don't worry by coolsnowmen · · Score: 4, Funny

      Which is why I have a linux script that constantly changes the size of my browser window by a couple pixels.

    5. Re:Don't worry by hairyfeet · · Score: 2, Interesting

      Yeah and the funny thing is what ID'd me was NOT the fonts...it was the codecs. My fonts are pretty bog standard but I like Klie codec pack as it is an easy way to have video support for all formats set up quickly. According to the test page my codec list is only 1 in 904006 when it comes to codecs.

      Of course the nice thing is yet again Noscript comes to the rescue, as with Noscript on my highest ID # is 1 in 256, which is only because of using FF over IE. So yet again FF scores a win for me by having the indispensable Noscript. FF plug-ins FTW!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:Don't worry by Anonymous Coward · · Score: 0

      And don't forget that they get all that info on top of your IP address. This can be used to further refine identification or resolve collisions of the other identifiers. Most people will have a fairly stable IP for awhile, which makes for easy tracking. Even people on dynamic IPs will usually have an IP within a certain range (and it won't change that often). If you try to hide your IP using a proxy or TOR, that also provides a bit of identifying information (you become "the user with this agent-string, these plugins, and who uses this IP-block owned by this proxy service").

      Plus the fingerprints allow them to link "old IP" to "new IP" each time it changes, providing a continuous history for a given user. Basically, if you're keen you can uniquely track every visitor to your site.

      Really what we need is for browsers to send less information. For instance I think we can survive without screen resolution being broadcast (How many sites really adjust on that basis? We could probably get by with just a "Mobile Device? Y/N" flag.) The plugins also provide way too much information. I realize that a page may need to know whether a given plugin exists or not. But there's probably a way to trim it down just to the essential information, which would make the number of combinations smaller, and thus make browsers look more generic.

    7. Re:Don't worry by amicusNYCL · · Score: 1

      Firefox isn't the only browser where you can disable Javascript..

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    8. Re:Don't worry by Artifakt · · Score: 1

      Between some PCs having some really unusual codecs (such as the older Indeo codecs for some seriously pre DivX era .AVI files), and having some pretty rare fancy decorative fonts, this would create a situation where identification would really be about as distinctive as fingerprints or DNA. In court, a prosecutor could cite billions to one odds that it was any other PC than that particular one, and it would most likely be believed by a jury.

      However, it would probably be misleading. Most of the people keeping those seriously old codecs have odd video content that doesn't work without them, and a lot of the weird porn, bootleg content and such being distributed by back channels still uses them too. You'd get a situation where most people who went to site X, deliberately looking for its content, had a high probability of having those legacy codecs, but that wouldn't imply either of the inverses. (That people with those codecs had illegal content from site X that needed them wouldn't be generally true. And that people with those codecs got them or kept them because they had intent to get the illegal content wouldn't be generally true either).

      This could be like claiming the normal odds for DNA testing, when the actual group wasn't the general population, but a preselected subgroup (i.e. there's a claim PC 'A' was used to download bootleg copies of the vampire movie 'Twilight', and it has a cluster of very unusual fonts, which however, just happen to all be Vampire oriented, Gothic looking fonts. A huge portion of vampire fixated emo losers might have those fonts. It could even be that practically everyone who bootlegs 'Twilight' has those fonts, but that doesn't imply the reverse at all for whether they were torrenting 'Twilight'.).

      --
      Who is John Cabal?
    9. Re:Don't worry by tokul · · Score: 1

      Check the panopticlick page

      Their stats may be botched. One in 4.7 browsers don't support javascript. Come on. More than 20%. Do they count all bot visits?

    10. Re:Don't worry by base_chakra · · Score: 1
    11. Re:Don't worry by amn108 · · Score: 1

      Screen size, not window size.

    12. Re:Don't worry by coolsnowmen · · Score: 1

      Thanks, my script is now updated.

    13. Re:Don't worry by Anonymous Coward · · Score: 0

      Which thanks to the wonders of Ajax can be posted back to the bleeding server. And the thing is, if you omit all the needless extra headers, or lie to the scripts, that only makes you *more* identifiable, since you'll be pretty much the only one doing that. The only way this could change is if some major browser vendors stop sending this information in as much as this is possible, starting with the user agent. I knew that was a bad idea when I first read the spec and not just for privacy reasons.

    14. Re:Don't worry by DaleSwanson · · Score: 1

      They're just biased. Many people who go to a site like this are going to be using Noscript, and many are going to disable javascript to test the difference.

    15. Re:Don't worry by Anonymous Coward · · Score: 0

      Ah, but what if your browser randomly changes the User-Agent string and installed fonts. Each page view will be unique so no correlation can be done. Expect side effects...

    16. Re:Don't worry by amn108 · · Score: 1

      Fake!

    17. Re:Don't worry by coolsnowmen · · Score: 1

      Are you ok?

    18. Re:Don't worry by amn108 · · Score: 1

      Are you serious? :-)

    19. Re:Don't worry by stub667 · · Score: 1

      Are any browser developers looking at this seriously? Looking at panopticlick's output, I could happily do without any of that crap being sent to a site except my preferred language. The rest could just be standard boilerplate, with everything else being dealt with client side. I occasionally might get a video that can't be decoded or a font that is mapped weirdly, but that happens today anyway.

  12. A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 5, Interesting

    We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.

    He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.

    Shame his laptop has the same fairly unique MSIE-and-toolbars useragent string.

    1. Re:A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 1, Insightful

      Let's hope Grawp does not read this ;)

    2. Re:A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 0

      Too late... >:)

    3. Re:A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 0

      We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.

      He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.

      Ummm, maybe because his username is Grawp?

  13. Cookies by chipperdog · · Score: 3, Informative

    Cookies are at least an "honest" way to track. You can easily see them in your cookie jar (or whatever term is used by your browser), and you have at least some information about who wrote it. Cookies are not always bad - hidden images, browser/OS fingerprinting, and other 'hidden' means are much worse for privacy.

  14. Chrome Incognito Mode won't help by G'Quann · · Score: 1

    If you are talking about TFA, it won't help. Just tried visiting EFF's test site in normal mode and in incognito mode and both times got identified as the same user.

    --
    http://www.kreativrauschen.com
  15. Yeah... so? by SpicyBrownMustard · · Score: 1

    All this tuss-up over cookies and "browser fingerprints" ... has anyone ever pointed to any contemporary examples of where the anonymous alphanumeric string in a cookie and/or "browser fingerprint" (combination of header information of OS, browser version, IP, etc.) has resulted in any bad thing happening to good people?
    Anyone?
    Anyone?
    "What's your point Walter?"
    "Shut the -F- up Donnie!"

  16. BFD by rwa2 · · Score: 3, Informative

    Don't let the mass media scare you.

    Step 1: Install Wireshark
    Step 2: Leave Wireshark running and observe what kind of information people are gleaning from you over the network. It's educational!
    Step 3: There is no step 3.

    I don't see why people expect anonymity on the internet any more than they do driving around in their car with the license plate showing.
    I just pretend there's an FBI agent always watching over my shoulder. His name is Fred. I explain to him everything I'm doing.

    1. Re:BFD by unixan · · Score: 1

      Step 1: Install Wireshark

      Step 1.5: Install HttpFox (Firefox on any OS) or HttpWatch (IE or FF on Windows).

      For HTTP traffic, both will supplement WireShark by giving you a clear browser-level picture of what data your browser is sending and receiving.

      For HTTPS (or other SSL/TLS tunneled protocol spoken by your browser), it's also the practical way to get a cleartext version of the communication.

      --
      This signature intentionally left unblank.
    2. Re:BFD by Burz · · Score: 1

      I just pretend there's an FBI agent always watching over my shoulder. His name is Fred. I explain to him everything I'm doing.

      That sounds like living in a mental prison. Or hell.

  17. Unique font collection by Arancaytar · · Score: 1

    I tried the survey some months ago when they started it, and found that your most unique information usually is the list of installed fonts that Javascript can provide to pages.

    Not only is it usually unique, some of these fonts are specifically installed by some applications, which means that info about your work environment (e.g. MS Office / OpenOffice.org / etc.) leaks out.

    In my case, I had several old Tengwar fonts and one vectorized sample of my handwriting helpfully named "Arancaytar's Handwriting". I might as well add my name to my user agent string. :P

    1. Re:Unique font collection by Anonymous Coward · · Score: 0

      Yes, this and the plugins as well.
      Both of those 2 make my computer unique.

      If anything, it just provides an interesting way to block users on websites.
      Scan all this information on login, if said user gets banned and their browser fingerprint is unique, ban them through this method as well. (along with cookies, supercookies and flash cache if required)
      This will get round even the smarter of the users who tend to get around bans simply by resetting their connections and clearing cookies.

  18. Re:You can identify the OS just by the TCP connect by TheRaven64 · · Score: 1

    Yup, the OpenBSD TCP/IP stack lets you do this; pf can filter based on the OS of the originating packets. Unless you run Haiku or ReactOS, however, this is not really uniquely identifiable information.

    --
    I am TheRaven on Soylent News
  19. And? by flintmecha · · Score: 2, Insightful

    data on the type of browser, operating system, plugins, and even fonts installed

    Should I be worried about websites knowing these things?

    1. Re:And? by Anonymous Coward · · Score: 0

      data on the type of browser, operating system, plugins, and even fonts installed

      Should I be worried about websites knowing these things?

      Obviously. If you're not paranoid enough and someone can actually identify you, that allows the eeeeevil scaaaary sp00ks in the gummint and corporations to Evil(tm) your soul out, right through your very nose!!! See? Scaaaaaaaaary! OoooooOoooOOOo!

      So take our advice and go hide under a rock (but not OUR rocks; they might find us then!) and live in complete anonymity for the rest of your life! Then maybe you'll achieve the one true, real bliss that you can only get from being a completely unknown person and you can die content in knowing that nobody ever knew or cared about you, because you're not a SHEEP like all the other SHEEPLE (see what i did there isnt that clever)!

      Or you could, like you suggest, just get over it and realize people know a lot more about you than their l33t off-the-grid counterculture wants to believe and maybe live a life that doesn't involve wasting way too much of your time hiding in fear. You do know those silly tinfoil hats haven't stopped our mind-beams since the early 70s, right?

      I mean, their mind-beams. The ones that they have that I did not take part in developing. The ones that they don't have. That don't exist. That I never said anything about. Now, just look over here for a second...

  20. Plug-in to randomise all but the essentials? by ciaran_o_riordan · · Score: 1

    Randomising most of HTTP_ACCEPT and User agent would totally fix this problem, right? Or at least, it should for those of us with javascript turned off by default (using noscript makes this pretty convenient).

    A handful of things should stay the same, such as browser name, the major version number of the browser, and your main language preferences, but I guess the rest could change per-site by selecting random values from lists of valid values.

    Anyone know of a plugin (for any browser) that does this?

    1. Re:Plug-in to randomise all but the essentials? by dave420 · · Score: 1

      Paranoid much? If you are that far gone, you might as well simply unplug your computer and spend all your savings on tin foil.

    2. Re:Plug-in to randomise all but the essentials? by pclminion · · Score: 1

      That's only useful if a whole lot of people use it. Otherwise, you have a very clear fingerprint: you're "That guy with that weird randomizer plugin."

  21. It's not really that uniquely identifying... by damn_registrars · · Score: 1

    Watching my apache logs, I see lots of very similar "fingerprints" like they refer to. However, a lot of it leads to dead ends. For example, I see a lot of users who connect through RoadRunner, running Windows Vista, using Firefox 3. That doesn't really tell me much. Sure I can attempt to locate where they are geographically by their IP address, but that isn't all that useful either if I really want to say "that was John Smith". After all, even if I know that two visits on different days were the same originating IP, same OS and same browser, I can't really say for sure that it was the same person.

    Now of course, if the distribution of operating systems (and browsers) on PCs was more even it would be easier to be more confident about identifying return visitors. But as it is there are a lot of PCs out there that aren't upgrading their OS for any of a number of reasons.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:It's not really that uniquely identifying... by omnichad · · Score: 1

      The article describes data that isn't gathered in Apache's logs. Things that can only be found through CSS, Javascript or Flash tricks. Screen resolution, Flash Version, installed fonts, visited web sites (in certain versions of Firefox, at least).

  22. COOKIES by Anonymous Coward · · Score: 0

    http://www.youtube.com/watch?v=0VlnFI7J-Tk&feature=PlayList&p=1B134515F6E5C749&playnext_from=PL&index=0&playnext=1

  23. Some proxies seem to work by Adrian+Lopez · · Score: 1

    The EFF site identifies my computer uniquely if I access it directly, but when I access it through proxify.com all the information it gathers has no relation to the information it gathers when I access it directly. The user agent and HTTP_ACCEPT headers are both spoofed, and since Javascript is disabled it cannot obtain any info about plugins, time zones, screen size, system fonts or supercookies. I suspect all who access the website through Proxify will look like the same user unless they happen to enable Javascript.

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  24. EFF by Anonymous Coward · · Score: 0

    Eff that.

  25. Public Place? by Cytlid · · Score: 1

    I'm all for privacy, don't get me wrong. But is the Internet a public place? I mean, if I go out to lunch somewhere with my wife or a friend, anyone can take pictures of me. People can see what I'm wearing. They can overhear my conversations, and maybe glean my name or address from them. They can look at my car and my license plate. A whole slew of valuable personal information about me can be gathered from something as simple as a lunch date. Someone can follow me. Anything can happen, really. Is being on the internet any different? Just because it happens while you're at home, behind a computer, you're accessing the public world from the privacy of your own home. Is there something in the human brain that wants to pretend they're in a private space when they're not? (Think people in their cars). Just because it's virtual and not tangible, doesn't mean it isn't public. Your "address" on the internet is a public space, even if you don't like it. Just like the address of your house is public. My point is this. Your picture of your aunt Sue in your "Pictures" directory on your computer is private information. Chances are no one has that same image in that same spot, named exactly the same thing. Your IP address, what browser you use or sites you've visited is not private information. It's generic information. Some person uses Firefox. And Ubuntu. And they went to XYZ.com and their ISP is ABC corp. I'm glad the EFF is a watchdog group keeping an eye on these things. But sometimes I'm just a normal guy doing normal things and if I told you everything I did and where I went, you'd be bored to tears.

    --
    FLR
    1. Re:Public Place? by Crispy+Critters · · Score: 2, Insightful

      Is being on the internet any different?

      Actually, yes it is different. The first difference is cost. It is expensive to follow people around and record everything they are saying. I don't worry that someone is going to spend a half a million dollars to follow me around for the next year; it's not impossible, but it's about as likely that I will be struck by a meteor. The second is storage of information. If someone decides today to find out exactly what you said at lunch last week, they can't, because that information is gone, no matter how many people could overhear you. Cheap aggregation and eternal storage of public information lead to a loss of privacy.

    2. Re:Public Place? by geekoid · · Score: 1

      well, when browsing is the same as going to dinner, you may have a point. It's not.

      The internet is different for several reasons.
      1) All your conversations can be searched at once, and at any time.

      2) At any time your movements can be determined.

      Both those require a substantial resource to do in meat space, and very little in cyber space.

      Sure some can follow you, but is that right?

      Practicality also defines privacy.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Public Place? by Anonymous Coward · · Score: 0

      Shame on you for protecting the creepy Feds.

      Get a clue.. we ALL expect privacy.. as we SHOULD!

      The problem is, the Feds want ALL the privacy to themselves, and not allow ANYONE else to.

      The problem is, the Feds only protect themselves, the system, and the other assorted, real 'bad guys'.

      I nor anyone else, mostly, has ANYTHING to hide..

      ALL THE MORE REASON FOR THE GOVERNMENT TO NOT WANT TO SEE EVERYTHING WE DO, SAY AND THINK!!

      However the reason they want to 'watch' EVERYONE, even though we have NOTHING to hide.. is because they KNOW-- EVERYONE, is sick and tired of their crimes against humanity... and they sense how we are ready to SNAP on the creeps.

  26. User agent switcher by petes_PoV · · Score: 2, Interesting

    This is a firefox add-on which might go some way to at least confusing, if not entirely obfuscating, your browser identity

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:User agent switcher by drachenstern · · Score: 1

      And it's not like it wouldn't be possible to write extensions that could fubar the scan even more. Just force the system to return unreliable/inconsistent results to that particular API.

      I can't think of many websites that need that information from the browser anyways, but it's in the spec for a reason. The question is, do users care?

      --
      2^3 * 31 * 647
    2. Re:User agent switcher by DigitAl56K · · Score: 1

      Maybe.

      But there is also a very significant risk that unless you understand the problem well you will make yourself more uniquely identifiable. What if you fake the version of the browser you are running but it turns out that you miss faking certain extensions that shipped with that browser, or you fake some extensions in the agent string that weren't compatible with that browser, or you fake an OS version that browser didn't work with, or you fake a browser version that was short-lived due to an auto-update and you are the only one still running it, or something else the javascript can query wouldn't normally occur in the browser version you faked?

      There's a long list of ways you could potentially put yourself into the very situation you think you're avoiding.

    3. Re:User agent switcher by Bakkster · · Score: 1

      On the other hand, as long as everyone who uses this kind of spoofing broadcasts exactly the same way those people will all still be less identifiable. You will be able to track the group as a whole, perhaps, but not any particular individual. The trickiest bit would be covering all the bases, including installed fonts.

      In other words, it doesn't matter if you broadcast IE9.8 running on Windows ME with the Tickle Me Elmo extension installed, as long as 1 million other people broadcast identical configurations. Sure, one person wearing a Guy Fawkes mask would be identifiable, but not in an entire crowd if everyone is wearing the same mask.

      --
      Write your representatives! Repeal the 2nd Law of Thermodynamics!
  27. OMG! by KiwiCanuck · · Score: 1

    People know what font I'm using. Holy carp! Stop the presses, this is the greatest injustice in the history of the multiverse! Yep, I am defined by my browser font.

  28. Fonts leak a lot of information by billstewart · · Score: 1

    Even without the Javascript leakage, fonts leak a lot of information. My browser showed up as unique (until I tried connecting with both Mozilla and IE, and with NoScript on and off under Mozilla), because I was the only person with the couple of fonts used by my company for their logo and branding. And even without that, if you downloaded that cool Elvish font, and that fairly clean monospaced console font, that probably makes you unique.

    Browsing would be a lot more private if you could choose which fonts you actually want the browser to export, as opposed to having Mozilla automatically export everything your machine has. In general, I've got no interest in having all those decorative things show up in my browser; I'd prefer to have just a couple of fonts advertised.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Fonts leak a lot of information by quickOnTheUptake · · Score: 1

      Isn't there a really simple way to change the fingerprint?
      Why not make a script that just periodically installs some bogus fonts (to avoid having these fonts weeded out automatically, we could create a list of real but unusual fonts that practically never get used in webpages).
      Then the fingerprint will contain more bits, but it won't matter because it changes regularly. If we wanted to really go all out we could do something similar with plugins.
      Although I suspect browsers only load system fonts and plugins at startup, so you would retain a fingerprint until you restarted the browser.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    2. Re:Fonts leak a lot of information by moonbender · · Score: 2, Interesting

      I agree. In fact, I don't want my browser to send out any kind of information on the fonts I've got installed. It's not a feature sites tend to use, so you might as well disable it. Any way to do that with Firefox?

      --
      Switch back to Slashdot's D1 system.
    3. Re:Fonts leak a lot of information by drachenstern · · Score: 1

      That's actually a pretty good idea. While I know FX lets you choose which fonts are the "defaults" for the various families of fonts, it doesn't allow you to restrict exporting to that selection. Curious what the effect is of disabling that particular checkbox. Reckon FX needs a second checkbox on there for "Don't advertise any other fonts"?

      --
      2^3 * 31 * 647
    4. Re:Fonts leak a lot of information by amn108 · · Score: 1

      I would say we are currently at the infancy of fingerprinting. It is a really powerful concept in my opinion, but what it lacks is some help from the field of statistics. What I am getting at is this: imagine you have a script that randomly shuffles and/or adds bogus font references. Today's fingerprinting is more than fragile enough to take you as a completely different client, indeed.

      Tomorrow however, they will start stat'ing graphs where they will identify the periods/wavelets based on the bogus data you spew out, and they will make a pattern out of it. That pattern will add to your unique fingerprint, and you are at the start tile again. Think about it. Of course, a bit science-fiction, but who thought someone would actually go as far as fingerprinting anyway? :-)

    5. Re:Fonts leak a lot of information by amn108 · · Score: 1

      Appreciate practical thinking, but it is also very small-minded of you. It won't get you very far in any direction. There will be other query objects than fonts. What do you propose for them? A "Don't advertise this?" checkbox for each and every bit of an API?

      Fingerprinting efficiency is supported by the very same factor that improves usability of computers. In my opinion, even with your understandable good motivation, the results will not be something the users will like. A lot of applications will break because someone decided to clear the "Don't advertise my fonts" FOR the user, because they themselves are paranoid. Fair enough, but like always, your users will not even hate you for it, they will switch to an alternative. Unless you go fascist and deny them that too.

    6. Re:Fonts leak a lot of information by shutdown+-p+now · · Score: 1

      I think it might be possible to obtain that information indirectly, with slightly less precision at worst. For example, you could start with a list of known fonts (that you want to check for), create an autosizing DIV with zero margins and padding, and set its content to a certain text string. Then, measure its (automatically computed) pixel size from JavaScript. This would vary depending on the font, and also on the font rendering technology (which indirectly betrays the OS). I bet that, using enough characters with various stems, strings can be produced that would identify renderer+font accurately enough to use with this fingerprinting technique.
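      The measurement approach described in this comment, as an added example that is not code from the thread: the detection logic takes an injected measuring function so it can be exercised outside a browser, `domMeasure` is the in-page version, and the candidate font names and the pixel metrics in `makeFakeMeasure` are constructed for illustration.

```javascript
// Added example, not code from the thread: indirect font detection by measuring rendered
// text, as described in the comment above. The detection logic takes an injected
// `measure` function so it can run outside a browser; `domMeasure` is the in-page version.

// Constructed candidate list. Names are illustrative, not a real fingerprinting corpus.
const CANDIDATE_FONTS = ["Arial", "Verdana", "Courier New", "Tengwar Annatar", "Consolas"];

// Wide and narrow glyphs mixed, so a substituted face changes the measured width.
const TEST_STRING = "mmmmmmmmmmlli";

// Generic families the browser resolves to some installed default. A candidate is
// compared against each; if it ever renders differently, it is not being substituted.
const BASE_FAMILIES = ["monospace", "sans-serif", "serif"];

// In-page measurer: an absolutely positioned span with no margins/padding is sized by
// its content, so offsetWidth/offsetHeight reflect the face actually used to render.
// (Assumes a DOM; not used by the offline demo below.)
function domMeasure(fontFamily) {
  const span = document.createElement("span");
  span.style.cssText =
    "position:absolute;left:-9999px;top:0;margin:0;padding:0;font-size:72px;white-space:nowrap";
  span.style.fontFamily = fontFamily;
  span.textContent = TEST_STRING;
  document.body.appendChild(span);
  const size = { w: span.offsetWidth, h: span.offsetHeight };
  document.body.removeChild(span);
  return size;
}

// Core check: measure each generic family alone (baseline), then "candidate, family".
// If the candidate is missing, CSS falls back to the family and the size is unchanged.
function detectFonts(candidates, measure) {
  const baseline = {};
  for (const fam of BASE_FAMILIES) baseline[fam] = measure(fam);
  const detected = [];
  for (const font of candidates) {
    const present = BASE_FAMILIES.some((fam) => {
      const m = measure(`"${font}", ${fam}`);
      return m.w !== baseline[fam].w || m.h !== baseline[fam].h;
    });
    if (present) detected.push(font);
  }
  return detected;
}

// Constructed stand-in for the renderer so the logic can be exercised without a DOM.
// The pixel metrics are made up; only the "different face => different size" property
// matters. `installed` is the set of candidate names this fake machine has.
function makeFakeMeasure(installed) {
  const metrics = {
    monospace: { w: 562, h: 82 },
    "sans-serif": { w: 840, h: 84 },
    serif: { w: 810, h: 83 },
    Arial: { w: 835, h: 84 },
    Consolas: { w: 560, h: 80 },
    "Tengwar Annatar": { w: 700, h: 90 },
  };
  return (fontFamily) => {
    const names = fontFamily.split(",").map((s) => s.trim().replace(/"/g, ""));
    const first = names[0];
    const fallback = names[names.length - 1];
    // Installed candidate: render with its own metrics; otherwise the fallback's.
    return installed.has(first) && metrics[first] ? metrics[first] : metrics[fallback];
  };
}

// Offline demo of what a page could learn from such a machine.
const demoMeasure = makeFakeMeasure(new Set(["Arial", "Tengwar Annatar"]));
console.log(detectFonts(CANDIDATE_FONTS, demoMeasure)); // ["Arial", "Tengwar Annatar"]
```

      A candidate whose metrics happen to coincide with the fallback face is missed, and a name the system aliases to some other installed face is reported as present; comparing against several generic families and a longer test string narrows both errors.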

    7. Re:Fonts leak a lot of information by quickOnTheUptake · · Score: 1

      I don't understand how they could make a pattern out of it if it is random. Sure, if each client followed the same cycle of font-substitutions on some known, fixed schedule then they could figure it out.
      Or if they managed to finesse the method so they could say, "well we have this sub-combination which seems likely to be unique (say, linux, with Opera v.10, swfdec, and Apple Garamond light) so we are going to ignore these fonts that don't match as noise."
      But that is going to have a higher error rate (because there is noise, and it's noise in some of the most informative/identifiable data they have), and it's going to have to be fairly advanced tech.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    8. Re:Fonts leak a lot of information by moonbender · · Score: 1

      Nice, and of course somebody did something very similar already: http://www.lalit.org/lab/javascript-css-font-detect Doesn't seem to work in Firefox/Ubuntu 10.10, though, it says true for fonts I don't have. Works in Chrome.

      That said, even when it works reliably, you'd still need to enumerate all fonts you want to test. Since the font fingerprint relies on obscure fonts for accuracy, that'll be a pretty long list. It's probably doable, though.

      --
      Switch back to Slashdot's D1 system.
    9. Re:Fonts leak a lot of information by drachenstern · · Score: 1

      I wasn't trying for small minded but focused direction.

      I agree that there are other query objects, such as plugins, but the grouping of plugins tends to be a little more aggregated than the query of plugins and the query of fonts grouped.

      After sleeping on it, I'm still ambivalent one way or the other to disabling font querying, and would likely never turn it off in my browser, but the option for others may have a need to exist.

      Just like I would personally be against disabling querying of plugins, because ya know, sometimes it's good that a page can tell me if I need a particular plugin.

      But thanks for the thoughts. Really my point was the first line.

      --
      2^3 * 31 * 647
  29. Another Perspective: Use the data for security... by Anonymous Coward · · Score: 0

    It would take more than just cookie hijacking to break a session then.

  30. Not that great an identification by aepervius · · Score: 1

    It says 1 browser out of 4.72 for each criteria (except one) have the same ID as me. Even assuming *ALL* criteria are actually really unique, with the user agent string being common to 1 out of 36, that comes out at about 1 out of 150.000. Naturally, since the other data aren't really unique, it comes out at less. So..... I am not worried.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Not that great an identification by jittles · · Score: 2, Informative

      Try allowing Noscript on that site? I was listed as 1 in 4 too until I enabled scripting on that website and ran the test again. Then I came out to be 1 in 1,000,000. I'd say that's more unique than I'd like to be.

      Test yourself here if you haven't already.

    2. Re:Not that great an identification by Rick17JJ · · Score: 1, Offtopic

      Because I use Ubuntu 9.10, my computer setup is still fairly unusual even when using NoScript. Despite using the NoScript plug-in for Firefox, the test showed that only one in 21,800 browsers has the same fingerprint as my computer. Among other things, it said that I am using Ubuntu 9.10 on a 64-bit computer with Firefox 3.5.9. In five categories of information from the test, it said "no javascript," because the test could not obtain any information about things like browser plug-in details, time zone, screen size and color depth, or system fonts.

      My being one in 21,800 is still better than the average computer which is one in 286,777, but it sounds like my computer is still somewhat easily recognizable.

      Every few days I turn off my DSL modem, which causes my IP address to change. But, even if I were to have the cookies cleared out more often, or disable using them, my computer would still be fairly recognizable. When I get around to upgrading to the latest Ubuntu 10.4 version, perhaps my computer will be slightly less unusual, but even then it would still be an uncommon setup.

    3. Re:Not that great an identification by isorox · · Score: 1

      Test yourself here if you haven't already.

      I have. With the same browser, on the same machine, several times over the last few weeks. Each time I've come up "unique", which suggests to me something is fishy.

  31. RSA Passmark MFA uses Fingerprinting by Jainith · · Score: 1

    The RSA/Passmark system used by many banks for "Multi-Factor Authentication" (it really isn't) uses fingerprinting as one of the many factors.

    I used to have to do support for an installation of this system provided by ITI (a banking industry software provider, now owned by FISERV).

    Anyway, part of the MFA process checks the fingerprint to see if it is one of the ones saved in a user's profile... if it is not, then they get asked for the extra security question.

    We sometimes had odd issues with the detection when the customer had an old version of flash (5-ish), or was using an odd platform (Apple).

  32. WHERE IS FIREFOX PLUGIN FIX? by Anonymous Coward · · Score: 0

    DAMMIT? Don't say TORBUTTON

    1. Re:WHERE IS FIREFOX PLUGIN FIX? by izomiac · · Score: 1

      I looked for one, and found some tools to modify headers, but nothing comprehensive enough overall. IMHO, what we need is something that'll strip the headers to the bare minimum. You can do that with a proxy server (e.g. Privoxy) easily enough, but you'd still be transmitting a unique header. What we need is for a popular Firefox add-on to do this for a large number of people.

      It'd be even better if the major browser makers decided to stop catering to poorly designed websites, and do this automatically. Don't send the referrer, nor the user agent, or even a list of plugins. Just send the minimum the HTTP/1.1 (maybe 1.2) specification allows. While they're at it, the similar Javascript methods could also be trimmed. After all, there's little reason for knowing the exact user agent, just test for the methods you need, and don't design websites down to the pixel. It'd be a boon for smaller browsers, mobile browsers, and people who adjust DPI or accessibility options.

  33. Turn javascript off as well as hiding user-agent? by DNX+Blandy · · Score: 1

    OK, so I turn javascript off, turn cookies off and hide my user-agent, try and get all my browser details then.

  34. Well, it depends... by sean.peters · · Score: 2, Insightful

    ... nobody particularly cares if website operators find out what fonts and plugins you use. You might, however, care if website operators can look at those things and be able to say "hey, it's flintmecha again". Some people (I'm one of them) don't necessarily want every company on the internet building dossiers on their online behavior. But some people might be happy to let such companies do so - it's not like there are no advantages. When a website knows who you are, it can personalize your experience with the site. I personally am happy to see a generic site and not feel like I'm being snooped on. YMMV.

    1. Re:Well, it depends... by flintmecha · · Score: 0

      Well if we just count operating systems and browser useragents, there's actually a very small amount of combinations possible - at least, compared to the amount of people on the Internet. Next, factor in fonts installed. I'm willing to bet 80% of people on the Internet don't have any non-stock fonts, which will be determined by the operating system. That's 80% of people in each OS combination with identical fonts. Browser plugins are really the biggest factor in determining uniqueness but I'm going to make the (IMO valid) assumption that most web surfers have little or no plugins installed - even Firefox users. And then you have the large groups of people with common plugin combinations, like AdBlock Plus, NoScript, and the .NET assistant. Even if we are now into the hundreds of thousands of potential combinations, that is still very small compared to the hundreds of millions of people surfing the web, using Google, checking their e-mail, and so on.

      My point is the metrics mentioned offer something hardly unique at all. More likely, this information would be used for tracking statistics and trends. I see no realistic way this information could be used as a "fingerprint" of individual people.

  35. Not true, right? by sean.peters · · Score: 1

    I thought the point of the NoScript part of the prescription was that it blocked the site from retrieving your plug-in list (because surely that's done via script).

    1. Re:Not true, right? by pclminion · · Score: 1

      They don't figure it out by looking at your plugin list, they figure it out because your fingerprint is essentially random (in other words, "highly unlikely") looking.

    2. Re:Not true, right? by ciaran_o_riordan · · Score: 1

      Not really. Random doesn't have to mean oiyusg7no45c8wo9nq23r9.

      In this case, I meant that for each site you visit, the plugin would identify your browser as firefox 3.4.2, or 3.2.1, or 3.5.9, etc. etc. and the build date as blah blah blah.

      All perfectly credible, and still sufficiently random to stop your browser having a fingerprint.

  36. Even more reason for using noscript by DeadboltX · · Score: 1

    Using Panopticlick as a measurement tool, my computer went from being identifiably unique as 1 in 900,000 all the way down to 1 in 13,000 simply by enabling noscript. The most telling feature with noscript on was my User Agent string, Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729), which if I was paranoid enough I could modify to something much more common, like Internet Explorer.

    1. Re:Even more reason for using noscript by ducomputergeek · · Score: 1

      Your browser fingerprint appears to be unique among the 919,012 tested so far.

      It's not 1 in 900k, it's the fact that it's the only one like it in 900k tests meaning that if I went to various sites they could figure out I am the same person time and time again.

      As far as that goes, we now can tell which customer is on our website and when they are about to make an online purchase.

      --
      "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  37. This is what is known as willful ignorance by sean.peters · · Score: 2, Insightful

    Of course, no one cares what fonts you have installed. The issue, which would be clear if you so much as RTFS, is that this information can uniquely identify you. Still not the greatest injustice since they got rid of red M&Ms, but honestly. You're either deliberately ignoring the central point of the posting, or you didn't bother to read it. I know, I must be new here.

  38. And Noscript... by deesine · · Score: 1

    doesn't just disable Javascript.

    --
    damaged by dogma
    1. Re:And Noscript... by amicusNYCL · · Score: 1

      In the context of this discussion, that's all it's being used for. The EFF says that disabling Javascript is one way to mitigate this type of tracking (another recommendation, BTW, is to use a "non-rare" browser, such as IE). One can disable Javascript in Firefox without using Noscript; Noscript is not required to defend against this. In Opera, for example, my results are noticeably smaller when I disable Javascript, and information about my installed plugins and fonts is missing from the test.

      People like the OP use the term "enable Noscript" as a substitute for "disable Javascript", and then go on to praise Noscript for its Javascript-disabling qualities ("Noscript comes to the rescue"). In the interest of education, that's misleading: defending against this type of tracking has nothing to do with using Noscript, it's about disabling Javascript. A browser plugin is not required to disable Javascript.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  39. Background by Anonymous Coward · · Score: 0
  40. People use Noscript... by deesine · · Score: 2, Insightful

    because of its whitelisting feature. Otherwise they would use their browser's built-in ability to turn off Javascript. What percentage of people use a browser that doesn't enable the user to turn off Javascript?

    --
    damaged by dogma
    1. Re:People use Noscript... by amicusNYCL · · Score: 1

      What percentage of people use a browser that doesn't enable the user to turn off Javascript?

      Probably very low, and that's my point. You don't need Noscript to be protected against things like this. You only need to understand what Javascript is. It's disingenuous to say that Noscript is the way to protect against this, because it implies that you are only protected if you're using Firefox. I can whitelist sites in Opera, and that works just fine.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  41. Duplicate by PatPending · · Score: 1
    --
    What one fool can do, another can. (Ancient Simian Proverb)
  42. Think about the perverts by Anonymous Coward · · Score: 1, Insightful

    I run chatroulette.com and am forced to kick out perverts with their dick in their hands on an hourly basis, at a rate of about 20 a day on average. You can imagine where this leaves me in this particular debate.

    Currently, we block IP addresses, but then a lot of innocent people complain, as they get a [blocked] reused IP address from their ISP, or simply sit behind some form of a router that another blocked schmo is connected to so the IP address is shared between N users of which M < B are blocked (usually M = 1) and spoil the fun for the rest.

    I wish there was some way people actually COULD be identified with some 99% reliability on the Internet. You have no idea how many perverts out there pray to gods that they cannot ever be reliably blocked, because obviously the privacy hammer swings both ways. You'd think they are stupid, but some of them manage to even evade IP filtering by somehow shuffling their IP address, to a degree where they reappear on the service within SECONDS.

    I don't think it has much to do with your privacy. If you want privacy - don't show yourself to adolescents on video when jacking off. I always fucking hated pedophiles, but even more these days.

    Site statistics also tell me that a substantial number of visitors come through anonymity provider services. They don't get it though - the way the application is designed, it is not possible to filter it through an anonymity service and get it to work after that.

  43. Nobody is saying that Firefox... by deesine · · Score: 1

    is the only way to protect against this, or that Noscript is the only way to protect against this. Hairyfeet described Noscript as indispensable for use with Firefox. You obviously took that as a chaff against non-firefox and non-noscript users.

    --
    damaged by dogma
    1. Re:Nobody is saying that Firefox... by amicusNYCL · · Score: 1

      Nobody is saying that Firefox... (Score:2)
      by deesine (722173)
      on Tuesday May 18, @12:24PM (#32256680)

      is the only way to protect against this, or that Noscript is the only way to protect against this.

      This is what was said:

      Of course the nice thing is yet again Noscript comes to the rescue, as with Noscript on my highest ID # is 1 in 256, which is only because of using FF over IE. So yet again FF scores a win for me by having the indispensable Noscript. FF plug-ins FTW!

      The emphasized part is clearly false. It has nothing to do with browser choice. In fact, one could even argue that IE with Javascript disabled is the single most non-personally-identifiable setup.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  44. I see. by deesine · · Score: 1

    Your nitpick then wasn't just about Noscript and disabling Javascript. We get it: you don't use or like Firefox.

    --
    damaged by dogma
    1. Re:I see. by amicusNYCL · · Score: 1

      That's not true, I'll use Firefox until someone else duplicates the functionality of Firebug. I just don't see the browser as some sort of panacea.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  45. Re:GOD DAMN ENUF WITH THE DUPS ALREADY ! by Anonymous Coward · · Score: 0

    No kidding. Five Years Ago just called, they want their "YOUR TAGS ARE A FINGERPRINT" story back.

  46. Hey ! I knew I wasn't mad ! by LaRainette · · Score: 1

    I talked about this on a facebook related article I think.
    I had hunted down my cookies and such, and since I am behind a proxy + a router and then 9 different ADSL Boxes with 9 different IPs (which is really annoying for rapidshare, who constantly yells at me for sharing my account BTW)
    Anyway, since rapidshare couldn't figure out I was only one person, I was pretty upset Facebook and Google could track me down anywhere I go... like NewEgg for instance, who has been literally stalking me over gmail and facebook to convince me to buy this stupid HTPC case I'm not going to anyway.
    But now I know the culprit ! Damn you Firefox !

  47. If all you're worried about is fingerprinting by Burz · · Score: 1

    ...you could use a combination of NoScript and Privoxy. The latter should keep your headers nice and generic. You can even install TorButton (tell it you're connecting through Privoxy but don't config Privoxy to use Tor) and that will take care of things like screen size.

    Then again, you probably have a home IP address and that can be pretty unique (ISPs like Comcast change residential IPs pretty rarely) and of course that's what Tor itself is for, anonymizing your traffic including IP address. I2P (which is intended to communicate with other I2P users) can do the same thing as Tor more quickly, but the outproxy is only considered a gift to users so a large demand for outproxy to the regular web would result in slowness, or a shutdown of the proxy site, or people having to manually erect more outproxy sites.