Slashdot Mirror


EFF Says Forget Cookies, Your Browser Has Fingerprints

alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."

37 of 175 comments

  1. Take some measures... by IYagami · · Score: 5, Informative

    From TFA:

    "There are some effective countermeasures, however. A uniquely identifiable IDG News Service Windows XP computer running Firefox could not be identified with the NoScript safe browsing extension turned on. Adding the Tor Internet anonymization software also works, Eckersley said."

  2. Original ./ article by Mouldy · · Score: 5, Informative
  3. Personally Identifiable Information by Coreigh · · Score: 5, Interesting

    I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do, it's do they know, specifically, who I am.

    I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

    --
    "Waitress I need two more boat-drinks..."
    1. Re:Personally Identifiable Information by somersault · · Score: 5, Funny

      In other words, it's not that they know what I do, it's do they know, specifically, who I am

      Bruce Wayne: It's not who I am underneath, but what I do that defines me.

      --
      which is totally what she said
    2. Re:Personally Identifiable Information by Monkeedude1212 · · Score: 3, Insightful

      That's where things get difficult, though, right? For the sake of argument, let's say that Microsoft decided to embed a Unique User ID into everyone's Internet Explorer, so that anytime you browse the net your ID gets stamped everywhere you go. Makes it easier for adspace to trend towards your interests, right? But then you're also checking your Facebook, your email, your bank account, logging into Slashdot, and so on and so forth.

      Eventually, one of these services slips, like Facebook has, and your Identifiable Information gets out in the open. When I google my name, I see my Facebook Profile, my name comes up under my mother's friends list on Facebook, a handful of .NET Debugging forums. Even foreign versions of Facebook: in my classes we had people from the Middle East, Japan, Hong Kong, and other regions of the world, and on every other Google page I see "Facebook: (Chinese Characters) (My Name)". Makes me a little paranoid I'm being creeped on by someone I don't know.

      Regardless - my point is that any effort they make to track just your preferences will always lead back to some site that slips up and makes your identifiable information easier to find, should you put it anywhere online. The way things currently are, you are pretty much safe if you do your best to keep your anonymity online; that is probably the best it's ever going to get.

    3. Re:Personally Identifiable Information by fuzzyfuzzyfungus · · Score: 4, Informative

      The trouble is, you only need to fuck up once (or, perhaps more realistically, a few times, to let the algorithms bump their confidence in the ID high enough) for that information to become personally identifiable. And, once gathered, a body of "non-personally identifiable" information can persist for a time limited only by the plummeting costs of storage and can, at any future time, be linked with enough new data to make it personally identifiable.

      Some percentage, varying by person (and by whether or not your ISP is selling you out to anybody like Phorm), of site visits are personally identifying with a fairly high degree of confidence. For a substantial number of people, that's probably just Facebook. In other cases, patterns of activity across a few websites make inferring your identity with fairly high confidence reasonably plausible. Because things like 3rd-party ad networks and whatever "I can't believe it's not Beacon" tech Facebook is using today have cross-site reach, often remarkably broad, it is by no means unrealistic to expect that, over time, at least one of your personally identifiable visits or visit clusters will overlap with the reach of one or more ad networks with extensive "non-personally identifiable" knowledge of what your browser fingerprint has been up to. At that point, the previously "non-personally identifiable" is suddenly personally identified.

      Most people aren't even paying attention. Even the ones that are, are likely imperfect in their execution, and keeping up with the scope and sophistication of what a competent data-miner could infer would practically be a full-time job. Unless you are a truly bland person, you can probably be identified with fair confidence on surprisingly little data. Worse, as TFA notes, a lot of the common "privacy" measures and extensions and so forth actually make your browser substantially more unusual than it would otherwise be.

    4. Re:Personally Identifiable Information by tpstigers · · Score: 2, Insightful

      I use credit and debit cards to purchase items in stores all the time. There's nothing even remotely anonymous or private about the process. Why do we all expect it to be otherwise online?

    5. Re:Personally Identifiable Information by tlhIngan · · Score: 2, Interesting

      I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do, it's do they know, specifically, who I am.

      I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

      As seen time and time again, the answer is yes. That fingerprint you have - did you go shopping with it? Boom, you've just linked your fingerprint to a name, address, phone number, and partial credit card. Or visit Facebook? Or other social networking site?

      Remember that Netflix contest? A simple match of that data with IMDB reveals all. And people constantly do things that inadvertently link their personal information with a fingerprint.

      It's only a matter of time - businesses often sell your information to third parties, and soon those third parties will pay for the fingerprints as well. It doesn't have to be an exact positive match, even something as crappy as a 50% hit rate is enough to be spooky. And even if YOU don't make yourself identifiable, others do to make it worthwhile to do so.

      And even if we strip down tons of browsers to return the same information regardless, there'll be other ways - possibly using Flash to profile your system to generate your fingerprint (they already do with flash cookies). Hell, who knows what Flash can retrieve, especially on phones (the UI to manage flash cookies is crappy enough. The UI to do it on mobile phones supporting flash will probably be non-existent).

  4. Doesn't link it to YOU by Gothmolly · · Score: 3, Interesting

    It only lets them know it's the same browser/computer, it doesn't give them the docs on you.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Doesn't link it to YOU by Cmdr-Absurd · · Score: 2, Insightful

      Ah, but if you can be ID'd on a single site, much of what you do can be tracked. A lot of http access logs are web-accessible.
      So if I can associate you with your browser signature on ANY site, I can let my google fingers do the walking. It's a snap.

    2. Re:Doesn't link it to YOU by IamTheRealMike · · Score: 2, Insightful

      The fingerprinting techniques heavily rely on JavaScript, so finding random unprotected http access logs isn't going to help you. If it's truly "a snap" then please show me my last visited sites?

      I think at some point the internet privacy debate will have to start featuring some concept of personas, or the idea that a single person does not have a single identity but rather many identities. Some of them overlap, some of them are easier to change than others and some of them are what we might call "personal" - for instance personas like your full legal name or physical appearance are clearly different to a persona like a passport number, which is itself quite different to an email address (a lot harder to change for one). Although today they tend to all get lumped together under the same concept of "you-ness".

      In this case, my browser's fingerprint is clearly a persona, but is that really a problem?

  5. Re:damn. by ShadowRangerRIT · · Score: 4, Insightful

    I know that's a joke, but at work you likely experience greater anonymity than at home (from the website operator at least, can't say if your company monitors). At home, your computer is likely to have an eclectic mix of plugins, more or less up to date browser, OS, etc., all of which make you easy to profile. At work, you're often subject to the demands of the IT department, and the IT department likes uniformity; it's easier to support. So when you surf for porn at work, odds are the website can't distinguish you from anyone else at your office, since you all broadcast the same configuration data.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  6. You can identify the OS just by the TCP connection by Viol8 · · Score: 2, Interesting

    Never mind the browser, you can tell (or used to be able to, this was a few years back) what OS someone is running - assuming they're not going through a proxy - by looking at the TCP sequence numbers the client sends. There was an article on /. about it and some post grads had written a whitepaper.

  7. Don't worry by mangu · · Score: 4, Informative

    All you have to do is change your fingerprint to "Googlebot/2.1 (+http://www.googlebot.com/bot.html)". OK, perhaps this needs updating, but you get the general idea.

    You'll be amazed at the information some sites will be willing to give you. Even paysites will let you in for free if they believe you are Google.

    1. Re:Don't worry by darthflo · · Score: 5, Informative

      That's just the User-Agent string. The actual fingerprint consists of that and a big bunch of other headers your browser sends out with each request: language, preferred encoding, plugins; screen resolution, your installed fonts and so on. Changing your standard browser's user-agent to something like you quoted above is a surefire way to be even more unique.
      Check the panopticlick page for your details. Keep in mind their "bits of identifying information" only apply to a single header. A bit of work and identifying over all of these fields is easily done. Throw in a bit of extra work and users can be singled out even after they change one or two of 'em.
      Summing all the lines together, I can get some 70 bits of identifying info out of my (almost worst-case) setup: Ubuntu 9.10 running a snapshot of Opera 10.54 with a couple of extra fonts and a weird screen resolution. Cut away user-agent and plugins and we're still at some 35, more than IPv4 addresses out there.
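As an added worked example of darthflo's point (and of ShadowRangerRIT's observation above that uniform office builds blend in), written for this page rather than taken from the EFF's Panopticlick code or from anyone in the thread: it computes per-field and whole-fingerprint "bits of identifying information" over a small constructed population, and shows why adding the per-field bits overstates the total and why a spoofed user-agent makes a browser more unique. Every record and field value below is made up; the field names are assumptions.

```python
import math
from collections import Counter

# Constructed sample population (not real Panopticlick data): ten identical
# "office" browsers standardised by an IT department, plus six home machines.
ATTRS = ("user_agent", "language", "fonts", "screen", "plugins")
OFFICE = ("IE8/WinXP", "en-US", "corporate-standard", "1280x1024", "flash10")
HOME = [
    ("Firefox3.6/Win7", "en-US", "win7-default", "1920x1080", "flash10,java"),
    ("Firefox3.6/Win7", "en-US", "win7-default+klite", "1920x1080", "flash10,java"),
    ("Opera10.54/Ubuntu", "en-GB", "ubuntu+extra", "1366x768", "none"),
    ("Googlebot/2.1", "en-US", "win7-default", "1920x1080", "flash10,java"),  # spoofed UA
    ("Safari4/MacOSX", "en-US", "mac-default", "1440x900", "flash10"),
    ("Firefox3.6/Win7", "de-DE", "win7-default", "1920x1080", "flash10,java"),
]
POPULATION = [dict(zip(ATTRS, OFFICE)) for _ in range(10)] + \
             [dict(zip(ATTRS, h)) for h in HOME]


def anonymity_set_size(population, record, attrs):
    """How many browsers in the population look exactly like `record` on `attrs`."""
    key = tuple(record[a] for a in attrs)
    return sum(1 for r in population if tuple(r[a] for a in attrs) == key)


def surprisal_bits(population, record, attrs):
    """Bits of identifying information: -log2 of the fraction of the population
    that shares `record`'s values on `attrs` (a single field gives the per-header
    figure the test page reports; all fields gives the whole-fingerprint figure)."""
    return -math.log2(anonymity_set_size(population, record, attrs) / len(population))


def naive_sum_bits(population, record):
    """darthflo's 'sum all the lines': per-field bits added as if the fields were
    independent. Correlated fields (same OS implies same fonts, screen and
    plugins) make this exceed the joint figure, which can never pass log2(N)."""
    return sum(surprisal_bits(population, record, (a,)) for a in ATTRS)


def attribute_entropy(population, attr):
    """Shannon entropy of one field over the population: how much a site learns
    on average from that field alone."""
    n = len(population)
    counts = Counter(r[attr] for r in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def one_in_n_to_bits(n):
    """Convert a '1 in N' uniqueness figure into bits of surprisal."""
    return math.log2(n)


def report(population, record):
    return {
        "anonymity_set": anonymity_set_size(population, record, ATTRS),
        "joint_bits": surprisal_bits(population, record, ATTRS),
        "naive_sum_bits": naive_sum_bits(population, record),
        "max_possible_bits": math.log2(len(population)),
    }


if __name__ == "__main__":
    for label, rec in (("office", POPULATION[0]), ("firefox/win7", POPULATION[10]),
                       ("googlebot spoof", POPULATION[13])):
        print(label, report(POPULATION, rec))
    print("1 in 904006 on codecs ->", round(one_in_n_to_bits(904006), 1), "bits")
    print("1 in 256 with NoScript ->", one_in_n_to_bits(256), "bits")
```

The office record sits in an anonymity set of ten and yields under one bit, while the spoofed Googlebot user-agent alone is worth the full four bits available in a population of sixteen.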

    2. Re:Don't worry by coolsnowmen · · Score: 4, Funny

      Which is why I have a linux script that constantly changes the size of my browser window by a couple pixels.

    3. Re:Don't worry by hairyfeet · · Score: 2, Interesting

      Yeah and the funny thing is what ID'd me was NOT the fonts...it was the codecs. My fonts are pretty bog standard but I like the K-Lite codec pack as it is an easy way to have video support for all formats set up quickly. According to the test page my codec list is only 1 in 904006 when it comes to codecs.

      Of course the nice thing is yet again NoScript comes to the rescue, as with NoScript on my highest ID # is 1 in 256, which is only because of using FF over IE. So yet again FF scores a win for me by having the indispensable NoScript. FF plug-ins FTW!

      --
      ACs don't waste your time replying, your posts are never seen by me.
  8. Re:I'm not really worried by $RANDOMLUSER · · Score: 4, Funny

    When I want to be anonymous I switch to incognito mode in <Google product>...

    Excellent plan.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  9. A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 5, Interesting

    We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.

    He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.

    Shame his laptop has the same fairly unique MSIE-and-toolbars useragent string.

  10. Cookies by chipperdog · · Score: 3, Informative

    Cookies are at least an "honest" way to track. You can easily see them in your cookie jar (or whatever term is used by your browser), and you have at least some information about who wrote it. Cookies are not always bad - hidden images, browser/OS fingerprinting, and other 'hidden' means are much worse for privacy.

  11. Re:damn. by Anonymous Coward · · Score: 5, Funny

    true,

    but you're still boned if you're the only furry in the office.

  12. BFD by rwa2 · · Score: 3, Informative

    Don't let the mass media scare you.

    Step 1: Install Wireshark
    Step 2: Leave Wireshark running and observe what kind of information people are gleaning from you over the network. It's educational!
    Step 3: There is no step 3.

    I don't see why people expect anonymity on the internet any more than they do driving around in their car with the license plate showing.
    I just pretend there's an FBI agent always watching over my shoulder. His name is Fred. I explain to him everything I'm doing.

  13. Re:I'm not really worried by TheLink · · Score: 2, Interesting

    Can anyone replicate this behaviour: when I clear all browser history on Google Chrome, Chrome makes a few http requests to Google just after that is done. What's that about?

    This was on Windows 7. I encountered this when I was capturing packets for some performance test so I had to keep clearing the browser cache for some tests.

  14. Re:Old News by caerwyn · · Score: 4, Informative

    This article relates to the publishing of the *results* of the experiment announced in the first article. This is not (for once) a dup. Hence the "compiled over the past few months" bit in the summary.

    --
    The ringing of the division bell has begun... -PF
  15. And? by flintmecha · · Score: 2, Insightful

    data on the type of browser, operating system, plugins, and even fonts installed

    Should I be worried about websites knowing these things?

  16. Re:no shit by grumbel · · Score: 2, Informative

    It goes far beyond just the OS. With Flash for example you can get a list of all the fonts the user has installed. If you ever installed some custom fonts, chances are you are close to 100% uniquely identifiable. You can also trace which pages the user has visited with some dirty CSS tricks (load an image in a:visited {}, track that, and you know if the user has visited the link).

    I seriously doubt that most users are aware of that trickery and how much information it is really giving away.

  17. User agent switcher by petes_PoV · · Score: 2, Interesting

    This is a Firefox add-on which might go some way to at least confusing, if not entirely obfuscating, your browser identity

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
  18. Re:damn. by icebraining · · Score: 3, Insightful

    Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

    Except what's "wrong" is not well defined *now*, and it may even be worse in the future - and we have no idea for how long they'll keep those logs.

  19. Re:damn. by DM9290 · · Score: 4, Insightful

    Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

    And who defines what "wrong" is? In some places being gay is a crime. In some places being an apostate is a crime. In some places being anti-government is a crime. In some places playing violent video games, looking at porn of women with small breasts is a crime. In some places reading certain books is a crime.

    Either you are ignorant, or you are trolling.

    --
    No one has a right to their *own* opinion. They have a right to the TRUTH.
  20. Re:Fonts leak a lot of information by moonbender · · Score: 2, Interesting

    I agree. In fact, I don't want my browser to send out any kind of information on the fonts I've got installed. It's not a feature sites tend to use, so you might as well disable it. Any way to do that with Firefox?

    --
    Switch back to Slashdot's D1 system.
  21. Re:Not that great an identification by jittles · · Score: 2, Informative

    Try allowing Noscript on that site? I was listed as 1 in 4 too until I enabled scripting on that website and ran the test again. Then I came out to be 1 in 1,000,000. I'd say that's more unique than I'd like to be.

    Test yourself here if you haven't already.

  22. Well, it depends... by sean.peters · · Score: 2, Insightful

    ... nobody particularly cares if website operators find out what fonts and plugins you use. You might, however, care if website operators can look at those things and be able to say "hey, it's flintmecha again". Some people (I'm one of them) don't necessarily want every company on the internet building dossiers on their online behavior. But some people might be happy to let such companies do so - it's not like there are no advantages. When a website knows who you are, it can personalize your experience with the site. I personally am happy to see a generic site and not feel like I'm being snooped on. YMMV.

  23. This is what is known as willful ignorance by sean.peters · · Score: 2, Insightful

    Of course, no one cares what fonts you have installed. The issue, which would be clear if you so much as RTFS, is that this information can uniquely identify you. Still not the greatest injustice since they got rid of red M&Ms, but honestly. You're either deliberately ignoring the central point of the posting, or you didn't bother to read it. I know, I must be new here.

  24. Re:Public Place? by Crispy+Critters · · Score: 2, Insightful

    Is being on the internet any different?

    Actually, yes it is different. The first difference is cost. It is expensive to follow people around and record everything they are saying. I don't worry that someone is going to spend a half a million dollars to follow me around for the next year; it's not impossible, but it's about as likely that I will be struck by a meteor. The second is storage of information. If someone decides today to find out exactly what you said at lunch last week, they can't, because that information is gone, no matter how many people could overhear you. Cheap aggregation and eternal storage of public information lead to a loss of privacy.

  25. Re:damn. by Mister_Stoopid · · Score: 2, Interesting

    Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

    I realize that it's a bad idea, but posts like this make me think we should have a (-1, ignorant) mod anyway.

  26. Re:damn. by Artifakt · · Score: 2, Insightful

    Usually, people who offer the "If you're not doing anything wrong, why do you care who has your information" claim are talking about something such as the Dept. of Justice seeing that information. Here we're talking about anyone who puts up a web site (as you, yourself, posted). That's actually a pretty extreme position. You're not just saying we should all trust the government - you're really saying we should all trust random strangers.

    Would you respond to my post right now, with your current IP address, monitor resolution, video card and driver info, all browser functions enabled, any 3rd party add ons, what versions of Flash, Shockwave, and so on you have, your OS and what support packs it has, a complete list of codecs on your machine, a similarly complete list of fonts, and probably a lot more info? I'm a random stranger to you, aren't I? I can understand if you don't want to look all that up manually and type it into a little Slashdot window (in fact, please don't), but how is that really different from my automated harvesting of that same data?

    Look at all the things you can't change. Yeah, you, and most people, can force a new IP address if you're with a common ISP such as Comcast. But if you update your Flash, that update's gonna have a time-stamp after the version I just found out about, so I can still assume that your PC had that version of Flash at the time it visited my site. What if I'm looking for old versions of add ons that have known vulnerabilities? Maybe I'm watching for visitors who don't upgrade or patch much. There are certainly exploits that would be hard to stop if their originator focused on putting them only on the obviously slow-to-patch set's boxes. So, if for no other reason, we should care because it's another reason to keep up with current versions of all those 3rd party support files browsers have these days.

    --
    Who is John Cabal?
  27. People use Noscript... by deesine · · Score: 2, Insightful

    because of its whitelisting feature. Otherwise they would use their browser's built-in ability to turn off Javascript. What percentage of people use a browser that doesn't enable the user to turn off Javascript?

    --
    damaged by dogma