Slashdot Mirror


EFF Says Forget Cookies, Your Browser Has Fingerprints

alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."

14 of 175 comments

  1. Take some measures... by IYagami · · Score: 5, Informative

    From TFA:

    "There are some effective countermeasures, however. A uniquely identifiable IDG News Service Windows XP computer running Firefox could not be identified with the NoScript safe browsing extension turned on. Adding the Tor Internet anonymization software also works, Eckersley said."

  2. Original ./ article by Mouldy · · Score: 5, Informative
  3. Personally Identifiable Information by Coreigh · · Score: 5, Interesting

    I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words it's not that they know what I do, it's do they know, specifically, who I am.

    I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

    --
    "Waitress I need two more boat-drinks..."
    1. Re:Personally Identifiable Information by somersault · · Score: 5, Funny

      In other words it's not that they know what I do, it's do they know, specifically, who I am

      Bruce Wayne: It's not who I am underneath, but what I do that defines me.

      --
      which is totally what she said
    2. Re:Personally Identifiable Information by fuzzyfuzzyfungus · · Score: 4, Informative

      The trouble is, you only need to fuck up once (or, perhaps more realistically, a few times to let the algorithms bump their confidence in the ID high enough) for that information to become personally identifiable. And, once gathered, a body of "non-personally identifiable" information can persist for a time limited only by the plummeting costs of storage and can, at any future time, be linked with enough new data to make it personally identifiable.

      Some percentage, varying by person (and by whether or not your ISP is selling you out to anybody like Phorm), of site visits are personally identifying with a fairly high degree of confidence. For a substantial number of people, that's probably just facebook. In other cases, patterns of activity across a few websites make inferring your identity with fairly high confidence reasonably plausible. Because things like 3rd-party ad networks and whatever "I can't believe it's not beacon" tech facebook is using today, have cross site reach, often remarkably broad, it is by no means unrealistic to expect that, over time, at least one of your personally identifiable visits or visit clusters will overlap with the reach of one or more ad networks with extensive "non-personally identifiable" knowledge of what your browser fingerprint has been up to. At that point, the previously "non-personally identifiable" is suddenly personally identified.

      Most people aren't even paying attention. Even the ones that are are likely imperfect in their execution, and keeping up with the scope and sophistication of what a competent data-miner could infer would practically be a full time job. Unless you are a truly bland person, you can probably be identified with fair confidence on surprisingly little data. Worse, as TFA notes, a lot of the common "privacy" measures and extensions and so forth actually make your browser substantially more unusual than it would otherwise be.

  4. Re:damn. by ShadowRangerRIT · · Score: 4, Insightful

    I know that's a joke, but at work you likely experience greater anonymity than at home (from the website operator at least, can't say if your company monitors). At home, your computer is likely to have an eclectic mix of plugins, more or less up to date browser, OS, etc., all of which make you easy to profile. At work, you're often subject to the demands of the IT department, and the IT department likes uniformity; it's easier to support. So when you surf for porn at work, odds are the website can't distinguish you from anyone else at your office, since you all broadcast the same configuration data.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  5. Don't worry by mangu · · Score: 4, Informative

    All you have to do is change your fingerprint to "Googlebot/2.1 (+http://www.googlebot.com/bot.html)". OK, perhaps this needs updating, but you get the general idea.

    You'll be amazed at the information some sites will be willing to give you. Even paysites will let you in for free if they believe you are Google.

    1. Re:Don't worry by darthflo · · Score: 5, Informative

      That's just the User-Agent string. The actual fingerprint consists of that and a big bunch of other headers your browser sends out with each request. Language, preferred encoding, plugins; screen resolution, your installed fonts and so on. Changing your standard browser's user-agent to something like you quoted above is a surefire way to be even more unique.
      Check the panopticlick page for your details. Keep in mind their "bits of identifying information" only apply to a single header. A bit of work and identifying over all of these fields is easily done. Throw in a bit of extra work and users can be singled out even after they change one or two of 'em.
      Summing all the lines together, I can get some 70 bits of identifying info out of my (almost worst-case) setup: Ubuntu 9.10 running a snapshot of Opera 10.54 with a couple of extra fonts and a weird screen resolution. Cut away user-agent and plugins and we're still at some 35, more than IPv4 addresses out there.
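
An added illustration of the "bits of identifying information" arithmetic in the comment above; it is not part of the thread or of the EFF's code. It computes per-field and whole-fingerprint surprisal over a constructed 16-visitor sample (every field value below is made up), showing that a uniform office configuration hides in a large anonymity set, that a spoofed User-Agent alone singles a browser out, and that per-field bits summed can exceed the joint figure when fields are correlated.

```python
import math
from collections import Counter

# Constructed sample of 16 visitors, each (user_agent, language, screen).
# These values are invented for the example; they are not measured data.
OFFICE = ("Firefox/3.6 WinXP", "en-US", "1280x1024")   # uniform IT-managed image
SPOOFED = ("Googlebot/2.1", "en-US", "1280x1024")      # only the UA was changed
VISITORS = (
    [OFFICE] * 8
    + [("MSIE 8 Win7", "en-US", "1280x1024")] * 4
    + [("Firefox/3.6 WinXP", "de-DE", "1680x1050")] * 2
    + [("Opera/10.54 Ubuntu", "en-US", "1600x1000")]
    + [SPOOFED]
)

def anonymity_set(visitors, record):
    """Number of visitors whose whole fingerprint equals `record`."""
    return Counter(visitors)[record]

def joint_bits(visitors, record):
    """Surprisal of the full fingerprint: -log2(share of identical visitors)."""
    same = anonymity_set(visitors, record)
    if same == 0:
        raise ValueError("fingerprint not present in the sample")
    return -math.log2(same / len(visitors))

def attribute_bits(visitors, record):
    """Surprisal of each field taken on its own, in field order."""
    bits = []
    for i, value in enumerate(record):
        matches = sum(1 for v in visitors if v[i] == value)
        if matches == 0:
            raise ValueError(f"field {i} value not present in the sample")
        bits.append(-math.log2(matches / len(visitors)))
    return bits

if __name__ == "__main__":
    for name, rec in (("office", OFFICE), ("spoofed UA", SPOOFED)):
        per_field = attribute_bits(VISITORS, rec)
        print(f"{name}: per-field={[round(b, 2) for b in per_field]} "
              f"summed={sum(per_field):.2f} joint={joint_bits(VISITORS, rec):.2f} "
              f"anonymity set={anonymity_set(VISITORS, rec)}")
```

The joint figure can never exceed log2 of the sample size (4 bits here), so a summed total above that is a sign the fields are not independent.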

    2. Re:Don't worry by coolsnowmen · · Score: 4, Funny

      Which is why I have a linux script that constantly changes the size of my browser window by a couple pixels.

  6. Re:I'm not really worried by $RANDOMLUSER · · Score: 4, Funny

    When I want to be anonymous I switch to incognito mode in <Google product>...

    Excellent plan.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  7. A Wikipedia Checkuser's opinion by Anonymous Coward · · Score: 5, Interesting

    We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.

    He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.

    Shame his laptop has the same fairly unique MSIE-and-toolbars useragent string.

  8. Re:damn. by Anonymous Coward · · Score: 5, Funny

    true,

    but you're still boned if you're the only furry in the office.

  9. Re:Old News by caerwyn · · Score: 4, Informative

    This article relates to the publishing of the *results* of the experiment announced in the first article. This is not (for once) a dup. Hence the "compiled over the past few months" bit in the summary.

    --
    The ringing of the division bell has begun... -PF
  10. Re:damn. by DM9290 · · Score: 4, Insightful

    Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.

    And who defines what "wrong" is? In some places being gay is a crime. In some places being an apostate is a crime. In some places being anti-government is a crime. In some places playing violent video games, looking at porn of women with small breasts is a crime. In some places reading certain books is a crime.

    Either you are ignorant, or you are trolling.

    --
    No one has a right to their *own* opinion. They have a right to the TRUTH.