EFF Publishes Study On Browser Fingerprinting
Rubinstien writes "The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."
I visited that site several times with the same browser over several weeks, and each time it was unique. Some plugin had updated, some font had been installed... So for tracking me it would be totally useless. The uniqueness it identifies is only valid for a session or two.
"18.8" doesn't sound like a big number, until you consider what it stands for. Each bit of information halves your uniqueness. That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today, that means you're down to being one in 4500. That's about the same as saying "My name is Matthew Miller and I live in the United States." Not particularly private!
Another way to think of it is this: those two billion people represent 31 bits of uniqueness. Every bit of information revealed knocks off some of that. When you're down to one, you're positively identified. Your web browser is giving up at least 18.8 of those thirty for nothing, leaving you with just about 12.
I have exactly 20.57 bits too! I guess you're that special 1 in 1558541... ;)
Here's mine... As great as it feels to be unique, most tracking is done via scripting so I'm not concerned one bit. My browser is upgraded every other week or I'm running nightlies. Does anybody care about this?
The author said his browser was identifiable because of his font and addon settings. i.e. He probably customized it.
But what about those of us who use "default" settings and customize virtually nothing? Are we identifiable, or do we get lost in the crowd? I suspect the latter.
My AC stalker: "I personally agree with your posts most of the time, but that won't keep me from modding you troll"
20.57 here as well. Xubuntu with Firefox.
I've always wondered about this stuff. If you're one of the 6 people on the internet who care about this stuff, and therefore block all their fingerprint methods, doesn't that make you somewhat unique? Wouldn't it make more sense to return a random list of fonts, a random user agent, and randomize all the other information they are fingerprinting you with to make it seem like you're a different person every time, rather than being one of only 6 people who have a very simple UserAgent string, with no extra stuff tacked on the end?
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
How do they know it's unique? They say my browser is unique, and I've got no serious doubts about that (nightlies), but how would they know if it's me browsing two times or someone else? My screen size is going to be different when I go home, too. Is this what my money would go to if I donated money to the EFF? Start doing a fooler filter; this research project as it is sucks and benefits mostly some people who are working on identifying unique visitors to ads/sites, though not much to them either. And another thing - has anyone tested with a brand new installation? Would that end up as being unique, too? Aurora had "at least 20.57 bits of identifying information". Guess what, IE had the exact same amount of bits of identifying information, though it had reported a different resolution (based on window size, I suppose). IE 64-bit... well, panopticlick just didn't work with it at all (I super rarely use it).
world was created 5 seconds before this post as it is.
Article dated from May 2010...
15.21 and 1:38023
The UA and HTTP_ACCEPT headers provided most of the bits, and those will be pretty common for anyone using the same browser version and platform. NoScript blocked most of the other detection techniques, and those results will be common with anyone else using NoScript or with JavaScript disabled.
No script and whitelist-only cookies = 14.16 bits of info. The bottom six values are not available.
I would actually look for the more common fingerprints and return them. One hides better when one looks like the environment, right?
Okay, my CS degree is fourteen years old, but how can the information identifying whether or not my browser accepts cookies be '0.39 bits'? Isn't it a yes/no, single-bit piece of information? All the other information is described in non-whole numbers also. Aren't bits discrete?
also 20.57, Chromium on Kubuntu
Breaking news, guys...
Exactly. If you follow the information on the Panopticlick site, then it tells you to disable a bunch of stuff that only a very small number of people will do. Toss in that information with tracking your IP to a city, and you are probably very unique, yet Panopticlick says you aren't unique anymore. I think the methods for determining uniqueness are very flawed. I mean, if everybody followed the recommendations they put out, then the entire internet would look homogeneous, and everyone would be the same, and untrackable. However, this is entirely not the case, and following their directions makes you stick out in a crowd.
It's simple: since your representation was not seen before, and there have now been 1,559,692 tests, you can obtain your minimum number of bits (the maximum is unknown) as log(1,559,692) / log(2), the exponent of 2 required to obtain so many tests.
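As an added illustration (not from the EFF paper or from any poster in this thread) of the two points raised above: why a yes/no attribute can carry a fractional number of bits, and why a fingerprint never seen before among N tests implies at least log2(N) bits. The sample browsers, attribute names and the two-billion population figure are constructed for the example.

```python
import math
from collections import Counter

# Constructed toy sample of fingerprint attributes for 8 browsers (made up
# here, not Panopticlick data). Values are kept simple so the resulting bit
# counts can be checked by hand.
SAMPLE = [
    {"cookies": "Yes", "timezone": "60",   "fonts": "Arial;Verdana"},
    {"cookies": "Yes", "timezone": "60",   "fonts": "Arial;Verdana"},
    {"cookies": "Yes", "timezone": "0",    "fonts": "Arial;Verdana"},
    {"cookies": "Yes", "timezone": "0",    "fonts": "Arial;Verdana"},
    {"cookies": "Yes", "timezone": "-300", "fonts": "Arial;Verdana"},
    {"cookies": "Yes", "timezone": "-300", "fonts": "Arial;Verdana"},
    {"cookies": "No",  "timezone": "60",   "fonts": "Arial;Verdana"},
    {"cookies": "No",  "timezone": "0",    "fonts": "Arial;Verdana;MyCustomFont"},
]

def surprisal_bits(samples, attribute, value):
    """Self-information of one observed value: -log2(P(value)) over the sample.
    A common value scores well under 1 bit: '0.39 bits' for cookies means the
    value is shared by about 2**-0.39 ~ 76% of browsers, not that the
    attribute stores a fraction of a bit."""
    counts = Counter(s[attribute] for s in samples)
    return -math.log2(counts[value] / len(samples))

def fingerprint_bits(samples, observed):
    """Sum the per-attribute surprisal for one browser's observed values.
    Treats attributes as independent, which overstates the total when
    values are correlated (e.g. platform and installed fonts)."""
    return sum(surprisal_bits(samples, k, v) for k, v in observed.items())

def min_bits_if_unique(n_tests):
    """Lower bound for a fingerprint seen once among n_tests: log2(n_tests).
    Being the only one of 1,559,692 tests gives about 20.57 bits."""
    return math.log2(n_tests)

def crowd_size(bits):
    """Size of the crowd a fingerprint of `bits` bits singles you out of."""
    return 2 ** bits

def one_in(bits, population=2_000_000_000):
    """Roughly how many people worldwide share a fingerprint of `bits` bits."""
    return population / crowd_size(bits)
```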
Also 20.57, Chromium on Arch Linux (Gnome 3).
Sad times. Now I will never be a unique snowflake on the internets.
Time to create some fake fonts to gain my uniqueness again!
You think that's bad. The article is a dupe too.
Worse still it's not a dupe of say an Android article where searching for Android produces pages and pages of results. If you search in slashdot "browser uniqueness" you'll get 3 results, 2 of which almost have the same title.
I still think Slashdot would do just fine without editors.
I haven't even customized my user agent string and I'm using the standard Fedora 14 browser, but my user agent string itself is unique... Seems like I am the only Danish Fedora 14 user who has clicked on panopticlick recently.
Finally! A year of moderation! Ready for 2019?
According to them, I'm the only person in the world using Opera 11.50 on 64-bit Linux. Yeah, right. Sample size isn't really large enough yet, I guess ... I'm sure using a beta version of Opera on 64-bit Linux is rare, but it is definitely not unique.
It has never been a requirement for any browser to be immune to browser fingerprinting. Nice exercise in the obvious, EFF.
Actually that would make you even more unique. Because no one else will create the same fake fonts as you...
20.57 bits too. Safari 5 on Mac OS X with plug-ins and Java disabled, javascript enabled.
With Firefox 3.6.18pre, a carefully chosen User Agent (below), default HTTP_ACCEPT headers and NoScript, Panopticlick says that my fingerprint conveys 9.01 bits of identifying information.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
My browser plug-ins make me unique. My fonts make me unique.
I'm unique. Just like everybody else...
Bryan
News for nerds, stuff that was published a really long time ago.
I perform some lazy browser fingerprinting and generate a hash for that visitor. I mainly use it for traffic purposes (tracking new visitors vs. returning visitors). I understand that it isn't foolproof and will generate some false results in some cases, but that is not important to me. I don't store any personal identifying information, just a hash.
It also is a way for my sites to stop trying to give cookies to visitors who have cookies disabled. It checks the hash and if that hash has been seen recently and did not have cookies enabled, then I don't waste the resources or requests to try to send them a cookie. Again, I do no client-side checking for cookies and it is all server-side. I assume that is more agreeable than trying to set a cookie stating that they do not want cookies ... which is hilarious that many sites do just that.
I am sure some people may use browser analytics for darker purposes, but I doubt I am the only person using it in a harmless manner.
Many web sites that provide online financial services, and also gateways to MMORPGs, use browser fingerprinting to detect fraudulent use of the service. For example, if a user logs in consistently using a specific browser on a specific computer, and then logs in from a completely different browser, or from a different computer, then there is the suspicion that someone other than the user is logging in using stolen account information. The web site will in such cases ask for some second form of authentication (e.g. mother's maiden name, or something more secure) in order to protect the account.
By trying to block browser fingerprinting you might be protecting yourself from online tracking, but you are also preventing legit services from protecting you.
Life is like a web application. Sometimes you need cookies just to get by.
Anyone have any tips or add-ons that block sending some of this information to make us less identifiable?
This sounds like it could have some uses for e.g. wikipedia, where instead of blocking vandals by IP, you can block individual users on a certain IP address block instead. This would work for people vandalising off university networks, for example.
I've tried this and similar sites multiple times in the past for the heck of it, each time for it to be able to determine anything I had to turn off several layers of protection, and even then the result was not really that useful (as in, it would change very frequently, when applied to a system that isn't frozen in time and actually gets updated).
Couldn't someone design a plugin to spoof these variables, so that it looks like you are using a basic, stock browser? Or to randomize them?
Is it possible to override the information that the browsers are sending to every website that you visit? This seems like it would not be too hard. Couldn't we block Firefox from sending our entire list of plugins to every website we visit, except for those that might be necessary for certain functionality, like Flash?
Have gnu, will travel.
I've always wondered if there was software for web browsing that would let you spoof all of that type of information, hiding OS type, browser version, Java, etc.
"If any question why we died, Tell them because our fathers lied."
I remember when /. first covered the device fingerprinting method that was developed by some Chinese kid using all sorts of details and flags to build the end fingerprint, with a 99% accuracy rate (supposedly reviewed by his peers at that time) some 10 years ago... Is this the same thing?
I don't know... but I am sure that he may be wanting compensation if they are using his code and not paying him.
I have 20.58! (Firefox 3.5.4 on Windows XP)
Do I get a prize?
Yes, this information is at least a year old. And the main reason I am identifiable is because of Flash broadcasting the entire list of installed system fonts to anyone who asks. Yet when I go looking for ways to stop it, they do not exist.
The amazing part is, that earlier article you linked to (from May 18, 2010) is itself a dupe of an even earlier article (Jan 27, 2010) from the same year!