Slashdot Mirror


EFF Publishes Study On Browser Fingerprinting

Rubinstien writes "The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."

13 of 80 comments

  1. That unique identifies marsh gas... by AlexiaDeath · · Score: 4, Interesting

    I visited that site several times with the same browser over several weeks, each time it was unique. Some plugin had updated, some font had been installed... So for tracking me it would be totally useless. The uniqueness it identifies is only valid for a session or two.

    1. Re:That unique identifies marsh gas... by Anonymous Coward · · Score: 5, Informative

      If you read the article they write that it's trivial to track users despite minor fingerprint changes. Page 13 of the PDF.

    2. Re:That unique identifies marsh gas... by AlexiaDeath · · Score: 4, Insightful

      Read the relevant section. They tested the algorithm against browsers that had cookie indication of sameness.
      "We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1–2 hours or more after their first visit, and who now had a different fingerprint."
      Take that out and you get a flood of false positives.

  2. Bits of identifiable information by mattdm · · Score: 5, Interesting

    "18.8" doesn't sound like a big number, until you consider what it stands for. Each bit of information halves your uniqueness. That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today, that means you're down to being one in 4500. That's about the same as saying "My name is Matthew Miller and I live in the United States." Not particularly private!

    Another way to think of it is this: those two billion people represent 31 bits of uniqueness. Every bit of information revealed knocks off some of that. When you're down to one, you're positively identified. Your web browser is giving up at least 18.8 of those thirty for nothing, leaving you with just about 12.

    1. Re:Bits of identifiable information by fnj · · Score: 4, Insightful

      Er, actually each bit of information doubles (not halves) your uniqueness.

    2. Re:Bits of identifiable information by SydShamino · · Score: 3, Insightful

      Halving the possibilities doubles the uniqueness.

      --
      It doesn't hurt to be nice.

  3. Re:Winning by CastrTroy · · Score: 4, Interesting

    I've always wondered about this stuff. If you're one of the 6 people on the internet who care about this stuff, and therefore block all their fingerprint methods, doesn't that make you somewhat unique? Wouldn't it make more sense to return a random list of fonts, a random user agent, and randomize all the other information they are fingerprinting you with to make it seem like you're a different person every time, rather than being one of only 6 people who have a very simple UserAgent string, with no extra stuff tacked on the end?

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  4. Old news by Plouf · · Score: 2

    Article dated from May 2010...

  5. Thanks, NoScript! by nman64 · · Score: 3, Informative

    15.21 and 1:38023

    The UA and HTTP_ACCEPT headers provided most of the bits, and those will be pretty common for anyone using the same browser version and platform. NoScript blocked most of the other detection techniques, and those results will be common with anyone else using NoScript or with JavaScript disabled.
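
The bit figures quoted in this thread (18.8 bits for one in 456,419; 15.21 bits for one in 38,023) are surprisal values: log2 of the total number of browsers divided by the number sharing a fingerprint. The following is an added example, not code from the EFF study or from any commenter, that computes those figures over a small sample and shows why per-attribute bits cannot simply be summed when attributes are correlated. The sample browsers and the attribute names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: one (user_agent, plugins, fonts) tuple per visiting browser.
SAMPLE = (
    [("Firefox/3.6 Win", "flash,java", "arial,verdana")] * 4
    + [("Firefox/3.6 Win", "flash", "arial,verdana")] * 2
    + [("Chrome/5 Mac", "flash", "helvetica")]
    + [("IE/8 Win", "flash,java,silverlight", "arial,verdana,calibri")]
)
ATTRIBUTES = ("user_agent", "plugins", "fonts")  # assumed column names


def surprisal_bits(count, total):
    """Bits revealed by a value seen `count` times among `total` browsers."""
    return math.log2(total / count)


def one_in_n(bits):
    """Size of the crowd that `bits` of information picks one browser out of."""
    return 2 ** bits


def fingerprint_report(sample):
    """Map each distinct fingerprint to (count, bits, one-in-N)."""
    total = len(sample)
    return {fp: (c, surprisal_bits(c, total), total / c)
            for fp, c in Counter(sample).items()}


def unique_fraction(sample):
    """Fraction of browsers whose full fingerprint appears exactly once."""
    counts = Counter(sample)
    return sum(1 for c in counts.values() if c == 1) / len(sample)


def shannon_entropy(values):
    """Expected surprisal (bits) over the observed distribution of values."""
    total = len(values)
    return sum(c / total * math.log2(total / c)
               for c in Counter(values).values())


def attribute_entropies(sample):
    """Entropy of each attribute taken alone; correlated attributes overlap."""
    return {name: shannon_entropy([row[i] for row in sample])
            for i, name in enumerate(ATTRIBUTES)}


if __name__ == "__main__":
    print(fingerprint_report(SAMPLE))
    print(shannon_entropy(SAMPLE), attribute_entropies(SAMPLE))
```

In this sample the three attributes sum to about 3.53 bits while the joint fingerprint carries only 1.75, because plugin and font lists largely follow the browser and platform.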

  6. No script FTW by Infiniti2000 · · Score: 2

    No script and whitelist-only cookies = 14.16 bits of info. The bottom six values are not available.

  7. Re:"0.39 bits"? by therealkevinkretz · · Score: 2

    Oops. I should have read the article before asking. If anyone else misunderstood the values, the explanation is on page six of the article.

  8. Re:Article is a dupe too! by thegarbz · · Score: 4, Insightful

    You think that's bad. The article is a dupe too.

    Worse still it's not a dupe of say an Android article where searching for Android produces pages and pages of results. If you search in slashdot "browser uniqueness" you'll get 3 results, 2 of which almost have the same title.

    I still think Slashdot would do just fine without editors.

  9. Re:Article is a dupe too! by ethork · · Score: 2

    The amazing part is, that earlier article you linked to (from May 18, 2010) is itself a dupe of an even earlier article (Jan 27, 2010) from the same year!