How Identifiable Are You On the Web?
An anonymous reader writes How identifiable are you on the web? This updated browser fingerprinting tool implements the current state of the art in browser fingerprinting techniques (including canvas fingerprinting) to show you how unique your browser is on the web.
Good food for thought when three-letter agencies talk about "mere metadata."
I haven't seen a /. effect for a long time.
The real "Libtards" are the Libertarians!
Always have been, and always will, for as long as light echoes through space and time. But nobody really cares who I am. They know who I am, nevertheless.
I am the walrus.
Google serves my computer ads for men's watches, it serves my wife's computer, on the same NAT, (the same PC, same screen resolution) ads for shoes. Both have cookies blocked and flash is disabled by default. Mine also blocks lots of google sites, yet I have yet to find a way to block doubleclick. Our browsers are both set to tell sites to "do not track". Neither of us uses Google for search these days, switching to Duck Duck Go.
So the fingerprinting is enough for Google to send us personalized adverts.
Now if someone can tell me the full list of domains I need to block to prevent DoubleClick (also from Google) from serving ads, I'd appreciate it.
First, the simplest of script blockers completely prevented the home page from loading at all.
Second, when I allowed the site in my script blocker, it was slow as hell to load.
But Third, and more to the point: EFF's Panopticlick has been around for a long time now, and it's far better.
Below are the results I got. Really? So I'm the only person who speaks English, running Chrome on Windows 7, in the Central time zone? If that's enough to identify me, then I'm feeling pretty exposed.
Google, on the other hand, can probably tell me my life history, with all the data they have on me.
Yes! (You can be tracked!)
34.59 % of observed browsers are Chrome, as yours.
22.54 % of observed browsers are Chrome 39.0, as yours.
58.71 % of observed browsers run Windows, as yours.
40.04 % of observed browsers run Windows 7, as yours.
26.96 % of observed browsers have set "en"as their primary language, as yours.
1.09 % of observed browsers have UTC-6 as their timezone, as yours.
You have the only browser out of 11099 with this fingerprint.
"Your browser fingerprint appears to be unique among the 4,789,097 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 22.19 bits of identifying information."
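The arithmetic behind the summary quoted above, as an added example that is not part of the thread: it converts each quoted share into bits of identifying information and compares the total with what is needed to single out one browser in the sample. Treating the attributes as independent is an assumption.

```python
import math

# Figures quoted in the comment above: sample size and the share of observed
# browsers showing each value. "Chrome" and "Windows" are left out because
# "Chrome 39.0" and "Windows 7" already imply them.
SAMPLE_SIZE = 11099
SHARES = {
    "Chrome 39.0": 0.2254,
    "Windows 7": 0.4004,
    'primary language "en"': 0.2696,
    "timezone UTC-6": 0.0109,
}

def surprisal_bits(share):
    """Bits of identifying information in a value seen in `share` of browsers."""
    return -math.log2(share)

def combined_bits(shares):
    """Total bits, assuming the attributes are independent (they are not quite)."""
    return sum(surprisal_bits(s) for s in shares.values())

def bits_for_uniqueness(sample_size):
    """Bits needed to single out one browser among `sample_size`."""
    return math.log2(sample_size)

def expected_matches(shares, sample_size):
    """Expected number of sampled browsers sharing every listed value."""
    return sample_size * math.prod(shares.values())

if __name__ == "__main__":
    for name, share in SHARES.items():
        print(f"{name:24s} {surprisal_bits(share):5.2f} bits")
    print(f"listed attributes: {combined_bits(SHARES):.2f} bits")
    print(f"needed for 1 in {SAMPLE_SIZE}: {bits_for_uniqueness(SAMPLE_SIZE):.2f} bits")
    print(f"expected matches: {expected_matches(SHARES, SAMPLE_SIZE):.1f}")
```

Under that assumption the four summary attributes fall short of the bits needed for uniqueness in a sample of this size, so a "unique" verdict has to rest on attributes the summary does not list.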
... of course they know who you are. You need an IP to send and receive information, just the nature of making a connection leaves a trail all by itself. Next it's not that hard to develop mathematical techniques to analyze text and language in posts since they can analyze that most people have limited memory and interest by nature of them being finite beings and can simply build profiles by simply combining all the little tiny bits of different info into some unique ID if they wanted to.
The nature of our technology has augmented our ability to see and detect so much it's increasingly difficult to hide anymore. I shudder to think how small cameras are becoming and how they will be all pervasive where it matters. We're basically moving into a "tripwire" society where hidden and not so hidden automated track wherever you go what you do and all that data can be stored, analyzed, etc.
Standard Mozilla behaviour last time this question came up is to include a list of fonts that your browser can display; I don't know whether other browsers do the same, or if they've changed it, but it's the kind of "feature" that hopelessly breaks your chances of non-uniqueness if you've ever installed fonts.
My work laptop has a font that's the Official Corporate-Branded font for $DAYJOB's corporate logo. Almost every Windows machine at my company has that (at least, every physical machine and the virtual machines running on the hosted virtual desktop cloud; there may be some lab machines that don't, and maybe some contractors, etc.) You might work for a smaller company that does the same. In my case, I've installed all sorts of other random fonts, either to see what they looked like, or simply because back in the 80s of course you wanted Elvish and Dwarvish fonts on your computer, or because I wanted a better monospaced programming font than the default MS one or Courier New.
Lots of other things leak information as well (cookies, etc.), but fonts are a quick and dirty way around identifying people who block those.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Their sample size is 11-thousand. According to my results, 1-in-6 computers are running Linux!
This is absurd, unscientific to the extreme, fear-mongering.
In your example, based only on the statistics you provided, there were 11099x0.0109 or 120 people in the central time zone *in their sample*, which is the sample size of UTC-6 users.
Their data is useless.
In comparison, https://panopticlick.eff.org/i... has almost 5-million in their database. This is somewhat more helpful.
According to that site "[I] Can Be Tracked!" because my fingerprint is the same as 11,775 others. That number seems to be generated only by people visiting the site meaning the pool would most likely be larger.
Obviously Browser Fingerprinting is a real thing, but that site seems to be geared more toward hyperbole than actually educating.
What do you know I wrote a novel
Given most of the data is what's reported by a browser, why don't browsers filter the data?
Especially if "Do Not Track" is set to on - why don't they limit the data to send back?
Fonts - Microsoft released 6 fonts for the web over a decade ago - just report those 6 across all platforms and maybe a few standard system ones (you can get this from the User-Agent anyways). Make it a whitelist of fonts.
Sure, some data is gathered through plugins, but I thought many are now click-to-run so you can't get that data unless you specifically run those plugins.
Is there a reason why browsers like Firefox return everything?
Metadata completely recognizes a user. It's better than this thing.
"First they came for the slanderers and i said nothing."
Somebody took that link out back and fed it a fist full of Valium. It's not dead, but it's comatose.
I have the same nick/password on several sites. Including, but not limited to, /., soylentnews, fark, ultimate-guitar, ars-technica, a couple dating sites, a gay dating site, a site dedicated to midget transvestites, and petitions.whitehouse.gov. Feel free to track me.
Dang, I should change the latter. Some of the petitions I sign could be embarrassing.
That said, I assume the original article meant something more subtle. I wouldn't know, the link is dead to me.
They've got me:
http://en.wikipedia.org/wiki/A...
http://en.wikipedia.org/wiki/XBase
I just tried https://panopticlick.eff.org on my iPad and Windows PCs. The Windows PC was uniquely identifiable with Firefox or IE but the iPad came out as 1 in 24 million. Looks like there is an advantage to Apple's locked down standardised platform.
Yes, like many, my result was "Unique". I noticed that one item being measured was browser resolution. Since I was running my browser at less than full screen and the exact window size is a low entropy parameter, I decided to try again after maximizing my browser window. As expected, the result was a lower uniqueness score. That led me to wonder if some technique like modifying the exact size of the browser window by a few pixels each time it's refreshed might help somewhat to hide from these evil trackers. Perhaps modifying other parameters like which extensions are enabled or what fonts are installed on each refresh might confuse them even more.
... or something equivalent like disabled scripting.
It does give useful feedback at least. :)
As others have noted, the EFF Panopticlick is the better service.
I just spent far too much time playing around with this, on an extended lunch break. I note the following things:
- You had better disable explicit tracking services (Ghostery), or it all doesn't matter anyway.
- Fonts are a big factor. Fonts are identified through Flash. There is a configuration file "mms.cfg" that can disable this. The location of this file depends on your operating system and on your browser - it took me a good half-hour to find it for my particular configuration.
- However, even after disabling fonts, and even using a "user-agent switcher" to look like a Windows/Chrome combination (instead of Linux/Chrome), I was still uniquely identifiable. The biggest factors were my language preferences, the list of plugins, and the precise browser version. Refusing to report system fonts was also pretty important :-/
In short, there's not much way around it - if you include other information available, like your IP address, you will be uniquely identifiable, and trackable across websites.
What is missing from this picture: Browsers provide an "incognito" mode. This mode needs to be extended to provide only absolutely essential information to the server. The server needs to know roughly what level of standards support you have (e.g., "Mozilla/5.0"), and what language to send content in (one language, not a list with weights). Everything else could be omitted, and virtually all websites would work perfectly.
Go a step farther and disable JavaScript in incognito mode, to prevent explicit sniffing. That will disable more websites, but if those sites start losing traffic, they'll offer versions that don't require JS.
Enjoy life! This is not a dress rehearsal.
Seriously, this guy is still doing the rounds?
Come back when the advertisers have all moved onto the same CDNs as everyone else and you can't block by IP.
The rest? Well, apart from the utter bullshit, it's called a DNS proxy.
Turns out I'm only one in 22,473. Maybe if I switch to Firefox I can once again be 1 in a million...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
First, the flippant comment:
I find it astonishing that in this day and age when apparently they can track everything I do, want, and own online without my permission, my ATM still asks me WHAT LANGUAGE I want to use? Seriously? After I've answered that once, it's done. I'm not changing my native language guys. Offering it subsequently is doing a favor only for the foreign-language dude that steals my card.
Second, the serious one:
a) the site itself is fairly vague and misleading:
"Yes! (You can be tracked!)
36.34 % of observed browsers are Chrome, as yours.
27.11 % of observed browsers are Chrome 39.0, as yours.
55.61 % of observed browsers run Windows, as yours.
39.77 % of observed browsers run Windows 7, as yours.
59.03 % of observed browsers have set "en"as their primary language, as yours.
5.51 % of observed browsers have UTC-6 as their timezone, as yours.
You have the only browser out of 24041 with this fingerprint."
I call bullshit on that. You're telling me I'm the only English-language individual running chrome on windows 7 in the UTC-6 timezone? Absolute nonsense.
b) when you pull the "more details" then it starts to get more plausible, where the specific list of addons I use is rather unique, but they go down to asserting that my browser is 'identifiable' due to WebGL output - really, are vendors doing this to fingerprint my browser (as is implied) or is this more of a forensic "if I was stupid enough to send a ransom note from my browser, the FBI could eventually confirm that it came from my machine if they had physical possession of it and some weeks"?
That's two different contexts of "unique", surely?
-Styopa
Pray tell us how to use hosts files through a proxy server.
It's the proxy server that looks up the host names, not your local resolver.
Also, how well does it work with wildcards? There are ad companies that use thousands of random hosts, of the form 47db.adcompany.com, 1a74.adcompany.com, 357f.adcompany.com. With a hosts file, you have to fill out every single possible entry ahead of time, because it doesn't take a wildcard like *.adcompany.com.
Nor does it block IP addresses. How would you use a hosts file to block http://61.174.51.194/ ?
Never mind that big hosts files slow down the system, because it is traversed linearly, not through a hash like better resolve (and blocking) mechanisms.
Using hosts files was viable up until the late 80s, but now it is a joke.
"YOU WOULD HAVE TO WHITELIST TO ACCESS THEM @ ALL (you're talking a practically never ending battle there))."
For the love of Pete, did you not read my original post?
For casual exceptions to the whitelist you use a free filtering proxy. My example was Startpage.com/ix-quick. You don't need to update your whitelist except for sites that you have an ongoing relationship with.
Once again, I *do* this. It's mostly a set-and-forget. And the great thing about it is that if some new tracker/adfarm thing comes along I don't have to do anything about it - it's already filtered.
A.
...bringing you cynical quips since 1998
I already ranted about fonts, but amiunique decided that my browser version (the one supported by the IT department at work) and time zone (UTF-8) and language (en-US) were enough to get uniqueness. Apparently everybody on the West Coast is running newer browsers :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Sorry, not chasing your moving goalposts. Use the solution that works for you - I do.
A.
...bringing you cynical quips since 1998
Yup, that's the right thing to do.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But,
Are you unique?
Yes! (You can be tracked!)
47.07 % of observed browsers are Firefox, as yours.
3.74 % of observed browsers are Firefox 31.0, as yours.
19.73 % of observed browsers run Linux, as yours.
62.02 % of observed browsers have set "en"as their primary language, as yours.
15.47 % of observed browsers have UTC-5 as their timezone, as yours.
You have the only browser out of 26601 with this fingerprint.
Okay. Now what? Also 26601 "browsers" doesn't sound like a lot when you're talking about potential billions. Not a big sample. But what do you do now? I have my browser set to remember nothing, so you can't really track cookies across sites well or whatever.
On an Ubuntu 14.04 install, Chrome's most unique component was WebGL. On a Macbook Pro (Mavericks), it was the list of plugins, followed by the font list. For both, the Canvas was shared with less than 1%.
Curiously, Do Not Track is reported as "yes" for Ubuntu, but "1" for Safari.
Seems to be up, finally.
Of course I am unique from their sample, I used an unreleased test version of a browser - I had to be unique. However, that version of tracking is useless as I have 7 different versions of browsers on my system, they would not know they were the same person on the same computer. (And I have 3 other computers plus a couple of tablets.)
Does that mean I am, what, 40 different people according to them?
See Comment Subject.
But most of my "uniqueness" seems to be about the fact that I'm a Mac user, using Safari. They also extracted a lot of fonts. What I wonder is, how useful is this information if I'm blocking ads and trackers, tossing cookies regularly, and using a VPN? To whom would it be useful?
(I'm not being rhetorical)
-- sudon't
Air-ride Equipped
The answer is NO to all of the above, because I have to go through a proxy.
No, Privoxy won't help if you have to go through an external proxy. You know, one that you don't have control over, but where work can log who visited what pages. Work, like what you don't have because you're a kook and unemployable.
With a remote proxy, no local resolving takes place at all (other than the address of the proxy server). No matter what hosts tables you have set up on your local machine doesn't matter because the resolving doesn't happen on your machine at all.
Adblock works great, because it filters before you send a request. Neither the resolving nor the request goes anywhere.
Of course, it can filter IPs and wildcards too, unlike a dumb hosts table.
Please explain how hosts entries would block:
- Any host on the 123.64.0.0/11 network.
- Any host that ends with .2o7.net regardless of hostname[*].
- Requests that embed a hostname or IP address in the URL
[*]: You are aware that some trackers use pseudo-random hostnames that are resolved through wildcard DNS entries, right? That way they can track exactly where you came from too, because the hostname will be unique for just you.
All you have to do is give examples that do the above. It's you who claim hosts files are the panacea - the burden of proof is on you, not others.
Put up or shut up.
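The three cases listed in the comment above, as an added example that is not part of the thread: an exact-name lookup with hosts-file semantics beside a request-level filter that handles a CIDR range, a domain suffix and a host embedded in the URL. The `HOSTS_FILE` entry, the function names and the sample URLs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

HOSTS_FILE = {"ads.2o7.net"}                         # constructed entry: exact names only
BLOCKED_NET = ipaddress.ip_network("123.64.0.0/11")  # range named in the comment
BLOCKED_SUFFIX = ".2o7.net"                          # suffix named in the comment

def as_ip(text):
    """Return an ip_address for an IP literal, or None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def hosts_file_blocks(url):
    """Hosts-file semantics: exact name match, never consulted for IP literals."""
    host = (urlsplit(url).hostname or "").lower()
    return as_ip(host) is None and host in HOSTS_FILE

def host_is_blocked(host):
    """Rule check for one host token: CIDR for IP literals, suffix for names."""
    ip = as_ip(host)
    if ip is not None:
        return ip in BLOCKED_NET
    return host == BLOCKED_SUFFIX[1:] or host.endswith(BLOCKED_SUFFIX)

def filter_blocks(url):
    """Request-level filter: checks the target host and hosts carried in the URL."""
    parts = urlsplit(url)
    if host_is_blocked((parts.hostname or "").lower()):
        return True
    # Decode percent-escapes, then test every path/query token as a host.
    embedded = unquote(parts.path + "?" + parts.query).lower()
    return any(host_is_blocked(tok) for tok in re.split(r"[/?&=:]+", embedded))

SAMPLE_URLS = [  # constructed sample requests
    "http://ads.2o7.net/b.gif",
    "http://47db.2o7.net/b.gif",
    "http://123.70.1.2/t.js",
    "http://example.org/r?u=http%3A%2F%2F1a74.2o7.net%2Fp",
    "http://example.org/index.html",
]

def compare(urls=SAMPLE_URLS):
    """Return (url, hosts_file_result, filter_result) for each request."""
    return [(u, hosts_file_blocks(u), filter_blocks(u)) for u in urls]

if __name__ == "__main__":
    for url, by_hosts, by_filter in compare():
        print(f"hosts={by_hosts!s:5} filter={by_filter!s:5} {url}")
```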