Tracking Browsers Without Cookies Or IP Addresses? 265
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.
If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
Re:Results and flash cookies (Score:5, Interesting)
And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.
I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.
Now I also realize, that I'm not a "normal" case. Here's to being "odd" !
IPv6 will make this obsolete (Score:4, Interesting)
Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignements. Same for large networks that currently use NAT.
So the vast mayority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.
Re:Results and flash cookies (Score:3, Interesting)
With javascript disabled my profile was a mere one in 143, but when I enabled javascript and let them run it again, I became a unique flower.
While having javascript disabled does bin me somewhat (perhaps to 1-2%), telling them about my LabVIEW 8.6 Plugin for Netscape 32 and my Mentor Graphics Veribest Gerber 0 fonts made me completely unique.
So yeah, javascript disabled totally helps.
Re:Results and flash cookies (Score:3, Interesting)
I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.
Advertising companies don't need to be able to identify an individual in order for the data to be useful to them - if they can identify what sites the people that use your computer go to they can construct a demographic that is more useful to them than simply the average user of the site showing the adverts.
Put it this way: television companies can't tailor their adverts for specific viewers, but they still put significant effort into finding out information about those viewers. Why? Because the more precisely they can define the average viewer the more they can charge advertisers. Similarly, knowing the average user of your computer, while not as useful as knowing your exact tastes, is more than enough for them to want to track your computer's page views.
Perhaps more worryingly, unless your browsing habits are very similar it wouldn't take much to separate the different users of the computer. If you know what sites every computer visits you could say, for example, that computers that visit Slashdot are unlikely to visit mypinkpony.com - and you could infer, with a relatively high degree of confidence, that if a computer visits both of these sites it is likely that it has multiple users. Then, when the computer visits techreport.com you can ignore all but the sites that were visited shortly before or after visiting Slashdot, while treating sites like mypinkpony.com as a sign that the user has changed. Is it perfect? No, but it will allow you to reduce the noise significantly and build a fairly accurate picture of what to try to sell you.
Re:Results and flash cookies (Score:2, Interesting)
This is scary (Score:2, Interesting)
I just realised that the fact that I turn off all my plugins(and java) and have multiple languages enabled, probably gives a completely unique fingerprint to automated stalkers like google.
Wow! (Score:5, Interesting)
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.
The site uses cookies. (Score:3, Interesting)
The irony is that the site uses cookies to determine if you are unique to the site or have been there before.
Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.
Re:Little Bobby Tables in User Agent String (Score:2, Interesting)
dave, your observation holds if the user changes the UserAgent just once.
But thms's idea (leaving aside the whole idea of destructive data) has great merit if you change the UserAgent string differently every day, or every hour. That anonymizes you periodically.
Re:Wow! (Score:3, Interesting)
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information.
It doesn't. It's the Adobe Flash plugin, deinstall it and try the test again. BTW, if you have noscript and flash, instead of JS enabled and flashblock, you have your configuration exactly backwards.