Forgot your password?
typodupeerror
Privacy Your Rights Online

Tracking Browsers Without Cookies Or IP Addresses? 265

Posted by CmdrTaco
from the just-how-private-are-you dept.
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string. If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
This discussion has been archived. No new comments can be posted.

Tracking Browsers Without Cookies Or IP Addresses?

Comments Filter:
  • by sopssa (1498795) * <sopssa@email.com> on Wednesday January 27, 2010 @01:23PM (#30919644) Journal

    I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite genetic.

    Plugins were also completely unique and really easy to detect in any other browser than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and looks like easy to detect.

    Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.

    Another thing people usually forget about when clearing cookies is that Flash has cookies too and they don't clear along. When have you last time cleared them? Probably never. You can use BleachBit" [sourceforge.net] to clear those along with other software, history and temp data.

    • by Archangel Michael (180766) on Wednesday January 27, 2010 @01:36PM (#30919860) Journal

      And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.

      I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.

      Now I also realize, that I'm not a "normal" case. Here's to being "odd" !

      • by Z00L00K (682162)

        I wouldn't say that you are abnormal, but I foresee that browsers in the future will look into having stealth options to remove all identifiable information from the HTTP requests and randomize what can't easily be filtered out.

        Of course - there are details that are a bit more tricky to fiddle with - like originating IP address.

        • I tested my three browsers (Opera 10.10, Firefox 3.5.7, Chromium 5.0.306.0) on Ubuntu 9.10, and all three were rated "unique" among 18100 to 18200 signatures. In fact, they were all unique on browser plug-ins alone, and Firefox was also unique in its reported set of system fonts. This is troubling.

          On other items, they were not unique, but often in a small set. The combination of a few rare settings could easily make the browser nearly unique in a far larger set. Chromium was nearly unique in fonts (2 brow
          • > ...do we have to install or remove some fonts every day, or change screen
            > resolution...

            No. You just have change what you report, not what you actually do.

          • by sopssa (1498795) *

            Disable javascript globally and enable it for sites you like and need it. Most of the unique info is sent by it.

      • by fibrewire (1132953) on Wednesday January 27, 2010 @02:08PM (#30920318)

        Lets see whose tracking what :P

        Somebody write a firefox plugin that changes "Fingerprints" to "DropDB" statements

      • Re: (Score:3, Interesting)

        by Kijori (897770)

        I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.

        Advertising companies don't need to be able to identify an individual in order for the data to be useful to them - if they can identify what sites the people that use your computer go to they can construct a demographic that is more useful to them than simply the average user of the site showing the adverts.

        Put it this way: television companies can't tailor their adverts for specific viewers, but they still put significant effort into finding out information about those viewers. Why? Because the more precis

        • If you know what sites every computer visits you could say, for example, that computers that visit Slashdot are unlikely to visit mypinkpony.com

          Hey!! >:[

      • Re: (Score:2, Interesting)

        by PYRILAMPES (609544)
        How about a nice packet shaper for your router? Borrow a variable from another user, add it to your router and pass it on?
      • Actually, Torbutton already anonymizes the user agent string and screen resolution and blocks browser plugins. I don't think it blocks fonts, so that still could be an issue.

        But even without any anonymizing plugin, I tested my Mac and found it to be relatively untrackable—one in every few thousand computers matches it. It's not too surprising; Apple pushes Flash/Java/Quicktime updates, Safari stays up to date, and there are only a handful of Mac screen resolutons. Unless you've got some unusual sys

      • And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.

        There are still many unique variables for a given HTTP connection, even if only looking at the times and orders of connection requests. Not to mention cache effects or URL tracking tricks.

        You can be anonymous but you can't be ambiguous, if you use sites which use data mining techniques to identify their visitors (and you don't know who those are).

      • Re: (Score:3, Informative)

        by Lumpy (12016)

        https://addons.mozilla.org/en-US/firefox/addon/6581 [mozilla.org]

        too late, they beat you to it.

        • by Lumpy (12016)

          Dang slashdot. It ate this and I did not see it as a response for 10 minutes so I figured it did not post... Sorry about the dupe.

        • Re: (Score:2, Insightful)

          by Mister Whirly (964219)
          Wouldn't randomizing this every time make you more unique and hence more trackable? They should make an addon that makes every browser have an identical user agent that does not ever change, no matter what you do to your browser.
      • by Lumpy (12016)
      • Don't you see? Now all they have to do is find the usage patterns they can't quite figure out and they'll know it's all you.
    • by sopssa (1498795) *

      One extra thing I noticed also. If you disable javascript they weren't able to get any other info than user agent and http_accept strings.

      So NoScript is good to use. Also in Opera you can do this by disabling global javascript and enabling it on per site basis.

      • by KevMar (471257) on Wednesday January 27, 2010 @02:02PM (#30920200) Homepage Journal

        Using NoScript tells them plenty of information.

        You are either:
        1) Aware of the security risk on the internet so you disabled javascript
        2) You suffer from Paranoid Schizophrenia and don't want them controlling things
        3) You have a serious aversion to adds

        So the adds they should show you would go something like this in a jpg or animated gif (that is not a standard banner size).

        Do you want that extra protection that you just can't get on your own? You need more information on how addvertisements and security threats work. Fallow this link to make sure you are informed. They are still watching you.

        Sometimes they don't have to track you to figure out your habits

        • Re: (Score:3, Interesting)

          by SydShamino (547793)

          With javascript disabled my profile was a mere one in 143, but when I enabled javascript and let them run it again, I became a unique flower.

          While having javascript disabled does bin me somewhat (perhaps to 1-2%), telling them about my LabVIEW 8.6 Plugin for Netscape 32 and my Mentor Graphics Veribest Gerber 0 fonts made me completely unique.

          So yeah, javascript disabled totally helps.

        • by mcgrew (92797) *

          2) You suffer from Paranoid Schizophrenia and don't want them controlling things

          You don't have to suffer from paranoid schizophrenia to not want others controlling you any more than you have to be bipolar to get angry at people who want to manipulate you.

          BTW and offtopic, there is only one "d" in "ad" and "advertisement", "add" is a verb. And "fallow" means "barren". Dew know truss yore spill chucker, yews you're ayes. The last sentence will pass a spell check with flying colors, but it's pretty hard to rea

    • by Zerth (26112)

      Anyone using the screen size characteristic can be fooled merely by moving my browser to another monitor(mine aren't identical).

    • by thsths (31372)

      > they don't even need those tracking cookies because your browser leaves so much unique data behind it

      It may be unique, but it is not constant, and therefore not as such suitable for tracing. However, if you use it in connection with other data (such as the IP and a tracing cookie) and update your database regularly, you would be able to notice changes of individual parts, including the cookie. They could just restore the cookie based on your likely identity, although that is pretty complicated.

      Overall

    • by Idbar (1034346)
      I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite genetic.
      Well... I've heard genes are quite unique!
  • by cornicefire (610241) on Wednesday January 27, 2010 @01:26PM (#30919692)
    I'm glad they gave me some new ideas for tracking.
    • by Monkeedude1212 (1560403) on Wednesday January 27, 2010 @01:35PM (#30919838) Journal

      Psh. Real trackers use emotional demographics to Identify their users.

      By tracking the various mouse movements on the page, and every key that might be entered, and the timing it takes between movements or keypresses, I can analyze that persons emotional relationship towards my web page. Some people might be angry, and thus have more spelling mistakes in their rage, or some people might be tender, loving, and caring, caressing the page softly and gently with their mouse.

      Everyone has different habits and express their feelings towards web pages in different ways. I can easily tell who is visitting my site based on how they are visitting my site.

      • This already happens. With Ajax reporting back mouse movements, clicks and keypresses, the site admin can snoop on the visitors and see exactly what they are doing.
        • This already happens. With Ajax reporting back mouse movements, clicks and keypresses, the site admin can snoop on the visitors and see exactly what they are doing.

          So CmdrTaco knows that 95% of Slashdotters type one-handed? O_o

    • by Talderas (1212466)

      Your browser fingerprint appears to be unique among the 3,396 tested so far.

      Fuck.

      • Re: (Score:3, Funny)

        by Volante3192 (953645)

        I got that too when I used Lynx.

        Your browser fingerprint appears to be unique among the 4,655 tested so far.

        • by Talderas (1212466)

          What I find disturbing is that its two categories which my browse is showing up unique in. Browser Plugins and System Fonts. It's the System Fonts uniqueness that has me perplexed.

      • I got:

        "Your browser fingerprint appears to be unique among the 6,335 tested so far."

        So, in the last 15 minutes, they appear to have had roughly 1000 new visitors.

        Sounds like they're collecting some new information.

        • I got:
          "Your browser fingerprint appears to be unique among the 11,342 tested so far."
        • by RKThoadan (89437)

          Chrome: Your browser fingerprint appears to be unique among the 10,511 tested so far.
          IE6: Your browser fingerprint appears to be unique among the 11,542 tested so far.
          Firefox: Your browser fingerprint appears to be unique among the 11,788 tested so far.

          Boy do I feel special. I'm surprised IE6 came back unique. It looks like it was .NET's fault.

      • My Gentoo box: "Your browser fingerprint appears to be unique among the 12,564 tested so far."

        My Ubuntu box: "Your browser fingerprint appears to be unique among the 13,730 tested so far."

        My Mac: "Your browser fingerprint appears to be unique among the 13,337 tested so far."

        I didn't realize I was so unusual ;)
        • Tried it again from a Windows Virtual Machine, and got..."Within our dataset of about ten thousand visitors, only one in 154 browsers have the same fingerprint as yours."

          Go figure...Mozilla on WinXP is more anonymous than Mozilla on Gentoo or Ubuntu and more anonymous than Safari on Mac ;)
      • I get: "Your browser fingerprint appears to be unique among the 17,127 tested so far." Gee - sure glad they don't know my URL. Anyhow - that was using Chrome. Then tried the same test in Chrome's incognito mode, and the number of identifying bits went down by a whole point, to 1 in 9000 or so.
      • by tibman (623933)

        Your browser fingerprint appears to be unique among the 19,296 tested so far.

        : (

    • by Anonymous Coward

      There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. [microsoft.com] A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.

    • Security trough obscurity never works. Your argument is the same, as that of a company that is suing people who publish their findings about security holes.

  • Already being done (Score:5, Informative)

    by QuietLagoon (813062) on Wednesday January 27, 2010 @01:28PM (#30919728)
  • Unless you are one of the 100,000 using any particular Dell/HP/Apple default install on your pc.

    2 ^ 10.5 is lost of combinations , but is bet there are lots of spikes on some.

    • Further a lot of the information is stuff that is likely to change over time with the installation of browser updates, OS updates, some new apps (if they bring fonts with them)

      Though apparently my user agent ( "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)" ) is unique among those tested so far :/

      • Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
        – unique.

        Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
        – 1 in ~800
        Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
        – 1 in ~530

        Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
        – 1 in ~230
        Mozilla/5.0 (

        • Your Windows NT version is making you stand out the most.
          I'm not exactly surprised, 5.2 is little used on the desktop because there is no 32-bit desktop edition of 5.2.

          en-GB is also making you stand out, although after getting Slashdotted by the US this is not surprising. ;)

    • That’s what I figured, on my PC at work, but I was wrong. (When I get home, I’ll have to try it there.)

      My fonts – the default ones installed on the PC – are shared by only 1 in about 3,200 visitors.

      The IE user agent string, with its .NET information, said that only 1 in 4,200 browsers shares it.

      Using the version of IE installed on the PC (version 7), my particular combination of Java, Flash, and WindowsMediaplayer was unique (amongst about 13,000 visitors so far).

      Using Firefox, on th

  • by Lord Ender (156273) on Wednesday January 27, 2010 @01:33PM (#30919804) Homepage

    Researches have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.

  • LOL (Score:4, Insightful)

    by C_Kode (102755) on Wednesday January 27, 2010 @01:39PM (#30919908) Journal

    The site says Only anonymous data will be collected by this site. Yet they are collecting data to see how un-anonymous you actually really are! :)

    • by Amouth (879122)
      which means we grab each part of the finger prints and see how unique they are to our data set BUT we don't keep them together with each other. if you notice they give a rating to you based on each of the areas and your over all is the highest unique..
    • True... and since you can revisit the page to see your updated stats, and it remembers you’ve been there, I can only assume it uses a cookie (they could track via IP, but I wouldn’t consider that anonymous and I don’t think anyone else with any sense would either). Looking at my cookies, I have a PHPSESSID, so apparently that is how they’re avoiding double-counting.

      It seems to me, though, that users without cookies would be re-counted every time they visited, or perhaps it would not

  • We are all V

    or

    We are all Zero

    Choice will of course depend on if you are a V for Vendetta or Code Geass fan. It will aso decide which mask you should wear when the revolution comes.

    We could also use;

    Ninjas (should Ninjas be blank?)

    Pirates

  • by Fëanáro (130986) on Wednesday January 27, 2010 @01:52PM (#30920050)

    Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignements. Same for large networks that currently use NAT.

    So the vast mayority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.

    • by ericfitz (59316)

      IP addresses (even IPv6) are addresses, not phone numbers. The address identifies the place where the packets are supposed to go, not the person to whom they're supposed to go.

      IPv6 was designed to be hierarchical to address some of the shortcomings of the IPv4 allocation process, which requires backbone routers to maintain and exchange large routing lists.

      Personal subnets won't be implemented because people move around; it's not to change the global routing infrastructure every time you go to work.

      Now it m

      • by Fëanáro (130986)

        IP addresses (even IPv6) are addresses, not phone numbers. The address identifies the place where the packets are supposed to go, not the person to whom they're supposed to go.
        So it can be used as a unique household identifier instead of a unique person identifier. That does not make it less of a privacy concern.
        Sure you can change this identifier by changing ISPs or using a PC in a different location. It is still a lot harder to change than a cookie or a dynamic IP, and impractical to do so each day. Adver

        • > It is still a lot harder to change than a cookie or a dynamic IP, and
          > impractical to do so each day.

          Proxies.

    • by Abcd1234 (188840)

      Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignements.

      Not necessarily. Unless the user explicitly asks for a routable /48 or /56, I'll bet most ISPs just give each user a /64 and have them autoconfigure, in which case there's always the Privacy Extensions for Stateless Address Autoconfiguration [ietf.org] option.

      • by Fëanáro (130986)

        Not necessarily. Unless the user explicitly asks for a routable /48 or /56, I'll bet most ISPs just give each user a /64 and have them autoconfigure, in which case there's always the Privacy Extensions for Stateless Address Autoconfiguration option.

        But no matter what the user configures, he is stuck in the /64, or do I missunderstand this?
        So if an ISP is known to give its customers a /64 each, then to identify them one just has to discard the later part of the address.
        Sure it is not a perfect identifier, y

  • by Volante3192 (953645) on Wednesday January 27, 2010 @01:52PM (#30920054)

    Browser Characteristic : User Agent
    bits of identifying information : 11.09+
    one in x browsers have this value : 2183
    value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev

    (Course, i'm also two minor releases behind...but still, 1 per 2000 is more common than I would've guessed)

    • Some Slashdotters browse Slashdot at work on Lynx because it looks like a terminal to the PHB walking by.
    • Hrm...apparently I missed part of the page when I saw that. It's likely that there were only 2183 browsers cataloged at the time.

      Oops. Mea culpa.

    • by Inda (580031)
      I browse with MS Word and the site says I'm unique. Who'd of thunk it? //no JS
      http://panopticlick.eff.org/index.php?action=log

      Seems to identify itself as IE :(
  • roughly one in five browsers has javascript disabled.

    Then again, that's probably artificially high based on what circles this story has been circulating in.

  • My desktop environment is so far unique over 2,357 samples, and my iPod Touch is unique over 2,239 samples. Interesting. I know I have some interesting pieces to my desktop, but 1/2357 surprised me. My iPod Touch being unique, on the other hand, just tells me more about who they've sampled so far than about the uniqueness of the test.

  • Your browser fingerprint appears to be unique among the 6,764 tested so far.

  • I look at user agents from time to time, and it blows my mind how much stuff some programs are permitted to put in there. It seems like every toolbar, add-on, and browser re-branding these days wants to put itself in you user agent.

    I wonder what the longest non-fake user agent is these days? I recall there was a problem a while back on the Mozillazine forums because it records user agent strings for support purposes, but only allocated so many characters. Thanks to some new toolbars and such some people cou

    • I guess I'm somewhat paranoid/security conscious, e.g., I do clear out things like Flash cookies, and I block sites like Google Analytics. What surprised me was that Firefox, a browser I originally chose in part for its reputation of having better security and privacy settings than certain other browsers, seems to be broadcasting a signature that tells any site I visit all of the plug-ins I am using. This not only uniquely identifies me, it also paints a huge target if any of those plug-ins is found to have

  • unique so far?
  • When I went to their site to find out how "unique" I was, the site launched a java applet. This isn't tracking browsers at this point, it's tracking JVM's too. If you're allowed to have the browser launch a third party application, then might as well launch an .exe that scours your hard drive and does an HTTP call back to the EFF.... at that point, might as well just say every system is unique.

  • I did not realize that my plugins list was the largest source of fingerprint data. I didn't even know it was listed.

    I imagine many people use Opera at my screen resolution, but I'd be interested in seeing how many people shared my particular combo of data (aside from the plugins list).

    • I didn't realize either that the plugin list was sent out, nor the screen resolution, nor what fonts are enabled. What is the purpose of all that?
      Taking a look at the plugins I have installed, I'm also surprised at some of them. Hulu Desktop Integration? I thought the purpose of a standalone was so it didnt need to integrate. 2007 Microsoft Office plug in for Netscape Navigator? WTF?
  • With javascript disabled, they said my browser was 1 in 140.

    With javascript enabled, they said my browser was unique among all browsers seen so far.

    NoScript is so great.

    • by spune (715782)
      Curious; when I have javascript enabled (NoScript off) I'm only 1 in 6000 but it gives me unique when it's disabled.
    • by T Murphy (1054674)
      I am curious what their skew is on NoScript and FireFox use- I would assume both will be more common in their data than in the general population. I don't expect it to make a notable difference in the practical meaning of the numbers- I'm just curious from a statistics perspective.
  • This is scary (Score:2, Interesting)

    by whatajoke (1625715)
    Your browser fingerprint appears to be unique among the 10,808 tested so far.
    I just realised that the fact that I turn off all my plugins(and java) and have multiple languages enabled, probably gives a completely unique fingerprint to automated stalkers like google.
  • What will happen when 'they' identify me and fail to correlate my purchase history with the ads I have been served?

    "Oh jeez, another one who buys the same groceries every week, drives an old car and wears £3 Asda clothes until they fall to pieces!"
    "Another windows 2000 user?"
    "Yeah!"
    "Dammit, just stop serving him any pages at all and put him on the 'to kill' list."
     

  • I got my entropy up to 14+ by becoming a Mozilla/4.78 (Macintosh; U; PPC).

  • Wow! (Score:5, Interesting)

    by BitterOak (537666) on Wednesday January 27, 2010 @03:17PM (#30921972)

    I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.

    • Re: (Score:3, Interesting)

      by YA_Python_dev (885173)

      I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information.

      It doesn't. It's the Adobe Flash plugin, deinstall it and try the test again. BTW, if you have noscript and flash, instead of JS enabled and flashblock, you have your configuration exactly backwards.

  • With noscript enabled I came up as one out of around 1400, with noscript disabled I was completely unique out of the 19000 tests done so far. I'm special.
  • Compiling Firefox (Score:5, Insightful)

    by J'raxis (248192) on Wednesday January 27, 2010 @03:21PM (#30922104) Homepage

    I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, &c.. So how likely is it that someone else with the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.

    • by J'raxis (248192)

      Specifically, the Firefox user-agent when compiled on Gentoo will look like this:
      Mozilla/5.0 (X11; U; Linux $ARCH; $LANG; rv:$REVISION) Gecko/$YYYYMMDDHH Gentoo Firefox/$VERSION

  • by fava (513118) on Wednesday January 27, 2010 @04:16PM (#30923498)

    The irony is that the site uses cookies to determine if you are unique to the site or have been there before.

    Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.

  • browserrecon project (Score:2, Informative)

    by Marc Ruef (1731264)

    Hello,

    I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:

    http://www.computec.ch/projekte/browserrecon/ [computec.ch]

    Bye, Marc

Some people claim that the UNIX learning curve is steep, but at least you only have to climb it once.

Working...