EFF Says Forget Cookies, Your Browser Has Fingerprints
Posted by CmdrTaco from the you-are-not-unique dept.
alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."
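How a handful of ordinary attributes add up to a near-unique portrait, as an added example that is not part of the original story or the EFF research: it scores each attribute in bits of identifying information and sums them. The visitor shares, the population size and the independence assumption are constructed for illustration.

```python
import math

# Constructed sample: fraction of a site's visitors sharing this visitor's
# value for each attribute. Illustrative assumptions, not EFF measurements.
SAMPLE_SHARES = {
    "browser type": 1 / 8,
    "operating system": 1 / 4,
    "plugins": 1 / 1024,
    "fonts": 1 / 512,
}


def surprisal_bits(share):
    """Bits of identifying information in a value shared by `share` of visitors."""
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    return -math.log2(share)


def total_bits(shares):
    """Sum the per-attribute bits. Assumes the attributes are independent;
    correlated attributes (OS and fonts, say) make the true total lower."""
    return sum(surprisal_bits(s) for s in shares.values())


def expected_lookalikes(shares, population):
    """Expected number of visitors in `population` with the same combination."""
    return population * 2 ** -total_bits(shares)


def largest_contributor(shares):
    """Attribute that narrows the crowd the most, i.e. the first one to
    standardise or hide when trying to blend in."""
    return max(shares, key=lambda name: surprisal_bits(shares[name]))


if __name__ == "__main__":
    population = 2 ** 20  # constructed visitor count (about one million)
    for name, share in SAMPLE_SHARES.items():
        print(f"{name:17s} {surprisal_bits(share):5.1f} bits")
    print(f"combined          {total_bits(SAMPLE_SHARES):5.1f} bits")
    print(f"expected lookalikes among {population}: "
          f"{expected_lookalikes(SAMPLE_SHARES, population):.4f}")
    print("largest contributor:", largest_contributor(SAMPLE_SHARES))
```

With these constructed shares, no single attribute is rare enough to single anyone out, yet the combination is expected to match far fewer than one other visitor in a million.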
damn. (Score:1, Insightful)
gonna have to stop surfing porn at work now.
no shit (Score:1, Insightful)
anyone that has had a website not hosted on geocities knows this
most normal people should know this by now also, how do you think it knows to install the windows version over the linux or OSX version (ie installing java)
Re:damn. (Score:5, Insightful)
Re:Personally Identifiable Information (Score:4, Insightful)
That's where things get difficult, though, right? For the sake of argument, let's say that Microsoft decided to embed a Unique User ID into everyone's internet explorer, so that anytime you browse the net your ID gets stamped everywhere you go. Makes it easier for adspace to trend towards your interests, right? But then you're also checking your facebook, your email, your bank account, logging into slashdot, and so on and so forth.
Eventually, one of these services slips, like Facebook has, and your Identifiable Information gets out in the open. When I google my name, I see my Facebook Profile, my name comes up under my mother's friends list on Facebook, a handful of .NET Debugging forums. Even foreign versions of Facebook, in my classes we had people from the middle east, Japan, Hong Kong, and other regions of the world, and every other google page I see "Facebook: (Chinese Characters) (My Name) ". Makes me a little paranoid I'm being creeped by someone I don't know.
Regardless - my point is that any effort they make to track just your preferences will always lead back to some site that slips up and makes your identifiable information easier to find, should you put it anywhere online. The way things currently are, you are pretty much safe if you do your best to keep your anonymity online, is probably the best it's ever going to get.
Re:Doesn't link it to YOU (Score:3, Insightful)
So if I can associate you with your browser signature on ANY site, I can let my google fingers do the walking. It's a snap.
Re:A Wikipedia Checkuser's opinion (Score:1, Insightful)
Let's hope Grawp does not read this ;)
And? (Score:2, Insightful)
data on the type of browser, operating system, plugins, and even fonts installed
Should I be worried about websites knowing these things?
Re:Personally Identifiable Information (Score:2, Insightful)
Re:Doesn't link it to YOU (Score:3, Insightful)
The fingerprinting techniques heavily rely on JavaScript, so finding random unprotected http access logs isn't going to help you. If it's truly "a snap" then please show me my last visited sites?
I think at some point the internet privacy debate will have to start featuring some concept of personas, or the idea that a single person does not have a single identity but rather many identities. Some of them overlap, some of them are easier to change than others and some of them are what we might call "personal" - for instance personas like your full legal name or physical appearance are clearly different to a persona like a passport number, which is itself quite different to an email address (a lot harder to change for one). Although today they tend to all get lumped together under the same concept of "you-ness".
In this case, my browser's fingerprint is clearly a persona, but is that really a problem?
Re:damn. (Score:4, Insightful)
Except what's "wrong" is not well defined *now*, and it may even be worse in the future - and we have no idea for how long they'll keep those logs.
Re:damn. (Score:5, Insightful)
Who really cares that their "browser fingerprint" is out there? Unless you're doing something wrong there's no reason to ever try to trace it back to a source.
And who defines what "wrong" is? In some places being gay is a crime. In some places being an apostate is a crime. In some places being anti-government is a crime. In some places playing violent video games, looking at porn of women with small breasts is a crime. In some places reading certain books is a crime.
Either you are ignorant, or you are trolling.
Well, it depends... (Score:3, Insightful)
This is what is known as willful ignorance (Score:3, Insightful)
Re:Public Place? (Score:3, Insightful)
Actually, yes it is different. The first difference is cost. It is expensive to follow people around and record everything they are saying. I don't worry that someone is going to spend a half a million dollars to follow me around for the next year; it's not impossible, but it's about as likely that I will be struck by a meteor. The second is storage of information. If someone decides today to find out exactly what you said at lunch last week, they can't, because that information is gone, no matter how many people could overhear you. Cheap aggregation and eternal storage of public information lead to a loss of privacy.
Re:damn. (Score:3, Insightful)
Usually, people who offer the "If you're not doing anything wrong, why do you care who has your information" claim are talking about something such as the Dept. of Justice seeing that information. Here we're talking about anyone who puts up a web site, (as you, yourself, posted). That's actually a pretty extreme position. You're not just saying we should all trust the government - you're really saying we should all trust random strangers.
Would you respond to my post right now, with your current IP address, monitor resolution, video card and driver info, all browser functions enabled, any 3rd party add ons, what versions of Flash, Shockwave, and so on you have, your OS and what support packs it has, a complete list of codecs on your machine, a similarly complete list of fonts, and probably a lot more info? I'm a random stranger to you, aren't I? I can understand if you don't want to look all that up manually and type it into a little slashdot window (in fact, please don't), but how is that really different from my automated harvesting of that same data?
Look at all the things you can't change. Yeah, you, and most people can force a new IP address if you're with a common ISP such as Comcast. But if you update your Flash, that update's gonna have a time-stamp after the version I just found out about, so I can still assume that your PC had that version of Flash at the time it visited my site. What if I'm looking for old versions of add ons that have known vulnerabilities? Maybe I'm watching for visitors who don't upgrade or patch much. There are certainly exploits that would be hard to stop if their originator focused on putting them only on the obviously slow to patch set's boxes. So, if for no other reason, we should care because it's another reason to keep up with current versions of all those 3rd party support files browsers have these days.
People use Noscript... (Score:3, Insightful)
because of its whitelisting feature. Otherwise they would use their browser's built-in ability to turn off Javascript. What percentage of people use a browser that doesn't enable the user to turn off Javascript?
Think about the perverts (Score:1, Insightful)
I run chatroulette.com and am forced to kick out perverts with their dick in their hands on an hourly basis, at a rate of about 20 a day on average. You can imagine where this leaves me in this particular debate.
Currently, we block IP addresses, but then a lot of innocent people complain, as they get a [blocked] reused IP address from their ISP, or simply sit behind some form of a router that another blocked schmo is connected to so the IP address is shared between N users of which M < B are blocked (usually M = 1) and spoil the fun for the rest.
I wish there was some way people actually COULD be identified with some 99% reliability on Internet. You have no idea how many perverts out there pray to gods that they cannot ever be reliably blocked, because obviously privacy hammer swings both ways. You'd think they are stupid, but some of them manage to even evade IP filtering by somehow shuffling their IP address, to a degree where they reappear on the service within SECONDS.
I don't think it has much to do with your privacy. If you want privacy - don't show yourself to adolescents on video when jacking off. I always fucking hated pedophiles, but even more these days.
Site statistics also tell me that a substantial amount of visitors come through anonymity provider services. They don't get it though - the manner the application is designed, it is not possible to filter it through an anonymity service and get it to work after that.