EFF Says Forget Cookies, Your Browser Has Fingerprints
Posted by CmdrTaco from the you-are-not-unique dept.
alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."
Personally Identifiable Information (Score:5, Interesting)
I don't care if anyone tracks my preferences or shopping history. What I care about is: 'Is that information "Personally Identifiable"?' In other words, it's not that they know what I do, it's do they know, specifically, who I am.
I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.
Doesn't link it to YOU (Score:3, Interesting)
It only lets them know it's the same browser/computer, it doesn't give them the docs on you.
You can identify the OS just by the TCP connection (Score:3, Interesting)
Never mind the browser, you can tell (or used to be able to, this was a few years back) what OS someone is running - assuming they're not going through a proxy - by looking at the TCP sequence numbers the client sends. There was an article on /. about it and some post grads had written a whitepaper.
A Wikipedia Checkuser's opinion (Score:5, Interesting)
We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.
He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.
Shame his laptop has the same fairly unique MSIE-and-toolbars useragent string.
Re:I'm not really worried (Score:3, Interesting)
This was on Windows 7. I encountered this when I was capturing packets for some performance test so I had to keep clearing the browser cache for some tests.
User agent switcher (Score:3, Interesting)
Re:Fonts leak a lot of information (Score:3, Interesting)
I agree. In fact, I don't want my browser to send out any kind of information on the fonts I've got installed. It's not a feature sites tend to use, so you might as well disable it. Any way to do that with Firefox?
Re:Personally Identifiable Information (Score:3, Interesting)
As seen time and time again, the answer is yes. That fingerprint you have - did you go shopping with it? Boom, you've just linked your fingerprint to a name, address, phone number, and partial credit card. Or visit Facebook? Or other social networking site?
Remember that Netflix contest? A simple match of that data with IMDB reveals all. And people constantly do things that inadvertently link their personal information with a fingerprint.
It's only a matter of time - businesses often sell your information to third parties, and soon those third parties will pay for the fingerprints as well. It doesn't have to be an exact positive match, even something as crappy as a 50% hit rate is enough to be spooky. And even if YOU don't make yourself identifiable, others do to make it worthwhile to do so.
And even if we strip down tons of browsers to return the same information regardless, there'll be other ways - possibly using Flash to profile your system to generate your fingerprint (they already do with flash cookies). Hell, who knows what Flash can retrieve, especially on phones (the UI to manage flash cookies is crappy enough. The UI to do it on mobile phones supporting flash will probably be non-existent).
Re:Don't worry (Score:3, Interesting)
Yeah and the funny thing is what ID'd me was NOT the fonts...it was the codecs. My fonts are pretty bog standard but I like K-Lite codec pack [free-codecs.com] as it is an easy way to have video support for all formats set up quickly. According to the test page my codec list is only 1 in 904006 when it comes to codecs.
Of course the nice thing is yet again Noscript comes to the rescue, as with Noscript on my highest ID # is 1 in 256, which is only because of using FF over IE. So yet again FF scores a win for me by having the indispensable Noscript. FF plug-ins FTW!
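Added example, not part of the original thread and not the EFF's code: a small measurement of how identifying a browser configuration is, in the "1 in N" terms the comment above quotes and the uniqueness figure the story summary reports. The visit records, attribute names and the two attribute sets are constructed assumptions; the script-blocked case is modelled by keeping only the header-visible user agent.

```python
import math
from collections import Counter

# Constructed sample of visits (not real data): what each browser exposes to a site.
VISITS = [
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash;Java", "fonts": "Arial;Verdana"},
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash;Java", "fonts": "Arial;Verdana"},
    {"user_agent": "Firefox/3.6 (Windows)", "plugins": "Flash", "fonts": "Arial;Verdana;Comic Sans"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash;Java", "fonts": "Arial;Verdana"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash;Silverlight", "fonts": "Arial;Verdana"},
    {"user_agent": "MSIE 8.0 (Windows)", "plugins": "Flash;Java", "fonts": "Arial;Verdana;Wingdings"},
    {"user_agent": "MSIE 8.0 + toolbars (Windows)", "plugins": "Flash;Java", "fonts": "Arial;Verdana"},
    {"user_agent": "Firefox/3.6 (Linux)", "plugins": "Flash", "fonts": "DejaVu Sans"},
]

# Assumption for this example: the user agent travels in every HTTP request,
# while plugin and font lists are only readable when scripts/plugins may run.
HEADER_ONLY = ("user_agent",)
WITH_SCRIPTS = ("user_agent", "plugins", "fonts")


def _keys_and_counts(visits, attrs):
    """Combine the chosen attributes into one fingerprint key per visit."""
    keys = [tuple(v[a] for a in attrs) for v in visits]
    return keys, Counter(keys)


def surprisal_bits(visits, attrs):
    """Per visit: log2(N / visits sharing the same fingerprint), in bits."""
    keys, counts = _keys_and_counts(visits, attrs)
    return [math.log2(len(keys) / counts[k]) for k in keys]


def unique_fraction(visits, attrs):
    """Share of visits whose fingerprint matches no other visit in the sample."""
    keys, counts = _keys_and_counts(visits, attrs)
    return sum(counts[k] == 1 for k in keys) / len(keys)


def one_in_n_to_bits(n):
    """Convert a '1 in N' figure into bits of identifying information."""
    return math.log2(n)


if __name__ == "__main__":
    for label, attrs in (("headers only", HEADER_ONLY), ("scripts allowed", WITH_SCRIPTS)):
        bits = surprisal_bits(VISITS, attrs)
        print(f"{label}: {unique_fraction(VISITS, attrs):.0%} unique, max {max(bits):.2f} bits")
    print(f"1 in 904006 = {one_in_n_to_bits(904006):.2f} bits; 1 in 256 = {one_in_n_to_bits(256):.0f} bits")
```

Running it on your own access logs instead of the constructed list shows which exposed attribute contributes the most bits, and therefore which one is worth hiding or normalising first.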
Re:damn. (Score:2, Interesting)
Unless you're doing something wrong there's no reason to ever try to trace it back to a source.
I realize that it's a bad idea, but posts like this make me think we should have a (-1, ignorant) mod anyway.