EFF Publishes Study On Browser Fingerprinting

Rubinstien writes "The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."

Re:

[thijsh]

I have exactly 20.57 bits too! I guess you're that special 1 in 1558541... ;)

Re:

[PIBM]

It`s simple: since your representation was not seen before, and that there`s now been 1,559,692 test, you can obtain your minimum number of bits (the maximum is unknown) as being the log (1,559,692 ) / log (2), the exponent to 2 required to obtain so many tests..

Re:

[Yvan256]

20.57 bits too. Safari 5 on Mac OS X with plug-ins and Java disabled, javascript enabled.

Re:Winning

[CastrTroy]

I've always wondered about this stuff. If you're one of the 6 people on the internet who care about this stuff, and therefore block all their fingerprint methods, doesn't that make you somewhat unique? Wouldn't it make more sense to return a random list of fonts, a random user agent, and randomize all the other information they are fingerprinting you with to make it seem like you're a different person every time, rather than being one of only 6 people who have a very simple UserAgent string, with no extra stuff tacked on the end?

Re:

[gomiam]

I would actually look for the more common fingerprints and return them. One hides better when one looks like the environment, right?

Re:

[CastrTroy]

Exactly. If you follow the information on the Panoptoclick site, then it tells you to disable a bunch of stuff, that only a very small number of people will do. Toss in that information with tracking your IP to a city, and you are probably very unique, yet panoptoclick says you aren't unique anymore. I think the methods for determining uniqueness are very flawed. I mean, if everybody followed the recommendations they put out, then the entire internet would look homogeneous, and everyone would be the same

That unique identifies marsh gas...

[AlexiaDeath]

I visited that site several times with the same browser over several weeks, each time it was unique. Some plugin had updated, some font had been installed... So for tracking me it would be totally useless. The uniqueness it identifies is only valid for a session or two.

Re:That unique identifies marsh gas...

[Anonymous Coward]

If you read the article they write that it's trivial to track users despite minor fingerprint changes. Page 13 of the PDF.

Re:That unique identifies marsh gas...

[AlexiaDeath]

Read the relevant section. They tested the algorithm against browsers that had cookie indication of sameness.
"We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1{2 hours or more after their first visit, and who now had a different fingerprint."
Take that out and you get a flood of false positives.

Re:

[Anonymous Coward]

No, actually. They tested the ones with cookies against their entire database, then tested their answer against the cookie. They guessed 65% of the time and were right 99% of the time. The false positive rate was 0.86%. Basically, 64% of the time they will still be able to track you. And this is their "crude" algorithm.

Repeating myself for clarity:

They only used the cookies to test for correctness of their guess, not to make the guess.

Re:

[AlexiaDeath]

Im reading the quoted sentence clearly stating that they picked users they had cookies for. Out of those were the matches made.

Re:

[phme]

From the paper:
"We implemented a very simple algorithm to heuristically estimate whether a given ngerprint might be an evolved version of a ngerprint seen previously. [...] Excluding users whose ngerprints changed because they disabled javascript (a common case in response to visiting panopticlick.eff.org, but perhaps not so common in the real world), our heuristic made a correct guess in 65% of cases, an incorrect guess in 0.56% of cases, and no guess in 35% of cases. 99.1% of guesses were correct, while

Re:

[AlexiaDeath]

Yes, I read it. But the results are also marsh gas if you take the cookie based set selection out of it.

Re:

[AlexiaDeath]

Okay, that is a bit more sensible talk. It still boils down to "Whitelist your god damn cookies".

Re:

[DarwinSurvivor]

It's difficult now, just as creating reliable dynamic interfaces is difficult *cough*slashdot*cough*, then people wrote libraries such as jquery to deal with such things. If this fingerprint thing takes off, I guarantee someone will do the same and it'll be nothing more than a bolt-on library with a "gen_fingerprint" and "update_fingerprint" binding that will let even the greenest of script kiddies could pull it off.

Bits of identifiable information

[mattdm]

"18.8" doesn't sound like a big number, until you consider what it stands for. Each bit of information halves your uniqueness. That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today, that means you're down to being one in 4500. That's about the same as saying "My name is Matthew Miller and I live in the United States." Not particularly private!

Another way to think of it is this: those two billion people represent 31 bits of uniqueness. Every bit of information revealed knocks off some of that. When you're down to one, you're positively identified. Your web browser is giving up at least 18.8 of those thirty for nothing, leaving you with just about 12.

Re:Bits of identifiable information

[fnj]

Er, actually each bit of information doubles (not halves) your uniqueness.

Re:

[Windrip]

Who modded this comment insightful? Obviously those who didn't RTFA.

From pg. 6

Surprisal can be thought of as an amount of information about the identity of the object that is being ngerprinted, where each bit of information cuts the number of possibilities in half.

Re:Bits of identifiable information

[SydShamino]

Halving the possibilities doubles the uniqueness.

Re:

[Anubis IV]

Pedantry at its finest.

Re:

[ugen]

Your face gives out about 25 bits :) (Depending on how acute the perception is of someone looking at it). Your fingerprints are good for pretty much the entire 32 bit. Even your voice is probably good for 20 bits or so, with appropriate equipment.

The only way to be untrackable is to be completely undistinguishable from a very large set of people. It is possible, but what fun would that kind of life be? You can't both *be* a unique individual and expect others not to notice that/not to treat you like such.

Re:

[Inda]

Take the population of the UK - 66m

Two people will share the same face.

You can't tell me you've never seen two people who look like the pitting image of each other.

Re:

[icebraining]

The keyword is perception. You can't distinguish different but very similar faces.

Re:

[phme]

Indeed. But your biometric data is unlikely to be in present in a single database of perhaps a billion people. Yet.

Re:

[Bengie]

"That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today"

Tack on your IP address and they can figure out which city you're connecting from. So, I can be identified out of a crowd of 456k people, but my city only has 10k people. Sounds like they probably keep track of me quite easily.

What if you use "default" for your browser?

[cpu6502]

The author said his browser was identifiable because of his font and addon settings. i.e. He probably customized it.

But what about those of us who use "default" settings and customize virtually-nothing? Are we identifiable, or do we got lost in the crowd? I suspect the latter.

Re:

[Nursie]

You, and 99% of the people who neither know nor care about privacy, are all fine. standard os, standard browser, no uniqueness.

the like of me on debian wheezy with iceweasel and a few privacy plugins, conversely, are east to track. turns out blending into the crowd is effective. who knew?

Re:

[cpu6502]

>>>You, and 99% of the people who neither know nor care about privacy,

This is an incorrect conclusion.

Re:

[icebraining]

That statement contains no conclusion. Parent is joining two sets: (You) + (99% of the people who neither know nor care about privacy).

If parent had said "You, and the other 99%...", (s)he would be including you in the group, but that was not the case.

Re:

[glwtta]

But what about those of us who use "default" settings and customize virtually-nothing?

I wouldn't be so sure. In my case, just the specific versions of the Java, QuickTime, and Flash plugins (Java 1,6,0,20; QuickTime 7,6,5,0; Flash 10,1,53,64;) provided about 20 bits of identifying information - quite a few people will have these "customizations", and the versions depend on when they were installed.

Available system fonts are affected by the applications installed, including the crapware that OEMs prel

Re:

[johncandale]

You also have your OS version, your system fonts, (sometimes installed by certain apps you installed), your screen resolution, your timezone, etc. Or you could just go to the website in the summary: http://panopticlick.eff.org/ [eff.org] and test yourself

how do they know it's unique?

[gl4ss]

how do they know it's unique? they say my browser is unique, I got no serious doubts about that(nightlies), but how would they know if it's me browsing two times or someone else? my screen sizes going to be different when I go home, too. is this what my money would go to if I donated money to EFF? start doing a fooler filter, this research project as it is sucks and benefits mostly some people who are working on identifying unique visitors to ads/sites, though not much to them either. and another thing -

Old news

[Plouf]

Article dated from May 2010...

Re:Article is a dupe too!

[thegarbz]

You think that's bad. The article is a dupe too [slashdot.org].

Worse still it's not a dupe of say an Android article where searching for Android produces pages and pages of results. If you search in slashdot "browser uniqueness" you'll get 3 results, 2 of which almost have the same title.

I still think Slashdot would do just fine without editors.

Re:

[ethork]

The amazing part is, that earlier article you linked to (from May 18, 2010) is itself a dupe of an even earlier article [slashdot.org] (Jan 27, 2010) from the same year!

Thanks, NoScript!

[nman64]

15.21 and 1:38023

The UA and HTTP_ACCEPT headers provided most of the bits, and those will be pretty common for anyone using the same browser version and platform. NoScript blocked most of the other detection techniques, and those results will be common with anyone else using NoScript or with JavaScript disabled.

No script FTW

[Infiniti2000]

No script and whitelist-only cookies = 14.16 bits of info. The bottom six values are not available.

"0.39 bits"?

[therealkevinkretz]

Okay, my CS degree is fourteen years old but how can the information identifying whether or not my browser accepts cookies be '0.39 bits'? Isn't it a yes/no, single-bit piece of information? All the other information is described in non-whole-numbers also. Aren't bits discrete?

Re:

[therealkevinkretz]

Oops. I should have read the article before asking. If anyone else misunderstood the values, the explanation is on page six of the article.

Re:

[betterunixthanunix]

Aren't bits discrete?

Not in information theory. Suppose I had an unfair coin; a priori, you know that the probability of the coin landing "heads" was 3/4. If I perform the experiment, how many bits of information will you gain when I tell you the outcome? It is clearly less than 1 bit, because if I perform the experiment 100 times, I will not need to send you 100 bits to describe the outcome of each toss (I should be able to compress that string, since there will be a strong bias).

Re:

[value]

Actually that would make you even more unique. Because no one else will create the same fake fonts as you...

My user agent string is unique

[amorsen]

I haven't even customized my user agent string and I'm using the standard Fedora 14 browser, but my user agent string itself is unique... Seems like I am the only Danish Fedora 14 user who has clicked on panopticlick recently.

Unique?

[sgunhouse]

According to them, I'm the only person in the world using Opera 11.50 on 64-bit Linux. Yeah, right. Sample size isn't really large enough yet, I guess ... I'm sure using a beta version of Opera on 64-bit Linux is rare, but it is definitely not unique.

Re:

[grahamm]

But with the EU directive on cookies, triggered by privacy concerns, will the EU then introduce a ban on the the use of browser fingerprinting?

tell a white lie for a 9-bit fingerprint

[meyering]

With firefox 3.6.18pre, a carefully chosen User Agent (below), default HTTP_ACCEPT headers and noscript, panopticlick says that my
fingerprint conveys 9.01 bits of identifying information.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7

I guess I'd petter change something.

[Bryan Bytehead]

My browser plug-ins make me unique. My fonts make me unique.

I'm unique. Just like everybody else...

Slashdot

[kelemvor4]

News for nerds, stuff that was published a really long time ago.

Not Always Nefarious

[Bloodwine77]

I perform some lazy browser fingerprinting and generate a hash for that visitor. I mainly use it for traffic purposes (tracking new visitors vs. returning visitors). I understand that it isn't foolproof and will generate some false results in some cases, but that is not important to me. I don't store any personal identifying information, just a hash.

It also is a way for my sites to stop trying to give cookies to visitors who have cookies disabled. It checks the hash and if that hash has been seen recently a

Sometime used for legit reasons

[khendron]

Many web sites that provide online financial services, and also gateways to MMORPGs, use browser fingerprinting to detect fraudulent use of the service. For example, if a user logs in consistently using a specific browser on a specific computer, and then logs in from a completely different browser, or from a different computer, then there is the suspicion that someone other that the user is logging in using stolen account information. The web site will in such cases ask for some 2nd form of authentication (

well

[Charliemopps]

Anyone have any tips or add-ons that block sending some of this information to make us less identifiable?

Wikipedia

[FhnuZoag]

This sounds like it could have some uses for e.g. wikipedia, where instead of blocking vandals by IP, you can block individual users on a certain IP address block instead. This would work for people vandalising off university networks, for example.

My browser ...

[PPH]

... is my passport. Verify me.

Is there?

[koan]

I've always wondered if there was a software for web browsing that would let you spoof all of that type of information, hiding OS type, browser version, JAVA, etc.

This is very old news

[hesaigo999ca]

I remember when /. first covered the device fingerprinting method that was developed by some chinese kid using all sorts of details and flags to build the end fingerprint, which a 99% accuracy rate (supposedly reviewed by his peers at that time) some 10 years ago.....is this the same thing?
I don't know...but I am sure that he may be wanting compensation if they are using his code and not paying him.