Tracking Browsers Without Cookies Or IP Addresses?
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.
If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
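Added example (not EFF code and not from any comment in this thread): how the "bits of identifying information" figure in the story is computed, and why attributes that are each common can still single one browser out once they are combined. The population below is constructed by hand to total 1024 browsers so the arithmetic is easy to follow; it is not Panopticlick data.

```javascript
// Added example, not EFF's Panopticlick code. The POPULATION is constructed:
// each row says how many browsers in a sample share that exact configuration.
const POPULATION = [
  { count: 512, ua: "Firefox/3.5.7 WinXP",   screen: "1280x1024", plugins: "flash",              fonts: "standard" },
  { count: 256, ua: "IE7 WinXP (.NET)",       screen: "1024x768",  plugins: "flash,wmp",          fonts: "standard" },
  { count: 128, ua: "Firefox/3.5.7 WinXP",   screen: "1024x768",  plugins: "flash",              fonts: "standard" },
  { count:  64, ua: "Safari Mac",             screen: "1440x900",  plugins: "flash,quicktime",    fonts: "mac" },
  { count:  32, ua: "Firefox/3.5.7 WinXP",   screen: "1280x1024", plugins: "flash,java",         fonts: "standard" },
  { count:  16, ua: "Chrome WinXP",           screen: "1280x1024", plugins: "flash",              fonts: "standard" },
  { count:   8, ua: "Firefox/3.5.7 WinXP",   screen: "1280x1024", plugins: "flash,java",         fonts: "designer" },
  { count:   4, ua: "Firefox/3.5.7 Win2003", screen: "1280x1024", plugins: "flash",              fonts: "standard" },
  { count:   3, ua: "Lynx/2.8.5",             screen: "",          plugins: "",                   fonts: "" },
  { count:   1, ua: "Firefox/3.5.7 WinXP",   screen: "1280x1024", plugins: "flash,java,labview", fonts: "designer" },
];

const TOTAL = POPULATION.reduce((n, row) => n + row.count, 0); // 1024

// Surprisal: a value shared by `matching` of `total` browsers carries
// log2(total / matching) bits. "1 in about 1,500" is log2(1500) = 10.55 bits.
function bits(matching, total) {
  return Math.log2(total / matching);
}

// Number of browsers matching every attribute in `attrs`, e.g. { ua: ..., screen: ... }.
function matching(population, attrs) {
  return population
    .filter(row => Object.keys(attrs).every(k => row[k] === attrs[k]))
    .reduce((n, row) => n + row.count, 0);
}

function surprisal(population, attrs) {
  const total = population.reduce((n, row) => n + row.count, 0);
  const m = matching(population, attrs);
  return { matching: m, total, oneIn: total / m, bits: bits(m, total) };
}

// Add attributes one at a time and watch the bits accumulate. With scripts
// off a site sees roughly the first column only; with scripts or Flash on,
// it sees all of them.
function cumulative(population, target, order) {
  const seen = {};
  return order.map(key => {
    seen[key] = target[key];
    const s = surprisal(population, { ...seen });
    return { upTo: key, oneIn: s.oneIn, bits: Number(s.bits.toFixed(2)) };
  });
}

// A browser like the one a commenter describes below: common UA and screen,
// but a rare plugin list and an unusual font set.
const TARGET = { ua: "Firefox/3.5.7 WinXP", screen: "1280x1024", plugins: "flash,java,labview", fonts: "designer" };

if (typeof require !== "undefined" && require.main === module) {
  console.table(cumulative(POPULATION, TARGET, ["ua", "screen", "plugins", "fonts"]));
}
```

Read `oneIn` the way the EFF page means it: 1 in 1.5 is anonymous, 1 in 1024 is unique in this sample. The UA alone puts TARGET in a crowd of 681; the plugin list on its own reduces that crowd to one.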
Results and flash cookies (Score:5, Informative)
I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite generic.
Plugins were also completely unique and really easy to detect in any browser other than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and look easy to detect.
Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.
Another thing people usually forget about when clearing cookies is that Flash has cookies too and they don't get cleared along with the rest. When did you last clear them? Probably never. You can use BleachBit [sourceforge.net] to clear those along with other software, history and temp data.
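Added example (not Panopticlick's script and not from any comment here): the kind of fingerprint a page script can assemble from what the browser hands over without asking, and the much thinner view that remains when scripting is off. The collector reads from a navigator-like object, so it runs in Node against the constructed stub below and in a browser against the real `navigator` and `screen`. Plugin and font lists are joined in the order the browser reports them, because that order is part of the signal. The stub's UA string is one quoted later in this thread; the plugin names, fonts and hash choice are assumptions.

```javascript
// Added example, not EFF code. FNV-1a 32-bit: a cheap, stable hash to fold
// the collected components into one identifier.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Everything here is readable by page script alone: no cookie, no IP needed.
function collectFingerprint(nav, scr, tzOffsetMinutes, fonts) {
  const plugins = [];
  for (let i = 0; i < nav.plugins.length; i++) {
    const p = nav.plugins[i];
    plugins.push(`${p.name} ${p.version || ""}`.trim());
  }
  const components = {
    userAgent: nav.userAgent,
    language: nav.language,
    platform: nav.platform,
    plugins: plugins.join(";"),                       // order kept on purpose
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
    timezone: String(tzOffsetMinutes),
    fonts: (fonts || []).join(";"),                   // in 2010 obtained via Flash/Java
  };
  const canonical = Object.entries(components).map(([k, v]) => `${k}=${v}`).join("|");
  return { components, id: fnv1a32(canonical).toString(16).padStart(8, "0") };
}

// With scripting off, only what the HTTP request itself carries remains.
function collectFromHeaders(headers) {
  const keys = ["user-agent", "accept", "accept-language", "accept-encoding", "accept-charset"];
  const canonical = keys.map(k => `${k}=${headers[k] || ""}`).join("|");
  return { components: canonical, id: fnv1a32(canonical).toString(16).padStart(8, "0") };
}

// Constructed stand-ins for navigator/screen (assumed values, not measurements).
const STUB_NAVIGATOR = {
  userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)",
  language: "en-GB",
  platform: "Win32",
  plugins: [
    { name: "Shockwave Flash", version: "10.0 r42" },
    { name: "Java(TM) Platform SE 6 U17", version: "" },
    { name: "Windows Media Player Plug-in Dynamic Link Library", version: "" },
  ],
};
const STUB_SCREEN = { width: 1280, height: 1024, colorDepth: 24 };
const STUB_FONTS = ["Arial", "Verdana", "Mentor Graphics Veribest Gerber 0"];

if (typeof navigator !== "undefined" && typeof screen !== "undefined") {
  // real browser: show the live fingerprint
  console.log(collectFingerprint(navigator, screen, new Date().getTimezoneOffset(), []));
} else {
  console.log(collectFingerprint(STUB_NAVIGATOR, STUB_SCREEN, 0, STUB_FONTS));
}
```

The point of `collectFromHeaders` is the contrast the NoScript comments below make: the headers-only view is the same for everyone on the same browser build, while the scripted view adds plugin order, screen geometry and fonts, and those are what pushed commenters from "1 in 143" to "unique".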
Re:Results and flash cookies (Score:5, Interesting)
And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.
I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.
Now I also realize, that I'm not a "normal" case. Here's to being "odd" !
Re: (Score:2)
I wouldn't say that you are abnormal, but I foresee that browsers in the future will look into having stealth options to remove all identifiable information from the HTTP requests and randomize what can't easily be filtered out.
Of course - there are details that are a bit more tricky to fiddle with - like originating IP address.
Unique among 18100+ (Score:2)
On other items, they were not unique, but often in a small set. The combination of a few rare settings could easily make the browser nearly unique in a far larger set. Chromium was nearly unique in fonts (2 brow
Re: (Score:2)
> ...do we have to install or remove some fonts every day, or change screen
> resolution...
No. You just have to change what you report, not what you actually do.
Re: (Score:2)
Disable javascript globally and enable it for sites you like and need it. Most of the unique info is sent by it.
Little Bobby Tables in User Agent String (Score:5, Funny)
Let's see who's tracking what :P
Somebody write a firefox plugin that changes "Fingerprints" to "DropDB" statements
Re:Little Bobby Tables in User Agent String (Score:5, Informative)
1) Type "about:config" in the addressbar, if you haven't been there before you must confirm that you are actually a geek.
2) Filter for "useragent", then append whatever you want [xkcd.com] to the general.useragent.extra.firefoxComment key.
3) Help -> About shows your current user agent, btw.
4) Wait for lawsuits? Or Profit? I forgot...
Re: (Score:3, Interesting)
I use a couple dozen different computers for things, and if they can "track" "ME" from that, all the better. Additionally, there are other people who use the same computers that I do, and if they can sniff out who is browsing at what time, all the more power to them. I also use three different browsers on the same computer to browse various sites as well, because of how they are rendered and the speed of rendering.
Advertising companies don't need to be able to identify an individual in order for the data to be useful to them - if they can identify what sites the people that use your computer go to they can construct a demographic that is more useful to them than simply the average user of the site showing the adverts.
Put it this way: television companies can't tailor their adverts for specific viewers, but they still put significant effort into finding out information about those viewers. Why? Because the more precis
Re: (Score:2)
If you know what sites every computer visits you could say, for example, that computers that visit Slashdot are unlikely to visit mypinkpony.com
Hey!! >:[
Re: (Score:2, Interesting)
Re: (Score:2)
Actually, Torbutton already anonymizes the user agent string and screen resolution and blocks browser plugins. I don't think it blocks fonts, so that still could be an issue.
But even without any anonymizing plugin, I tested my Mac and found it to be relatively untrackable—one in every few thousand computers matches it. It's not too surprising; Apple pushes Flash/Java/Quicktime updates, Safari stays up to date, and there are only a handful of Mac screen resolutions. Unless you've got some unusual sys
Re:Results and flash cookies (Score:5, Informative)
You are misreading the statistics. If only one in a few thousand computers matches yours, then you are very trackable. Your computer sticks out in a crowd. You want to be as close to 1:1 as you can get, as in, my computer looks like every other computer.
Re:Results and flash cookies (Score:5, Informative)
Or actually, I read that wrong... looks like a huge win for open browsing and scripts off, and huge loss for torbutton with scripts off... especially at under 20k tested so far.
Re: (Score:2)
And someone will create a Firefox Plugin in a few days that will randomize the variables being reported back, thus invalidating this.
There are still many unique variables for a given HTTP connection, even if only looking at the times and orders of connection requests. Not to mention cache effects or URL tracking tricks.
You can be anonymous but you can't be ambiguous, if you use sites which use data mining techniques to identify their visitors (and you don't know who those are).
Re: (Score:3, Informative)
https://addons.mozilla.org/en-US/firefox/addon/6581 [mozilla.org]
too late, they beat you to it.
Re: (Score:2)
Dang slashdot. It ate this and I did not see it as a response for 10 minutes so I figured it did not post... Sorry about the dupe.
Re: (Score:2, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
https://addons.mozilla.org/en-US/firefox/addon/6581 [mozilla.org]
It already exists.
Re: (Score:2)
Re: (Score:2)
One extra thing I noticed also. If you disable javascript they weren't able to get any other info than user agent and http_accept strings.
So NoScript is good to use. Also in Opera you can do this by disabling JavaScript globally and enabling it on a per-site basis.
Re:Results and flash cookies (Score:5, Funny)
Using NoScript tells them plenty of information.
You are either:
1) Aware of the security risk on the internet so you disabled javascript
2) You suffer from Paranoid Schizophrenia and don't want them controlling things
3) You have a serious aversion to adds
So the adds they should show you would go something like this in a jpg or animated gif (that is not a standard banner size).
Do you want that extra protection that you just can't get on your own? You need more information on how addvertisements and security threats work. Fallow this link to make sure you are informed. They are still watching you.
Sometimes they don't have to track you to figure out your habits
Re: (Score:3, Interesting)
With javascript disabled my profile was a mere one in 143, but when I enabled javascript and let them run it again, I became a unique flower.
While having javascript disabled does bin me somewhat (perhaps to 1-2%), telling them about my LabVIEW 8.6 Plugin for Netscape 32 and my Mentor Graphics Veribest Gerber 0 fonts made me completely unique.
So yeah, javascript disabled totally helps.
Re: (Score:2)
Nah it seems broken.
I revisited the page multiple times (Shift+Refresh) and each time I was completely unique, despite the content of the page never changing (at least with respect to the headers shown). Noscript didn't make a difference, I was always unique, despite none of the measures showing this. The most "identifying" piece of information was supposedly the HTTP_ACCEPT header, which specifies "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip en-us,en;
Re: (Score:2)
If you turn off Javascript, you have to go back to the main page and click to start the test again. The &js=yes in the URL messes up the test otherwise.
Keep in mind that you might not have any unique stats, but you might still have a unique combination of stats.
Re: (Score:2)
2) You suffer from Paranoid Schizophrenia and don't want them controlling things
You don't have to suffer from paranoid schizophrenia to not want others controlling you any more than you have to be bipolar to get angry at people who want to manipulate you.
BTW and offtopic, there is only one "d" in "ad" and "advertisement", "add" is a verb. And "fallow" means "barren". Dew know truss yore spill chucker, yews you're ayes. The last sentence will pass a spell check with flying colors, but it's pretty hard to rea
Re: (Score:2)
Anyone using the screen size characteristic can be fooled merely by moving my browser to another monitor (mine aren't identical).
Re: (Score:2)
> they don't even need those tracking cookies because your browser leaves so much unique data behind it
It may be unique, but it is not constant, and therefore not as such suitable for tracing. However, if you use it in connection with other data (such as the IP and a tracing cookie) and update your database regularly, you would be able to notice changes of individual parts, including the cookie. They could just restore the cookie based on your likely identity, although that is pretty complicated.
Overall
Re: (Score:2)
Well... I've heard genes are quite unique!
Thanks EFF. I never thought about that. (Score:5, Funny)
Re:Thanks EFF. I never thought about that. (Score:5, Funny)
Psh. Real trackers use emotional demographics to Identify their users.
By tracking the various mouse movements on the page, and every key that might be entered, and the timing it takes between movements or keypresses, I can analyze that persons emotional relationship towards my web page. Some people might be angry, and thus have more spelling mistakes in their rage, or some people might be tender, loving, and caring, caressing the page softly and gently with their mouse.
Everyone has different habits and expresses their feelings towards web pages in different ways. I can easily tell who is visiting my site based on how they are visiting my site.
Re: (Score:2)
Re: (Score:2)
This already happens. With Ajax reporting back mouse movements, clicks and keypresses, the site admin can snoop on the visitors and see exactly what they are doing.
So CmdrTaco knows that 95% of Slashdotters type one-handed? O_o
Re: (Score:2)
Your browser fingerprint appears to be unique among the 3,396 tested so far.
Fuck.
Re: (Score:3, Funny)
I got that too when I used Lynx.
Your browser fingerprint appears to be unique among the 4,655 tested so far.
Re: (Score:2)
What I find disturbing is that it's two categories which my browser is showing up unique in: Browser Plugins and System Fonts. It's the System Fonts uniqueness that has me perplexed.
Re: (Score:2)
I got:
"Your browser fingerprint appears to be unique among the 6,335 tested so far."
So, in the last 15 minutes, they appear to have had roughly 1000 new visitors.
Sounds like they're collecting some new information.
Re: (Score:2)
"Your browser fingerprint appears to be unique among the 11,342 tested so far."
Re: (Score:2)
Chrome: Your browser fingerprint appears to be unique among the 10,511 tested so far.
IE6: Your browser fingerprint appears to be unique among the 11,542 tested so far.
Firefox: Your browser fingerprint appears to be unique among the 11,788 tested so far.
Boy do I feel special. I'm surprised IE6 came back unique. It looks like it was .NET's fault.
Re: (Score:2)
My Ubuntu box: "Your browser fingerprint appears to be unique among the 13,730 tested so far."
My Mac: "Your browser fingerprint appears to be unique among the 13,337 tested so far."
I didn't realize I was so unusual
Re: (Score:2)
Go figure...Mozilla on WinXP is more anonymous than Mozilla on Gentoo or Ubuntu and more anonymous than Safari on Mac
Re: (Score:2)
You had javascript disabled. Try it again with it enabled.
Re: (Score:2)
Re: (Score:2)
Your browser fingerprint appears to be unique among the 19,296 tested so far.
: (
Shows who your true friends are. Thank Microsoft. (Score:2, Informative)
There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. [microsoft.com] A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.
Re: (Score:2)
Security through obscurity never works. Your argument is the same as that of a company that is suing people who publish their findings about security holes.
Already being done (Score:5, Informative)
Dell Default Image (Score:2)
Unless you are one of the 100,000 using any particular Dell/HP/Apple default install on your PC.
2 ^ 10.5 is lots of combinations, but I bet there are lots of spikes on some.
Re: (Score:2)
Further a lot of the information is stuff that is likely to change over time with the installation of browser updates, OS updates, some new apps (if they bring fonts with them)
Though apparently my user agent ( "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)" ) is unique among those tested so far :/
Re: (Score:2)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
– unique.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
– 1 in ~800
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
– 1 in ~530
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
– 1 in ~230
Mozilla/5.0 (
Re: (Score:2)
Your Windows NT version is making you stand out the most.
I'm not exactly surprised, 5.2 is little used on the desktop because there is no 32-bit desktop edition of 5.2.
en-GB is also making you stand out, although after getting Slashdotted by the US this is not surprising. ;)
Re: (Score:2)
That’s what I figured, on my PC at work, but I was wrong. (When I get home, I’ll have to try it there.)
My fonts – the default ones installed on the PC – are shared by only 1 in about 3,200 visitors.
The IE user agent string, with its .NET information, said that only 1 in 4,200 browsers shares it.
Using the version of IE installed on the PC (version 7), my particular combination of Java, Flash, and WindowsMediaplayer was unique (amongst about 13,000 visitors so far).
Using Firefox, on th
in other news (Score:5, Funny)
Researchers have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.
LOL (Score:4, Insightful)
The site says "Only anonymous data will be collected by this site." Yet they are collecting data to see how un-anonymous you actually really are! :)
Re: (Score:2)
Re: (Score:2)
Good work. This utility is very helpful.
I'm glad I support the EFF.
Re: (Score:2)
True... and since you can revisit the page to see your updated stats, and it remembers you’ve been there, I can only assume it uses a cookie (they could track via IP, but I wouldn’t consider that anonymous and I don’t think anyone else with any sense would either). Looking at my cookies, I have a PHPSESSID, so apparently that is how they’re avoiding double-counting.
It seems to me, though, that users without cookies would be re-counted every time they visited, or perhaps it would not
Suggestion for more generic User Agent String (Score:2)
We are all V
or
We are all Zero
Choice will of course depend on if you are a V for Vendetta or Code Geass fan. It will also decide which mask you should wear when the revolution comes.
We could also use;
Ninjas (should Ninjas be blank?)
Pirates
IPv6 will make this obsolete (Score:4, Interesting)
Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignments. Same for large networks that currently use NAT.
So the vast majority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.
Re: (Score:2)
IP addresses (even IPv6) are addresses, not phone numbers. The address identifies the place where the packets are supposed to go, not the person to whom they're supposed to go.
IPv6 was designed to be hierarchical to address some of the shortcomings of the IPv4 allocation process, which requires backbone routers to maintain and exchange large routing lists.
Personal subnets won't be implemented because people move around; it's not feasible to change the global routing infrastructure every time you go to work.
Now it m
Re: (Score:2)
IP addresses (even IPv6) are addresses, not phone numbers. The address identifies the place where the packets are supposed to go, not the person to whom they're supposed to go.
So it can be used as a unique household identifier instead of a unique person identifier. That does not make it less of a privacy concern.
Sure you can change this identifier by changing ISPs or using a PC in a different location. It is still a lot harder to change than a cookie or a dynamic IP, and impractical to do so each day. Adver
Re: (Score:2)
> It is still a lot harder to change than a cookie or a dynamic IP, and
> impractical to do so each day.
Proxies.
Re: (Score:2)
Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignments.
Not necessarily. Unless the user explicitly asks for a routable /48 or /56, I'll bet most ISPs just give each user a /64 and have them autoconfigure, in which case there's always the Privacy Extensions for Stateless Address Autoconfiguration [ietf.org] option.
Re: (Score:2)
Not necessarily. Unless the user explicitly asks for a routable /48 or /56, I'll bet most ISPs just give each user a /64 and have them autoconfigure, in which case there's always the Privacy Extensions for Stateless Address Autoconfiguration option.
But no matter what the user configures, he is stuck in the /64, or do I misunderstand this?
So if an ISP is known to give its customers a /64 each, then to identify them one just has to discard the later part of the address.
Sure it is not a perfect identifier, y
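Added example (not from any comment here): separating the routed /64 prefix, which an ISP delegates to one customer, from the interface identifier, which the SLAAC privacy extensions rotate. Whatever the host does with the low 64 bits, the prefix stays the household's tag for an observer; and an EUI-64 interface identifier additionally leaks the MAC address. The addresses are constructed examples in the 2001:db8::/32 documentation range.

```javascript
// Added example, not from the thread. Expand an IPv6 text address (with an
// optional "::") into eight 16-bit groups.
function parseIPv6(addr) {
  const parts = addr.split("::");
  if (parts.length > 2) throw new Error("more than one '::' in " + addr);
  const head = parts[0] ? parts[0].split(":") : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) throw new Error("bad length: " + addr);
  return [...head, ...Array(missing).fill("0"), ...tail].map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error("bad group '" + g + "' in " + addr);
    return parseInt(g, 16);
  });
}

// The part the ISP hands out and the customer cannot change.
function prefix64(addr) {
  return parseIPv6(addr).slice(0, 4).map(g => g.toString(16)).join(":") + "::/64";
}

// Classify the interface identifier (low 64 bits).
function analyseIID(addr) {
  const iid = parseIPv6(addr).slice(4);                 // four groups = 8 bytes
  const bytes = iid.flatMap(g => [g >> 8, g & 0xff]);
  // Modified EUI-64 inserts ff:fe between the MAC halves and flips the u/l bit.
  const eui64 = bytes[3] === 0xff && bytes[4] === 0xfe;
  if (!eui64) return { kind: "opaque", mac: null };     // privacy extension, manual, or DHCPv6
  const mac = [bytes[0] ^ 0x02, bytes[1], bytes[2], bytes[5], bytes[6], bytes[7]]
    .map(b => b.toString(16).padStart(2, "0")).join(":");
  return { kind: "eui-64", mac };
}

// Two addresses in the same /64 are the same customer to an observer,
// however often the low half changes.
function sameDelegation(a, b) {
  return prefix64(a) === prefix64(b);
}

// Constructed examples (documentation range), all from one delegated /64.
const SAMPLE = [
  "2001:db8:1234:5678:221:2fff:feb5:6e10",   // SLAAC, derived from MAC 00:21:2f:b5:6e:10
  "2001:db8:1234:5678:8a4d:9f1e:3b7c:2d55",  // privacy-extension IID, no MAC inside
  "2001:db8:1234:5678::1",                   // manually numbered router
];

for (const a of SAMPLE) console.log(a, prefix64(a), analyseIID(a));
```

Privacy extensions fix the second problem (the MAC embedded in an EUI-64 identifier) but not the first: all three sample addresses map to the same `2001:db8:1234:5678::/64`, which is exactly the "discard the later part of the address" step described above.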
Lynx apparently more popular than I thought (Score:4, Informative)
Browser Characteristic : User Agent
bits of identifying information : 11.09+
one in x browsers have this value : 2183
value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev
(Of course, I'm also two minor releases behind... but still, 1 per 2000 is more common than I would've guessed)
Re: (Score:2)
Re: (Score:2)
Hrm...apparently I missed part of the page when I saw that. It's likely that there were only 2183 browsers cataloged at the time.
Oops. Mea culpa.
Re: (Score:2)
http://panopticlick.eff.org/index.php?action=log
Seems to identify itself as IE
Re: (Score:2)
Yeah, looks like someone else has the same User Agent string (1 of 3309 now), and two others have the same HTTP ACCEPT headers (1 of 2206, 'text/html, text/plain, text/sgml, */*;q=0.01 gzip, compress en'), but I'm still unique out of 6618.
Interestingly enough, (Score:2)
roughly one in five browsers has javascript disabled.
Then again, that's probably artificially high based on what circles this story has been circulating in.
I'm twice unique! (Score:2)
My desktop environment is so far unique over 2,357 samples, and my iPod Touch is unique over 2,239 samples. Interesting. I know I have some interesting pieces to my desktop, but 1/2357 surprised me. My iPod Touch being unique, on the other hand, just tells me more about who they've sampled so far than about the uniqueness of the test.
Targeted advertisers - here I am! (Score:2)
Your browser fingerprint appears to be unique among the 6,764 tested so far.
UA strings put unnecessary stuff in them (Score:2)
I look at user agents from time to time, and it blows my mind how much stuff some programs are permitted to put in there. It seems like every toolbar, add-on, and browser re-branding these days wants to put itself in your user agent.
I wonder what the longest non-fake user agent is these days? I recall there was a problem a while back on the Mozillazine forums because it records user agent strings for support purposes, but only allocated so many characters. Thanks to some new toolbars and such some people cou
Why do they need to know my plug-ins?! (Score:2)
I guess I'm somewhat paranoid/security conscious, e.g., I do clear out things like Flash cookies, and I block sites like Google Analytics. What surprised me was that Firefox, a browser I originally chose in part for its reputation of having better security and privacy settings than certain other browsers, seems to be broadcasting a signature that tells any site I visit all of the plug-ins I am using. This not only uniquely identifies me, it also paints a huge target if any of those plug-ins is found to have
Anyone NOT (Score:2)
Re: (Score:2)
My FF3.6 at home is 1 of 262.
Re: (Score:2)
Blocking Javascript, I assume.
EFF's browser test isn't a browser test (Score:2)
When I went to their site to find out how "unique" I was, the site launched a Java applet. This isn't tracking browsers at this point, it's tracking JVMs too. If you're allowed to have the browser launch a third party application, then might as well launch an .exe that scours your hard drive and does an HTTP call back to the EFF.... at that point, might as well just say every system is unique.
Plugins List (Score:2)
I did not realize that my plugins list was the largest source of fingerprint data. I didn't even know it was listed.
I imagine many people use Opera at my screen resolution, but I'd be interested in seeing how many people shared my particular combo of data (aside from the plugins list).
Re: (Score:2)
Taking a look at the plugins I have installed, I'm also surprised at some of them. Hulu Desktop Integration? I thought the purpose of a standalone was so it didn't need to integrate. 2007 Microsoft Office plug in for Netscape Navigator? WTF?
NoScript (Score:2)
With javascript disabled, they said my browser was 1 in 140.
With javascript enabled, they said my browser was unique among all browsers seen so far.
NoScript is so great.
Re: (Score:2)
Re: (Score:2)
This is scary (Score:2, Interesting)
I just realised that the fact that I turn off all my plugins (and Java) and have multiple languages enabled, probably gives a completely unique fingerprint to automated stalkers like google.
Worrying (Score:2)
What will happen when 'they' identify me and fail to correlate my purchase history with the ads I have been served?
"Oh jeez, another one who buys the same groceries every week, drives an old car and wears £3 Asda clothes until they fall to pieces!"
"Another windows 2000 user?"
"Yeah!"
"Dammit, just stop serving him any pages at all and put him on the 'to kill' list."
Highest entropy? (Score:2)
I got my entropy up to 14+ by becoming a Mozilla/4.78 (Macintosh; U; PPC).
Wow! (Score:5, Interesting)
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.
Re: (Score:3, Interesting)
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information.
It doesn't. It's the Adobe Flash plugin, deinstall it and try the test again. BTW, if you have noscript and flash, instead of JS enabled and flashblock, you have your configuration exactly backwards.
Interesting... (Score:2)
Compiling Firefox (Score:5, Insightful)
I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, &c.. So how likely is it that someone else with the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.
Re: (Score:2)
Specifically, the Firefox user-agent when compiled on Gentoo will look like this:
Mozilla/5.0 (X11; U; Linux $ARCH; $LANG; rv:$REVISION) Gecko/$YYYYMMDDHH Gentoo Firefox/$VERSION
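Added example (not from the thread and not Mozilla code): a small parser for the Gecko-era user-agent layout, used to see which token is doing the identifying. It handles both the `.NET CLR` suffix that the Windows NT 5.2 commenter above found unique and the distro/self-built variant just described, with a vendor token and a `Gecko/` build stamp that may carry the hour. The CORPUS is constructed to resemble the ratios posted above (a couple of `en-US` XP builds for each of the rarer ones); it is not measured data, and the Ubuntu and Gentoo entries are assumed strings.

```javascript
// Added example, not Mozilla's code. Parse one Gecko-style UA into its tokens.
function parseGeckoUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/(\d+)\s*(.*)$/.exec(ua);
  if (!m) return null;
  const comment = m[1].split(";").map(s => s.trim());
  const r = {
    platform: comment[0] || "",          // Windows / X11 / Macintosh
    security: comment[1] || "",          // U / I / N
    os: comment[2] || "",                // "Windows NT 5.2", "Linux x86_64"
    locale: comment[3] || "",            // en-GB
    rv: (comment.find(t => t.startsWith("rv:")) || "rv:").slice(3),
    buildDate: m[2],                     // YYYYMMDD; self-compiled builds append HH
    buildHasHour: m[2].length > 8,
    vendor: "",                          // e.g. "Gentoo" or "Ubuntu/9.10"
    product: "",
    version: "",
    extras: [],                          // parenthesised tail tokens, e.g. ".NET CLR 3.5.30729"
  };
  const tail = m[3].replace(/\(([^)]*)\)/g, (_, inner) => {
    r.extras.push(inner.trim());
    return " ";
  });
  const tokens = tail.split(/\s+/).filter(Boolean);
  const productTok = tokens.filter(t => t.includes("/")).pop() || "";
  [r.product, r.version] = productTok ? productTok.split("/") : ["", ""];
  r.vendor = tokens.filter(t => t !== productTok).join(" ");
  return r;
}

const FIELDS = ["platform", "security", "os", "locale", "rv", "buildDate", "vendor", "product", "version"];

// How many UAs in the corpus share each value of one field.
function valueFrequencies(uas, field) {
  const counts = new Map();
  for (const ua of uas) {
    const p = parseGeckoUA(ua);
    const v = p ? String(p[field]) : "(unparsed)";
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  return counts;
}

// For one UA, rank its fields by how few corpus entries share the value.
function rarestFields(ua, uas) {
  const p = parseGeckoUA(ua);
  if (!p) throw new Error("not a Gecko-style UA: " + ua);
  return FIELDS.map(field => {
    const shared = valueFrequencies(uas, field).get(String(p[field])) || 0;
    return { field, value: p[field], shared, bits: Number(Math.log2(uas.length / shared).toFixed(2)) };
  }).sort((a, b) => a.shared - b.shared);
}

// Constructed corpus; the Windows strings are the ones posted above.
const CORPUS = [
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)",
  "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7",
  "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7",
  "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)",
  "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) Gecko/2010011413 Gentoo Firefox/3.5.7",
];

console.log(rarestFields(CORPUS[7], CORPUS));   // the NT 5.2 / en-GB string
console.log(rarestFields(CORPUS[8], CORPUS));   // the self-built Gentoo string
```

Run against this corpus, the NT 5.2 string is singled out by its `os` token first and its `en-GB` locale second, which is what the reply above worked out by hand; the Gentoo string is singled out three ways at once (`os`, `vendor` and a ten-digit `buildDate`), and a build stamp with the hour in it is a field no second person is likely to share.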
The site uses cookies. (Score:3, Interesting)
The irony is that the site uses cookies to determine if you are unique to the site or have been there before.
Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.
browserrecon project (Score:2, Informative)
Hello,
I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:
http://www.computec.ch/projekte/browserrecon/ [computec.ch]
Bye, Marc
Re: (Score:3, Funny)
Two data points... (Score:4, Funny)
By subtly changing where the errors occur (and which ones are reported), they can correlate your slashdot post with the attempted page fetch...
Re: (Score:2)
Re: (Score:2)
As a graphic designer, suppressing the font list would help. Why is it even needed?
Or perhaps more interesting, can I somehow use a huge font list to mount a buffer overflow attack against such monitoring programs?
Re: (Score:2)
I'M BEHIND SEVEN PROXIES!!!!
Won't help you, unless the proxies actively filter out identifying information such as the plugins or fonts you have installed.