Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Privacy Your Rights Online

EFF Says Forget Cookies, Your Browser Has Fingerprints 175

alphadogg writes "Even without cookies, popular browsers such as Internet Explorer and Firefox give websites enough information to get a unique picture of their visitors about 94 percent of the time, according to research compiled over the past few months by the Electronic Frontier Foundation. [The Research] puts quantitative assessment on something that security gurus have known about for years, said Peter Eckersley, the EFF senior staff technologist who did the research. He found that configuration information — data on the type of browser, operating system, plugins, and even fonts installed — can be compiled by websites to create a unique portrait of most visitors. This means that most Internet users are a lot less anonymous than they believe, Eckersley said. 'Even if you turn off cookies and you use a proxy to hide your IP address, you could still be tracked,' he said."
This discussion has been archived. No new comments can be posted.

EFF Says Forget Cookies, Your Browser Has Fingerprints

Comments Filter:
  • by IYagami ( 136831 ) on Tuesday May 18, 2010 @09:40AM (#32252022)

    From TFA:

    "There are some effective countermeasures, however. A uniquely identifiable IDG News Service Windows XP computer running Firefox could not be identified with the NoScript [] safe browsing extension turned on. Adding the Tor [] Internet anonymization software also works, Eckersley said."

    • Chrome also has NoScript-like functionality. Go to Options > Content Settings and disable JS and plugins, and add exceptions using the addressbar icons that appear when you browse sites you trust.
      • But does that work the same as NoScript to select which domains on the site the user allows? I don't like it that google-analytics is on damn near every page on the Internet. I don't need Google tracking me everywhere I go.
    • Even without the Javascript leakage, fonts leak a lot of information. My browser showed up as unique (until I tried connecting with both Mozilla and IE, and with NoScript on and off under Mozilla), because I was the only person with the couple of fonts used by my company for their logo and branding. And even without that, if you downloaded that cool Elvish font, and that fairly clean monospaced console font, that probably makes you unique.

      Browsing would be a lot more private if you could choose which font

      • Isn't there a really simple way to change the fingerprint?
        Why not make a script that just periodically installs some bogus fonts (to avoid having these fonts weeded out automatically, we could create a list of real but unusual fonts that practically never get used in webpages).
        Then the fingerprint will contain more bits, but it won't matter because it changes regularly. If we wanted to really go all out we could do something similar with plugins.
        Although I suspect browsers only load system fonts and pl
        • by amn108 ( 1231606 )

          I would say we are currently at the infancy of fingerprinting. It is a really powerful concept in my opinion, but what it lacks is some help from the field of statistics. What I am getting at is this: imagine you have a script that randomly shuffles and/or adds bogus font references. Todays fingerprinting is more than fragile enough to take you as a completely different client, indeed.

          Tomorrow however, they will start stat'ing graphs where they will identify the periods/wavelets based on the bogus data you

          • I don't understand how they could make a pattern out of it if it is random. Sure, if each client followed the same cycle of font-substitutions on some known, fixed schedule then they could figure it out.
            Or if they managed to finesse the method so they could say, "well we have this sub-combination which seems likely to be unique (say, linux, with Opera v.10, swfdec, and Apple Garamond light) so we are going to ignore these fonts that don't match as noise."
            But that is going to have a higher error rate (beca
      • Re: (Score:3, Interesting)

        by moonbender ( 547943 )

        I agree. In fact, I don't want my browser to send out any kind of information on the fonts I've got installed. It's not a feature sites tend to use, so you might as well disable it. Any way to do that with Firefox?

        • I think it might be possible to obtain that information indirectly, with slightly less precision at worst. For example, you could start with a list of known fonts (that you want to check for), create an autosizing DIV with zero margins and padding, and set its context to a certain text string. Then, measure its (automatically computed) pixel size from JavaScript. This would vary depending on the font, and also on the font rendering technology (which indirectly betrays the OS). I bet that, using enough chara

      • That's actually a pretty good idea. While I know FX let's you choose which fonts are the "defaults" for the various families of fonts, it doesn't allow you to restrict exporting to that selection. Curious what the effect is to disabling that particular checkbox. Reckon FX needs a second checkbox on there for "Don't advertise any other fonts"?

        • by amn108 ( 1231606 )

          Appreciate practical thinking, but it is also very small minded of you. It won't get you very far in any direction. There will be other query objects than fonts. What do you propose for them? "Don't advertise this?" checkbox for each and every bit of an API.

          Fingerprinting efficiency is supported by the very same factor that improves usability of computers. In my opinion, even with your understandable good motivation, the results will not be something the users will like. A lot of applications will break bec

    • However, see section 6.1 from TFA (the actual EFF article, not the news piece): technologies used to "enhance privacy" may be counterproductive. Using those technologies (FlashBlock, Privoxy, changing your UA) is very uncommon, so the average entropy of browsers using those technologies is high. They add that they didn't try to fingerprint NoScript usage any further, but it is very possible to do so if users allow scripts from some important sites.

  • Original ./ article (Score:5, Informative)

    by Mouldy ( 1322581 ) on Tuesday May 18, 2010 @09:41AM (#32252026)
  • by Coreigh ( 185150 ) on Tuesday May 18, 2010 @09:42AM (#32252040) Homepage

    I don't care if anyone tracks my preferences or shopping history. What I care about is; 'Is that information "Personally Identifiable"?' In other words its not that they know what I do, its do they know, specifically, who I am.

    I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

    • by somersault ( 912633 ) on Tuesday May 18, 2010 @09:46AM (#32252086) Homepage Journal

      In other words its not that they know what I do, its do they know, specifically, who I am

      Bruce Wayne: It's not who I am underneath, but what I do that defines me.

      • by amn108 ( 1231606 )

        If we assume that your fingerprint is assembled wholly at your side, then I would say you are RELATIVELY safe from it being disassembled into components that could compromise your realworld identity. One way to make the fingerprint irreversible like that is to encrypt it with a throw-away random key, also at client side. The unique but absolutely meaningless string arriving at the other end will uniquely identify YOUR END, NOT YOU. You can continue shopping and surfing porn, and all they got is a random str

    • by Monkeedude1212 ( 1560403 ) on Tuesday May 18, 2010 @09:58AM (#32252224) Journal

      Thats where things get difficult, though, right? For the sake of arguement, lets say that Microsoft decided to embed a Unique User ID into everyone's internet explorer, so that anytime you browse the net your ID gets stamped everywhere you go. Makes it easier for adspace to trend towards your interests, right? But then you're also checking your facebook, your email, your bank account, logging into slashdot, and so on and so forth.

      Eventually, one of these services slip, like Facebook has, and your Identifiable Information gets out in the open. When I google my name, I see my Facebook Profile, my name come up under my mothers friends list on Facebook, a handful of .NET Debugging forums. Even foreign versions of Facebook, in my classes we had people from the middle east, Japan, Hong Kong, and other regions of the world, and every other google page I see "Facebook: (Chinese Characters) (My Name) ". Makes me a little paranoid I'm being creeped by someone I don't know.

      Regardless - my point is that any effort they make to track just your preferences will always lead back to some site that slips up and makes your identifiable information easier to find, should you put it anywhere online. The way things currently are, you are pretty much safe if you do your best to keep your anonymity online, is probably the best its ever going to get.

    • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday May 18, 2010 @10:00AM (#32252254) Journal
      The trouble is, you only need to fuck up once(or, perhaps more realistically, a few times to let the algorithms bump their confidence in the ID high enough) for that information to become personally identifiable. And, once gathered, a body of "non-personally identifiable" information can persist for a time limited only by the plummeting costs of storage and can, at any future time, be linked with enough new data to make it personally identifiable.

      Some percentage, varying by person(and by whether or not your ISP is selling you out to anybody like Phorm), of site visits are personally identifying with a fairly high degree of confidence. For a substantial number of people, that's probably just facebook. In other cases, patterns of activity across a few websites make inferring your identity with fairly high confidence reasonably plausible. Because things like 3rd-party ad networks and whatever "I can't believe its not beacon" tech facebook is using today, have cross site reach, often remarkably broad, it is by no means unrealistic to expect that, over time, at least one of your personally identifiable visits or visit clusters will overlap with the reach of one or more ad networks with extensive "non-personally identifiable" knowledge of what your browser fingerprint has been up to. At that point, the previously "non-personally identifiable" is suddenly personally identified.

      Most people aren't even paying attention. Even the ones that are are likely imperfect in their execution, and keeping up with the scope and sophistication of what a competent data-miner could infer would practically be a full time job. Unless you are a truly bland person, you can probably be identified with fair confidence on surprisingly little data. Worse, as TFA notes, a lot of the common "privacy" measures and extensions and so forth actually make your browser substantially more unusual than it would otherwise be.
    • Re: (Score:2, Insightful)

      by tpstigers ( 1075021 )
      I use credit and debit cards to purchase items in stores all the time. There's nothing even remotely anonymous or private about the process. Why do we all expect it to be otherwise online?
    • The trouble is in aggregated data.

      Let's say I run a website. If you visit my site and you don't enter any personally-identifiable data, I don't know who you are. But I do see your browser signature which I can store along with your IP address (which will at least usually identify your ISP) and if you haven't blocked it I can also use doubleclick or googleanalytics to get your unique cookie ID. I can freely sell that information to anyone I damned well please because there's no personally identifiable inf

    • by dmomo ( 256005 )

      Interestingly, even if this type of fingerprinting doesn't 100% uniquely identify a user, for the purposes of marketing, that's probably okay. Users with the same fingerprints are likely similar demographically. At least as far as a target audience for a product is concerned. I'd almost prefer to be lumped anonymously into an "advertising bucket" than be tracked individually. Maybe we need a system for fingerprint sharing. I'm sure some firefox plugin could spoof or randomize this to some extent.

    • by ccady ( 569355 )

      What really scares me is when advertisers know stuff about me that *I* don't even know. Like the fact that I will need Viagra tomorrow, or that I am about to receive a million dollars from my Nigerian uncle.

    • Re: (Score:3, Interesting)

      by tlhIngan ( 30335 )

      I don't care if anyone tracks my preferences or shopping history. What I care about is; 'Is that information "Personally Identifiable"?' In other words its not that they know what I do, its do they know, specifically, who I am.

      I am all for research and marketing to tune products and advertising, but they don't need to know my name or various identifiers to do it.

      As seen time and time again, the answer is yes. That fingerprint you have - did you go shopping with it? Boom, you've just linked your fingerprint

    • by geekoid ( 135745 )

      "I don't care if anyone tracks my preferences or shopping history.

      you do you you are on a site that gets raided for some reason.

      If you have purchases something, then you are personally identifiable. How do you think they know where to get your money?

  • by Gothmolly ( 148874 ) on Tuesday May 18, 2010 @09:43AM (#32252054)

    It only lets them know it's the same browser/computer, it doesn't give them the docs on you.

    • Re: (Score:3, Insightful)

      by Cmdr-Absurd ( 780125 )
      Ah, but if you can be ID'd on a single site, much of what you do can be tracked. A lot of http access logs are web-accessible.
      So if I can associate you with your browser signature on ANY site, I can let my google fingers do the walking. It's a snap.
      • Re: (Score:3, Insightful)

        The fingerprinting techniques heavily relies on JavaScript, so finding random unprotected http access logs isn't going to help you. If it's truly "a snap" then please show me my last visited sites?

        I think at some point the internet privacy debate will have to start featuring some concept of personas, or the idea that a single person does not have a single identity but rather many identities. Some of them overlap, some of them are easier to change than others and some of them are what we might call "personal

      • by suggsjc ( 726146 )
        Either I'm missing something or your creating a strawman.

        First you say "A lot of http access logs are web-accessible." My guess would be that mainly smaller/lower trafficked sites (not that the information couldn't be valuable), are the ones making their logs available whereas the more popular sites would do their due diligence and secure them. However you then write "So if I can associate you with your browser signature on ANY site..." Like I said, I may be missing something, but can you, Cmdr-Absurd,
    • Yeah, not turn on your proxy and browse whatever porn. Then you close everything, turn off the proxy, and hit up facebook. Now they know who you are.
      • by mea37 ( 1201159 )

        Er... why do you theorize Facebook is exchanging browser profiles info with random porn sites?

        Like many people assessing online privacy threats, you seem to be looking at what a sufficiently well-placed cabal could do (from a "technically plausible" standpoint) and not thinking about real-world applicability. If your best reason to be concerned about privacy is to conceal your porn habits, you can rest assured nobody's that interested anyway. (Yes, there are exceptions. If you're trying to conceal predat

    • It's about as effective as knowing who is driving a car by the license plate. Yeah its not 100% accurate but definately more than 90%.

  • by Viol8 ( 599362 ) on Tuesday May 18, 2010 @09:48AM (#32252104) Homepage

    Never mind the browser , you can tell (or used to be able to , this was a few years back) what OS someone is running - assuming they're not going through a proxy - by looking at the TCP sequence numbers the client sends. There was an article on /. about it and some post grads had written a whitepaper.

  • by Anonymous Coward on Tuesday May 18, 2010 @09:57AM (#32252208)

    We have a rather annoying vandal by the name of Grawp who likes to visit often and put penis pictures up on pages that little kids like to visit, among other things.

    He edits via proxies, while visiting people, open wifi spots, etc... and never figures out how we know it's him.

    Shame his laptop has the same fairly unique MSIE-and-toolbars useragent string.

  • Cookies (Score:4, Informative)

    by chipperdog ( 169552 ) on Tuesday May 18, 2010 @10:02AM (#32252260) Homepage
    Cookies are at least a "honest" way to track. you can easily see them in your cookie jar (or whatever term is used by your browser), and you have at least some information about who wrote it. Cookies are not always bad - hidden images, browser/OS fingerprinting, and other 'hidden' means are much worse for privacy.
  • BFD (Score:4, Informative)

    by rwa2 ( 4391 ) * on Tuesday May 18, 2010 @10:07AM (#32252298) Homepage Journal

    Don't let the mass media scare you.

    Step 1: Install Wireshark []
    Step 2: Leave Wireshark running and observe what kind of information people are gleaning from you over the network. It's educational!
    Step 3: There is no step 3.

    I don't see why people expect anonymity on the internet any more than they do driving around in their car with the license plate showing.
    I just pretend there's an FBI agent always watching over my shoulder. His name is Fred. I explain to him everything I'm doing.

  • I tried the survey some months ago when they started it, and found that your most unique information usually is the list of installed fonts that Javascript can provide to pages.

    Not only is it usually unique, some of these fonts are specifically installed by some applications, which means that info about your work environment (eg. MS Office / / etc.) leaks out.

    In my case, I had several old Tengwar fonts and one vectorized sample of my handwriting helpfully named "Arancaytar's Handwriting". I m

  • And? (Score:2, Insightful)

    by flintmecha ( 1134937 )

    data on the type of browser, operating system, plugins, and even fonts installed

    Should I be worried about websites knowing these things?

    • ... nobody particularly cares if website operators find out what fonts and plugins you use. You might, however, care if website operators can look at those things and be able to say "hey, it's flintmecha again". Some people (I'm one of them) don't necessarily want every company on the internet building dossiers on their online behavior. But some people might be happy to let such companies do so - it's not like there are no advantages. When a website knows who you are, it can personalize your experience with
  • Randomising most of HTTP_ACCEPT and User agent would totally fix this problem, right? Or at least, it should for those of us with javascript turned off by default (using noscript makes this pretty convenient).

    A handful of things should stay the same, such as browser name, the major version number of the browser, and your main language preferences, but I guess the rest could change per-site by selecting random values from lists of valid values.

    Anyone know of a plugin (for any browser) that does this?

    • by dave420 ( 699308 )
      Paranoid much? If you are that far gone, you might as well simply unplug your computer and spend all your savings on tin foil.
    • That's only useful if a whole lot of people use it. Otherwise, you have a very clear fingerprint: you're "That guy with that weird randomizer plugin."
      • I thought the point of the NoScript part of the prescription was that it blocked the site from retrieving your plug-in list (because surely that's done via script).
        • They don't figure it out by looking at your plugin list, they figure it out because your fingerprint is essentially random (in other words, "highly unlikely") looking.

  • Watching my apache logs, I see lots of very similar "fingerprints" like they refer to. However, a lot of it leads to dead ends. For example, I see a lot of users who connect through RoadRunner, running Windows Vista, using Firefox3. That doesn't really tell me much. Sure I can attempt to locate where they are geographically by their IP address, but that isn't all that useful either if I really want to say "that was John Smith". After all, even if I know that two visits on different days were the same o
    • The article describes data that isn't gathered in Apache's logs. Things that can only be found through CSS, Javascript or Flash tricks. Screen resolution, Flash Version, installed fonts, visited web sites (in certain versions of Firefox, at least).

  • The EFF site identifies my computer uniquely if I access it directly, but when I access it through all the information it gathers has no relation to the information it gathers when I access it directly. The user agent and HTTP_ACCEPT headers are both spoofed, and since Javascript is disabled it cannot obtain any info about plugins, time zones, screen size, system fonts or supercookies. I suspect all who access the website through Proxify will look like the same user unless they happen to enable

  • I'm all for privacy, don't get me wrong. But is the Internet a public place? I mean, if I go out to lunch somewhere with my wife or a friend, anyone can take pictures of me. People can see what I'm wearing. They can overhear my conversations, and maybe glean my name or address from them. They can look at my car and my license plate. A whole slew of valuable personal information about me can be gathered from something as simple as a lunch date. Someone can follow me. Anything can happen, really. Is
    • Re: (Score:3, Insightful)

      Is being on the internet any different?

      Actually, yes it is different. The first difference is cost. It is expensive to follow people around and record everything they are saying. I don't worry that someone is going to spend a half a million dollars to follow me around for the next year; it's not impossible, but it's about as likely that I will be struck by a meteor. The second is storage of information. If someone decides today to find out exactly what you said at lunch last week, they can't, becaus

    • by geekoid ( 135745 )

      well, when browsinf is the same as going to dinner, you may ahve a point. It's not.

      Tney internet is different for several reasons.
      1) All yuo conversations can be searched at ones, and any time.

      2) At anytime you movements can be determined.

      Both those require a substantial resource to do in meat space, and very little in cyber space.

      Sure some can follow you, but is the right?

      Practicality also defines privacy.

  • It says 1 browser out of 4.72 for each criteria 8except one) have the same ID as me. Even assuming *ALL* criteria are actually really unique, with the user agent string being common to 1 out of 36 that come out at about 1 out 150.000. Naturally the other data aren't really unique it comes out at less. So..... I am not worried.
    • Re: (Score:3, Informative)

      by jittles ( 1613415 )

      Try allowing Noscript on that site? I was listed as 1 in 4 too until I enabled scripting on that website and ran the test again. Then I came out to be 1 in 1,000,000. I'd say that's more unique than I'd like to be.

      Test yourself here [] if you haven't already.

    • Re: (Score:2, Offtopic)

      by Rick17JJ ( 744063 )
      Because I use Ubuntu 9.10, my computer setup is still fairly unusual even when using NoScript. Despite using the NoScript plug-in for Firefox, the test showed that only one in 21,800 browsers has the same fingerprint as my computer. Among other things, it said that I am using Ubuntu 9.10 on a 64-bit computer with Firefox 3.5.9. In five categories of information from the test, it said "no javascript," because the test could not obtain any information about things like browser plug in details, time zone, scre
  • The RSA/Passmark system used by many banks for "Multi-Factor Authentication" (it really isn't) uses fingerprinting as one of the many factors.

    I used to have to do support for an installation of this system provided by ITI (a banking industry software provider, now owned by FISERV).

    Anyway part of the MFA process checks the fingerprint to see if it is one of the ones saved in a users profile...if it is not then they get asked for the extra security question.

    We sometimes had odd issues with the detection when

  • Using Panopticlick [] as a measurement tool, my computer went from being identifiably unique as 1 in 900,000 all the way down to 1 in 13,000 simply by enabling noscript. The most telling feature with noscript on was my User Agent string, Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729), which if I was paranoid enough I could modify to something much more common, like internet explorer.
    • Your browser fingerprint appears to be unique among the 919,012 tested so far.

      It's not 1 in 900k, it's the fact that it's the only one like it in 900k tests meaning that if I went to various sites they could figure out I am the same person time and time again.

      As far as that goes, we now can tell which customer is on our website and when they are about to make an online purchase.

  • Dupe []

Bell Labs Unix -- Reach out and grep someone.