EFF Publishes Study On Browser Fingerprinting

Rubinstien writes "The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to 'device fingerprinting' via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we've discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far."
  • by AlexiaDeath ( 1616055 ) on Friday June 03, 2011 @08:59AM (#36330102)
    I visited that site several times with the same browser over several weeks, each time it was unique. Some plugin had updated, some font had been installed... So for tracking me it would be totally useless. The uniqueness it identifies is only valid for a session or two.
    • by Anonymous Coward on Friday June 03, 2011 @09:09AM (#36330176)

      If you read the article they write that it's trivial to track users despite minor fingerprint changes. Page 13 of the PDF.

      • by AlexiaDeath ( 1616055 ) on Friday June 03, 2011 @09:18AM (#36330250)
        Read the relevant section. They tested the algorithm against browsers that had cookie indication of sameness.
        "We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1-2 hours or more after their first visit, and who now had a different fingerprint."
        Take that out and you get a flood of false positives.
        • by Anonymous Coward

          No, actually. They tested the ones with cookies against their entire database, then tested their answer against the cookie. They guessed 65% of the time and were right 99% of the time. The false positive rate was 0.86%. Basically, 64% of the time they will still be able to track you. And this is their "crude" algorithm.

          Repeating myself for clarity:

          They only used the cookies to test for correctness of their guess, not to make the guess.

          • I'm reading the quoted sentence clearly stating that they picked users they had cookies for. Out of those were the matches made.
        • by phme ( 1501991 )
          From the paper:
          "We implemented a very simple algorithm to heuristically estimate whether a given fingerprint might be an evolved version of a fingerprint seen previously. [...] Excluding users whose fingerprints changed because they disabled javascript (a common case in response to visiting, but perhaps not so common in the real world), our heuristic made a correct guess in 65% of cases, an incorrect guess in 0.56% of cases, and no guess in 35% of cases. 99.1% of guesses were correct, while
  • by mattdm ( 1931 ) on Friday June 03, 2011 @09:03AM (#36330124)

    "18.8" doesn't sound like a big number, until you consider what it stands for. Each bit of information halves your uniqueness. That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today, that means you're down to being one in 4500. That's about the same as saying "My name is Matthew Miller and I live in the United States." Not particularly private!

    Another way to think of it is this: those two billion people represent 31 bits of uniqueness. Every bit of information revealed knocks off some of that. When you're down to one, you're positively identified. Your web browser is giving up at least 18.8 of those thirty for nothing, leaving you with just about 12.

    • by fnj ( 64210 ) on Friday June 03, 2011 @09:13AM (#36330210)

      Er, actually each bit of information doubles (not halves) your uniqueness.

    • by ugen ( 93902 )

      Your face gives out about 25 bits :) (Depending on how acute the perception is of someone looking at it). Your fingerprints are good for pretty much the entire 32 bit. Even your voice is probably good for 20 bits or so, with appropriate equipment.

      The only way to be untrackable is to be completely indistinguishable from a very large set of people. It is possible, but what fun would that kind of life be? You can't both *be* a unique individual and expect others not to notice that/not to treat you like such.

      • by phme ( 1501991 )
        Indeed. But your biometric data is unlikely to be present in a single database of perhaps a billion people. Yet.
    • by Bengie ( 1121981 )

      "That means that you can be picked out of a crowd of 2^18.8 people -- 456,419. With an estimated two billion people on the internet today"

      Tack on your IP address and they can figure out which city you're connecting from. So, I can be identified out of a crowd of 456k people, but my city only has 10k people. Sounds like they probably keep track of me quite easily.

  • The author said his browser was identifiable because of his font and addon settings. i.e. He probably customized it.

    But what about those of us who use "default" settings and customize virtually nothing? Are we identifiable, or do we get lost in the crowd? I suspect the latter.

    • by Nursie ( 632944 )

      You, and 99% of the people who neither know nor care about privacy, are all fine. standard os, standard browser, no uniqueness.

      the likes of me on debian wheezy with iceweasel and a few privacy plugins, conversely, are easy to track. turns out blending into the crowd is effective. who knew?

      • >>>You, and 99% of the people who neither know nor care about privacy,

        This is an incorrect conclusion.

        • That statement contains no conclusion. Parent is joining two sets: (You) + (99% of the people who neither know nor care about privacy).

          If parent had said "You, and the other 99%...", (s)he would be including you in the group, but that was not the case.

    • by glwtta ( 532858 )
      But what about those of us who use "default" settings and customize virtually-nothing?

      I wouldn't be so sure. In my case, just the specific versions of the Java, QuickTime, and Flash plugins (Java 1,6,0,20; QuickTime 7,6,5,0; Flash 10,1,53,64;) provided about 20 bits of identifying information - quite a few people will have these "customizations", and the versions depend on when they were installed.

      Available system fonts are affected by the applications installed, including the crapware that OEMs prel
    • You also have your OS version, your system fonts (sometimes installed by certain apps you installed), your screen resolution, your timezone, etc. Or you could just go to the website in the summary and test yourself.
  • how do they know it's unique? they say my browser is unique, I got no serious doubts about that(nightlies), but how would they know if it's me browsing two times or someone else? my screen sizes going to be different when I go home, too. is this what my money would go to if I donated money to EFF? start doing a fooler filter, this research project as it is sucks and benefits mostly some people who are working on identifying unique visitors to ads/sites, though not much to them either. and another thing -
  • by Plouf ( 957367 ) on Friday June 03, 2011 @09:12AM (#36330208)
    Article dated from May 2010...
  • Thanks, NoScript!

    by nman64 ( 912054 ) on Friday June 03, 2011 @09:18AM (#36330238)

    15.21 and 1:38023

    The UA and HTTP_ACCEPT headers provided most of the bits, and those will be pretty common for anyone using the same browser version and platform. NoScript blocked most of the other detection techniques, and those results will be common with anyone else using NoScript or with JavaScript disabled.

  • by Infiniti2000 ( 1720222 ) on Friday June 03, 2011 @09:18AM (#36330246)
    NoScript and whitelist-only cookies = 14.16 bits of info. The bottom six values are not available.
  • Okay, my CS degree is fourteen years old but how can the information identifying whether or not my browser accepts cookies be '0.39 bits'? Isn't it a yes/no, single-bit piece of information? All the other information is described in non-whole-numbers also. Aren't bits discrete?

    • Oops. I should have read the article before asking. If anyone else misunderstood the values, the explanation is on page six of the article.

    • Aren't bits discrete?

      Not in information theory. Suppose I had an unfair coin; a priori, you know that the probability of the coin landing "heads" was 3/4. If I perform the experiment, how many bits of information will you gain when I tell you the outcome? It is clearly less than 1 bit, because if I perform the experiment 100 times, I will not need to send you 100 bits to describe the outcome of each toss (I should be able to compress that string, since there will be a strong bias).
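To make the fractional-bit point concrete, and to connect it to the 18.8-bit arithmetic earlier in the thread, here is an added example in JavaScript (Node.js) that is not part of the original page or of the EFF paper. It computes the surprisal -log2(P) of an observed value from a frequency table, the entropy of a whole component, the additive combination of several components, the size of the crowd a given number of bits singles you out of, and the ceiling on how many bits a value that is unique in a sample of N browsers can be credited with. The frequency tables are constructed for the example and are not the EFF's measurements; the sample size 1,557,962 is the count quoted in the summary.

```javascript
"use strict";

// log2 helper (Math.log2 exists in modern Node; kept explicit for clarity).
function log2(x) {
  return Math.log(x) / Math.LN2;
}

function total(table) {
  return Object.values(table).reduce((sum, c) => sum + c, 0);
}

// Surprisal: bits of identifying information gained by observing `value`,
// given a frequency table { value: count } taken from a sample of browsers.
// Rare values carry many bits; common values carry a fraction of a bit.
function surprisal(table, value) {
  const count = table[value];
  if (!count) throw new Error(`value never observed in sample: ${value}`);
  return -log2(count / total(table));
}

// Entropy: expected surprisal over the sample distribution, i.e. how much a
// component reveals on average about a random visitor.
function entropy(table) {
  const n = total(table);
  return Object.values(table).reduce((h, c) => h - (c / n) * log2(c / n), 0);
}

// Bits from several components, treating them as independent. This is an
// upper bound: the User-Agent and the plugin list both reveal the OS, so
// their surprisals partly overlap and a plain sum overcounts.
function combinedBits(tables, observed) {
  return Object.keys(observed).reduce((bits, k) => bits + surprisal(tables[k], observed[k]), 0);
}

// How many people a fingerprint carrying `bits` bits singles you out of ...
function anonymitySet(bits) {
  return Math.pow(2, bits);
}

// ... and the resulting "one in N" figure for a given population.
function oneIn(bits, population) {
  return population / Math.pow(2, bits);
}

// A value seen once in a sample of n browsers has surprisal log2(n). That is
// the most "unique in this sample" can mean, however exotic the browser is,
// which is why a small sample makes every rare configuration look unique.
function uniqueInSampleBits(sampleSize) {
  return log2(sampleSize);
}

// Constructed data (not the EFF's measurements).
const coin = { heads: 3, tails: 1 }; // the biased coin above: P(heads) = 3/4
const tables = {
  cookies: { yes: 76, no: 24 }, // most browsers accept cookies, so "yes" is worth well under a bit
  timezone: { "-300": 40, "0": 30, "60": 20, "540": 10 },
  screen: { "1280x800x24": 50, "1366x768x24": 30, "1920x1080x24": 15, "2560x1600x24": 5 },
};
const observed = { cookies: "yes", timezone: "540", screen: "2560x1600x24" };
const PANOPTICLICK_SAMPLE = 1557962; // browsers tested, per the summary above
```

With these tables, `surprisal(coin, "heads")` is about 0.415 bits and `surprisal(coin, "tails")` is 2 bits, averaging to an entropy of about 0.81 bits per toss, which is exactly why 100 tosses compress below 100 bits. `anonymitySet(18.8)` reproduces the 456,419 figure from the thread, and `uniqueInSampleBits(PANOPTICLICK_SAMPLE)` is about 20.6 bits, the most a single "unique" component can be credited with in a sample that size.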

  • I haven't even customized my user agent string and I'm using the standard Fedora 14 browser, but my user agent string itself is unique... Seems like I am the only Danish Fedora 14 user who has clicked on panopticlick recently.

  • According to them, I'm the only person in the world using Opera 11.50 on 64-bit Linux. Yeah, right. Sample size isn't really large enough yet, I guess ... I'm sure using a beta version of Opera on 64-bit Linux is rare, but it is definitely not unique.

  • With firefox 3.6.18pre, a carefully chosen User Agent (below), default HTTP_ACCEPT headers and noscript, panopticlick says that my fingerprint conveys 9.01 bits of identifying information.

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20091221 Firefox/3.5.7

  • My browser plug-ins make me unique. My fonts make me unique.

    I'm unique. Just like everybody else...

  • News for nerds, stuff that was published a really long time ago.
  • I perform some lazy browser fingerprinting and generate a hash for that visitor. I mainly use it for traffic purposes (tracking new visitors vs. returning visitors). I understand that it isn't foolproof and will generate some false results in some cases, but that is not important to me. I don't store any personal identifying information, just a hash.

    It also is a way for my sites to stop trying to give cookies to visitors who have cookies disabled. It checks the hash and if that hash has been seen recently a

  • Many web sites that provide online financial services, and also gateways to MMORPGs, use browser fingerprinting to detect fraudulent use of the service. For example, if a user logs in consistently using a specific browser on a specific computer, and then logs in from a completely different browser, or from a different computer, then there is the suspicion that someone other than the user is logging in using stolen account information. The web site will in such cases ask for some 2nd form of authentication (

  • Anyone have any tips or add-ons that block sending some of this information to make us less identifiable?
  • This sounds like it could have some uses for e.g. wikipedia, where instead of blocking vandals by IP, you can block individual users on a certain IP address block instead. This would work for people vandalising off university networks, for example.
  • ... is my passport. Verify me.

  • I've always wondered if there was a software for web browsing that would let you spoof all of that type of information, hiding OS type, browser version, JAVA, etc.

  • I remember when /. first covered the device fingerprinting method that was developed by some Chinese kid using all sorts of details and flags to build the end fingerprint, with a 99% accuracy rate (supposedly reviewed by his peers at that time), some 10 years ago. Is this the same thing?
    I don't know...but I am sure that he may be wanting compensation if they are using his code and not paying him.
