Most browsers leave fingerprint that can ID users

The vast majority of people surfing the web leave behind digital fingerprints that can be used to uniquely identify them, research released Monday by the Electronic Frontier Foundation suggests. Using a website that compares visitors' browser configurations to a database of almost 1 million other users, EFF researchers found …

COMMENTS

This topic is closed for new posts.


  1. SirTainleyBarking
    WTF?

    I'm not convinced about that one

    I'm apparently unique in IE8, Opera and Firefox. All out of the box standard configs running on a cheap lappy running Fista.

    Not convinced, unless everyone hitting that site is using XP or some flavour of Linux.

    Or maybe as I'm not a full on IT professional I'm the only one still using Vista!

    1. Danington the Third
      Alert

      bear in mind

      This data collection also appears to contain your installed fonts, current resolution, and so forth. If you run the test again you can check what part of it was 'ID'ing you by :)

      Also, Vista? Really?

  2. Anonymous Coward
    Happy

    titlez

    I tend to masquerade behind Privoxy, so I appear to be running a very generic version of Firefox on a very popular version of Windows when in actual fact neither is true.

    It's also useful for totally killing all analytics/tracking independently of the browser.

    1. Anonymous Coward

      Care to share?

      Privoxy's documentation seems to expect a lot of knowledge of browsers and perl. Just to compare, how would one tell it to rewrite the fonts and plugins headers to be fictional strings?

  3. Tim Brown 1
    FAIL

    turning off javascript significantly changes the result

    With javascript disabled, the only information the test page gets is your browser's identification string, HTTP_ACCEPT headers and whether or not cookies are enabled. This has a large effect on the result.

  4. Spanners Silver badge
    Boffin

    Javascript

    When I went to the site, I immediately saw the reason that turning off JavaScript didn't stop it. It is actually running Java.

    I regularly remind Users and managers that the two are different. Hopefully, you already do.

    1. Giorgio Maone
      Thumb Up

      NoScript blocks both Java and JavaScript

      And, in fact, NoScript disabling JavaScript, Java and plugins by default makes identification about 40 times harder on my Firefox (1/19000).

      I'm not sure why Dan Goodin reportedly had his browser identified as unique notwithstanding NoScript, but I suspect he's got "Globally allow mode" or he failed to correctly repeat the test...

      1. Giorgio Maone
        Happy

        Dan Goodin's uniqueness explained :)

        Later I had some conversation with Dan, and we discovered that the culprit of his un-anonymity was a pretty unique HTTP header he was sending by accident, due to uncommon configuration bits of his. In fact, once you shut down JavaScript and plugins, the stuff giving your identity away (aside your IP) is almost all at the HTTP level, especially cookies, user agent string (double check that it's the default one coming with your vanilla browser - the Microsoft .NET Framework and other 3rd party software love to "customize" it making you more identifiable) and language information.

  5. Gordon 11

    No Linux users

    Based on the results I was only the 3rd (JavaScript off) and 4th (JavaScript on) visitor running a Mozilla-supplied 64-bit Firefox 3.6.3 Linux distribution in 842,000 visitors, which surprised me.

    With JavaScript on it's the system fonts and plugins that make a good fingerprint. Both were unique.

  6. McBread

    I'm rapidly getting more anonymous

    I'm only unique to 1 in 60,000. And it was 1 in 90,000 ten minutes ago.

  7. RW
    Unhappy

    @ Tim Brown 1

    But even with JS disabled, I'm unique. The interesting thing is that I'm running a pretty vanilla install of Ubuntu 8.04 LTS, recently updated, which gives a user agent string

    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010040119 Ubuntu/8.04 (hardy) Firefox/3.0.19 [1 in 21067.7 browsers]

    and HTTP_ACCEPT headers

    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 windows-1252,utf-8;q=0.7,*;q=0.7 gzip,deflate en-us,en;q=0.5 [1 in 13167.31 browsers]

    Both of these I would expect to be pretty standard, yet evidently both are reasonably rare and in combination make my fingerprint unique. I simply do not understand. Can anyone explain what makes these particular combinations so uncommon? Or is it that the universe of possible combinations is far more extensive than one might think?

    With JS enabled, the real killer is one's font selection. I've got some unusual fonts such as Everson Mono and BPG Unicode Standard, so it's understandable that I'm unique in that regard. WRT the assortment of fonts, I notice two things: first, the fingerprint specifically says "system fonts". Does this mean that if I move my special fonts to my user directory they'll be invisible? Second, I notice that the font info is retrieved via Flash. More and more I begin to view Flash as considerably more than just a video/interactive plug-in. Adobe seems to be like Google, far too interested in privacy-eroding details.

    At least I've successfully turned supercookies off!

    All in all, this is one more reason not to use proprietary software like Flash. At least with Open Source, you can (in theory) go in and neuter it so it doesn't divulge such details.

    Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

    1. RW
      Unhappy

      "System fonts"

      Bad news: under Linux, fonts in ~/.fonts are discovered. It's pointless to try to conceal them there.

      This is understandable because Flash likely asks "what fonts can I use?" and Firefox/Linux return a list of all fonts the current browser session has access to.

    2. informavorette
      Thumb Down

      seriously?

      > Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

      Just think if one in every X web surfers really:

      - knows that a browser has a user agent string

      - knows how to change it

      - knows that it can be used to infringe their privacy

      - cares enough to do it

      - doesn't forget to do it again after browser/os reinstall

      - fulfills all of the above conditions and decides to change it to "Hidden" as opposed to something else, e.g. "hidden", "Hidden!" or "I won't tell you, you spying swines!"

      - believes that at least one in X web surfers fulfills the conditions listed here,

      where "one of X" is the proportion of web surfers with a user agent string matching theirs

      Because if these conditions don't hold, changing your u.a.s. to "Hidden" would make your system more easily detected instead of less...

  8. Tom Maddox Silver badge
    Coat

    Good luck!

    I'm behind seven Boxxies!

  9. Sarev
    FAIL

    Pretty useless

    Any time I change anything about my system, I become a different identity. Not the best tracking mechanism then.

    1. Gaz Jay

      Exactly,

      All we need to do is install another Font or something!

      My fingerprint from last week will be different from the one this week because I got a new monitor on Friday with a different screen resolution being used.

  10. Steve Evans
    Flame

    Well...

    My firefox 3.6.3 exploded (and offered to send the bug report to MS), how unique is that?!

  11. Anonymous Coward

    Surprised

    Very interesting indeed. I'll read the whitepaper. It claims I have a unique fingerprint (with special thanks to plugins and fonts).

  12. Notas Badoff

    My evil doppelganger

    needs only to deinstall Shruti to foment revolution, then reinstall to pretend innocence? Or is it merely removing an old version of Java?

    Anyways, NoScript made me one in 2,833. I like those odds better.

  13. Anonymous Coward
    Jobs Horns

    What's in a claim?

    'When The Register visited the site using Firefox, it received a message that read: "Your browser fingerprint appears to be unique among the 837,411 tested so far."'

    And was it?

    Why does this message have any more credibility than a message/advert on a website that claims I am unprotected and need to buy their Internet Security product in order to survive? I expect anyone at The Register who browses the Internet ends up with the same IP address, meaning people can identify you as being from there, once they know what that IP address is, without being able to say which person you are. That's nothing special. Can this website go through their logs and tell me which entries are me at home and at work? I expect not.

    This is little more than someone with caller ID issuing a press release to say they can tell who phoned them. Anyone who doesn't understand that every time they connect to a website they have to give an IP address to 'reply' to is going to be traceable in so many ways that there's little point warning them about one.

  14. JeffyPooh

    We are all unique, like snowflakes

    I think it's obvious that they're making an error by assuming that because you have a detailed fingerprint, it's unique. I suspect that one could format the HD, install a fresh OS, take the test, and be told that you're unique. And a hundred others could do the same thing on the same type of PC and screen (etc.) and could get the same result. I'm not sure, but seems likely.

    1. Anonymous Coward
      Coat

      I'm not

      On my way

  15. Chris_Maresca
    Alert

    Old news

    Convertro has been doing this for at least a year. It's nothing new and I'm sure plenty of others do it as well.

  16. Chemist

    OpenSUSE 11.2

    FF 1 in ~450000

    Konqueror 1 in ~850000

    Opera 1 in ~850000

    All with JS off

  17. Dodgy Geezer Silver badge
    Black Helicopters

    Thank you very much...

    For publishing here, instead of taking the idea off to Cheltenham and selling it for a lot of money.

    Or even worse, taking it off to the US, China or Israel and selling it for a lot more....

  18. GettinSadda
    WTF?

    Sceptical

    I'm exceedingly sceptical.

    With Java/JavaScript off, all you get is the user agent, HTTP ACCEPT and whether or not cookies are accepted.

    The user agent is built from the OS and browser versions and the current language setting. The HTTP ACCEPT value depends almost totally on the factors that are expressed in the user agent, so I would be surprised to find cases where the HTTP ACCEPT differed with identical user agent strings.

    So, we are left with OS and browser versions and language. Assuming that you have auto-updates the version numbers for these will be the same for most people. Worse still, my user agent today may be different from my user agent tomorrow, because the browser may have been updated or I may have received an OS service pack.

    So, it looks like we are down to OS choice (not exact version) and browser choice (again not exact version) and language.

    Or am I wrong?

  19. informavorette

    iid variables?

    After my results, I wonder if they treat all variables as independent.

    One in 285304.67 browsers out of 855914 have my user string, which means that only 3 such browsers have visited the page. This didn't surprise me, as I visited from my N900 using Fennec, and the N900 is the only device in existence which supports the Maemo OS and the Fennec browser. Plus, Fennec isn't even the default browser on it.

    But I was told that my configuration is unique among the 855 914 visitors. How that? Maybe they have multiplied the "3 out of 855 914" with the other variables? Well, that would be wrong. Because all people running Fennec on the N900 have a 800x400 screen, none of them can have detectable Flash or Java fonts, none of them can have definable plugins, and none of them can disable supercookies. The normal cookies remain, but I was unique both with and without them. So unless the other 2 people with this device chose to modify their http accept headers, there is something fishy with the calculations panopticlick makes.

    1. Anonymous Coward

      I think I know the piece of data that makes everybody unique and trackable!

      It's your IP address.

      I say that because on my ultra locked down browser they are only getting the UA & HTTP Accept headers, which are pretty far from being unique yet they tell me that nobody else has the same configuration which is clearly bullocks based on the number of people running noscript here.

      Ergo, they are using some other piece of information submitted to the server, and the only thing that comes to mind that would be easily usable is the IP.

  20. Pigeon
    Thumb Up

    What larks!

    I would like this site to let me know if there are any other sad lusers using a crummy old Firefox 2.0 on Solaris 8 that visited it. I'm impressed how much it gathers. I'm unique, great! I am one of 60,000 - also great. The best would be one of only two with the same configuration.

    It looks like anonymous browsing involves buying some standard kit, and not modifying anything.

  21. Anonymous Coward
    FAIL

    Yeah right ...

    Running a default install of Safari on a brand new default install MacOS X powerbook - makes me unique ? Unless I'm the only person in the country who owns one, I don't think that's really going to be the case ... This is a load of cobblers.

    1. Jamie Kitson

      Re: Yeah right ...

      It doesn't say you're unique in the country, just unique amongst the < 1,000,000 people who have taken the test, which seems plausible.

  22. N2

    my test

    only one in 214,360 browsers have the same fingerprint as yours

  23. Anonymous Coward

    Title

    Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere.

    1. Anonymous Coward
      WTF?

      RE: Title

      "Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere."

      Mine claimed to be unique too. It seems very unlikely though. My fonts come from OSX + iLife + Photoshop + Office. Surely I'm not the only one?

      It also got my screen resolution wrong.

  24. Dom 3

    Combinations

    @RW: yes, the number of possible combinations is surprisingly big. I'm sure this all got reported a month or two back so I've already thrashed through the arguments on Usenet... personally, I changed my user-agent string so as to *guarantee* uniqueness...

  25. Anonymous Coward

    Oh rats!

    It looks like I'm the only person whose preferred languages (according to the Accept-Language header) are Toki Pona, Esperanto and Lojban, in that order.

  26. Anonymous Coward
    FAIL

    So....

    So, given that it takes very small differences to become unique among a very large number of seemingly identically setup machines, surely then, only very small changes would alter your fingerprint which then becomes a bit useless for tracking purposes. The question has got to be how easily does your fingerprint change?

    I’m not convinced either, since sat behind a proxy server using two machines setup from the same image with a comparison of the data shown on the website showing it is identical – yet they are both ‘unique’.

    Me thinks they are hiding something – probably that it doesn’t actually work!

  27. Anonymous Coward

    Plug in info seems to give the most away

    I wonder if geeks are more vulnerable to this sort of thing. I see bits from dev kits and tech demos.

  28. Mayhem
    WTF?

    IE6 is unique

    Tested with firefox on our gateway pc, and found it was unique. Turned off javascript, and dropped to 1 in 11,490. I can see how they get a lot of unique hits though, especially with all the different versions of firefox out in the wild.

    Amusingly though, testing with IE6 came up with three javascript errors on the front page, then a blank page when I clicked Test, then the browser crashed when I refreshed the page.

    That's certainly one way of making their stats look better - the great unwashed can't even use the site!

  29. mhenriday

    Running FF 3.6.5pre on 64-bit Ubuntu Lucid,

    my browser fingerprint is reported by Panopticlick as seemingly being «unique among the 862,067 tested so far», irrespective of whether the website URL is enabled or disabled in NoScript. More or less the same result as when I tested a year or so ago. Nice to have one's uniqueness confirmed - if more people test their machines, perhaps I'll get to be one in a million !...

    Henri

    1. Anonymous Coward
      Joke

      a year ago?

      You were running FF 3.6.5pre on 64 bit Lucid a year ago? Amazing.

  30. Anonymous Coward

    curiously (perhaps)

    I turned noscript off, and became half as unique (1/400k not 1/800k).

  31. Jamie Kitson

    Updates

    The frequency with which many browsers and plugins (and even OSes) update these days I would have thought makes this pretty much useless. For example I am running nightly builds of Firefox at the moment so my browser updates every single day. The whole point of finger prints is that they do not change, it seems this one does.

  32. Jason Bloomberg Silver badge
    Coat

    Plugins and Fonts

    ... is what gives me away. Not surprising perhaps having Far Eastern Language support turned on in the west and some fonts only installed by/for specific applications as well.

    So the only way for me to be non-unique is to prevent plugin and font data being accessed. Good luck to the man on the Clapham Omnibus achieving that without help.

    On the 'small changes makes it useless for tracking' notion ... not necessarily. The 3'6" man with a Richard Nixon mask and a white wig robbing a bank is likely to be the same 3'6" man with a Tony Blair mask and a red wig robbing another. Not 100% guaranteed but statistically significant. It depends on the reason for tracking, as a unique identifier, perhaps not, on following suspects, far more useful.

    Mine's the one with the "GCHQ are all nice folk" note in the pocket.

  33. WelshTom

    What a load of nonsense

    What a load of nonsense,

    I first done this test and it said my fingerprint was unique, so, I re-routed all traffic to that website over my works VPN connection, and re-done the test using the same browser which has the same fingerprint. Surprise Surprise, it said it was unique again.

    1. Anonymous Coward

      Using the same browser?

      Did you remember to delete their 'unique id' cookie as described in their faq?

  34. Roger Cornwell

    Fractional bits

    I'm now one in 866454, probably because I'm the first to use SeaMonkey/2.0.4 Like Firefox/3.5.

    But the odd thing is the column headed 'Bits of identifying information' because this gives values to two places of decimals. As any fule kno, bits are units of information and so you can only have whole numbers of bits of information, surely?

    And as Anonymous Coward above pointed out, it's not just being unique that identifies you, it's having that uniqueness remaining constant that is necessary. If fingerprints changed every day, thieves would not worry about leaving them behind.

  35. Charlie Clark Silver badge
    Thumb Up

    Interesting heuristic

    I think the point of the test is to highlight how much more we let on than we think. There are advantages both in being unique - less likely to be the victim of a known exploit crafted for the masses - and being non-unique - possibly more difficult to identify. Given that most people have fairly promiscuous cookie settings, cookies are likely to remain the id tag of choice. But, assuming you have access to sufficient websites, you could use this heuristic for profiling, presumably inversely as a way of excluding the masses.

  36. Anonymous Coward

    Unique?

    Unique in 867,760.

    Only it's not.

    The screen size and colour depth is unique. Screen size being the size of the current browser window.

    I don't think I'll lose any sleep over this :)

  37. Anonymous Coward
    Thumb Down

    Damn lies and statistics

    There are a lot of things that go into your browser's signature (OS, version numbers, fonts, etc. etc.). If all these can vary between users the number of combinations quickly becomes quite large. There may indeed be many people in the world who share your quite common settings. However, if the number of people who've visited the EFF website is smaller than the number of common setting combinations, then you will still probably appear unique using this test.

    To see the problem, imagine you go to a small website with only two visitors. They can easily tell you apart because one of you uses IE and the other uses Firefox. Oh heck!

    The EFF site is a bit like that.

    Trouble is, so are some of the sites that want to track you.
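
Added example, not part of the original thread and not the EFF's code: the questions raised above about fractional "bits of identifying information" and about treating variables as independent, worked through in Python. It assumes the bits column is the standard surprisal, -log2 of a value's observed frequency; the function names and the eight-visitor sample are constructed for illustration, and only the two "1 in N" figures come from RW's comment.

```python
import math
from collections import Counter


def bits_from_one_in(n):
    """Surprisal, in bits, of a value seen in one of every n browsers."""
    return math.log2(n)


def one_in_from_bits(bits):
    """Inverse of bits_from_one_in: browsers per matching browser."""
    return 2.0 ** bits


def surprisal(samples, value):
    """-log2 of the observed frequency of value among samples."""
    seen = Counter(samples)[value]
    if seen == 0:
        raise ValueError("value never observed; surprisal is undefined")
    return -math.log2(seen / len(samples))


def summed_and_joint_bits(rows, target):
    """Return (sum of per-attribute bits, bits of the whole tuple).

    The sum is only valid if the attributes are independent; the joint
    figure is measured on the full fingerprint and is always correct.
    """
    summed = sum(
        surprisal([row[i] for row in rows], target[i])
        for i in range(len(target))
    )
    return summed, surprisal(rows, target)


# Figures quoted in RW's comment: bits are a logarithm, so they are
# fractional whenever N is not a power of two.
UA_BITS = bits_from_one_in(21067.7)        # about 14.36 bits
ACCEPT_BITS = bits_from_one_in(13167.31)   # about 13.68 bits

# Constructed sample of 8 visitors as (user agent, accept headers),
# where the accept headers are fully determined by the user agent.
ROWS = (
    [("Firefox/Windows", "accept-A")] * 4
    + [("IE/Windows", "accept-B")] * 2
    + [("Fennec/Maemo", "accept-C")] * 2
)
TARGET = ("Fennec/Maemo", "accept-C")

if __name__ == "__main__":
    total = UA_BITS + ACCEPT_BITS
    print(f"UA {UA_BITS:.2f} + accept {ACCEPT_BITS:.2f} = {total:.2f} bits")
    print(f"if independent: 1 in {one_in_from_bits(total):,.0f} browsers")
    summed, joint = summed_and_joint_bits(ROWS, TARGET)
    print(f"constructed sample: summed {summed} bits, joint {joint} bits")
```

On the constructed sample, adding the per-attribute bits gives 1 in 16 among only 8 visitors, while the measured joint figure is 1 in 4: summing overstates uniqueness whenever attributes are correlated.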
