Most browsers leave fingerprint that can ID users

Source: The Register (U.K.)

Most browsers leave fingerprint that can ID users

By Dan Goodin in San Francisco • Get more from this author

The vast majority of people surfing the web leave behind digital fingerprints that can be used to uniquely identify them, research released Monday by the Electronic Frontier Foundation suggests.

Using a website that compares visitors' browser configurations to a database of almost 1 million other users, EFF researchers found that 84 percent of visitors used setting combinations that were unique. When The Register visited the site using Firefox, it received a message that read: "Your browser fingerprint appears to be unique among the 837,411 tested so far." (Turning off javascript and Java with the NoScript plugin didn't change the results we got on one test PC, but on a second machine, use of NoScript significantly increased the number of browsers with the same fingerprint.)

Read more: http://www.theregister.co.uk/2010/05/17/browser_fingerprint

---

I always knew I was unique!

Direct link to eff.org press release:

http://www.eff.org/press/archives/2010/05/13

Test your own browser configuration:

http://panopticlick.eff.org

You would need to set up a website to run a bunch of different tests to identify a person. That would mean unless a website was specifically configured to do these kinds of tests (very impractical) you would not be identified.

I also find it hard to believe that 80% of the internet has unique browser configurations that can be tested when you consider how many millions of different installations there are.

I suspect it will become even easier to identify users as the diversity of internet devices increases -- everything from iPhones to highly sophisticated navigation systems.

you miss the point. A website would have to perform these tests and then store them in a database for you to be identifiable. That would be a huge resource hog so no website would actually do this as there would be no point. The only time something like this would be done is to perform a test like that then give you a result. It's a very interesting concept, but it is not a real threat to your privacy.

You don't need to store the data, just the hash.

http://en.wikipedia.org/wiki/Hash_function

That hash becomes the "fingerprint."

Putting a hash in a url or cookie (as most sophisticated web sites do) greatly reduces the load on servers and databases.

For marketing purposes the hash doesn't need to be complex because collisions are statistically insignificant even for relatively simple hash functions.

if it is in a cookie then ok, but you are already tracking the user by setting a cookie. The cookie is only accessible to the domain which created it. So I really don't see any practical use websites would have to store this type of data nor do I see how it is any different from what they already do. If google ads wants to track you to fetch you specific ads they already do that using cookies. I guess this could be useful if cookies are not enabled but that's a tiny fraction of the internet user base.

So to pretend this is some kind of threat that will identify you is a bit on the paranoid scale in my opinion since no website will actually be performing these tests then storing them on the servers. If they store it in a cookie that is no different from what they can already do. Maybe if you can give me some specific things they can do with this to put your privacy in jeopardy.

But I prefer it in brownies.
:hide:

Me too

I prefer them in my skivvies :hide:

It is very hard for anyone to go anywhere on the net without leaving a trail with Google, either through searches, google-analytics, add serving, or any of the google websites for bloggers, video, news, etc. Turning off or clearing cookies makes relatively little difference.

We have been aware of this issue for many years, but informally. The cited work just makes it easier for the general public. BTW any effort to conceal ones identity -- unusual browser, uncommon add-ins, turning off widely used features -- actually makes your "fingerprint" easier to identify using these techniques.

if you are paranoid and think google is collecting data using the above method when cookies are disabled you can easily block any traffic from google domains. Just add them to your hosts file and point it to 127.0.0.1.

At this point, blocking all the Google and Google-related domains is nearly impossible. You would have to get all the places hosted by Google, using videos it hosts, ads, etc. Almost impossible to make any move on the net without touching Google somewhere.

Not only does Google tailor its search results based on your history, it tailors which ads are served to you at many different sites, even what content the site presents you versus someone else.

you would have to be paranoid as hell to want to do this but blocking them is a matter of adding a few lines of code to your hosts file.

Even though many of the ads being served these days are really scripts or programs embedded in SWF or other live content.

The information used to ID ones browser is stored in the typical web log maintained on almost any web site in the world, at least for a while. This allows tracking of users, even if their IP is not saved in the log. And it allows that tracking to be done long after the user visited the sites involved.

Also, there are sites which can determine the physical localtion associated with visitors to the site (or other sites). Google, for its part, recently had to admit that while taking all the StreetView pictures with the little cars, it had also mapped all the WiFi hots spots along the way, "by accident".

google ads in this case. So you can block those too with a line of code in your hosts file.

Yes, certain things do get logged in website tracking software. But not the information needed to give you the unique ID the OP was talking about. I'm not aware of any popular tracking software that checks system fonts or versions of all the plugins on the browser.

You would only need to store data unique to the user, which could be as little as a few dozen bytes per user, and certainly no more than a few hundred bytes per user. Coupled to an Oracle database with live compression, you could store user data for hundreds of millions of users on a single server.

As for running the tests, you're only talking about executing a single survey plug-in. Hundreds of thousands of websites already run data collection plug-ins from Webtrends, Google Analytics, and other services. You're just talking about a slight modification of their capabilities.

Personally, I can see some benefit to this as well. An examination of a computers "fingerprint" in addition to their login credentials could be used to detect some types of attacks or identity theft. It could possibly be used to increase online security by subjecting users to additional authentication factors if their computer fingerprint suddenly changes. Some financial websites already do this to a limited extent based on IP address and a few other easily identifiable factors.

as your browsing habits are not stored.

The privacy issue would come in if there was a database of this information, and maintaing such a database would not only be a huge resource hog but every website on the internet would need to be a part of it for it to truly track you.

both in terms of processing time/power and storage. One can spin up dozens of servers on something like amazon EC2 or rackspace cloud servers in a matter of minutes for a few cents an hour.

1 server might not be expensive. 10,000 servers is a different matter.

The privacy risk mentioned above is simply not realistic.

The real problem for a single person or a group of people wouldn't be obtaining the resources, but obtaining access to collect the data. I'm sure google has a nice database of seemingly independent and anonymous data, but that could be turned into complete profile of real people if google 'goes evil' or if someone somehow gains complete access to the data. I'm personally not too worried though. I mean, many of us tell the world everything we're doing and when we're doing it.

I wouldn't be suprised if it's hundreds of millions a day. And that's only a fraction of the total internet usage.

Now if you had to store the hash of each of these users then actually track each page they hit with that hash the resources required would be through the roof. Not by any means impossible, it's simply not practical for any company to do as there is virtually no advantage of doing so.

The main issue isn't even being able to process the data and do something 'useful' with it. The real problem would be getting access to be able to see every single piece of data sent across the web. If anyone is able to do that, then I'm sure they would have plenty of computing power to turn that data into useful information... I'm sure they'd also have a reason for doing it if they went through all that trouble... Perhaps we're not really disagreeing here.

When I said resources were cheap and easy to get these days, I meant about it on much smaller scale than what you're talking about (although still large enough that it requires a decent amount of processing power). I'm not sure what kind situation that would be, but hey, people come up with schemes all the time.

nor do I see why they would invest hundreds of millions of dollars to collect this information. You change your timezone, install a new font, install an update to adobe, or do any other minor software changes and the information they had on you becomes useless.

Simply not a practical application by any means. If you are worried about privacy you need to worry about other things, not this.

I use some of those values with some other things to help track users on my site. It's mostly to help keep the trouble makers in check by creating a signature for them. My system isn't 100% and I don't think any could be since people can obviously change settings, disable plugins, use proxies, or whatever. However, it has helped a lot in alerting me of potential trouble makers. Which is funny coming from me, someone who is known for causing trouble... Argh, what have I become?

or least keep the less motivated ones from quick success.

Edit: After doing the test, I'm even more confused. None of the information displayed was private. That the combination of non-personal information can be summed to generate a "unique id" isn't that surprising.

the site points out a number of the other fingerprints you leave behind if infact the website is storing those fingerprints (very unlikely).

The features on your face are public and visible to everyone, and yet the specific configuration of your face is relatively unique to you. If you have a more common face, there may be dozens, even thousands of people worldwide that look like you. Others have very unique features, and are genuinely one of a kind.

What this is stating, simply, is that you leave a photo of your computers "face" on every server you visit. Your photo alone isn't enough to identify you, but it can make locating you a LOT easier. When they find you, it can also act as a simple way to verify that your computer was the same one that visited Site X on Date Y.

"The features on your face are public and visible to everyone, and yet the specific configuration of your face is relatively unique to you."

When I walk down the street, it is perfectly legal for anyone who wants to to photograph me. Now, my nose was once broken, I wear sunglasses, my height is what it is, etc. etc. All of these perfectly public characteristics could be digitized and summed to provide a "unique id" by anyone who cares to do so.

However, without matching that "unique id" to another piece of data (say a driver's license number in my example, or an internet protocol address on the web,) that unique id doesn't mean anything. It's not "me", it's an arbitrary way to describe me. And without some way to match that "unique id" to some piece of information that is verified to be attached to me, there is no way to match it up later.

"When they find you, it can also act as a simple way to verify that your computer was the same one that visited Site X on Date Y."

When who finds you, precisely, and just how will they do it? I think what they mean is that Hulu.com will recognize you when you return. They can't "find" you if you don't go to their site. :hi:

Specific features of these fingerprints might be useful for marketing. Any entity Hulu shares this data with who know a person with this specific fingerprint, or that people whose fingerprints share certain features, tend to watch these shows...

A government agency in the middle, tapping into the networks, might also gather these signatures passively. It's a certainty the U.S. has a huge capability in this regard. We didn't stop with tapping the Soviet Union's submarine cables -- U.S. security agencies are wired into almost everything and monitor wireless communications too. I have some doubts about their actual capability to sort through this flood of data, but the connections are there.

If one site can extract a browser fingerprint, which is essentially a number, then another site using the identical fingerprint algorithm will get the same fingerprint.

I could post links here on DU for various sites I control, maybe even one that requires some sort of registration, and I'd be able to tell which of my sites you'd visited and I'd also be able to share that fingerprint with friends and associates.

I can already do that with cookies and IP addresses and such, much as advertising entities like google do, but this fingerprint method can discern even more associations.

I already discussed above what kind of additional resources would be required to keep track of this type of data. We already discussed how unreliable this data is (change your timezone, install a new font, install a new patch, etc and your id is regenerated). And we also discussed how there is absolutely no practical reason to store this type of data.

So for you to think that people are storing this and then sharing it among each other for no rational reason at all is nothing more than some serious paranoia.

Maybe you should RTFA.

Also there's this unrelated privacy hole:

http://whattheinternetknowsaboutyou.com/

...which is trivial to use if you know what websites you are interested in seeing in people's browsing history.

So Hulu.com shares millions of "unique ids" with its partners. Again: SO WHAT?

I won't even get into the idea that installing additional extensions will change this "unique id". Let's assume it's immutable, but utterly un-cross referencable (with an address, an ip, or a cc number, por ejamplo.) It's still useless!

Not only can they ID you as a user, but in many cases they can see evidence of your surfing habits.

Did you just go to a porn site? The mainstream site you surf to after that may be able to see where you just were.

I've witnessed this.

I could manipulate the data between 1: 936,219 to 1:63,118

Turn on scripting: browser is "unique" among a total of 915,050 tested.

Turn off scripting: "one in 65,379 browsers have the same fingerprint"


More webistes are requiring scripting to be on to view the content. Increasingly, I'm asking myself if reading that particular content is worth the risk of privacy violation. It's usually a tough question to answer, as one requested the page because the content may have been what was sought. But, after requesting the page, there's often plenty of ads visible, just not the content, until one turns on scripting.

Is it just a pay-by-click income-advertising scam? Or, is it show me your ID before you can read?

Weren't librarians warning us about this a few years ago?

if you are that worried you better stop posting online. In the end there is absolutely no gurantee of your privacy. You might stumble upon some virus that will upload all your usage data to some server in China.

The threat talked about in the OP isn't really a threat, and there are much bigger things for you to worry about.

Choosing to say something versus the right to read anonymously are like apples and oranges. Sure, both are fruits and thus are related yet they are distinctly different fruits.

Wasn't that difference covered in elementary school? Yawn.

I'm surprised the number is that high.

I'm not sure whether I like this or not.

Time to mix it up. With my luck that will just make me more unique. Sigh.

With OmniWeb, my settings seemed to be unique
With Opera, my settings seemed to be unique
With Safari, my settings seemed to be unique

With Firefox (including No Script), I was one of 3000+

How could google, yahoo, bing, (etc.) all possibly manage to detect and prevent click fraud?

something like terrorist trap sites or something.

They immediately demand that people should not be allow to take pictures.

then use the exceptions option to add the websites that I will let store a cookie on my computer. Google is one that I have blocked and it seems to have no effect on my browsing in anyway. On this computer I have a total of 4 cookies right now.

I wouldn't go to either link under the line you provided though, but thats just me.