Most browsers leave fingerprint that can ID users

The vast majority of people surfing the web leave behind digital fingerprints that can be used to uniquely identify them, research released Monday by the Electronic Frontier Foundation suggests. Using a website that compares visitors' browser configurations to a database of almost 1 million other users, EFF researchers found …

COMMENTS

This topic is closed for new posts.

WTF?

I'm not convinced about that one

I'm apparently unique in IE8, Opera and Firefox. All out of the box standard configs running on a cheap lappy running Fista.

Not convinced, unless everyone hitting that site is using XP or some flavour of Linux.

Or maybe as I'm not a full on IT professional I'm the only one still using Vista!

2
3
Alert

bear in mind

This data collection also appears to contain your installed fonts, current resolution, and so forth. If you run the test again you can check what part of it was 'ID'ing you by :)

Also, Vista? Really?

0
0
Happy

titlez

I tend to masquerade behind Privoxy, so I appear to be running a very generic version of Firefox on a very popular version of Windows when in actual fact neither is true.

It's also useful for totally killing all analytics/tracking independently of the browser.

0
0
Bronze badge

Care to share?

Privoxy's documentation seems to expect a lot of knowledge of browsers and perl. Just to compare, how would one tell it to rewrite the fonts and plugins headers to be fictional strings?

0
0
FAIL

turning off javascript significantly changes the result

With javascript disabled, the only information the test page gets is your browser's identification string, HTTP_ACCEPT headers and whether or not cookies are enabled. This has a large effect on the result.

0
0
Boffin

Javascript

When I went to the site, I immediately saw the reason that turning off JavaScript didn't stop it. It is actually running Java.

I regularly remind Users and managers that the two are different. Hopefully, you already do.

0
0
Thumb Up

NoScript blocks both Java and JavaScript

And, in fact, NoScript disabling JavaScript, Java and plugins by default makes identification about 40 times harder on my Firefox (1/19000).

I'm not sure why Dan Goodin reportedly had his browser identified as unique notwithstanding NoScript, but I suspect he's got "Globally allow mode" or he failed to correctly repeat the test...

0
0
Happy

Dan Goodin's uniqueness explained :)

Later I had some conversation with Dan, and we discovered that the culprit of his un-anonymity was a pretty unique HTTP header he was sending by accident, due to uncommon configuration bits of his. In fact, once you shut down JavaScript and plugins, the stuff giving your identity away (aside your IP) is almost all at the HTTP level, especially cookies, user agent string (double check that it's the default one coming with your vanilla browser - the Microsoft .NET Framework and other 3rd party software love to "customize" it making you more identifiable) and language information.

0
0

No Linux users

Based on the results I was only the 3rd (JavaScript off) and 4th (JavaScript on) visitor running a Mozilla-supplied 64-bit Firefox 3.6.3 Linux distribution in 842,000 visitors, which surprised me.

With JavaScript on it's the system fonts and plugins that make a good fingerprint. Both were unique.

0
0

I'm rapidly getting more anonymous

I'm only unique to 1 in 60,000. And it was 1 in 90,000 ten minutes ago.

0
0
RW
Unhappy

@ Tim Brown 1

But even with JS disabled, I'm unique. The interesting thing is that I'm running a pretty vanilla install of Ubuntu 8.04 LTS, recently updated, which gives a user agent string

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010040119 Ubuntu/8.04 (hardy) Firefox/3.0.19 [1 in 21067.7 browsers]

and HTTP_ACCEPT headers

text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 windows-1252,utf-8;q=0.7,*;q=0.7 gzip,deflate en-us,en;q=0.5 [1 in 13167.31 browsers]

Both of these I would expect to be pretty standard, yet evidently both are reasonably rare and in combination make my fingerprint unique. I simply do not understand. Can anyone explain what makes these particular combinations so uncommon? Or is it that the universe of possible combinations is far more extensive than one might think?

With JS enabled, the real killer is one's font selection. I've got some unusual fonts such as Everson Mono and BPG Unicode Standard, so it's understandable that I'm unique in that regard. WRT the assortment of fonts, I notice two things: first, the fingerprint specifically says "system fonts". Does this mean that if I move my special fonts to my user directory they'll be invisible? Second, I notice that the font info is retrieved via Flash. More and more I begin to view Flash as considerably more than just a video/interactive plug-in. Adobe seems to be like Google, far too interested in privacy-eroding details.

At least I've successfully turned supercookies off!

All in all, this is one more reason not to use proprietary software like Flash. At least with Open Source, you can (in theory) go in and neuter it so it doesn't divulge such details.

Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

1
0
RW
Unhappy

"System fonts"

Bad news: under Linux, fonts in ~/.fonts are discovered. It's pointless to try to conceal them there.

This is understandable because Flash likely asks "what fonts can I use?" and Firefox/Linux return a list of all fonts the current browser session has access to.

0
0
Thumb Down

seriously?

> Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

Just think if one in every X web surfers really:

- knows that a browser has a user agent string

- knows how to change it

- knows that it can be used to infringe their privacy

- cares enough to do it

- doesn't forget to do it again after browser/os reinstall

- fulfills all of the above conditions and decides to change it to "Hidden" as opposed to something else, e.g. "hidden", "Hidden!" or "I won't tell you, you spying swines!"

- believes that at least one in X web surfers fulfills the conditions listed here,

where "one of X" is the proportion of web surfers with a user agent string matching theirs

Because if these conditions don't hold, changing your u.a.s. to "Hidden" would make your system more easily detected instead of less...

0
0
Coat

Good luck!

I'm behind seven Boxxies!

0
3
FAIL

Pretty useless

Any time I change anything about my system, I become a different identity. Not the best tracking mechanism then.

2
2

Exactly,

All we need to do is install another Font or something!

My fingerprint from last week will be different from the one this week because I got a new monitor on Friday with a different screen resolution being used.

0
0
Silver badge
Flame

Well...

My firefox 3.6.3 exploded (and offered to send the bug report to MS), how unique is that?!

0
0
Anonymous Coward

Surprised

Very interesting indeed. I'll read the whitepaper. It claims I have a unique fingerprint (with special thanks to plugins and fonts).

0
0

My evil doppelganger

needs only to deinstall Shruti to foment revolution, then reinstall to pretend innocence? Or is it merely removing an old version of Java?

Anyways, NoScript made me one in 2,833. I like those odds better.

0
0
Jobs Horns

What's in a claim?

'When The Register visited the site using Firefox, it received a message that read: "Your browser fingerprint appears to be unique among the 837,411 tested so far."'

And was it?

Why does this message have any more credibility than a message/advert on a website that claims I am unprotected and need to buy their Internet Security product in order to survive? I expect anyone at The Register who browses the Internet ends up with the same IP address, meaning people can identify you as being from there, once they know what that IP address is, without being able to say which person you are. That's nothing special. Can this website go through their logs and tell me which entries are me at home and at work? I expect not.

This is little more than someone with caller ID issuing a press release to say they can tell who phoned them. Anyone who doesn't understand that every time they connect to a website they have to give an IP address to 'reply' to is going to be traceable in so many ways that there's little point warning them about one.

1
3
Bronze badge

We are all unique, like snowflakes

I think it's obvious that they're making an error by assuming that because you have a detailed fingerprint, it's unique. I suspect that one could format the HD, install a fresh OS, take the test, and be told that you're unique. And a hundred others could do the same thing on the same type of PC and screen (etc.) and could get the same result. I'm not sure, but seems likely.

0
0
Coat

I'm not

On my way

0
0
Alert

Old news

Convertro has been doing this for at least a year. It's nothing new and I'm sure plenty of others do it as well.

0
0
Silver badge

OpenSUSE 11.2

FF 1 in ~450000

Konqueror 1 in ~850000

Opera 1 in ~850000

All with JS off

1
0
Silver badge
Black Helicopters

Thank you very much...

For publishing here, instead of taking the idea off to Cheltenham and selling it for a lot of money.

Or even worse, taking it off to the US, China or Israel and selling it for a lot more....

0
0
WTF?

Sceptical

I'm exceedingly sceptical.

With Java/JavaScript off, all you get is the user agent, HTTP ACCEPT and whether or not cookies are accepted.

The user agent is built from the OS and browser versions and the current language setting. The HTTP ACCEPT value depends almost totally on the factors that are expressed in the user agent, so I would be surprised to find cases where the HTTP ACCEPT differed with identical user agent strings.

So, we are left with OS and browser versions and language. Assuming that you have auto-updates the version numbers for these will be the same for most people. Worse still, my user agent today may be different from my user agent tomorrow, because the browser may have been updated or I may have received an OS service pack.

So, it looks like we are down to OS choice (not exact version) and browser choice (again not exact version) and language.

Or am I wrong?

0
1

iid variables?

After my results, I wonder if they treat all variables as independent.

One in 285304.67 browsers out of 855914 have my user string, which means that only 3 such browsers have visited the page. This didn't surprise me, as I visited from my N900 using Fennec, and the N900 is the only device in existence which supports the Maemo OS and the Fennec browser. Plus, Fennec isn't even the default browser on it.

But I was told that my configuration is unique among the 855 914 visitors. How that? Maybe they have multiplied the "3 out of 855 914" with the other variables? Well, that would be wrong. Because all people running Fennec on the N900 have a 800x400 screen, none of them can have detectable Flash or Java fonts, none of them can have definable plugins, and none of them can disable supercookies. The normal cookies remain, but I was unique both with and without them. So unless the other 2 people with this device chose to modify their http accept headers, there is something fishy with the calculations panopticlick makes.

0
0
Anonymous Coward

I think I know the piece of data that makes everybody unique and trackable!

It's your IP address.

I say that because on my ultra locked down browser they are only getting the UA & HTTP Accept headers, which are pretty far from being unique yet they tell me that nobody else has the same configuration which is clearly bullocks based on the number of people running noscript here.

Ergo, they are using some other piece of information submitted to the server, and the only thing that comes to mind that would be easily usable is the IP.

0
0
Thumb Up

What larks!

I would like this site to let me know if there are any other sad lusers using a crummy old Firefox 2.0 on Solaris 8 that visited it. I'm impressed how much it gathers. I'm unique, great! I am one of 60,000 - also great. The best would be one of only two with the same configuration.

It looks like anonymous browsing involves buying some standard kit, and not modifying anything.

0
0
FAIL

Yeah right ...

Running a default install of Safari on a brand new default install MacOS X powerbook - makes me unique ? Unless I'm the only person in the country who owns one, I don't think that's really going to be the case ... This is a load of cobblers.

0
0

Re: Yeah right ...

It doesn't say you're unique in the country, just unique amongst the < 1,000,000 people who have taken the test, which seems plausible.

0
0
N2
Bronze badge

my test

only one in 214,360 browsers have the same fingerprint as yours

0
0
Anonymous Coward

Title

Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere.

0
0
WTF?

RE: Title

"Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere."

Mine claimed to be unique too. It seems very unlikely though. My fonts come from OSX + iLife + Photoshop + Office. Surely I'm not the only one?

It also got my screen resolution wrong.

0
0

Combinations

@RW: yes, the number of possible combinations is surprisingly big. I'm sure this all got reported a month or two back so I've already thrashed through the arguments on Usenet... personally, I changed my user-agent string so as to *guarantee* uniqueness...

0
0
Anonymous Coward

Oh rats!

It looks like I'm the only person whose preferred languages (according to the Accept-Language header) are Toki Pona, Esperanto and Lojban, in that order.

0
0
FAIL

So....

So, given that it takes very small differences to become unique among a very large number of seemingly identically setup machines, surely then, only very small changes would alter your fingerprint which then becomes a bit useless for tracking purposes. The question has got to be how easily does your fingerprint change?

I’m not convinced either, since sat behind a proxy server using two machines setup from the same image with a comparison of the data shown on the website showing it is identical – yet they are both ‘unique’.

Me thinks they are hiding something – probably that it doesn’t actually work!

0
0
Anonymous Coward

Plug in info seems to give the most away

I wonder if geeks are more vulnerable to this sort of thing. I see bits from dev kits and tech demos.

0
0
WTF?

IE6 is unique

Tested with firefox on our gateway pc, and found it was unique. Turned off javascript, and dropped to 1 in 11,490. I can see how they get a lot of unique hits though, especially with all the different versions of firefox out in the wild.

Amusingly though, testing with IE6 came up with three javascript errors on the front page, then a blank page when I clicked Test, then the browser crashed when I refreshed the page.

That's certainly one way of making their stats look better - the great unwashed can't even use the site!

0
0

Running FF 3.6.5pre on 64-bit Ubuntu Lucid,

my browser fingerprint is reported by Panopticlick as seemingly being «unique among the 862,067 tested so far», irrespective of whether the website URL is enabled or disabled in NoScript. More or less the same result as when I tested a year or so ago. Nice to have one's uniqueness confirmed - if more people test their machines, perhaps I'll get to be one in a million !...

Henri

0
0
Joke

a year ago?

You were running FF 3.6.5pre on 64 bit Lucid a year ago? Amazing.

1
0
Anonymous Coward

curiously (perhaps)

I turned noscript off, and became half as unique (1/400k not 1/800k).

0
0

Updates

The frequency with which many browsers and plugins (and even OSes) update these days I would have thought makes this pretty much useless. For example I am running nightly builds of Firefox at the moment so my browser updates every single day. The whole point of fingerprints is that they do not change, it seems this one does.

0
0
Bronze badge
Coat

Plugins and Fonts

... is what gives me away. Not surprising perhaps having Far Eastern Language support turned on in the west and some fonts only installed by/for specific applications as well.

So the only way for me to be non-unique is to prevent plugin and font data being accessed. Good luck to the man on the Clapham Omnibus achieving that without help.

On the 'small changes makes it useless for tracking' notion ... not necessarily. The 3'6" man with a Richard Nixon mask and a white wig robbing a bank is likely to be the same 3'6" man with a Tony Blair mask and a red wig robbing another. Not 100% guaranteed but statistically significant. It depends on the reason for tracking, as a unique identifier, perhaps not, on following suspects, far more useful.

Mine's the one with the "GCHQ are all nice folk" note in the pocket.

0
0

What a load of nonsense

What a load of nonsense,

I first done this test and it said my fingerprint was unique, so, I re-routed all traffic to that website over my works VPN connection, and re-done the test using the same browser which has the same fingerprint. Surprise Surprise, it said it was unique again.

1
1
Bronze badge

Using the same browser?

Did you remember to delete their 'unique id' cookie as described in their faq?

0
0

Fractional bits

I'm now one in 866454, probably because I'm the first to use SeaMonkey/2.0.4 Like Firefox/3.5.

But the odd thing is the column headed 'Bits of identifying information' because this gives values to two places of decimals. As any fule kno, bits are units of information and so you can only have whole numbers of bits of information, surely?

And as Anonymous Coward above pointed out, it's not just being unique that identifies you, it's having that uniqueness remaining constant that is necessary. If fingerprints changed every day, thieves would not worry about leaving them behind.

0
1
Silver badge
Thumb Up

Interesting heuristic

I think the point of the test is to highlight how much more we let on than we think. There are advantages both in being unique - less likely to be the victim of a known exploit crafted for the masses - and being non-unique - possibly more difficult to identify. Given that most people have fairly promiscuous cookie settings, cookies are likely to remain the id tag of choice. But, assuming you have access to sufficient websites, you could use this heuristic for profiling, presumably inversely as a way of excluding the masses.

0
0
Anonymous Coward

Unique?

Unique in 867,760.

Only it's not.

The screen size and colour depth is unique. Screen size being the size of the current browser window.

I don't think I'll lose any sleep over this :)

0
1
Thumb Down

Damn lies and statistics

There are a lot of things that go into your browser's signature (OS, version numbers, fonts, etc. etc.). If all these can vary between users the number of combinations quickly becomes quite large. There may indeed be many people in the world who share your quite common settings. However, if the number of people who've visited the EFF website is smaller than the number of common setting combinations, then you will still probably appear unique using this test.

To see the problem, imagine you go to a small website with only two visitors. They can easily tell you apart because one of you uses IE and the other uses Firefox. Oh heck!

The EFF site is a bit like that.

Trouble is, so are some of the sites that want to track you.

0
0
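Added example, not part of any comment above and not Panopticlick's own code: three points raised in the thread (fractional "bits", whether per-attribute figures may be multiplied as if independent, and apparent uniqueness in a small sample) worked through in Python. It assumes "bits of identifying information" means surprisal, -log2 of the observed frequency; the visitor table and its attribute labels are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample of (user_agent, screen, fonts) per visitor; not real test data.
VISITORS = (
    [("Firefox/Win", "1280x1024", "default")] * 6
    + [("IE8/Win", "1280x1024", "default")] * 5
    # A single-model device: the user agent already implies screen and fonts.
    + [("Fennec/N900", "fixed-small", "none")] * 3
    + [("Firefox/Linux", "1920x1200", "default")] * 1
    + [("Firefox/Linux", "1280x1024", "custom")] * 1
)

def bits_from_one_in(n):
    """Surprisal in bits of a value seen in one out of every n browsers."""
    return math.log2(n)

def surprisal(count, total):
    """Surprisal in bits of an observation seen count times out of total."""
    return -math.log2(count / total)

def attribute_bits(visitors, fingerprint):
    """Bits carried by each attribute when it is measured on its own."""
    total = len(visitors)
    return [
        surprisal(sum(1 for v in visitors if v[i] == value), total)
        for i, value in enumerate(fingerprint)
    ]

def joint_bits(visitors, fingerprint):
    """Bits carried by the fingerprint counted as one combined observation."""
    return surprisal(Counter(visitors)[fingerprint], len(visitors))

def unique_fraction(visitors):
    """Share of visitors whose full fingerprint occurs exactly once."""
    counts = Counter(visitors)
    return sum(1 for v in visitors if counts[v] == 1) / len(visitors)

if __name__ == "__main__":
    # Fractional bits: "1 in 21067.7 browsers" is log2(21067.7) bits.
    print("1 in 21067.7 ->", round(bits_from_one_in(21067.7), 2), "bits")

    fp = ("Fennec/N900", "fixed-small", "none")
    naive = sum(attribute_bits(VISITORS, fp))   # treats attributes as independent
    actual = joint_bits(VISITORS, fp)           # counts the combination directly
    print("naive sum: %.2f bits (1 in %.0f)" % (naive, 2 ** naive))
    print("joint:     %.2f bits (1 in %.1f)" % (actual, 2 ** actual))

    # Every third-party site sees only a sample of the population.
    print("unique in full sample: ", unique_fraction(VISITORS))
    print("unique in 3-visitor sample:", unique_fraction(VISITORS[::6]))
```

For the fully correlated device, summing per-attribute bits triples the true figure and would report a fingerprint shared by three of sixteen visitors as unique; counting the combined fingerprint does not.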
