Most browsers leave fingerprint that can ID users

The vast majority of people surfing the web leave behind digital fingerprints that can be used to uniquely identify them, research released Monday by the Electronic Frontier Foundation suggests. Using a website that compares visitors' browser configurations to a database of almost 1 million other users, EFF researchers found …

COMMENTS

  1. SirTainleyBarking
    WTF?

    I'm not convinced about that one

    I'm apparently unique in IE8, Opera and Firefox. All out of the box standard configs running on a cheap lappy running Fista.

    Not convinced, unless everyone hitting that site is using XP or some flavour of Linux.

    Or maybe as I'm not a full on IT professional I'm the only one still using Vista!

    1. Danington the Third
      Alert

      bear in mind

      This data collection also appears to contain your installed fonts, current resolution, and so forth. If you run the test again you can check what part of it was 'ID'ing you by :)

      Also, Vista? Really?

  2. Anonymous Coward
    Happy

    titlez

    I tend to masquerade behind Privoxy, so I appear to be running a very generic version of Firefox on a very popular version of Windows when in actual fact neither is true.

    It's also useful for totally killing all analytics/tracking independently of the browser.

  3. Tim Brown 1
    FAIL

    turning off javascript significantly changes the result

    With javascript disabled, the only information the test page gets is your browser's identification string, HTTP_ACCEPT headers and whether or not cookies are enabled. This has a large effect on the result.

    1. Anonymous Coward
      Anonymous Coward

      Care to share?

      Privoxy's documentation seems to expect a lot of knowledge of browsers and perl. Just to compare, how would one tell it to rewrite the fonts and plugins headers to be fictional strings?

  4. Spanners Silver badge
    Boffin

    Javascript

    When I went to the site, I immediately saw the reason that turning off JavaScript didn't stop it. It is actually running Java.

    I regularly remind Users and managers that the two are different. Hopefully, you already do.

  5. Gordon 11

    No Linux users

    Based on the results I was only the 3rd (JavaScript off) and 4th (JavaScript on) visitor running a Mozilla-supplied 64-bit Firefox 3.6.3 Linux distribution in 842,000 visitors, which surprised me.

    With JavaScript on it's the system fonts and plugins that make a good fingerprint. Both were unique.

  6. McBread

    I'm rapidly getting more anonymous

    I'm only unique to 1 in 60,000. And it was 1 in 90,000 ten minutes ago.

    1. Giorgio Maone
      Thumb Up

      NoScript blocks both Java and JavaScript

      And, in fact, NoScript disabling JavaScript, Java and plugins by default makes identification about 40 times harder on my Firefox (1/19000).

      I'm not sure why Dan Goodin reportedly had his browser identified as unique notwithstanding NoScript, but I suspect he's got "Globally allow mode" or he failed to correctly repeat the test...

      1. Giorgio Maone
        Happy

        Dan Goodin's uniqueness explained :)

        Later I had some conversation with Dan, and we discovered that the culprit of his un-anonymity was a pretty unique HTTP header he was sending by accident, due to uncommon configuration bits of his. In fact, once you shut down JavaScript and plugins, the stuff giving your identity away (aside your IP) is almost all at the HTTP level, especially cookies, user agent string (double check that it's the default one coming with your vanilla browser - the Microsoft .NET Framework and other 3rd party software love to "customize" it making you more identifiable) and language information.

  7. RW
    Unhappy

    @ Tim Brown 1

    But even with JS disabled, I'm unique. The interesting thing is that I'm running a pretty vanilla install of Ubuntu 8.04 LTS, recently updated, which gives a user agent string

    Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010040119 Ubuntu/8.04 (hardy) Firefox/3.0.19 [1 in 21067.7 browsers]

    and HTTP_ACCEPT headers

    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 windows-1252,utf-8;q=0.7,*;q=0.7 gzip,deflate en-us,en;q=0.5 [1 in 13167.31 browsers]

    Both of these I would expect to be pretty standard, yet evidently both are reasonably rare and in combination make my fingerprint unique. I simply do not understand. Can anyone explain what makes these particular combinations so uncommon? Or is it that the universe of possible combinations is far more extensive than one might think?

    With JS enabled, the real killer is one's font selection. I've got some unusual fonts such as Everson Mono and BPG Unicode Standard, so it's understandable that I'm unique in that regard. WRT the assortment of fonts, I notice two things: first, the fingerprint specifically says "system fonts". Does this mean that if I move my special fonts to my user directory they'll be invisible? Second, I notice that the font info is retrieved via Flash. More and more I begin to view Flash as considerably more than just a video/interactive plug-in. Adobe seems to be like Google, far too interested in privacy-eroding details.

    At least I've successfully turned supercookies off!

    All in all, this is one more reason not to use proprietary software like Flash. At least with Open Source, you can (in theory) go in and neuter it so it doesn't divulge such details.

    Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

    1. RW
      Unhappy

      "System fonts"

      Bad news: under Linux, fonts in ~/.fonts are discovered. It's pointless to try to conceal them there.

      This is understandable because Flash likely asks "what fonts can I use?" and Firefox/Linux return a list of all fonts the current browser session has access to.

    2. informavorette
      Thumb Down

      seriously?

      > Let me propose that those concerned with privacy change their user agent string to simple "Hidden"

      Just think if one in every X web surfers really:

      - knows that a browser has a user agent string

      - knows how to change it

      - knows that it can be used to infringe their privacy

      - cares enough to do it

      - doesn't forget to do it again after browser/os reinstall

      - fulfills all of the above conditions and decides to change it to "Hidden" as opposed to something else, e.g. "hidden", "Hidden!" or "I won't tell you, you spying swines!"

      - believes that at least one in X web surfers fulfills the conditions listed here,

      where "one of X" is the proportion of web surfers with a user agent string matching theirs

      Because if these conditions don't hold, changing your u.a.s. to "Hidden" would make your system more easily detected instead of less...

  8. Tom Maddox Silver badge
    Coat

    Good luck!

    I'm behind seven Boxxies!

  9. Sarev
    FAIL

    Pretty useless

    Any time I change anything about my system, I become a different identity. Not the best tracking mechanism then.

  10. Steve Evans
    Flame

    Well...

    My firefox 3.6.3 exploded (and offered to send the bug report to MS), how unique is that?!

  11. Anonymous Coward
    Anonymous Coward

    Surprised

    Very interesting indeed. I'll read the whitepaper. It claims I have a unique fingerprint (with special thanks to plugins and fonts).

  12. Notas Badoff

    My evil doppelganger

    needs only to deinstall Shruti to foment revolution, then reinstall to pretend innocence? Or is it merely removing an old version of Java?

    Anyways, NoScript made me one in 2,833. I like those odds better.

    1. Gaz Jay

      Exactly,

      All we need to do is install another Font or something!

      My fingerprint from last week will be different from the one this week because I got a new monitor on Friday with a different screen resolution being used.

  13. Anonymous Coward
    Jobs Horns

    What's in a claim?

    'When The Register visited the site using Firefox, it received a message that read: "Your browser fingerprint appears to be unique among the 837,411 tested so far."'

    And was it?

    Why does this message have any more credibility than a message/advert on a website that claims I am unprotected and need to buy their Internet Security product in order to survive? I expect anyone at The Register who browses the Internet ends up with the same IP address, meaning people can identify you as being from there, once they know what that IP address is, without being able to say which person you are. That's nothing special. Can this website go through their logs and tell me which entries are me at home and at work? I expect not.

    This is little more than someone with caller ID issuing a press release to say they can tell who phoned them. Anyone who doesn't understand that every time they connect to a website they have to give an IP address to 'reply' to is going to be traceable in so many ways that there's little point warning them about one.

  14. JeffyPooh Silver badge

    We are all unique, like snowflakes

    I think it's obvious that they're making an error by assuming that because you have a detailed fingerprint, it's unique. I suspect that one could format the HD, install a fresh OS, take the test, and be told that you're unique. And a hundred others could do the same thing on the same type of PC and screen (etc.) and could get the same result. I'm not sure, but seems likely.

  15. Chris_Maresca
    Alert

    Old news

    Convertro has been doing this for at least a year. It's nothing new and I'm sure plenty of others do it as well.

    1. Anonymous Coward
      Coat

      I'm not

      On my way

  16. Chemist

    OpenSUSE 11.2

    FF 1 in ~450000

    Konqueror 1 in ~850000

    Opera 1 in ~850000

    All with JS off

  17. Dodgy Geezer Silver badge
    Black Helicopters

    Thank you very much...

    For publishing here, instead of taking the idea off to Cheltenham and selling it for a lot of money.

    Or even worse, taking it off to the US, China or Israel and selling it for a lot more....

  18. GettinSadda
    WTF?

    Sceptical

    I'm exceedingly sceptical.

    With Java/JavaScript off, all you get is the user agent, HTTP ACCEPT and whether or not cookies are accepted.

    The user agent is built from the OS and browser versions and the current language setting. The HTTP ACCEPT value depends almost totally on the factors that are expressed in the user agent, so I would be surprised to find cases where the HTTP ACCEPT differed with identical user agent strings.

    So, we are left with OS and browser versions and language. Assuming that you have auto-updates the version numbers for these will be the same for most people. Worse still, my user agent today may be different from my user agent tomorrow, because the browser may have been updated or I may have received an OS service pack.

    So, it looks like we are down to OS choice (not exact version) and browser choice (again not exact version) and language.

    Or am I wrong?

  19. informavorette

    iid variables?

    After my results, I wonder if they treat all variables as independent.

    One in 285304.67 browsers out of 855914 have my user string, which means that only 3 such browsers have visited the page. This didn't surprise me, as I visited from my N900 using Fennec, and the N900 is the only device in existence which supports the Maemo OS and the Fennec browser. Plus, Fennec isn't even the default browser on it.

    But I was told that my configuration is unique among the 855 914 visitors. How that? Maybe they have multiplied the "3 out of 855 914" with the other variables? Well, that would be wrong. Because all people running Fennec on the N900 have a 800x400 screen, none of them can have detectable Flash or Java fonts, none of them can have definable plugins, and none of them can disable supercookies. The normal cookies remain, but I was unique both with and without them. So unless the other 2 people with this device chose to modify their http accept headers, there is something fishy with the calculations panopticlick makes.

  20. Pigeon
    Thumb Up

    What larks!

    I would like this site to let me know if there are any other sad lusers using a crummy old Firefox 2.0 on Solaris 8 that visited it. I'm impressed how much it gathers. I'm unique, great! I am one of 60,000 - also great. The best would be one of only two with the same configuration.

    It looks like anonymous browsing involves buying some standard kit, and not modifying anything.

    1. Anonymous Coward
      Anonymous Coward

      I think I know the piece of data that makes everybody unique and trackable!

      It's your IP address.

      I say that because on my ultra locked down browser they are only getting the UA & HTTP Accept headers, which are pretty far from being unique yet they tell me that nobody else has the same configuration which is clearly bullocks based on the number of people running noscript here.

      Ergo, they are using some other piece of information submitted to the server, and the only thing that comes to mind that would be easily usable is the IP.

  21. Anonymous Coward
    FAIL

    Yeah right ...

    Running a default install of Safari on a brand new default install MacOS X powerbook - makes me unique ? Unless I'm the only person in the country who owns one, I don't think that's really going to be the case ... This is a load of cobblers.

  22. N2 Silver badge

    my test

    only one in 214,360 browsers have the same fingerprint as yours

    1. Jamie Kitson

      Re: Yeah right ...

      It doesn't say you're unique in the country, just unique amongst the < 1,000,000 people who have taken the test, which seems plausible.

  23. Anonymous Coward
    Anonymous Coward

    Title

    Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere.

    1. Anonymous Coward
      WTF?

      RE: Title

      "Mine was unique too in IE8, but the one that really did me in was the screen resolution of "1843x1152x32" (I actually use 1920x1200). Looks like a bug in there somewhere."

      Mine claimed to be unique too. It seems very unlikely though. My fonts come from OSX + iLife + Photoshop + Office. Surely I'm not the only one?

      It also got my screen resolution wrong.

  24. Dom 3

    Combinations

    @RW: yes, the number of possible combinations is surprisingly big. I'm sure this all got reported a month or two back so I've already thrashed through the arguments on Usenet... personally, I changed my user-agent string so as to *guarantee* uniqueness...

  25. Anonymous Coward
    Anonymous Coward

    Oh rats!

    It looks like I'm the only person whose preferred languages (according to the Accept-Language header) are Toki Pona, Esperanto and Lojban, in that order.

  26. Anonymous Coward
    FAIL

    So....

    So, given that it takes very small differences to become unique among a very large number of seemingly identically setup machines, surely then, only very small changes would alter your fingerprint which then becomes a bit useless for tracking purposes. The question has got to be how easily does your fingerprint change?

    I’m not convinced either, since sat behind a proxy server using two machines setup from the same image with a comparison of the data shown on the website showing it is identical – yet they are both ‘unique’.

    Me thinks they are hiding something – probably that it doesn’t actually work!

  27. Anonymous Coward
    Anonymous Coward

    Plug in info seems to give the most away

    I wonder if geeks are more vulnerable to this sort of thing. I see bits from dev kits and tech demos.

  28. Mayhem
    WTF?

    IE6 is unique

    Tested with firefox on our gateway pc, and found it was unique. Turned off javascript, and dropped to 1 in 11,490. I can see how they get a lot of unique hits though, especially with all the different versions of firefox out in the wild.

    Amusingly though, testing with IE6 came up with three javascript errors on the front page, then a blank page when I clicked Test, then the browser crashed when I refreshed the page.

    That's certainly one way of making their stats look better - the great unwashed can't even use the site!

  29. mhenriday

    Running FF 3.6.5pre on 64-bit Ubuntu Lucid,

    my browser fingerprint is reported by Panopticlick as seemingly being «unique among the 862,067 tested so far», irrespective of whether the website URL is enabled or disabled in NoScript. More or less the same result as when I tested a year or so ago. Nice to have one's uniqueness confirmed - if more people test their machines, perhaps I'll get to be one in a million !...

    Henri

    1. Anonymous Coward
      Joke

      a year ago?

      You were running FF 3.6.5pre on 64 bit Lucid a year ago? Amazing.

  30. Anonymous Coward
    Anonymous Coward

    curiously (perhaps)

    I turned noscript off, and became half as unique (1/400k not 1/800k).

  31. Jamie Kitson

    Updates

    The frequency with which many browsers and plugins (and even OSes) update these days I would have thought makes this pretty much useless. For example I am running nightly builds of Firefox at the moment so my browser updates every single day. The whole point of finger prints is that they do not change, it seems this one does.

  32. Jason Bloomberg Silver badge
    Coat

    Plugins and Fonts

    ... is what gives me away. Not surprising perhaps having Far Eastern Language support turned on in the west and some fonts only installed by/for specific applications as well.

    So the only way for me to be non-unique is to prevent plugin and font data being accessed. Good luck to the man on the Clapham Omnibus achieving that without help.

    On the 'small changes makes it useless for tracking' notion ... not necessarily. The 3'6" man with a Richard Nixon mask and a white wig robbing a bank is likely to be the same 3'6" man with a Tony Blair mask and a red wig robbing another. Not 100% guaranteed but statistically significant. It depends on the reason for tracking, as a unique identifier, perhaps not, on following suspects, far more useful.

    Mine's the one with the "GCHQ are all nice folk" note in the pocket.

  33. WelshTom

    What a load of nonsense

    What a load of nonsense,

    I first done this test and it said my fingerprint was unique, so, I re-routed all traffic to that website over my works VPN connection, and re-done the test using the same browser which has the same fingerprint. Surprise Surprise, it said it was unique again.

    1. Anonymous Coward
      Anonymous Coward

      Using the same browser?

      Did you remember to delete their 'unique id' cookie as described in their faq?

  34. Roger Cornwell

    Fractional bits

    I'm now one in 866454, probably because I'm the first to use SeaMonkey/2.0.4 Like Firefox/3.5.

    But the odd thing is the column headed 'Bits of identifying information' because this gives values to two places of decimals. As any fule kno, bits are units of information and so you can only have whole numbers of bits of information, surely?

    And as Anonymous Coward above pointed out, it's not just being unique that identifies you, it's having that uniqueness remaining constant that is necessary. If fingerprints changed every day, thieves would not worry about leaving them behind.

  35. Charlie Clark Silver badge
    Thumb Up

    Interesting heuristic

    I think the point of the test is to highlight how much more we let on than we think. There are advantages both in being unique - less likely to be the victim of a known exploit crafted for the masses - and being non-unique - possibly more difficult to identify. Given that most people have fairly promiscuous cookie settings, cookies are likely to remain the id tag of choice. But, assuming you have access to sufficient websites, you could use this heuristic for profiling, presumably inversely as a way of excluding the masses.

  36. Anonymous Coward
    Anonymous Coward

    Unique?

    Unique in 867,760.

    Only it's not.

    The screen size and colour depth is unique. Screen size being the size of the current browser window.

    I don't think I'll lose any sleep over this :)

  37. Anonymous Coward
    Thumb Down

    Damn lies and statistics

    There are a lot of things that go into your browser's signature (OS, version numbers, fonts, etc. etc.). If all these can vary between users the number of combinations quickly becomes quite large. There may indeed be many people in the world who share your quite common settings. However, if the number of people who've visited the EFF website is smaller than the number of common setting combinations, then you will still probably appear unique using this test.

    To see the problem, imagine you go to a small website with only two visitors. They can easily tell you apart because one of you uses IE and the other uses Firefox. Oh heck!

    The EFF site is a bit like that.

    Trouble is, so are some of the sites that want to track you.

  38. Jad
    Happy

    User Agent ...

    Damn I'm unique ...

    "Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9.2.2) Gecko/20100317 Firefox/3.6.2" ...

    1 in 869917 browsers have this ...

    what do you think it was that gave me away?

    1. Random_Walk
      WTF?

      Wow - so am I!

      "Your browser fingerprint appears to be unique among the 927,786 tested so far."

      (The real scary part is, I tested it from a Windows 7 box w/ Firefox... maybe if I ran IE with half a dozen crap add-ons latched onto it?)

    2. samantha nicole

      great

      lol. good for you./ great.

  39. Rocket
    Welcome

    only nerds?

    Does this mean that granny who doesn't add any plug-ins or fonts is less trackable than the tech-savvy?

    Does this also mesh with target market?

    I would've thought that the larger/more lucrative market is the casual email/shoppers rather than tech-savvy cynics

    1. Anonymous Coward
      Anonymous Coward

      it depends

      "Does this mean that granny who doesn't add any plug-ins or fonts is less trackable than the tech-savvy"

      To *this* method of identifying the user agent, yes they are. But there are still differences that can mount up as each bit of software they add can change things (MS Office, photoshop elements etc).

      "I would've thought that the larger/more lucrative market is the casual email/shoppers rather than tech-savvy cynics"

      Depends on what the target market is. This is unlikely to be a tracking technique used by online shopping outfits.

  40. CD001

    interesting

    With JavaScript enabled:

    "Your browser fingerprint appears to be unique among the 872,487 tested so far."

    With JavaScript disabled:

    "Within our dataset of several hundred thousand visitors, only one in 15,045 browsers have the same fingerprint as yours."

    So from 1:872487 to 1:15045 means that disabling JavaScript makes me 58x more "anonymous".

    1. Kevin 6

      here's a better one

      Your browser fingerprint appears to be unique among the 952,922 tested so far.

      after I disable no script

      before I disabled it

      only one in 238,242 had the same config

      BTW I'm using FF 3.0.19 on win 2k

  41. Anonymous Coward
    Anonymous Coward

    unique != we know who you are

    As many have noticed so far, being unique (by this site's loose definition of the term) does not mean much really.

    You are just as unique to google with their tracking cookie, and just as unique in your DNA

    ....... until this data is matched to a real world source.

    If you are that concerned about being unique on the internet then maybe you should only use it in internet cafes and a different one every time just to be sure.

  42. Anonymous Coward
    Thumb Down

    Bollocks!

    With a bulk-standard (recent) installation of XP SP3

    Your browser fingerprint appears to be unique among the 875,581 tested so far.

  43. CT

    Font managers?

    So if I've got a font manager, often turning them on and off for different clients' projects, does that make my ID change every time? Or does it only see the relatively static non-managed fonts?

  44. Rodinuk
    Black Helicopters

    Interesting and disturbing

    A whole new area for browser anonymising.

    Testing against up to date versions of IE8 and Chrome 4 yielded the 'unique' result whilst Opera 10 returned a result implying that 1 other weirdo out there shares my configuration. Firefox 3 was an improvement again provided NoScript was enabled, allowing scripts saw its anonymity slip to unique.

    Enabling the private browsing mode in each browser had NO effect whatsoever, neither did denying access to the Java applet.

    It will be interesting to see whether anyone will come up with a way to exploit this data but in the meantime I'll stick with my highly configured Firefox setup, it's just too gosh darned convenient for me to want to change.

  45. John F***ing Stepp

    You know, just looking at the specifications makes this a non issue.

    Well, yes they can do this and there is not a lot you can do about it.

    "Yes I am in the internet and nor am I out of it."

    Home page.

    Your browser hits the home page from one page to the next.

    I do not know why it does that but.

    Hello? history(-1)*?

    They grab you by the nards at this point.

    The fonts thing.

    Big ass fucking font front end for a Trojan; hi Microsoft you fucks, exactly how are Goddamn fonts expected to connect to the rest of the OS?

    Are you people brain damaged?

    Oh wait, they are.

    Privacy?

    You are in England.

    I am in the USA.

    We could meet in the middle of the road.

    and get run over by a lorry (truck).

    We don't need no f*cking privacy.

    And we will not ever get any because that would really defeat the hell out of the internet.

    Hello? information needs to be free.

    (at half the cost.)

    *Set your home page on root (C:\) for the Win people.

    *make up a directory (folder for the slow folks out there) and start a home page.

    *You don't really need to know html unless you want links.

  46. Cronus
    Stop

    Who cares if you're unique?

    Being unique and being trackable are two different things. If the bits of information that make you unique can be condensed down into a number AND those bits don't change then it can be used to track you. However, if you can keep these bits constantly changing, say by listing a fake plugin with a randomly generated name, then although you remain unique you can no longer be tracked. Granted this could start an arms race with the would be trackers, who in turn would try to filter out the fake from the real but I suspect that ultimately it wouldn't be worth it for them.

  47. Anonymous Coward
    Anonymous Coward

    Oh come on....

    1 in 13.93 browsers run at 1280x800x24

    1 in 3.77 browsers have a "Time Zone" of -60 (what ever that means)

    1 in 34.98 browsers have "xt/html, */* ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip,deflate en-gb,en;q=0.5" as their "HTTP_ACCEPT Headers"

    1 in 17524.21 browsers have "Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3" as their user agent.

    But it was the fonts in Ubuntu 10 that make me unique (1 in 912095 which was total number of browsers they had tested).

    So the answer is to have something that randomly changes your installed fonts.

  48. Robert E A Harvey
    Coat

    Old news, Old nes

    uk.rec.sheds discussed this in February, and decided then it was oblox. The thread, if you care to search for it, was uniquely titled "Unique".

    Do try to keep up at the back.

    I'll get me coat. We use them in the shedde as well. Mine probably smells of creomite.

    1. Paul 129
      Alert

      Not so straight forward

      But the first list of possibilities means you could be one in about 32million. Probabilities are multiplicative. The fonts are a dead give away, so would any home directory path that gets divulged. The whole concept of an electronic DNA fingerprint is kinda disturbing.

      It's the "think of the kids brigade that you have to look out for"

      "Your honor the facts speak for themselves, the odds of anyone else having the same digital ID is one in 32Million, but there are only 20 million people in this town, he must be guilty"

      "-But I never post on the register!, My flatmate copied my computer setup and then posted that he thought windows should be blown up"

      "+On the balance of the evidence brought before me, the compelling scientific evidence, that you are Guilty of being a Freetard!"

      "-But!"

      "+Given the serious nature of your crimes, and the ongoing threat of poisoning poor children with your attitude, I sentence you to 200 hours of community service with the Register's Dominatrix"

      "-ummmm... mmmm."

  49. justkyle
    Alert

    lynx results

    Now that I've posted them, I'm no longer anonymous.

    So much for the alleged safety and privacy haven of text only browsers...

    Panopticlick -- How Unique, and Trackable, Is Your Browser?

    Within our dataset of several hundred thousand visitors, only one in

    233,656 browsers have the same fingerprint as yours.

    Currently, we estimate that your browser has a fingerprint that conveys

    17.83 bits of identifying information.

    The measurements we used to obtain this result are listed below. You

    can read more about our methodology, statistical results, and some

    defenses against fingerprinting in this article.

    Help us increase our sample size: Email This Digg This Post this to

    Reddit Share Panopticlick with delicious Share this on Facebook Tweet

    Panopticlick Dent Panopticlick

    Browser Characteristic | bits of identifying information | one in x browsers have this value | value
    User Agent | 17.51 | 186924.6 | Lynx/2.8.7dev.13 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7l
    HTTP_ACCEPT Headers | 10.98 | 2018.62 | text/html, text/plain, text/css, text/sgml, */*;q=0.01 gzip, compress, bzip2 en
    Browser Plugin Details | 2.26 | 4.78 | no javascript
    Time Zone | 2.24 | 4.73 | no javascript
    Screen Size and Color Depth | 2.24 | 4.73 | no javascript
    System Fonts | 2.25 | 4.74 | no javascript
    Are Cookies Enabled? | 2.49 | 5.63 | No
    Limited supercookie test | 2.24 | 4.73 | no javascript

    Thanks to browserspy.dk for the font detection code, and to breadcrumbs

    for supercookie help.

    Frequently asked questions.

    Send other questions or comments to panopticlick@eff.org.

    Learn about Panopticlick and web tracking. The Panopticlick Privacy

    Policy. Learn about the Electronic Frontier Foundation.

    EFF

    A research project of the Electronic Frontier Foundation
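
The figures quoted in the comments above can be checked against each other. The following is an added example, not Panopticlick's code and not part of any comment: it converts "one in x" rarities to bits (which is why the bit counts are fractional), multiplies rarities as one reply does for the Ubuntu figures, and compares the sum of the per-attribute bits in the Lynx result with the joint figure the site reported. The function names are hypothetical; the numbers are copied from the comments.

```python
import math

# Figures copied from the Lynx result posted above:
# attribute -> (bits reported by the site, "one in x browsers have this value").
LYNX_ROWS = {
    "User Agent": (17.51, 186924.6),
    "HTTP_ACCEPT Headers": (10.98, 2018.62),
    "Browser Plugin Details": (2.26, 4.78),
    "Time Zone": (2.24, 4.73),
    "Screen Size and Color Depth": (2.24, 4.73),
    "System Fonts": (2.25, 4.74),
    "Are Cookies Enabled?": (2.49, 5.63),
    "Limited supercookie test": (2.24, 4.73),
}
# "only one in 233,656 browsers have the same fingerprint as yours" (17.83 bits)
LYNX_JOINT_ONE_IN_X = 233656

# Rarities quoted in the Ubuntu/Firefox comment: screen, time zone,
# HTTP_ACCEPT headers, user agent.
UBUNTU_ONE_IN_X = [13.93, 3.77, 34.98, 17524.21]
UBUNTU_SAMPLE_SIZE = 912095


def surprisal_bits(one_in_x):
    """Bits of identifying information for a value seen in 1 of every x browsers."""
    if one_in_x < 1:
        raise ValueError("one_in_x must be >= 1")
    return math.log2(one_in_x)


def combined_one_in_x(rarities):
    """Multiply rarities (add bits). Only correct if the attributes are independent."""
    return 2.0 ** sum(surprisal_bits(x) for x in rarities)


def naive_sum_bits(rows):
    """Sum of per-attribute bits, i.e. what independence would predict."""
    return sum(surprisal_bits(x) for _bits, x in rows.values())


def redundancy_bits(rows, joint_one_in_x):
    """Bits counted more than once when correlated attributes are summed."""
    return naive_sum_bits(rows) - surprisal_bits(joint_one_in_x)


def max_measurable_bits(sample_size):
    """Being unique among N visitors can demonstrate at most log2(N) bits."""
    return math.log2(sample_size)


if __name__ == "__main__":
    for name, (reported, x) in LYNX_ROWS.items():
        print(f"{name:28s} reported {reported:5.2f}  log2(x) = {surprisal_bits(x):5.2f}")
    print("sum of per-attribute bits:", round(naive_sum_bits(LYNX_ROWS), 2))
    print("joint bits reported      :", round(surprisal_bits(LYNX_JOINT_ONE_IN_X), 2))
    print("double-counted bits      :", round(redundancy_bits(LYNX_ROWS, LYNX_JOINT_ONE_IN_X), 2))
    print("Ubuntu product, one in   :", round(combined_one_in_x(UBUNTU_ONE_IN_X)))
    print("bits a sample can show   :", round(max_measurable_bits(UBUNTU_SAMPLE_SIZE), 2))
```

For the Lynx result the per-attribute bits sum to far more than the joint figure, because the "no javascript" rows are strongly correlated with each other and with the user agent.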

  50. David Barr
    FAIL

    Meh.

    More privacy scaremongering. The reason why mine is unique is the combination of plugins. The more plugins you have the more unique you are... Oh, and the more likely you are to have a different fingerprint once, or twice a week as new plugins are updated.

  51. Funky Dennis
    Thumb Up

    Changing fingerprints won't save you

    A lot of commenters here are saying that your browser fingerprint will change very often, as you upgrade plugins, etc. This is true, but it's not like how a digital hash changes completely when you change just one bit of the input data; the browser fingerprints only change slowly.

    They cover this in depth in their paper:

    https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick

    From the abstract:

    "By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%."

    And that, as they admit, is only using a very crude algorithm.

    The best way to look at this is as a very powerful "super-cookie" -- like a Flash Cookie but much harder (currently) to defend against. This _is_ a big deal. It gives any website that you visit regularly the ability to know that you are the same visitor as earlier, even if you don't log in and don't accept cookies. And if you have ever identified yourself to that website in the past, they will know who you are even when you visit the site again but don't log in.

    This technique must be a favourite of the spooks. And only the browser makers can really fix it -- an add-on that homogenises your fingerprint will only be as good as the number of people who use it, which will be a very small number indeed.

  52. Anonymous Coward
    WTF?

    IE8 gives Mozilla user agent string

    I tested with Firefox. Result : user agent string for Mozilla.

    I tested with Opera. Result : user agent string for Opera.

    Then I tested with IE8. For some reason it still gives the Mozilla user agent string. Any suggestions?

    1. JP19

      mozilla is in all user agent strings

      all user agent strings have mozilla in them!

      explanation: http://webaim.org/blog/user-agent-string-history/

      1. Anonymous Coward
        Anonymous Coward

        ha ha!

        that's a fabulous link!

  53. Dodgy Geezer Silver badge
    Boffin

    Looks like the best way to deal with this is...

    a small utility that randomly adds dummy plug-in and font data to each browser interaction.

    Then we'll ALL be unique, ALL the time. Solves the problem....

  54. Richard Porter
    FAIL

    No javascript?

    Why does that site say "No javascript" for several of the criteria when I have got Javascript enabled?

  55. Ed L
    FAIL

    Umm... Fractions of bits?

    "Currently, we estimate that your browser has a fingerprint that conveys 18.31 bits of identifying information."

    Apologies if this has already been covered...

    But, is anybody willing to explain how 0.31 bits can exist in a computer system?

    Sounds very strange to me.

    1. Werner McGoole

      Information theory

      When measuring information content it is usual to use the negative base-2 logarithm of a probability and to call these "bits". So 0.31 bits means that the probability that you are anonymous is 2**-0.31.
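Added example, not part of the thread or of EFF's code: in the Panopticlick output quoted earlier in this thread, each "bits" figure is the base-2 logarithm of the "one in x" figure, which is why it is rarely a whole number. The sample of visitors below is constructed and the function names are hypothetical; it also shows why per-attribute bits cannot simply be added when several rows (the "no javascript" ones) report the same fact.

```python
import math
from collections import Counter

# "One in x" values copied from the Lynx result quoted earlier in this thread.
PAGE_ONE_IN_X = {"User Agent": 186924.6, "HTTP_ACCEPT Headers": 2018.62}

# Constructed sample, not real data: (user agent, plugins, fonts) per visitor.
# With scripting off, plugins and fonts both report the same single fact.
SAMPLE = (
    [("Firefox/3.6", "flash,java", "arial,verdana")] * 4
    + [("Firefox/3.6", "flash", "arial")] * 2
    + [("Firefox/3.6", "no javascript", "no javascript")]
    + [("Lynx/2.8.7", "no javascript", "no javascript")]
)

def bits_from_one_in_x(x):
    """A value shared by one browser in x carries log2(x) bits."""
    return math.log2(x)

def attribute_bits(sample, target):
    """Bits carried by each column of `target`, taken one column at a time."""
    total = len(sample)
    return [
        math.log2(total / sum(1 for row in sample if row[i] == value))
        for i, value in enumerate(target)
    ]

def joint_bits(sample, target):
    """Bits carried by the whole fingerprint (target must occur in sample)."""
    return math.log2(len(sample) / sample.count(target))

def entropy_bits(sample):
    """Average bits per visitor over the whole-fingerprint distribution."""
    total = len(sample)
    return sum(c / total * math.log2(total / c) for c in Counter(sample).values())

if __name__ == "__main__":
    for name, x in PAGE_ONE_IN_X.items():
        print(f"{name}: one in {x} -> {bits_from_one_in_x(x):.2f} bits")
    lynx = SAMPLE[-1]
    per_column = attribute_bits(SAMPLE, lynx)
    print("per column:", per_column, "naive sum:", sum(per_column))
    print("whole fingerprint:", joint_bits(SAMPLE, lynx))
    print("sample entropy:", entropy_bits(SAMPLE))
```

In the constructed sample the Lynx visitor's columns add up to 7 bits, yet the whole fingerprint carries only 3, the most any one visitor among 8 can carry.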

  56. K_Smith
    Thumb Up

    I rank among the unique

    For once I am unique!!

    Your browser fingerprint appears to be unique among the 977,485 tested so far

    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Avant Browser; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

    1/139640.71 browsers have this value

  57. Ladislav
    Stop

    Something is wrong here!

    When I visit the page and test my browser it says the following:

    Your browser fingerprint appears to be unique among the 978,742 tested so far.

    When I do it again, at the same PC using the same browser it says:

    Your browser fingerprint appears to be unique among the 978,788 tested so far.

    Well if it already identified me the first time, then the second time can not be UNIQUE...right?

  58. Anonymous Coward
    Anonymous Coward

    Me Too

    I became unique 3 times with the same settings before boredom set in. The system does not seem to correctly detect a repeat visit. Is the database memory too small?

  59. Alice Andretti
    Linux

    Fake user-agents (Linux)

    @ "No Linux users"

    I use Linux online, but I usually change the user-agent so that it appears I'm using a different OS as well as a different browser. I feel (note I said "feel" ;) there) that it might give me a slight edge on the security front... or not... but I figure, why give possibly-hacked sites any more info than they *really* need to have. (Yes, of course I use NoScript too, and I only rarely allow any pages to use JavaScript and only where absolutely necessary which it usually isn't.)

    I'm lazy ;) and I like to be able to switch user-agents instantly and easily without having to re-type a bunch of stuff over and over again, so to change UA in Firefox, I use the User Agent Switcher add-on: <https://addons.mozilla.org/en-US/firefox/addon/59/> . It lets you use standard user-agents or you can just make stuff up (unique, and I suppose you'd want to change those unique UAs often if you're worried about privacy).

    Occasionally I run across a site where I have to use my real UA in order to make the site work correctly, probably something to do with dumbf*ck lazy-ass webmasters who write pages targeting specific browsers or something, who knows.

    <rant> Seems to me that *real* webmasters should make the extra effort to write *one* version of their pages that will work in *all* friggin' browsers, rather than relying on browser sniffing and browser-specific hacks to make their lame-ass pages work right.</rant>

    Anyway, it can sometimes be revealing to see the different pages that some sites serve up, depending on what you've got your user-agent set to. Like one time (can't remember where it was, long time ago) I found a webpage that served up Macs-are-great-and-PCs-suck material when my user-agent showed I was using a Mac, but 30 seconds later when I switched my UA to pretend to be a PC, that very *same* URL served me up a Macs-suck-and-PCs-rule type of page. Interesting insight into the webmasters' head, there.

    Slightly off-topic note:

    Yes, I'm aware that for Linux users to falsify their browser's user-agent to show a non-Linux OS, doesn't do the Linux 'cause' any good... but my viewpoint on that is, my security takes precedence over the general good. ;) Hey, it's the *only* reason I use Linux in the first place, certainly not because I particularly like Linux (I don't), although I'm slowly getting used to Linux's weirdness and finding other marginally-likable things about Linux - although sometimes it's not easy! I'll never be a 100% convert, but I admit that Linux is certainly useful. :)

    And back to the topic here, it's handy to be able to hide your true browser and OS via a false user-agent - assuming you haven't enabled Javascript which I guess allows websites to collect more data about you. My view is, websites don't need to know jack shit about me, *real* browser and OS included.

Biting the hand that feeds IT © 1998–2019