Your browser is a dirty stinkin' rat. There… I said it. According to research conducted by the Electronic Frontier Foundation (EFF), most browsers have telltale fingerprints which web site owners can use to uniquely identify visitors to their sites, even if cookies are disabled or the visitor is coming from behind a NAT firewall that hides many users behind a single IP address.
The Panopticlick software developed by the EFF researchers looks at a wide variety of information which a web site can gather from any visiting client. By combining a number of these seemingly innocuous pieces of information, a client fingerprint can be calculated:
- Browser and plugin versions
The EFF collected its data via a website which it set up and publicized, so we can assume that the data came from people who are interested in their privacy. Despite this self-selected sample, the findings do not bode well for privacy on the Internet:
- Overall, the browsers of 83.6% of all visitors to the test site had unique fingerprints.
- If a browser had Adobe Flash or the Java Virtual Machine enabled, there was a 94.2% chance that its fingerprint was unique (those plugins expose additional attributes, such as the list of installed system fonts).
- Since the fingerprints are based on browser configuration settings, they change whenever that configuration does, for example after a browser or plugin update. However, the researchers were able to recognize a changed fingerprint and tie it back to the original one in 99.1% of cases using a simple heuristic.
- Some good news for mobile device users: iPhone and Android based browsers had more uniform fingerprints and were harder to tell apart, because they expose far fewer plugins and options. However, as mobile browsers become more sophisticated, this technique may become applicable to them as well. It is also important to note that mobile browsers do not offer good ways to control cookies, leaving them open to cookie-based tracking.
In related work, researchers from an Austrian university found that they were able to identify by name many users of Xing, a German business social network. The researchers first collected information on 6,500 groups and their 1.8 million members. Simply by analyzing the overlaps in group memberships, they were able to discern the identities of 42% of the users. They then created a web site which, when visited, probed the visitor's browser history for Xing group pages (a history-stealing attack) and matched the groups found against the membership data. Of the 26 test subjects they enlisted, 15% were identified simply by visiting the site. Xing has updated its software to protect against these types of attacks, but other sites may still be vulnerable.
So… what does this all mean? Well, first of all, marketers and site owners have a new tool to track visitors, including those who have disabled cookies in order to avoid such tracking. Second, these techniques give scammers and malware authors a way to track their victims' web activity without leaving telltale traces such as cookies on the victim's machine. On the bright side, these fingerprinting techniques could also be used for good purposes, such as providing an additional level of authentication for banking and other sensitive web sites (and there is evidence that this is already being done, although mostly using cookies). Law enforcement could use these techniques during investigations, although given the politics of many nations, this could be a really bad thing as well. The EFF wants policymakers to expand their definition of personally identifiable information to include fingerprintable records – I think that this is a topic worthy of discussion. I also think that browser designers need to work on this problem from a technical point of view.
So… another nail in the coffin of privacy…