8 in 10 browsers leave identifiable 'fingerprints,' EFF warns

Watchdog publishes paper based on experiment called Panopticlick

The Electronic Frontier Foundation today warned that more than 80 percent of browsers reveal identifiable "fingerprints" that could allow a user's Web surfing to be tracked. The privacy watchdog urged that greater attention be paid to this by the public and policy makers.

The results are based on an experiment EFF conducted with volunteers who visited this site - called Panopticlick - and allowed their browsers to be tested.

From the EFF press release:

The website anonymously logged the configuration and version information from each participant's operating system, browser, and browser plug-ins -- information that websites routinely access each time you visit -- and compared that information to a database of configurations collected from almost a million other visitors.  EFF found that 84% of the configuration combinations were unique and identifiable, creating unique and identifiable browser "fingerprints."  Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.

"We took measures to keep participants in our experiment anonymous, but most sites don't do that," said EFF Senior Staff Technologist Peter Eckersley.  "In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities.  This experiment is an important reality check, showing just how powerful these tracking mechanisms are."

Here's an explanation of Panopticlick.

From the paper's conclusion:

Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable. There are implications both for privacy policy and technical design.

Policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms.

The Slashdot community discussed Panopticlick and its early results in this string from January after the project was first announced. Here's one entry:

I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite generic. Plugins were also completely unique and really easy to detect in any other browser than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and look easy to detect.

Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.

For those who want a deeper dive and are not afraid of math, here is "A Primer on Information Theory and Privacy." And the EFF offers more about online behavioral tracking here.
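The comparison the press release describes, with the bit-counting the primer is about, as an added example (not EFF's or Panopticlick's code): each visit's attributes are combined into a fingerprint, and the code reports what share of fingerprints are unique and how many bits of identifying information each carries. The eight visits and the attribute names ua, plugins and fonts are constructed for illustration.

```python
import math
from collections import Counter

FF, CH = "Firefox/3.6 (Windows)", "Chrome/4.1 (Windows)"
# Constructed sample, not Panopticlick data: one row per visit (ua, plugins, fonts).
ROWS = [
    (FF, "Flash 10.0; Java 1.6", "Arial, Calibri, Wingdings"),
    (FF, "Flash 10.0", "Arial, Calibri"),
    (FF, "Flash 10.0; Java 1.6", "Arial, Calibri, Comic Sans"),
    (FF, "Flash 10.0", "Arial, Calibri"),
    (CH, "Flash 10.0", "Arial, Calibri"),
    (CH, "Flash 10.1", "Arial, Calibri"),
    (CH, "Flash 10.0", "Arial, Helvetica"),
    (CH, "Flash 10.0", "Arial, Calibri"),
]
ATTRS = ("ua", "plugins", "fonts")  # assumed attribute names
VISITS = [dict(zip(ATTRS, row)) for row in ROWS]

def fingerprint(visit, attrs):
    """Combine the chosen attributes into one comparable value."""
    return tuple(visit[a] for a in attrs)

def counts(visits, attrs):
    """How many visits share each fingerprint."""
    return Counter(fingerprint(v, attrs) for v in visits)

def unique_fraction(visits, attrs):
    """Share of visits whose fingerprint appears exactly once in the set."""
    c = counts(visits, attrs)
    return sum(1 for v in visits if c[fingerprint(v, attrs)] == 1) / len(visits)

def surprisal_bits(visit, visits, attrs):
    """Self-information -log2(p) of one visit's fingerprint, in bits."""
    c = counts(visits, attrs)
    return math.log2(len(visits) / c[fingerprint(visit, attrs)])

def entropy_bits(visits, attrs):
    """Shannon entropy of the fingerprint distribution, in bits."""
    n = len(visits)
    return sum((k / n) * math.log2(n / k) for k in counts(visits, attrs).values())

if __name__ == "__main__":
    # Compare how identifying each attribute set is, from least to most detail.
    for attrs in (("ua",), ("ua", "plugins"), ATTRS):
        print(attrs, unique_fraction(VISITS, attrs), entropy_bits(VISITS, attrs))
```

On this sample the user agent alone singles out no visit, while adding the plugin and font lists makes half of them unique.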

Copyright © 2010 IDG Communications, Inc.