How identifiable are you on the net?

I'm sure we're all aware that the browser we use (the User Agent in internet-speak) reports back information to each web server we visit. But could a web server gain any information about who we are just from the browser? Could we be identified when we visit later on? You might think: easy, just turn off cookies and we'd be pretty much unidentifiable, but is that the case?

I tried out a web site called Panopticlick put up by the Electronic Frontier Foundation (EFF) to see how identifiable I was (or, if you like, how unique my browser fingerprint is). I got back:

Your browser fingerprint appears to be unique among the 139,433 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 17.09 bits of identifying information.

Yikes!

The information that is gathered and analyzed for uniqueness is the User Agent string, the HTTP_ACCEPT headers, the browser plug-ins, time zone, screen size and color depth, the system fonts, whether cookies are enabled, and the "Limited supercookie test", whatever that is. The things that are most unique for me are my list of plug-ins and my fonts. In essence, those are unique amongst the data they currently have collected in their database. The EFF have gathered some recommendations to mitigate against browser fingerprinting here.

Go on, try yours, I dare you...

 

Posted via email from Julian's posterous

Loading similar posts...   Loading links to posts on similar topics...

2 Responses

 avatar
#1 Thorsten said...
29-Jan-10 12:20 AM

"Within our dataset of several hundred thousand visitors, only one in 7,661 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 12.9 bits of identifying information."

But that's mainly because everything except User Agent and HTTP_ACCEPT Headers just says "no javascript" (who in their right mind is browsing the web without having NoScript installed?).

If I DO allow javascript, then yes I also get a "appears to be unique" rating. Interestingly, blocking cookies from eff.org makes my browser more unique: "only one in 58,789 browsers have the same fingerprint as yours".

What the test doesn't properly show is that while I am allowing cookies from all sites that are not explicitly on a blacklist, they are all only allowed as session cookies except if the site is on a special whitelist, which prevents cookies from begin used to track me across session limits.

 avatar
#2 Anders Isaksson said...
29-Jan-10 2:42 AM

When I switched on "Start private browsing" in FireFox 3.5.7 the fingerprint dropped from 17.67 to 16.43 - one full bit of entropy! Not much more privacy in that...

Leave a response

Note: some MarkDown is allowed, but HTML is not. Expand to show what's available.

  •  Emphasize with italics: surround word with underscores _emphasis_
  •  Emphasize strongly: surround word with double-asterisks **strong**
  •  Link: surround text with square brackets, url with parentheses [text](url)
  •  Inline code: surround text with backticks `IEnumerable`
  •  Unordered list: start each line with an asterisk, space * an item
  •  Ordered list: start each line with a digit, period, space 1. an item
  •  Insert code block: start each line with four spaces
  •  Insert blockquote: start each line with right-angle-bracket, space > Now is the time...
Preview of response