The Electronic Frontier Foundation [EFF] is conducting an interesting research project, called Panopticlick (Bentham fans will recognize the reference), to attempt to find out whether it is possible to track individuals across the Web without employing the usual suspects: Web bugs, cookies, and so on. The hypothesis,basically, is that because browsers can report a good deal of configuration information to the Web server, it might be possible to identify individuals passively, just by tracking browser characteristics.
Many users are surprised at the amount of data that their browsers can be coaxed into disclosing. The list below will give you some idea (but is not exhaustive):
- User Agent string, which identifies the browser and version. On this machine, running Firefox 3.6 under Kubuntu Linux 8.4, my browser reports: “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
- Time zone
- Screen size and color depth
- Plugin configuration
- System fonts
- Cookie settings
From admittedly limited anecdotal evidence, it appears that plugin configurations and font collections tend to be most distinctive.
If you’d like to test your own browser, you can do so by visiting this page. (Note that you must have JavaScript enabled for the full test to run.) I’ve run it on Firefox 3.6 here (as mentioned earlier), and also with Google Chrome 4.0.249.43 on this machine. My Chrome configuration was unique among the 208.662 browsers that had been tested at that time, and both the plugin and font configurations were individually unique. I tested Firefox a couple of minutes later; its configuration was unique in a sample of 209,884, although no individual configuration item was unique. If you test your browser, I invite you to leave a comment with your results.
I have not tried it yet, but will be interested to see to what extent, if any, the “private” or “incognito” modes in some browsers make a difference.
The EFF has a page of suggested defenses against browser tracking; I’m not sure how useful they really are. Perhaps a Firefox or Chrome extension could be developed that would allow the returned values to be modified by the user, or randomized.
Random Walks 