Back in January I posted a note about a research project being conducted by the Electronic Frontier Foundation [EFF] to explore the feasibility of tracking individuals across the Web just by using the characteristics of individual Web browsers.
The hypothesis, basically, is that because browsers report a good deal of configuration information to the Web server (the User-Agent string, installed plug-ins and fonts, screen size, time zone and so on), it might be possible to identify individuals passively, just by tracking browser characteristics, with no cookie or other identifier ever being set.
The EFF has now released a paper summarizing the results of the project. The findings are based on a sample of over 470,000 visitors to the test “fingerprinting” site, http://panopticlick.eff.org/. It is important to note, as the paper is careful to do, that this is almost certainly not a representative sample of browser users overall. It is likely to be significantly skewed toward more sophisticated users, because in order to be surveyed participants had to be aware that the survey existed (and there was little if any publicity in the mainstream media). One would expect the average user in the sample to be more aware of privacy issues, and of potential methods of addressing them, than Joe Q. User.
Nonetheless, the EFF found that most browsers were in fact identifiable by their configuration characteristics.
EFF found that roughly 84% of the browsers in the sample had a configuration combination seen on no other visitor, that is, a unique browser “fingerprint.” Among browsers with the Adobe Flash or Java plug-ins installed, the figure rose to 94%.
Since Flash and Java are among the most widely installed browser “add-ons”, this implies that most Web users can be tracked without resort to tracking cookies, “Web bugs”, or other special techniques. While the researchers found that almost all browsers were identifiable, there were, according to the technical summary, a few categories that were relatively resistant to tracking:
- Those with JavaScript disabled (possibly using a tool like NoScript)
- Those that use TorButton, which successfully anticipated and defended against many fingerprinting measurements.
- Mobile devices such as Android phones and iPhones (unfortunately, these devices tend not to have good interfaces for controlling cookies, so they may be trackable by that method instead)
- Corporate desktop machines that are precise clones of one another (such systems appeared to constitute around 3-4% of the visitors to Panopticlick; unfortunately, there are fingerprinting techniques, such as CPU clock-skew measurement, that will work even against these systems, and commercial fingerprinting services employ them)
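To make concrete what a “configuration combination” is, how the uniqueness figures above are measured, and why the JavaScript-disabled and cloned-machine categories are harder to track, here is a small worked example. It is added code written for this post, not the EFF’s Panopticlick code; the ten visitor records are constructed, and the attribute names are my own stand-ins for the kinds of values a browser reports (the User-Agent header, plug-in and font lists, screen geometry, time zone).

```javascript
// Added example, not code from the EFF paper or from the original post.
// It models how a passive fingerprint is assembled from attributes the browser
// reports, and how "uniqueness" and per-attribute entropy are measured over a
// sample. All visitor records below are constructed for the example.

// Attributes a server sees in plain HTTP headers, with no JavaScript at all.
const HEADER_ATTRS = ['userAgent', 'acceptLanguage'];
// Attributes that only a script (or a plug-in such as Flash) can read.
const JS_ATTRS = ['plugins', 'fonts', 'screen', 'timezoneOffset'];
const ALL_ATTRS = HEADER_ATTRS.concat(JS_ATTRS);

// Two identical mobile devices and three cloned corporate desktops.
const IPHONE = { userAgent: 'Mozilla/5.0 (iPhone; CPU iPhone OS 4_0) Safari', acceptLanguage: 'en-US',
  plugins: [], fonts: [], screen: '320x480x32', timezoneOffset: 300 };
const CLONE = { userAgent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)', acceptLanguage: 'en-US',
  plugins: ['Shockwave Flash', 'Java'], fonts: ['Arial', 'Times New Roman'], screen: '1024x768x32', timezoneOffset: 360 };

// Constructed sample of ten visitors (assumed values, not measured data).
const SAMPLE = [
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1) Firefox/3.6', acceptLanguage: 'en-US',
    plugins: ['Shockwave Flash', 'Java'], fonts: ['Arial', 'Calibri', 'Verdana'], screen: '1680x1050x24', timezoneOffset: 300 },
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1) Firefox/3.6', acceptLanguage: 'en-US',
    plugins: ['Shockwave Flash'], fonts: ['Arial', 'Calibri'], screen: '1280x800x24', timezoneOffset: 300 },
  { userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/533', acceptLanguage: 'en-US',
    plugins: ['Shockwave Flash', 'QuickTime'], fonts: ['Helvetica', 'Lucida Grande'], screen: '1440x900x24', timezoneOffset: 480 },
  { userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6', acceptLanguage: 'en-GB',
    plugins: [], fonts: ['DejaVu Sans'], screen: '1920x1080x24', timezoneOffset: 0 },
  IPHONE, IPHONE,
  CLONE, CLONE, CLONE,
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1) Chrome/5.0', acceptLanguage: 'de-DE',
    plugins: ['Shockwave Flash', 'Java', 'Silverlight'], fonts: ['Arial', 'Calibri', 'Segoe UI'], screen: '1920x1200x24', timezoneOffset: -60 },
];

// Canonical fingerprint string for one visitor over the chosen attributes.
// In a real page the values would come from navigator.userAgent,
// navigator.plugins, screen.width/height/colorDepth and
// new Date().getTimezoneOffset(); here they are plain object fields.
function fingerprint(record, attrs) {
  return attrs.map((a) => {
    const v = record[a];
    return Array.isArray(v) ? v.slice().sort().join(',') : String(v);
  }).join('|');
}

// Shannon entropy, in bits, of the distribution of values in `values`.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Surprisal of one visitor's fingerprint within the sample:
// -log2(fraction of visitors sharing it). More bits means more identifying.
function surprisalBits(records, attrs, record) {
  const fp = fingerprint(record, attrs);
  const sharing = records.filter((r) => fingerprint(r, attrs) === fp).length;
  return -Math.log2(sharing / records.length);
}

// Fraction of visitors whose fingerprint appears exactly once, plus the size
// of the largest group of mutually indistinguishable visitors.
function uniquenessRate(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const fp = fingerprint(r, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let unique = 0;
  let largestSet = 0;
  for (const c of counts.values()) {
    if (c === 1) unique += 1;
    if (c > largestSet) largestSet = c;
  }
  return { unique, total: records.length, rate: unique / records.length, largestSet };
}

// Stand-alone run: per-attribute entropy, then the full (JavaScript-enabled)
// fingerprint against the headers-only view a NoScript-style client leaves.
for (const a of ALL_ATTRS) {
  console.log(`${a}: ${entropyBits(SAMPLE.map((r) => fingerprint(r, [a]))).toFixed(2)} bits`);
}
console.log('all attributes :', uniquenessRate(SAMPLE, ALL_ATTRS));
console.log('headers only   :', uniquenessRate(SAMPLE, HEADER_ATTRS));
console.log('clone surprisal:', surprisalBits(SAMPLE, ALL_ATTRS, SAMPLE[6]).toFixed(2), 'bits');
```

Run it with `node` and the two `uniquenessRate` lines show the effect the post describes: with every attribute available, half of the constructed visitors are unique, but once the script-only attributes are withheld, several visitors collapse into the same fingerprint and the unique fraction falls. The three cloned desktops never become unique under any attribute set, which is why a fingerprinter has to fall back on something outside the browser’s reported configuration, such as clock skew, to separate them.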
The paper also contains some suggestions on methods for users and, more importantly, browser developers, to improve privacy safeguards.
EFF’s paper on Panopticlick [PDF] will be formally presented at the Privacy Enhancing Technologies Symposium (PETS 2010) in Berlin in July.
I hope that this, and the most recent Facebook privacy flap, will help focus people’s minds on the issue of privacy. Getting more targeted ads may just be a nuisance, but setting up a pervasive electronic surveillance capability is not good civic hygiene.