Are You Being Fingerprinted Online?

Category: Privacy

Cookies are crumbling. Those bits of code that Web sites deposit on your hard drive are becoming less useful to marketers and others who want to track what you do online. But there's a new web tracking technology that can't be easily detected or blocked. Here's what you need to know about browser fingerprinting...

What is Browser Fingerprinting?

Web cookies have been around for twenty years; they can be used to customize your online experience and save you time. However, online marketers, social networks, and others have learned how to use them to their advantage as well. The good news is that these little tidbits are becoming less valuable to those third parties, as browser technology and privacy initiatives advance.

The bad news is that they’ve come up with a replacement technology that some call “browser fingerprinting.” And the steps you may take to avoid cookies don’t work against fingerprinting.

Let's take a step back. I’ve always said that cookies are not inherently bad; in fact, many people’s favorite features of the Web won’t work without cookies. (See related: A Closer Look at Cookies.) But cookies are a mixed blessing. They can be used to build anonymous profiles of a user's activity across the web, and that bothers some.

As more users feel concerns about privacy, they have either blocked cookies entirely or limited the amount of time that passes before cookies are deleted. And there's also the concept of private or incognito browsing now. These options are built into the privacy settings of all the major Web browsers. See my related article about Private Browsing.

Others have turned to browser add-ons such as Ghostery to learn who is tracking them and selectively block certain cookies. My opinion is that these tools do more harm than good, because they lead many users to believe that ALL cookies are bad. I also object in principle to the notion that cookies are used to "track" the activities of web users. In the vast majority of cases, cookies are simply a tool to help marketers and others deliver ads and/or content that are more relevant, without personally identifying the user. But I digress...

Have You Been Fingerprinted?

The new fingerprinting technology does not put anything on your hard drive. Instead, it relies on information that your Web browser sends to the sites you visit. This information (which is a standard part of Internet communication protocol) includes the names and version numbers of your operating system and browser; your browser add-ons; the time zone set on your device; screen size and color depth; system fonts; and cookie status (accept/reject).

Your browser sends most of this information so that the receiving site knows what sort of Web content it should return to your browser. It’s truly amazing how many different versions of a Web page can be sent to users on the fly, each customized to the data handling and display capabilities of a user’s machine. But the information sent by your browser also identifies your machine nearly as well as a unique cookie does.

Before you get too excited about the privacy implications, keep in mind that browser fingerprinting (just like web cookies) does not PERSONALLY identify specific users. It doesn't tell marketers or website owners your name, email address or phone number.

You can see for yourself how “unique” your browser and machine are. Just take the Panopticlick Test (https://panopticlick.eff.org/) hosted by the Electronic Frontier Foundation. For example, only 1 in about 3 million browsers provide the same “fingerprint” that mine does. The test report will also show you what info your browser sends. Don’t worry; the EFF won’t track you or share your browser fingerprint.

You can reduce your browser fingerprint and thereby increase your quasi-anonymity. After I switched to private (or “incognito”) browsing mode, the Panopticlick Test said that 1 in about 1.5 million browsers have the same fingerprint as mine. My fingerprint was twice as common, so I was only half as identifiable.
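
To make the "1 in N" figure concrete, here is an added example (not code from this article or from the EFF's Panopticlick test) that scores one browser's attributes against a small constructed database, one attribute at a time and then combined. The attribute names, the sample values and the record-then-count behaviour are assumptions made for illustration.

```javascript
// Constructed sample data: attribute sets of seven earlier visitors.
// Attribute names and values are illustrative, not Panopticlick's schema.
const EARLIER_VISITS = [
  { ua: "A", tz: "UTC-5", screen: "1920x1080", fonts: "default" },
  { ua: "A", tz: "UTC-5", screen: "1920x1080", fonts: "default" },
  { ua: "A", tz: "UTC-5", screen: "1366x768", fonts: "default" },
  { ua: "A", tz: "UTC+1", screen: "1366x768", fonts: "default" },
  { ua: "B", tz: "UTC-5", screen: "1920x1080", fonts: "default" },
  { ua: "B", tz: "UTC+1", screen: "1366x768", fonts: "default+office" },
  { ua: "B", tz: "UTC-8", screen: "1440x900", fonts: "default+office" },
];
const MY_BROWSER = { ua: "B", tz: "UTC-8", screen: "1440x900", fonts: "default+design" };

// Canonical key over the chosen attributes (sorted, so order never matters).
function fingerprintKey(visit, attrs) {
  return [...attrs].sort().map((a) => `${a}=${visit[a]}`).join("|");
}

// Share of the database that looks like `visit` on `attrs`.
// bits = log2(oneIn), which is why a report can show a fractional bit count.
function uniqueness(visit, db, attrs) {
  const key = fingerprintKey(visit, attrs);
  const matches = db.filter((v) => fingerprintKey(v, attrs) === key).length;
  if (matches === 0) throw new Error("record the visit in db before measuring");
  const oneIn = db.length / matches;
  return { matches, oneIn, bits: Math.log2(oneIn) };
}

// Record the visit first (so it always matches itself), then measure each
// attribute alone and all of them combined.
function testBrowser(db, visit) {
  db.push({ ...visit });
  const attrs = Object.keys(visit);
  const perAttribute = {};
  for (const a of attrs) perAttribute[a] = uniqueness(visit, db, [a]);
  return { perAttribute, combined: uniqueness(visit, db, attrs) };
}

const db = EARLIER_VISITS.map((v) => ({ ...v }));
const first = testBrowser(db, MY_BROWSER);  // first test of this browser
const second = testBrowser(db, MY_BROWSER); // same browser counted as a new visitor
console.table(first.perAttribute);
console.log("first:", first.combined, "second:", second.combined);
```

In this sample the per-attribute bits add up to 8 while the combined fingerprint carries only 3, because the attributes are correlated and the database holds just eight visits. Counting the same browser a second time moves it from 1 in 8 to 1 in 4.5 without any setting having changed.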

Browser fingerprints are not stored on users’ devices, so users can’t delete them. There are no options built into browsers that give users control over the fingerprint info they send (except for the private/incognito browsing mode mentioned). And there are no add-ons that can tell you who is capturing your browser fingerprint.

Perhaps there will be such tools in the future. But like cookie control, fingerprint control will involve a tradeoff of functionality in exchange for privacy. The companies that use fingerprinting are not admitting it, for the most part. They don’t want the attention of privacy advocates.

Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 5 Jul 2013



Most recent comments on "Are You Being Fingerprinted Online?"

(See all 27 comments for this article.)

Posted by:

carmen
05 Jul 2013

wait--I'm confused--if my fingerprint is "unique," that means I am MORE identifiable and less anonymous, right?


Posted by:

Mary
05 Jul 2013

I'm not the sharpest tool in the shed so please forgive my ignorance. How would browser fingerprinting be affected if one was using a "live" Ubuntu type CD/DVD to access the internet? Especially considering that the "live" disk may use a totally different browser than the one installed on the hard drive.

Likewise, what effect would there be if one used a VPN like Hotspot Shield or set up a virtual machine using VMware, VirtualBox, etc?


Posted by:

John Jones
05 Jul 2013

I'm not sure why this article would state: "Don’t worry; the EFF won’t track you or share your browser fingerprint." The EFF is about protecting our online privacy.


Posted by:

George
05 Jul 2013

I, too, am unique and the test Bob suggested in this very interesting article reveals that fact and even more usefully shows the reason for my failure to blend in with the crowd. Obviously it's the vast number of "System Fonts", most of which I'm sure I never use and don't need. Any ideas for a good way to weed out the excess??


Posted by:

Rich
05 Jul 2013

I very rarely use Yahoo because of privacy concerns; basically only to post to my recycling service of choice which is a Yahoo Group. Recently I got an email to my backup address saying that someone had accessed my account with a computer not associated with me...

Actually it was me, I had bought a new machine. But now I know at least one nosy operation that has been fingerprinting my computers for quite a long time, and associating it with an email address.

Looks like I'll have to switch browsers and email addresses every time I use Yahoo - and hope they aren't tracking MAC numbers too.


Posted by:

joe
06 Jul 2013

You went from 1 in 3M to 1 in 1.5M because you tested the same browser twice. That's 2 in 3M. If you test again, you will see 1 in 1M. That's 3 in 3M. But all 3 are you.


Posted by:

salim
06 Jul 2013

How helpful in this respect is deepFreeze?


Posted by:

James Orpin
06 Jul 2013

Okay ... I look at it this way. If your IP address is viewable to ANYONE, and it is. They know where you live, they have your physical address. If you have a phone, they know where you are. So ... IP minus GPS = whether you are at home, or not. ANY QUESTIONS ???

EDITOR'S NOTE: IP address does NOT reveal physical address. See http://askbobrankin.com/does_ip_address_reveal_my_physical_location.html


Posted by:

Don
06 Jul 2013

While agreeing most cookies are harmless, the fact is advertising is getting way too pushy. With the development of more sophisticated software it's getting harder to avoid and much of this is getting invasive. I am referring to the "latest thing" that has transpired in Germany, that is advertising by bone induction, where resting your head on the window in a train triggers an advert to play. Pretty much getting inside your head, right?


Posted by:

Kevin
07 Jul 2013

We usually control browser profiles only in basic ways, (choosing a browser, updating it, turning off certain types of cookies). Those alone are not very identifying factors. It's the huge number of application and system settings that form unique combinations. Many are irrelevant or would not adversely affect the browsing experience if they were changed somewhat, even to values that did not match the computer, or were at least "reported" wrongly.

So... perhaps experts in privacy groups could provide masses of users with a program that imposes (or merely reports) whatever is determined to be the most universal combination of those myriad settings. That data set would be refreshed regularly by polling the browsers of users each time they visit the site to get their own update of the communal profile. The result is reduced uniqueness because each user's browser would then vary only in the very common choices they have always made, (though it would have to also include a relatively limited number of computer-specific settings required for the browser to work).

An opposite approach would be to widely distribute a program that exploits uniqueness to make it harmless in the long term. It would do this by periodically changing (or merely mis-reporting) some selected non-crucial settings. If this is done automatically with each session (or even with each web page), a browser that is "uniquely" identified at a particular time will appear to be a different one when its profile is examined at any future time.


Posted by:

Old Man
07 Jul 2013

I agree with Kerry. It would make more sense if the figures "one in x" were high. That means the computer is more apt to blend into the background. Whereas a low figure would make you unique.

I read the site's FAQ and other data, but it did not really explain how to interpret the numbers.

Also, the site showed it did place a cookie on the computer so multiple tests would not skew the overall figures. Deleting the cookie would render each test as unique, not a returning tester.


Posted by:

Paul
07 Jul 2013

The first thing I get is a security popup stating the site is a security risk w/o a valid certificate. When that is canceled, without accepting the risk to run the script, seems to run it anyway and displays a page that says my CPU is unique in 3.1 million.

This PDF file this statement references was interesting;
“The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.”

Clicking on the hot link, “this article”, brings up a dissertation on methods used. On page 7 it starts to use some rather complicated mathematical statistical methods. It’s been many many years since I had a semester of statistics, but from what I could ascertain from it, if confidence levels for the percentages quoted to re-identify a particular browser were also given, they would be just slightly above 50/50. They would start out better than that but degrade quickly with browser usage and then retested.

In short, I don't think I would want to take a trip in space based on the same reliability as this fingerprint method seems to have.

“this article” leads to: https://panopticlick.eff.org/browser-uniqueness.pdf


Posted by:

Pieter
08 Jul 2013

As a point of interest (apologies if this has already been mentioned). I had the same results, being 1 in 3m with the first test, then after switching to incognito mode getting a result of 1 in 1.5m. The fact is that your first test adds you to the database thereby halving the result. A third test in normal mode also gives a result of 1 in 1.5m. This tells me that switching to incognito makes no difference. WE ARE SCREWED. I do believe though that browsers will find a way to fight back.

Pieter


Posted by:

Geoff
08 Jul 2013

Re: "After I switched to private (or “incognito”) browsing mode . . ." Taking Joe ("You went from 1 in 3M to 1 in 1.5M because you tested the same browser twice") and Old Man ("the site showed it did place a cookie on the computer so multiple tests would not skew the overall figures. Deleting the cookie would render each test as unique, not a returning tester.") together, did going incognito just hide the earlier cookie so that you were a second instance?


Posted by:

Walter
08 Jul 2013

I got one in 48,000 right off the hop (I run no-script). I didn't much like it, so went looking for a very common user agent setting for Firefox. I found "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0" then made a new entry in about:config called "general.useragent.override" and set it to that. Now I'm down to 1 in 2,800. Still pretty identifiable, but better.

If I set it to a common IE useragent pages would display screwy. Now if only I could find a more common HTTP_ACCEPT Header and figure out how to set that.


Posted by:

Peter
20 Jul 2013

I agree with your comments overall, but the Panopticlick numbers appear to be misleading - based on their web site. Their "one in x browsers have this value" is just a binary translation of the number of bits in the message. So if there were just 2 bits x would be 4, for 3 bits x would be 8 and so on. However this assumes that data is randomly distributed - so for the two-bit example, that there are equal numbers of 00, 01, 10, and 10. But suppose - for illustration only - that all browsers returned "00" - in that case your anonymity would be complete, you would be indistinguishable from all other users.

Now the situation I describe as an example is not the case - but that is a far cry from assuming a truly random distribution. If in fact your signature is a common one then you are indistinguishable from a great many other people. So what the real numbers are is not at all revealed by the article or by the Panopticlick site test.


Posted by:

Peter
22 Jul 2013

I tested it in 2 browsers with vastly different number of plug-ins reported, 1 line against at least 50 lines of the plugin report. The test returned EXACTLY the number as to my uniqueness and the number of bits identifying me. This leads me to the conclusion that the browser does not enter into the calculation and that it is almost entirely based on screen resolution and installed fonts. Unless they do something else they are not telling us about, such as a calculated sum of hardware component IDs.


Posted by:

Dick N
22 Jul 2013

Since you can't have 15.38 bits in a message, clearly the N in "1 in N" is not computed from the length of a bit string. Rather, the #bits is computed as log2 of N and presented as an effective number of bits of identifying information based on uniqueness.

Now I guess since the least unique configurations are known, the Gov't will have to start focusing on these, knowing that terrorists will do their best to make themselves anonymous. Non-unique, eh? That's very suspicious.


Posted by:

Jeff
23 Jul 2013

Thank you for the useful link, & the different way to look at the browser experience. I have always believed that regardless of what tool a user accesses the net with, he/she would invariably leave a trace of themselves wherever they chose to land. ;)


Posted by:

Andy
06 Sep 2013

You posted a website address of https://panopticlick.eff.org. Once you click test, it provides the results and then runs an app on your computer without telling you. My settings and add-ons blocked it, but many people won't have the same security settings I do.


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Are You Being Fingerprinted Online? (Posted: 5 Jul 2013)
Source: http://askbobrankin.com/are_you_being_fingerprinted_online.html