Are You Being Fingerprinted Online?

wait--I'm confused--if my fingerprint is "unique," that means I am MORE identifiable and less anonymous, right?

I'm not the sharpest tool in the shed so please forgive my ignorance. How would browser fingerprinting be affected if one was using a "live" Ubuntu type CD/DVD to access the internet? Especially considering that the "live" disk may use a totally different browser than the one installed on the hard drive.

Likewise, what effect would there be if one used a VPN like Hotspot Shield or set up a virtual machine using VMware, VirtualBox, etc?

I'm not sure why this article would state: "Don’t worry; the EFF won’t track you or share your browser fingerprint." The EFF is about protecting our online privacy.

I, too, am unique and the test Bob suggested in this very interesting article reveals that fact and even more usefully shows the reason for my failure to blend in with the crowd. Obviously it's the vast number of "System Fonts", most of which I'm sure I never use and don't need. Any ideas for a good way to weed out the excess??

I very rarely use Yahoo because of privacy concerns; basically only to post to my recycling service of choice which is a Yahoo Group. Recently I got an email to my backup address saying that someone had accessed my account with a computer not associated with me...

Actually it was me, I had bought a new machine. But now I know at least one nosy operation that has been fingerprinting my computers for quite a long time, and associating it with an email address.

Looks like I'll have to switch browsers and email addresses every time I use Yahoo - and hope they aren't tracking MAC numbers too.

You went from 1 in 3M to 1 in 1.5M because you tested the same browser twice. That's 2 in 3M. If you test again, you will see 1 in 1M. That's 3 in 3M. But all 3 are you.

how helpful in this respect id deepFreeze?

Okay ... I look at it this way. If your IP address is viewable to ANYONE, and it is. They know where you live, they have your physical address. If you have a phone, they know where you are. So ... IP minus GPS = wheather you are at home, or not. ANY QUESTIONS ???

EDITOR'S NOTE: IP address does NOT reveal physical address. See http://askbobrankin.com/does_ip_address_reveal_my_physical_location.html

While agreeing most cookies are harmless, the fact is advertising is getting way too pushy. With the development of more sophisticated software its getting harder to avoid and much of this is getting invasive. I am referring to the "latest thing" that has transpired in Germany, that is advertising by bone induction.where resting your head on the window in a train, triggers an avert to play. Pretty much getting inside your head rite?

We usually control browser profiles only in basic ways, (choosing a browser, updating it, turning off certain types of cookies). Those alone are not very identifying factors. It's the huge number of application and system settings that form unique combinations. Many are irrelevant or would not adversely affect the browsing experience if they were changed somewhat, even to values that did not match the computer, or were at least "reported" wrongly.

So... perhaps experts in privacy groups could provide masses of users with a program that imposes (or merely reports) whatever is determined to be the most universal combination of those myriad settings. That data set would be refreshed regularly by polling the browsers of users each time they visit the site to get their own update of the communal profile. The result is reduced uniqueness because each user's browser would then vary only in the very common choices they have always made, (though it would have to also include a relatively limited number of computer-specific settings required for the browser to work).

An opposite approach would be to widely distribute a program that exploits uniqueness to make it harmless in the long term. It would do this by periodically changing (or merely mis-reporting) some selected non-crucial settings. If this is done automatically with each session (or even with each web page), a browser that is "uniquely" identified at a particular time will appear to be a different one when its profile is examined at any future time.

I agree with Kerry. It would make more sense if the figures "one in x" were high. That means the computer is more apt to blend into the background. Whereas a low figure would make you unique.

I read the site's FAQ and other data, but it did not really explain how to interpret the numbers.

Also, the site showed it did place a cookie on the computer so multiple tests would not skew the overall figures. Deleting the cookie would render each test as unique, not a returning tester.

The first thing I get is a security popup sating the site is a security risk w/o a valid certificate. When that is canceled, without accepting the risk to run the script, seems to run it anyway and displays a page that says my CPU is unique in 3.1 million.

This PDF file this statement references was interesting;
“The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.”

Clicking on the hot link, “this article”, brings up a dissertation on methods used. On page 7 it starts to use some rather complicated mathematical statistical methods. It’s been many many years since I had a semester of statistics, but from what I could ascertain from it, if confidence levels for the percentages quoted to re-identify a particular browser were also given, they would be just slightly above 50/50. They would start out better than that but degrade quickly with browser usage and then retested.

In short, I don't think I would want to take a trip in space based on the same reliability as this fingerprint method seems to have.

“this article” leads to: https://panopticlick.eff.org/browser-uniqueness.pdf

As a point of interest (apologies if this has already been mentioned). I had the same results, being 1 in 3m with the first test, then after switching to incognito mode getting a result of 1 in 1.5m. The fact is that your first test adds you to the database thereby halving the result. A third test in normal mode also gives a result of 1 in 1.5m. This tells me that switching to incognito makes no difference. WE ARE SCREWED. I do believe thought that browsers will find a way to fight back.

Pieter

Re: After I switched to private (or “incognito”) browsing mode . . . , taking Joe You went from 1 in 3M to 1 in 1.5M because you tested the same browser twice and Old Man the site showed it did place a cookie on the computer so multiple tests would not skew the overall figures. Deleting the cookie would render each test as unique, not a returning tester. together, did going incognito just hide the earlier cookie so that you were a second instance?

I got one in 48,000 right off the hop (I run no-script). I didn't much like it, so went looking for a very common user agent setting for Firefox. I found "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0" then made a new entry in about:config called "general.useragent.override" and set it to that. Now I'm down to 1 in 2,800. Still pretty identifiable, but better.

If I set it to a common IE useragent pages would display screwy. Now if only I could find a more common HTTP_ACCEPT Header and figure out how to set that.

I agree with your comments overall, but the pantoptickick numbers appear to be misleading - basedon their web site. Their "one in x browsers have this value" is just a binary translation of the number of bits in the message. So if there were just 2 bits x would be 4, for 3 bits x would be 8 and so on. However this assumes that data is randomly distributed - so it for the two bit example that there are equal numbers of 00, 01, 10, and 10. But suppose - for illustration only that all browsers returned "00" - in that case your anonymity would be complete, you would be indistinguishable from all other users.

Now the situation I describe as an example is not the case - but that is a far cry from assuming a truly random distribution. If in fact your signature is a common one then you are indistinguishable from a great many other people. So what the real numbers are is not at all revealed by the article or by the pantoptickick site test.

I tested it in 2 browser with vastly different number of plug-ins reported, 1 line against at least 50 lines of the plugin report. The test returned EXACTLY the number as to my uniqueness and the number of bits identifying me. This leads me to the conclusion that the browser does not enter into the calculation and that it is almost entirely based on screen resolution and installed fonts. Unless they do something else they are not telling us about, such as a calculated sum of hardware component IDs.

Since you can't have 15.38 bits in a message, clearly the N in "1 in N" is not computed from the length of a bit string. Rather, the #bits is computed log2 of N and presented as an effective number of bits of identifying information based on uniqueness.

Now I guess since the least unique configurations are known, the Gov't will have to start focusing on these, knowing that terrorists will do their best to make themselves anonymous. Non-unique, eh? That's very suspicious.

Thank you for the useful link, & the different way to look at the browser experience. I have always believed that regardless of what tool a user accesses the net with, he/she would invariably leave a trace of themselves wherever they chose to land. ;)

You posted a website address of https://panopticlick.eff.org. Once you click test, it provides the results and then runs an app on your computer without telling you. My settings and add-ons blocked it, but many people won't have the same security settings I do.