How Unique Is Your Web Browser? (You're being tracked based on how unique your browser settings are)
Posted on 06/04/2011 6:29:49 PM PDT by LibWhacker
Abstract. We investigate the degree to which modern web browsers are subject to "device fingerprinting" via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test site, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample.
By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.
We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a trade-off between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be self-defeating if they are not used by a sufficient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.
(Excerpt) Read more at panopticlick.eff.org ...
Read the paper here: https://panopticlick.eff.org/browser-uniqueness.pdf
Criminy, I thought I was being smart running a boatload of privacy plugins, setting my browser up not to run scripts, accept cookies, nor generally, to give out much information at all about me or my computer.
But now, it turns out, that can be used against me; i.e., my computer is totally unique amongst 1.5 million browsers tested, and therefore, can be tracked across the web based upon this unique fingerprint! Or, as one wag has said, "What a cruel twist of fate, all my plugins designed to give me privacy are being used to identify me!"
They can also track you by IP and location.
That's a problem.
Same with me, except I had to allow their program to send data back.
Mine too seems to be completely unique among the 1.56 million in their database.
So what are the odds that we BOTH have such unique settings?
One thing making mine unique was that I have Java plugins- but who does not?
I think these guys are BUILDING a database of browser characteristics, to use to track people.
In theory that makes sense.... Could indeed be a tell tale.
I do such to avoid the average bs malware etc...
Now you need another plugin to protect all this info ...
I’m worse than you (1,593,093) and was doing the same thing.
Interesting... We all have similar but not identical uniqueness measures. How can that be? If they’ve tested 1.6M browsers and 100,000 of them share your fingerprint, would they tell you that you were unique among [the other] 1.5M? How exactly does that work? I’m not sure.
Nothing is something per se... That would only seem to apply to no such agency sorts who can breach your security if they want anyway.
Only way for two people to keep a secret is if one of em is dead.....supposedly....:o)
Lol, boy, is that ever the truth!
I was unique with 20.6 bits too. Hmmm.
Looks like it comes from “Browser Plugin Details” which may include the order of when you added the plugins.
Buy a used computer trade-in from a repair shop. It usually has the original buyer's administrator's login defaults locked in and defaults to the original buyer's email address and windows license info. All the upgrades are registered with the administrator.
Here's an easier way of tracking someone - the only way to defeat it is through an anonymizer portal:
Here's what I got:
Within our dataset of several million visitors, only one in 5,628 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 12.46 bits of identifying information.
I got the same result as everyone else.
Also, an icon which I’ve never seen before on my computer showed up down in the lower right hand corner of the screen, next to the antivirus icon. Something to do with Java.
Okay, that's useful information, thx. So what they are saying is that, perhaps, 400 to 600 computers share your fingerprint. A lot better than me!
A few weeks ago, I visited a site that offered certain tours in Europe. About a week later, I got a brochure from them in the mail - the U.S. mail.
“Currently, we estimate that your browser has a fingerprint that conveys 12.46 bits of identifying information.”
So how do I go about becoming a 12 bitter instead of a 20 bitter?
Seriously, not trying to be funny.
I have a similar icon, but it’s because I’m running a plugin called NoScript.
That was my first thought.
Most of that information is correct, but I doubt this one:
“Within our dataset of several million visitors, only one in 5,628 browsers have the same fingerprint as yours.”
I am running Xubuntu Linux and Firefox browser, but I tried the same view from an old Redhat Linux machine with Galeon Browser (Mozilla/Netscape derivative) and got exactly the same statement.
Interesting; it seems that the two attributes - at least for the three browsers that I regularly use (FF4, Opera 11, IE9) - that are the most unique are (1) the browser plugin details that are sent in the HTTP headers, and (2) the number of system fonts sent in the HTTP headers.
Other than that, the user-agent string is the next most unique attribute, but it differs among the three; for FF4 it’s not that rare (guess that means a lot of folks switched to FF4 pretty quickly), for Opera it’s a more unique attribute - probably because a lot fewer people use Opera, and for IE9 it’s a very unique attribute, most likely because IE9 is so new and because IE users tend to be slower at upgrading - particularly enterprise users - than FF users or Opera users.
I think I might explore how to stop the browsers from sending out so much info on things that are relatively irrelevant, like system fonts.
“Your browser fingerprint appears to be unique among the 1,594,804 tested so far.”
I think you’re right.
Somebody just set us up the bomb.
“So what are the odds that we BOTH have such unique settings?”
Quite large. I identified 23 relevant elements on ‘User Agent’ and ‘HTTP_ACCEPT Headers’ alone. If each of them were binary (has only two choices) there would be 2^23 different possible configurations, or 8,388,608, which is much more than the 1.56 million in the database. They’re not binary, there’s a lot more configurations than that. And that’s without taking the other five parameters. Collision chances don’t seem too high.
Hi, Oceander... When you figure it out, and if it wouldn't be too much trouble, would you kindly summarize what you've found so that all Freepers can make the necessary changes? Again, only if you have the time. I know I sure haven't deciphered it yet and would greatly appreciate a nice, easy to understand primer. Thanks!
| Browser Characteristic | bits of identifying information | one in x browsers have this value | value |
|---|---|---|---|
| User Agent | 20.6+ | 1594759 | Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020809 |

You have no chance to survive
Make Your Time
| Browser Characteristic | bits of identifying information | one in x browsers have this value | value |
|---|---|---|---|
| User Agent | 10.24 | 1207.64 | Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 |

Panopticlick -- How Unique, and Trackable, Is Your Browser?
Your browser fingerprint appears to be unique among the 1,596,279 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 20.61 bits of identifying information.
The measurements we used to obtain this result are listed below. You can read more about our methodology, statistical results, and some defenses against fingerprinting in this article.

| Browser Characteristic | bits of identifying information | one in x browsers have this value | value |
|---|---|---|---|
| User Agent | 20.61+ | 1596279 | Lynx/2.8.5dev.7 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.6b |
| HTTP_ACCEPT Headers | | | |

I have no idea what the heck this means.
One in 320,000 with scripts off, one in 1.598 Million (unique) with scripts enabled for the Panopticlick site only. Panopticlick kept feeding me suspicious scripts, the latest Java release was going wild with detections.
It’s just a measure of how much information your browser is handing off to any server on the internet it connects to. In this case, I think, ‘bits’ means ‘pieces,’ not bits as in “bytes and bits.” Twenty is not very good, according to EFF.
Interesting, and from the look of it, pretty accurate.
One thing, though...
Using Google Chrome, I get the 1 in 1.5+ million
Using Microsoft IE 9, I get the 1 in 1.5+ million.
Using Firefox with noscript and AdBlock Plus, I get 1 in 17000.
Looks like I’m going back to my locked-down Firefox install.
Oh, woops...I mean CATS!
[stupid main screen not turn on]
Oh, fantastic, thanks for that! I’m going to install it right away.
How are fractions of bits possible?
Within our dataset of several million visitors, only one in 533,751 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 19.03 bits of identifying information.
After taking the test several times, my score gets lower with each test.
This is the latest result:
Within our dataset of several million visitors, only one in 43,285 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 15.4 bits of identifying information.
Either their test is hinky or my browser (Opera) is shutting down identifying characteristics.
The next time you take the test, it will think of you as the seventh person to have visited the website with that fingerprint and will report that "only one in 428,571 browsers have the same fingerprint as yours." So, you'll appear to be less unique, that is, less identifiable from a uniqueness point of view. Less unique is good.
But you do not want to repeatedly take the test over and over again because, although that number will decrease each time, it will not be giving you accurate information after your first visit.
You should only re-take the test after you've made major changes in the headers that are handed off from your browser to servers, to see whether or not the changes you've made are actually beneficial from a privacy (uniqueness) point of view.
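An added example, not part of the thread and not EFF's code: how the "bits of identifying information" and "one in x" figures quoted above relate, why the bit counts are fractional, and why re-taking the test lowers the reported number. The function names are hypothetical, the sample distribution is constructed, and the repeat-visit model assumes the site counts every visit as a new browser.

```python
import math
from collections import Counter

def surprisal_bits(matching, total):
    """Bits of identifying information for a fingerprint shared by
    `matching` of `total` observed browsers: log2(total / matching)."""
    if not 0 < matching <= total:
        raise ValueError("need 0 < matching <= total")
    return math.log2(total / matching)

def one_in_x(bits):
    """Inverse view: a fingerprint worth `bits` bits is shared by one in 2**bits."""
    return 2.0 ** bits

def fingerprint_entropy(counts):
    """Shannon entropy (average surprisal) of a whole fingerprint distribution."""
    total = sum(counts.values())
    return sum(n / total * surprisal_bits(n, total) for n in counts.values())

def repeat_visits(total, matching, visits):
    """'One in x' reported after each extra visit, ASSUMING the site counts
    every visit as a new browser (no cookie or IP de-duplication)."""
    reported = []
    for _ in range(visits):
        total += 1
        matching += 1
        reported.append(total / matching)
    return reported

# Figures quoted in the thread: (one in x, bits reported alongside it).
QUOTED = [(5628, 12.46), (533751, 19.03), (43285, 15.4), (1596279, 20.61)]

# Constructed sample: 8 browsers, 4 distinct fingerprints.
SAMPLE = Counter({"fp-a": 4, "fp-b": 2, "fp-c": 1, "fp-d": 1})

if __name__ == "__main__":
    for x, bits in QUOTED:
        print(f"one in {x:>9,} -> {surprisal_bits(1, x):.2f} bits (page says {bits})")
    print("entropy of sample:", fingerprint_entropy(SAMPLE), "bits")
    print("repeat visits:", repeat_visits(1_000_000, 1, 3))
```

The bit count is a base-2 logarithm of a ratio, so it is fractional whenever "one in x" is not an exact power of two.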
I did successfully work through the example the author gave and blocked headers related to the iPhone, which I do not own, lol.
Also, I wonder if a person blocks font information, will his online banking be screwed up from then on, for example, because servers will just send out some ugly default font from the old days, like 12-point Courier that'll totally screw up tables, etc?
Is it possible that we have similar uniqueness due to being FReepers? We have many threads here on FR on net security, etc. Also, I think that many people, liberal and conservative alike, who are net savvy tend to pay attention big time to tracking, net dangers, etc. moreso than casual net surfers.