
EFF: Web Browsers Leave 'Fingerprints' Behind as You Surf the Net

From:  EFF Press <press-AT-eff.org>
To:  presslist-AT-eff.org
Subject:  EFF: Web Browsers Leave 'Fingerprints' Behind as You Surf the Net
Date:  Mon, 17 May 2010 08:51:58 -0700
Message-ID:  <4BF1661E.2030702@eff.org>

Electronic Frontier Foundation Media Release

For Immediate Release: Monday, May 17, 2010

Contact:

Peter Eckersley
   Senior Staff Technologist
   Electronic Frontier Foundation
   pde@eff.org
   +1 415 436 9333 x131

Web Browsers Leave 'Fingerprints' Behind as You Surf the
Net

EFF Research Shows More Than 8 in 10 Browsers Have Unique,
Trackable Signatures

San Francisco - New research by the Electronic Frontier
Foundation (EFF) has found that an overwhelming majority of
web browsers have unique signatures -- creating
identifiable "fingerprints" that could be used to track you
as you surf the Internet.

The findings were the result of an experiment EFF conducted
with volunteers who visited http://panopticlick.eff.org/.
The website anonymously logged the configuration and
version information from each participant's operating
system, browser, and browser plug-ins -- information that
websites routinely access each time you visit -- and
compared that information to a database of configurations
collected from almost a million other visitors.  EFF found
that 84% of the configuration combinations were unique and
identifiable, creating unique and identifiable browser
"fingerprints."  Browsers with Adobe Flash or Java plug-ins
installed were 94% unique and trackable.

"We took measures to keep participants in our experiment
anonymous, but most sites don't do that," said EFF Senior
Staff Technologist Peter Eckersley.  "In fact, several
companies are already selling products that claim to use
browser fingerprinting to help websites identify users and
their online activities.  This experiment is an important
reality check, showing just how powerful these tracking
mechanisms are."

EFF found that some browsers were less likely to contain
unique configurations, including those that block
JavaScript, and some browser plug-ins can be configured to
limit the information your browser shares with the websites
you visit.  But overall, it is very difficult to
reconfigure your browser to make it less identifiable.  The
best solution for web users may be to insist that new
privacy protections be built into the browsers themselves.

"Browser fingerprinting is a powerful technique, and
fingerprints must be considered alongside cookies and IP
addresses when we discuss web privacy and user
trackability," said Eckersley.  "We hope that browser
developers will work to reduce these privacy risks in
future versions of their code."

EFF's paper on Panopticlick will be formally presented at
the Privacy Enhancing Technologies Symposium (PETS 2010) in
Berlin in July.

For the full white paper: How Unique is Your Web Browser?:
https://panopticlick.eff.org/browser-uniqueness.pdf

For more details on Panopticlick:
http://www.eff.org/deeplinks/2010/05/every-browser-unique... 


For more on online behavioral tracking:
http://www.eff.org/issues/online-behavioral-tracking

For this release:
http://www.eff.org/press/archives/2010/05/13

About EFF

The Electronic Frontier Foundation is the leading civil
liberties organization working to protect rights in the
digital world. Founded in 1990, EFF actively encourages and
challenges industry and government to support free
expression and privacy online. EFF is a member-supported
organization and maintains one of the most linked-to
websites in the world at http://www.eff.org/


     -end-






Especially bad if you run Linux

Posted May 17, 2010 20:01 UTC (Mon) by JoeBuck (guest, #2330) [Link] (2 responses)

The big gotcha is the supported languages string, which depends on the particular language support packs you have installed. Once you take out a few of these that you don't use, you make it likely that you have a near-unique configuration.

Firefox reveals way too many details in the HTTP headers.

Especially bad if you run Linux

Posted May 17, 2010 20:52 UTC (Mon) by nix (subscriber, #2304) [Link]

The big gotcha is the supported languages string, which depends on the particular language support packs you have installed. Once you take out a few of these that you don't use, you make it likely that you have a near-unique configuration.
Those of us who only speak one language (or a few, common ones) can just remove *all* language packs other than the ones we speak. I doubt a supported-languages string with only one or two entries is going to be terribly unique :)

(hey, an advantage to monoglottism! but a tiny one.)

Especially bad if you run Linux

Posted May 17, 2010 22:05 UTC (Mon) by spaetz (guest, #32870) [Link]

Nope, language was not the most revealing. Both the combination of installed plugins and available system fonts on my (pretty much stock) Ubuntu Firefox was considered unique among all current entries!
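The three comments above disagree about which attribute gives a browser away: the Accept-Language list, or the plugin and font lists that a site reads through JavaScript. The following example is added here and is not part of the thread or of Panopticlick; it runs the paper's two measures (per-attribute entropy and the fraction of fingerprints that are unique) over a small constructed set of ten browser configurations, and models removing unused language packs by keeping only the primary language.

```python
import math
from collections import Counter

# Constructed sample of ten browser configurations (not Panopticlick data).
# "ua" and "lang" arrive in HTTP headers; "plugins" and "fonts" are read via
# JavaScript, so a site seeing a JavaScript-free browser gets only the first two.
SAMPLE = [
    {"ua": "Firefox/3.6 Linux", "lang": "en-US,en", "plugins": "flash,java", "fonts": "DejaVu,Liberation"},
    {"ua": "Firefox/3.6 Linux", "lang": "en-US,en", "plugins": "flash", "fonts": "DejaVu,Liberation"},
    {"ua": "Firefox/3.6 Linux", "lang": "en-US,en,de,fr", "plugins": "flash,java", "fonts": "DejaVu,Liberation,Ubuntu"},
    {"ua": "Firefox/3.6 Linux", "lang": "en-US,en", "plugins": "flash,java", "fonts": "DejaVu,Liberation"},
    {"ua": "MSIE 7.0 Windows NT 5.1", "lang": "en-US", "plugins": "flash", "fonts": "Arial,Verdana,CorpSans"},
    {"ua": "MSIE 7.0 Windows NT 5.1", "lang": "en-US", "plugins": "flash", "fonts": "Arial,Verdana,CorpSans"},
    {"ua": "MSIE 7.0 Windows NT 5.1", "lang": "en-US", "plugins": "flash,java", "fonts": "Arial,Verdana,CorpSans"},
    {"ua": "Firefox/3.6 Linux", "lang": "nl,en", "plugins": "flash", "fonts": "DejaVu,Liberation"},
    {"ua": "Firefox/3.6 Linux", "lang": "en-US,en,de,fr,it", "plugins": "flash,java,divx", "fonts": "DejaVu,Liberation,Ubuntu"},
    {"ua": "MSIE 7.0 Windows NT 5.1", "lang": "en-US", "plugins": "flash", "fonts": "Arial,Verdana"},
]
ALL = ("ua", "lang", "plugins", "fonts")
HEADERS_ONLY = ("ua", "lang")

def entropy_bits(values):
    """Shannon entropy of the observed value distribution, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def attribute_entropy(records, key):
    """How many bits of identifying information one attribute carries."""
    return entropy_bits([r[key] for r in records])

def fingerprint(record, keys):
    return tuple(record[k] for k in keys)

def unique_fraction(records, keys):
    """Share of records whose fingerprint over `keys` appears exactly once."""
    counts = Counter(fingerprint(r, keys) for r in records)
    return sum(1 for r in records if counts[fingerprint(r, keys)] == 1) / len(records)

def trim_languages(records):
    """Model removing unused language packs: keep only the primary language."""
    return [dict(r, lang=r["lang"].split(",")[0]) for r in records]

if __name__ == "__main__":
    for key in ALL:
        print(f"{key:8s} {attribute_entropy(SAMPLE, key):.2f} bits")
    trimmed = trim_languages(SAMPLE)
    print("unique, all attributes:     ", unique_fraction(SAMPLE, ALL))
    print("unique, headers only:       ", unique_fraction(SAMPLE, HEADERS_ONLY))
    print("headers only, trimmed langs:", unique_fraction(trimmed, HEADERS_ONLY))
    print("all attrs, trimmed langs:   ", unique_fraction(trimmed, ALL))
```

On this sample, trimming the language list cuts header-only uniqueness from 30% to 10%, but leaves the all-attribute figure at 60%, because the plugin and font lists already separate most browsers on their own.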

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 20:16 UTC (Mon) by coriordan (guest, #7544) [Link] (7 responses)

Randomising most of HTTP_ACCEPT and User agent would totally fix this problem, right? Or at least, it should for those of us with javascript turned off by default (using noscript makes this pretty convenient).

A handful of things should stay the same, such as browser name, the major version number of the browser, and your main language preferences, but I guess the rest could change per-site by selecting random values from lists of valid values.

Anyone know of a plugin (for any browser) that does this?

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 20:37 UTC (Mon) by saffroy (guest, #43999) [Link] (2 responses)

Well, the User Agent Switcher extension for Firefox does help a bit here.

The real problem however is that information such as your web browser's ID, plugins or supported languages is often used by the web server to alter the actual content served to you (eg. to send you text in your language, or work around bugs in your browser), so there are limits to how much one wants to mess with that.

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 22:30 UTC (Mon) by coriordan (guest, #7544) [Link]

I've installed User Agent Switcher just now. I don't think it's going to be of any use, since I won't manually switch my User-Agent each time I browse to a new site, but it's free software, and that code would surely be a good starting point for implementing what I was talking about.

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 23:52 UTC (Mon) by jrn (subscriber, #64214) [Link]

> The real problem however is that information such as your web browser's ID, plugins or supported languages is often used by the web server to alter the actual content served to you (eg. to send you text in your language, or work around bugs in your browser), so there are limits to how much one wants to mess with that.

In practice, that is much less of a problem than it would seem to be. I have been browsing with ‘chromium-browser --user-agent="Mozilla/8.0"’ for a few months now, and I only ran into a few problems:

. Gmail requires ?nocheckbrowser at the end of the URL or it will not use ajaxy features

. Old versions of http://www.bad-behavior.ioerror.us/ deny access to some pages. So far, every webmaster I have mentioned this to has been happy to have the reminder to upgrade.

. Facebook appears to use Content-disposition: attachment or something for its front page, rendering it inaccessible.

That’s all. I would be happy to see more people doing this, since if sites use sane behavior by default, that means one less barrier to entry for new browsers and should make it easier to change the behavior of existing browsers.

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 20:41 UTC (Mon) by JoeBuck (guest, #2330) [Link] (3 responses)

This isn't a good idea. There's a balance to be struck.

It's useful for web site developers to have some idea of how many users use which platforms, and in some cases, user-agent is used to allow a web site to work around browser bugs. It isn't really necessary, though, for every HTTP transaction to send all that bloated stuff about every plugin and every supported language. We should focus on sending small amounts of accurate information, instead of huge piles of irrelevant information that mainly serves to fingerprint the user.

How about randomising HTTP_ACCEPT and User agent?

Posted May 17, 2010 23:41 UTC (Mon) by coriordan (guest, #7544) [Link] (1 responses)

Yeh, it's all about where to strike the balance.

For me, avoiding tracking is pretty important. Helping web devs work around bugs in my browser is something I'm lukewarm about - it won't happen often, and it'll almost never be a big deal.

I think a good starting point would be to hand over just four pieces of info, for example: I use Iceweasel, version 3.5.X, on GNU/Linux, in Dutch.

These are four things that might be used regularly, legitimately by websites to ensure I get a good browsing experience. And that's probably not an identifiable amount of info, so it could remain unchanged (or, maybe the browser name could even alternate between "Iceweasel" and "firefox").

If 3.5.4 had display problems, then the "X" in my version number could be randomly chosen from [1-35-9].

How about randomising HTTP_ACCEPT and User agent?

Posted May 18, 2010 0:06 UTC (Tue) by coriordan (guest, #7544) [Link]

The linked paper discusses a similar topic:

The obvious solution to this problem would be to make the version numbers less precise. Why report Java 1.6.0_17 rather than just Java 1.6, or DivX Web Player 1.4.0.233 rather than just DivX Web Player 1.4? The motivation for these precise version numbers appears to be debuggability. Plugin and browser developers want the option of occasionally excavating the micro-version numbers of clients when trying to retrospectively diagnose some error that may be present in a particular micro-version of their code. This is an understandable desire, but it should now be clear that this decision trades off the user’s privacy against the developer’s convenience.

There is a spectrum between extreme debuggability and extreme defense against fingerprinting, and current browsers choose a point in that spectrum close to the debuggability extreme.

How about randomising HTTP_ACCEPT and User agent?

Posted May 18, 2010 3:12 UTC (Tue) by jamesh (guest, #1159) [Link]

The plugin info doesn't come from HTTP headers: they're being accessed via Javascript. While you might consider it a privacy issue, it isn't adding overhead to the HTTP requests.

stating the obvious

Posted May 17, 2010 21:04 UTC (Mon) by smoogen (subscriber, #97) [Link] (2 responses)

You know you have too much knowledge of a subject when you read an article like that and go "Yeah and this is new because?"

Fingerprinting a browser has been possible for a long, long time (probably since the late 1990's). I know that several web-trends programs from 2000 used various techniques to determine if an IP address was a single browser or multiple browsers, and looking at what they did one could see how to tell if that 'browser' (or something very similar) showed up in other places without putting a special cookie on the browser. [A cookie makes it a definite 1:1 versus a guess.]

The fact is that most technology is not built for privacy and has never been. While we may think that we are quietly in our house and completely private, technology is built more like you have gone into common grounds. Unless you are willing to wear a burqa to cover yourself and deal with the extra scrutiny that gets from some quarters.. it is not a private action when you begin to communicate with anything outside of your computer. [And depending on some tools.. not even then :(.]

stating the obvious

Posted May 17, 2010 23:49 UTC (Mon) by coriordan (guest, #7544) [Link] (1 responses)

Just to add to that... I remember an interesting point that Lawrence Lessig made about privacy. It was along the lines of, in the real world, we're guaranteed a certain level of privacy because of the effort required to track us.

My trip to the city centre will expose me to thousands of people, but none would reliably draw a picture of me the next day. The security cameras in the bookshops will record what books I browsed, but, except in very exceptional circumstances, no one will watch the recordings with enough interest to see me or the books.

Online, the situation is put on its head. *I* can't remember what sites I viewed last week, but doubleclick.net has a pretty complete record of what I viewed last week, last month, last year, ...

stating the obvious

Posted May 18, 2010 0:23 UTC (Tue) by smoogen (subscriber, #97) [Link]

Actually people are not as anonymous when they are in the city center not even counting security cameras. Media organizations have long tracked buying habits.. any good grocer would know what kinds of vegetables you like if he wanted to keep in business. But since the 1970's and the growth of the credit industry it has become more of a part of society.

Going beyond the internet, a person's credit card/debit purchases, their magazine viewing, their TV habits are all stored and viewed away. We have lived in a society where privacy has become more of a fiction in the last 30+ years... we traded it away for cheap TV and t-shirts years ago. Scott McNealy's famous privacy quote was right in so many ways :/.

Company browsers are anonymous?

Posted May 18, 2010 10:14 UTC (Tue) by NAR (subscriber, #1313) [Link] (1 responses)

I was wondering that in a company environment the setup of the computers should be the same, so the browsers should look to be the same. Anyway, it's pretty amazing that only 4 people (including me) visited the site with the same user agent (IE 7.0, probably with up to date(?) patches, so I thought this must be a lot more popular). Actually it is more specific than the system font list, which contains company-specific fonts, so there must be 7 other people from this company who visited this page, but 4 of them used a different browser.

Company browsers are anonymous?

Posted May 19, 2010 10:39 UTC (Wed) by MKesper (subscriber, #38539) [Link]

Most companies are stuck at IE6.0, I guess. The user string sent by IE is very verbose, though: e.g.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 1.1.4322; MS-RTC LM 8)


Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds