Your Web browser's fingerprints can betray you, study finds

Test reveals that unique browser configurations can allow tracking without the use of cookies

Browsers have fingerprints, too, which means that Web sites could be able to identify and track visitors even without the use of cookies or super cookies, according to a recent study by the Electronic Frontier Foundation.

EFF set up a test site for what it calls its Panopticlick project and invited people to take part. Of the 470,161 visitors who did, 83.6 percent of the browsers had a unique fingerprint, EFF’s report said. And 94.2 percent of the browsers with Flash or Java installed were identified as unique.

The test collected information on visiting browsers – such as type of browser, operating system, screen resolution, browser plug-ins and system fonts – and compared them to EFF’s extensive list of configurations. Java makes it easier to identify such things as screen resolution, and Flash can give up the system fonts, which is why browsers with those plug-ins installed were easier to identify. Taken together, the configurations often add up to a unique fingerprint that could identify the browser when it visits another site.

“In general, modern desktop browsers fare very poorly,” in terms of protecting privacy, the report said.

The browsers that were the least unique, and therefore the most difficult to identify, were those with JavaScript disabled, those using TorButton (an add-on that protects privacy), and iPhone and Android browsers, which the report said are more uniform than other browsers. However, iPhone and Android browsers don’t have good cookie control, so those users are subject to tracking anyway, the report said.
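To make the measurement concrete, the following added example (not EFF's code or data) combines the attributes named above into one fingerprint per visitor and reports how many visitors are unique, how large each visitor's anonymity set is, and how many bits each attribute contributes on its own. The visitor records, the attribute names and the SHA-256 combining step are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

ATTRS = ("user_agent", "os", "screen", "plugins", "fonts")

# Constructed sample visitors (not EFF data). None = attribute not readable,
# e.g. JavaScript disabled, so screen, plug-ins and fonts cannot be probed.
VISITORS = [
    ("Firefox/3.6", "Windows", "1280x1024", ("Flash", "Java"), ("Arial", "Calibri")),
    ("Firefox/3.6", "Windows", "1280x1024", ("Flash", "Java"), ("Arial", "Calibri", "Futura")),
    ("Firefox/3.6", "Windows", "1920x1080", ("Flash",), ("Arial", "Calibri")),
    ("MSIE 8.0", "Windows", "1280x1024", ("Flash", "Java"), ("Arial", "Calibri")),
    ("Safari/iPhone", "iPhone OS", "320x480", (), ()),
    ("Safari/iPhone", "iPhone OS", "320x480", (), ()),
    ("Safari/iPhone", "iPhone OS", "320x480", (), ()),
    ("Firefox/3.6", "Windows", None, None, None),
    ("Firefox/3.6", "Windows", None, None, None),
    ("Chrome/4.1", "Linux", "1440x900", ("Flash",), ("DejaVu Sans", "Liberation")),
]

def fingerprint(visitor):
    """Hash the ordered attribute values into one stable identifier."""
    canonical = "\x1f".join(repr(value) for value in visitor)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def uniqueness_report(visitors):
    """Return (share unique, anonymity-set size per visitor, bits per visitor)."""
    counts = Counter(fingerprint(v) for v in visitors)
    sizes = [counts[fingerprint(v)] for v in visitors]
    share_unique = sum(1 for s in sizes if s == 1) / len(visitors)
    bits = [math.log2(len(visitors) / s) for s in sizes]  # surprisal of each fingerprint
    return share_unique, sizes, bits

def attribute_entropy(visitors):
    """Shannon entropy (bits) that each attribute carries on its own."""
    n = len(visitors)
    out = {}
    for i, name in enumerate(ATTRS):
        counts = Counter(v[i] for v in visitors)
        out[name] = -sum(c / n * math.log2(c / n) for c in counts.values())
    return out

if __name__ == "__main__":
    share, sizes, bits = uniqueness_report(VISITORS)
    print(f"unique fingerprints: {share:.0%}")
    for visitor, size, b in zip(VISITORS, sizes, bits):
        print(f"{visitor[0]:<14} anonymity set={size}  bits={b:.2f}")
    print({name: round(h, 2) for name, h in attribute_entropy(VISITORS).items()})
```

In this constructed sample the desktop browsers that expose plug-ins and fonts each end up alone in their set, while the iPhone and JavaScript-disabled visitors share a fingerprint with others.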

The idea of browser fingerprints isn’t new, but the report puts a number on how many browsers could be tracked without cookies. And although it’s uncertain whether many Web sites are using fingerprinting to track visitors, some banking, e-commerce and social Web sites have been using this kind of tracking in incidents of suspected fraud.

At any rate, the study shows that users are not as anonymous as they might have thought, even if they’re careful about blocking cookies.

“Policy-makers should start treating fingerprintable records as potentially personally identifiable,” the EFF report concluded, “and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms.”

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Reader Comments

Thu, May 20, 2010 DR

Excellent story. That EFF site and the analysis there is very interesting...

Thu, May 20, 2010

Conversely, couldn't spammers and hackers be as easily identified using the same sort of ID?

Thu, May 20, 2010 Kevin Dayton

Wrt fingerprints, a simple way to reduce your signal to noise ratio is to use a variety of browsers and a variety of computers.

Wed, May 19, 2010 Anton Marx Washington, DC

I am constantly amazed that anyone still believes they have a shred of privacy in any of their communications over the Internet. Between Homeland Security, NSA, motor vehicle departments, real estate and court document public records, department stores, Facebook and Amazon, and the hundreds of thousands of vendors advertising on The Net, there must be many terabytes of detailed information about almost everyone in the world. And I read somewhere, probably in GCN, that a major feature of the expanded IP Address Space is the ability to track GPS Locations.

Wed, May 19, 2010

If a browser wanted to take the lead in security, they should include some sort of plug-in that would slightly alter a computer's system (with approval of course) so that the user wouldn't have the exact same profile for very long. They could disable a font (for example one that isn't common or hasn't been used in a while) or recommend a minor/incremental update to a program (e.g. from 1.10.08 to 1.10.12) so that the user's profile isn't "exactly" the same for long periods of time. In addition to regular system/software updates, this would change a user's system enough to make tracking a specific user difficult.
