Tracking your Browser Without Cookies

How unique is your browser? Can you be tracked simply by its characteristics? The EFF is trying to find out. Their site Panopticlick will measure the characteristics of your browser setup and tell you how unique it is.

I just ran the test on myself, and my browser is unique amongst the 120,000 browsers tested so far. It's my browser plugin details; no one else has the exact configuration I do. My list of system fonts is almost unique; only one other person has the exact configuration I do. (This seems odd to me, I have a week old Sony laptop running Windows 7, and I haven't done anything with the fonts.)

EFF has some suggestions for self-defense, none of them very satisfactory. And here's a news story.

EDITED TO ADD (1/29): There's a lot in the comments leading me to question the accuracy of this test. I'll post more when I know more.

EDITED TO ADD (2/12): Comments from one of the project developers.

Posted on January 29, 2010 at 7:06 AM • 130 Comments

Comments

flasker • January 29, 2010 7:20 AM

@bruce "This seems odd to me, I have a brand new Sony laptop running System 7, and I haven't done anything with the fonts."
Same results here. I'm running XP and don't recall installing any fonts; I would assume my config is default. Maybe there is something tricky about the way installed fonts are reported.

Paul Renault • January 29, 2010 7:22 AM

"Your browser fingerprint appears to be unique among the 191,811 tested so far."

Hmm... So, you could have two or three switchable setups, so you could do all your banking and online transactions with one - thus establishing a baseline - and do all your nefarious plots with another, thus giving you an alibi...

That, and making sure you have an unencrypted WiFi connection to your ISP.

Lotsa plausible deniability.

Mat • January 29, 2010 7:30 AM

I noticed that my Adobe software installed some fonts. Probably Office 2007 and a handful of other programs as well.

david t-g • January 29, 2010 7:30 AM

mornin'!

with noscript disabling my javascript: 1 in 295
with javascript permitted: unique in 192343

i keep telling everyone that client-side scripting is evil for the client :-)


HAND

Sean • January 29, 2010 7:31 AM

Applications can install fonts without it being obvious - Office installs a raft, and a lot of machines will have Office installed, so will be different from bare machines.

José Pedro Magalhães • January 29, 2010 7:45 AM

I'm not entirely sure their analysis is correct. If I refresh the page it repeats the test and again tells me my browser is unique. Shouldn't there be at least one other in the database, namely my previous test?...

Jason! • January 29, 2010 7:45 AM

I ran it twice, and it told me I was unique both times. One of three things could be true.

1) The program isn't as good as the EFF says.

2) There's no option for "You're unique, same as the last time you were here."

4) Something changed about my browser in the interim.

3) FUD by the EFF.

I'm thinking if it's #4, then browser tracking isn't very useful. #2 seems likely, with #1 close behind. I doubt the EFF would engage in #3, but they do like to stir the pot.

RT • January 29, 2010 7:56 AM

And the site doesn't even work with my browser. Just hangs at "Please wait". I must be completely safe then!

Peter • January 29, 2010 7:58 AM

I tested this with my MSIE and it claims that I am the only one in 194132 tested browsers with this combination of addins: Java 1,6,0,5; QuickTime 7,5,0,0; Shockwave 11,0,0,429; Flash 10,0,42,34; WindowsMediaplayer 11,0,5721,5268; Silverlight 3,0,50106,0; Adobe Acrobat version 7.?

Which seems pretty unlikely to me...

Peter Maxwell • January 29, 2010 8:01 AM

Apparently my browser config is unique too, although I am running Opera on FreeBSD so wouldn't expect a high number of others to match. Didn't expect it to be unique though - perhaps the sample size of just under 200,000 isn't large enough.

The one that got me thinking was the timezone, if I were to implement my plan for world domination that will have to be sorted.

I wonder if it still works when the user agent strings are messed about with.

Odalchini • January 29, 2010 8:03 AM

No, this doesn’t work.  As others have pointed out, if you repeat the test it says you’re unique again and again, even though the information shown on the page, which it uses to determine uniqueness, is exactly the same each time.  A bug somewhere, methinks.

Has *anyone* tried this page and *not* had it say “Your browser fingerprint appears to be unique”?

SteveJ • January 29, 2010 8:04 AM

@Jason: did you have cookies enabled?

I think it's (2), because I was unique (with Java enabled, anyway), then I cleared cookies and went back, and suddenly I was 1 in 97k instead of unique from 193k.

Visiting again without clearing cookies, I stay at 1 in 97k.

So, treat any "very rare" results with caution - if you think you're 1 of 3 in 200k, it could be you're actually only 1 of 2, but the other one visited twice and cleared cookies in between.

Alan • January 29, 2010 8:08 AM

The User Agent result seems strange; I find it hard to believe that one in 194698 browsers have this value: "Mozilla/5.0 Netscape6 (Windows; U; Windows NT 5.1; en; rv:1.9.0.17) Gecko/2009122116 Firefox/3.0.17; AlanR".

Don • January 29, 2010 8:14 AM

Sure you have a unique signature, but how often is the signature changing? Does it change every 5 minutes of browsing? The big question is how long does the signature stay unique?

Odalchini • January 29, 2010 8:20 AM

Sorry, spoke too soon up there.  When I simply refreshed the page (in IE7), it kept saying “unique”, but when I closed and restarted the browser, it wasn’t unique any more.

By the way, Firefox apparently doesn’t reveal what fonts are installed:  in IE the page gives a long list of fonts, but in my FF it says “No Flash or Java fonts detected”.

Mark R • January 29, 2010 8:21 AM

The fact that the same people are repeatedly declared unique (without changing settings) sort of undermines the whole thing. Most likely the software is just not that good, having been written for demonstration purposes.

Then again, if the "proof-of-concept" can't recognize the same person when they come around for a second visit, that sort of dis-proves the concept, doesn't it?

Daniel Colascione • January 29, 2010 8:23 AM

I've been saying this for ages: cookies are a blessing in disguise. They can be inspected, controlled, and deleted by ordinary users by using tools built into a web browser. When a web application developer uses a cookie, he's using the technique that's easy for him and good for the user.

On the other hand, Flash cookies and these fingerprint-based tracking techniques are much more difficult to use, but are also practically impossible for users to detect and control. If paranoia over regular cookies pushes web developers to use fingerprint-based approaches, everyone loses. Users lose because they can't control their privacy as well. Society loses because of the cost of having to actually program this crud instead of using simple, reliable normal cookies.

vedaal • January 29, 2010 8:26 AM

"My list of system fonts is almost unique; only one other person has the exact configuration I do."

I thought mine would be unique, as I do font design as a hobby, and have a few in my system that I never publicized.

This was what Panopticlick said:
-----
System Fonts
1 in 13.48 browsers have this value,
No Flash or Java fonts detected
-----
But for browser plugin details, it gave
1 in 195008 have this value

(I use PDF-XChange Viewer
[which I highly recommend, btw, as it allows for markups directly on a pdf, and loads much faster] instead of Adobe Reader.
Please try it out and get my uniqueness down ;-) )

vedaal

nrq • January 29, 2010 8:35 AM

With javascript and cookies disabled I get the message "Within our dataset of several hundred thousand visitors, only one in X browsers have the same fingerprint as yours." with differing numbers each time I retake the test, reaching from 1 in 200 to 1 in 10000. Sounds fishy to me.

Rick • January 29, 2010 8:47 AM

@david t-g: indeed, I kind of thought that one of the main thrusts of computer security was to prevent random people from running arbitrary code on your machine...but that's exactly what happens when you visit websites with javascript enabled =)

I came away as unique too, but I think it's the languages in my HTTP_Accept header that did it. I doubt most people bother to configure it, let alone set it to a list of several locales with en.ca as the primary.

vedaal • January 29, 2010 8:50 AM

@vedaal

follow up,

Panopticlick said I was unique,
-----
Your browser fingerprint appears to be unique among the 195,008 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 17.57 bits of identifying information
-----

I find this a little hard to believe ;-((

here are the 17.57+ bits they listed for Browser Plug In details:

Java 1,6,0,3;
WindowsMediaplayer 11,0,5721,5268; VLC 1,0,3,0;
Adobe Acrobat version 7.?
(does it read the PDF-Xchange Viewer as some kind of rare Adobe version?)

apparently, no one else with that pdf reader also uses that VLC player version and that Java version

scary ...

Will • January 29, 2010 9:02 AM

The methodology and privacy policy answer most doubters in these comments above.

E.g. their privacy policy says they do keep a cookie for 3 months to determine if you revisit.

I was surprised that whilst 1% of visitors (that's nearly 2000 of us) have the latest ubuntu, my font list is only shared by one other.

HJohn • January 29, 2010 9:03 AM

@Paul: "But what about Google Chrome? I know there's been a lot of debate about the client ID."
____________

I just started using Google Chrome. I've been pleased with its speed thus far, it has been faster than both IE and Firefox.

I haven't had an issue with its privacy yet, but haven't used it long enough to make strong judgment. What I do know is this:
1. Browsing history is not sent to google by default.
2. Its anti-phishing mechanism downloads a list of poor sites to your computer, which is best... that way sites you visit aren't sent to Google. Many phishing sites are close spellings of legit sites, so even sites you go to by mistake could reveal some habits. So this part is good.
3. It has "incognito" mode which does not keep browsing habits.
4. You can delete your history at any time, and I have this set to "Everything."

My only complaint is that Chrome does not have a "delete history when I close" option, so I must either activate incognito or do so manually. (If you use CCleaner it options to delete Chrome, btw.)

spaceman spiff • January 29, 2010 9:06 AM

And you can't run gmail without javascript enabled. Gee, I wonder if Google has been using these sort of fingerprints to track our "habits" all along? :-(

GNU user • January 29, 2010 9:20 AM

Yup, I'm unique too. In fact, just my User Agent string is apparently unique:
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.7) Gecko/2009021906 Firefox/3.0.7

It could be. Most GNU/Linux users have probably upgraded to Firefox 3.6.

Brandioch Conner • January 29, 2010 9:22 AM

"Your browser fingerprint appears to be unique among the 199,738 tested so far."

Yeah, right.

MemVandal • January 29, 2010 9:23 AM

This is FUD and such *fingerprints* are not really *fingerprints*, it's just some more info than what User-Agent already gives. It would be quite impractical to use them to do something meaningful without some more identity techniques. And the other point is that your IP reveals quite more info than such fingerprints.

jgreco • January 29, 2010 9:24 AM

@spaceman spiff (I love Calvin and Hobbes btw :)

I believe gmail has a plain html version that it suggests that you use when it detects you using a browser that it doesn't like. I haven't used it in a while, but I don't _think_ that it requires javascript. Maybe they changed that though.

@ the EFF's suggestions

"Try to use a "non-rare" browser"

Welp, looks like I'm out of luck, I'm probably one of a handful of people in the world with my particular useragent with my browser at home. I suppose I can change that much relatively easily though.

Winter • January 29, 2010 9:28 AM

This is not really shocking.

When I want to remain "anonymous", I start up Dillo, which I have hard-wired to tor.

I must be pretty unique still, because the browser string cannot be altered in Dillo, and the blocking of *all* other categories in this set-up seems to be unique too.

Instead of having access to my IP number, time zone etc, I am now this fairly unique visitor who uses Dillo on Tor with everything closed down :-)

The solution seems to be to add random information for any of the checked items every time you send an HTTP request.

I expect a Firefox add-on soon.

Winter

Randy • January 29, 2010 9:43 AM

After I clicked on "Test Me" my browser (I'm not telling which one :-) crashed.

I'm more unique than all of you,
Randy

Gambler • January 29, 2010 9:43 AM

I think there is a time delay when refreshing the page will give you the same result. After that time it will report that only 1 other browser in approximately one hundred thousand has the same fingerprint.

"ZOMG, it reports different numbers!!!" It's because there are people using it all the time, which changes statistics. Also, there might be some approximation going on.

Also, it's _not_ necessary for the fingerprint to be 100% persistent. The server can do sticky sessions. It will assign you a unique ID, then track you based on cookies. As long as you have the same cookies, it doesn't matter how much your "fingerprint" changes. The only thing that matters in that case is whether your fingerprint changed _between two different sessions_.

Matthew • January 29, 2010 9:51 AM

"Your browser fingerprint appears to be unique among the 202,313 tested so far."

It was the font list that sets me apart. I guess I need to evangelize Inconsolata so I don't stand out so much.

Ian Lewis • January 29, 2010 10:06 AM

Says the UA for my Chrome build (latest, Windows) is 1 in 669.42. Apparently my plugins make me pretty unique, 1 in 101416.5--maybe because I have Google Voice?

Interesting note on selectivity bias: based on the "uniqueness" of my time zone, it appears that ~1 in 9 visitors to Panopticlick are from the West Coast of the USA. Wonder what the distribution is for other TZs...

-ac- • January 29, 2010 10:19 AM

Win 7
IE8=unique
FF 3.5.7=unique
FF 3.5.7 with no script=1 in 22,692
Somebody with TorButton post back.

MKR • January 29, 2010 10:43 AM

Keep in mind the sample size. 250k isn't a lot in a world with 1b people. You might be unique on one site, but that doesn't necessarily translate to tracking you across the web.

As their sample size grows, the number of uniques will shrink.

Rich Gibbs • January 29, 2010 11:06 AM

Just tried my laptop: Kubuntu Linux 8.04, Google Chrome 4.0.249.43.

It says both my plugin configuration and font collection are unique, in a sample of 208,662.

Tried again, with Firefox 3.6. Now I'm unique in 209.844. Most distinctive items are still plugins and fonts, but no single characteristic is unique.

Clive Robinson • January 29, 2010 11:18 AM

@ MemVandal,

"And the other point is that your IP reveals quite more info than such fingerprints."

Err that depends.

Mobile phone companies and some wireless broadband suppliers use NAT, that is they put anything up to 300 active devices on one IP address.

Which is why all SysAdmins (Hey Moderator, you too) should log the port numbers as well...

If you want to know more go to the lightbluetouchpaper site and read Richard Clayton's posts on the issue of NAT.

JRR • January 29, 2010 11:24 AM

If that page is telling me anything, it's that if I work hard to run a generic browser, I'm probably one of the very few on the planet doing so, which means my fingerprint is still pretty unique.

In a crowd of oddballs, the normal guy stands out as much as the next.

Even if there were a few thousand people running indistinguishable browsers, on any given site it's unlikely that there would be more than one or two, and if you pair it with IP address, still probably just as unique as joe blow running Konqueror on a FreeBSD box with cookies turned on.

JoeNotCharles • January 29, 2010 11:35 AM

Went to it twice with Chrome, got "unique" (1 in X) both times, then went to it again in an "incognito" window and got "1 in X/2". So clearly it's recording your id through another method (cookie, I assume) and not counting you as a new visitor if the cookie's present.

Carl "SAI" Mitchell • January 29, 2010 11:49 AM

My Firefox config, with javascript blocked: Within our dataset of several hundred thousand visitors, only one in 784 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 9.61 bits of identifying information.

With JS on: Your browser fingerprint appears to be unique among the 126,463 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 16.95 bits of identifying information.

Lynx: Within our dataset of several hundred thousand visitors, only one in 10,559 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 13.37 bits of identifying information.

Links2: unique, 16.95 bits (same as my other uniques. Interesting.)

Konqueror: Unique, same deal.

So, browse with a common browser with JS off.

Zachary Reiss-Davis • January 29, 2010 11:53 AM

There is a major problem with this study, which was partially addressed by other commentators, but not in full. Basically, we need to know how often your profile changes; if it's daily, this is a fun exercise but meaningless. Many (all?) of these variables aren't fixed:

* Screen size changes based on if you have an external monitor plugged in.
* User agent changes every time you either switch browsers OR you update to a new version OR have a bug fix pushed to you.
* Same with plugins; every time a patch comes out, every time you update anything, and so on.
* Time Zone changes if you VPN, if you travel, and so on.
* Fonts are tied to plugins, because they include non-native ones.

Harina PAN • January 29, 2010 11:58 AM

This is silly.

First, the "one in x browsers" fields show that a fairly specialized configuration I have tends to be much less "unique" than a very common one I also have. (Windows system with Linux in a VM and several different browsers to test under each)

Next, I can change this stuff as much as I desire in order to make my browser's "characteristics" change all the time.

And I also appear to be "unique" across several visits with the same browser configuration.

FOK • January 29, 2010 12:13 PM

@JoeNotCharles
Yes, they use cookies to tell whether you are a returning user. But they use a session cookie. So simply closing the browser and checking back will generate another instance and will tell you that there is already someone else with the same fingerprint.

It is interesting that for me browser plugin details or fonts installed are unique enough to distinguish me clearly. Not to mention accept headers.

I myself maintain a little bit of privacy by not disabling cookies. Instead I have installed the Cookie Safe plugin in Firefox, defaulting to session cookies. In this setup websites see me as accepting cookies, but when I close the browser all cookies are gone, and I am a new person.

Combining these attributes with an IP address, you are no longer one of the millions. Hey, did you know that some proxy servers report your internal IP?

Jon Maul • January 29, 2010 12:39 PM

I question the wisdom of hundreds of thousands of people submitting their (almost) unique browser fingerprint to a central database, regardless of the fact that it's the EFF.

Angus S-F • January 29, 2010 12:47 PM

If I enable Javascript, it doesn't matter what UserAgent I give Panopticlick, I'm unique. But if I disable Javascript (using NoClick) and monkey with my UA string, I can become quite anonymous.

Petréa Mitchell • January 29, 2010 12:49 PM

Yes, a cookie seems to be part of it. After flushing my session cookies, I came back and was slightly less unique.

Of course, with JavaScript turned off like I normally have, my profile is identical to that of one in every 306 browsers, or approximately 657 times more anonymous than I originally was. NoScript wins again!

privoxyuser • January 29, 2010 12:52 PM

With no JS, Privoxy and editing the user agent I've been able to get it to 1 in 306.

Michael • January 29, 2010 1:14 PM

No matter how often I try, I am always unique, which I already know ;)
Has anyone tried to simply diff the results?
I did, and the only differences were their numbers of uniqueness :D

Not really anonymous • January 29, 2010 1:17 PM

It seems a lot more people turn off useragent (at least in the self selecting group) than I thought. It was only 1 in 350 browsers.
Unfortunately there is broken software out there that thinks the useragent header is mandatory, so I have to use something at work and sourceforge. I have also found that some sites notice if you use the google bot useragent string and you don't appear to be google (presumably by IP address).

Peter A. • January 29, 2010 1:56 PM

This fonts thingy is a bit fishy - but my browser got singled out by the HTTP_ACCEPT header... because of my language preferences.

It seems it's not good to be a polyglot...

Peter Eckersley • January 29, 2010 3:14 PM

Hey, several things that people might want to note:

Q: Why does your browser remain unique, even if you reload the page?

A: As noted in the panopticlick privacy policy (https://panopticlick.eff.org/privacy.php), the site uses a 3-month persistent cookie to try to prevent double-counting of browsers.

Now, you may ask, what about people who block cookies? If you block cookies and hit reload, your browser will be multi-counted in the live data at panopticlick.eff.org, which means that the numbers will be overly optimistic about how non-rare your browser is.

We plan to do some analysis on the dataset to correct out these effects. One strategy would be to assume that the average number of reloads for a cookie-accepting user is the same as that for a cookie-blocking user. Another would be to use the encrypted IP addresses and fuzzy timestamps we have to try to recognise and discount cookieless reloads.

Once we've run these analyses, we'll publish public data on the overall uniqueness rates we've seen.

Q: How many people are unique?

A: About 85% and falling, as the dataset gets larger. But that's a rough estimate before doing the count corrections discussed in my previous answer.

Q: Why is there so much information in the font list?

A: Note that the font list includes not only a set of fonts, but an ordering of those fonts which is presumably related to the inode walk order as implicitly reported by Flash. In the browsers we tested before launch, this ordering appeared to be stable, so we thought it was acceptable to not sort the font list before using it. If it turns out that some browsers have non-stable font list orderings, we may have to renormalise our data, either for those browsers or all browsers, which would presumably decrease uniqueness levels substantially.

One corollary here is that Flash, Java and other plugins that report fontlists could decrease their fingerprintability by sorting the fontlist before returning it to client side scripts.

The constant ordering property didn't seem to hold for plugin lists -- the order of navigator.plugins seems to vary on a given browser, so we sort them before fingerprinting.

A final, overall point:

The quality of data that we get from this project is definitely decreased as a result of the fact that the design of the website encourages people to play with their browser configurations. A lot of people are doing things like turning off javascript, entering private browsing mode, or deleting cookies just to see what effects those actions have on uniqueness.

That's great from an educational point of view, but it's probably going to add a lot of noise to our data that we'll only be able to correct for partially. We'd have gotten better data by putting these tests in an invisible corner of a high-traffic website, but that simply isn't the EFF way when it comes to running an experiment like this: we wanted to make sure people knew they were participating, and let them know — even approximately — how rare/unique they were.

Jack S. • January 29, 2010 3:15 PM

"Your browser fingerprint appears to be unique among the 238,172 tested so far."

Um, I'm running a new version of Chrome (no changes) on a default version of Windows 7 (no changes).

This seems... odd. Like incorrect.

moo • January 29, 2010 4:05 PM

@Not really anonymous: A lot of paywall sites (or advertising-laden sites) let Google see their content but throw up ads or a paywall when a normal user goes there. If you claim to be Googlebot but they think that you aren't, they assume you are trying to circumvent their obnoxious ads and block you.

Frankly, I think Google should do automated spot-checks using a common useragent string, and remove sites that do this from their index. It diminishes the value of Google's indexing if users can click on the Google link but it doesn't take them to the page that Google told them it would. Most users will not spend 5 seconds to get past an ad-page, and most will definitely not bother to register or whatever. They just click 'Back' and go somewhere else.


About the uniqueness complaints in this thread: Is it really so hard to believe, that combining the precise version numbers of 5 or more different pieces of software (each of which is potentially patched dozens of times a year, changing the version number each time) can make you UNIQUE out of a pool of less than a million users? I did not find that surprising at all.

What was more surprising to me, was just how much information my BROWSER is leaking back to remote sites, about (1) the plugins I have installed, (2) the fonts I have installed, and (3) the .NET / other bogus system components that I have installed.

I'm surprised that the web has evolved into a situation where a remote site can discover all of this stuff. Maybe it's time for a "Secure Firefox" fork or something, which re-anonymizes you by making it report identical info about these things, for all of its users. (Then I guess the hard part is convincing a substantial number of people to use it..)

Jonathan Leffler • January 29, 2010 5:36 PM

When I first connected, after letting eff.org set a cookie, I came up at 1:775 leaking 9.6 bits, with no Javascript enabled. When I enabled Javascript, unique in 249,028, leaking 19 bits or so. That is with just one of the browsers on my machine, of course - Firefox 3.6. Going with Chrome, I show up immediately as unique in 249,260; I haven't restrained Chrome much. Similarly with Safari, 1:249,033. Both Chrome and Safari are leaking almost 18 bits. In practice, I use Firefox mostly - in part because I have it locked down. I don't go visiting many sites for the first time with Chrome or Safari.
(System fonts probably give me away; my o/s is MacOS X 10.6.2, but I installed some extra fonts.)

anna • January 29, 2010 6:40 PM

Interesting.

In Safari, with my plugins, addons and hacks, I get the "Your browser fingerprint appears to be unique among the 252,565 tested so far." blurb.
And it lists a lot of what it sees. It lists that I have flash - but it doesn't see that I've got flash cookies disabled (as in chmodded it to permit no read or write in the flash cookie folder).

In Firefox, I get "Within our dataset of several hundred thousand visitors, only one in 5,054 browsers have the same fingerprint as yours." on otherwise the same system. My Firefox is set to paranoid in all its settings, so I take it there are one in 5,054 as paranoid users when browsing in Firefox, and not that my Firefox would be that 'common'. Compared to the Safari combination, it is set to way rarer plugins etc. Just paranoid settings and no cookies.

bunny • January 29, 2010 6:41 PM

I first visited the site from my laptop at work. At that point my browser setup was reported to be unique, which given my setup (see below) could theoretically be possible.

A few hours later, at home, same laptop, I visited the site again. Now I'm "one in 126,476".

Seems to be working here.

Browser setup: Opera 10.10 on Mac OS X, plugins disabled, Java disabled, cookies disabled, 1280x800x32 resolution.

jacob • January 29, 2010 7:10 PM

This gives me an opportunity to ask a question.
Could an OS be used for a crypto attack? How many configurations could there be? The plaintext part of the equation. I think that there would be a limited number of choices, certainly less than a brute force attack on, say, a 128bit key.

In my mind that would enable an agency to break anything that is whole disk encryption. They would simply have an array with different installation configurations. The OS with patches. That would give you say 5gb per windows install. Then add the most common like flash installs, going down as far as you want based on probability. Ironically encryption software would be further down the list.
It would be in limited use in a true OTP. But anything that uses a key would be vulnerable. It seems logical to me but there are times when logic is a foreign language to me.

David • January 29, 2010 9:01 PM

Couple of comments - I ran it in IE 7 on my laptop internal monitor and Chrome on my external monitor. Both reported the correct (but different) screen resolution on each monitor. And were around 50 samples apart. Both were unique, but I'd expect that - the PC is about 3 years old and I've never re-installed Windows on it, so there's probably some pretty funky upgrade sequences on it.

The other comment is timezone. It reports I'm in -660 (I'll assume that's in minutes ahead of UTC as I'm in Eastern Australia) which makes me 1 in 82.02; on a population basis, that seems about right.

@shaw.ca • January 29, 2010 9:24 PM

Never mind cookies or browser uniqueness. My ISP (shaw.ca) issues the same numeric IP address and FQDN to my router for ever! Release/renew or power cycle won't change a thing. When I complain to them, they couldn't care less.

IraqiGeek • January 29, 2010 10:11 PM

They're just using a cookie like everybody else to identify recurring visitors.

If you're using firefox, go to options -> Privacy -> remove individual cookies. In the search box just type "pano" and you'll see the cookie there. Remove it, then refresh the page and you'll get a different number every time.

Blocking javascript (with noscript), about two thirds of the remaining "identifying info" seems to come from the user agent and accept headers. I don't believe for a second that my user agent string, "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTB6 (.NET CLR 3.5.30729)", is unique in 19930.92. That's just Windows 7, UK english, firefox 3.6, and standard .NET 3.5.

Another thing, if I don't have the cookie, "Are Cookies Enabled?" says no, but if I do, it says yes.

As a software developer, I'd be very interested in seeing the source code or at least an explanation of how they are reaching those numbers before I'd give them any credibility.

Andy • January 30, 2010 2:27 AM

As Zachary points out, to be useful for tracking the details have to be both unique AND non-changing. So perhaps a solution for avoiding being tracked is to continually change?

bunny • January 30, 2010 5:15 AM

@Iraqigeek

"I don't believe for a second that my user agent string, "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTB6 (.NET CLR 3.5.30729)", is unique in 19930.92."

That's Firefox 3.6 (US version), Windows 6.1, British locale and Google Toolbar 6 and .net. Seems like a fairly rare combination, so yes, 1 in 20000 seems likely to me.

Clive Robinson • January 30, 2010 5:55 AM

@ Andy,

"As Zachary points out to be useful for tracking the details have to be both unique AND non-changing."

Not wishing to be unkind but you are confusing what the experiment is for (see Peter Eckersley's post to the thread above) and what use it could be put to and the how of that.

Traffic analysis of your ordinary browsing habits (time of day from what IP address etc) can be used quite easily without this information to give a probable on your activities.

This is not a "fingerprint" to uniquely identify you so you can be searched for, but to confirm your footprint, thus it is more of an army "bootprint".

Thus it does not matter if things change but to what degree and over what time period.

Which brings me onto another issue.

I see no reason why an Open Source project need have these issues.

All of these identifiers could be made config file dependent and a user could have any number of different config files if they so wished, keyed to the use of IP addresses, domain names, which PK cert file they wish to use, etc. etc.

It would however require the co-operation of plugin writers to keep to the "pathway".

There are however a couple of flies in the ointment as it were,

1, Big Org proprietary code.
2, LEAs.

At the moment the "Big Org" software suppliers (MS, Adobe, et al) have no reason to change. In fact the exact opposite, unless market forces change against them over this issue.

Secondly most LEAs get their software from commercial organisations whose main interest is making money. Invariably this is by "time to market" and other "slipshod, half-a55ed" approaches.

If too many people started to hide behind a multi-changing "bootprint" by changing their "shoes" all the time then the LEAs would put pressure on the commercial organisations they get their software from to use less half-a55ed methods. Or worse, the LEAs could, as in other countries, press for various sorts of legislation to make the "bootprint" method no longer required, which is highly undesirable.

The ultimate form of such legislation would be that you have to use "WeSpyOnU" software that the Government writes (As China has done) that would most probably make the security on your computer many many times worse.

Clive RobinsonJanuary 30, 2010 7:36 AM

@ jacob,

"Could an OS be used for a crypto attack? How many configurations could there be? The plaintext part of the equation."

Oddly I've sort of answered this not so long ago on this blog (can't remember which threads though).

As regards,

"But anything that uses a key would be vulnerable."

Sort of, it depends on a number of things (it might be multiple keys, certain operating modes and a few others besides).

"It seems logical to me but there are times when logic is a foreign language to me."

No your logic is fairly ok on this one, there are however things and assumptions that change the base of the argument both for and against.

In essence you are talking about a "Known Plaintext" attack to recover a single key.

The answer usualy given is,

Modern encryption has too many key bits (ie large key space) to be brute-forced, thus it is a non issue...

What they don't say is that it is a gross generalisation based on many assumptions.

The base of the argument is that you would need to go through each and every key trying to find the right key and that this is time consuming to do.

Well yes and no, as with Rainbow Tables you can turn it into a dictionary attack.

That is you encrypt your known plaintext under every possible key once and store the results in a database (table) of some kind.

Thus do the time consuming task once and save it thus doing a quick and simple look up the next time etc (The so called British Museum attack).

Well the good news is the Universe does not have sufficient time to do it, nor sufficient atoms for storage, with 128-bit AES we think (and Bruce did say he was going to keep an eye on that dark matter stuff just in case ;)
The bad news is nobody would do it this way as it's a worst case bound on the problem (which is why it's used as a benchmark by which other methods are measured).

There are time / storage trade-offs that can be done for smaller key sizes and software can easily be rigged to only use a subset of the actual key space (and hardware as well can be rigged).

Worse, a lot of code limits the key size already just by people believing in the "magic pixie dust" of deterministic processes like MD5 hashes etc.

The real issue is the entropy source used to get the initial seed used to make the key.

Irrespective of what you do deterministically with it afterwards the starting entropy remains the same. Thus a 128-bit key only based on 32 bits of entropy is within a home constructor's budget today (hence Rainbow Tables).

There are however other trade-offs with "known plaintext" attacks. That is sometimes you can pick the "plaintext" you get encrypted; this is known as a "chosen plaintext" attack.

Usually systems are designed to prevent a chosen plaintext attack but an entire OS partition under a "codebook" or other weak mode is likely to offer much in the way of fruitful opportunities, if they have not been deliberately planted already (NSA conspiracy No 57 ;).

Perversely, strengthening against one chosen plaintext attack method appears to make other attacks easier. That is there may be an as yet unknown optimum cusp for a basic cipher such as AES.

The upshot is two different methods are likely to have a collision which gives a "birthday paradox" type advantage.

Which gives rise to a question you don't hear spoken very often. If two different (orthogonal) "chosen plaintext" attack methods can potentially have the effect of halving the number of bits (ie 128 down to 64) what would happen with 4 orthogonal methods, would it potentially halve it again to 32 bits?

The answer is we don't know for certain we just (hope/assume) not.

So the question then arises, are there any defences against "chosen plaintext" attacks with hard drive storage?

The answer is yes there are but...

And there are a lot of buts, most of which are to do with cipher modes not the ciphers themselves.

A simple solution for communications is cipher chaining or cipher feedback, that is you use the plaintext or ciphertext feedback or forwards to make the mode non codebook. However this generally only works for a sequential access system not a random access system, which a hard drive tends to be...

Worse, for speed some people build what is in effect a stream cipher as this allows precomputation of the running key in slack time thus giving speed enhancements. The problem with this is that most hard drives have multiple copies of the same file etc which makes key re-use with known plaintext virtually certain (think about issues with backup tapes etc).

The simple fact is that HD encryption is a very difficult subject with lots of gotchas for the unwary. Any one of which may obviate the assumptions that give rise to the believed security...

That said there are a lot of bright people looking at these things to get their doctoral and other wings.

And less and less choose the Faustian bargain (of "if you know what we know") to hop behind the hedge of Government work these days. And even the NSA has dropped hints we may be progressing faster in an open world than their closed world (then again who knows).

JohannesJanuary 30, 2010 11:28 AM

I believe you read that statistic wrong: 1 in 1.18 browsers has this value means it's actually rather common. It's the large values that should make your head scratch. For me, for example, it's the browser string. No one else in the world seems to run Opera 10.10 on a Mac.

The Phantom VariableJanuary 30, 2010 8:27 PM

JS on:

First time, "Only 1 in 381997 browsers have a UA string of OHGODMYEYES!!!". ^o^

Second time, with cookie, "1 in 382225". Third time, cookies cleared, "1 in 191173.5".

Oh, God! They're closing in!

elegieJanuary 31, 2010 1:35 AM

It appears that the more influential factors may be the user-agent value, the plugins list, and the system fonts list. Disabling plugins may reduce the data that is available for the plugins and fonts list.

toeprintJanuary 31, 2010 2:19 AM

Sure, probe my browser, probe anything you wish, all the while:

VPN + Tor + SSH + SSL + random web proxies +
customized (paranoid) local proxy settings +
SSH + SSL + more . . .

good luck with your "fingerprints!"

MatthewJanuary 31, 2010 6:00 AM

Safari, Firefox and Camino all gave a "unique" result from my laptop.

That's with a fairly vanilla Snow Leopard install - no additional fonts etc, etc.

I'd have thought the screen resolution would have been rarer than 1 in 16, though. Oh well. Live and learn.

Bob2uJanuary 31, 2010 10:19 AM

I forgot to add in my first post.

"Your browser fingerprint appears to be unique among the 422,883 tested so far"
--
Using K-Meleon 1.5.3 ,Win7 Ultimate

RogerJanuary 31, 2010 3:12 PM

Three observations:
1. Yes, it is setting a session cookie if you accept cookies. So your results will not register as a new hit until you clear your session cookies. (For those poor souls whose browsers do not give them fine-grained control over cookies, that means you need to restart your browser.) If you do this and revisit, your uniqueness immediately starts plunging (because the exact same browser config has visited several times.) Of course, this screws up EFF's data.

2. Javascript is the absolute killer. If you have it enabled, you are practically guaranteed to be unique even if you have a default Windows install straight out of the shop. The reason is that one of the results (system font list) actually leaks information about your low-level disk structure. Having Javascript disabled adds 2.5 bits of identification in itself (because most people don't do this), but unless you have it disabled, you are hosed.

3. I was shocked at how much information was leaked by a generic Firefox User Agent string. With Javascript off, cookies enabled (but set to clear every time I close the tab), and User Agent set to generic MSIE 7, I get 1 in 17,274. Change the User Agent back to my real Firefox one and I am 1 in 143,954 !!!
It seems that the 10 or 14 digit number after "Gecko" is the Build ID, and the Build ID is changed VERY frequently: as much as several times per day. It is useful to be able to find your Build ID easily (for debugging purposes) but there is no reason to include it in the User Agent string and advertise it to the world. We need to contact the Mozilla team and see if we can get this removed.

It's The HeadersJanuary 31, 2010 11:09 PM

@ Roger and everyone else:

First, Roger Para. #2 is absolutely right-on. Most don't disable JS, but doing so prevents all of their *other* tests, and so renders the font thing moot. So you gain much more privacy than you lose (not to mention safety).

Roger Para. #3, Useragent: I could be mistaken as well, but I believe Roger is mistaken. Useragent on latest stable Fx 3.6 includes:

rv:1.9.2) Gecko/20100115 Firefox/3.6

This indicates only the latest revision of the underlying Gecko engine, which may be days, weeks, or months apart. AFAIK, the numbers after Gecko are merely the release date of that version: 2010 - 01 - 15, or 15 January 2010. I don't believe these numbers change unless there is an update released, i.e., from 3.5.5 to 3.5.6 or to 3.6. Perhaps *internal* build numbers change nightly, but I didn't see that in the Pan test or in my useragent. I got 1 in 65 browsers for Fx 3.6 with default UA. This penetration should increase, as the release is less than two weeks old.

For kicks, I ran the test with Fx 2.0.0.20, IE 6, Fx 3.5.6, and Fx 3.6. The rarity of useragent dropped accordingly from the older browsers to the newer ones, as expected, but not by as much as I thought it would.

The *HTTP_Accept* is the killer. I cannot *believe* that only one in 90,000 browsers is running the latest stable release of Firefox with the *default* HTTP string. Surely their market penetration is better than 0.001%? ... FWIW, the second time I ran it, it dropped to 1/73,000; the third time, to 1 in 63,000. Still ridiculously high numbers for a *default*, fresh install of Fx 3.6.

It dropped another 10,000 the 4th = 1 in 54,000. Fifth try: The HTTP is now below 50,000, and the overall Browser is now 1 in 88,000. So let's all just install 3.5.6 and keep hitting the test over and over, until it thinks that default HTTP_Accept on Fx 3.5.6 is not rare.

Seriously, the methodology may be flawed, and seriously, if the Mozilla people could remove some of that from the HTTP_Accept without breaking things (you can always allow them per-site, as with NoScript), could they please do so?

It's The HeadersJanuary 31, 2010 11:30 PM

I'm a hero! :-)

I just kept clicking "page reload", about once a second (no JS or cookies, high-speed cable), and watched the numbers drop.

Presently, the F3.6 HTTP thing is 1 in less than 500. The HTTP entropy is only 8.96, and *total* entropy is 8.97. Clearly, they're not additive or multiplicative.

(@ Bruce: How *do* you combine two or more independent entropy numbers to determine total entropy?)

I'm going to give my clicking finger a rest now, but if it holds up, I'll have us Fx 3.6 users down to 1 in 100. That means that of a billion users, you could be any of 10 million. It'll take a while, as it's now dropping by less than 1 (1 in x, where x decrements less than 1 per reload).

What does *this* say about their methodology?

And what does it say about electronic voting? ;)

Thanks to Bruce for bringing this to our attention, and for giving me the opportunity to salt their test results. :-)

It's The HeadersFebruary 1, 2010 1:45 AM

TA-DA!

Here is the winning combo:
******************
Within our dataset of several hundred thousand visitors, one in 69 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 6.11 bits of identifying information.

User Agent 5.08 33.77
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

HTTP_ACCEPT Headers 6.11 69
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ISO-8859-1,utf-8;q=0.7,*;q=0.7 gzip,deflate en-us,en;q=0.7,vi;q=0.3
**************************
The rest should be the same as anyone else who has JS and cookies disabled.

(Note that the 6.11 bits from HTTP is the same as total bits.)

There did not seem to be a gain in switching from a US time zone to GMT, there being apparently as many users using that time zone as either live in, or use, GMT (though I use GMT/UTC for forum memberships).

Now I know how the chimp in the lab feels, clicking a lever to get either cocaine or a female chimp. Lacking both, I found that the next best thing was to put on some headphones and listen to your fave fast, bouncy song (not Brahms' Lullaby, lol). Put the mouse pointer on "reload page". Tap out the rhythm on the mouse key with both hands, varying which fingers to help avoid RSI. To further avoid RSI, alternate with hitting the F5 key, or whatever key reloads. At 72-80 beats a second, a three-minute song gives you at least 200 clicks, but I found that you can click multiple times per second (with each note, for example); the progress bar does not have to complete, nor does the page need to reload fully, for the hit to count. A dozen songs or replays should drop you from 100,000 into triple digits, at least.

I'd give the name of the song I used, but that's fingerprint info. ;-)

Unfortunately, this helps only XP SP2 users. Vista, Win 7, and Mac users, get clicking!

Eamon NerbonneFebruary 1, 2010 4:29 AM

The website uses a fairly-long-lived session cookie to detect revisits, which is why many people report being unique after revisiting.

If you disable cookies and reload continually (as some people apparently have done), you're definitely undermining the validity of the results; why would you do that?

Their methodology seems sound, although given the limitations I'm not sure how valuable the results are. (@It's The Headers: truly independent entropy values can simply be added. For fully dependent entropy values, you should take the maximum value. Panopticlick reports the maximum value, which is a very conservative estimate - clearly the varying factors aren't fully dependent).

Peter A.February 1, 2010 5:41 AM

@shaw.ca: some people would nearly kill for that feature you're complaining about :-)

Most ISPs here give dynamic IPs to their customers (if they happen to give public ones at all) and some even forcibly kill your session near midnight to force an address change. Some charge extra for a static IP and some do not offer it at all - or only in their "business" plans, for five times the price...

It only shows how inelastic big ISPs are. Once they figure out what's the "right" way to do things (or what they perceive is best for their business) they enforce it network-wide with no options to choose from for their customers. Not that the 99.9% of the populace would care.

RogerFebruary 1, 2010 5:43 AM

@It's The Headers:
> AFAIK, the numbers after Gecko are merely the release date of that version: 2010 - 01 - 15 , or 15 January 2010.

Yes, it's a timestamp for the build. But in most versions, it also includes the hour. In some versions, it also includes minutes and seconds (14 digits total.)

> I don't believe these numbers change unless there is an update released, i. e, from 3.5.5 to 3.5.6 or to 3.6. Perhaps *internal* build numbers change nightly, but I didn't see that in the Pan test or in my useragent.

So far as I can tell from the Mozilla forums, internal build numbers typically change three times per day, sometimes more. Of course most of these aren't released to the public. However,

> This indicates only the latest revision of the underlying Gecko engine, which may be days, weeks, or months apart.

I don't think that's right. A quick scan of logs suggest more than 200 different builds of 3.6 have been released to the public already.

HJohnFebruary 1, 2010 9:08 AM

Note to Chrome users:

Above I said that my beef with Chrome is that it doesn't have a delete history and cookies option on close. Well, I learned something over the weekend.

Go to the icon, put quotes around the file path, and add " --incognito" (no quotes). Your icon path will look like this (with quotes):

"C:\[path]\Chrome.exe" --incognito

It will start Chrome in "incognito" mode which does not retain your browsing history.

Stefan W.February 1, 2010 9:37 AM

Quite interesting.
After a fresh installation, I pick up plugins and fonts really fast, but I guess that stabilizes in a few days.

Later on, only the browser gets updated, so I'm identifiable among 467,290 users by now for about one month - then the browser gets updated. As I can see, last time at 2010-01-06.

Maybe I'm trackable though over the next updates. Of course I have a second computer, where I need to be identified by other measures.

And of course in some countries the collection of such data, without explicit user permission, is prohibited, Germany for instance.

It's The HeadersFebruary 1, 2010 3:37 PM

@ Roger:

"Yes, it's a timestamp for the build. But in most versions, it also includes the hour. In some versions, it also includes minutes and seconds (14 digits total.)"

I've never seen that in a UA; only the date stamp. Maybe just lucky.

> This indicates only the latest revision of the underlying Gecko engine, which may be days, weeks, or months apart.

"I don't think that's right. A quick scan of logs suggest more than 200 different builds of 3.6 have been released to the public already."

Yes, but the Gecko build numbers shown *in the UA* typically (in my experience) show only three digits (1.8.1, 1.9.2, etc.) and change only when a Fx version number update is released, which may be several days or weeks.

@ Eamon Nerbonne:

"truly independent entropy values can simply be added. For fully dependent entropy values, you should take the maximum value. Panopticlick reports the maximum value, which is a very conservative estimate - clearly the varying factors aren't fully dependent)."

Agree that if JS is disabled, *all* JS-dependent results will be the same. And the correlation between JS-disablers and cookie disablers probably approaches 1. However, at the start of the test, when I was 1 in 90,000, the total entropy was slightly greater than the HTTP+useragent+others. The useragent number lowered over time with repeated tests; late in the test, the total entropy was HTTP entropy + 0.1; at the end, the HTTP = total, undoubtedly from salting the database to override the few results from others with the same HTTP but different useragent. Thanks for clarifying.

"If you disable cookies and reload continually (as some people apparently have done), you're definitely undermining the validity of the results; why would you do that?"

To show how easily the results can be manipulated, and, therefore, the lack of validity of results? What if I'd never posted that I did that?

What was surprising was that they didn't even control for IP. Several hundred hits a minute from the same IP, and their algorithm doesn't flag that?

(Yes, it's easy enough to change IPs when you need to for privacy reasons, but not *that* quickly. :-)

@ Peter A.:
*************
"@shaw.ca: some people would nearly kill for that feature you're complaining about :-)" [dynamic, changing IP]

Most ISPs here give dynamic IPs to their customers (if they happen to give public ones at all) and some even forcibly kill your session near midnight to force an address change. Some charge extra for a static IP and some do not offer it at all - or only in their "business" plans, for five times the price...

It only shows how inelastic big ISPs are. Once they figure out what's the "right" way to do things (or what they perceive is best for their business) they enforce it network-wide with no options to choose from for their customers. Not that the 99.9% of the populace would care."
*********
When I switched from dial-up with truly random DHCP IP assignment from their pool at each dial-in, to cable, I specifically asked if IPs would similarly be assigned randomly, and was assured that they were. Shortly thereafter, the IP went static. They said that leaving the modem powered down for 12 hours should result in a new IP assignment. It was more like 36 hours. Now they tell me a week.

I'd "love" to have a changing IP, strictly for privacy. (I lead a very dull life and don't do anything nefarious, at least IP-related.) They say "most of our customers want static IP". BS. Most of their (home) customers think IP is what you do when the nurse hands you a little plastic cup. ;) Unless you are running a business website or other server, which 99% of average home users aren't, I see no advantage to an unchanging IP, and considerable loss of privacy.

There are ways to change it, but... why should I have to? They reneged on their promise. (They're the only cable game in town.)

Skeptical FanboyFebruary 1, 2010 3:40 PM

I ran it twice. Once with JavaScript blocked on the site, and once without the blocking (I used NoScript).

With JavaScript turned off, my browser had achieved a uniqueness level of 1:484. With JavaScript enabled, it was unique in over 490,000 tested configurations.

So the lesson learned here is to use NoScript.

Peter A.February 1, 2010 4:58 PM

@It's the headers at February 1, 2010 3:37 PM

Regarding static vs. dynamic IP assignment by an ISP: you want privacy, I want to run my petty server. But we both sit at the very far ends of the bell curve. So our complaints will get ignored :-(

Not that it's not possible to achieve what we both need, but it's a bit of a nuisance to have to fool the ISPs' dirty hacks they happen to play on their customers every now and then. Besides insisting on frequent IP change by resetting the session, my favourite was the "one computer per subscriber" policy enforced by setting TTL to 1... sheesh. One small ISP here even went so far as to lease a WiFi router to you "at no additional cost", but charge you extra if you want to connect your own. Idiots.

Peter EckersleyFebruary 1, 2010 7:50 PM

@Johannes: "No one else in the world seems to run Opera 10.10 on a Mac."

I just ran some queries to check this. As of a couple of days ago, we had counted 583 visitors using Opera 10.10 on the Mac. They are distributed across 17 different user agent strings, the most common of which (Intel hardware, English language settings) accounted for 358 of those visitors.

A few of the language/hardware combinations were in fact unique, and a few were close to unique.

DaveCFebruary 2, 2010 12:15 AM

It seems from comments here (haven't been to the EFF site) that the "bits of data" quoted is simply a log function (base 2?) of the uniqueness in their DB, which makes the semantics somewhat questionable, and arguably undermines the appearance of competence.

Their main point is salient though - there is a privacy risk here.

bakerFebruary 2, 2010 12:45 AM

"The privacy enhancing, anti-forensic LiveCD's listed below, must generate some rare, easy to follow fingerprints...? Privatix Live CD Incognito Live CD Phantomix Anonymous Linux Live CD"

Privacy *enhancing*, you say?

Insanity enhancing!

Who in their right mind would trust an iso prepared by anonymous individual[s] with BINARIES? Even if you ran wireshark 24/7 there could be a deeply embedded trojan set to activate on a specific day.

Peter EckersleyFebruary 2, 2010 4:10 PM

@DaveC: of course the number of bits of identifying information is the log base 2 of the probability that an entry in our database has the value in question (either the whole fingerprint, or a particular browser characteristic). We could have done some fancier calculations, like asking how much difference the addition of an extra variable like plugins makes to the self-information of a given browser fingerprint, which is a different measure to how much self-information the plugin information carries on its own. The main reason we didn't do that on panopticlick.eff.org was because we didn't want to run those extra, fairly expensive, queries against our live database server.

We'll do some fancier post-processing of the data to better break down correlations between the variables, reduce multi-counting of people who block or delete cookies, estimate how fast fingerprints change as a result of browser/plugin upgrades and font installs, and if the stats work out, to estimate global rates of uniqueness. But the more appropriate venue for that analysis is a paper, not a website that gives each user some instant, automated feedback.

@IraqiGeek you asked about source code -- I expect we'll publish the source for the site at the same time that we publish our data analysis.

Clive RobinsonFebruary 2, 2010 4:33 PM

@ Peter Eckersley,

"We'll do some fancier post-processing of the data to better break down correlations between the variables, reduce multi-counting of people who block or delete cookies..."

Thought for you.

Next time you run such an experiment, how about running it twice.

That is you have two DBs; the first time somebody runs their machine against it their record gets put in both DBs, the second and all subsequent tries into the second DB only.

The displayed results can be against both DBs.

You would have less data cleanup to do, and also you could draw other conclusions about the people who make subsequent visits, such as if they are legitimately trying to reduce their profile by changing their browser etc, or if they are just being silly and putting duplicate entries in the second DB.

One thing I am curious about is what are you going to do with data from people whose browsers failed to run the tests, or came from a block of IP addresses assigned to mobile phone / broadband companies who may put up to 300 individual "hosts" behind a single IP address (NAT on Overkill ;)

franklyFebruary 2, 2010 7:27 PM

Dear baker@12:45am,

I was not seeking to suggest the LiveCDs are recommended, just that maybe they generate such unique browser fingerprints that this will/does significantly negate any privacy-enhancing and anti-forensic claims.

Credibility over which LiveCDs to try out is often assumed from links such as:

http://www.torproject.org/faq.html.en#LiveCD

What I do find odd to understand is why no 'respectable' organisation has produced reliable, maintained LiveCDs of this kind.

Of course anyone can create a LiveCD from a good source like Ubuntu, but linux is just not user friendly when it comes to installing additional software.

One LiveCD that is not based on an anonymous basis is the one created by the IT-Political Association of Denmark:

http://polippix.org/

Of course many people do things on an anonymous basis, which in and of itself does not mean ill intent.

With a recent study suggesting only 1% of files shared via torrent are non-copyrighted, it shows many are willing to take risks with files from anonymous sources...
http://www.freedom-to-tinker.com/blog/felten/...

hotandcoldFebruary 2, 2010 9:14 PM

As panopticlick.eff.org says the tests draw partially from the work of:
http://browserspy.dk/

similar tests:

ShieldsUP
https://www.grc.com/x/ne.dll?bh0bkyd2

The Privacy.net Analyzer
http://analyze.privacy.net/

User Agent String.Com
http://www.useragentstring.com/

Provider of VPN services AnchorFree, also seems/ed to inject a unique data string into the user agent of each install of HotSpotShield, example:

"...hotspot shield appears to be appending a very odd piece of data to
your user-agent string - a very long string it calls afcid in the form
afcid=someverylongstringoflettersandnumbers"
http://www.slyck.com/forums/viewtopic.php?...

John doeFebruary 3, 2010 6:52 AM

I think the website tracks you with cookies.

If you clear all personal data before you refresh, you are no longer one in N but one in N+1/2.

MarcFebruary 3, 2010 8:59 AM

Bruce, I don't remember if you published this other story another day. There is a funny "visited sites" attack you can do from a web site, just by displaying links to common websites in a hidden frame. The browser gives information by displaying visited links differently from non-visited links; you just need to set up a css that "calls back home" and allows the website to know which site you actually already visited.

between that and your EFF report, everybody is traceable...

RobFebruary 4, 2010 8:00 AM

Ran the tool, almost all of the uniqueness is due to the plugins and system fonts. I don't have a particularly unique set of those, which makes me think that the order in which they are presented to the tool is being counted. Since other people (above) are reporting being "unique" twice, I suspect that there is not a standard order for reporting plugins and fonts - so it varies with each query. So if I have 20 fonts, with 20! permutations then they see ln20! bits of uniqueness rather than ln20 bits that is "really" there.

Peter EckersleyFebruary 4, 2010 1:20 PM

@Rob

As mentioned in the FAQ and my post above, we sort the plugin list but not the font list. I've just completed an analysis of the dataset to test whether unsorted font list ordering is actually stable in the real world.

The conclusion is that overwhelmingly, font list ordering is a stable fingerprint characteristic. There is a rare exception, which is that we've seen about 30 returning users who have a changed font ordering within a particular set of Lucida fonts. There is a related, larger, population of about 150-200 users who have reorderings and altered whitespace in the same Lucida fonts. All of these users are on Mac OS X, so it seems there's a particular Mac program which alters font orderings either in the normal course of operation or during upgrades.

Peter EckersleyFebruary 4, 2010 1:29 PM

@Rob

As mentioned in the FAQ and my post above, we sort the plugin list but not the font list [*]. I've just completed an analysis of the dataset to test whether unsorted font list ordering is actually stable in the real world.

The conclusion is that overwhelmingly, font list ordering is a stable fingerprint characteristic. There is a rare exception, which is that we've seen about 30 returning users who have a changed font ordering within a particular set of Lucida fonts. There is a related, larger, population of about 150-200 users who have reorderings and altered whitespace in the same Lucida fonts. All of these users are on Mac OS X, so it seems there's a particular Mac program which alters font orderings either in the normal course of operation or during upgrades.

This phenomenon will be subsumed in our general analysis of how fast fingerprints change over time for returning users.

[*] Actually for reasons of implementation pragmatism we sort the font list if it comes from Java, but not from Flash. The list comes from Flash if it's available. The implication is solely that we don't squeeze quite as much identifying information as possible from the (unusual) Java case.
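To make Rob's question and Peter's answer concrete, here is an added example (mine, not EFF's or Panopticlick's code). It hashes a constructed set of fingerprint components once with list-valued components sorted and once in "as reported" order, so the reshuffled Lucida fonts Peter describes can be seen to either keep or break the fingerprint. It also computes the "bits of identifying information" figures quoted elsewhere in this thread as -log2 of the fraction of browsers sharing a fingerprint, and the log2(n!) upper bound on what list ordering alone could add. The browser strings and font names are invented; the numbers 617,529 and 1,453 are taken from the thread.

```python
import hashlib
import math

# Constructed sample: the kind of components a Panopticlick-style page collects.
# The font list is deliberately left in "as reported" order.
BROWSER = {
    "user_agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2) Gecko/20100115 Firefox/3.6",
    "plugins": ["Shockwave Flash 10.0 r42", "QuickTime Plug-in 7.6.4", "Java Embedding Plugin 0.9.7.3"],
    "fonts": ["Arial", "Lucida Grande", "Lucida Sans", "Helvetica", "Times"],
}

# Same machine after something reshuffles the Lucida entries (the Mac OS X case
# described in the thread): identical set of fonts, different order.
REORDERED = dict(BROWSER, fonts=["Arial", "Lucida Sans", "Lucida Grande", "Helvetica", "Times"])


def fingerprint(components, sort_lists=True):
    """Hash a dict of fingerprint components into one identifier.

    List-valued components (plugins, fonts) are sorted when sort_lists is True,
    so only the set of items contributes. With sort_lists=False the browser's
    reporting order is hashed as well: more bits if that order is stable, a
    fingerprint that changes between visits if it is not.
    """
    parts = []
    for key in sorted(components):
        value = components[key]
        if isinstance(value, (list, tuple)):
            items = sorted(value) if sort_lists else list(value)
            value = "|".join(items)
        parts.append(f"{key}={value}")
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def surprisal_bits(total_browsers, matching_browsers):
    """Identifying information in a fingerprint, in bits: -log2 P(fingerprint),
    with P estimated as matching/total over the dataset. For a fingerprint seen
    exactly once this is only a lower bound, hence "at least N bits"."""
    if not 1 <= matching_browsers <= total_browsers:
        raise ValueError("matching count must lie between 1 and the total")
    return math.log2(total_browsers / matching_browsers)


def ordering_bits_upper_bound(n_items):
    """Most extra bits an unsorted list of n distinct items could carry from its
    ordering alone: log2(n!). Reached only if every permutation were equally
    likely, which real font lists are nowhere near."""
    return math.log2(math.factorial(n_items))


if __name__ == "__main__":
    print("sorted fonts, same hash:  ", fingerprint(BROWSER) == fingerprint(REORDERED))
    print("unsorted fonts, same hash:",
          fingerprint(BROWSER, sort_lists=False) == fingerprint(REORDERED, sort_lists=False))
    print(f"unique among 617,529:     {surprisal_bits(617529, 1):.2f} bits")
    print(f"one in 1,453:             {surprisal_bits(1453, 1):.2f} bits")
    print(f"20 fonts, ordering bound: {ordering_bits_upper_bound(20):.1f} bits")
```

Sorting is a trade-off, not a free fix: it discards whatever genuine ordering information a stable list carries, which is the reason given above for leaving the Flash font list unsorted.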

franklyFebruary 7, 2010 6:38 PM

When using wifi I still can't grasp how the MAC address of a router can be traced back to a physical address with geo location data, sometimes down to a specific street address. Coupled with the data a browser discloses and if the wifi link is open, the amount of identifying information is a lot more than the average user might realise.

Geolocation via mac address: http://twitter.com/samykamkar/status/7412868399

Brad TempletonFebruary 8, 2010 2:22 PM

Indeed, many of the factors that go into the fingerprint change from time to time. However, this does not make them useless for fingerprinting, because there are many things which change, and they change at different times.

One example is IP address. Even for those with dynamic IPs, on broadband, these IPs may still last weeks. So a site tracking browser fingerprints might notice, "Hmm, a hit from user at IP X, which has added a font since the last hit from IP X but is otherwise the same" and thus be confident it is the same browser.

To truly hide, you must have everything in your fingerprint change, including IP (which is not included in panopticlick) between visits, or you are still very probably trackable. If your fonts change but your plugins don't, if your user agent changes but your fonts don't....
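The linking rule Brad describes (same IP, one component changed, everything else identical, so treat it as the same browser) is easy to turn into code. The following is an added example, mine rather than Panopticlick's or any tracker's code; the IP addresses, component values and the "at most one changed component" threshold are constructed assumptions. List-valued components are compared as sets so that reporting order does not count as a change.

```python
COMPONENT_KEYS = ("user_agent", "http_accept", "plugins", "fonts", "screen", "timezone")


def _components(**overrides):
    """Constructed fingerprint components for a Windows 7 / Firefox 3.6 machine,
    with selected fields overridden to build variants."""
    base = {
        "user_agent": "Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100115 Firefox/3.6",
        "http_accept": "text/html,*/*;q=0.8 gzip,deflate en-us,en;q=0.5",
        "plugins": ["Shockwave Flash 10.0 r42", "Java(TM) Platform SE 6 U17"],
        "fonts": ["Arial", "Calibri", "Segoe UI", "Tahoma", "Verdana"],
        "screen": "1366x768x24",
        "timezone": "300",
    }
    base.update(overrides)
    return base


# What a tracking site could keep per visit: client IP plus components.
# Two different machines share one NAT address here (constructed data).
HISTORY = [
    {"id": "browser-1", "ip": "198.51.100.23", "components": _components()},
    {"id": "browser-2", "ip": "198.51.100.23", "components": _components(
        user_agent="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2) Gecko/20100115 Firefox/3.6",
        screen="1440x900x24", timezone="480")},
]

# Later visits to classify.
VISIT_ADDED_FONT = {"ip": "198.51.100.23", "components": _components(
    fonts=["Arial", "Calibri", "Consolas", "Segoe UI", "Tahoma", "Verdana"])}
VISIT_TWO_CHANGES = {"ip": "198.51.100.23", "components": _components(
    user_agent="Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20100316 Firefox/3.6.2",
    fonts=["Arial", "Calibri", "Consolas", "Segoe UI", "Tahoma", "Verdana"])}
VISIT_NEW_IP = {"ip": "203.0.113.7", "components": _components()}


def normalise(value):
    """Compare list-valued components as sets so reporting order is ignored."""
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(value))
    return value


def changed_components(old, new):
    """Names of the components whose values differ between two visits."""
    return [k for k in COMPONENT_KEYS if normalise(old.get(k)) != normalise(new.get(k))]


def link_visit(visit, history, max_changed=1):
    """Attribute a visit to a previously seen browser.

    A record qualifies when it shares the client IP and differs in at most
    max_changed components; among qualifying records the one with the fewest
    changes wins. Returns (browser_id, changed_components) or (None, None).
    """
    best_id, best_diff = None, None
    for record in history:
        if record["ip"] != visit["ip"]:
            continue
        diff = changed_components(record["components"], visit["components"])
        if len(diff) > max_changed:
            continue
        if best_diff is None or len(diff) < len(best_diff):
            best_id, best_diff = record["id"], diff
    return best_id, best_diff


if __name__ == "__main__":
    print("added a font:            ", link_visit(VISIT_ADDED_FONT, HISTORY))
    print("font + UA changed:       ", link_visit(VISIT_TWO_CHANGES, HISTORY))
    print("font + UA, looser rule:  ", link_visit(VISIT_TWO_CHANGES, HISTORY, max_changed=2))
    print("same browser, new IP:    ", link_visit(VISIT_NEW_IP, HISTORY))
```

The last case shows the limit of the rule: with the IP treated as a hard requirement, a visit from a new address is not linked even though every component matches. A tracker that relaxed that requirement would link it, which is the point of the comment: only changing everything at once defeats linkage.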

franklyFebruary 12, 2010 11:22 AM


"I expect a Fire Fox add-on soon"
http://www.schneier.com/blog/archives/2010/01/...

Well this might offer something in the interim:

Using a Second (or Third) Profile with Firefox Portable
http://portableapps.com/support/...

and the newer profile could be erased, amended and/or altered every now and then; coupled with other profile-changing add-ons, this may be of benefit.

With an unaltered 2nd Fire Fox profile I get the following fingerprint:

"Your browser fingerprint appears to be unique among the 617,529 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.24 bits of identifying information."

When I use my 'normal' Fire Fox browser, I get:

Within our dataset of several hundred thousand visitors, only one in 1,453 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 10.5 bits of identifying information.

http://panopticlick.eff.org

franklyFebruary 14, 2010 3:12 AM

Panopticlick results using a new LiveCD of Privatix, which is apparently "...designed for safe editing and carrying sensitive data, for encrypted communication, and anonymous web surfing (with Tor, Firefox and Torbutton)."?

Results:

"Your browser fingerprint appears to be unique among the 621,754 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.25 bits of identifying information.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.16) Gecko/2009121610 Iceweasel/3.0.6 (Debian-3.0.6-3) "

"Privatix Live-System is a free, portable, encrypted live CD which can be installed on an USB flash drive or an external hard drive. Based on Debian GNU/Linux, it is designed for safe editing and carrying sensitive data, for encrypted communication, and anonymous web surfing (with Tor, Firefox and Torbutton)."
http://distrowatch.com/table.php?...

Home page:
http://mandalka.name/privatix/

MeowzinskyFebruary 14, 2010 8:33 PM

Looking at the settings my konqueror browser gives to this site, even if I had disabled Java and such, I would be uniquely identifiable anywhere in the world.

Let's see what the culprit is.

User Agent: BLANK (hmm...so my browser and OS info aren't available to them. What's making me so unique. This is only one in 110.)

HTTP_ACCEPT Headers: "text/html, */* utf-8, utf-8;q=0.5, *;q=0.5 x-gzip, x-deflate, gzip, deflate en-US, de, cs, ja, en"

Okay, I guess I'm the only person in the group of 624,583 people who has a browser set up to read English, German, Czech, and Japanese. That sounds about right.

DaveFebruary 15, 2010 4:52 PM

With Javascript disabled (via NoScript) I'm pretty anonymous. OTOH with JS enabled my config is unique (I guess having a klinzhai font installed doesn't help there). As others have pointed out, NoScript is a powerful weapon.

franklyFebruary 16, 2010 5:00 AM

Firefox with Tor+NoScript:

"Within our dataset of several hundred thousand visitors, only one in 2,997 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 11.55 bits of identifying information."

Without Tor+NoScript: (earlier cookies removed)

"Within our dataset of several hundred thousand visitors, only one in 1,453 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 10.5 bits of identifying information."

Firefox without NoScript, without Tor:

"Your browser fingerprint appears to be unique among the 635,421 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 19.28 bits of identifying information."

Firefox, without NoScript and without Tor: (earlier cookies removed)

"Within our dataset of several hundred thousand visitors, only one in 317,721 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 18.28 bits of identifying information."

bugga divinoMarch 17, 2010 6:14 AM

Your browser fingerprint appears to be unique among the 600 tested so far.

Vista Ultimate default with zonealarm ultimate security.

Clive RobinsonMarch 27, 2010 3:57 AM

@ Rubble Barney,

"When mobile users surf the Web they also may be inadvertently disclosing their phone numbers, a security researcher said Thursday"

They are right but this has been known about for well over two years...

Basically the mobile's web browser includes either the phone number or one of the electronic identities of the phone.

It is why using a "web enabled" mobile phone as the "side channel" for user and transaction authentication is not the good idea it was 10 years ago. Because the chances are the phone user will use the same phone both for browsing to the "phishing site" and for getting the SMS etc authentication token...

And still the industry does nothing about it.

@ Bruce,

Oh, and something else about the IP address of mobile users, which web site owners SHOULD know and TAKE NOTE OF: it's "unreliable" as a method of tracing back; you need to record all the port numbers used in the logs as well as the time.

The reason for this is the phone companies have a very limited number of IP addresses, so they use "Super NAT" and overload a single IP address by as much as three hundred concurrent users...

It has also been said (but I've not seen evidence of it) that the "Super NAT" can also cause a mobile phone to have two or more different IP addresses if it is going to two or more sites at the same time (that is, the IP addresses are handed out on a transaction basis as part of a "round robin hunt group" as each IP address reaches capacity).

For obvious reasons this may well cause some interesting side effects for web pages that get a users browser to download page parts from different servers etc...

franklyMay 17, 2010 11:18 PM

Just published
----------------------

Web Browsers Leave 'Fingerprints' Behind as You Surf the Net
EFF Research Shows More Than 8 in 10 Browsers Have Unique, Trackable Signatures
http://www.eff.org/press/archives/2010/05/13

EFF's paper on Panopticlick will be formally presented at the Privacy Enhancing Technologies Symposium (PETS 2010) in Berlin in July.

For the full white paper: How Unique is Your Web Browser?:
https://panopticlick.eff.org/browser-uniqueness.pdf

For more details on Panopticlick:
http://www.eff.org/deeplinks/2010/05/...

For more on online behavioral tracking:
http://www.eff.org/issues/...

hugsyJuly 20, 2011 4:57 AM

Firefox + noscript + disabled cookies + disabled plugins + some tweaks in the about:config to hide the fonts and disable dom cookies and etc. =

Within our dataset of several million visitors, one in 58 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 5.87 bits of identifying information.

proof = http://i52.tinypic.com/if0vmc.jpg
