Browsers' digital fingerprints can be used to track you online

An online privacy group has found that an overwhelming majority of web browsers have unique signatures - creating identifiable "fingerprints" that can be used to track you as you surf the internet.

The findings were the result of an experiment the Electronic Frontier Foundation (EFF) conducted with volunteers who visited http://panopticlick.eff.org/.

The website anonymously logged the configuration and version information from each participant's operating system, browser, and browser plug-ins - information that websites routinely access each time you visit.

It then compared that information to a database of configurations collected from almost a million other visitors.

EFF found that 84% of the configuration combinations were unique and identifiable, creating browser "fingerprints."

Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.

"We took measures to keep participants in our experiment anonymous, but most sites don't do that," EFF senior staff technologist Peter Eckersley said.

"In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities.

"This experiment is an important reality check, showing just how powerful these tracking mechanisms are."

One of the more concerning parts of the experiment is that those who visited the website were more likely to have some interest in internet privacy and to have taken some steps to preserve it.

"While our sample of browsers is quite biased, it is likely to be representative of the population of internet users who pay enough attention to privacy to be aware of the minimal steps, such as limiting cookies or perhaps using proxy servers for sensitive browsing, that are generally agreed to be necessary to avoid having most of one's browsing activities tracked and collated by various parties," the study's authors said.

EFF found that some browsers were less likely to contain unique configurations, including those that block JavaScript.

They also found that some browser plug-ins may be configurable to limit the information your browser shares with the websites you visit.

But overall, it was very difficult to reconfigure a browser to make it less identifiable.
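
An added illustration (not code from EFF or the Panopticlick site) of the comparison described above: it counts how many visits in a small constructed sample have a configuration no other visit shares, first without and then with the plug-in list. All browser, operating system and plug-in values are made up for the example.

```javascript
// Constructed sample of logged visits; every value below is made up for illustration.
// Visits with an empty plug-in list model a browser that does not expose one
// (an assumption of this example).
const visits = [
  { userAgent: "BrowserA/3.6", os: "Windows", plugins: ["Flash 10.0.45", "Java 1.6.18"] },
  { userAgent: "BrowserA/3.6", os: "Windows", plugins: ["Flash 10.0.45", "Java 1.6.17"] },
  { userAgent: "BrowserA/3.6", os: "Windows", plugins: [] },
  { userAgent: "BrowserA/3.6", os: "Windows", plugins: [] },
  { userAgent: "BrowserB/4.1", os: "Mac", plugins: ["Flash 10.0.42"] },
  { userAgent: "BrowserB/4.1", os: "Mac", plugins: ["Flash 10.0.45", "MediaPlayer 7.6"] },
  { userAgent: "BrowserC/8.0", os: "Windows", plugins: ["Java 1.6.18", "Flash 10.0.45"] },
  { userAgent: "BrowserD/10.5", os: "Linux", plugins: [] },
];

// Canonical fingerprint over the chosen attributes. Lists are sorted so that
// the order in which a browser reports its plug-ins does not change the result.
function fingerprint(visit, attrs) {
  return JSON.stringify(attrs.map((a) => {
    const v = visit[a];
    return [a, Array.isArray(v) ? [...v].sort() : v];
  }));
}

// Group visits by fingerprint: fingerprint -> number of visits sharing it.
function anonymitySets(sample, attrs) {
  const counts = new Map();
  for (const v of sample) {
    const fp = fingerprint(v, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return counts;
}

// Fraction of visits whose fingerprint is shared with nobody else in the sample.
function uniqueFraction(sample, attrs) {
  const counts = anonymitySets(sample, attrs);
  const alone = sample.filter((v) => counts.get(fingerprint(v, attrs)) === 1);
  return alone.length / sample.length;
}

const coarse = uniqueFraction(visits, ["userAgent", "os"]);
const withPlugins = uniqueFraction(visits, ["userAgent", "os", "plugins"]);
console.log(`user agent + OS: ${coarse * 100}% unique`);
console.log(`plus plug-in list: ${withPlugins * 100}% unique`);
```

In this sample the two BrowserA visits that expose no plug-in list stay indistinguishable from each other, while every visit that reports plug-ins becomes unique.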

The best solution for web users may be to insist that new privacy protections be built into the browsers themselves, Eckersley said.

"Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies and IP addresses when we discuss web privacy and user trackability.

"We hope that browser developers will work to reduce these privacy risks in future versions of their code."

EFF's paper on Panopticlick will be formally presented at the Privacy Enhancing Technologies Symposium (PETS 2010) in Berlin in July.
