Browser fingerprints reveal web activity
Privacy-conscious surfers have a new foe to worry them – their browsers.
New research from the privacy campaign group Electronic Frontier Foundation (EFF) suggests that the vast majority of web browsers have unique signatures that act like fingerprints, revealing where surfers have been on the web.
The EFF findings were the result of an experiment that logged details of all visitors to a specially established website. The website recorded the configuration and version information of each user’s operating system, browser, and browser plug-ins. This information is stored in the browser’s User Agent, and websites routinely look it up each time you visit.
After comparing the information with a database of configurations collected from almost a million other visitors, the EFF claims that 84% of the configuration combinations created unique and identifiable fingerprints. Browsers with Adobe Flash or Java plug-ins installed were 94% unique and trackable.
“We took measures to keep participants in our experiment anonymous, but most sites don’t do that,” said EFF senior staff technologist Peter Eckersley. “In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities.
“Our experiment to date has shown that the browser User Agent string usually carries on average 10.5 bits of identifying information,” said Eckersley in his EFF blog. “That means that on average, only one person in about 1,500 will have the same User Agent as you.
“On its own, that isn’t enough to recreate cookies and track people perfectly, but in combination with another detail, like geolocation or having an uncommon browser plugin installed, the User Agent string becomes a real privacy problem.”
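The arithmetic behind the quoted figures, as an added example that is not part of the EFF's research code: an attribute value seen with probability p carries -log2(p) bits of identifying information, so 10.5 bits corresponds to roughly one browser in 2^10.5. The visitor sample and its labels below are constructed for illustration; they show how adding a second detail (here, a plug-in) to the User Agent raises the share of visitors with a unique fingerprint.

```python
import math
from collections import Counter

# Constructed sample, not EFF data: (user_agent, plugin) per visitor.
VISITORS = [
    ("UA-A", "flash"), ("UA-A", "flash"), ("UA-A", "java"), ("UA-A", "none"),
    ("UA-B", "flash"), ("UA-B", "java"), ("UA-C", "flash"), ("UA-D", "flash"),
]

def surprisal_bits(value, observations):
    """Bits of identifying information carried by one observed value."""
    counts = Counter(observations)
    return -math.log2(counts[value] / len(observations))

def mean_bits(observations):
    """Average surprisal over all visitors (Shannon entropy of the sample)."""
    n = len(observations)
    return -sum(c / n * math.log2(c / n) for c in Counter(observations).values())

def one_in(bits):
    """Size of the crowd a browser hides in, given its bits of information."""
    return 2 ** bits

def unique_fraction(observations):
    """Share of visitors whose value is seen exactly once in the sample."""
    counts = Counter(observations)
    return sum(1 for obs in observations if counts[obs] == 1) / len(observations)

def user_agents(visitors):
    """Project the sample down to the User Agent attribute alone."""
    return [ua for ua, _plugin in visitors]

if __name__ == "__main__":
    uas = user_agents(VISITORS)
    print(f"10.5 bits -> one in about {one_in(10.5):.0f} browsers")
    print(f"User Agent alone: {mean_bits(uas):.2f} bits on average, "
          f"{unique_fraction(uas):.0%} of visitors unique")
    print(f"User Agent + plug-in: {mean_bits(VISITORS):.2f} bits on average, "
          f"{unique_fraction(VISITORS):.0%} of visitors unique")
    # A visitor with the most common User Agent but an uncommon plug-in:
    print(f"'UA-A' alone: {surprisal_bits('UA-A', uas):.0f} bit; "
          f"with 'java': {surprisal_bits(('UA-A', 'java'), VISITORS):.0f} bits")
```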
According to the EFF, it is very difficult to reconfigure your browser to make it less identifiable. “Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies and IP addresses when we discuss web privacy and user trackability,” said Eckersley. “We hope that browser developers will work to reduce these privacy risks in future versions of their code.”
The EFF has published a whitepaper (pdf) including the technical details of the research and a look at which browser configurations are most easily identifiable.