May 18, 2010
Your Browser Is A Blabbermouth
Your browser knows who you are, and it seems to be quite the tattletale to anyone who cares to listen. The EFF has a project called Panopticlick. It's designed to measure the uniqueness of a browser's fingerprint. Browsers are configurable and customizable. They interact with certain characteristics of the host computer, such as screen resolution, fonts, operating system, and others. All of this information becomes available to someone at the other end of an HTTP request. For those paranoid enough to think that turning off cookies and deleting history will preserve privacy, well, keep drinking that Kool-Aid because it's not true. The detail of configuration is so extensive that it is possible for someone collecting the information to match information from deleted cookies to replacements for those deleted cookies. In essence, even changing the fingerprint doesn't confuse the tracking because of certain consistencies in other parts of the fingerprint.
These conclusions were generated from a sample at EFF's Panopticlick web site. The study that details the results is here. Visitors to Panopticlick have the opportunity to test their browser, see their browser and machine profile, and get a score. I tested the browser I used to research this post and it turns out that out of 920,400 visitors tested so far, my browser fingerprint appears to be unique out of all of them. I see my user agent, HTTP_ACCEPT Headers, Browser Plugin Details (waaay too numerous to list and what appears to be the major part of the fingerprint), Time Zone, Screen Size and Color Depth, System Fonts, whether cookies are available, and results from a limited supercookie test. The lists are staggering. The implications even more so.
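To make the "score" concrete, here is an added example (not code from this post or from the EFF) that measures how identifying each attribute is, in bits, and how many visitors share a given profile. The population is a small constructed sample, and the attribute names and values are illustrative assumptions.

```javascript
// Constructed sample population (NOT real Panopticlick data), one record per visitor.
// Attribute names and values are illustrative assumptions.
const population = [
  { userAgent: "UA-A", timezone: -300, screen: "1280x800x24", plugins: "flash,java,pdf", cookies: true },
  { userAgent: "UA-A", timezone: -300, screen: "1280x800x24", plugins: "flash,pdf", cookies: true },
  { userAgent: "UA-A", timezone: -300, screen: "1024x768x24", plugins: "flash,pdf", cookies: true },
  { userAgent: "UA-B", timezone: -300, screen: "1280x800x24", plugins: "flash,pdf", cookies: true },
  { userAgent: "UA-B", timezone: 0, screen: "1024x768x24", plugins: "flash", cookies: false },
  { userAgent: "UA-A", timezone: 0, screen: "1280x800x24", plugins: "flash,pdf", cookies: true },
  { userAgent: "UA-B", timezone: -300, screen: "1024x768x24", plugins: "flash,pdf", cookies: true },
  { userAgent: "UA-A", timezone: 60, screen: "1280x800x24", plugins: "flash", cookies: true },
];

// Self-information of one attribute value: log2(N / number of visitors sharing it).
// A value nobody else has seen before is maximally identifying (Infinity).
function surprisalBits(pop, key, value) {
  const sharing = pop.filter((v) => v[key] === value).length;
  return sharing === 0 ? Infinity : Math.log2(pop.length / sharing);
}

// Number of visitors indistinguishable from `visitor` on the given attributes.
function anonymitySet(pop, visitor, keys) {
  return pop.filter((v) => keys.every((k) => v[k] === visitor[k])).length;
}

// Per-attribute report, most identifying attribute first.
function report(pop, visitor) {
  return Object.keys(visitor)
    .map((key) => ({ key, bits: surprisalBits(pop, key, visitor[key]) }))
    .sort((a, b) => b.bits - a.bits);
}

const me = population[0];
const allKeys = Object.keys(me);
const withoutCookies = allKeys.filter((k) => k !== "cookies");
const withoutPlugins = allKeys.filter((k) => k !== "plugins");

for (const { key, bits } of report(population, me)) {
  console.log(`${key.padEnd(10)} ${bits.toFixed(2)} bits`);
}
console.log("anonymity set, all attributes:  ", anonymitySet(population, me, allKeys));
console.log("anonymity set, ignoring cookies:", anonymitySet(population, me, withoutCookies));
console.log("anonymity set, ignoring plugins:", anonymitySet(population, me, withoutPlugins));
```

In this constructed sample the cookie setting contributes almost nothing, so dropping it leaves the profile unique, while the plugin list alone accounts for most of the identifying bits.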
I'm not aware of companies that use this information, though I have to believe there are a lot of them. How are the many reports of browser market share or lists of unique visitors for the largest sites on the web compiled? Does Google use these metrics? I would guess that they do, along with Microsoft, Yahoo, AOL, and any large site trying to monetize its visitor population. Keep in mind that with this kind of information and the information we willingly supply sites when we buy something or pay a bill (with our browser), we are clearly identifiable as we move on to other sites where we think we are private.
Will politicians track their web site visitors and construct messages that cater to their supporters? And what about the government? Does the NSA track alleged terrorists with any of these methods? Somehow I can't picture Jack Bauer with a laptop. I can, however, picture Vice Admiral John Poindexter peering at a screen while rubbing his hands with glee. Total information awareness anyone? And while we're on the subject of governments, I can see repressive governments following dissidents on the web with methods built on this tracking information. Maybe Facebook is right, that we all should just live transparent lives if we plan to live on the web. It's not as if the choice will be completely in our control. [MG]