EFF demonstrates a browser's "finger print"

The Electronic Frontier Foundation (EFF) citizens' rights organisation has launched an online service that allows internet users to find out how unique their browser is. This is predominantly interesting for internet users who are worried about their privacy and identifiability on the net – apart from cookies, session ID or IP address, a browser's finger print can potentially identify its user with considerable accuracy.

The EFF's Panopticlick application collects anonymised data to help users establish how easy it is to identify them amongst all their fellow surfers. The service evaluates the HTTP request headers (browser ID and accepted MIME types) and uses JavaScript to collect information about the browser's installed plug-ins and fonts as well as screen size and time zone. Finally, it also considers standard cookies and "super cookies" (web storage, Flash cookies, IE userData) to determine a browser's ranking. So far, The EFF has collected about 200,000 reference records. There is an interesting side effect to the project: The data gives an indication, for instance, of how widely used certain screen resolutions or supercookies are.

It is not uncommon that the test conclusively identifies a browser – especially if a user surfs the net with a non-mainstream browser on a non-Windows system. However, users don't necessarily have to use Internet Explorer 7 on Windows XP and a medium-size monitor to avoid leaving conclusive finger prints.

The test obtains its operating system and browser version data from the browser ID, which can be individually modified in many browsers – in Firefox, for instance, via the UA Switcher tool. The most detailed information is extracted via JavaScript from the installed plug-ins and fonts. Therefore, disabling JavaScript considerably reduces the amount of detectable information. This can also be achieved on a site level via NoScript. With only these simple measures in place, a previously uniquely identifiable browser disappeared in a set of about 30,000 similar systems – although, without a proxy, these systems could still be distinguished via their IP addresses.

(crve)