Cookies are an essential part of the way the web works and occupy a pivotal position in the online privacy arms race. Organisations who want to track and profile people give them cookies and users who don’t want to be tracked disable or delete them.
But what if there was a cookie you couldn’t delete, and what if the steps you took to guard your privacy made you easier to track?
That is the spectre raised by a report, authored by the Electronic Frontier Foundation (EFF), entitled How Unique is Your Web Browser?
The report uses data gathered by a tool called Panopticlick that determines how easy you are to identify based on your web browser’s ‘fingerprint’.
Uniqueness is important because organisations can only track people when they can tell one user from another.
The most common form of tracking involves giving users cookies with unique IDs. Each time a user visits a page that has code from the cookie’s original domain their web browser returns the cookie, and its unique ID, with the request.
This simple mechanism allows organisations to track users for weeks or months, from one page of a website to the next or even across multiple websites if those sites share code.
However, for people wanting to track you online, cookies have three major weaknesses: you can see them, you can see who gave them to you and you can delete them. If you delete a website’s cookies then the unique ID it gave you has gone and you’ll appear to it as a new and unknown user without a tracking history.
The holy grail for people who want to track you against your wishes is to find a unique ID you don’t know you have or that you can’t interfere with.
The EFF set out to discover if browser fingerprinting could provide just such an ID.
Browser fingerprinting looks at the combination of information your browser voluntarily hands over about itself when it opens a web page.
Although the web has hundreds of millions of users, most of them are using the latest versions of about five different browsers. With so little variation you might assume your browser is easily lost in the herd.
You couldn’t be more wrong.
According to the EFF’s research, your browser fingerprint is likely to be very distinct indeed:
In this sample of privacy-conscious users, 83.6% of the browsers seen had an instantaneously unique fingerprint...
...if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse ... 94.2% of browsers with Flash or Java were unique in our sample.
I tested two of my own devices using the EFF’s Panopticlick tool. My tablet shared a fingerprint with one in every 875,000 visitors and my laptop’s browser was completely unique amongst 4.4 million browsers.
The sample size for the research paper was 470,161 users. To make matters worse the EFF acknowledges that its sample is likely to be biased in favour of people who are already privacy conscious.
While our sample of browsers is quite biased, it is likely to be representative of the population of internet users who pay enough attention to privacy to be aware of the minimal steps ... generally agreed to be necessary to avoid having most of one's browsing activities tracked...
Panopticlick creates its fingerprint from just eight pieces of information that are freely shared by web browsers, such as your timezone, screen resolution, plugin choices and fonts.
The research shows that browser fingerprints are probably unique enough to be used to ‘regenerate’ deleted cookies or even to replace tracking cookies entirely.
Although the EFF didn’t investigate if anyone is actually using browser fingerprinting in practice, they do note in the report that “…there are several companies that sell products which purport to fingerprint”.
Similar techniques, such as using ETags to regenerate cookies, certainly have been used in the wild.
Fingerprinting also raises an interesting dilemma for users who are particularly privacy conscious – browser customisations designed to make you harder to track might actually make you easier to fingerprint.
The paradox, essentially, is that many kinds of measures to make a device harder to fingerprint are themselves distinctive unless a lot of other people also take them.
So what’s a privacy conscious user to do?
Well, the first thing to remember is that whatever advanced techniques may or may not be in use, cookie tracking is still the one you’re most likely to encounter so don’t ditch cookie-munching plugins like Ghostery just yet.
It also identifies the Tor project as “noteworthy for already considering and designing against fingerprintability.”
Perhaps most usefully though, you can test and re-test the fingerprint of whatever strategy you use to stay anonymous online.