Break browser finger-printing by making it more unique?

The EFF are worried about an alternative way of tracking your web activity without the need for cookies, and have set up a site (Panopticlick) that checks your browser for how trackable it is.

If you’re worried about the potential loss of privacy, they have a few suggestions for how to make your fingerprint less unique.

Having tried out the check myself, my configuration was recognisably unique out of nearly 200,000 checked so far. I have to admit it surprised me.

The suggestions from the EFF will help you blend in with the crowd and make you harder to track, but generally at the expense of turning off large chunks of functionality in your browser.

There are a couple of possible alternatives:

  1. Have some agreed ‘sets’ of plugins and fonts, something like “bare-bones”, “simple”, “moderate”, “everything”; or “basic user”, “user”, “web developer” – just some way to minimise the number of possible configurations.
  2. Add some entropy into the finger-print so it changes a little or a lot every few pages. Return slightly different versions of the browser, report a few extra plugins and fonts.

The first would be very hard to implement. How do you decide which plugins should be in the sets? How do you administer it? What happens when a new plugin is released? You’re going to get people wanting a plugin that’s not in any of the sets for whatever reason, not to mention that it will effectively kill a lot of development work if the developer doesn’t think the plugin will get into a set – maybe it is useful, but to too limited an audience.

For the second, if you want the remote site to display properly in your browser you can’t lie to it too much – a different browser (IE/Firefox) may get different CSS; if you don’t tell it you have the Flash plugin it’s not likely to serve you Flash until you ‘install’ it. You could however tell it you have plugins and fonts that you don’t really. Of course this could result in receiving the wrong CSS or bad data just the same as lying about not having a plugin. So you’d have to make sure the plugins you lie about aren’t depended on server-side (i.e. it should make no difference to what gets served). You could even generate semi-random plugin and font names. It’s feasible that a remote site could weed out all but a known list of plugins and fonts, but it would add overhead to the check and would rely on their data being valid and up to date. Also, if they track by your IP or some other means they could work out which were the ‘core’ plugins/fonts that were always on your list and ignore the rest – again, a big overhead and not 100% reliable, especially over time with a random IP every time you connect to your DSL.
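The trade-off in the paragraph above, as an added example that is not code from the original post: a simulated browser pads a constructed plugin list with semi-random decoys on each visit, and a tracker-side check either compares whole-list hashes or intersects the lists from visits it can already link by some other means. All function names, the plugin list and the use of FNV-1a as the fingerprint hash are assumptions made for illustration.

```javascript
// Added example: constructed data and hypothetical names throughout.
const CORE_PLUGINS = ["Flash 10.0", "Java 1.6", "QuickTime 7.6"]; // constructed "real" list

// Small seeded PRNG (mulberry32) so the simulation is reproducible.
function prng(seed) {
  let a = seed;
  return () => {
    let t = (a += 0x6d2b79f5);
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What the browser reports on one visit: real plugins plus semi-random decoys.
function reportedPlugins(rand, decoys = 3) {
  const list = [...CORE_PLUGINS];
  for (let i = 0; i < decoys; i++) {
    list.push("Plugin-" + Math.floor(rand() * 1e9).toString(36));
  }
  return list.sort();
}

// FNV-1a, standing in for whatever hash a tracker computes over the list.
function fingerprint(list) {
  let h = 0x811c9dc5;
  for (const ch of list.join("|")) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193);
  }
  return (h >>> 0).toString(16);
}

// Tracker-side filter: keep only the names present on every linked visit.
function stableCore(visits) {
  return visits.reduce((acc, v) => acc.filter((p) => v.includes(p)));
}

// Run several visits and report how each tracking approach fares.
function simulate(nVisits = 5, seed = 1) {
  const rand = prng(seed);
  const visits = Array.from({ length: nVisits }, () => reportedPlugins(rand));
  const distinctHashes = new Set(visits.map(fingerprint)).size;
  return { distinctHashes, core: stableCore(visits) };
}

console.log(simulate());
```

Whole-list hashing sees a different fingerprint on every visit, but once the visits are linked by another identifier the intersection recovers exactly the core list, so the decoys only help while no such identifier is available.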

I think the standardised sets idea would work but would stifle the internet.

The randomised finger-prints offer a far better chance of evading tracking; you could even do it through a browser plugin – which of course would never advertise itself.

Of course all of this could be a moot point if a major corporation were to get enough market share to force a standardised browsing experience on the world, but that has much bigger downsides than the original problem and I’m not even touching that topic.

Addendum: I’m touching that topic, briefly.

Regarding ‘standardised browser experience’, the recent release of the iPad is exactly what I’m talking about.

It’s the most closed system currently in existence, and as a result very unlikely to support a wide range of plugins in the browser, let alone random user-created ones that are updated regularly (the finger-prints include the version numbers, and many small version increments increase finger-print space and uniqueness).

1 Response to “Break browser finger-printing by making it more unique?”


  • I tried the site both with and without JavaScript enabled (via the Firefox NoScript plugin). Without it, I was 1 in ~8600; with JS enabled, I was unique in more than half a million. However, I also noticed that their site runs some pretty serious JS, even launching the JVM, which is far more than most sites ever do.

    All the more reason to use Firefox with NoScript.
