Wow! I am quite surprised. I use a Macbook running Snow Leopard, fully up-to-date software, with Safari. I don't (yet) have any after market fonts installed. And yet "Your browser fingerprint appears to be unique among the 47,390 tested so far." That is creepy.
Who is using this type of profiling as an alternative to cookies and other techniques? I would love to see some examples.
Apparently I have a unique browser fingerprint as well. With so many different plugin and font combinations, I think that there are bound to be quite a few uniques.
Mine is unique too. Only 7 other people at the time of my test had the same plugin profile, and nobody had the same exact fonts (only thing I've knowingly added are MS fonts and ProggyCleanTTSZ).
If you keep refreshing, you can watch the numbers change. (If not, try disallowing cookies first; then Javascript second.) This leads me to think that, since the numbers are shrinking slowly (12.5 bits... 12.1 bits... 11.8 bits...), it means that: of the full collection of data that your browser is sending, only __ bits actually makes you unique. Meaning to say, some of the data is common to others, so isn't useful for distinguishing you from them.
I, too, am a unique snowflake. Unique among 52,301.
But here's a surprise. My UserAgent string is for the version of Firefox distributed three weeks ago as a security patch to Ubuntu Linux 9.10. One in 45.01 browsers has that exact rev. of Firefox.
So over 2% of EFF visitors are running this exact version of Firefox and Ubuntu Linux? That's much more popular than expected.
Impressive idea for fingerprinting a user, especially along the font/plugin vector.
Looking at just Java plugins, and the number of releases, you could also in theory age a browser, on how long it's been operational on how far back in versions of a plugin the browser maintains.
Fascinating. It's hard to believe that my Safari setup has a lot of entropy in the plugins, since I don't have anything special installed there, just Click2Flash and Silverlight. My system fonts, though, are more unique. Not many people have Macs with Consolas installed on them.
This can't be right. According to that site, my HTTP_ACCEPT header of "text/html, / UTF-8,* gzip,deflate en-au,en-us;q=0.7,en;q=0.3" is unique. Uh .. is it? Looks fairly standard to me?
System fonts are a very telling fingerprint, though. I tried the test on two browsers; the first time it said I was one in ~60k, the second time was one in ~30k. So it is working.
Yeah, but I haven't changed them? Maybe FF is doing something weird since it's the US english firefox running on an Australian English user account but I wouldn't have thought I'm the only person in the world doing that. I suppose it's possible I'm the first to visit that page, though. 60k people isn't much really.
So, it looks like you can get fairly close to unique identification (at least so far), by paying attention to system fonts. I actually find it a bit hard to believe that I'm the only one out of 59,132 with this set of system fonts.
I was puzzled by that too, but when I deleted the cookie from panopticlick.eff.org it no longer claimed I was unique among 60-some thousand, but among half that number.
After some thought, this sort of seems like it's missing the point.
What I'm curious about is what the current state of cookie and user click stream sharing among analytics/advertising companies is. What proportion of my browsing history is known to any given company, and what proportion given collusion? Are there any studies on this?
Those fingerprints are mostly based on information that your browser gives out voluntarily for no good reason (the server doesn't need to know your fonts, screen resolution, plugins or user-agent).
Thus an easy workaround would be to use a plugin that randomizes all this, which turns your one unique identity into many unique identities.
user-agent is most definitely needed. My server gives different content depending on which kind of client accesses the page and I certainly don't want to do that in javascript.
38 comments
[ 4.2 ms ] story [ 55.1 ms ] threadWho is using this type of profiling as an alternative to cookies and other techniques? I would love to see some examples.
Kind of terrifying, really.
Creepy that sites can query this info so easily, though I suppose I shouldn't be surprised.
"Your browser fingerprint appears to be unique among the 48,820 tested so far."
"Currently, we estimate that your browser has a fingerprint that conveys at least 15.58 bits of identifying information."
Some formulae and explanation over here: https://www.eff.org/deeplinks/2010/01/primer-information-the...
But here's a surprise. My UserAgent string is for the version of Firefox distributed three weeks ago as a security patch to Ubuntu Linux 9.10. One in 45.01 browsers has that exact rev. of Firefox.
So over 2% of EFF visitors are running this exact version of Firefox and Ubuntu Linux? That's much more popular than expected.
Looking at just Java plugins, and the number of releases, you could also in theory age a browser, on how long it's been operational on how far back in versions of a plugin the browser maintains.
I do. Best programming font ever.
It's probably Flash that ruins it for people. Allowing a per-machine cookie and identifying itself as such.
System fonts are a very telling fingerprint, though. I tried the test on two browsers; the first time it said I was one in ~60k, the second time was one in ~30k. So it is working.
Seriously, this is brilliant. Even with cookies off, it'll work. NoScript should still block it though.
What I'm curious about is what the current state of cookie and user click stream sharing among analytics/advertising companies is. What proportion of my browsing history is known to any given company, and what proportion given collusion? Are there any studies on this?
Your browser fingerprint appears to be unique among the 71,124 tested so far.
Enabled Private Browsing:
Within our dataset of about ten thousand visitors, only one in 36,313 browsers have the same fingerprint as yours.
A few minutes later public browsing:
Within our dataset of about ten thousand visitors, only one in 18,187 browsers have the same fingerprint as yours.
How did they go from 70k to 10k? WTF EFF?
[Edit] Now that I tested again with two of the browsers I am using, both browsers were labelled as unique :S
Browsers are Epiphany with Webkit-backend and Firefox, both on 64-bit Gentoo Linux.
Thus an easy workaround would be to use a plugin that randomizes all this, which turns your one unique identity into many unique identities.
Browser sniffing simply doesn't work and only brings you pain. Enough so that jquery abandoned the practice a year ago; http://docs.jquery.com/Release:jQuery_1.3