Browser Fingerprinting Can ID You Without Cookies

The specific combination of mundane information such as your plugins and system fonts can be used to create a "fingerprint" for your browser that could potentially uniquely identify you.

To showcase that potential, the Electronic Frontier Foundation is running a creative experiment called Panopticlick. When you visit the site, it reads the technical data your browser provides to every site it visits, such as its program type and version, installed plugins, system fonts and whether it accepts cookies. By combining all that data, the site creates a fingerprint for your browser.

My own browser's fingerprint is unique so far out of 221,352 visitors, as is Bruce Schneier's. The major identifying factors look like my list of browser plugin details and my particular system fonts, which are both shared by only one out of every 110,676 browsers (which I believe means that only one other browser that visited the site shared my configuration).
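To make the arithmetic behind those figures concrete, here is an added illustration (not code from this article or from the EFF) of how attributes that are each shared by many browsers can combine into a unique fingerprint, with the identifying information expressed in bits. The eight-browser sample and its attribute values are constructed, and `surprisalBits`, `sharedBy` and `report` are hypothetical names chosen for this example.

```javascript
// Constructed sample (not Panopticlick data): attributes reported by eight browsers.
const visitors = [
  { userAgent: "A", plugins: "P1", fonts: "F1", cookies: true },
  { userAgent: "A", plugins: "P1", fonts: "F2", cookies: true },
  { userAgent: "A", plugins: "P2", fonts: "F1", cookies: true },
  { userAgent: "B", plugins: "P1", fonts: "F1", cookies: true },
  { userAgent: "B", plugins: "P2", fonts: "F2", cookies: false },
  { userAgent: "A", plugins: "P2", fonts: "F2", cookies: true },
  { userAgent: "B", plugins: "P2", fonts: "F1", cookies: true },
  { userAgent: "B", plugins: "P1", fonts: "F2", cookies: false },
];

// Identifying information, in bits, of a value shared by `count` of `total` browsers.
function surprisalBits(count, total) {
  return Math.log2(total / count);
}

// Number of browsers in `sample` that match `target` on every attribute in `keys`.
function sharedBy(sample, target, keys) {
  return sample.filter((v) => keys.every((k) => v[k] === target[k])).length;
}

// One row per attribute, then a final row for all attributes combined.
function report(sample, target) {
  const keys = Object.keys(target);
  const rows = keys.map((k) => {
    const n = sharedBy(sample, target, [k]);
    return { attribute: k, sharedBy: n, bits: surprisalBits(n, sample.length) };
  });
  const all = sharedBy(sample, target, keys);
  rows.push({ attribute: "combined", sharedBy: all, bits: surprisalBits(all, sample.length) });
  return rows;
}

// Each single attribute of the first browser is shared by half the sample or more,
// yet no other browser matches it on all four at once.
console.table(report(visitors, visitors[0]));

// The figure quoted above: a value shared by one in 110,676 browsers.
console.log(surprisalBits(1, 110676).toFixed(2), "bits");
```

In this sample the combined fingerprint is more identifying than any single attribute, which is why countermeasures aim to make a browser report the same values as as many other browsers as possible.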

These fingerprints might not remain especially uncommon as Panopticlick gathers more visitors. The EFF is encouraging visitors to test just that. Also, Web sites do make legitimate use of the data used for this fingerprint experiment. The site might check your provided plugin list to warn you if you lack a plugin necessary to view the site, for example, or code the page differently if you use a particular browser version.

But when you combine the potential for such tracking with the already-in-place use of things like super-sneaky Flash cookies, it doesn't bode well for the state of online privacy. The EFF suggests some fingerprinting countermeasures, but aside from a browser's private browsing mode, most would add some major inconvenience.
