Posted by: Ken Harthun
Electronic Frontier Foundation, Identity Exposure Index, Identity Theft, Privacy
Privacy has been dead for a long time thanks to the Information Age. More personally identifiable information than ever before is now accessible online through free and paid searches. The simple fact that most people post their intimate personal details on Facebook, MySpace, Twitter, and other social networks contributes to the overall erosion of privacy. But personally identifiable information is only one aspect of the problem; perhaps an even bigger privacy threat is the leakage of machine-specific fingerprints that are used to track your online habits.
I went to their research site and found that my browser was uniquely identifiable among more than 1.1 million others: “Your browser fingerprint appears to be unique among the 1,161,450 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 20.15 bits of identifying information.” What this means is that using the information listed below, my browsing habits can be tracked using only information gleaned from my browser’s interaction with web servers.
Steve Gibson of GRC.com covered this research in minute detail in Security Now! Podcast Episode #264 last week and I highly suggest you listen to it. But, until you get a chance to do so, here is all the information you need to uniquely identify any machine on the Internet with amazing accuracy:
- User agent
- HTTP_ACCEPT headers
- Browser plug-in details
- Time Zone
- Screen size and color depth
- System fonts
- Whether or not cookies are enabled
- Supercookie (Flash cookies) test
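The "bits of identifying information" figure is the self-information of a value, -log2(count / total), and the 20.15 bits quoted above is what a fingerprint unique among 1,161,450 browsers works out to. The following is an added example, not code from the original post or from the research site; the attribute names and the eight-visitor population are constructed for illustration.

```python
import math
from collections import Counter

# Attribute names are illustrative labels for items in the list above.
ATTRS = ("user_agent", "timezone", "screen", "fonts", "cookies")

# Constructed sample population of 8 visitors (not real measurements).
_ROWS = [
    ("UA-A", "-300", "1920x1080x24", "fontset-1", True),
    ("UA-A", "-300", "1920x1080x24", "fontset-2", True),
    ("UA-A", "-300", "1920x1080x24", "fontset-2", True),
    ("UA-A", "0", "1366x768x24", "fontset-2", True),
    ("UA-B", "0", "1366x768x24", "fontset-2", True),
    ("UA-B", "-300", "1366x768x24", "fontset-3", True),
    ("UA-C", "0", "1920x1080x24", "fontset-3", False),
    ("UA-D", "0", "1366x768x24", "fontset-2", True),
]
SAMPLE = [dict(zip(ATTRS, row)) for row in _ROWS]


def surprisal_bits(count, total):
    """Bits of identifying information in a value shared by count of total."""
    return -math.log2(count / total)


def attribute_report(population, visitor):
    """Bits each attribute of `visitor` conveys when considered alone.

    `visitor` is assumed to be a member of `population`.
    """
    report = {}
    for attr in ATTRS:
        counts = Counter(rec[attr] for rec in population)
        report[attr] = surprisal_bits(counts[visitor[attr]], len(population))
    return report


def fingerprint_bits(population, visitor):
    """Bits conveyed by all attributes combined, plus the anonymity-set size."""
    key = lambda rec: tuple(rec[a] for a in ATTRS)
    same = Counter(key(rec) for rec in population)[key(visitor)]
    return surprisal_bits(same, len(population)), same


if __name__ == "__main__":
    for name, bits in attribute_report(SAMPLE, SAMPLE[0]).items():
        print(f"{name:10s} {bits:5.2f} bits")
    print("combined:", fingerprint_bits(SAMPLE, SAMPLE[0]))
    # A fingerprint unique among the 1,161,450 browsers quoted in the post:
    print(f"{surprisal_bits(1, 1161450):.2f} bits")
```

In this sample the first visitor's rare font set alone carries 3 bits, which is enough to make the browser unique among eight, while the second visitor shares a fingerprint with one other browser and so has an anonymity set of two.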
Commercial services are already using this information to track your online habits, no matter how you try to block them, by fingerprinting your system, and they are building huge databases. While none of this information is tied to your personal identity, the profiles are nevertheless useful to advertisers, who will use them to more accurately target web surfers with relevant marketing messages.
In the next post, I’ll detail what you can do about this (not much, unfortunately) and why, for now, you probably shouldn’t be too concerned.