No cookies or JavaScript? No worries. You can be tracked anyway.
I’m not quite sure how to feel about this one. The web developer in me is saying “Whoa! That’s so cool!” while the web surfer in me is saying “Ew.. I’m leaking data everywhere.. How gross…”
Digital civil rights group Electronic Frontier Foundation (of recent Net neutrality and Facebook privacy battles) has released an eye-opening online tool called Panopticlick, designed to demonstrate exactly how uniquely identifiable you are — even if you’re diligent enough to take some of the most commonly prescribed privacy measures.
Conventional wisdom holds that if you disable scripting and refuse to accept cookies, you’ll be denying web sites the tools they need to recognize you when you return, thus maintaining your anonymity.
However, as Panopticlick shows us, there is still a lot of seemingly benign data available to any web server inquisitive enough to ask — items such as user agent, browser plugin details, local timezone, screen size, screen color depth and system fonts.
As is the case with the protein bases in our DNA, while none of the individual pieces are (likely) unique, when taken as a whole they very likely combine to produce a unique fingerprint.
*Head slap* It was so obvious.
For instance, it told me it had seen my specific Win XP/Chrome setup in 1 in 50 setups. It goes without saying that font libraries and plugin lists have much greater scope for individual variation.
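To make the "no single piece is unique, but the combination is" point concrete, here is an added example (not from the original post and not EFF's code) that measures how many visitors share each attribute and how many share all of them. The population, attribute values and function names are constructed for illustration.

```python
import math
from collections import namedtuple

# Constructed sample population (illustrative values, not real measurements).
Visitor = namedtuple("Visitor", "user_agent timezone screen fonts")
POPULATION = [
    Visitor("Chrome/WinXP", "UTC+10", "1280x1024x32", "fonts-A"),
    Visitor("Chrome/WinXP", "UTC+0", "1024x768x32", "fonts-B"),
    Visitor("Chrome/WinXP", "UTC-5", "1280x1024x32", "fonts-B"),
    Visitor("Firefox/WinXP", "UTC+10", "1024x768x32", "fonts-A"),
    Visitor("Firefox/WinXP", "UTC+0", "1280x1024x32", "fonts-C"),
    Visitor("Firefox/WinXP", "UTC-5", "1024x768x32", "fonts-B"),
    Visitor("Safari/iPhone", "UTC+10", "320x480x32", "fonts-iOS"),
    Visitor("Safari/iPhone", "UTC+10", "320x480x32", "fonts-iOS"),
    Visitor("Safari/iPhone", "UTC-5", "320x480x32", "fonts-iOS"),
    Visitor("Safari/iPhone", "UTC-5", "320x480x32", "fonts-iOS"),
]

def anonymity_set(population, visitor, fields):
    """Number of visitors (including this one) sharing `visitor`'s values on `fields`."""
    key = tuple(getattr(visitor, f) for f in fields)
    return sum(tuple(getattr(v, f) for f in fields) == key for v in population)

def surprisal_bits(population, visitor, fields):
    """Identifying information in bits: log2(population size / anonymity set)."""
    return math.log2(len(population) / anonymity_set(population, visitor, fields))

def report(population, visitor):
    """Per-attribute and combined (anonymity set size, bits) for one visitor."""
    views = [(f,) for f in Visitor._fields] + [Visitor._fields]
    return {"+".join(v): (anonymity_set(population, visitor, v),
                          round(surprisal_bits(population, visitor, v), 2))
            for v in views}

if __name__ == "__main__":
    for label, who in (("customized desktop", POPULATION[0]),
                       ("stock iPhone", POPULATION[6])):
        print(label)
        for fields, (same, bits) in report(POPULATION, who).items():
            print(f"  {fields:36} shared by {same} of {len(POPULATION)}, {bits} bits")
```

In this sample the desktop visitor shares every individual attribute with at least one other visitor yet is alone once all four are combined, while the stock iPhone visitor is still indistinguishable from another visitor.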
So, what does this mean in practical terms?
1). Welcome John Smith. Not.: Obviously when we talk about ‘identifying a user’ we’re not talking about knowing their name, address and phone number. As EFF says ‘All of the data for the project will be collected in an anonymized form which ensures that it is not Personally Identifiable Information, nor otherwise likely to lead to the identification or tracking of any web users..’
It does mean a site can record your behaviour and then use that information the next time you return.
It also means that, in theory, advertisers might be able to use this data to track you across multiple domains.
2). Performance anxiety: Panopticlick took around 6-8 seconds to run its tests on my system, so I’d think most web site owners would think seriously before willingly adding that sort of overhead to a first page load.
Still, it shouldn’t be necessary to query every user.
3). Stealth mode: Clearly the more you customize your browsing environment, the more identifiable you are. As such, a less ‘moddable’ device is by default more anonymous. Does that make Safari for iPhone the new Stealth browser? No Flash. No Java. Standardized font set. Hmm..
Regardless, it will be interesting to see if we see practical application of this.
Would we know anyway? Probably not.