Tuesday, May 18, 2010

Web Users Tracking without Cookies

If you're interested in protecting your online privacy, you've probably taken steps like deleting browser cookies or turning on the private browsing features of Safari and Google Chrome.

That's supposed to prevent Web sites from tracking you across repeat visits. But a forthcoming paper prepared by an Electronic Frontier Foundation technologist shows that those steps are not really effective at all.

The reason is simple, but counterintuitive: Modern browsers have been designed to send Web sites a torrent of information thought to be innocuous, including detailed version numbers, operating system information, screen size, what fonts are installed, and sometimes even in what order the fonts were installed. Firefox, for instance, sends every Web site a version number such as "Intel Mac OS X 10/Gecko/20100315 Firefox/3.5.9."

Once this collection of facts, each individually anonymous, is combined and compared against other users' Web browsers, the data can become personally identifiable. (It's like being able to find someone's name if you know their birth date, ZIP code, and gender, which is not that difficult a task.)
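The effect described above, measured on a small constructed population (an added example, not code from the article or from Eckersley's paper): each attribute on its own leaves every visitor hidden in a crowd, while the combination isolates most of them. The visitor rows, attribute names and helper functions are hypothetical, and surprisal and entropy are standard information-theoretic measures used here for illustration.

```python
import math
from collections import Counter

# Constructed sample, not measured data: (user_agent, screen, fonts) per visitor.
ATTRS = ("user_agent", "screen", "fonts")
VISITORS = [
    ("Firefox/3.5.9", "1280x800", "set-A"),
    ("Firefox/3.5.9", "1280x800", "set-B"),
    ("Firefox/3.5.9", "1440x900", "set-A"),
    ("Firefox/3.5.9", "1440x900", "set-B"),
    ("Chrome/4.1",    "1280x800", "set-A"),
    ("Chrome/4.1",    "1280x800", "set-B"),
    ("Safari/4.0",    "1440x900", "set-A"),
    ("Safari/4.0",    "1440x900", "set-A"),
]

def project(row, indices):
    """Keep only the attributes a site is assumed to observe."""
    return tuple(row[i] for i in indices)

def group_counts(rows, indices):
    """Size of each group of visitors that look identical on `indices`."""
    return Counter(project(r, indices) for r in rows)

def surprisal_bits(rows, row, indices):
    """Identifying information in one visitor's values: -log2(share of population)."""
    counts = group_counts(rows, indices)
    return -math.log2(counts[project(row, indices)] / len(rows))

def entropy_bits(rows, indices):
    """Average identifying information (Shannon entropy) over the population."""
    n = len(rows)
    return -sum(c / n * math.log2(c / n) for c in group_counts(rows, indices).values())

def unique_fraction(rows, indices):
    """Share of visitors whose observed values match nobody else's."""
    counts = group_counts(rows, indices)
    return sum(1 for r in rows if counts[project(r, indices)] == 1) / len(rows)

if __name__ == "__main__":
    subsets = [[0], [1], [2], [0, 1], [0, 2], [0, 1, 2]]
    for idx in subsets:
        names = "+".join(ATTRS[i] for i in idx)
        print(f"{names:28s} entropy={entropy_bits(VISITORS, idx):.2f} bits  "
              f"unique={unique_fraction(VISITORS, idx):.0%}")
```

Removing an attribute from the index list shows how much anonymity is regained when a browser stops reporting it.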

Peter Eckersley, the Australian computer scientist working at EFF who wrote the report, calls the technique "browser fingerprinting." Eckersley's paper will be presented at a privacy symposium in Berlin in July.

"There are implications both for privacy policy and technical design," concludes Eckersley, who believes that the law should treat browser fingerprints as personally identifiable information, which can be subject to greater restrictions. He also recommends that browsers be changed so they send less information about their configuration settings to Web sites.

If a Web browser has Flash and Java activated, Eckersley says, the odds of its fingerprint being unique are about 1 in 450,000. He collected data from hundreds of thousands of people who connected to EFF's "Panopticlick" Web site.

Source: news.cnet.com
