LWN: Comments on "EFF: Web Browsers Leave 'Fingerprints' Behind as You Surf the Net"
https://lwn.net/Articles/387950/

This is a special feed containing comments posted to the individual LWN article titled "EFF: Web Browsers Leave 'Fingerprints' Behind as You Surf the Net".

Thu, 11 Sep 2025 20:40:34 +0000

Company browsers are anonymous?
https://lwn.net/Articles/388227/
MKesper

Most companies are stuck at IE6.0, I guess. The user string sent by IE is very verbose, though: e.g.
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 1.1.4322; MS-RTC LM 8)

Wed, 19 May 2010 10:39:10 +0000

Company browsers are anonymous?
https://lwn.net/Articles/388029/
NAR

I was wondering that in a company environment the setup of the computers should be the same, so the browsers should look to be the same. Anyway, it's pretty amazing that only 4 people (including me) visited the site with the same user agent (IE 7.0, probably with up to date(?) patches, so I thought this must be a lot more popular). Actually it is *more* specific than the system font list, which contains company-specific fonts, so there must be 7 other people from this company who visited this page, but 4 of them used a different browser.

Tue, 18 May 2010 10:14:43 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387999/
jamesh

The plugin info doesn't come from HTTP headers: they're being accessed via Javascript. While you might consider it a privacy issue, it isn't adding overhead to the HTTP requests.

Tue, 18 May 2010 03:12:59 +0000

stating the obvious
https://lwn.net/Articles/387995/
smoogen

Actually people are not as anonymous when they are in the city center not even counting security cameras. Media organizations have long tracked buying habits.. any good grocer would know what kinds of vegetables you like if he wanted to keep in business. But since the 1970's and the growth of the credit industry it has become more of a part of society.

Going beyond the internet, a person's credit card/debit purchases, their magazine viewing, their TV habits are all stored and viewed away. We have lived in a society where privacy has become more of a fiction in the last 30+ years... we traded it away for cheap TV and t-shirts years ago. Scott McNealy's famous privacy quote was right in so many ways :/.

Tue, 18 May 2010 00:23:59 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387994/
coriordan

The linked paper discusses a similar topic:

> The obvious solution to this problem would be to make the version numbers less precise. Why report Java 1.6.0_17 rather than just Java 1.6, or DivX Web Player 1.4.0.233 rather than just DivX Web Player 1.4? The motivation for these precise version numbers appears to be debuggability. Plugin and browser developers want the option of occasionally excavating the micro-version numbers of clients when trying to retrospectively diagnose some error that may be present in a particular micro-version of their code. This is an understandable desire, but it should now be clear that this decision trades off the user’s privacy against the developer’s convenience.
>
> There is a spectrum between extreme debuggability and extreme defense against fingerprinting, and current browsers choose a point in that spectrum close to the debuggability extreme.

Tue, 18 May 2010 00:06:18 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387990/
jrn

> The real problem however is that information such as your web browser's ID, plugins or supported languages is often used by the web server to alter the actual content served to you (eg. to send you text in your language, or work around bugs in your browser), so there are limits to how much one wants to mess with that.

In practice, that is much less of a problem than it would seem to be. I have been browsing with ‘chromium-browser --user-agent="Mozilla/8.0"’ for a few months now, and I only ran into a few problems:

. Gmail requires ?nocheckbrowser at the end of the URL or it will not use ajaxy features

. Old versions of http://www.bad-behavior.ioerror.us/ deny access to some pages. So far, every webmaster I have mentioned this to has been happy to have the reminder to upgrade.

. Facebook appears to use Content-disposition: attachment or something for its front page, rendering it inaccessible.

That’s all. I would be happy to see more people doing this, since if sites use sane behavior by default, that means one less barrier to entry for new browsers and should make it easier to change the behavior of existing browsers.

Mon, 17 May 2010 23:52:52 +0000

stating the obvious
https://lwn.net/Articles/387991/
coriordan

Just to add to that... I remember an interesting point that Lawrence Lessig made about privacy. It was along the lines of, in the real world, we're guaranteed a certain level of privacy because of the effort required to track us.

My trip to the city centre will expose me to thousands of people, but none would reliably draw a picture of me the next day. The security cameras in the bookshops will record what books I browsed, but, except in very exceptional circumstances, no one will watch the recordings with enough interest to see me or the books.

Online, the situation is put on its head. *I* can't remember what sites I viewed last week, but doubleclick.net has a pretty complete record of what I viewed last week, last month, last year, ...

Mon, 17 May 2010 23:49:43 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387985/
coriordan

Yeh, it's all about where to strike the balance.

For me, avoiding tracking is pretty important. Helping web devs work around bugs in my browser is something I'm lukewarm about - it won't happen often, and it'll almost never be a big deal.

I think a good starting point would be to hand over just four pieces of info, for example: I use Iceweasel, version 3.5.X, on GNU/Linux, in Dutch.

These are four things that might be used regularly, legitimately by websites to ensure I get a good browsing experience. And that's probably not an identifiable amount of info, so it could remain unchanged (or, maybe the browser name could even alternate between "Iceweasel" and "firefox").

If 3.5.4 had display problems, then the "X" in my version number could be randomly chosen from [1-35-9].

Mon, 17 May 2010 23:41:38 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387984/
coriordan

I've installed User Agent Switcher just now.
I don't think it's going to be of any use, since I won't manually switch my User_agent each time I browse to a new site, but it's free software, and that code would surely be a good starting point for implementing what I was talking about.

Mon, 17 May 2010 22:30:23 +0000

Especially bad if you run Linux
https://lwn.net/Articles/387981/
spaetz

Nope, not language was the most revealing. Both the combination of installed plugins and available system fonts on my (pretty much stock) Ubuntu firefox was considered as unique among all current entries!

Mon, 17 May 2010 22:05:03 +0000

stating the obvious
https://lwn.net/Articles/387974/
smoogen

You know you have too much knowledge of a subject when you read an article like that and go "Yeah and this is new because?"

Fingerprinting a browser has been possible for a long long time (probably the late 1990's). I know that several web-trends programs from 2000 used various techniques to determine if an IP address was a singular or multiple browsers.. and looking at what they did one could see how to see if that 'browser' (or something very similar) showed up in other places without putting a special cookie on the browser. [A cookie makes it a definite 1:1 versus a guess.]

The fact is that most technology is not built for privacy and has never been. While we may think that we are quietly in our house and completely private, technology is built more like you have gone into common grounds. Unless you are willing to wear a burqa to cover yourself and deal with the extra scrutiny that gets from some quarters.. it is not a private action when you begin to communicate with anything outside of your computer. [And depending on some tools.. not even then :(.]

Mon, 17 May 2010 21:04:47 +0000

Especially bad if you run Linux
https://lwn.net/Articles/387975/
nix

> The big gotcha is the supported languages string, which depends on the particular language support packs you have installed. Once you take out a few of these that you don't use, you make it likely that you have a near-unique configuration.

Those of us who only speak one language (or a few, common ones) can just remove *all* language packs other than the ones we speak. I doubt a supported-languages string with only one or two entries is going to be terribly unique :)

(hey, an advantage to monoglottism! but a tiny one.)

Mon, 17 May 2010 20:52:07 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387971/
JoeBuck

This isn't a good idea. There's a balance to be struck.

It's useful for web site developers to have some idea of how many users use which platforms, and in some cases, user-agent is used to allow a web site to work around browser bugs. It isn't really necessary, though, for every HTTP transaction to send all that bloated stuff about every plugin and every supported language. We should focus on sending small amounts of accurate information, instead of huge piles of irrelevant information that mainly serves to fingerprint the user.

Mon, 17 May 2010 20:41:21 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387969/
saffroy

Well the User Agent Switcher extension for Firefox does help a bit here.

The real problem however is that information such as your web browser's ID, plugins or supported languages is often used by the web server to alter the actual content served to you (eg. to send you text in your language, or work around bugs in your browser), so there are limits to how much one wants to mess with that.

Mon, 17 May 2010 20:37:32 +0000

How about randomising HTTP_ACCEPT and User agent?
https://lwn.net/Articles/387965/
coriordan

Randomising most of HTTP_ACCEPT and User agent would totally fix this problem, right? Or at least, it should for those of us with javascript turned off by default (using noscript makes this pretty convenient).

A handful of things should stay the same, such as browser name, the major version number of the browser, and your main language preferences, but I guess the rest could change per-site by selecting random values from lists of valid values.

Anyone know of a plugin (for any browser) that does this?

Mon, 17 May 2010 20:16:54 +0000

Especially bad if you run Linux
https://lwn.net/Articles/387963/
JoeBuck

The big gotcha is the supported languages string, which depends on the particular language support packs you have installed. Once you take out a few of these that you don't use, you make it likely that you have a near-unique configuration.

Firefox reveals way too many details in the HTTP headers.

Mon, 17 May 2010 20:01:35 +0000