Tracking Web users without using cookies

EFF technologist's paper shows how sites can track visitors by collating version numbers, screen resolutions, and other data modern browsers provide.

Declan McCullagh Former Senior Writer

If you're interested in protecting your online privacy, you've probably taken steps like deleting browser cookies or turning on the private browsing features of Safari and Google Chrome.

That's supposed to prevent Web sites from tracking you across repeat visits. But a forthcoming paper prepared by an Electronic Frontier Foundation technologist shows that those steps are not really effective at all.

The reason is simple, but counterintuitive: Modern browsers have been designed to send Web sites a torrent of information thought to be innocuous, including detailed version numbers, operating system information, screen size, what fonts are installed, and sometimes even in what order the fonts were installed. Firefox, for instance, sends every Web site a version number such as "Intel Mac OS X 10/Gecko/20100315 Firefox/3.5.9."

Once this collection of facts--which are individually anonymous--is combined and compared against other users' browsers, the data can become personally identifiable. (It's like being able to find someone's name if you know their birth date, ZIP code, and gender, which is not that difficult a task.)
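To make that concrete, here is an added example (not from Eckersley's paper or the Panopticlick code) that measures how a browser's anonymity set shrinks as attributes are combined. The eight-browser population, the attribute names, and the helper functions are all constructed for illustration.

```python
import math

ATTRS = ("user_agent", "screen", "timezone", "fonts")

# Constructed sample of eight browser configurations (not measured data).
_ROWS = [
    ("Firefox/3.5.9", "1280x800", "UTC-8", "fonts-A"),
    ("Firefox/3.5.9", "1280x800", "UTC-5", "fonts-A"),
    ("Firefox/3.5.9", "1440x900", "UTC-8", "fonts-A"),
    ("Firefox/3.5.9", "1440x900", "UTC-5", "fonts-B"),
    ("Safari/4.0", "1280x800", "UTC-8", "fonts-A"),
    ("Safari/4.0", "1280x800", "UTC-5", "fonts-B"),
    ("Safari/4.0", "1440x900", "UTC-8", "fonts-B"),
    ("Safari/4.0", "1440x900", "UTC-5", "fonts-A"),
]
POPULATION = [dict(zip(ATTRS, row)) for row in _ROWS]


def anonymity_set(population, browser, attrs):
    """Count browsers that match `browser` on every attribute in `attrs`."""
    return sum(all(other[a] == browser[a] for a in attrs) for other in population)


def identifying_bits(population, browser, attrs):
    """Surprisal in bits: -log2 of the population share with the same values."""
    return -math.log2(anonymity_set(population, browser, attrs) / len(population))


def cumulative_profile(population, browser, attrs=ATTRS):
    """List (attribute, set size, bits) as each attribute joins the fingerprint."""
    profile = []
    for i, attr in enumerate(attrs, start=1):
        used = attrs[:i]
        profile.append((attr,
                        anonymity_set(population, browser, used),
                        identifying_bits(population, browser, used)))
    return profile


if __name__ == "__main__":
    target = POPULATION[0]
    for attr in ATTRS:  # each attribute alone leaves a large crowd to hide in
        print(f"{attr:10} alone: shared by {anonymity_set(POPULATION, target, (attr,))} of 8")
    for attr, size, bits in cumulative_profile(POPULATION, target):
        print(f"+ {attr:10} -> set size {size}, {bits:.2f} bits")
```

Passing a shorter `attrs` tuple models a browser that reports less configuration detail, which is the mitigation Eckersley recommends: the anonymity set stays larger.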

Peter Eckersley, the Australian computer scientist working at EFF who wrote the report, calls the technique "browser fingerprinting." Eckersley's paper will be presented at a privacy symposium in Berlin in July.

"There are implications both for privacy policy and technical design," concludes Eckersley, who believes that the law should treat browser fingerprints as personally identifiable information, which can be subject to greater restrictions. He also recommends that browsers be changed so they send less information about their configuration settings to Web sites.

If a Web browser has Flash and Java activated, Eckersley says, the odds of its fingerprint being unique are about 1 in 450,000. He collected data from hundreds of thousands of people who connected to EFF's "Panopticlick" Web site.

Web businesses are, as usual, a little ahead of privacy advocates on this point. Marketers call the idea "clientless device identification," or CDI, and banks and credit card companies have been among the first to adopt it as a new way to verify whether someone is a legitimate customer.

"CDI is a useful tool in fraud detection and gives even the most 'fraud-fighting-savvy' enterprises that already use a host of other fraud detection tools a 15 percent to 25 percent lift in fraud detection rates," a February 2010 report by Gartner says.

In the last few years, online businesses have adopted what are known as Flash cookies--typically less visible to the user--to track users who delete their Web cookies. But because Windows 7 has raised more warnings about Flash cookies, also known as local shared objects, browser fingerprinting techniques are becoming more attractive.

"For all practical purposes, online service providers should consider the days of easy tagging of user PCs with Flash local storage quickly drawing to an end," the Gartner report says. "Those who rely on LSOs for fraud detection and for tagging good customers should, therefore, formulate and implement a plan for eliminating this dependency by 2012."