Think you have privacy online? You only do to an extent. Here's how browser fingerprinting can uniquely identify you and IP lookups can provide a starting point for personal identification. If this sounds terrifying, then I suggest a VPN. This is (the interesting) part of an assignment I wrote in Introduction to Web Analytics, from the University of British Columbia's online Award of Digital Achievement, with content from the Digital Analytics Association.
Is Privacy an Option?
Before deciding whether or not to give up one’s privacy it would be best to start with an agreement of how we define privacy. According to Wikipedia “Internet privacy involves the right or mandate of personal privacy concerning the storing, repurposing, provision to third-parties, and displaying of information pertaining to oneself via the Internet.” It can be broken down further into Personally Identifying Information (PII) and non-Personally Identifying Information (non-PII). Having complete privacy online is impossible, since most every page view, query and discernible action is logged somewhere. So should we limit the debate over privacy to PII alone? How about narrowing our scope to cookies? Would it just be third-party or does this include first-party? I plan to show that excluding all cookies is still not enough to maintain total privacy, which isn’t realistically an option. The relevant questions are how much control we have over our information and whether we give our consent to its use.
Even the most routine visit to a website exposes basic information about you. Using the Electronic Frontier Foundation’s Panopticlick tool shows the most baseline information provided by my browser, such as user agent, HTTP accept headers, browser plugins, time zone, screen size, colour depth, system fonts, cookie status and supercookie testing. The EFF states that my browser can be uniquely identified from the 3,651,749 tested so far. I visit the site a second time using Private Browsing Mode and see the same results. That means that even without allowing a single cookie between these sessions I have still been uniquely identified. According to the EFF, even as systems are updated and their information changed, the returning browser can still be identified with a 99.1% rate of accuracy. The false positive rate is reported at only 0.86%. This technique is called Fingerprinting and with it we are uniquely identifiable.
bits of identifying information
one in x browsers have this value
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
text/html, */* gzip, deflate en-us
Browser Plugin Details
Plugin 0: Shockwave Flash; Shockwave Flash 11.2 r202; libflashplayer.so; (Shockwave Flash; application/x-shockwave-flash; swf) (FutureSplash Player; application/futuresplash; spl). Plugin 1: Shockwave Flash; Shockwave Flash 11.2 r202; libflashplayer.so; (Shockwave Flash; application/x-shockwave-flash; swf) (FutureSplash Player; application/futuresplash; spl).
Screen Size and Color Depth
<removed, 145 fonts total>
Are Cookies Enabled?
Limited supercookie test
DOM localStorage: Yes, DOM sessionStorage: Yes, IE userData: No
Fig. 1. Fingerprinting - What Your Browser Says About You
Given that we can be uniquely identified, can we be personally identified? IP addresses are exposed publicly and cannot be safeguarded. Using a tracer on my IP address shows my Internet service provider, country, province, city, GPS coordinates of the ISP’s server, level of anonymity and whether I am hiding behind a proxy. Those GPS coordinates, 48.4710:-123.3438, are easily found using Google Maps and point to a location that is only a 2.9 kilometer, 6 minute drive from my home! With that information I can now known to be assumed to be one of approximately 109,752 people living in Saanich, a suburb of Victoria. I can be uniquely identified from a pool of 3,651,749 in a city of 109,752. There are a whole host of other ways to be identified, such as legal inquiry, tracking your network card’s MAC address over wifi or through IPv6 and spyware/malware. After a point this information must become personally identifying and we haven’t even started talking about cookies. Given enough effort, we are personally identifiable.
184.108.40.206 IP address location & more:
My IP address [?]:
220.127.116.11 [Whois] [Reverse IP]
My IP country code:
My IP address country:
My IP address state:
My IP address city:
My IP postcode:
My IP address latitude:
My IP address longitude:
My ISP [?]:
None / Highly Anonymous
Local time in Canada:
Fig. 2. IP Tracing - What Your IP Address Says About You
On the other hand, you may not even need to be personally identified to have your privacy violated. In the example made at Don’t Track Us, an anonymous user performs a search using terms that suggest an embarrassing health condition. When results are presented and a link followed, these search terms are shared with the recipient domain. This information is then passed on to and sold between third-party sites. This is where cookies finally come in to play and are used by third parties to show embarrassing and revealing ads relating to this condition on a whole host of seemingly unrelated sites. Potentially this data could be sold so that the user will pay higher prices for related services, such as health insurance.
 Personally identifiable information, http://en.wikipedia.org/wiki/Personally_identifiable_information
 Private Browsing - Browse the web without saving information about the sites you visit, https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-saving-info
 How Unique is Your Web Browser?, https://panopticlick.eff.org/browser-uniqueness.pdf
 The Debate About Warrantless Access to ISP Customer Information http://www.slaw.ca/2009/10/09/the-debate-about-warrantless-access-to-isp-customer-information/
 Computer IPv6 addresses & privacy, http://www.hacker10.com/tag/ipv6-shows-mac-address/