Using Linux makes you more trackable?



Vostrocity
January 29th, 2010, 03:26 AM
Maybe this is common sense for some of you, but I found it quite interesting. According to EFF's new project, websites can track you (your computer) without cookies using only your browser configuration (that's obvious). But not known to me, they can delve as deep as knowing what fonts you have and what plugins you're running! For my test, this was the downfall that made my computer uniquely identifiable among the 150,000 something they have tested so far. Using Linux thus makes you more easily tracked as you are more likely to have an obscure configuration.

The project is called Panopticlick (https://panopticlick.eff.org/) and is run by digital rights advocacy group EFF.

blueshiftoverwatch
January 29th, 2010, 03:31 AM
Yeah, I just read that earlier today. Although, just by disabling Javascript I went from having a unique configuration out of the 150,000+ people it's recorded to being one of about 900 other people with my exact same configuration.

Although, since that article is more likely to be read by tech oriented people and tech oriented people are more likely to run Linux than a sample from the general population. Running Linux will make your configuration more unique compared with the rest of the web's population than what that test would lead you to believe.

Paqman
January 29th, 2010, 03:35 AM
Well, I just tried it on an XP/Firefox machine and it said I was uniquely identifiable out of 166,000 people. So I wouldn't sweat it too much that your oddball OS is what's fingering you. Judging from my result it looks like your plugins alone will give the game away.

markp1989
January 29th, 2010, 03:35 AM
I don't know how much truth there is in that site, but it tells me "Your browser fingerprint appears to be unique among the 166,824 tested so far", which to be honest I don't believe.

JDShu
January 29th, 2010, 03:44 AM
Just like everybody else, I'm unique as well apparently.

handy
January 29th, 2010, 04:01 AM
If I test multiple times, I become less unique by over 10,000 each time?

It is still an interesting site, particularly the detailed info' that is being picked up from the browser, even when using a variety of methods to be more anonymous.

1/27,000

jfloydb
January 29th, 2010, 04:13 AM
It seems to me that the site itself is taking your (browser configuration) fingerprint. Information that it can use to coordinate with others to trace your activities. I didn't try it.

handy
January 29th, 2010, 04:34 AM
It seems to me that the site itself is taking your (browser configuration) fingerprint. Information that it can use to coordinate with others to trace your activities. I didn't try it.

The point is, ANY site can do that.

[Edit:] https://www.eff.org/

texaswriter
January 29th, 2010, 05:43 AM
If you are aware of Permutations and Combinations, 170,000 users isn't exactly a lot. Well, let's see how hard it would be to have 170,000 possibilities off of relatively insignificant possibilities.

Let's start here: how many distros are there: Debian (say there's three different versions in use: old_stable, stable, and unstable). Ubuntu: 8.04, 9.04, 9.10 and 10.04. Let's say there are 10 other Linux operating systems with 3 different versions each.

So that's 10*3+1*3+1*4 = 37 different operating system versions.

Let's say each one has just two different versions of the browser. Since you may or may not be running an up to date distro AND OR custom compiled, this is somewhat fair

People have from 0 to up to 50 addons in Firefox/iceweasel

Among those addons there is probably a variation of versions in use. Let's just say there are an average of 3 version variations.

Most Linux have a media player, there is a variation with respect to Gnome or KDE... maybe more, we'll just suppose 2 here

Those media players have various plugins. This will be left to include the movie player as well.

Let's say there are only 5 different screen resolutions available.

You could have from about 15 fonts up to many many more... We won't include this variation since it is too hard to predict.

Ignoring A LOT of other variations: 55,500 possibilities...

Well, if you only multiplied that by 3, you have your 165000 possibilities.

LightB
January 29th, 2010, 06:32 AM
http://i260.photobucket.com/albums/ii39/dp021/Onoz.jpg

H2SO_four
January 29th, 2010, 06:43 AM
Your browser fingerprint appears to be unique among the 173,340 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 17.4 bits of identifying information.


Also hard to believe. I only have speed dial and ad blocker on firefox. Very modest in terms of plugins.

handy
January 29th, 2010, 06:44 AM
@texaswriter: I expect that you will enjoy reading this;

http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

wangsuda
January 29th, 2010, 07:47 AM
I must be boring.
Within our dataset of several hundred thousand visitors, only one in 865 browsers have the same fingerprint as yours..

Dayofswords
January 29th, 2010, 07:53 AM
someone make a fresh xp install, use internet explorer, you probably very ununique

wangsuda
January 29th, 2010, 08:01 AM
someone make a fresh xp install, use internet explorer, you probably very ununique
I just tried it using Windows 7 running virtually on Karmic. Here's the result:
Your browser fingerprint appears to be unique among the 175,969 tested so far.

jomiolto
January 29th, 2010, 09:00 AM
Disable JavaScript, don't send user agent. Problem solved ;)

FuturePilot
January 29th, 2010, 09:12 AM
Disable JavaScript, don't send user agent. Problem solved ;)

Javascript has nothing to do with the user agent.

spupy
January 29th, 2010, 10:16 AM
According to the stats, the font collection is what gives you away. I was "unique among 181,032", and for the fonts it says 1 in 181,032 computers have this fingerprint. (I got some rare company fonts though.)

Devport
January 29th, 2010, 10:19 AM
What has linux to do with this kind of tracking - this data can be acquired on any browser and any operating system and is not limited to linux ... the topic title is simply wrong.

The question is not if you are trackable - the question is if you know that you have already been tracked for years right now.

Even if you would not be traceable by unique details transmitted by your browser, some sites ( especially google ) do cross site tracking on a huge scale and with the data acquired google tries to find out as much as it can about you so that ads are adjusted to meet your personality.

Once I installed a new operating system it was curious to see how all google ads turned to my habits with each site I visited.

Google wants to know you and they have the resources to acquire the information to get to know you ... google is always watching you.

To be honest I wouldn't be surprised if google at least knows the gender of almost all of us...

BTW - one of the sites you visited here is google-analytics.com ...

llawwehttam
January 29th, 2010, 10:24 AM
What has linux to do with this kind of tracking - this data can be acquired on any browser and any operating system and is not limited to linux ... the topic title is simply wrong.

The question is not if you are trackable - the question is if you know that you have already been tracked for years right now.

Even if you would not be traceable by unique details transmitted by your browser, some sites ( especially google ) do cross site tracking on a huge scale and with the data acquired google tries to find out as much as it can about you so that ads are adjusted to meet your personality.

Once I installed a new operating system it was curious to see how all google ads turned to my habits with each site I visited.

Google wants to know you and they have the resources to acquire the information to get to know you ... google is always watching you.

To be honest I wouldn't be surprised if google at least knows the gender of almost all of us...


This is not the point. The fact that you are running linux makes you more unique. Lol I need to get my freeBSD machine out and see what that gives me.

handy
January 29th, 2010, 10:27 AM
What has linux to do with this kind of tracking - this data can be acquired on any browser and any operating system and is not limited to linux ... the topic title is simply wrong.

Because Linux is a system used by a minority of users, that makes the user data more unusual, therefore we are more easily tracked.

If you happen to be using a distro that renames your browser to Shiretoko, or Iceweasel for example, you have just become even more trackable, & on it goes. BSD users would be in an even more obvious state.

Yes, we all know that we are being tracked, this experiment by the Electronic Frontier Foundation, is looking into this method, & depending on their findings, will take legal action if appropriate/possible, or apply pressure on the U.S. government to make changes, again if possible on both counts.

Have a look down the Quick Links section of this page, you will see that they have already started legal cases against the U.S. government:

Excerpt -

EFF is leading lawsuits against AT&T, the Government and Bush and Obama Administration officials to stop the warrantless wiretapping

https://www.eff.org/

Devport
January 29th, 2010, 10:28 AM
OK - I see the point.

SoFl W
January 29th, 2010, 10:41 AM
Google wants to know you and they have the resources to acquire the information to get to know you ... google is always watching you.

I have no script on my machines and all google sites are white listed by default. If you block google you realize how they are tracking you on every site you visit. Remember... don't be evil.

SoFl W
January 29th, 2010, 10:45 AM
It isn't just your on-line habits that are being tracked, those little "shopper savings" cards you get at grocery stores are not there for saving you money but to track your buying habits. Your credit card purchases are also tracked by the retailer and the credit card company. You are being watched very carefully.

3rdalbum
January 29th, 2010, 11:30 AM
Wget: 9.4 bits of identifying information

Wget with --user-agent="" (no user-agent sent): 13.58 bits of identifying information.

More identifying information when I provide less information? WTF?

I don't think this is true; besides, it identifies my browser as "unique" no matter how many times I test.

Xbehave
January 29th, 2010, 12:09 PM
I'm unique (probably because I tried to modify my user string the other day though). I've always thought UA strings were a bad idea, but then so is a lack of them, perhaps the solution is for Ubuntu (due to Linux's low market share we need this much sooner than windows/mac users) to put less info in the UA string

mine is

Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.1pre) Gecko/20100127 Ubuntu Firefox/3.6

I'd rather it only had the essential info in it
Gecko/20100127 (en-GB) Firefox Ubuntu Linux (x86_64)

Gecko/20100127 important tech info for displaying a page
(en-GB) important info for localisation
Firefox.\
Ubuntu...} core details for displaying the right page
Linux.../
(arch) Is this important? surely you give x86/arm/etc the same page

other examples:
Trident/6.0 (en-US) Internet_Explorer windows_7 windows (x86)
Webkit/r53846 (es-ES) Chromium Arch Hurd (x86)
etc

Maybe there could be an option like in cookies
1. Full UserAgent
2. Limited UserAgent
3. No UserAgent (this is a bad idea but let people pick it anyway)


If you happen to be using a distro that renames your browser to Shiretoko, or Iceweasel for example, you have just become even more trackable, & on it goes. BSD users would be in an even more obvious state.
I think:
Your distro is usually identified in the UA string, so it makes no difference what your distro does
The UA for Iceweasel are the same as for equivalent version of FF
The UA for Shiretoko doesn't lose any entropy because the rest of the version is unique

so while the rest of your post is correct I think you're wrong on this point.

Xbehave
January 29th, 2010, 12:18 PM
Wget: 9.4 bits of identifying information

Wget with --user-agent="" (no user-agent sent): 13.58 bits of identifying information.

More identifying information when I provide less information? WTF?
You need to understand entropy, but basically yes, because a man in a gorilla suit is more identifiable than a man without one (none of this deals with personal data just how easy it is to spot that it's you coming back to the same shop)
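
Added example, not part of the thread and not EFF's code: the "bits of identifying information" figures quoted in these posts are the surprisal log2(total / matching), which is why a rare value such as an empty User-Agent conveys more bits than a common one, and why a spoofed User-Agent that disagrees with the rest of the fingerprint stands out. The visitor sample is constructed, and `Wget/1.12` and the font-set labels are assumed placeholder values.

```python
import math
from collections import Counter

# User-Agent strings quoted in the thread.
LINUX_UA = ("Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.2.1pre) "
            "Gecko/20100127 Ubuntu Firefox/3.6")
MSIE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"

# Constructed sample of 1,000 visitors (NOT Panopticlick data):
# (user_agent, font_set) -> number of visitors with that combination.
# "Wget/1.12" and the font-set labels are assumed placeholder values.
SAMPLE = Counter({
    (MSIE_UA, "windows-default"): 600,
    (MSIE_UA, "windows-office"): 290,
    (LINUX_UA, "ubuntu-default"): 99,
    ("Wget/1.12", ""): 8,
    ("", ""): 2,                      # client that sends no User-Agent
    (MSIE_UA, "ubuntu-default"): 1,   # Linux user with a spoofed UA
})


def surprisal_bits(matching, total):
    """Bits of identifying information in a value shared by `matching` of `total` visitors."""
    if not 0 < matching <= total:
        raise ValueError("value must occur between 1 and total times")
    return math.log2(total / matching)


def bits_if_unique(total):
    """Bits conveyed by a fingerprint seen exactly once among `total` visitors."""
    return surprisal_bits(1, total)


def one_in(bits):
    """Convert bits back to 'one in N browsers share this value'."""
    return 2 ** bits


def attribute_bits(sample, index, value):
    """Bits conveyed by one attribute alone (index 0 = User-Agent, 1 = fonts)."""
    matching = sum(n for key, n in sample.items() if key[index] == value)
    return surprisal_bits(matching, sum(sample.values()))


def fingerprint_bits(sample, fingerprint):
    """Bits conveyed by the full (user_agent, font_set) combination."""
    return surprisal_bits(sample[fingerprint], sum(sample.values()))


if __name__ == "__main__":
    # "Unique among N" figures quoted in the thread, converted to bits.
    for n in (173340, 287324, 334251):
        print(f"unique among {n:,}: {bits_if_unique(n):.2f} bits")
    # The wget figures from the thread, converted back to "one in N".
    for bits in (9.4, 13.58):
        print(f"{bits} bits = one in {one_in(bits):,.0f}")
    # Sending no User-Agent is rarer, so it identifies more.
    for ua in ("Wget/1.12", "", MSIE_UA, LINUX_UA):
        print(f"UA {ua[:30]!r}: {attribute_bits(SAMPLE, 0, ua):.2f} bits")
    # A common UA combined with uncommon fonts is rarer than the honest pair.
    for fp in ((LINUX_UA, "ubuntu-default"), (MSIE_UA, "ubuntu-default")):
        print(f"fingerprint {fp[0][:20]!r}+{fp[1]!r}: "
              f"{fingerprint_bits(SAMPLE, fp):.2f} bits")
```
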

3rdalbum
January 29th, 2010, 12:41 PM
You need to understand entropy, but basically yes, because a man in a gorilla suit is more identifiable than a man without one (none of this deals with personal data just how easy it is to spot that it's you coming back to the same shop)

Yeah I understand both things - there's only one man in the gorilla suit so he can easily be identified, but you receive fewer pieces of information about the man (you don't know the colour of his eyes or skin, you don't know what hairstyle he has, etc).

The website's sample size is not statistically valid; the scenario that the EFF raises (a group of websites collaborating to track users) would probably have so many visitors that almost none of them would be totally unique. And in reality, tracking cookies would be used, and there are ways of retrieving them cross-site using an iframe.

SecretCode
January 29th, 2010, 01:07 PM
With javascript off, my result is

only one in 889 browsers have the same fingerprint as yours.

Not bad. But the user agent string identifies a lot of detail. So I want to know what is the commonest user agent string? Ideally I'd also like to know what is the commonest user agent string that still identifies firefox and linux (for a bit of evangelism). I'm sure there are web sites that track and report this kind of thing ... but I can't find one.

Http User Agent Lists (Browsers, Robots, Spliders, Crawlers) - HttpUserAgent.org (http://www.httpuseragent.org/) gives a partial view but can't be sorted by frequency.

UserAgentString.com - Firefox version 3.5.7 (http://www.useragentstring.com/) gives a complete list, but doesn't analyse frequency.

Any ideas?

handy
January 29th, 2010, 01:12 PM
It is likely that EFF will release results when this experiment is done.

You could contact them & ask them to anyway.

Xbehave
January 29th, 2010, 01:36 PM
The website's sample size is not statistically valid; the scenario that the EFF raises (a group of websites collaborating to track users) would probably have so many visitors that almost none of them would be totally unique.
That's a nice hypothesis, but the EFF are gathering data to see how unique this info is. It might turn out that just 2% of people can be tracked correctly using this, but it might be 20% or higher.


And in reality, tracking cookies would be used, and there are ways of retrieving them cross-site using an iframe.
I think their point is that cookies can be blocked, this can't. It's not an either OR situation either, this can be used in addition to cookies, say if google wanted to track you without you knowing.

handy
January 30th, 2010, 03:57 AM
These two may be useful?

http://chrispederick.com/work/user-agent-switcher/help/

http://www.stardrifter.org/refcontrol/


UAS did this for me:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Which when combined with the other variables from my browser made me unique! So I'm better off by 25,000 not using UAS.

Brandel Valico
January 30th, 2010, 04:11 AM
one in 598 browsers have the same fingerprint as yours. With Java off

appears to be unique among the 258,002 tested so far. Java On

With Java scripts enabled I am Unique completely from everyone else tested. It's those evil Java scripts I say we burn them all!

No one expects the Java Inquisition!!!

Shpongle
January 30th, 2010, 04:19 AM
if you were really paranoid you could run ff in a win vm and get id as a win machine, or as said disable cookies, JavaScript flash etc! but the web today is practically unusable without these!. there


here yous go http://anonymityanywhere.com/index.php?option=com_frontpage&Itemid=1

lisati
January 30th, 2010, 04:26 AM
It isn't just your on-line habits that are being tracked, those little "shopper savings" cards you get at grocery stores are not there for saving you money but to track your buying habits. Your credit card purchases are also tracked by the retailer and the credit card company. You are being watched very carefully.

I'm pretty sure the "scan as you go" service operated by one of my local supermarkets does this: a few months back I was waiting in line behind someone who had been asked to do a rescan, and was understandably annoyed that the checkout operator's scan came to more than what she had scanned herself. I gather from what I overheard (it was fairly calm) that this had happened before on another rescan....

handy
January 30th, 2010, 05:44 AM
if you were really paranoid you could run ff in a win vm and get id as a win machine, or as said disable cookies, JavaScript flash etc! but the web today is practically unusable without these!.

I use the Ghostery FF add-on to block trackers that aren't cookies, I forget how many, might be 230 of them I think. Google analytics & that type of thing.

It has no effect on what Panopticlick sees though. :(

Shpongle
January 30th, 2010, 06:24 AM
same, I have ghostery on ff, it's a handy little add on (no pun intended). just messing around with tork on kubuntu, it's not configured right, must have missed something in the privoxy config file or something but I'll deal with it tomorrow. It's five in the morning here so I'm gonna call it a night / morning. good night / morning / day wherever yous are!



Dill

Malakai
January 30th, 2010, 06:31 AM
Wow their script learned every font I have, what a massive waste of bandwidth (I have 100+ hehe).

I don't think I really care, sure most of our setups are going to be pretty unique if you compare every detail down to firefox ver, os ver, and specific fonts installed. But is that information actually useful to anyone?
Is there enough data sharing between different online marketing/tracking companies and sites for this to mean anything?


edit: My win7 install is also unique among over 200k tests run. So while it may end up being a problem for people's privacy in the future (I'm sure we will get a good firefox plugin fix by then) it has nothing to do with Linux specifically.

handy
January 30th, 2010, 07:24 AM
same, I have ghostery on ff, it's a handy little add on (no pun intended). just messing around with tork on kubuntu, it's not configured right, must have missed something in the privoxy config file or something but I'll deal with it tomorrow. It's five in the morning here so I'm gonna call it a night / morning. good night / morning / day wherever yous are!

Dill

I run Privoxy on IPCop (headless firewall), I have FF set to ask my permission for every cookie that wants to live on my computer & only allow those that I must (forums & such).

I also use the following FF security enhancement add-ons: User Agent Switcher (rarely as it makes me stand out more!), Ghostery, RefControl.

& I rarely search any other way than with Scroogle SSL. :D

Frak
January 30th, 2010, 08:28 AM
someone make a fresh xp install, use internet explorer, you probably very ununique
Your browser fingerprint appears to be unique among the 264,047 tested so far.

That's on a generic Windows XP Professional installation with a fresh install of Firefox 3.6, no browsing history, no cookies, no plugins. I get the point they're trying to put across, but it seems fishy to me if they are really scanning or if it's just a bunch of random values to scare you.

SecretCode
January 30th, 2010, 08:48 AM
Of course they're real values ... do you see anything that is actually wrong there?

If you've got no plugins or extensions in Fx, there's still the system fonts. That can add significant identifying information.

Frak
January 30th, 2010, 09:01 AM
Of course they're real values ... do you see anything that is actually wrong there?

If you've got no plugins or extensions in Fx, there's still the system fonts. That can add significant identifying information.
I've taken the liberty of making my system fonts private. My browser can see my fonts, but they aren't accessible by 3rd parties. These are from my own patches. In fact, here's what mine looks like.

http://grab.by/24AC

SecretCode
January 30th, 2010, 09:20 AM
I've taken the liberty of making my system fonts private.

And that makes you more identifiable! At least until a large number of us adopt the same privacy settings...

ikt
January 30th, 2010, 09:25 AM
Your browser fingerprint appears to be unique among the 266,008 tested so far.

:(

diskotek
January 30th, 2010, 01:19 PM
the name of this thing is horrifying enough: it comes from panopticon

the term was first used by Jeremy Bentham as a sort of controlling & surveillance. then this term was used by Michel Foucault (one of the most leading philosophers in this century).


check this out also:
http://en.wikipedia.org/wiki/Panopticon

ssj6akshat
January 30th, 2010, 03:12 PM
Your browser fingerprint appears to be unique among the 287,324 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 18.13 bits of identifying information.

that's on a 1 year old ubuntu which started as 8.10 and is now 9.10

koleoptero
January 30th, 2010, 03:14 PM
Your browser fingerprint appears to be unique among the 287,960 tested so far.

It looks like we're all special after all.

handy
January 30th, 2010, 03:24 PM
When I changed the header to windows NT & I.E.8, I became totally unique, due to the other stuff it picked up.

Frak
January 30th, 2010, 06:07 PM
And that makes you more identifiable! At least until a large number of us adopt the same privacy settings...
When I set my plugins/fonts to private, it said I was not identifiable out of a group of 800 some-odd people.

Raian the Fallen
January 30th, 2010, 08:55 PM
Your browser fingerprint appears to be unique among the 334,251 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 18.35 bits of identifying information.

xD

Zoot7
January 30th, 2010, 09:31 PM
From Debian with Firefox 3.6

Your browser fingerprint appears to be unique among the 337,819 tested so far.

From XP again with Firefox 3.6

Your browser fingerprint appears to be unique among the 337,093 tested so far.

Doesn't seem to be much of a difference for me, go figure.

handy
January 31st, 2010, 12:01 AM
When they eventually release the results of this test, we will be able to change our headers to the most common in Ff via about:config

texaswriter
January 31st, 2010, 06:31 PM
@texaswriter: I expect that you will enjoy reading this;

http://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy

just saw your message, and yes, very interesting!!

Vostrocity
January 31st, 2010, 10:56 PM
I don't use IE much (no surprise), but I was poking around and found this little feature. Turning it on didn't change my test results though, likely because the filter only engages when it senses that there are multiple websites using the same tracking. I don't believe this exists in Firefox or Chrome but there are probably add-ons that replicate the functionality.

http://i47.tinypic.com/2w3x3qh.png