Can websites personally identify visitors? (plus.google.com)
173 points by goatcurious on Dec 8, 2012 | 107 comments


Online anonymity is pretty much gone. You can uniquely identify most visitors without cookies using a bunch of other exposed attributes.

This site shows you how unique your system appears: http://panopticlick.eff.org/

When you combine things like screen-resolution, installed fonts, etc. you get a pretty-unique profile of each person.

Bruce Schneier addresses the topic here: http://www.schneier.com/blog/archives/2010/01/tracking_your_...

How UberVu mapped this back to an actual email address is a separate matter - but I'm guessing they used the profile of his machine and connected it to a matching profile they had access to from some site he does authenticate with.

Now extend that concept to Google. They've got their digital hooks on millions of sites using Google Analytics. They can map those hits back to an IP address that correlates to a GMail login and get a pretty good idea about where else their users browse.


Panopticlick is a bunch of fearmongering nonsense. I'm on an iPad right now, and they tell me that "only one in 350000 browsers has the same fingerprint as mine". All fully-updated iPads have the exact same fingerprint, you can't even come close to uniquely identifying me with that.


You're forgetting localization. Your timezone alone makes you more identifiable. Add in your IP address and you're pretty identifiable. Not to mention that iPads don't really have any private browsing mode.


> Not to mention that iPads don't really have any private browsing mode.

Safari on iOS certainly does have "private browsing". Just go to the Settings app and select "Safari" from the top level and it's the first setting under the "Privacy" (just below the "General" section). When it's enabled, the browser looks different to let you know -- the normally gray bezel UI becomes black. This has been a feature ever since iOS 5.0 was released in 2011.

More info here: http://support.apple.com/kb/HT1677


I just tried Panopticlick both before and after enabling private browsing in Safari (Mac OS X) and the site identified the same number of identifiable pieces of information about me. So it looks like that has no effect.

Which sort of makes sense - the info it's looking at is basically the header info. Screen size, installed fonts, IP address, and so on. It's not relying on cookies, as cookies can't be seen/read across domains (you can't tell I'm an Amazon customer if I just visit you out of the blue).


You used to be able to by reading back CSS styles of visited links. May be fixed now. http://blog.adrianroselli.com/2010/03/mozilla-to-modify-how-...


It is fixed.

CSS may color visited links red, but they hacked getComputedStyle to return the normal color instead. So, you can't tell if that link to Amazon you just created is visited or not.

And you can no longer set, for example, font-weight:bold for visited links, because that would change the size of the element, and they decided, unlike in the color case, that it would be too complicated to get all the APIs to lie about the new geometry.


Is it fixed in all browsers?


Not everyone's using an appliance. My fingerprint is unique in their list.


True, timezone could be a biggie. Although in my case (GMT) is 1/22. Screen res is another possibility (1920x1080) = 1/28.

Also, the site doesn't mention anything about IP address on the report page and presumably doesn't have access to third party tracking cookies, however, so private browsing shouldn't make much difference (I cleared my cookies and got the same score).


iOS Chrome has private browsing. There are also a number of dedicated apps for private web surfing.


iOS Chrome has "Incognito Mode*". The asterisk is there because WebKit does not have any way to make localStorage private, meaning it's shared between Incognito and Normal browsing modes, so there's a possible leak of information there, especially if they're using a third party tracking service. This is true for any of the private web surfing apps that use WebKit.


Now I'm curious—what does "Private Browsing" do when enabled in Settings > Safari?


It only clears your browsing traces locally (history, cookies, cache, etc). Everything else can still be tracked on server-side. BTW, every private browsing mode that I know works pretty much that way.

In the current model real privacy can only be achieved running something like Tor.


Onion browser on iOS professes tor based anonymity


I'm confused as well, apparently my browser (stock firefox on Ubuntu) is completely unique. I would expect it to be reasonably rare but certainly not that rare.

I haven't done the math, but I have a feeling it just keeps dividing by the "one in x browsers have this value". Maybe it doesn't look at the intersections, for example: Using Totem as the default wmv player is rare and using Ubuntu is rare but reporting Totem as .wmv player is going to be a lot less rare amongst Ubuntu users than it is amongst Windows users.


>I haven't done the math, but I have a feeling it just keeps dividing...

Why would it have to use division, or for that matter, any kind of math at all? I imagine that as each new visitor is recorded, they simply count how many other visitors had the exact same browser configuration.

The "one in x browsers have this value" column is probably just for informative purposes (and not the raw data that was somehow munged to determine the uniqueness of your browser fingerprint).


It has nowhere near the traffic to give the resolution it claims based on simple counting.


I'm not sure what you mean by "resolution"; the site doesn't claim that a browser fingerprint is unique among all instances of all browser software ever run, just that (for example, to quote from my test results) "Your browser fingerprint appears to be unique among the 2,568,783 tested so far".
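
The two calculations debated above (multiplying the per-attribute "one in x" figures versus counting exact matches) can be compared on a small sample. This is an added example, not part of the thread and not Panopticlick's code; the 64 visitor records, the attribute names and the function names are constructed for illustration.

```python
import math
from collections import Counter

ATTRS = ("os", "wmv_player", "timezone")


def build_sample():
    """Constructed sample of 64 visitors (not real Panopticlick data).

    The OS and the .wmv handler are perfectly correlated here, as in the
    Ubuntu/Totem case raised in the thread.
    """
    rows = (
        [("Windows", "Windows Media Player", "UTC-8")] * 28
        + [("Windows", "Windows Media Player", "UTC+0")] * 28
        + [("Ubuntu", "Totem", "UTC-8")] * 4
        + [("Ubuntu", "Totem", "UTC+0")] * 4
    )
    return [dict(zip(ATTRS, r)) for r in rows]


def surprisal_bits(count, total):
    """Bits of identifying information for a value seen `count` times in `total`."""
    if count == 0:
        # An unseen value has no frequency estimate; record the visitor first.
        raise ValueError("value not present in sample")
    return -math.log2(count / total)


def marginal_bits(sample, visitor):
    """Per-attribute bits: the 'one in x browsers have this value' column."""
    total = len(sample)
    bits = {}
    for attr in ATTRS:
        counts = Counter(row[attr] for row in sample)
        bits[attr] = surprisal_bits(counts[visitor[attr]], total)
    return bits


def naive_bits(sample, visitor):
    """Sum of per-attribute bits, i.e. multiplying the 'one in x' figures.

    Only correct if the attributes are statistically independent.
    """
    return sum(marginal_bits(sample, visitor).values())


def anonymity_set(sample, visitor):
    """Number of sampled visitors whose whole fingerprint matches exactly."""
    key = tuple(visitor[a] for a in ATTRS)
    return sum(1 for row in sample if tuple(row[a] for a in ATTRS) == key)


def joint_bits(sample, visitor):
    """Bits from simple counting of exact matches on the full fingerprint."""
    return surprisal_bits(anonymity_set(sample, visitor), len(sample))


def report(sample, visitor):
    naive = naive_bits(sample, visitor)
    joint = joint_bits(sample, visitor)
    return {
        "per_attribute_bits": marginal_bits(sample, visitor),
        "naive_bits": naive,
        "naive_one_in": 2 ** naive,
        "joint_bits": joint,
        "joint_one_in": 2 ** joint,
        "anonymity_set": anonymity_set(sample, visitor),
        # A naive "one in x" larger than the sample cannot come from counting.
        "naive_exceeds_sample": 2 ** naive > len(sample),
    }


if __name__ == "__main__":
    sample = build_sample()
    visitor = {"os": "Ubuntu", "wmv_player": "Totem", "timezone": "UTC+0"}
    for key, value in report(sample, visitor).items():
        print(f"{key}: {value}")
```

For the Ubuntu/Totem visitor the multiplied figure claims more distinguishing power than the sample size allows, while exact-match counting reports the actual anonymity set.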


One in 350k means you are similar to ~1100 other Americans. A large crowd to be sure, but not great for being completely anonymous. There is still a lot of value in even making groups with this many members.

My previous comment on this: http://news.ycombinator.com/item?id=4479876


Not disagreeing with the bogosity of the numbers - but isn't the time zone part of the fingerprint? So not all iPads are the same?


Yeah, you're right

but still: so I'm only as unique as any iPad users in GMT-7, not all iPad users globally. That's not information that is of any use in identifying me, but EFF insists on presenting it as though SWAT teams from adwords will be breaking down my door any day now to shove targeted marketing materials down my throat.


Next time I visit the Apple Store, I should remember to visit Panopticlick from some of the machines on display and see what only-one-in numbers it reports.


Panopticlick also glosses over the fact that the browser characteristics it uses for 'fingerprinting' change over time. In the time it took me to write this comment, Chrome updated itself three times, for example.


My iPhone 5 is 1 in 214,000; my Galaxy S3 was unique.

Since the iPhone 5 makes up more than one in 200,000 of the Internet's traffic, even that "relatively low" uniqueness is worrisome.


Not to mention Facebook tracking you across the web with their Like buttons.

I try to do most of my browsing in a different browser from the one I log into FB/Google with.


You may be interested in https://addons.mozilla.org/en-US/firefox/addon/facebook-bloc... , which stops your browser from reporting back to FB until you actually click a "Like" button.


Does pressing a "like" button actually redirect the browser to facebook? Or is it trying to do something based on evaluating what the FB javascript does?

The best way to implement something like this would be "if facebook.com" is not in the address bar don't allow any requests to anything with a facebook IP address.

Trying to do something cleverer might be simple for FB to break by changing the like button code.


Tracking doesn't start at "pressing Like", but the Like button is actually loaded from an HTTP call to Facebook's server with the referer of the site you're on ... so they could (claim: don't) track every site you visit with any original cookie you set on Facebook's site.


If you use Chrome, there are extensions like this one: https://chrome.google.com/webstore/detail/facebook-disconnec...


Just because of that I have disabled fb like, twitter and g+ from my blog. I had also disabled google analytics but traffic started to go down. Today I have re-enabled analytics to see if that is the reason.

I did not have too much traffic from fb or twitter to think that is because I took their buttons out.

Anyway, I prefer to avoid those sites tracking my readers, savvy people can anyway share my content if they want.

So, if you want is http://www.garron.me :). Just kidding.


me too. Do you reckon this is enough?



Honestly I found Ghostery useless and ultimately uninstalled it. I am not paranoid enough to want to completely deprive every site of statistics, so I had opt-in by default, and it's difficult to block the especially nefarious packages because they're all lumped together with typical counters/stats scripts.

I think NoScript does an adequate job preventing most undesired analyzers, as they will often be on a separate domain that needs temporary activation. Ghostery was just annoying because it'd always be blaring that there were trackers tracking me, but include mostly things that I don't really mind, basically all counters. In fact, I usually want counters to register my UA/OS, so that their recorded Linux marketshare increases.

Would be nice if we could install Ghostery as a private-browsing-only extension and turn its default to block everything, but barring that, I don't think it's valuable unless you make it block everything all the time.


You know, sites have log files for basic stats... Tracking is completely another league. I feel no guilt using Ghostery fully blocking everything by default (and I'm not so paranoid).


The problem is when you use http cache, it screws your basic stats.


Ghostery is fantastic. It takes a little while to get set up and maintain as you'll want to disable everything by default then reenable services when things don't work. But it's well worth the effort.


I use the Ghostery add-on for Firefox, but if you enable "GhostRank" then the add-on will send every URL you visit to Evidon. This is purportedly for "tracking the trackers", but it does give one pause.


I use this in conjunction with an ad blocker and a NoScripts-like extension.

I always wonder how effective this combination is :/


"Enough for what?" is the question. I hope it is enough to disrupt the FB and Google from getting a total view of my activity but I don't think it's enough to stop all monitoring and tracking.

My main browser is Firefox with NoScript installed and I've been known to back away from sites that won't work without a number of different domains being authorised. Flash isn't installed at all. I use Chrome with Ghostery for Linked In/Facebook and any Google logins plus anything that needs Flash (as I trust Google to keep that up to date even though I don't trust them not to track me).

I never log in to Linked In/Facebook/Google on my phone or tablet although I don't have much other protection from tracking there.


We added Panopticlick-inspired user fingerprinting to SnowPlow recently - as far as we know, we're the first analytics package to make user fingerprinting generally available. If you're interested in the implementation, it's here:

https://github.com/snowplow/snowplow/blob/master/1-trackers/...

I'm skeptical of its utility on its own - though when you add timezone, IP address and screen resolution, it may start to get mostly-unique.

Anyway we're waiting on some of our bigger users (millions of page views per day) to report back on its uniqueness - should be interesting...


Way to make a name for yourself under the Be Evil brand--democratizing access to abusive user-hostile technology. It has the same feel as an open access community meth lab.


Is it possible to block/fake list of fonts and/or browser add-ons from being sent to a website?


While trying to find a browser add-on for the above, found that Facebook detects NoScript and adjusts links accordingly [1]. In other words, the list of add-ons is used proactively to try to bypass some of them.

[1] Excerpt: "Facebook seems to detect an active NoScript and replaces external links with tracked ones." from https://addons.mozilla.org/en-US/firefox/addon/google-privac...


The list of fonts is only available through flash, so if you get rid of flash (either permanently or with flashblock) that should cut down your fingerprint a bit.


It's also exposed to javascript and CSS. With a list to test, you can generally evaluate the fonts installed on a system without using Flash.


I was just thinking earlier today, "I should turn on the Do Not Track header in Chrome." Then I thought, "...and become one of a very tiny group of people with that characteristic."

I'm going to do it anyway, though on principle. And I encourage all of you to do the same. ;)


I wouldn't bother, to be honest. Personally, given MS's stupid, stupid idea to turn it on by default in IE10, it's just gonna be ignored (I actually asked our analytics vendor if we could record it so I could segment based on it).

The only way DNT will work is if it's legally mandated, and I don't think that's gonna happen (though I could be wrong).


> You can uniquely identify most visitors without cookies using a bunch of other exposed attributes.

Yep, that's nasty, but this is much worse still: getting visitor names & email contact info.


Looking at the http://ubervu.com/ website, it seems they are using a tracking service hosted on http://trackalyzer.com/. This is a privately registered domain (there is no index page either), but from http://trackalyzer.com/w3c/policy1.xml we can derive that this service is operated by LeadLander.com.

The LeadLander product seems to identify users by company name (most likely by checking the IP address/netblock) and then "integrates" with LinkedIn and Jigsaw in order to contact (spam?) the users by email (see: http://www.leadlander.com/web_analytics.asp).

Definitely interesting, but legal? Not very likely...


> Definitely interesting, but legal? Not very likely...

There is nothing in the US that makes this sort of activity illegal. The exceptions would include minors, health or certain financial information. Excluding that, unless it goes against something stated in their policies it is perfectly legal in the US.


The mapping part (IP/netblock --> email) might not be illegal in the USA, but I'm pretty sure that sending users unsolicited emails after visiting a website is.


That's a good point. An unsolicited advertisement for something could be considered illegal according to CAN-SPAM but if the individual has a relationship with that company then an email like the one they sent to Sumit is legal. It could likely be argued that visiting a site could be considered establishing a relationship.

That's just a guess on my part. I'd love to hear from someone better versed on the law about the legality of that email.


Sending unsolicited emails is not against the law. CAN-SPAM law states that users must be able to opt out of receiving emails after they receive the email. There is nothing against the law of random companies sending emails to any individual they like, regardless of a previous business relationship.

Opt In is a cultural idea, not a legal one.


    f :: IPAddress -> [Maybe EmailAddress]

I am guessing that in order to get this function to work, the ad company would have a contract with a company such as LinkedIn or Twitter, who can perform this mapping, based on their server logs.


IP address alone isn't sufficient, browser info is also needed.


Which would be quite vile.


And probably illegal.


That data is guaranteed to be public, per the rules governing the domain name registration system.


Have the various spam-blockers of the world gotten more complacent? This seems like the sort of indiscriminate crawling that would get you both a lot of valid e-mail addresses and a permanent home in everyone's junk folder.


UberVU Response:

For the life of me, I can't figure out how to link directly to a specific reply in Google+, but here's the reply from UberVU:

"Elisabeth Michaud Hi Sumit - Elisabeth from uberVU here (I also run the uberVU twitter account where we were chatting earlier). Niek is right that we have been using a tool called LeadLander (based in San Francisco) to help us connect with companies who visit our site. We take privacy very seriously and definitely don't want visitors to our site to feel we are overstepping our boundaries. As such, we've decided as a team to discontinue our use of LeadLander and focus our efforts on other ways to engage website visitors. You won't see any further emails from us, and these changes will be implemented globally.

If you have any further concerns, don't hesitate to reach out to me at <redacted>"


Wow that seems like a pretty sweeping change from a post and thread on G+. I'm wondering if they were seeing much value from those kinds of emails?

It seemed like it would be effective overall, considering their product and audience, so I'm surprised they backed away from it so quickly.



I run analytics for a major enterprise and have had this technology pitched to me for years. It is a very common practice for B2B lead gen.

That said, don't believe the sales copy on their websites. They will tell you that they can reliably identify the individual, but that is horseshit.

They usually maintain and/or purchase access to lists of people who work at companies and have relevant job titles. The lists are captured from multiple sources ranging from stuff publicly posted on company websites to business cards collected (and sold) at trade shows/conferences. There are lots of other sources and I'm sure this audience can think of many on their own.

Company/ip/id can be gleaned from either an ip block or someone who registered to download a free report or other content from a partner site at some prior time.

Sure you'll sometimes get the contact for the exact person that browsed the site, but you'll often get it wrong. That said, it could still be valuable to contact someone at the company about your services, because if one person is looking into it, then someone else might be interested too.

The tech/idea certainly isn't new - I've been getting pitched it for 5+ years.


Does anyone know for sure that cookies or browser uniqueness were exploited to identify the visitor? I've used LeadLander, and as far as I can tell LeadLander and Relead both use reverse DNS to find what company the visitor is from. They track what pages the visitor goes to, and time spent (Google Analytics style). Plus "helpful" information like the company's location, and publicly available info about who works there.

That sort of information doesn't feel creepy to me, it's basically what you could do manually with info from the server logs and lots of searching (DNS, Google, LinkedIn).

If they are using information from another website where the user is logged-in to get the contact information it might be illegal, as it is likely that the first website's privacy policy doesn't say they are giving away that information. If company X uses LeadLander, and LeadLander gathers a user's email address from them, then gives that address to company Y when the same person visits, company X might be breaking the law because they are giving away personal information without stating it in their privacy policy. And privacy policies are required by California law.


Title: "Can websites personally identify visitors?"

Links to: plus.google.com

That's hilarious.


I've no idea if their service actually works but if it does, it's illegal in the EU and it would also be illegal for their clients to use such information to e-mail those visitors.

EDIT: talking about relead.com mentioned in a g+ reply.


As an American who built several web businesses before moving to Germany 4 years ago, I now shudder at what can be legally done in the US. There is no real perspective of data privacy at all. Now, I often feel that the German (and proposed new EU) standard goes way too far. But, I'm a fan of at least something that can keep such creepy behavior away from identifying users until they identify themselves.


When it comes to individual rights (as opposed to corporate) better it goes too far, than come up short.


I realize I'm being idealistic in my stance, but I'm not a fan of going too far either. One thing I'm very happy to see in the EU is the focus on there being a standard. Today it makes it difficult to manage a globally focused user base with so many different legal requirements. The proposed standard in the EU would make it easy to do business here and have a better framework for cooperation with the US than the safe harbor structure today.


Actually, it looks as if they stop short of personal identification, though they can achieve personal identification in some cases, depending on the size of the company, location of query vs location of key contacts, etc.

As I read their pitch, they identify the company a visitor to your site represents, and then they suggest the contacts at that company and give you a bunch of info about the company and the key staff.


That relead.com stuff seems pretty scary:

"Unmatched in quality and accuracy We can track exactly WHO is visiting your website, and how valuable or interested they are in your business"

"See complete company profiles of your visitors: Company Name, Industry, Size. We'll also be adding Credit Risk soon."



And the animation in their home is pretty sinister too.


Kind of reminds me of The Wall (Pink Floyd)


Reposting the paper referenced in the G+ thread:

https://panopticlick.eff.org/browser-uniqueness.pdf

From the paper:

"By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an 'upgraded' version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%"



> I did not ... connect with any of their social media properties

What do you mean by "connect"? Do you mean you didn't visit any of UberVu's social media pages, or that you didn't load any of the tracking-related assets that their website includes? Right now, Ghostery is reporting 5 tracking-related assets on their home page, including something called LeadLander. Click around a bit, and you might even come across assets that are loaded directly from a social media service that you use. Or maybe your browser willingly supplied personally identifiable information to them without telling you about it. Like auto-completing some fields in a hidden form, or automatically connecting to an identity provider that the website happens to support.

Every time I try Panopticlick [1], it tells me that my browser is unique among millions. I guess it means I'm leaving greasy fingerprints everywhere I go, even with AdBlock and Ghostery enabled, and even without logging in anywhere.

[1] https://panopticlick.eff.org/


I'd say using AdBlock and Ghostery greatly increases the chance you're uniquely identifiable, provided there is a client-side (perhaps non-Java) test to list the browser plugins you use.

At least that is the worst offender to my identity, revealing 21.29+ bits of information.


Trying to strip all identifying bits from your browser is a fool's errand. Strictly speaking, all web users are uniquely identified by the combination of IP address and the timestamp of an HTTP GET. The only reason that's not practically an identifier is that web sites don't have access to the ISP logs necessary to resolve ('192.0.2.0', 'www.example.com', 1354989355) back to you. The question you should be asking is how likely it is that the specific website you're visiting, as opposed to a third-party partner, is snooping your Chrome plugins so it can later resolve your identity against the databases of other websites that you've explicitly visited, who also snoop such data themselves, so that both businesses could identify the extreme minority of users who go to this much trouble to protect their privacy. You're much better off with that risk vs. having dozens of third-party cookies hovering around you.


Don't know how unique I am, but clicking the test button there causes (old, 3.x) Firefox to crash.


>(old, 3.x) Firefox

That should be unique enough... :)


You'd be surprised. I know quite a few people still using 2.x. They (we?) come from an era where you don't upgrade just because there's an upgrade available - you make changes when you're affected by a bug, or something important to you quits working.


There was a time, in the not-too distant past, when the Internet was mostly about sharing educational information.

Sadly, the Internet is now full of companies who want to use it as a vehicle for advertising and who are obsessed with building up a dossier on as many people as possible, to exploit for financial gain. Your privacy means nothing to these companies; they will collect as much information about you as possible, with no regard for your wishes.

I take active countermeasures against these hostiles. I browse with javascript disabled. I don't have flash installed. I don't accept cookies blindly. I adjust my user agent. I run my own DNS server and cache and have hundreds of sites blackholed, including facebook, google analytics, and all the major ad servers.

It's some trouble to set all this up, and inconvenient at times. But unfortunately it's a jungle out there, and the default setup of browsers leaves you like a naked person in a mosquito-infested swamp.


Reducing the uniqueness of a browser's fingerprint seems like a more valuable privacy investment than a DNT header that may or may not be adhered to by the websites you visit. Are any of the major web browsers actively working on this?


There are add-ons and extensions available. To give an example I have an old firefox setup here with these add-ons: RefControl (forge referrer), UserAgentSwitcher (user agent manipulation), NoScript (block all scripting and therefore many tracking scripts), AdBlock (not sure if this helps to be honest), CookieMonster (easy cookie management), RequestPolicy (blocks request from your browser, helps with cross site scripting attacks; note this add-on makes for a painful user experience unfortunately). Of course Java and Flash are disabled but if you don't want to disable them there are add-ons like BetterPrivacy for Flash that deal with them too. Note this setup is somewhat outdated and I have not kept up with recent developments. Finally all of this is useless if you don't also proxy your IP.


It could be that they're taking advantage of a third-party service that he's signed up for. For example, Google Docs used to show a user's email when they clicked a link to a document that you created (it's anonymised now)


Quick privacy scan of their homepage only shows scripts being launched from 6 different companies and tracking cookies from optimizely and themselves (along with google analytics).

This actually has fewer than the average for tracking cookies placed on a homepage yet they are able to uniquely identify you. Privacy isn't gone on the web, but it is getting harder by the day. Some data can be passed outside of cookies and just through loading the scripts, but in general this site seems to be much ahead of average. (~10 unique domained scripts and ~7 unique domained cookies).


Can we share tips for "feeding" a browser with fake data and keeping some level of anonymity? For example, I noticed that one of the factors for Panopticlick is time zone. This is easily faked with changing a time zone on your computer and then starting a browser. You can fake IP address with anonymous proxies and change user agent in browser settings. Is there a way to change/fake plugin and fonts list as these are worst offenders regarding fingerprinting?


Yes, there are two small projects that I know about for Firefox: Firegloves https://addons.mozilla.org/en-US/firefox/addon/firegloves/ Blender https://addons.mozilla.org/en-US/firefox/addon/blender-1/?sr...


Seems an interesting idea for a Firefox add-on. Also, randomizing part of the user agent for each domain should be nice too.


I don't think it's hard right now to get information on a visitor's company if they work somewhere large enough to have their own public IP block.

What I would love to know is how they take that and get an email address out of it. Which 3rd party are they working with that 1) had the IP -> email address link, or this guy logged in and 2) is willing to share that data with a 3rd party?


I've been told that, if you buy something online, some vendors sell your information (like email and postal addresses) tied to a 3rd party cookie on your browser.

Now, any site you visit that is able to check that 3rd party cookie knows all about you.

I don't know which 3rd parties do it, though.


As an operator of a large web site, I was once pitched a product like this. Basically it used various sources to gather as much personally identifying information as possible from your visitors, right down to name, email address, address and phone number (where possible).

Super creepy, chewed the sales person out and told them to go away. But this is a thing.


Does anyone know where they are buying these data sets that link browser characteristics to personally identifiable information? Obviously, companies like Linkedin and Facebook have these data sets but I can't imagine them selling that information.


This is pretty scary. Is there a web page I could go to that would identify what information they have about me?



Your browser still provides a pretty unique fingerprint.


Tor uses either an isolated browser or VM. You'd be moronic to use the same browser both in and outside of the onion router.


You could use some privacy conscious browser, like xombrero. For example: it has a feature to allow you to define a list of user-agents from which one is randomly selected on each request, allows you to use whitelist-mode in which you have to explicitly allow cookies and js for each page.


I can identify the name and address of at least 50% of the people who use my websites.


I don't think they are using browser uniqueness. I mean where would they get the fingerprint/email pairs from?

Everyone should use Firefox and install/do these:

- BetterPrivacy (removes supercookies)

- RefControl (to stop sending http referrers)

- User Agent Switcher (just in case)

- HTTPS-Everywhere

- Disable third party cookies in Preferences > Privacy

- Use a VPN

- Change Google for StartPage

- Use fake accounts (eg: youtube) and emails (dispostable.com) whenever possible. This is very easy if you have a password manager like LastPass, you don't have to remember many passwords.

With all this, you can surf the web quite safely, unless someone with your ID is creating a shared database of fingerprint/ID pairs. In that case you will also have to remove all your other plugins or use NoScript.


This is good advice, but I would add Request Policy (if using Firefox) or Ghostery (if using Chrome; I would also suggest using Chromium instead of Chrome). I believe NoScript is also a must, but it does take some work to whitelist the sites you trust.

It took me a half hour to explain how to use NoScript to a non-technical person the other day. This stuff is not intuitive, and it will take time to educate our friends and family. Now that Facebook has made it acceptable for normal folks to be social on the web, we must be persistent in teaching these people to protect themselves.


Wow, I didn't know about Ghostery and Request Policy. Been testing them and they are awesome, thanks a lot!


Is there a VM offering preconfigured browsers being identical for everybody? Same JavaScript settings, same (VM) screen resolution, same browser size... Make it fixed and use that VM only for browsing...

That would not prevent all types of tracking but it would give people using panopticlick-like tracking techniques a few headaches...


The TOR browser bundle is probably the closest thing at the moment, but there probably aren't all that many people using it, at least compared to the Internet population at large.

https://www.torproject.org/projects/torbrowser.html.en


Go further with TAILs.

A virtual machine or USB boot disk that allows nothing to be written to disk, and destroys all the memory contents on shutdown. Oh, and all connections are forcefully proxied through TOR.

https://tails.boum.org/



