David Heath
Thursday, 20 May 2010 11:10
Having collected data from nearly 1,000,000 participants, the EFF has determined that your PC is easy to identify on the Internet, without a single bit of information written to it by any site.
The Panopticlick project, run by the Electronic Privacy Foundation (EFF), was an attempt to demonstrate that there are plenty of ways to uniquely identify visitors to a site that don't include leaving a cookie behind.
Panopticlick did one simple thing - it collected the unique information that any and every browser openly offers up upon request. This includes the user agent string, the screen resolution, time zone (none of these particularly rare) and the lists of installed plug-ins and fonts (both were unique amongst the 994,257 users at the time of writing).
"We took measures to keep participants in our experiment anonymous, but most sites don't do that," said EFF Senior Staff Technologist Peter Eckersley. "In fact, several companies are already selling products that claim to use browser fingerprinting to help websites identify users and their online activities. This experiment is an important reality check, showing just how powerful these tracking mechanisms are."
So, how can you reduce this leaking of unique information?
Really, you can't. The browser is constructed to release this information (why it does is a different question) and there is no simple way to block it, unless users consider a CD-bootable OS with a browser that is shared amongst a wide group of users. Alternatively, users might consider a plug-in and font manager that randomly swaps components in and out. Unfortunately, neither is particularly feasible.
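To make the effect concrete, here is an added example (not Panopticlick's code) that counts how many visitors in a small sample share each attribute value, and how many share the combination of all five attributes the article lists. The visitor records, the `desktop` and `liveCd` profiles and the function names are all constructed for illustration; the two `liveCd` visitors stand in for the shared CD-bootable configuration mentioned above.

```javascript
// Added example: constructed visitor records, not data from the Panopticlick experiment.
const FIELDS = ["userAgent", "screen", "timezone", "plugins", "fonts"];

const desktop = { userAgent: "Browser/3.6 (Windows)", screen: "1280x1024", timezone: 0 };
// Assumed shared live-CD image: every user of it presents identical values.
const liveCd = { userAgent: "Browser/3.5 (Linux)", screen: "1024x768", timezone: 0,
                 plugins: [], fonts: ["DejaVu Sans"] };

const visitors = [
  { ...desktop, plugins: ["Flash 10.0", "Java 6"], fonts: ["Arial", "Verdana"] },
  { ...desktop, plugins: ["Flash 10.0", "Java 6", "QuickTime 7"], fonts: ["Arial", "Verdana"] },
  { ...desktop, plugins: ["Flash 10.0", "Java 6"], fonts: ["Arial", "Verdana", "Calibri"] },
  { ...desktop, screen: "1024x768", plugins: ["Flash 10.1"], fonts: ["Arial"] },
  { ...liveCd },
  { ...liveCd },
];

// Canonical string over the chosen attributes; two visitors with the same
// string cannot be told apart by a site that looks only at those attributes.
function fingerprint(visitor, fields = FIELDS) {
  return fields.map((f) => f + "=" + JSON.stringify(visitor[f])).join("|");
}

// For each visitor, the size of the group sharing its fingerprint
// (1 means the visitor is unique in the sample).
function anonymitySets(population, fields = FIELDS) {
  const prints = population.map((v) => fingerprint(v, fields));
  const counts = new Map();
  for (const p of prints) counts.set(p, (counts.get(p) || 0) + 1);
  return prints.map((p) => counts.get(p));
}

// Number of visitors that are unique under the chosen attributes.
function uniqueVisitors(population, fields = FIELDS) {
  return anonymitySets(population, fields).filter((n) => n === 1).length;
}

// Report: each attribute alone, then all of them combined.
for (const f of FIELDS) {
  console.log(f.padEnd(10), anonymitySets(visitors, [f]).join(" "));
}
console.log("combined".padEnd(10), anonymitySets(visitors).join(" "));
console.log("unique visitors:", uniqueVisitors(visitors), "of", visitors.length);
```

In this sample the first visitor shares every individual attribute with at least one other visitor, yet is unique once the attributes are combined; only the two visitors on the identical shared image stay indistinguishable from each other.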
The full paper will be delivered at the Privacy Enhancing Technologies Symposium (PETS 2010) in Berlin in July this year.