People frequently complain about cookies. They don’t like the idea that their actions are being tracked and watched, so they disable cookies outright. The thing is that cookies are really the least of your problems.
Cookies may be a good way to track people, but they are at least a known way. You can clear your cookies, disable them, manage them—and if you know enough, edit them.
More insidious tracking methods exist. One frequently talked about one these days is flash cookies, which can reset cookies upon deletion.
What really impressed me recently, however, was the EFF’s Panopticlick. This neat little web app scans your browser using methods available to any website and gives you information about how unique your “digital finger print” is. Every computer and browser I’ve tried it on (including using privacy modes) comes up with a unique fingerprint.
The theory behind this app is pretty neat—at least for the ubergeeky. It’s founded on the idea of informational entropy (roughly the number of possibilities that exist for a random variable).
From the EFF:
There is a formula to say how much:
ΔS = – log2 Pr(X=x)
Where ΔS is the reduction in entropy, measured in bits, 2 and Pr(X=x) is simply the probability that the fact would be true of a random person
By gaining more information about a person you can reduce the entropy level required to identify them.
In the case of computers, when surfing we give a lot of information about our browsers capabilities. By combining this information with data such as available fonts, installed plugins, and even privacy options, you reduce the information required to identify a single computer greatly. In most cases, even to 0.
My question for the EFF, though, is that while this is a fantastic way to identify some one, how well would it work to track some one?
Take the following situation:
I have Firefox on my netbook. As Im surfing I start getting annoyed at how much screen realestate the Google Toolbar takes, and how slow Firefox is, so I uninstall it. I also go through and uninstall a bunch of other plugins. Then I decide to add a bunch of font’s because, hey, I like fonts. Then I notice a neat privacy plugin so I install that, which in turn changes one of my various user data sets.
How well would this method cope?
Here’s the thing about fingerprinting. Fingerprinting is not when you acquire unique data, but when it gets permanent unique data. For instance, hair is a pretty poor item to finger print on, though its an incredibly unique data set—it changes to much. Fingerprints are fantastic because they almost never change (barring injury or what not).
The entropy model that the EFF uses appears to be good at distinguishing, but no so much at identifying. With enough distinguishing you can develop an identifiable profile, but if we begin to change data how accurately can we still track? Maybe I’ll delete my cookies, clear my fonts, try again, and see if it still registers me as unique…