January 28, 2010

Here in the States, today is “National Data Privacy Day.” Declared as such on this day a year ago by the U.S. Congress, this unofficial holiday is meant to remind teens and young adults about the importance of protecting their personal information online, particularly in the context of social networking.

What’s that? You didn’t know about NDPD? Yeah, neither did I: A bloke I know from the U.K. clued me in over instant message with a link to this Wikipedia page. Oddly enough, his note interrupted my reading of a story about how at least 30 congressional Web sites were defaced in apparent response to President Obama’s State of the Union address last night. Social networking, indeed. [Update, 1:29 p.m. The AP is now reporting 49 House sites were hacked].

Incidentally, I got interested in the mass defacement story while searching for a distraction from going through all the mail on my desk. Among the bills and other notices we received recently was  a notice from the National Archives and Records Administration. It seems someone had stolen or misplaced a hard drive from the Archives a while back that contained the Social Security information on my wife (the breach affected roughly 250,000 other people as well). Why did the NARA have my wife’s Social? She made the mistake of touring the White House during the Clinton administration.

I, for one, applaud Congress for its example in encouraging all of us to take a  moment to reflect — at least once a year — on just how little privacy most of us have in today’s online world, and how little control most of us have over the security of personal information that countless organizations hold about us.

Little children are sometimes taught that — just as no two snowflakes are exactly alike – each of us is unique and special. There’s ample evidence to suggest this is also basically true for our online selves as well.

According to the Electronic Frontier Foundation, a myriad of unique characteristics of our computer’s Web browser, installed software and plugins, and other data usually can be used to build a unique fingerprint for each Web surfer. The EFF explains:

What fingerprints does your browser leave behind as you surf the web?

Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.

When you visit a website, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?

To test its theory, the EFF has put up a website — Panopticlick — which will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of five million other configurations. Then, it will give you a uniqueness score — letting you see how easily identifiable you might be as you surf the web.

The results I got back from running the Panopticlick scan were somewhat unnerving:

Your browser fingerprint appears to be unique among the 109,895 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 16.75 bits of identifying information.

Awareness, as today’s pseudo-holiday reminds us, is half the battle. Want to learn more about how you can guard your personal information online? EFF’s Top 12 Ways to Protect Your Privacy Online is a good start. For the slightly more black helicopter crowd, the EFF’s Surveillance Self-Defense is a good primer.

20 thoughts on “Dear Snowflake: Happy ‘Data Privacy Day’

  1. Carl "SAI" Mitchell

    Interesting data:
    My Firefox config, with javascript blocked: Within our dataset of several hundred thousand visitors, only one in 784 browsers have the same fingerprint as yours.
    Currently, we estimate that your browser has a fingerprint that conveys 9.61 bits of identifying information.

    With JS on: Your browser fingerprint appears to be unique among the 126,463 tested so far.
    Currently, we estimate that your browser has a fingerprint that conveys at least 16.95 bits of identifying information.

    Lynx: Within our dataset of several hundred thousand visitors, only one in 10,559 browsers have the same fingerprint as yours.
    Currently, we estimate that your browser has a fingerprint that conveys 13.37 bits of identifying information.

    Links2: unique, 16.95 bits (same as my other uniques. Interesting.)

    Konquerer: Unique, same deal.

    So, browsing with JS off seems to be a good idea, and the textmode browsers are uncommon enough that they’ll show up as unique.

  2. Wladimir Palant

    Interesting that my plugin configuration (Mozilla Default Plugin and latest Flash version) is by far the most unique part of my data. Guess most people have more plugins?

    The problem about tracking people with these “fingerprints” – they can change. I can update my plugins or my browser, install new fonts (I guess that updating MS Office would have that effect), even change the color depth of my display (ok, that’s relatively rare these days). This makes the fingerprints unreliable for long-term tracking – unlike cookies that will survive anything short of a switch to a different browser (Flash “cookies” will survive even that). Given that most people don’t restrict cookies in any way, I think they will stay the tracking mechanism of choice for the foreseeable future.

  3. AlphaMack

    While on the topic of privacy, don’t forget to check out the EFF’s Surveillance Self-Defense Project over at .

      1. BrianKrebs Post author

        AlphaMack — See the last sentence of this blog post, where I recommend that link you had trouble posting there.

  4. wiredog

    Damn. I’m a unique little snowflake too.

    Speaking of privacy:

    OTOH, Vanity search on Google:
    “Results 1 – 10 of about 210,000 for $NameEveryoneCallsMe ” and the first 5 pages (at least) are for products.

    “Results 1 – 10 of about 188,000 for $MyRealName” and none of the first 5 pages are actually me.

    “Results 1 – 8 of 8 for $MyRealName +$HomeTown+$State” none of whom are me.

  5. JBV

    Okay, my browser fingerprint also appears to be unique, and there are at least 17.09 bits of identifying information – very similar to Brian’s results, even though I still use IE as the browser.
    Panopticlicks “defenses against fingerprinting” are really sketchy, and don’t have a lot of suggestions. I agree with you, Brian, that it’s really disconcerting to lose one’s privacy, but how *dangerous* is it in real time, right now?

  6. xAdmin

    Not sure exactly what personally identifiable information could be gleamed as I have multiple systems behind my one IP address on my DSL connection, which does actually change IP’s every few days. Unique snowflake or not, how exactly can they collate my personal information to the point where it becomes a privacy issue? I’m not so much worried about my personal systems which I have complete control over (they’re locked down as much as possible but still functional). It is others that I choose to provide personal info that I’m worried about (I DO NOT use social networking what so ever). But, again, to some extent, that’s out of my control and you shouldn’t fret to the point of losing sleep over it. You have to trust others to a certain extent. At the same time, take realistic measures to prevent your personal information from getting into the wrong hands. But, don’t get overly paranoid! (Some paranoia is useful!)

  7. Rodin

    It’s taken me a while to follow you over here from the WP and a little while longer than that to get caught up with your posts. Worth the effort though!

    I did a bit better than some:

    “Within our dataset of several hundred thousand visitors, only one in 393 browsers have the same fingerprint as yours.

    Currently, we estimate that your browser has a fingerprint that conveys 8.62 bits of identifying information.”

  8. DMoser

    Many of your links for articles (EFF, CNN) go to items that were authored almost a decade ago (2001, 2002). While the principles explained are similar, the names have changed and there is newer technology (Netscape, not FireFox?), I sort of expected something more current. However, there may not be anything more recent to link too.

  9. Jonathan

    Thanks to this test I’ve just discovered that Microsoft had installed an internet plug-in for “OfficeLive” (isn’t that still in beta and not even officially available?) on my system, which must have come with the last update to Office 2008 I performed. Not once was I asked if I wanted to install this and I’m bloody furious. It’s bad enough that I even have to use Office 2008 (it is complete, utter tosh) but it is worse that MS chose to go behind my back in such a sneaky and diabolical fashion. Damned scumbags.

  10. M Henri Day

    «Your browser fingerprint appears to be unique among the 223,259 tested so far.

    Currently, we estimate that your browser has a fingerprint that conveys at least 17.77 bits of identifying information.»

    The above rating corresponds precisely to that for my «Browser Plugin Details» – and, to my perhaps naive surprise, to that for my «System Fonts». Values for other parametres, such as «Time Zone», «Are cookies enabled ?» «Limited supercookie test», and «Screen Size and Colour Depth» are much less, with that for «HTTP_ACCEPT headers» somewhere in between. But how worried need we be ? 17.77 bits of information, corresponding to a little more than two bytes or, in other words a little more than the information needed to encode two letters in the alphabet, doesn’t seem a great deal. Given that, say, Echelon is busy sifting all my communications – and yours as well ! – for certain key words (strings), I’m not certain the above constitutes the greatest privacy invasion to which we are being subject….


    1. Solo Owl

      The “bits of information” feature is just the logarithm, base 2, of the number in the sentence “Your browser fingerprint appears to be unique among the N tested so far”.

      Based on the very limited sample in the comments, just about everyone is “unique”. As more people submit to the test, the “bits of info” scores will increase. Therefore I think this number, this smidgen of information is actually meaningless.

      What we should take away from this is simple. After a few days of service, any installation of an OS is as unique as its user (who has been adding software and extensions and plugins, and tweaking settings). No two humans are alike, so no two computers are alike.

      No way you can change that. No way you can completely hide, as the human species is highly social.

      1. M Henri Day

        Thanks for clearing that up, Solo Owl ! So the information provided by the third column is the same as that provided by the second column ; all one has to do is perform 2^x to derive the latter from the former. I can confirm that the «bits of identifying information» score does increase as more people take the text – now, for example, I am 0.11 points more frightened than I was when I posted above. I see I’d better not check again tomorrow !…


  11. AlphaCentauri

    Apparently only 1:332 people is using the most recent version of Firefox with Javascripts turned off. It’s not my privacy I’m worried about there so much as everyone else using more vulnerable browser configurations.

    I’m unique among nearly 250,000 people if I use IE8 but manually override the Internet settings to have the lowest privacy and security levels. But that probably just means that people with trojans that change their setting aren’t visiting the Electronic Frontier Foundation website.

  12. Seth Wisely

    fingerprinting is a kind of datamining. as such its vulnerable to the same kind of poisoning strategy: provide enough bad data and you’re bucket is devalued.

    FX could be rigged to ratchet up the chaos.

    @ AlphaCentauri

    re: security

    do not surf the web with admin privileges. that problem solved. sandox/vm is not sufficient alone.

    @ Wladimir Palant

    re: flash cookies / SOL

    firefox extension: BetterPrivacy. I wager the next version of FX will contain these features.

    I don’t want to be prompted about plug-ins so the only plug-in I have allowed to stay active is flash.

    (@..@others.. you can change your FX to not-scan for plug-ins and drop the flash bits in … to switch between flash versions to avoid breathing hollywood tainted AIR)

    @ mozilla

    I don’t want my browser to be info leaky, but you’re probably going to continue moving toward OpenID integration and creepy google-wave-like features.

    yay? no!

    why not? How many people choose flock OVER firefox? yeah.. so you can bet it won’t be popular with any other than itards and fanbois.

Comments are closed.