{"id":1089,"date":"2010-02-17T07:20:19","date_gmt":"2010-02-17T15:20:19","guid":{"rendered":"\/?p=1089"},"modified":"2010-02-17T07:25:28","modified_gmt":"2010-02-17T15:25:28","slug":"sorry-tomek-but-i-win","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1089","title":{"rendered":"Sorry Tomek, but I &#8220;win&#8221;"},"content":{"rendered":"<p>As I discussed <a href=\"\/?p=1086\">here<\/a>, the EFF\u00a0is running an <a href=\"http:\/\/panopticlick.eff.org\/index.php?action=log&amp;js=yes\" class=\"broken_link\">experimental site\u00a0<\/a>demonstrating that\u00a0browsers ooze an unnecessary\u00a0&#8220;browser fingerprint&#8221;\u00a0allowing users to be identified across sites without their knowledge.\u00a0 One can easily imagine this scenario:<\/p>\n<ol>\n<li>Site &#8220;A&#8221;\u00a0offers some service you are interested in and you release your name and address to it.\u00a0 At the same time, the site captures your browser fingerprint.<\/li>\n<li>Site &#8220;B&#8221; establishes a relationship with site &#8220;A&#8221; whereby,\u00a0when\u00a0it sends &#8220;A&#8221; a browser fingerprint, &#8220;A&#8221;\u00a0responds with the matching identifying information.<\/li>\n<li>You are\u00a0therefore unknowingly identified at site &#8220;B&#8221;.<\/li>\n<\/ol>\n<p>I can see\u00a0browser fingerprints\u00a0being used for a number of purposes.\u00a0\u00a0Some sites might use a fingerprint to keep track of you\u00a0even after you have cleared your cookies &#8211; and rationalize this as providing added security.\u00a0 Others\u00a0will inevitably\u00a0employ it for commercial purposes &#8211; targeted identifying customer information is high value.\u00a0\u00a0And the technology\u00a0can even be used for\u00a0corporate espionage\u00a0and cyber investigations.<\/p>\n<p>It is important to point out that like any fingerprint, the identification is only <span style=\"line-height: 115%; font-family: \">probabilistic<\/span>.\u00a0 EFF is studying 
what these probabilities are.\u00a0 In my original test,\u00a0my browser\u00a0was unique in 120,000 other browsers &#8211; a number I found very disturbing.<\/p>\n<p>But friends soon wrote back to\u00a0report that their browser was\u00a0even &#8220;more unique&#8221; than mine!\u00a0 And\u00a0going through\u00a0my feeds today I saw a <a href=\"http:\/\/blogs.dirteam.com\/blogs\/tomek\/archive\/2010\/02\/09\/is-your-browser-cheating-on-you.aspx\" class=\"broken_link\">post <\/a>at <a href=\"http:\/\/blogs.dirteam.com\/blogs\/tomek\" class=\"broken_link\">Tomek&#39;s DS World<\/a> where he reported a staggering\u00a0fingerprint uniqueness of 1 in 433,751:<\/p>\n<p>\u00a0 <img loading=\"lazy\" src=\"\/wp-content\/images\/2010\/02\/tomek_browser.jpg\" alt=\"\" width=\"500\" height=\"74\" \/><\/p>\n<p>It&#39;s not that I really think of myself as super competitive, but these results were so extreme I decided to take the test again.\u00a0 My new score is off the scale:<\/p>\n<p><img src=\"\/wp-content\/images\/2010\/02\/browser_kim_17_12.gif\" alt=\"\" \/><\/p>\n<p>Tomek ends his post this way:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;So a browser can be used to identify a user in the\u00a0Internet or to harvest some information without\u00a0his consent. Will it really become a problem and will it be addressed in some way in browsers in\u00a0the future? 
This question has to be answered by people responsible for browser development.&#8221;<\/p>\n<p>I have to disagree.\u00a0 It is already a problem.\u00a0 A big problem.\u00a0\u00a0These outcomes weren&#39;t\u00a0at all obvious in the early days of the browser.\u00a0 But today the writing is on the wall and needs to be addressed.\u00a0 It&#39;s a matter right at the core of\u00a0delivering on\u00a0a trustworthy computing infrastructure.\u00a0 \u00a0 We need to evolve the world&#39;s browsers to employ minimal disclosure, releasing only what is necessary, and never providing a fingerprint without the user&#39;s consent.<\/p>\n<p>\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>These results are sad and staggering<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,17,71,47,40,11,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1089"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1089"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1089\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1089"}],"
curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}