The Electronic Frontier Foundation (EFF) has published results from a study of nearly half a million website visitors’ browsers and concluded that the configuration details browsers expose to the sites we visit are close enough to unique to identify repeat visitors with a high degree of accuracy, even if cookies are deleted.
Highly granular version numbers of installed plug-ins and the seemingly random order of installed-font lists were the primary offenders. The EFF has concluded that the most viable remedy may be consumer pressure applied to software vendors to change these practices. Even if you’re not particularly concerned about privacy on this level, the findings are quite interesting.
Flash and Java were the primary examples provided as identifiers. These plugins expose version numbers more detailed than users need, in order to maximize developer convenience when debugging, the organization says. The EFF’s tests were fairly sophisticated, but the organization says there are already companies selling commercial software that claims to track browser fingerprints.
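To make the two offenders concrete, here is an added example (not from the EFF report or this article's sources) that measures how many browsers in a small constructed sample are uniquely identifiable, and how that changes when plug-in versions are coarsened and font lists are sorted. The version strings, font lists and function names are all made up for illustration.

```python
from collections import Counter
from math import log2

# Constructed sample (not EFF data): Flash version, Java version,
# and the font list in the order the plug-in reported it.
SAMPLE = [
    ("10.0.45.2",  "1.6.0_17", "Arial,Courier,Georgia,Verdana"),
    ("10.0.45.2",  "1.6.0_17", "Georgia,Arial,Verdana,Courier"),
    ("10.0.42.34", "1.6.0_18", "Arial,Courier,Georgia,Verdana"),
    ("10.0.42.34", "1.6.0_17", "Verdana,Georgia,Arial,Courier"),
    ("10.0.32.18", "1.6.0_20", "Courier,Arial,Georgia,Verdana"),
    ("10.0.45.2",  "1.6.0_18", "Arial,Georgia,Courier,Verdana"),
    ("10.1.53.64", "1.6.0_20", "Arial,Courier,Georgia,Verdana,Tahoma"),
    ("10.0.45.2",  "1.6.0_17", "Arial,Courier,Georgia,Verdana"),
]

def fingerprint(browser, coarse_versions=False, sort_fonts=False):
    """Return the tuple a site could compare across visits."""
    flash, java, fonts = browser
    fonts = fonts.split(",")
    if coarse_versions:
        # Hypothetical vendor-side fix: report only the major release.
        flash = flash.split(".")[0]
        java = ".".join(java.split(".")[:2])
    if sort_fonts:
        # Hypothetical vendor-side fix: report fonts in a fixed order.
        fonts = sorted(fonts)
    return flash, java, tuple(fonts)

def measure(browsers, **mitigations):
    """Return (browsers with a one-of-a-kind fingerprint, entropy in bits)."""
    groups = Counter(fingerprint(b, **mitigations) for b in browsers)
    n = len(browsers)
    unique = sum(1 for size in groups.values() if size == 1)
    entropy = -sum(size / n * log2(size / n) for size in groups.values())
    return unique, round(entropy, 3)

if __name__ == "__main__":
    for opts in ({}, {"coarse_versions": True}, {"sort_fonts": True},
                 {"coarse_versions": True, "sort_fonts": True}):
        print(opts or "as reported", measure(SAMPLE, **opts))
```

In this sample either change alone still leaves five of the eight browsers unique; only both together collapse them into one large group, with the browser that has an extra font installed remaining distinguishable.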
Reasonable Expectations?
Readers will need to decide for themselves whether the understanding of privacy found in the report is reasonable by their standards. The report notes that cookies, for example, are valuable as a way to deliver certain features, but suggests that users somehow balance that with privacy concerns. The EFF’s stance on cookies can seem downright antiquated at times, though. “There is growing awareness among web users that HTTP cookies are a serious threat to privacy,” the organization writes, “and many people now block, limit or periodically delete them.”
While the ability to visit websites anonymously remains an important part of democratic communication and the preservation of liberty, more contemporary privacy debates tend to focus on sites sharing user data with third parties without consent. Nonetheless, the fact that individual users’ browsers have nearly unique fingerprints is disconcerting.
The EFF’s call for software developers to stop using such granular version numbers might be reasonable, or it might be contrary to the core of software development culture. Likewise, the random ordering of installed font lists seems like an indication of the futility of expecting privacy as a casual user of such complex software with so many variables in play.
What do you think? Should users demand that browser and plugin software providers account for this dilemma or is the EFF barking up the wrong tree on privacy?