The Electronic Frontier Foundation (EFF) investigated the extent to which modern web browsers are subject to "device fingerprinting" through version and configuration information they transmit to websites. They implemented a fingerprinting algorithm and collected fingerprints from 470,161 browsers. The results showed that the distribution of fingerprints contained at least 18.1 bits of entropy, meaning that if a browser is randomly selected, only one in 286,777 other browsers would share its fingerprint. For browsers with Flash or Java, the entropy was higher, with an average of 18.8 bits, and 94.2% of these browsers were unique in the sample.
The study also found that browser fingerprints change rapidly, but a simple heuristic could often guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% accuracy and a 0.86% false positive rate. Browser fingerprinting poses a privacy threat as it can be used to track users even when cookies are blocked or limited. However, some privacy measures may be self-defeating if not used by enough people.
The paper discusses the trade-off between privacy and debuggability in browsers, noting that current browsers are heavily weighted towards debuggability. It also highlights that fingerprinting can be used in combination with other data for more context-specific tracking. The study found that browsers with Flash or Java had higher entropy and were more identifiable. The paper also discusses the use of fingerprints to distinguish machines behind a single IP address and the potential for fingerprinting to be used as a cookie regenerator.
The methodology involved collecting browser fingerprints and analyzing their entropy and stability. The results showed that most browsers had unique fingerprints, with 83.6% of browsers in the sample having unique fingerprints. The study also found that fingerprints changed frequently, but a simple algorithm could often guess when a fingerprint was an upgraded version of a previously observed one. The paper concludes that browser fingerprinting is a powerful tracking technique that should be considered alongside cookies and IP addresses when discussing web privacy. It recommends that browsers reduce fingerprintability, particularly at the JavaScript API level, and that policymakers treat fingerprintable records as potentially personally identifiable.The Electronic Frontier Foundation (EFF) investigated the extent to which modern web browsers are subject to "device fingerprinting" through version and configuration information they transmit to websites. They implemented a fingerprinting algorithm and collected fingerprints from 470,161 browsers. The results showed that the distribution of fingerprints contained at least 18.1 bits of entropy, meaning that if a browser is randomly selected, only one in 286,777 other browsers would share its fingerprint. For browsers with Flash or Java, the entropy was higher, with an average of 18.8 bits, and 94.2% of these browsers were unique in the sample.
The study also found that browser fingerprints change rapidly, but a simple heuristic could often guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% accuracy and a 0.86% false positive rate. Browser fingerprinting poses a privacy threat as it can be used to track users even when cookies are blocked or limited. However, some privacy measures may be self-defeating if not used by enough people.
The paper discusses the trade-off between privacy and debuggability in browsers, noting that current browsers are heavily weighted towards debuggability. It also highlights that fingerprinting can be used in combination with other data for more context-specific tracking. The study found that browsers with Flash or Java had higher entropy and were more identifiable. The paper also discusses the use of fingerprints to distinguish machines behind a single IP address and the potential for fingerprinting to be used as a cookie regenerator.
The methodology involved collecting browser fingerprints and analyzing their entropy and stability. The results showed that most browsers had unique fingerprints, with 83.6% of browsers in the sample having unique fingerprints. The study also found that fingerprints changed frequently, but a simple algorithm could often guess when a fingerprint was an upgraded version of a previously observed one. The paper concludes that browser fingerprinting is a powerful tracking technique that should be considered alongside cookies and IP addresses when discussing web privacy. It recommends that browsers reduce fingerprintability, particularly at the JavaScript API level, and that policymakers treat fingerprintable records as potentially personally identifiable.