Posts Tagged ‘Internet Privacy’

Does Your Browser Threaten Your Privacy?

Posted on May 18th, 2010 by Tom Grubb

The Electronic Frontier Foundation wants to let you in on a little-known fact about your browser: it talks behind your back. The secret’s out thanks to a newly published study from a project EFF calls Panopticlick that set out to show how your browser can be used as a way to uniquely identify your computer.

This research project, which kicked off in January, demonstrates how anonymous data from your browser can be used to identify your computer. EFF created a web application that “will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of many other Internet users’ configurations” to derive a uniqueness score that indicates how identifiable your computer is among a population of similarly logged computers. I’ve been following the Panopticlick story and writing about it since March in this blog and in Security Week.
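To make the uniqueness score described above concrete, here is an added example (not EFF's code and not part of the original post) that compares one visitor's configuration with a logged population. The attribute names, the sample records and the choice of surprisal (minus log2 of the share of logged browsers with the same configuration) as the score are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample data: one dict per logged browser configuration.
# Attribute names and values are illustrative assumptions, not EFF's schema.
ATTRIBUTES = ("user_agent", "plugins", "timezone")
POPULATION = [
    {"user_agent": "UA-A", "plugins": "P1", "timezone": "-480"},
    {"user_agent": "UA-A", "plugins": "P1", "timezone": "-480"},
    {"user_agent": "UA-A", "plugins": "P1", "timezone": "-300"},
    {"user_agent": "UA-A", "plugins": "P2", "timezone": "-300"},
    {"user_agent": "UA-B", "plugins": "P1", "timezone": "0"},
    {"user_agent": "UA-B", "plugins": "P2", "timezone": "0"},
    {"user_agent": "UA-C", "plugins": "P3", "timezone": "60"},
]

def fingerprint(record):
    """Combine the logged attributes into one comparable value."""
    return tuple(record.get(a, "") for a in ATTRIBUTES)

def surprisal_bits(count, total):
    """Bits of identifying information for a value seen `count` times in `total`."""
    return -math.log2(count / total)

def uniqueness_report(visitor, population):
    """Score a visitor against the population, counting the visitor's own record."""
    everyone = population + [visitor]
    total = len(everyone)
    same = Counter(fingerprint(r) for r in everyone)[fingerprint(visitor)]
    per_attribute = {}
    for attr in ATTRIBUTES:
        counts = Counter(r.get(attr, "") for r in everyone)
        per_attribute[attr] = surprisal_bits(counts[visitor.get(attr, "")], total)
    return {
        "anonymity_set": same,        # browsers sharing this exact fingerprint
        "one_in": total / same,       # "one in N browsers looks like yours"
        "bits": surprisal_bits(same, total),
        "unique": same == 1,
        "per_attribute_bits": per_attribute,
    }

if __name__ == "__main__":
    # Each value below is shared with other records, yet the combination is unique.
    visitor = {"user_agent": "UA-A", "plugins": "P3", "timezone": "0"}
    print(uniqueness_report(visitor, POPULATION))
```

The visitor in the `__main__` block shows why combining attributes matters: no single value is rare enough to single the browser out, but the combination matches no other record in the sample.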

An article by Robert McMillan that appeared in ComputerWorld yesterday delves into EFF’s research and the privacy issues raised by the notion that a web site can stealthily identify and track your computer using your browser. The big “aha” reported in the news is that web sites can track you by way of your browser—a convenient discovery in light of Gartner analyst Avivah Litan’s prediction that Flash cookies will eventually lose their effectiveness as a means to identify a computer, since Adobe has opened up control over Flash cookies so users can control their privacy. The important question isn’t how a website references your computer to track you (cookie, LSO, browser, etc.)—it’s whether the site has made it clear to you what it is doing and for what purpose.

To illustrate, suppose my favorite online electronics etailer wants to profile my computer (browser, cookie, LSO, whatever) as a means to monitor my purchasing behavior. In this scenario I want them to tell me that they are tracking me, and what they will or won’t do with my data. Now, if the same etailer is profiling my computer to protect me (and their business) from fraud, I also want to know about it, I want to know what they’re doing with my data, and I’m glad to see that they’re taking steps to protect me. The same scenario for online banking underscores this point because of the higher risk and greater loss potential. I would feel much better going online to bank if my bank profiled my computer and gave it a unique identity, so that if someone else is trying to use my (stolen) personal credentials to log in to my accounts from a computer other than mine, the bank can intervene.

Web sites of all stripes use cookies and IP addresses to identify you by your Internet connection and your computer—banks, SaaS applications, content providers, internet retailers and so on. I know too much about how easy it is to fool/get around/spoof/defeat these flimsy handles to trust them. I would rather they employ a far more reliable method to profile my computer—you guessed it, ThreatMetrix, because how a website profiles and references your computer is very important after all.

- Tom