
 Can websites personally identify visitors? - goatcurious
https://plus.google.com/u/1/106142598193409336347/posts/2jLJ5B4yPYF
======
uptown
Online anonymity is pretty much gone. You can uniquely identify most visitors
without cookies using a bunch of other exposed attributes.

This site shows you how unique your system appears:
<http://panopticlick.eff.org/>

When you combine things like screen resolution, installed fonts, etc. you get
a pretty unique profile of each person.

Bruce Schneier addresses the topic here:
<http://www.schneier.com/blog/archives/2010/01/tracking_your_b.html>

How UberVu mapped this back to an actual email address is a separate matter -
but I'm guessing they used the profile of his machine and connected it to a
matching profile they had access to from some site he does authenticate with.

Now extend that concept to Google. They've got their digital hooks on millions
of sites using Google Analytics. They can map those hits back to an IP address
that correlates to a GMail login and get a pretty good idea about where else
their users browse.

~~~
notatoad
Panopticlick is a bunch of fearmongering nonsense. I'm on an iPad right now,
and they tell me that "only one in 350000 browsers has the same fingerprint as
mine". All fully-updated iPads have the exact same fingerprint, you can't even
come close to uniquely identifying me with that.

~~~
tghw
You're forgetting localization. Your timezone alone makes you more
identifiable. Add in your IP address and you're pretty identifiable. Not to
mention that iPads don't really have any private browsing mode.

~~~
flxmglrb
> Not to mention that iPads don't really have any private browsing mode.

Safari on iOS certainly does have "private browsing". Just go to the Settings
app and select "Safari" from the top level and it's the first setting under
the "Privacy" (just below the "General" section). When it's enabled, the
browser looks different to let you know -- the normally gray bezel UI becomes
black. This has been a feature ever since iOS 5.0 was released in 2011.

More info here: <http://support.apple.com/kb/HT1677>

~~~
chiph
I just tried Panopticlick both before and after enabling private browsing in
Safari (Mac OS X) and the site identified the same number of identifiable
pieces of information about me. So it looks like that has no effect.

Which sort of makes sense - the info it's looking at is basically the header
info. Screen size, installed fonts, IP address, and so on. It's not relying on
cookies, as cookies can't be seen/read across domains (you can't tell I'm an
Amazon customer if I just visit you out of the blue).

~~~
justincormack
You used to be able to by reading back CSS styles of visited links. May be
fixed now.
<http://blog.adrianroselli.com/2010/03/mozilla-to-modify-how-css-visited-works.html?m=1>

~~~
cynwoody
It is fixed.

CSS may color visited links red, but they hacked getComputedStyle to return
the normal color instead. So, you can't tell if that link to Amazon you just
created is visited or not.

And you can no longer set, for example, font-weight:bold for visited links,
because that would change the size of the element, and they decided, unlike in
the color case, that it would be too complicated to get all the APIs to lie
about the new geometry.

~~~
justincormack
Is it fixed in all browsers?

------
NiekvdMaas
Looking at the <http://ubervu.com/> website, it seems they are using a
tracking service hosted on <http://trackalyzer.com/>. This is a privately
registered domain (there is no index page either), but from
<http://trackalyzer.com/w3c/policy1.xml> we can derive that this service is
operated by LeadLander.com.

The LeadLander product seems to identify users by company name (most likely by
checking the IP address/netblock) and then "integrates" with LinkedIn and
Jigsaw in order to contact (spam?) the users by email (see:
<http://www.leadlander.com/web_analytics.asp>).

Definitely interesting, but legal? Not very likely...

~~~
Cieplak

        f :: IPAddress -> [Maybe EmailAddress]
    

I am guessing that in order to get this function to work, the ad company would
have a contract with a company such as LinkedIn or Twitter, who can perform
this mapping, based on their server logs.

~~~
chm
Which would be quite vile.

~~~
kordless
And probably illegal.

------
uptown
UberVU Response:

For the life of me, I can't figure out how to link directly to a specific
reply in Google+, but here's the reply from UberVU:

"Elisabeth Michaud Hi Sumit - Elisabeth from uberVU here (I also run the
uberVU twitter account where we were chatting earlier). Niek is right that we
have been using a tool called LeadLander (based in San Francisco) to help us
connect with companies who visit our site. We take privacy very seriously and
definitely don't want visitors to our site to feel we are overstepping our
boundaries. As such, we've decided as a team to discontinue our use of
LeadLander and focus our efforts on other ways to engage website visitors. You
won't see any further emails from us, and these changes will be implemented
globally.

If you have any further concerns, don't hesitate to reach out to me at
<redacted>"

~~~
mwill
Wow that seems like a pretty sweeping change from a post and thread on G+. I'm
wondering if they were seeing much value from those kinds of emails?

It seemed like it would be effective overall, considering their product and
audience, so I'm surprised they backed away from it so quickly.

------
seestheday
I run analytics for a major enterprise and have had this technology pitched to
me for years. It is a very common practice for B2B lead gen.

That said, don't believe the sales copy on their websites. They will tell you
that they can reliably identify the individual, but that is horseshit.

They usually maintain and/or purchase access to lists of people who work at
companies and have relevant job titles. The lists are captured from multiple
sources ranging from stuff publicly posted on company websites to business
cards collected (and sold) at trade shows/conferences. There are lots of other
sources and I'm sure this audience can think of many on their own.

Company/IP/ID can be gleaned from either an IP block or someone who registered
to download a free report or other content from a partner site at some prior
time.

Sure you'll sometimes get the contact for the exact person that browsed the
site, but you'll often get it wrong. That said, it could still be valuable to
contact someone at the company about your services, because if one person is
looking into it, then someone else might be interested too.

The tech/idea certainly isn't new - I've been getting pitched it for 5+ years.

------
antoncohen
Does anyone know for sure that cookies or browser uniqueness were exploited to
identify the visitor? I've used LeadLander, and as far as I can tell
LeadLander and Relead both use reverse DNS to find what company the visitor is
from. They track what pages the visitor goes to, and time spent (Google
Analytics style). Plus "helpful" information like the company's location, and
publicly available info about who works there.

That sort of information doesn't feel creepy to me, it's basically what you
could do manually with info from the server logs and lots of searching (DNS,
Google, LinkedIn).

 _If_ they are using information from another website where the user is
logged-in to get the contact information it might be illegal, as it is likely
that the first website's privacy policy doesn't say they are giving away that
information. If company X uses LeadLander, and LeadLander gathers a user's
email address from them, then gives that address to company Y when the same
person visits, company X might be breaking the law because they are giving
away personal information without stating it in their privacy policy. And
privacy policies are required by California law.

------
Samuel_Michon
Title: _"Can websites personally identify visitors?"_

Links to: _plus.google.com_

That's hilarious.

------
klearvue
I've no idea if their service actually works but if it does, it's illegal in
the EU and it would also be illegal for their clients to use such information
to e-mail those visitors.

EDIT: talking about relead.com mentioned in a g+ reply.

~~~
huskyr
That relead.com stuff seems pretty scary:

"Unmatched in quality and accuracy We can track exactly WHO is visiting your
website, and how valuable or interested they are in your business"

"See complete company profiles of your visitors: Company Name, Industry, Size.
We'll also be adding Credit Risk soon."

~~~
kawera
And the animation in their home is pretty sinister too.

~~~
g-garron
Kind of reminds me of The Wall (Pink Floyd)

------
wiremine
Reposting the paper referenced in the G+ thread:

<https://panopticlick.eff.org/browser-uniqueness.pdf>

From the paper:

"By observing returning visitors, we estimate how rapidly browser fingerprints
might change over time. In our sample, fingerprints changed quite rapidly, but
even a simple heuristic was usually able to guess when a fingerprint was an
'upgraded' version of a previously observed browser's fingerprint, with 99.1%
of guesses correct and a false positive rate of only 0.86%"

------
mtgx
Apparently, yes:

<http://venturebeat.com/2012/12/08/anonymous-tracking-now-includes-knowing-your-name-email-address-and-everything-about-you-just-not-your-full-browsing-history/>

------
kijin
> _I did not ... connect with any of their social media properties_

What do you mean by "connect"? Do you mean you didn't _visit_ any of UberVu's
social media pages, or that you didn't _load_ any of the tracking-related
assets that their website includes? Right now, Ghostery is reporting 5
tracking-related assets on their home page, including something called
LeadLander. Click around a bit, and you might even come across assets that are
loaded directly from a social media service that you use. Or maybe your
browser willingly supplied personally identifiable information to them without
telling you about it. Like auto-completing some fields in a hidden form, or
automatically connecting to an identity provider that the website happens to
support.

Every time I try Panopticlick [1], it tells me that my browser is unique among
millions. I guess it means I'm leaving greasy fingerprints everywhere I go,
even with AdBlock and Ghostery enabled, and even without logging in anywhere.

[1] <https://panopticlick.eff.org/>

~~~
pestaa
I'd say using AdBlock and Ghostery greatly increases the chance you're
uniquely identifiable, provided there is a client-side (perhaps non-Java) test
to list the browser plugins you use.

At least that is the worst offender to my identity, revealing 21.29+ bits of
information.

~~~
goodside
Trying to strip all identifying bits from your browser is a fool's errand.
Strictly speaking, all web users are uniquely identified by the combination of
IP address and the timestamp of an HTTP GET. The only reason that's not
_practically_ an identifier is that web sites don't have access to the ISP
logs necessary to resolve ('192.0.2.0', 'www.example.com', 1354989355) back to
you. The question you should be asking is how likely it is that the specific
website you're visiting, as opposed to a third-party partner, is snooping your
Chrome plugins so it can later resolve your identity against the databases of
other websites that you've explicitly visited, who also snoop such data
themselves, so that both businesses could identify the extreme minority of
users who go to this much trouble to protect their privacy. You're much better
off with that risk vs. having dozens of third-party cookies hovering around
you.

------
netdog
There was a time, in the not-too distant past, when the Internet was mostly
about sharing educational information.

Sadly, the Internet is now full of companies who want to use it as a vehicle
for advertising and who are obsessed with building up a dossier on as many
people as possible, to exploit for financial gain. Your privacy means nothing
to these companies; they will collect as much information about you as
possible, with no regard for your wishes.

I take active countermeasures against these hostiles. I browse with javascript
disabled. I don't have flash installed. I don't accept cookies blindly. I
adjust my user agent. I run my own DNS server and cache and have hundreds of
sites blackholed, including facebook, google analytics, and all the major ad
servers.

It's some trouble to set all this up, and inconvenient at times. But
unfortunately it's a jungle out there, and the default setup of browsers
leaves you like a naked person in a mosquito-infested swamp.

------
throwaway125
Reducing the uniqueness of a browser's fingerprint seems like a more valuable
privacy investment than a DNT header that may or may not be adhered to by the
websites you visit. Are any of the major web browsers actively working on
this?

~~~
lumberjack
There are add-ons and extensions available. To give an example I have an old
Firefox setup here with these add-ons: RefControl (forge referrer),
UserAgentSwitcher (user agent manipulation), NoScript (block all scripting and
therefore many tracking scripts), AdBlock (not sure if this helps to be
honest), CookieMonster (easy cookie management), RequestPolicy (blocks requests
from your browser, helps with cross site scripting attacks; note this add-on
makes for a painful user experience unfortunately). Of course Java and Flash
are disabled but if you don't want to disable them there are add-ons like
BetterPrivacy for Flash that deal with them too. Note this setup is somewhat
outdated and I have not kept up with recent developments. Finally all of this
is useless if you don't also proxy your IP.

------
paulgb
It could be that they're taking advantage of a third-party service that he's
signed up for. For example, Google Docs used to show a user's email when they
clicked a link to a document that you created (it's anonymised now)

------
selectout
Quick privacy scan of their homepage only shows scripts being launched from 6
different companies and tracking cookies from Optimizely and themselves (along
with Google Analytics).

This actually has fewer than the average for tracking cookies placed on a
homepage yet they are able to uniquely identify you. Privacy isn't gone on the
web, but it is getting harder by the day. Some data can be passed outside of
cookies and just through loading the scripts, but in general this site seems
to be much ahead of average. (~10 unique domained scripts and ~7 unique
domained cookies).

------
ubojan
Can we share tips for "feeding" a browser with fake data and keeping some
level of anonymity? For example, I noticed that one of the factors for
Panopticlick is time zone. This is easily faked with changing a time zone on
your computer and then starting a browser. You can fake IP address with
anonymous proxies and change user agent in browser settings. Is there a way to
change/fake plugin and fonts list as these are worst offenders regarding
fingerprinting?

~~~
97-109-107
Yes, there are two small projects that I know about for Firefox: Firegloves
<https://addons.mozilla.org/en-US/firefox/addon/firegloves/> and Blender
<https://addons.mozilla.org/en-US/firefox/addon/blender-1/?src=search>

------
jasonkolb
I don't think it's hard right now to get information on a visitor's company if
they work somewhere large enough to have their own public IP block.

What I would love to know is how they take that and get an email address out
of it. Which 3rd party are they working with that 1) had the IP -> email
address link, or this guy logged in and 2) is willing to share that data with
a 3rd party?

~~~
rebelde
I've been told that, if you buy something online, some vendors sell your
information (like email and postal addresses) tied to a 3rd party cookie on
your browser.

Now, any site you visit that is able to check that 3rd party cookie knows all
about you.

I don't know which 3rd parties do it, though.

------
dholowiski
As an operator of a large web site, I was once pitched a product like this.
Basically it used various sources to gather as much personally identifying
information as possible from your visitors, right down to name, email address,
address and phone number (where possible).

Super creepy, chewed the sales person out and told them to go away. But this
is a thing.

------
datamaze
Does anyone know where they are buying these data sets that link browser
characteristics to personally identifiable information? Obviously, companies
like Linkedin and Facebook have these data sets but I can't imagine them
selling that information.

------
steve8918
This is pretty scary. Is there a web page I could go to that would identify
what information they have about me?

------
forkrulassail
TOR

<https://www.torproject.org/index.html.en>

~~~
VMG
Your browser still provides a pretty unique fingerprint.

~~~
nwh
Tor uses either an isolated browser or VM. You'd be moronic to use the same
browser both in and outside of the onion router.

------
desbest
I can identify the name and address of at least 50% of the people who use my
websites.

------
mylittlepony
I don't think they are using browser uniqueness. I mean where would they get
the fingerprint/email pairs from?

Everyone should use Firefox and install/do these:

- BetterPrivacy (removes supercookies)

- RefControl (to stop sending http referrers)

- User Agent Switcher (just in case)

- HTTPS-Everywhere

- Disable third party cookies in Preferences > Privacy

- Use a VPN

- Change Google for StartPage

- Use fake accounts (eg: youtube) and emails (dispostable.com) whenever
possible. This is very easy if you have a password manager like LastPass, you
don't have to remember many passwords.

With all this, you can surf the web quite safely, unless someone with your ID
is creating a shared database of fingerprint/ID pairs. In that case you will
also have to remove all your other plugins or use NoScript.

~~~
18pfsmt
This is good advice, but I would add Request Policy (if using Firefox) or
Ghostery (if using Chrome; I would also suggest using Chromium instead of
Chrome). I believe NoScript is also a must, but it does take some work to
whitelist the sites you trust.

It took me a half hour to explain how to use NoScript to a non-technical
person the other day. This stuff is not intuitive, and it will take time to
educate our friends and family. Now that Facebook has made it acceptable for
normal folks to be social on the web, we must be persistent in teaching these
people to protect themselves.

~~~
mylittlepony
Wow, I didn't know about Ghostery and Request Policy. Been testing them and
they are awesome, thanks a lot!

------
martinced
Is there a VM offering preconfigured browsers being identical for everybody?
Same JavaScript settings, same (VM) screen resolution, same browser size...
Make it fixed and use that VM _only_ for browsing...

That would not prevent all types of tracking but it give people using
panopticlick-like tracking techniques a few headaches...

~~~
andrewaylett
The TOR browser bundle is probably the closest thing at the moment, but there
probably aren't all that many people using it, at least compared to the
Internet population at large.

<https://www.torproject.org/projects/torbrowser.html.en>

~~~
nwh
Go further with Tails.

A virtual machine or USB boot disk that allows nothing to be written to disk,
and destroys all the memory contents on shutdown. Oh, and all connections are
forcefully proxied through TOR.

<https://tails.boum.org/>

