Your Web browser's fingerprints can betray you, study finds

Test reveals that unique browser configurations can allow tracking without the use of cookies

Browsers have fingerprints, too, which means that Web sites could be able to identify and track visitors even without the use of cookies or super cookies, according to a recent study by the Electronic Frontier Foundation.

EFF set up a test site for what it calls its Panopticlick project and invited people to take part. Of the 470,161 visitors who did, 83.6 percent of the browsers had a unique fingerprint, EFF’s report said. And 94.2 percent of the browsers with Flash or Java installed were identified as unique.

The test collected information on visiting browsers – such as type of browser, operating system, screen resolution, browser plug-ins and system fonts – and compared it to EFF’s extensive list of configurations. Browsers with Java installed make it easier to identify such things as screen resolutions, and Flash can give up the system fonts, which is why those browsers were easier to identify. Taken together, the configurations often add up to a unique fingerprint that could identify the browser when it visits another site.
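To see how attributes that are individually common combine into a fingerprint that few or no other browsers share, the following added example (not code from EFF or from this article) measures uniqueness over a small constructed set of browser records. The sample data, the field names and the use of Shannon entropy as the measure are assumptions of this example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: (user agent, screen, plug-ins, fonts) for eight visitors.
FIELDS = ("user_agent", "screen", "plugins", "fonts")
SAMPLE = [
    ("Firefox/3.6 Windows", "1280x1024", "Flash,Java", "Arial,Calibri,Verdana"),
    ("Firefox/3.6 Windows", "1280x1024", "Flash,Java", "Arial,Verdana"),
    ("Firefox/3.6 Windows", "1024x768", "Flash", "Arial,Verdana"),
    ("Safari iPhone", "320x480", "", ""),
    ("Safari iPhone", "320x480", "", ""),
    ("Safari iPhone", "320x480", "", ""),
    ("IE/8 Windows", "1280x1024", "Flash", "Arial,Calibri,Verdana"),
    ("IE/8 Windows", "1280x1024", "Flash,Java", "Arial,Calibri,Verdana"),
]

def fingerprint(record):
    """Hash the combined attributes into a single identifier."""
    return hashlib.sha256("\x1f".join(record).encode()).hexdigest()

def anonymity_sets(records):
    """Map each fingerprint to the number of browsers that share it."""
    return Counter(fingerprint(r) for r in records)

def unique_fraction(records):
    """Fraction of browsers whose fingerprint nobody else in the set has."""
    sets = anonymity_sets(records)
    return sum(1 for n in sets.values() if n == 1) / len(records)

def entropy_bits(values):
    """Shannon entropy of a distribution of observed values, in bits."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def report(records):
    """Return per-attribute entropy, combined entropy and unique fraction."""
    per_field = {name: entropy_bits(r[i] for r in records)
                 for i, name in enumerate(FIELDS)}
    return per_field, entropy_bits(records), unique_fraction(records)

if __name__ == "__main__":
    per_field, combined, unique = report(SAMPLE)
    for name, bits in per_field.items():
        print(f"{name:<11}{bits:.2f} bits")
    print(f"combined   {combined:.2f} bits, {unique:.1%} unique")
```

In this sample no single attribute separates the desktop browsers, yet all five end up with a fingerprint of their own, while the three uniform iPhone browsers share one.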

“In general, modern desktop browsers fare very poorly,” in terms of protecting privacy, the report said.

The browsers that were the least unique, and therefore the most difficult to identify, were those with JavaScript disabled, those using TorButton (an add-on that protects privacy), and iPhone and Android browsers, which the report said are more uniform than other browsers. However, iPhone and Android browsers don’t have good cookie control, so those users are subject to tracking anyway, the report said.

The idea of browser fingerprints isn’t new, but the report puts a number on how many browsers could be tracked without cookies. And although it’s uncertain whether many Web sites are using fingerprinting to track visitors, some banking, e-commerce and social Web sites have been using this kind of tracking in incidents of suspected fraud.

At any rate, the study shows that users are not as anonymous as they might have thought, even if they’re careful about blocking cookies.

“Policy-makers should start treating fingerprintable records as potentially personally identifiable,” the EFF report concluded, “and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms.”

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

