Fear Your Browser, Episode 4: Your Browser’s Fingerprint

I left you last time (I hope) in a tantalizing state of uncertainty: Browser fingerprint? What the heck is that? You should take a gander at Mark Gibbs’ article, “What your browser says about you”, at

http://www.networkworld.com/community/node/57162?page=1.

He discusses a concept that’s blinding in its obviousness, since hardly anyone has thought of the ramifications. So far.

The idea is this: your browser gives quite an array of information to any web server it contacts, including OS and browser version, personalizations and cookies, security settings and plugins. Their potential usage is completely different from clickpath records: they can be used to pin you (or some vanishingly small number of other people with the same browser fingerprint) as being at a certain place at a certain time, using a certain connection and a certain computer, visiting a specific site and entering specific data. All of which can be subpoenaed.

If you haven’t tested your browser by now, go visit Panopticlick at https://panopticlick.eff.org/ so you can see for yourself just how unique your browser fingerprint is.

The Electronic Frontier Foundation (EFF) hosts an interesting article titled A Primer on Information Theory and Privacy, which says, “as of 2007, identifying someone from the entire population of the planet required … 32.6 bits of information.” My browser (testing from my BackTrack machine) gave away only 14.52 bits of information. Once we transition to native IPv6, just your address is going to offer a huge array of information: geolocation, hosting, the bloody MAC address of my laptop (unless I spoof it, of course).
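To make the "bits" concrete, here is an added example (mine for illustration, not code from the EFF or Panopticlick) that scores a fingerprint the way the primer describes: a value seen in a fraction p of visitors reveals -log2(p) bits. The visitor sample and attribute names are constructed, and `anonymity_set` assumes fingerprints are spread across the world population the same way they are in the measured sample.

```python
import math
from collections import Counter

# Constructed sample of eight visitors (invented values, not Panopticlick data).
# Each tuple is (user_agent, timezone, plugins).
ATTRS = ("user_agent", "timezone", "plugins")
VISITORS = [
    ("Firefox/Linux", "UTC-5", "flash"),
    ("Firefox/Linux", "UTC-5", "flash"),
    ("IE/Windows", "UTC-5", "flash,java"),
    ("IE/Windows", "UTC-5", "flash,java"),
    ("IE/Windows", "UTC+1", "flash,java"),
    ("IE/Windows", "UTC+1", "flash,java"),
    ("Safari/Mac", "UTC-8", "quicktime"),
    ("Opera/Windows", "UTC+9", "none"),
]

def surprisal(count, total):
    """Bits of information in a value seen `count` times among `total` visitors."""
    if count == 0:
        raise ValueError("value never observed; the sample cannot score it")
    return -math.log2(count / total)

def attribute_bits(visitors, target):
    """Bits revealed by each attribute of `target` when considered alone."""
    bits = {}
    for i, name in enumerate(ATTRS):
        counts = Counter(v[i] for v in visitors)
        bits[name] = surprisal(counts[target[i]], len(visitors))
    return bits

def fingerprint_bits(visitors, target):
    """Bits revealed by the full fingerprint, all attributes taken jointly."""
    return surprisal(Counter(visitors)[target], len(visitors))

def anonymity_set(bits, population_bits):
    """Expected number of people sharing a fingerprint worth `bits`, in a
    population that takes `population_bits` to single out one person."""
    return 2 ** (population_bits - bits)

if __name__ == "__main__":
    me = VISITORS[0]
    print(attribute_bits(VISITORS, me))    # per-attribute bits
    print(fingerprint_bits(VISITORS, me))  # joint bits
    print(anonymity_set(14.52, 32.6))      # the two figures quoted above, combined
```

For the first visitor the per-attribute scores add up to 5 bits while the joint fingerprint is only 2 bits, because the attributes are correlated; summing them overstates uniqueness. The last line puts a 14.52-bit fingerprint against the 32.6-bit world figure, which leaves roughly 277,000 people sharing it.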

Now, those of you who know me know that I can always come up with an example of malicious intent. It’s an exercise in futility even worrying about why someone might do something. It just doesn’t matter. What matters is that they *can*. So given that, how do you think someone, whether marketer or phisher, legal authority or outright fraudster, *can* use this information against you? Or even worse, how could it potentially be used to “prove” something that flatly isn’t true?