#panopticlick

Sometimes you can’t take EFF serious

Well, I’m already fighting since years against FUD, especially when it comes to privacy tools and recommendation I often fight against individuals or people who still to belive in application security. However, this time Electronic Frontier Foundation (EFF) failed – so what happened? We had the recent leak called Efail which is a weakness in PGP and S/MIME and EFF wrote in their documentationas…

My wife and I have this…ahem…”discussion” alla time about whether the internet has ultimately been good or bad for humankind.

My position is that there is evidence to support both arguments equally. Which is to say this latest invention of our collective culture is much like all the other innovations through the centuries.  The yin/yang nature of the human mind can find nefarious or beneficial…

May I Have Your Browser Fingerprint?

For the privacy-minded among us, you’ve probably heard the term “browser fingerprint.”  If not, allow me to quote Panopticlick: ‘Browser fingerprinting’ is a method of tracking web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies. So, call me paranoid if you must, but I’ve…

If all I know about a person is their ZIP code, I don't know who they are. If all I know is their date of birth, I don't know who they are. If all I know is their gender, I don't know who they are. But it turns out that if I know these three things about a person, I could probably deduce their identity! Each of the facts is partially identifying.

There is a mathematical quantity which allows us to measure how close a fact comes to revealing somebody's identity uniquely. That quantity is called entropy, and it's often measured in bits. Intuitively you can think of entropy being generalization of the number of different possibilities there are for a random variable: if there are two possibilities, there is 1 bit of entropy; if there are four possibilities, there are 2 bits of entropy, etc. Adding one more bit of entropy doubles the number of possibilities.

Because there are around 7 billion humans on the planet, the identity of a random, unknown person contains just under 33 bits of entropy (two to the power of 33 is 8 billion). When we learn a new fact about a person, that fact reduces the entropy of their identity by a certain amount.

I’m surprised I’ve never come across this article before now.  It does a really great job explaining the concept of entropy and the mathematics of how websites and entities can unravel your identity online even when you try to cover your tracks as much as possible.  This is a highly suggested read for all Internet users, whether you’re concerned about privacy or not, because it explains some very core concepts in easily understood language.  And maybe after having read it, you will start to become a little more concerned about your privacy and what implications it has for your security.

This article goes hand-in-hand with an excellent web tool, also from the Electronic Frontier Foundation, called Panopticlick.  It uses the principles in the Information Theory article to fingerprint your browser and tell you just how identifiable you are on the internet.  Websites and entities can track you even if you disable cookies, even if you’re on Incognito mode, even if you’re trying to cover your tracks.  Go ahead, click the link and run the test.

Got your results?  What did yours say?  Mine says:

My fingerprint appears to be unique from over 5+ million fingerprint tests run thus far.  So a website, given a sample size of 5 million users, has an extremely high likelihood of being able to fingerprint me specifically and explicitly.  They don’t necessarily need to know who I am - that is, they don’t need to look at my fingerprint and say, “This is Jeff Cho”.  All they need to be able to do is track my fingerprint across the web.  What I look at on Amazon, what flights I search for, what I bring up when I drop into Incognito/Privacy Mode, what ads I respond to.  What source IPs I access the web from.  What VPNs I tunnel through.