A simple exercise about online privacy

We regularly hear from prime time news or urban legends how Internet is some sort of Big Brother (the real one…) able to track and report to some more or less hidden controllers everything we do online, to the point that what was once called privacy is dead.

Even if such rumours are likely overestimated, here are a couple of really easy exercises that will help you realize how many, usually harmless clues you leave surfing online without even realizing it: please do click first on the Panopticlick page e then check what is your IP address.

The first website is part of an online, ongoing research by the good guys of the Electronic Frontier Foundation (EFF). When you click on the first link I gave you, what you get is a report of how unique the fingerprint of your browser is (more on this in a second). When I ran the test myself, Panopticlick told me that "my browser fingerprint appears to be unique among the 69,357 tested so far".

A simple exercise about online privacy /img/panopticlick-3.0.jpg

This mean that I would be immediately recognizable among those almost 70000 people, because none of them has a browser with the same fingerprint. Had I got an answer like "there are 1000 people with the same fingerprint", it would have been better for my privacy, because nobody could see by looking at that fingerprint if it's me or any of those other 999 people.

Let's look now at what is a browser fingerprint. Whenever a browser connects to a website, it transmits its name and version, the operating system it runs on and a bunch of other data about its internal configuration. "Browser fingerprint" is just a shorter name for all that data. The original reason why this happens is perfectly innocent: the browser tells the website server all it's capable of, so the server can (if properly configured) return a version of the requested webpage that is the best possible one for that browser. Whatever the original reason was, the point of EFF is that a browser fingerprint can also be used as an identikit. The next website you visit may not know your name, but it will still be able to recognize you (if it exchanges fingerprints with other websites) as the same person who before coming spent the whole morning playing online poker or looking for partners in some dating portal.

What is IP address geolocation?

In order to communicate in any way through the Internet a computer must have a unique identification number called *IP (Internet Protocol) address. If you click on the second website I mentioned, "What is my IP address?", it will tell you both what your IP address is and show on a Google map the approximate geographical position of the corresponding computer (geolocation). This second website is quite useful because it displays in a very understandable way the fact that there is another parameter of your computer that tells quite a bit about us. More than the precision of the geolocation measurement (which can be quite low), what matters is the fact that geolocation can be automatically used together with the browser fingerprint technique to make user identification more reliable. If two people have the same browser fingerprint but their IP addresses are in surely different areas, associating all those data it's possible to follow them from website to website without risks to confuse one with the other.

So they ARE spying on me, aren't they?

Probably not, at least not in the sense that somebody is deliberately spying just you, just now. Panopticlick reports are aproximate and should not be taken literally, if nothing else because they haven't had time yet to collect enough browser fingerprints to draw any reliable conclusion.

The real meaning of these two little exercises is simply to prove that there are plenty of ways to have an idea of who somebody is and what he or she is doing online that most people never, ever notice or know about. Neither browser fingerprint nor geolocation can be 100% accurate. However, they are both extremely simple procedures that, at least in theory, every website could perform and correlate automatically, maybe exchanging results with other websites in real time to try to follow people while they surf the Internet. Possible scenarios become even more interesting if even one, and only one of those websites is one that must know exactly who you are in order to do what you need from it (think Facebook or home banking).

Data inside browser fingerprints can also tell other things. In some cases, Panopticlick (or any other website doing the same analysis without telling you) can read which fonts you installed in your computer.

Cool, huh? Maybe in this very moment there is a terrorist somewhere who's using some special, easily recognizable fonts to *print subversive brochures that he'll "secretly" leave in streets and subway stations, all while his browser is telling the whole world he's one of the people using those fonts! Too bad he didn't read Stop! Zona-M first...