If I were to use a particular device–say a particular laptop–to surf the web on two separate free wi-fi networks, would someone looking at the ISP’s records be able to tell the same device was used for both surfing sessions?
Not really, as far as I know.
Your device sends a certain ‘fingerprint’ of its configuration - what browser you’re using, what operating system, some of your browser settings and capabilities, to help the web server tell what content it should send you. But that ‘fingerprint’ is much to vague to uniquely identify your device out of all laptops in the world.
Still, they won’t know whether you just use two different browsers/operating systems on the same computer, or whether you use multiple computers. And, even then, this isn’t the sort of thing most ISPs bother keeping track of, even the ISPs who try to charge you more if you use more than one computer.
I’m not aware of any devices that sign their web interactions.
Ludovic
Sent from my iPhone
<ElephantInTheRoom>
And, of course, it’s possible for the Web site you visit to leave a cookie on your computer. Then when you use the same computer to visit the same site from a different Starbucks, they know it’s the same computer.
My bank’s Web site, for instance, asks additional security questions if I’m using a computer that doesn’t have the bank’s cookie, and then asks me if I’ll be using this computer often (to determine if it should try storing a new cookie on it).
You can selectively enable and disable cookie support in your browser, although managing that can be a bit of a hassle.
</ElephantInTheRoom>
In addition to browser fingerprinting (mine is unique, apparently), some mobile data networks attach identifying details (such as mobile number) to the browser id string for selected (i.e. paying) partners.
There was an issue recently in the UK where a misconfiguration of this system enabled mobile number leakage to every website for a major mobile provider.
Si
5 of the 8 parameters they test for seem to rely on javascript. Since I use the noscript plugin for firefox, I would imagine that has to cramp their style a bit.
Yeah, same here on Chrome using NotScripts. I got a “unique” rating as well.
I don’t quite follow. Did you temporarily disable noscripts for it or did it uniquely identify your settings in spite of having no scripts on?
If you didn’t help it along then it sounds like it either doesn’t rely on javascript or noscripts isn’t really working.
In my case it actually asked permission to run a java applet but I didn`t check what would happen if I denied the request.
Browser cookies are mostly used to maintain session state. The cookie your bank sets will be a flash cookie or local shared object. The system your bank is using is usually called ‘risk-based authentication’ or ‘adaptive authentication’. When the bank sees you logging in from your ususal machine, on your usual ISP, and at the usual time of day it will let you in with just a userid and password. Variations from the usual generate risk scores and when the score gets too high the bank will ask for extra verification. The extra verification can be as simple as asking one of your security questions up to requiring out-of-band verification via email or phone.
I’m with chrisk on this one – just because my browser is unique among the 2±million they’ve tested doesn’t mean it’s truly unique. Also, my unique characteristics were my combination of plugins and my combination of fonts. They can detect that, sure, but the entire combination isn’t passed as part of an HTTP request. (The first table in the PDF linked from that page confirms this: https://panopticlick.eff.org/browser-uniqueness.pdf) In short, they can take steps to try to determine if it’s the same browser, but it’s not done by default – and turning off active scripting (Java and AJAX) would defeat this.
The fact that you have javascript disabled is itself an identifying value. Indeed that most people are not savvy enough to have noscript installed actually makes that fact that you are found with javascript disabled makes you more distinct than you might hope.
I’m not convinced about the calculation of uniqueness, as it looks as if they simply multiply the ratios together, and don’t take into account the likely correlation of the different measures. Having javascript disabled should not count more than once. Further the idea that an up-to-date Mac, with an up-to-date copy of Firefox accounts for one in 6800 browsers does not seem credible. Further I don’t see how the http_accept headers check is fully independent of the browser user agent. So I doubt the number of bits of id is as large as they make out - but none-the-less it is a significant amount of information.
That’s probably true but only to a very limited extent. Noscript has been downloaded 2.2 million times, so I still have a very big crowd to hide in.
Eh, using that very imprecise metric, Mozilla estimates currently 450 million Firefox users. NoScript downloads are less than half of 1 percent, even assuming that every download is a unique user.
If you consider that total Firefox downloads have exceeded 1 billion, it’s even less significant.
If you assume that NoScript users are less fingerprintable among other NoScript users, this might make sense, but if you’re a NoScript user thrown in to a mix of average Firefox users, that alone will make you stand out like a sore thumb.
I’ve always stood out like a sore thumb, so I suppose that’s fitting. 
There are however other plugins for both FF, Chrome and even Explorer I think that do the same thing, so it may not be as bad as you imagine.
How did you arrive at that conclusion? Without actual research, I’m guesstimating that’s not true because:
-
NoScript is likely the most popular script blocker (my assumption), so other plugins likely have even smaller installed bases. At most, then, script blocking users might be 1-2% instead of 0.5%, still not a big number.
-
If you add other browsers, you have to add in their users too. If each plugin is less popular than NoScript (#1) and both IE and Chrome are more popular than Firefox, then the ratio just gets worse with each browser you add.
The take-home message is that if your goal is anonymity among average internet users, NoScript and its elk are dangerously identifiable
I’m not invested enough in this to do any actual research. I just want to point out that the site we’re talking about doesn’t know that I’m using noscript - it just knows that javascript isn’t available.
also, it was probably a typo, but it’s ilk rather than elk. 
Oops, sorry, strike that last sentence – it’s not true because NoScript probably lowers your fingerprintability more than it makes you stand out from average users. (It might make you 1 out of 10,000 instead of 1 out of 450 million, but it prevents techniques that could reduce it to 1 out of 1)
You mean it doesn’t work like it does on TV?!?
Every Ethernet network card has a unique id number. It’s called the MAC address. It uniquely identifies your pc on a network. If its part of your motherboard then its a permanent identifier. Add in Ethernet cards can be swapped and your MAC address changes.
Our network software at work bans pc’s with suspected malware or viruses based on the MAC address.