Browser fingerprinting is a method of identifying internet users without using cookies. It doesn’t necessarily uniquely identify you, but it can sometimes.
Here’s a traditional browser fingerprinting site, using only the most generic information: AmIUnique
What surprised me about that one is that they’ve picked up my time zone … turns out that on a world scale, there are relatively few English speaking web users in my time zone.
And here’s a new one: External Protocol Flooding Vulnerability Demo (schemeflood.com)
That detects just 32 common installed web-apps to give a 32-bit identifier (for desktop computers).
What surprised me about the new technique is that it works on me – I don’t use web apps, I don’t have that stuff installed … but, well, that’s just as unusual as anything else. I share the generated identifier with only a small number of people. And this same identifier is true for all of the web browsers I have installed, so I can’t de-identify myself by switching browsers.
I tried the second (schemeflood) site. I have but 3 apps installed, 2 of which I could delete with nil impact to my life and one that I could delete with small impact. But in any case I’m in a pretty small minority too. Deleting those apps would put me into a smaller minority. So that’s nowhere to hide.
What’s a bit surprising to me is that a webpage running in the sandbox in the browser has access to an API that will report that much global state info about your machine.
It seems ridiculous that having Skype and Steam installed but no other apps is over 99% unique. Similarly with my useragent. And there’s no way having the generic “audiooutput” option is “unique”: it’s just what Chrome displays if the only output device is a sound card. Even if it were unique to the soundcard on my motherboard, that motherboard is not rare.
That said, I do think there is enough info there that I am uniquely fingerprinted. I just question if there is selection bias at work on some of these, due to people having to deliberately go check these sites.
That said, I wouldn’t mind an extension or something that made all of this data look less unique.