SOFTWARE

I develop the software, especially web applications,
for your needs. As a computer scientist I take care of
efficiency and performance.

DESIGN

I'll give your product the great design, that it deserves.
Whether it's being used on a desktop computer, tablet or smartphone:
Great usability and elegant optics, still unobtrusive.

CONSULTING

I support your product and help making technical decisions.

~$

Research with more than 23.000 data sets

Almost every computer leaves unique traces on websites

Recognition is possible without using Cookies

Weiterlesen

Browser Finger­printing

If you want to protect yourself from being tracked, you could disallow websites putting cookie files on your computer. Contrary to popular belief, there are also other techniques for tracking. Every time you request a website, a digital fingerprint of your computer can be created, which can be used to recognize your computer in the future. I was able to proof this assumption in my diploma thesis and detailed field research with more than 20.000 browser fingerprints.

I collected 23,709 digital fingerprints on a project website in November and December of 2012. The website captured information about the used browser, operating system, system colors, installed fonts, plugins, and much more in the background – naturally with prior permission by the user. Afterwards I analyzed the captured data and was able to proof, that about 93 % of all browser fingerprints during that time were unique.

23,709

fingerprints

92.6%

unique

89.9%

of all users have almost stable fingerprints

Some facts

Uniqueness of attributes

List of plugins (65%)
+ List of supported MIME types (67%)
+ List of installed fonts (79%)
+ User-Agent (87%)
All attributes (93%)

The more attributes are being used, the more unique fingerprints are in the given set of data. If only the list of plugins are used, about 65 % of all captured fingerprints are unique. If three attributes are combined, already 79 % of the fingerprints are unique.

Change of attributes

No change (60%)
One change (13%)
Two changes (10%)
Three changes (7%)
Four changes (2%)

The configuration of the computers, that participated in the research on multiple days, almost has not changed at all. 60 % of the fingerprints had no single change, in 90 % of the fingerprints not more than three attributes differed.

The project website is still online. If you like, you can create a fingerprint online with just one click and see, what attributes can be fetched by a normal website.

Frequently asked questions

A browser fingerprint is a list of configuration attributes of your computer. Any website is technically able to create and capture such a digital fingerprint. Some information is automatically transfered to the server by requesting a website (so called “passive fingerprinting”). Other attributes can be retrieved on your computer locally by JavaScript or Flash and afterwards returned to the web server (“active fingerprint”). An example for an attribute can be the list of your installed fonts, the name of your operating system or the used system colors. Combining all these attributes allows browser fingerprinting.

Fingerprinting can be used for tracking, especially for making personalized advertising possible. At the moment, primarily cookies (small text files on your computer containing unique identification data) are used for tracking purposed. But if cookies are deleted or not allowed by the client, the tracking approach will fail. By using browser fingerprinting, cookies can be redundant in the future. Instead, your system configuration is used as a fingerprint to identify your computer.

Besides tracking, fingerprinting can also be used to protect you online (preventing identity fraud).

The list of passive attributes is limited by the HTTP, TCP and IP protocols (e. g. the IP address or the User-Agent, that identifies your used browser and operating system). Active attributes are captured by JavaScript or by browser plugins such as Flash. Depending on the used techniques, system properties like screen resolution, time zone, system colors, list of plugins and fonts, among others can be captured.

Of course, even 23,000 fingerprints are just a few compared to all the clients connected to the Internet. Still, uniqueness of a fingerprint is still easy to achieve—even in a global sense. Example: If a user has installed two very uncommon fonts and uses a desktop background that is not black, blue or white, the likelihood of a unique fingerprint within a given sample is very high.

No. Four attributes (list of plugins, fonts, supported MIME types and the User-Agent string) are sufficient for determining 87% of all unique fingerprints.

Yes, but usually only after a couple of days and even then only a few attributes will change. Almost 90% of all participating clients, who took part on different calendar days, had fingerprints that had three changed attributes at most.  60% of the recurring clients had no changes to their fingerprint at all.

Yes. If the old fingerprint X is sufficiently significant, then a simple algorithm can be used to make a supposition, that the new fingerprint Y is a derivation of X.

Yes. Generally speaking: the more customization a system offers, the easier it can be used for fingerprinting. Smartphones mostly do not allow installing plugins or fonts. Example: 356 fingerprints (out of the simplified set F“‘) came from an iPhone, while only 89 of them were unique (25%).

Not really. Some attributes are transmitted every time you open a website. Others can be blocked by disabling JavaScript or Flash. Thus, most of the websites are not usable anymore. Generally speaking there is a dilemma: every approach in protecting your device against fingerprinting makes it more unique. Please refer to the corresponding chapter in the diploma thesis.

Yes, some information can also be found in my diploma thesis. There is a chapter about tracking using cache graphic files, i. e. an image file contains an identification number. This file is then stored in the client’s cache. This was also tested during the field research.

Download files

Additional files:

Donation

I think that research, that was done on public universities or research facilities, should be available at no cost for the public (open science / open access). Nevertheless, writing the diploma thesis was a lot of work. If you like it, you can donate a small amount. You can use the PayPal button or contact me using the form below. Thank you!

Media coverage

Some selected articles published online.

ZEIT ONLINE

Der verräterische Fingerabdruck des Browsers

Henning Tillmann sammelt Daten. Daten über Browser. Für seine Diplomarbeit an der Humboldt-Universität zu Berlin untersucht der Informatikstudent , ob er Internetnutzer – beziehungsweise Endgeräte – auch ohne den Einsatz von Cookies wiedererkennen kann. So viel vorweg: Er kann. Schuld sind die Informationen, die der Browser preisgibt, ohne dass der Nutzer etwas davon mitbekommt. Browser-Fingerprinting nennt Tillmann sein Projekt – er nimmt digitale Fingerabdrücke.

More…

Deutsche Welle Akademie

Your browser’s ‘fingerprints’ and how to reduce them

Those concerned about online security have likely already checked their browser’s “Do-not-track-me” option or installed add-ons like Ghostery that make it hard for cookies to crumb up their computers. But these days, that’s not enough. Websites can still easily identify you.

More…

taz

Bitte zurückverfolgen!

Für Ämter und Behörden bezeugt der Fingerabdruck die Identität einer Person. Im Internet fehlt es aber bislang an einer sicheren Methode, vom Nutzer auf die reale Person zu schließen. Gott sei Dank, sagen Datenschützer. Leider, sagen Werbeunternehmer. Zwischen diesen beiden Polen bewegen sich jene, die finden, eine Zuordnung von Rechner und Person berge nicht nur die Gefahr personalisierter Werbung, sondern auch die Chance, den Missbrauch von Daten zu verhindern.

More…

heise online

Studie zur Verlässlichkeit von Browser-Fingerprints

Können Browser-Fingerprints zuverlässig Auskunft geben, ob eine Web-Seite erneut aufgerufen wurde? In einer aktuellen Studienarbeit versucht der Diplom-Informatikstudent Henning Tillmann herauszufinden, wie stabil Browser-Fingerprints sind und ob mit ihnen eine verlässliche Identifizierung von Nutzern funktioniert.

More…

GOLEM

Tracking geht auch ohne Cookies

Das Tracking von Nutzern im Netz wird weitgehend mit Hilfe von Cookies durchgeführt. Doch es geht sehr gut ohne, denn rund 93 Prozent der Nutzer hinterlassen mit ihrem Browser bereits einen eindeutigen Fingerabdruck im Netz, wie Henning Tillmann im Rahmen seiner Diplomarbeit herausgefunden hat.

More…

WAZ

Unsere Spuren im Netz

Was sind persönlichen Daten wert? Für viele nichts, wenn man bedenkt, wie sorglos viele Leute allerlei Interessantes im Internet von sich preisgeben: Geburtsdatum, Hobby, Vorlieben, Bildung, Beziehungsstatus und das sind nur fünf von tausenden Informationen, die einige ins Internet stellen.

More…

DerStandard

Browsererkennung ohne Cookies möglich

Zur Erkennung eines Browsers – beispielsweise für Website-Statistiken und in weiterer Folge für Marketing-Zwecke – sind Cookies nicht unbedingt notwendig. Der deutsche Informatiker Henning Tillmann hat für diese Erkenntnis nämlich den Fingerprint von 20.000 Browsern untersucht.

More…

WDR Blog

Browser Fingerprinting: Fieser als Cookies

Im Netz finden sich nur relativ wenige deutschsprachige Artikel darüber, den Vortrag zum Thema von WWW: Henning Tillmann auf der re:publica fand ich aber geradezu alarmierend. Wenn diese Technik wirklich eingesetzt wird, ist sie ein deutlich größeres Datenschutzproblem, als die bekannten WWW: Cookies. Auch ohne diese ist nunmehr eine Identifierung einzelner Nutzer mit „Browser Fingerprinting“ relativ genau möglich.

More…

Questions?

Feel free to send me a message!

7 + 0 = ?