The project is based upon information theory – using entropy to single out an individual from a wider population by combining facts about smaller groups. For example, a postcode does not disclose a single individual, but coupled with a gender and a month of birth it’s quite possible to pick out the subject. This singling out is measured in bits of entropy, where 1 ‘bit’ of entropy indicates 2 possibilities; 2 bits of entropy indicates 4 possibilities; 3 bits of entropy indicates 8 possibilities, and so on. As the EFF points out, with approximately 7bn humans on the planet, an entropy of 33 bits should suffice to identify one individual in that population.
So, pretend you’ve set up your browser to be relatively anonymous – you’ve tied down the cookies, you have a dynamic IP address, you don’t enter personal data unnecessarily – you’d imagine that you have ‘anonymous’ browsing? Not necessarily. EFF’s Panopticlick test tool looks at a number of qualities of your browser to consider its entropy, including:
- revealed browser ID (IE, Safari, Firefox, Chrome etc);
- the plugins available within the browser (Flash, QuickTime etc);
- time zone;
- screen size and color depth;
- installed fonts;
- cookies enabled.
The Panopticlick engine scores the browser based on these and other attributes, and calculates an entropy. So, my Safari browser holds at least 19 bits of identifying information, and that is sufficient to render it unique among the 0.5m+ browsers that have visited the site so far.
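The arithmetic behind the 33-bit and 19-bit figures above, as an added example (not EFF's code or data): it measures how many bits a trait or a whole fingerprint carries against a constructed eight-browser population, and shows that adding per-attribute bits overstates identifiability when attributes are correlated. The field names, sample records and function names are assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample population: (browser, time zone, screen, plugins).
# These eight records are made up for illustration, not Panopticlick data.
FIELDS = ("browser", "timezone", "screen", "plugins")
POPULATION = [
    ("Firefox/Windows", "UTC+0", "1280x1024x24", "Flash"),
    ("Firefox/Windows", "UTC+0", "1280x1024x24", "Flash"),
    ("Firefox/Windows", "UTC+0", "1280x1024x24", "Flash"),
    ("Firefox/Windows", "UTC+0", "1280x1024x24", "Flash"),
    ("Firefox/Windows", "UTC-5", "1024x768x24", "Flash"),
    ("IE/Windows", "UTC-5", "1024x768x24", "Flash"),
    ("IE/Windows", "UTC+0", "1024x768x24", "Flash,QuickTime"),
    ("Safari/Mac", "UTC+0", "1440x900x24", "Flash,QuickTime"),
]

def surprisal_bits(matching, total):
    """Bits of identifying information in a trait shared by `matching` of `total`."""
    return -math.log2(matching / total)

def bits_to_single_out(population_size):
    """Whole bits needed to distinguish one member of a population."""
    return math.ceil(math.log2(population_size))

def per_attribute_bits(record, population):
    """Surprisal of each attribute value considered on its own."""
    total = len(population)
    bits = {}
    for i, name in enumerate(FIELDS):
        counts = Counter(r[i] for r in population)
        bits[name] = surprisal_bits(counts[record[i]], total)
    return bits

def fingerprint_bits(record, population):
    """Surprisal of the whole fingerprint and the size of its anonymity set."""
    same = sum(1 for r in population if r == record)
    return surprisal_bits(same, len(population)), same

if __name__ == "__main__":
    for rec in (POPULATION[0], POPULATION[7]):
        joint, same = fingerprint_bits(rec, POPULATION)
        summed = sum(per_attribute_bits(rec, POPULATION).values())
        print(f"{rec[0]}: joint={joint:.2f} bits, "
              f"sum of attributes={summed:.2f} bits, anonymity set={same}")
```

The common Firefox configuration shares its fingerprint with three others (1 bit), while the lone Safari record reaches the 3-bit ceiling for a population of eight and is unique.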
The implications are important: a site utilising this approach can, to a reasonable level of probability, identify continuity of relationship between site visits, even without planting a cookie on the user’s machine. Once the user is known, the site can track that user on return visits, even if they refuse to disclose who they are. Users that wish to protect themselves need to use ‘non-rare’ browsers (e.g. Firefox on Windows), with a minimum of plug-ins, and exploit anonymisation tools such as TorButton.
There are of course some flaws in this approach; fonts and plug-ins may change, and the engine appears to think that the browser is unique regardless of how many times it returns (thanks to Jerry for pointing that out). But either way, there’s a fresh level of anonymisation needed for users who wish to browse without being tracked.