Surfing the web anonymously

Is it possible to surf the web anonymously today? Take the case of cookies. They are becoming increasingly powerful, particularly when it comes to personalising browsers. However, even without this technology, the browser itself leaves traces that are capable of clearly identifying the user. This is an observation that we are able to confirm after examining and testing the Panopticlick algorithm.

Since the beginning of the Internet, cookies have made surfing easier. Cookies are small files that are stored on our computers every time we visit a website, and contain information such as the language in which the website should be displayed. Their purpose is to allow the website to «recognise» the user at the next visit.

Researchers who have studied cookie technology have come to realise that every browser actually leaves a trace that is unique, or almost unique. In fact, even without cookies it is possible to find out which computer has connected to which website. All that needs to be done is to follow the traces left by the browser.

We examined and tested the Panopticlick algorithm developed by Electronic Frontiers Foundation (the Panopticon is a model prison in which the guards can keep a watch on inmates without being seen). The algorithm registers a certain number of parameters during data input, and produces an entropy measurement that is used to determine the uniqueness of the tested browser. The parameters may include a «user agent», which provides information about the type and version of the browser itself, the operating system, and the list of plug-ins - a plug-in being a small piece of software which adds functionalities to the browser enabling it to play videos, to determine system fonts or to obtain information about the screen that is being used. Indeed, all the information that can be accessed via the web browser is collected, and when placed end to end serves as an identifier or fingerprint. The potential uniqueness of this identifier can thus determine the uniqueness of the browser.

During the first phase of the algorithm's deployment, 400,000 identifiers were collected and anonymized. Each new fingerprint was then checked against this collection in order to determine whether it matched a known fingerprint. If a match came up, we checked to see how many fingerprints needed to be contained in a subset in order to determine with certainty that we would find an identical identifier.

We tested the algorithm with the latest versions of the best-known browsers (Internet Explorer, Firefox, Chrome, Safari and Opera) under various conditions: directly after installation of the browser, after a specific amount of surf time, in anonymous mode and after installing certain add-ons.

In conclusion, we can state that it must indeed be admitted that the fingerprint of every browser is unique and that it is easily identifiable. There are ways, however, of reducing the dangers of a positive identification. For example, all browsers today let the user switch to anonymous surfing mode (at least in their most recent versions) - a very useful tool. This, together with certain add-ons like NoScript, which is a feature offered by Firefox, is the best way to preserve anonymity when surfing the Internet.

https://www.edoeb.admin.ch/content/edoeb/en/home/documentation/annual-reports/older-reports/18th-annual-report-2010-2011/surfing-the-web-anonymously.html