Websites Can Probably Guess Your Identity With Three Basic Data Points

"If you want to be sure that no one is tracking your activity online, you'll need to buy a new computer and use a different network for every session."

An undersea fiber optic cable brings broadband Internet to East Africa in 2009. (Photo: Stringer/AFP/Getty)

An undersea fiber optic cable brings broadband Internet (and a new means of public surveillance) to East Africa, in 2009. (Photo: Stringer/AFP/Getty) (Photo: Stringer/AFP/Getty)

With just your date of birth, your zip code and your gender, it is almost guaranteed that someone could identify exactly who you are. Our web browsers are readily giving up at least three pieces of information about us, which makes it easy to identify users across websites without actually putting anything on our computers. Two of the latest surveillance techniques, HTTP injection and browser fingerprinting, are all but impossible to detect or stymie.

Once websites and telecoms figured these techniques out, high level operators of the web know who you are despite your privacy precautions and they are probably sharing that information with third parties for a price. That’s the conclusion of the World Wide Web Consortium‘s [W3C] Technical Architecture Group [TAG] has come to as its members finalized a statement on unsanctioned web tracking, recommending courses of action to make sure the web serves the most users in the best way.

“If you want to be sure that no one is tracking your activity online, you’ll need to buy a new computer and use a different network for every session,” Mark Nottingham, a member of the TAG and chair of the Internet Engineering Task Force‘s HTTP Working Group, told the Observer via email.

Websites and Internet service providers have found ways to track user activity that aren’t detectable by users, which means there is no transparency. The Technical Architecture Group writes, “The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself.” As the group currently sees no purely technical solution to unauthorized tracking, it recommends that policy makers “consider appropriate action.”

In other words, make big websites and telecoms quit spying on us.

The W3C group identified two nefarious new kinds of tracking, HTTP injections and browser fingerprinting.

HTTP injection

‘The aggregate effect of unsanctioned tracking is to undermine user trust in the Web itself.’

When you go to a website, your Internet provider might be whispering about you over your shoulder.

HTTP (Hyptertext Transfer Protocol) is the system by which the web’s users and its big servers figure out how to send who what. It’s the system for how a user makes a request and the server it makes it of sorts out to what to send them.

Open Internet advocate organization, Access, recently released “The Rise of Mobile Tracking Headers: How Telcos Around the World Are Threatening Your Privacy,” a report on one form of spying, HTTP Header Injections. The report describes how when a mobile user on some networks goes to a website, their carrier injects some identifying information into the HTTP fields of their request, letting the site know who the person is, presumably for purposes of delivering more targeted advertisements to them.

User can’t see the injected information by, for example, hitting ‘reveal codes’ on a web page, because the information is delivered to the site, not the user’s browser, but Access’s Gustaf Björksten provided an example of what an HTTP injection header looks like for a website:

Host: net.tutsplus.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5)
Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: PHPSESSID=r2t5uvjq435r4q7ib3vtdjq120
Pragma: no-cache
Cache-Control: no-cache

Not that we mere mortals can make heads nor tails of that.

Verizon and AT&T did the most header injections, of US carriers, according to Access’s research. AT&T has stopped and Verizon has created an opt out—this reporter’s Verizon device was still delivering header injections, however.

Want to find out if you’re mobile device is being tracked? Go here, though keep in mind that it’s only able to check for known header injections.

Online publishers that want to protect their users from these attacks need to move to HTTPS. Not only will Google give your site a boost in traffic, but it will be helping to keep the Web open. Mr. Nottingham pointed us to this new organization will even certify your site as secure for free.

The big telecoms may be pulling back on header injections, though, because an even more cagey form of tracking is now possible.

Browser fingerprinting

Browser fingerprinting is one of those hustles that’s so clever, you have to admire its despicable originality.

Every time you visit a website, your browser sends at least a few pieces of information to that site: it says what browser you are using, its precise version number and your operating system. And that’s just passive tracking. Factor in cookies and it’s almost certainly game over.

This Reagan-era executive order authorizes the Feds to follow your cell phone around.

The Electronic Frontier Foundation has built Panopticlick, a site that assesses how fingerprintable you are. The idea is this: with about three pieces of information (more precisely, 33 bits worth of data), its possible to identify exactly who a person is with a high degree of certainty. The Panopticlick assessment of my browser said it yielded 22.47 bits of information and that its fingerprint was unique across the 5.8 million sites that EFF’s service has evaluated.

With that level of information, advertisers might not know for absolutely certain that it was me visiting, but the guess would be better than nothing. In fact, if there were a small handful of people I might be, it could simply change up the targeting from site to site and strike the right chord from time to time.

Aren’t we completely 100% tracked already anyway?

Like, remember that Valentine’s Day you were really proud of yourself because the fall before your girlfriend had mentioned wanting this pajama onesie that made her look like a polar bear? Then, miraculously, you actually remembered and ordered them for her, but the weekend before she borrowed your computer to read the news while you made hashbrown nachos and there were ads for polar bear pajama onesies everywhere. It completely wrecked the surprise, right? That was tracking, right?

Yes, but it probably wasn’t unauthorized tracking.

Your phone’s hunger for wifi also reveals your travels.

Onesie-Gate probably happened because of cookies.The truth is, a lot of functions of the web wouldn’t work without them (like shopping carts). As annoying as cookies can be, they conform to W3C transparency standards, such as making it possible to opt-out. Your browser downloads cookies and stores them in folder you can look in at your leisure, block them or delete them. You can also check out what they are doing (apps like Mozilla’s Lightbeam make it even easier).

You could have cleared the cookies from the pajama site and your girlfriend would have never found out. You can’t opt out of HTTP injections or browser fingerprinting. You can’t even know for sure they are happening.

Further, it’s not hard to imagine Minority Report‘esqu applications of this technology where certain behavior profiles become associated with what authorities might define as socially undesirable activities, yielding increased surveillance for certain users in advance of actually committing any sort of crime.

Before the authorities go to that step, the TAG argues, they should remove the temptation from themselves by acting to constrain the practice now.