
The Security Kraken

Privacy online no longer exists and there is nothing at all you can do about it. In fact, everything you can try to do about it will just make it worse. While everyone and the media and their dog have all been screaming and shouting about privacy on Facebook, privacy and Google Street View and privacy on Blackberries and iPhones, the real battle has been going on very quietly in the background. The battle is now over, the war is over, the bad guys won and you have lost your privacy. All of it. And you never even noticed. Everything you do online is trackable. Everything, and it is happening now.

This post just summarizes what is going on. For the full details, listen to the Security Now podcast on “Side Channel Privacy Leaking” by Internet security expert Steve Gibson.

Your computer’s fingerprint is as unique as yours

This is made possible by what is called “computer fingerprinting” or “browser fingerprinting”. The idea is very simple: your browser and computer have a large number of characteristics that web pages need to know to be able to display the pages properly, and other characteristics that they don’t really need to know but that your computer shares anyway. Put all this information together, combine it with your computer’s clock time, your IP address range and a few other little items that are all freely available, and it is generally possible to identify you with over 99% accuracy. None of these things can be switched off, any more than you can switch off your own fingerprints, height or eye color. Any changes you make to “protect” yourself will actually make it even easier to identify you, because they will make your computer even more easily identifiable.

Browser fingerprinting is being used now

There are already commercial companies selling browser fingerprinting services. These services are hugely valuable to advertisers – they make it possible to track users and create very accurate user profiles for targeted advertising without using cookies. In fact, turning off cookies is part of your browser fingerprint, because it can distinguish an otherwise identical computer from one that has cookies turned on. That is over-simplified, but it describes the basic principle.

Who is doing this? See this quote from the show notes on Steve Gibson’s podcast:

There are many companies selling robust commercial solutions: “Arcot” claims it is able to ascertain PC clock processor speed along with common browser factors to identify a device. “41st Parameter” looks at more than 100 parameters and at the core of its algorithm is a time differential parameter that measures the time difference between a user’s PC — down to the millisecond — and a time reference. “ThreatMetrix” claims that it can detect irregularities in the TCP/IP stack and can pierce through proxy servers. “Iovation” provides device tagging (through LSO – Local Shared Objects) and clientless fingerprinting and operates a “reputation database” which maintains data on millions of PCs.

How browser fingerprinting works

The information your browser shares with websites includes things like screen size, screen resolution, operating system name and version (Windows, OS X etc.), browser name, browser version, the browser plugins you have installed and the versions of those plugins, whether cookies are accepted and so on. These are just simple examples – there are also more arcane things like the type of webcam you have installed, how quickly your computer processes tasks for web pages and many even more obscure parameters. These can all be measured and checked by scripts in web pages.

None of these pieces of information on its own is enough to identify you. However, start combining them and your computer and browser suddenly look more and more clearly unique. Even with Java and Flash turned off, it has been found that users can be identified and tracked with over 83% accuracy. Turn them on and the accuracy goes up to over 90%. Add the IP address range shared by your Internet provider, which is almost always the case, and you are already over 99%, because it puts you in a certain geographical area. Include cookies, which are also almost always on, and you are so close to 100% that it makes no difference any more. And anything over 80% is already hugely valuable for advertisers.

Changing things doesn’t help

You might think that it would be possible to throw the trackers off track by changing things. Updating plugins, removing plugins, changing your screen resolution or even changing your browser identification string (if you are technically minded and think you’re being really clever). None of this works. First, every change you make actually makes your browser and computer even more clearly identifiable. And second, the trackers know that changes are happening all the time and they can adjust for the changes. The Panopticlick Project by the Electronic Frontier Foundation has demonstrated that it is quite possible to allow for these changes on an ongoing basis and still maintain very high tracking accuracy, even when users have cookies turned off.
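The combination argument from the “How browser fingerprinting works” section and the “every change makes you more identifiable” point above, as an added example that is not from the post or from the Panopticlick project: over a constructed population of visitors it computes how many identifying bits each attribute carries on its own versus all attributes together (the measure Panopticlick reports), and shows that the one visitor who spoofed their user agent and switched cookies off ends up with a fingerprint nobody else shares. The population, attribute names and function names are assumptions made for the example.

```python
# Added example, not from the post: measures how identifying browser
# attributes are alone and combined, the way Panopticlick reports them.
import math
from collections import Counter

# One constructed visitor per tuple: (user agent, screen, timezone offset
# in minutes, plugin list, cookies enabled). Hypothetical sample data.
POPULATION = [
    ("Firefox/4.0 Win", "1920x1080", -60, "Flash 10.3;Java 6", True),
    ("Firefox/4.0 Win", "1920x1080", -60, "Flash 10.3;Java 6", True),
    ("Firefox/4.0 Win", "1366x768", -60, "Flash 10.3", True),
    ("Chrome/12 Win", "1366x768", 300, "Flash 10.3", True),
    ("Chrome/12 Win", "1366x768", 300, "Flash 10.3", True),
    ("Chrome/12 Win", "1920x1080", 300, "Flash 10.3;Java 6", True),
    ("Safari/5 Mac", "1440x900", 480, "Flash 10.3;QuickTime", True),
    ("Safari/5 Mac", "1440x900", 480, "Flash 10.3;QuickTime", True),
    # A visitor who tried to "protect" themselves: spoofed user agent and
    # cookies off. Everything else still matches the first two records.
    ("Mozilla/5.0 Generic", "1920x1080", -60, "Flash 10.3;Java 6", False),
]
ATTRS = ("user_agent", "screen", "tz_offset", "plugins", "cookies")

def entropy_bits(values):
    """Shannon entropy of the observed values, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def attribute_entropy(population):
    """Identifying bits carried by each attribute on its own."""
    return {name: entropy_bits([rec[i] for rec in population])
            for i, name in enumerate(ATTRS)}

def combined_entropy(population):
    """Identifying bits carried by the whole fingerprint at once."""
    return entropy_bits(population)

def anonymity_set(population, record):
    """Number of visitors sharing this exact fingerprint (1 == unique)."""
    return sum(1 for rec in population if rec == record)

def unique_fraction(population):
    """Share of visitors whose fingerprint matches nobody else's."""
    counts = Counter(population)
    return sum(1 for rec in population if counts[rec] == 1) / len(population)

if __name__ == "__main__":
    print(attribute_entropy(POPULATION), combined_entropy(POPULATION))
    print("spoofed visitor shares a fingerprint with",
          anonymity_set(POPULATION, POPULATION[-1]), "visitor(s)")
```

No single attribute comes close to the combined figure, and the spoofed record has an anonymity set of one, which is the sense in which “protecting” yourself makes you easier to pick out.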

What does all this mean?

None of this information actually identifies you personally, it just creates a profile of everything that has been done online by your computer and your browser. However, sites you share your name with also use these services, and it would be very easy for them to connect the profiles collected by the browser fingerprinting companies with your real name and address. And of course, this includes “legitimate” services like your bank, your video rental service, forums you participate in and so on. Oh yes, and also government and law enforcement services as well, just as an added cherry on this tasty little cupcake of data. I’m not saying that they are doing this, of course. Just that it is very easy, very very very tempting and potentially enormously profitable and useful for them to do so. Honi soit qui mal y pense…

Basically, this means that everything you do online is just as public as something you do in a crowded public square on a sunny day. But a public square where every single person on the square has a video camera pointed at them, that is following just them. And that includes you. Everything you do online can be tracked and recorded. And it can be used to create a profile of you.

Is there anything you can do about it?

In a word: No. Nothing. Even if you delete your cookies, for example, browser fingerprinting can now be used by websites to restore the cookies that you deleted, because they are stored in the website’s database and your fingerprint identifies you as the person the cookie belongs to. Anything you change in your computer just makes it more identifiable, including anything and everything you do to “protect” yourself against tracking. If you’re really worried about it then you need to buy a mechanical watch, stop using a mobile phone (they are even more identifiable than computers, of course), throw your computer in the river and go back to using a fountain pen and a typewriter.

The only partly effective thing you can do is to browse only with Firefox and use the NoScript plugin to control which web pages and services are allowed to use scripting in the web pages you visit. However, you will quickly find that this makes the Web almost unusable, and adds a great deal of work to your browsing. Also, on many web pages you will find that NoScript delivers a list of 10, 20, 30 or more web services that are being used on those pages – good luck on choosing the ones that are doing the tracking.

More realistically, you just need to start being aware. You can no longer assume that you have any kind of privacy online, and you need to be aware that this is going to get worse rather than better. The Internet, the Web, browsers, computer operating systems and everything to do with them were never designed with privacy in mind and it is probably too late to fix them now. You need to be aware that everything you do online is probably being stored in a profile somewhere.
