About Cover Your Tracks
Cover Your Tracks is a research project designed to better uncover the tools and techniques of online trackers and test the efficacy of privacy add-ons.
When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies use this technology to try to identify individual computers.
In 2010, EFF launched Cover Your Tracks, a research project to investigate how unique each browser is. We gathered information about the configuration and version information from your operating system, your browser, and your plug-ins, and compared it to our database of many other Internet users' configurations. Then, we generated a uniqueness score — letting you see how easily identifiable you might be as you surf the web.
In 2015, we upgraded Cover Your Tracks with a new feature: tracker blocker testing. Million of Internet users are using privacy add-ons and other tools to block trackers, including tools like AdBlock, Ghostery and Disconnect. But how well do these add-ons actually protect users from invasive tracking?
Our new version of Cover Your Tracks researches both. We analyze how well you are protected against online tracking by checking the privacy protections you have in place. The test simulates loading of a visible ad that performs tracking, an invisible script that performs tracking, and a site that looks superficially like a tracker but actually has committed to honor Do Not Track.
Even if your privacy add-ons are working well, you may still be vulnerable if your browser fingerprint is unique. So we also analyze the uniqueness of your browser and let you know how it stacks up to other visitors we’ve observed recently.
We generate a report about your tracker protections and browser fingerprint for your own use, and we’ll include anonymous results from your test in our larger research report.
Running tests on Cover Your Tracks both gives you this information about your own browser, and also helps EFF use statistical methods to evaluate the capabilities of Internet tracking and advertising companies, and the best forms of protection against tracking without consent.
A paper reporting the early statistical results of this 2010 Cover Your Tracks experiment is available: How Unique Is Your Browser?, Proceedings of the Privacy Enhancing Technologies Symposium (PETS 2010), Springer Lecture Notes in Computer Science. https://panopticlick.eff.org/browser-uniqueness.pdf
The results of Cover Your Tracks use several simulated tracking domains to trigger tracker blockers. Some blockers (such as Adblock Plus or Ghostery) are triggered by URL parameters that match ads or tracking beacons. Other blockers (such as AdAway or Disconnect) match on a per-domain basis, and we strive to have our test domains included in such tools’ lists. Still other blockers (such as our own Privacy Badger) use a heuristic approach, blocking the inclusion of trackers by detecting their use across domains.
In order to detect these different approaches, we have simulated tracking which triggers all three types of blocking. The site generates third-party requests like:
Each of these URLs attempts to set cookies, and is loaded from three first party domains in order to trigger heuristic blocking.
The first URL simulates tracking by a visible ad (if the ad is blocked, the test passes); the second simulates a non-visible tracking beacon (if the beacon is blocked, the test passes); and the third interaction with a domain that has implemented the Do Not Track Policy (if the domain’s scripts are unblocked, the test passes).
If the simulated ad or beacon trackers load, but with their cookies blocked, those results are reported as “partial protection”, since the site doesn’t get an easy unique identifier, but tracking by IP addresses and other means remain possible.
In addition to tracker blocking, Cover Your Tracks measures the uniqueness of your browser. We anonymously log the following information, and compare it to a database of many other Internet users' configurations that we’ve observed recently:
- The user agent string from each browser
- The HTTP ACCEPT headers sent by the browser
- Screen resolution and color depth
- The Timezone your system is set to
- The browser extensions/plugins, like Quicktime, Flash, Java or Acrobat, that are installed in the browser, and the versions of those plugins
- The fonts installed on the computer, as reported by Flash or Java.
- Yes/no information saying whether the browser accepts various kinds of cookies and "super cookies"
- A hash of the image generated by canvas fingerprinting
- A hash of the image generated by WebGL fingerprinting
- Yes/no whether your browser is sending the Do Not Track header
- Your system platform (e.g. Win32, Linux x86)
- Your system language (e.g. en-US)
- Your browser's touchscreen support
Then, we generate a uniqueness score — letting you see how easily identifiable you might be as you surf the web. Here’s more information on how this score is derived.
What is fingerprinting? What does it mean if my browser is unique?
“Browser fingerprinting” is a method of tracking web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies.
Browser fingerprinting is both difficult to detect and and extremely difficult to thwart.
If your browser is unique, then it’s possible that an online tracker can identify you even without setting tracking cookies. While the tracker won’t know your name, they could collect a deeply personal dossier of websites you visit.
Deleting your cookies won’t help, because it’s the characteristics of your browser configuration that are being analyzed. Read our suggestions to help defend against browser fingerprinting.
What is Do Not Track? Why would I want to unblock ads that respect Do Not Track?
Every time your computer sends or receives information over the Web, the request begins with some short pieces of information called headers. These headers include information like what browser you're using, what language your computer is set to, and other technical details.
Do Not Track is a simple, machine-readable header indicating that you don't want to be tracked. Because this signal is a header, and not a cookie, users can clear their cookies at will without disrupting the functionality of the Do Not Track flag.
In all the major browsers, there is an easy way to tell websites that you do not want to be tracked by setting the Do Not Track header. (Do it yourself or install EFF’s Privacy Badger and we’ll turn it on for you in Chrome and Firefox.)
When websites respect the Do Not Track signal, it’s easy for users to protect themselves from online tracking. The average Internet user won’t need to remember to delete cookies, install additional privacy software, or even worry about browser fingerprinting. (link to browser fingerprinting section).
Unfortunately, most websites and online trackers — with some laudable exceptions — currently ignore the Do Not Track signal entirely.
Setting your browser to unblock ads from websites that commit to respecting Do Not Track rewards companies that are respecting user privacy, incentivizing more companies to respect Do Not Track in order to have their ads shown at all. By preserving privacy-friendly ads, sites that rely on advertising funding can continue to thrive without adjusting their core business model, even as they respect users’ privacy choices.
Over time, we believe we can shift the norms on the Web to ensure privacy and respect for users comes first. But that can only happen if online advertisers are incentivized to respect user choices.
You can help us by installing EFF’s Privacy Badger.
Is it possible to defend against browser fingerprinting?
Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters.
Use the Tor Browser
Try to use a "non-rare" browser
The most obvious way to try to prevent browser fingerprinting is to pick a "standard", "common" browser. It turns out that this is surprisingly hard to do. It appears that the most likely candidate would be the latest version of Chrome running on a modern Windows version. But even so, many of those Chrome on Windows browsers can be distinguished from one another by the enormous range of plugin versions and fonts that can be installed with them. The first generations of smartphone browsers were comparatively hard to fingerprint, but as these devices have become more diverse and supported wider ranges of features, they have also become very fingerprintable.