• Posted on: Apr 24, 2012
  • Tag:
  • Reactions: 11

> Project Underpants explained

This weekend my good friend Mark Boas and I released the Underpants Project, a proof of concept aimed to raise awareness over the lack of privacy on the internet. The 1-day-project received quite a few of attention and it’s time to give you an insider look on how it works.

Posts about security and privacy on the web tend to be long, boring and too techy. I’m trying to keep it simple this time, it’s an important matter and it deserves all of your attention.

What is the Underpants Project?

First of all visit with your desktop browser lab.cubiq.org/underpants and take the survey.

The demo collects data commonly exposed by your browser to create an (almost) unique fingerprint that can be used to track your web surfing habits across domains, with no need of being signed in to any service (such as Google or Facebook). This demonstrates that even when you think you are logged out and untraceable you are in fact still naked to the eye of the web (thus the underpants name).

Please note that this is nothing new, the Electronic Frontier Foundation already raised the concern years ago, but I was surprised that: 1) this is not more widely discussed; 2) to date this “exploit” is still valid. So we decided to make this real-world experiment.

How it works

Your browser exposes a series of information that individually are pretty harmless. For example I can find out what is your browser vendor, operating system, your timezone, country, if you have flash installed, if you disabled javascript, your screen resolution, what fonts are installed on your system…

Those are important bits that web applications use to better serve you contents and services, but when you take all of them together they almost uniquely identify you. This means that a network of sites using this technique could easily follow you, and there’s very little you can do about it.

You can easily fool the script

Now you probably tried to fool our little script and admittedly it’s pretty easy to cheat, but like I said this is just a 1-day proof of concept, imagine what a well motivated entity could do with more time and resources.

For the sake of the demo we do not store each piece of information individually but we just create a hash out of them. If we stored the data in a well structured database we could for example find out if you updated your browser, or you installed a new plugin or a new typeface.

Google/Facebook disconnect doesn’t make you safer

The information we gather comes from your browser not some online services. That’s why plugins such as Disconnect don’t make you safer.

I do not have Flash, Am I still traceable?

For the sake of this demo we use Flash to find the fonts installed on your system. Even without fonts we have enough bits to identify you. Also consider that if you disable Flash we have to check your uniqueness only against users without Flash, that are a minority.

That said, it would be possible to find out what fonts you have installed even without Flash.

I surf with Javascript disabled, can’t touch me!

Good for you, but unfortunately you are not safe. Most of the info can be gathered without javascript and browsing with javascript disabled puts you in a very restricted niche making you probably easier to track.

Do encryption, VPN, https help?

Unfortunately not. All data is served on a silver plate by your browser once the connection has already being established.

You could better just track my IP

We voluntarily excluded the IP address from the equation. Most users don’t have a unique IP, most of the times the same IP is shared amongst many PCs (offices, internet cafes, public hot-spots, …). But we could add the IP to the tracking software making it even more dangerous. For example we could find all the places where you connect to the internet from, we would know what is your preferred café and where you work.

This doesn’t work on mobile

Most mobile browsers share the same User Agent and often you can’t install plugins and new fonts. That makes them all the same, but consider that if you are using mobile you are already being tracked to death by so many applications that that’s not even a question.

Each time you twit your location is saved, each time you use Google maps they know where you are. Each time you post a photo on Facebook… They can even find your location from the mac-address of the hotspot your are connected to, so disabling GPS doesn’t make you safer.

Who cares? Let them spy on me

That is generally a good point. I have nothing to hide, I’m not a terrorist, it doesn’t bother me being tracked.

The problem is: to which extent am I willing to give my life away? Where is the limit? They know I visited porntube, no problem with that. They know where I drink coffee, no problem either. They know that my grandpa died. They know that I visited a site about a rare illness I’m affected. They know… well, you’ve got the point. On this matter I would recommend you watching a wonderful speech by Karen Sandler.

If we are not going to give them a limit they will always be raising the bar until one morning you’ll wake up and find yourself with your wallet directly connected to the pipes in the same manner cows are milked.

Governments won’t let it to happen

The same governments that allowed this or this or this to happen?

What can I do about it?

First, knowledge.

Knowing the problem is the first step to the rabbit hole. Take the red pill, spread the word, talk with your family and colleagues about it. Point them to this post or better write your own piece on this topic. Laziness is status quo‘s best friend.

What can I do to protect myself?

The best solution would be to build a plugin that slightly shuffles the browser data. Not too much to compromise user experience but just enough not to be tracked. Ideally data should be scrambled the first time you access a new website and kept unaltered until you leave. This would grant you a new token per website per session. If I can’t find something like this I’ll personally work on it.

Why don’t you release the code?

We did. The Underpants Project is available under MIT license on Github.

/Share the joy


    • Author: Simon Templar
    • Posted on: 2012/04/24
    • At: 15:26

    Awesome. Thanks for the explanation guys!

  • Really great write-up, Matteo. Thanks.

    • Author: Luca Rosaldi
    • Posted on: 2012/04/24
    • At: 17:46

    Whoa, didn’t know about this “digital fingerprint”. I assumed one could only be tracked by IP or such.

    Even if you’ve got nothing to hide and don’t mind being spied, knowing how much of your life is exposed to the public is a bit terrifying.

    As soon as a browser extension is released to fix this problem, I’ll install it at once.

    Thanks for the info, Marco. Continua così. :)

    • Author: Kilian
    • Posted on: 2012/04/25
    • At: 09:49

    This article in the Facebook era creaks a bit… People give their data for free, more or less in a conscious way, the problem is “you” not the technology itself.

    • I mostly agree

        • Author: grigio
        • Posted on: 2012/04/25
        • At: 19:45

        Hi, just a curiosity what do you think of chrome and multiple identities?

      • The problem is for the 90% userbase not for the geeks like you and I ;) We know the problem, we can at least try to protect ourselves, the problem is that the commoner is not even aware of the problem. They maybe heard of “disconnect” they install it and they think they’re safe.

    • Author: jch
    • Posted on: 2012/04/26
    • At: 09:59

    One possible reply to people who collect our private information could be to give them a huge amount of false information. Take some time to visit website dedicated to dogs if you hate them, try to find a good fly to go to australia even if you are afraid of planes and so on. If the info collected has no sense it will loose its value.

    • Author: Shin Senter
    • Posted on: 2012/07/09
    • At: 11:24

    Nice post

  • Really great article, and thanks for sharing the source. However this is not a new issue and never been, although companies like http://www.bluecava.com/ have almost perfected the art of tracking, and yes with some of the techniques mentioned here as well. If you do a Google search on “You Have Zero Privacy Anyway. Get Over It” you will find many articles and stories related to concerns about online privacy.

    • Author: joel
    • Posted on: 2013/03/14
    • At: 21:51

    Great post. I use Tor for anything I need privacy with. Would you recommend people use services like that all the time?