Project Underpants explained
This weekend my good friend Mark Boas and I released the Underpants Project, a proof of concept aimed at raising awareness of the lack of privacy on the internet. The 1-day project received quite a bit of attention, and it’s time to give you an inside look at how it works.
Posts about security and privacy on the web tend to be long, boring and too techy. I’m trying to keep it simple this time: it’s an important matter and it deserves all of your attention.
What is the Underpants Project?
First of all, visit lab.cubiq.org/underpants with your desktop browser and take the survey.
The demo collects data commonly exposed by your browser to create an (almost) unique fingerprint that can be used to track your web surfing habits across domains, without you being signed in to any service (such as Google or Facebook). This demonstrates that even when you think you are logged out and untraceable, you are in fact still naked to the eye of the web (hence the underpants name).
Please note that this is nothing new: the Electronic Frontier Foundation already raised the concern years ago, but I was surprised that: 1) this is not more widely discussed; 2) to date this “exploit” is still valid. So we decided to make this real-world experiment.
How it works
Those are important bits that web applications use to better serve you content and services, but when you take all of them together they almost uniquely identify you. This means that a network of sites using this technique could easily follow you, and there’s very little you can do about it.
You can easily fool the script
You have probably tried to fool our little script by now, and admittedly it’s pretty easy to cheat. But like I said, this is just a 1-day proof of concept. Imagine what a well-motivated entity could do with more time and resources.
For the sake of the demo we do not store each piece of information individually; we just create a hash out of them. If we stored the data in a well-structured database we could, for example, find out whether you updated your browser or installed a new plugin or a new typeface.
Google/Facebook disconnect doesn’t make you safer
The information we gather comes from your browser, not from some online service. That’s why plugins such as Disconnect don’t make you safer.
I do not have Flash, am I still traceable?
For the sake of this demo we use Flash to find the fonts installed on your system. Even without fonts we have enough bits to identify you. Also consider that if you disable Flash we only have to check your uniqueness against users without Flash, who are a minority.
That said, it would be possible to find out what fonts you have installed even without Flash.
Do encryption, VPN, https help?
Unfortunately not. All the data is served on a silver platter by your browser once the connection has already been established.
You’d do better just tracking my IP
We deliberately excluded the IP address from the equation. Most users don’t have a unique IP; most of the time the same IP is shared amongst many PCs (offices, internet cafes, public hot-spots, …). But we could add the IP to the tracking software, making it even more dangerous. For example, we could find all the places you connect to the internet from; we would know which café you prefer and where you work.
This doesn’t work on mobile
Most mobile browsers share the same User Agent and often you can’t install plugins and new fonts. That makes them all the same, but consider that if you are using mobile you are already being tracked to death by so many applications that that’s not even a question.
Each time you tweet, your location is saved; each time you use Google Maps, they know where you are. Each time you post a photo on Facebook… They can even find your location from the MAC address of the hotspot you are connected to, so disabling GPS doesn’t make you safer.
Who cares? Let them spy on me
That is generally a good point. I have nothing to hide, I’m not a terrorist, it doesn’t bother me being tracked.
The problem is: to what extent am I willing to give my life away? Where is the limit? They know I visited porntube, no problem with that. They know where I drink coffee, no problem either. They know that my grandpa died. They know that I visited a site about a rare illness I’m affected by. They know… well, you’ve got the point. On this matter I would recommend watching a wonderful speech by Karen Sandler.
If we are not going to give them a limit they will always be raising the bar until one morning you’ll wake up and find yourself with your wallet directly connected to the pipes in the same manner cows are milked.
Governments won’t let it happen
What can I do about it?
Knowing the problem is the first step into the rabbit hole. Take the red pill, spread the word, talk with your family and colleagues about it. Point them to this post or, better, write your own piece on this topic. Laziness is the status quo’s best friend.
What can I do to protect myself?
The best solution would be to build a plugin that slightly shuffles the browser data. Not so much as to compromise the user experience, but just enough to avoid being tracked. Ideally the data should be scrambled the first time you access a new website and kept unaltered until you leave. This would grant you a new token per website per session. If I can’t find something like this I’ll personally work on it.
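The per-website, per-session token described above, as an added example that is not code from the Underpants demo or from any existing plugin. The profile values, site names, session secrets and function names are constructed, and FNV-1a stands in for the demo's unspecified hash. Only the fonts and the screen size are altered here, so a tracker that ignores those fields is unaffected.

```javascript
// Constructed sample of what a browser exposes (not real data).
const realProfile = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  screen: { width: 1920, height: 1080, depth: 24 },
  timezoneOffset: -60,
  plugins: ["Example PDF Viewer", "Example Media Plugin"],
  fonts: ["Arial", "Courier New", "DejaVu Sans", "Example Grotesk", "Georgia"],
};

// FNV-1a (32-bit). Stand-in only: the post does not say which hash the demo
// uses, and a real extension would want a keyed cryptographic function.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

// One hash over all exposed attributes, as the post describes for the demo.
function fingerprint(profile) {
  return fnv1a(JSON.stringify(profile)).toString(16).padStart(8, "0");
}

// Profile reported to `site` during one session: identical on every call
// within the session, different for another site or another session.
function profileFor(profile, site, sessionSecret) {
  let state = fnv1a(sessionSecret + "|" + site);
  const next = (n) => {
    state = fnv1a(state.toString(16) + "|" + site);
    return (state >>> 8) % n;
  };
  const hidden = next(profile.fonts.length); // withhold one font
  const width = profile.screen.width - next(32); // shrink by at most 31 px
  const height = profile.screen.height - next(32);
  return {
    ...profile,
    screen: { ...profile.screen, width, height },
    fonts: profile.fonts.filter((_, i) => i !== hidden),
  };
}

const siteToken = (profile, site, sessionSecret) =>
  fingerprint(profileFor(profile, site, sessionSecret));

console.log("unmodified:", fingerprint(realProfile));
for (const site of ["news.example", "shop.example", "forum.example"]) {
  console.log(site, siteToken(realProfile, site, "constructed-session-1"));
}
```

Without the perturbation every site in a tracking network computes the same hash for you; with it, each site sees its own token, which stays fixed until the session secret is rotated.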