It’s a common misconception that when you’re on the Internet, you’re anonymous. Surfing along, happily not giving away any personal data; it’s hard to imagine how you could be recognisable amongst the vast sea of people browsing online. In fact, your computer gives away a wealth of information about you to every single website you visit. For web developers, this data can be invaluable in making interesting, dynamic websites, but it can also be used to build up a picture of who you are and where you come from.
The first major source of this information is your browser. The actual data available varies from browser to browser, but most of them transmit your operating system, the resolution of your screen and what fonts and plug-ins you have installed. This might not seem like much, but in fact it’s enough to differentiate a single person from more than half a million others. Panopticlick (http://panopticlick.eff.org/), an experiment started by the Electronic Frontier Foundation, aims to see just how much information you give away as you surf. Information about your browser is collected and compared to others they’ve already seen, and how traceable you are online is calculated. To the shock of many, it is often the case that a user is completely unique amongst the 640,000 or so entries, being identifiable from browser information alone.
All this would not be so bad, were it not for the fact that web sites can also tell where you live. An IP address is a unique number assigned to you when you connect to the Internet through your ISP. Web servers use your IP address to route ‘packets’ or data from a website to you, but websites can also detect and use your IP address to find out information about you. Using a look-up service, your IP address can tell a website your approximate location, accurate to the town or village you live in. In special cases like universities this can be even more accurate. For instance, anyone using a college connection broadcasts that they are connected at Imperial College London. Location information can also be gained using a relatively new technology called the ‘Geolocation API’. Websites can request location data from the browser, which provides the exact position of the user right down to the actual street address they currently inhabit. Although this information is only meant to be sent if the user gives their consent, with more and more location-aware browsing, one day it may be sent automatically.
Even though a lot of information is provided to web sites, up until now it has been impossible to actually differentiate between individual users of one computer who browse a site. After all, the computer looks and runs the same no matter who is using it. The solution to this came from a company called Scout Analytics, who have used ‘typing cadence’ to tell the difference between individuals online. When you type, you have a characteristic rhythm and pace, characterised by the time taken to move between keys and how long you hold a key down for. Scout Analytics have developed a method to collect these timings and have reported the ability to detect individual users just by the way they type in their username and password. The algorithm has already been successfully used in a trial to stop multiple users accessing expensive online services for which only a single license has been purchased.