Even though I’ve seen it about a dozen times over the years, there’s always something new to learn from Monty Python’s Life of Brian. This time, I discovered that Brian’s last name was Cohen.

For anyone unaware, the Life of Brian describes the life of a Judean man, Brian Cohen, who happened to be born in a stable next to the one in which Jesus was born. He was visited by three wise men, who praised him as King of the Jews and presented him with gifts – until they realized they were in the wrong stable, took back the gifts, and went next door.

The film was called blasphemous and generated significant controversy, but I really don’t agree. It didn’t mock Jesus, though he appeared in it. In one scene, he is shown standing, reciting the Sermon on the Mount. We watch as the camera pulls further and further back, and his voice gets harder and harder to hear, until you get back to Brian and his mother (Terry Jones, in drag), who calls out: “Speak up!”

The mockery was mainly reserved for people and institutions. One theme was the way the various independence movements spent more time bickering among themselves than they did fighting the Romans. Another was the way that people will follow people claiming to be prophets – in one scene, Brian accidentally falls on one of the “prophets” who line the street and begins speaking because he sees a Roman soldier looking at him suspiciously.

It does not go well, and Brian gets into an argument with the people who were listening, but when the Romans pass and he trails off and walks away, the people begin following him as a prophet. This leads to the wonderful scene where he speaks to a sea of people, with them responding.

Which brings us to anonymity, and the degree to which it is real.

Maybe it’s an IT or InfoSec thing, but I think most people have probably heard someone talk about how they don’t care about online privacy because “they don’t care about me”. This is related to “there’s nothing you can do about it anyway” and “my browser protects me – I use incognito mode”.

These points, or variations on them, appear on an enormous number of lists of “Cybersecurity myths”, and this is because none of them are true. That said, it’s important to understand why they are untrue, and the degree to which you can do something about it.

I’ve written several posts about “InfoSec Basics”, covering topics including passwords, hashing, and credential stuffing. These try to illustrate some basic concepts, and how they apply to our online lives.

To summarize, criminals may or may not care about you as an individual, but they DO care about your account and your personal data, which they can use, sell, or trade. Full identities (known as “Fullz”) can range from $20 to $100 USD, while social media accounts can range from $0.30 to thousands of dollars, depending on the platform, age, and number of followers.

Advertisers also care about your data, and they are much harder to evade.

It’s bad enough that companies like Meta gather up huge amounts of data from their platforms and advertisers, but the ways they do it are sometimes quite... problematic. “Tracking pixels”, for example, raise regulatory concerns, but other methods seem particularly slimy – In one case, Meta was found to use native Android apps to bypass typical privacy protections, and apparently stopped immediately after the story appeared. Interesting...

Advertising platforms do everything they can to gather as much information as they can, from as many sources as they can. Part of this is to improve the perceived value of the data and services they sell, and part is because they are looking for new ways to monetize data. But, in my opinion, another factor is that they want to ensure that they have backups in case regulators block some of the methods by which they gather data currently.

This is where fingerprinting comes in.

Even when all of the “obvious” methods of identifying you are blocked (to the degree they can be), you can still be identified, with astonishing accuracy, simply by gathering the information your web browser provides.

Cover Your Tracks is a service provided by the Electronic Frontier Foundation. It reads the information shared by your browser and provides an assessment of the degree to which you can be identified uniquely. It takes a while to run, but the information provided can be quite eye-opening.

When you connect to a website, quite a lot happens before the site appears on your screen, and most of it is invisible to the user. To wildly simplify, we can break this into two main parts – establishing the connection, and using the connection.

Establishing the connection starts with the URL (“Uniform Resource Locator”, or the website address, eg, “www.til-technology.com”). Your browser goes through a series of steps involving DNS (“Domain Name System”) to look up the actual IP (“Internet Protocol”) address of the site, establishes a connection with the site using TCP (“Transmission Control Protocol”), and then “secures” the connection using HTTPS (“Hypertext Transfer Protocol Secure”).

So far, the information passed to the website consists of your IP address, a list of cipher suites (for the HTTPS connection), and a few other bits of data, but now things become more interesting. (I’ll set aside the potential value of the IP address – perhaps more on that another time)

Once you have connected to the site, your browser provides information about your browser, so that the website experience can be optimized to your screen, location, and such, but this data can be used to identify you as well – to varying degrees of uniqueness. Combine this with cookies and your IP address, and you get a somewhat clearer picture of how difficult it is to be anonymous online.

Let’s assume that you have blocked cookies and trackers to the limits provided by your browser (without making your browser near-unusable). According to Cover Your Tracks, I have “strong protection against Web tracking”, but I can still be uniquely identified within the (relatively small) data set they match against. In my case, they indicated that I was unique among the roughly 300K tests done in the past 45 days.

But what information do they need to uniquely identify me?

Well, start with my “USER AGENT”. It tells the site that I am running the latest Firefox version on Ubuntu. Apparently, this provides them with more than 8 bits of identifying information, and only one in about 500 browsers run this setup.

So, they know you run Ubuntu. Whatever.

Then, there are the details of the plugins supported by my browser – mostly obsolete, but it provides another half-a-bit of identifying information, and identifies me to one in about 1.5.

Eyeroll.

And then there’s my timezone, which gives another few bits of identifying information, and identifies me to one in about 60.

So, running Firefox on Ubuntu in the EST timezone...

...with a screen resolution that provides another few bits, and identifies me to one in about 15.

...and a specific list of fonts installed, that limits me to one in about 100.

... Canadian English as the language, limiting me to about one in 95.

Uh...

It adds up pretty quickly, along with a bunch of other information, which identify me far more exactly than most people would think possible.

But, what if we just picked the most common values for everything? Like picking GMT as the timezone and US English as the language. That would help (a bit) with identification, but my system clock would be wrong and words like “colour” would show as if they were spelled wrong. Also, a lot of the features measured cannot easily be changed.

We could also use a browser which blocks or randomizes as many of these data elements as possible (like the Brave browser, for example), or browser plugins like Privacy Badger, which attempt to block as much tracking content as possible.

These can help, but let’s be clear – this tracking is almost universal, mostly legal (or at least not explicitly illegal), and is not a priority for most people, politicians, and regulators. Thus, it is unlikely to change soon, though organizations like EFF continue to promote privacy in any way they can.

The big question, though, is what we can do about it.

At this point, not much, except educate yourself (Cover Your Tracks, for example, has links to more information and tools) and assume that pretty much everything you do on the web can be traced back to you.

Privacy is becoming more and more important, but less and less easy to obtain. In this age of near-constant surveillance, it’s important not to forget that.

Cheers!