On Sep 22, 2007, at 8:18 PM, Peter Eckersley wrote:
On Sep 22, Marco D'Itri <md@Linux.IT> wrote:On Sep 22, Peter Eckersley <pde@eff.org> wrote:This means, in practice, that many sites will be able to track Debian users by their User-Agent, even if (say) the user is blocking cookies or limiting them to a single session and is changing IP address regularly.This is highly debateable. There may be tens or thousands of users of the same package visiting a web site.I've seen reports from very large sites indicating that User-Agent strings are almost as useful as cookies for tracking their users.
There is no question that many, if not all, web sites that track visitors use the UA string in some way or other. Often it is used for tracking and more commonly it is used to create work-arounds for non- standard compliance. For example IE 6 has some quirky CSS behavior that people often have to consider. Or people use the UA string with the IP and create a hash that is the 'signature' of the visitor. This of course breaks easily but it is still done.
Jeremiah