Re: User-Agent strings, privacy and Debian browsers

To: Peter Eckersley <pde@eff.org>
Cc: debian-devel@lists.debian.org
Subject: Re: User-Agent strings, privacy and Debian browsers
From: Jeremiah Foster <jeremiah@jeremiahfoster.com>
Date: Tue, 25 Sep 2007 14:38:59 +0200
Message-id: <[🔎] 1A51D9FB-6787-4C54-A0ED-C27679E5C818@jeremiahfoster.com>
In-reply-to: <[🔎] 878x6yjmmm.fsf@vorlon.ganneff.de>
References: <[🔎] 20070922181849.GA28786@illuminance.reworld.org> <[🔎] 878x6yjmmm.fsf@vorlon.ganneff.de>


On Sep 23, 2007, at 1:39 AM, Joerg Jaspert wrote:

On 11150 March 1977, Peter Eckersley wrote:
This is highly debateable. There may be tens or thousands ofusers of
the same package visiting a web site.
I've seen reports from very large sites indicating that User-Agent
strings are almost as useful as cookies for tracking their users.
I cant believe this. Looking at the stats from packages.debian.org- U-Ais the worst possible way to "track users". Would be totally dumbto try
something with U-A:

Whether it is dumb or not, it is widely used.

Same for anything matching "Firefox/", has 467789 total hits,
with more detail, first 15 rows we get
89003 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)51159 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.721879 Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.711289 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)10975 Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.710217 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6)Gecko/20070725 Firefox/2.0.0.68542 Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.6) Gecko/20061201 Firefox/2.0.0.6 (Ubuntu-feisty)7572 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.76029 Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.75379 Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.74885 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.74859 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.7)Gecko/20070914 Firefox/2.0.0.74606 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.64549 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070919 Ubuntu/7.10 (gutsy) Firefox/2.0.0.64472 Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
And thats a quick and very inaccurate way to do it. But it nicelyshowsthat modifying your UA (or forcing others to do so) does not gainyou or
anyone else anything. The only effect you have is to make statistics
more unusable than they already are.


I think that is the stated goal.

I am still not sure what the issue is from a privacy standpoint. Isit that the EFF fears that information in web server logs might pointto a particular user because that user could be identified by thepackage number of the web browser they are using as stated in the UAstring? This seems a pretty flimsy legal premise to identify someonebefore a court. Not least because that string is completely malleable.

Furthermore, the second that package gets updated, the string willchange. Packages can change frequently, at least in comparison to newversions of debian itself. Any change from upstream should bump thatversion string you speak of, as well as a new package inside debian(the last bit of the version string is often the version of thedebian package, if the package is not debian native. i.e. the -1ending in Debian-1.1.4-1). So the package version is a volatilestring and not something that a web site analytics software tool(like yaalr for instance :) ) would use to effectively "track" the user.

Furthermore, it seems highly unlikely that a web site would drilldown so low into the UA string to get this data and use that as aunique identification. What purpose would that serve? Certainly noweb site relies on the package version number of Iceweasel or Firefoxto be rendered correctly, and if so they would more likely look forthe version string of the software itself, ignoring any debianpackaging.

I could see one scenario where this might have relevance. That wouldbe if the UA string was logged on several servers. For example, ourhypothetical user goes to stealmp3.com and leaves her user string.Then she goes to hacktheNSA.org leaving her version string. Shecarefully refused any cookies and used different IP addresses, butthe version string shows which version of the Iceweasel package sheused and the authorities know that that package was only available ina two week period - coincidentally the same time as our user wassurfing. The authorities (or RIAA) use this information to narrowdown the network and potentially the location of the user (throughgeolocation perhaps, but that is also unreliable).


But this scenario seems highly implausible.

	Jeremiah

Reply to:

References:
- Re: User-Agent strings, privacy and Debian browsers
  - From: Peter Eckersley <pde@eff.org>
- Re: User-Agent strings, privacy and Debian browsers
  - From: Joerg Jaspert <joerg@debian.org>

Prev by Date: Re: How to detect if inside a buildd chroot
Next by Date: Re: volatile.debian.org: Does Debian still support it?
Previous by thread: Re: User-Agent strings, privacy and Debian browsers
Next by thread: Re: User-Agent strings, privacy and Debian browsers
Index(es):
- Date
- Thread