User identification problem. Browser fingerprinting. How users are tracked on the web HTML5 and data storage


The problem of user identification arises because interaction on the Internet is objectively mediated by the architectural features of this information and telecommunications network. This mediation manifests itself at various levels of the Internet architecture. The problem finds expression in various branches of law, but in each of them it is tied precisely to these features of Internet architecture.

At the same time, the legal expression of the problem of user identification has two aspects, which can be conditionally designated as “positive” and “negative” (these terms are functional, not evaluative).

The “positive” aspect of the systemic problem of user identification is expressed in the need to define the user as a subject of legal relations. Before the digital era, identification of the subject of legal relations could also be a problem, but the reason was, as a rule, rooted in the will of the other party, who wanted to hide his “true” name, business name, organizational and legal status or other legal qualities that serve to single out the person in the system of legal relations. In the modern conditions of information and telecommunication networks, the problem no longer depends on the will of the party, but is determined by the basic technical parameters of the means of legal communication. In the civil law of the Russian Federation, as a general rule, citizens (art. 1, 19) and legal entities (Clause 1 of Article 48) acquire rights and obligations under their own name, and not under a network pseudonym; in practice, however, this is not considered an obstacle to the validity of initially anonymous or “pseudonymous” legal relations on the Internet. In administrative and criminal law, this problem makes it impossible to reliably determine the person who committed the offense. In other areas of law and legislation, the problem manifests itself in a similar way.

The “negative” aspect of the systemic problem of user identification is expressed in the need to protect the rights of Internet users as subjects of personal data. Here, on the contrary, the other side of the problem comes to the fore. On the modern Internet so much information about users is accumulated that even if the user does not directly disclose his passport data to an indefinite (or definite, but unreliable) circle of people, sooner or later the volume of information on the Internet makes it possible for any interested party to identify a particular user. Today, legislation on personal data is actively developing in the Russian Federation, but the Law on Personal Data itself is based on the 1981 Convention on the Protection of Individuals during the Automated Processing of Personal Data, which at that time could hardly take promising “big data” technologies into account. Practices and discussions in the field of personal data in this context are built around a restrictive or expansive interpretation of the provisions of the Personal Data Law, including the definition of personal data. The main difficulty is to find a balance between the interests of individual users (their legal protection as subjects of personal data) and a sufficient degree of freedom to develop an Internet business, for which many restrictions may represent an administrative barrier.

At the same time, the “positive” aspect of the problem of user identification is the classic expression of this problem. From a legal point of view, in the context of the doctrinal and practical approaches developed in domestic jurisprudence, it can currently be resolved in the following ways, depending on the type of legal relationship in which it arises:

  • 1) protective legal relations. An example is criminal law. Here the problem of user identification becomes a question of fact, and the user’s identity is to be established through forensic methods and the totality of evidence. The architectural features of the problem show up in protective legal relations in that “computer” evidence alone is not enough: in any situation it must be assumed that another person was at the computer, or that the source of the electronic message was forged, or that the message was intercepted along the way and replaced with another, etc. Therefore, it is necessary to use additional evidence of the “pre-digital era”: witness testimony, as well as fingerprints [on the keyboard] and other traces in the forensic sense;
  • 2) regulatory legal relations. An example is civil law. The parties are interested in having legally significant and legally supported confidence that the actions leading to the establishment, change and termination of civil legal relations are carried out by precisely those entities with which they already have legal relations or intend to enter into them. The same applies to regulatory relations within administrative law: the subject of legal relations on the Internet must, for example, be sure that a requirement to delete “prohibited information” really comes from Roskomnadzor.

The general legal solution in this situation is a legal presumption of identification of the subject of the legal relationship. This presumption is rebuttable: the alleged subject of the legal relationship can refute the fact, for example, of having used a certain Internet communication service. Such a presumption may have different grounds: legal (law or contract) or mixed, for example an electronic signature, which relates rather to the architectural aspects of computer technology, but whose meaning is determined precisely by law.

This is interesting

In the case of “prohibited information,” the interaction of Roskomnadzor with the hosting provider is determined by the Procedure for interaction of the operator of the unified automated information system “Unified Register of Domain Names, Page Indicators of Sites on the Internet and Network Addresses that Allow to Identify Sites on the Internet Containing Information the distribution of which is prohibited in the Russian Federation” with a hosting provider, approved by Roskomnadzor Order No. 170 dated February 21, 2013. According to clause 5 of this Procedure, the notification of inclusion in the Register, drawn up in Russian and English, is sent to the hosting provider's e-mail from a specified e-mail address and signed with an enhanced qualified electronic signature of the Registry operator. In this case there are, in fact, two ways of resolving the problem of user identification: a presumption based on the law (a letter sent from the specified address is considered a letter sent on behalf of Roskomnadzor on this issue) and a mixed one (the use of an enhanced qualified electronic signature is required).

If such an issue turns into a protective legal relationship that is nevertheless private-law and based on adversarial principles, this presumption may be of a procedural nature. For example, in a dispute with an Internet company, both the user and the Internet company may choose not to dispute the existence of a legal relationship, although an argument arising from the systemic problem of identifying users may, depending on the circumstances, be useful both for one side and for the other.

At the same time, the most interesting tool for resolving the “positive” aspect of the problem of user identification is an electronic signature, which can be of several types.

User identification

User identification - recognition of a user by a computer system based on a previously specified description. Identification is aimed at determining the user’s authority (the right to access data and to choose the mode of its use).

In English: User identification

Finam Financial Dictionary.



Just because you're paranoid doesn't mean no one is watching you.


Identification of users on the Internet - many methods to find out everything about the user from open and semi-open sources on the Internet. Using the Internet, a person leaves a huge amount of information about himself. Perhaps there would be nothing wrong with this if everyone were prophets and knew how, to whom and in what direction it would come out later. But until the connection with the astral is established, it would be nice to stop and look around: am I still doing this? The average Internet user may have a misleading impression of his own anonymity on the World Wide Web. So, the first thing you need to understand is that it is false! And there is only one reason - yes, yes, that is it. The saddest thing is that users themselves have killed the slightest hint of anonymity on the Internet, and as soon as it even tries to raise its head, people immediately drive a new aspen stake into the chest of anonymity.

Information about a user on the network should be divided into two unequal categories: what he leaves himself, and what programs quietly convey about him. Is it any wonder that the user posts most of the information about himself voluntarily and without any coercion? The best dossier is the one that a person writes about himself. Yes, yes, the first thought about Twitter and Facebook was absolutely correct. And if we add to this that the data in them will not disappear from search engine caches and Internet archives, and that all the messages you write now can be read both in 5 years and in 40 years, it becomes scary. Moreover, it is not abstract intelligence officers who can read it, but anyone who wants to. We live in a glass cage that we built ourselves.

Identification without user knowledge
Mobile phones are watching you, sir!
As is known,
he does not use a mobile phone, so that no service can track his movements on the street or anywhere else. This makes a lot of sense if you -
The frequencies of your satellite phone are known to the FSB, and when you call, a homing missile will fly to you (look for the proof yourself). However, for the average citizen with a GSM phone, positioning is not the worst thing. But first things first, so let’s start with the positioning just mentioned.

  • Positioning.
    Approximate location of a switched-on cell phone. Since the phone does not levitate by itself but lies in a pocket, the location of the person using it is known. Two basic techniques are used: positioning relative to base stations, and the phone's built-in GPS (if it has one, and the vast majority of smartphones do). The error of the first method in GSM networks is about 100 meters (distance from the tower), and even more once unpredictable urban development is taken into account. Generally speaking, the ability to position in GSM networks is provided by time-sharing bandwidth technology and is a side effect. The position of the phone is defined as the distance from the base station that is serving it at the moment. This gives the possible position of the subscriber as a ring around the base station, with a width equal to the uncertainty along the radius. It works on this principle
    from MTS, upsetting schoolchildren who skip classes. The service from MTS should, in general, exclude the positioning of a person who has not given consent, but if you have a good friend at some mobile operator, he will be able to point you to the dude who is holding your stolen and switched-on mobile phone.
    The second method (GPS) gives an accuracy of 5 to 50 meters, which is already quite good. You can always check how accurately you are placed by opening Google Maps on your smartphone (the author most often sees an error of 15 meters).
  • Wiretap.
    You need to decide whose wiretapping you are afraid of. If
    those fears are quite justified. According to completely reliable data, the guys from the FSB have an agreement with the mobile operators and can listen to any number. But if you are afraid of "cool hackers" with home-made devices for intercepting and decrypting signals on the fly in the GSM network, then you can calm down: at the moment there is no full-fledged working prototype. But the work
So far we have been talking about ordinary phones. Now let's move on to the most interesting part -
and others like them. In general, mobile phones have radically changed the rules of the game, and Google and Apple understand this very well. Whoever controls the mobile market will control the future. The smarter the phone and the more useful and convenient functions it has, the more data about you it sends to the manufacturer. And not only about you: the task of smart phones is to index the world around you and send the maximum possible amount of data about it to servers. Here are just some of the examples.

    This is a database of over 100 million Wi-Fi access points around the world with their geographical coordinates, accurate to within 20 meters, by the way. It is replenished as follows: if you open Google Maps on your phone over Wi-Fi, the phone scans and finds out the SSID and MAC address not only of the point you are connected to, but of all nearby ones as well, and sends them to Skyhook, a partner of the Empire of Good. What for? With a database of 70% of the Wi-Fi points in the USA and Canada, as well as points in all the largest cities in the world, it is more convenient for advertisers (Google) to track you and serve targeted advertising based on your location. At least for now for this purpose.

  • Google Goggles
    Excellent, breakthrough photo search technology. You can take a photo of a landmark with your phone and immediately find out all the information about it from Google. You can google information about a trademark by taking a photo of its logo. And there’s a lot more that can be done! You just need to understand that if before Google only had “ears” through which it read the queries you typed into it, now it has “eyes”. And given the ubiquity of GPS, Google knows where you are, what you’re looking at, and what you want to know about it. Most likely, Google Goggles will find application not only in mobile phones, and the functionality itself will expand and integrate so conveniently with other Google services that it would be simply stupid not to use it. After all, it’s great to look at any object and immediately find out all the available information about it, to look around on the street and see the names of people passing by, the prices at the nearest cafe, and so on. This is where the fun begins.
  • Google Account
    Android synchronization, which, admittedly, is configured by the user, works in a very interesting way: all the data from your phone is synchronized with your Google account and stored on the server. Thus, Google knows your calendar, your contacts, your calls, your to-do list, your mobile number... and everything you did with your phone. By the way, they say that Android phones take regular screenshots of the screen and subsequently send them to Google servers; if there are Android owners with root access, check and report back here.
But don't think that Google is the only one who does such things. It simply often sets a trend for violating user privacy, which is picked up by others. Apple does all the same things, only sometimes it charges money for it (for example, for the cloud service for exchanging data between any Mac devices). And, of course, Google and Apple, thanks to the ability to buy applications for your phone, know your credit card number.

In general, Android phones are phenomenal; they fully live up to what is expected of a phone. If Apple's phone is a racial fascist phone (nyah!) that only allows you to do what Fuhrer Steve Jobs allowed (unless you jailbreak it, of course), then Google's phone gently tells you: "do what you want, but please tell me everything, everything, okay?” And it’s very difficult to refuse this insinuating whisper... But just think about whether it’s worth sharing most aspects of your life with a transnational corporation whose mission is “to organize the world’s information and make it accessible and useful.” And Apple, too, would not mind knowing a little more about its hamsters. How to resist all this? Buy yourself a mobile phone that is just a phone, not a small computer. For the rest it is better to use a laptop.

Browsers are after you too!
Once upon a time, cookies were invented for this task. But, unfortunately, cookies are only the most harmless thing that a user who wants to maintain anonymity on the Internet has to face.

(external ip, IP address) - every computer on the Internet has an external IP address, which is generally obvious. At first glance, identifying a specific user by it is very difficult. Firstly, there are dynamic IP addresses, randomly issued by the provider to a user from a certain range of addresses with each new connection. Secondly, there are networks where many computers sit behind the same external IP (and yes, for the sins of one they will ban everyone at once). Let's assume that you still have a static white IP and an off-the-scale degree of paranoia. In this case, immediately put
or join the ranks
But difficulties with identification exist only at first glance. On closer inspection, even a dynamic IP address reveals the user’s country and provider (and split it - with respect, ZOG curator). This already narrows the search. If this worries you, then in Firefox there is a way to falsify your IP in the server logs without the help of Tor,
making the server believe that your true external IP is just a proxy behind which the “real” IP (from an arbitrary range specified in the settings) is hidden.

(HTTP cookies) are perhaps the most publicly known identification method on the Internet. It works like this. When a user makes his first HTTP request to a site (it is not without reason that the name of the site is preceded by
it receives cookies from the site: pieces of data that the browser saves as a file. This data serves as the user's identification on this site and is valid until the expiration date. As the name suggests, the expiration date tells the browser when to delete the received cookies. As soon as it passes, the cookies are removed. If no date is specified, the cookies live until the end of the session (for example, until the browser is closed). And, of course, they can be deleted manually at the user’s request. The most interesting example in terms of cookies is, of course, Google. The Empire of Good issues cookies valid right up to 2020 and sincerely hopes to use them to track user requests and transitions from site to site. There are other methods, for example so-called third-party cookies. The idea is this: when the user loads the page
it contains, among other things, components of other sites - for example
These are pictures, banners and other elements such as JavaScript. And these components may well persuade the browser to accept cookies with a long lifespan from
And if there are many similar banners
on various sites on the Internet, then your browser will be recognized on every site that carries them. It is always possible to track where the user went and what interests him. Of course, it is not the special services that are interested in this, but advertisers (let’s not recall the cases when the FBI implanted its cookies into the computers of Americans). They need to know what kind of porn the user faps to and what lubricant he prefers - that’s the advertising business.
How to deal with this: a competent cookie management policy in the browser. For Mozilla Firefox, an add-on is recommended.

(Local Shared Objects, flash cookies) - flash-based cookies. The main danger of flash cookies is that they are set silently, they cannot be removed with the browser's standard tools, and most users know little about them. You can fight them in Mozilla Firefox by installing an add-on. After installation, don’t forget to marvel at how crapped-up your computer is. But the protection will be incomplete unless Adobe Flash Player is forbidden to save LSOs to the hard drive. To do this, go to the Adobe website.
On the Global Storage Settings tab, reduce the amount of disk space allowed for storing information to the minimum and prevent third-party flash content from saving data to your computer. By the way, there is an interesting observation related to flash cookies. If you prohibit saving regular HTTP cookies in the Skype settings, it quietly starts saving LSOs every time the browser is opened, in the hope that no one will find out.

(web beacon, tracking bug, tracking pixel, pixel tag, 1×1 gif) - an object embedded in a web page or e-mail, invisible to the user, but making it possible to determine whether the user has viewed this page or e-mail. Initially, web bugs were 1×1 pixel images loaded into a page or e-mail from a third-party site (remember the analogy with third-party cookies?). Nowadays the matter is not limited to pixels: web bugs mean a whole range of features that make it possible to follow the user (details are in the links on English Wikipedia). In HTML pages, web bugs are most often used to collect traffic statistics (Google Analytics and LiveInternet are embedded on Lurk). Things are much more interesting in e-mail: with the help of web bugs you can determine not only which IP opened the message, but also to whom it was subsequently forwarded. Firefox can fight them.

This is the name in the HTTP protocol for one of the client request headers, which allows the server to determine from which page the user came to this site. That is, if a transition was made from
then Big Brother will figure out the user’s sexual preferences. This problem can be solved in Mozilla Firefox.

Unfortunately, this is not all. There are also cross-site requests, where the HTTP Referer and web bugs have a lot in common. Let me explain with an example: let’s say a user viewed a blog with an embedded video from YouTube, then looked at friends’ profiles on MySpace, and finally ordered a book on Amazon. Attention! He has never visited the Google website, but Google already knows what video he watched and on what blog, which friends he was interested in and what books will be delivered to him. Remember that Google is watching everyone. Always. The secret is that all these sites carry different Google components: the blog has a link to YouTube, which is owned by Google; MySpace has Google Analytics traffic analytics; and Amazon has DoubleClick, Google's advertising company. And rest assured, all transitions are logged and compared with the most advanced statistical algorithms to link the data uniquely to you. I mean last name, first name, patronymic. But don’t think that Google is such a universal evil. It lives on targeted advertising and wants to know your interests. And not only Google: all search engines are guilty of this to the best of their ability. It’s just that Google does this on a planetary scale, unlike Yandex. To block unnecessary requests, there is an add-on.

The browser cache can be used in different ways. The simplest is the ETag HTTP header. When a page is accessed, the server issues an ETag, which the browser stores with the cached content. On subsequent requests the browser sends this ETag back to the server, which thus knows who has come to it. The best part is that even when the page is reloaded, the ETag does not change its value and the server will still recognize you. This, too, can be treated.
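The ETag mechanism described above, as an added example that is not part of the original article: a network-free simulation showing that a per-visitor ETag is echoed back after cookies are cleared but not after the cache is cleared, plus an audit that flags a server handing different ETags to clean profiles for identical content. The class and function names (`TrackingServer`, `HonestServer`, `BrowserProfile`, `revisit`, `auditEtag`) and the resource are hypothetical and constructed for the illustration.

```javascript
// Added example. Everything is constructed: no network, hypothetical names.
const BODY = 'logo-bytes'; // the same resource is served to every visitor

// Small non-cryptographic content hash (FNV-1a), enough for a demo validator.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (const ch of text) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// A server that abuses ETag: every new visitor gets a unique validator, which
// becomes a lookup key once the browser echoes it in If-None-Match.
class TrackingServer {
  constructor() { this.visits = new Map(); this.counter = 0; }
  handle(req) {
    const echoed = req.headers['if-none-match'];
    if (echoed && this.visits.has(echoed)) {
      this.visits.set(echoed, this.visits.get(echoed) + 1);
      return { status: 304, headers: { etag: echoed }, body: null };
    }
    this.counter += 1; // the counter guarantees uniqueness in this demo
    const etag = '"v' + this.counter.toString(16) + '-' +
      Math.random().toString(16).slice(2, 10) + '"';
    this.visits.set(etag, 1);
    return { status: 200, headers: { etag }, body: BODY };
  }
}

// A well-behaved server: the ETag depends on the content only.
class HonestServer {
  handle(req) {
    const etag = '"' + fnv1a(BODY) + '"';
    if (req.headers['if-none-match'] === etag) {
      return { status: 304, headers: { etag }, body: null };
    }
    return { status: 200, headers: { etag }, body: BODY };
  }
}

// Minimal browser profile: the cookie jar and the HTTP cache are separate stores.
class BrowserProfile {
  constructor() { this.cookies = new Map(); this.cache = new Map(); }
  fetch(server, url) {
    const headers = {};
    const cached = this.cache.get(url);
    if (cached) headers['if-none-match'] = cached.etag; // conditional request
    const res = server.handle({ url, headers });
    if (res.status === 200) {
      this.cache.set(url, { etag: res.headers.etag, body: res.body });
    }
    return { res, sent: headers };
  }
  clearCookies() { this.cookies.clear(); }
  clearCache() { this.cache.clear(); }
}

// Visit, clear one store, visit again; report which validator went back.
function revisit(server, url, clear) {
  const profile = new BrowserProfile();
  const issued = profile.fetch(server, url).res.headers.etag;
  clear(profile);
  const second = profile.fetch(server, url);
  return {
    issued,
    echoed: second.sent['if-none-match'] || null,
    status: second.res.status,
  };
}

// Audit: fetch the same URL from several clean profiles. Identical bodies with
// different ETags mean the validator is per client, not per content.
function auditEtag(server, url, profiles = 3) {
  const tags = new Set();
  const bodies = new Set();
  for (let i = 0; i < profiles; i++) {
    const { res } = new BrowserProfile().fetch(server, url);
    tags.add(res.headers.etag);
    bodies.add(res.body);
  }
  return { distinctTags: tags.size, perClientEtag: bodies.size === 1 && tags.size > 1 };
}
```

Clearing cookies leaves the cache entry, and with it the identifier, in place; only clearing the cache makes the browser stop sending it.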

In general,
they remove a lot of the holes through which your browser becomes the one and only across the vastness of the World Wide Web. With NoScript you can control JavaScript, Java, Silverlight and Flash (which snitch like woodpeckers in the spring -
). Without them, it is impossible to guarantee user protection from many attacks such as XSS, CSRF and Clickjacking.

Yes, and the TCP protocol too. It will be happy to provide information about your operating system. The fact is that the TCP stack is configured differently in different operating systems, and a router, as a rule, does not change the packet but simply passes it on. The characteristics of TCP packets form their own fragment of a digital signature. To see what they reveal about your OS, the easiest way is to use a utility.

Browser fingerprinting is a very interesting technology that allows identifying the user's browser without any cookies, simply from the information transmitted to the server: HTTP headers, presence/absence of cookies, Java, JavaScript, Silverlight, browser plugins, etc. This is a kind of final boss, building a unique digital signature from the above elements (and probably many more) described in the article
Moreover, the above test only leads to Panopticlick, an open project designed to protect users. It uses a small part of the techniques described in the article and is nevertheless very effective. A real algorithm can be more complex and much (tens or hundreds of times) more efficient. There is a suspicion that it will not be advertisers selling their goods who use it... On Panopticlick it is possible to bring the uniqueness of your browser to 1 out of 50,000. However, take the following into account: if you disguise the browser so that nothing at all can be found out about it, then among other browsers it will stand out like a man in a space suit in the center of a densely populated metropolis. You can try to disguise your build as something fairly generic with
But the main thing here is not to change the type of operating system. Remember: TCP reports it, and if it says you have Linux while the HTTP headers disguised by User Agent Switcher insist on Windows, then congratulations - you have been found! Most likely, you are the only one like that on the Internet.
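The two caveats above (hiding everything makes a browser rarer, and a spoofed User-Agent that contradicts the OS seen at the TCP level singles it out), as an added worked example that is not from the article or from Panopticlick. The population of 1000 browsers, the simplified `OS/Browser` User-Agent format and the `tcpOs` field (standing for what a passive TCP fingerprinting tool would report) are constructed assumptions.

```javascript
// Added example with a constructed population: [count, fingerprint].
const GROUPS = [
  [600, { ua: 'Windows/Firefox', plugins: 'flash,java', tz: 'UTC+3', tcpOs: 'Windows' }],
  [300, { ua: 'Windows/Chrome', plugins: 'flash', tz: 'UTC+3', tcpOs: 'Windows' }],
  [90, { ua: 'Linux/Firefox', plugins: 'flash', tz: 'UTC+3', tcpOs: 'Linux' }],
  // "Hardened" browsers that expose no plugins at all.
  [9, { ua: 'Linux/Firefox', plugins: '', tz: 'UTC+3', tcpOs: 'Linux' }],
  // One Linux user whose headers imitate the most common Windows browser.
  [1, { ua: 'Windows/Firefox', plugins: 'flash,java', tz: 'UTC+3', tcpOs: 'Linux' }],
];
const POPULATION = GROUPS.flatMap(([n, fp]) =>
  Array.from({ length: n }, () => ({ ...fp })));

const HTTP_ATTRS = ['ua', 'plugins', 'tz'];    // what the web server sees in HTTP
const ALL_ATTRS = [...HTTP_ATTRS, 'tcpOs'];    // plus the passive TCP observation

// Anonymity set: how many browsers share this fingerprint on the given attributes.
function anonymitySet(fp, population, attrs) {
  return population.filter(other => attrs.every(a => other[a] === fp[a])).length;
}

// Surprisal in bits of being "1 in (populationSize / setSize)".
function surprisalBits(setSize, populationSize) {
  return Math.log2(populationSize / setSize);
}

// Simplified parser for the constructed "OS/Browser" User-Agent format.
function osFromUserAgent(ua) {
  return ua.split('/')[0];
}

// A User-Agent claiming one OS while TCP shows another is itself a rare signal.
function isInconsistent(fp) {
  return osFromUserAgent(fp.ua) !== fp.tcpOs;
}

function assess(fp, population = POPULATION) {
  const httpSet = anonymitySet(fp, population, HTTP_ATTRS);
  const fullSet = anonymitySet(fp, population, ALL_ATTRS);
  return {
    httpSet,
    fullSet,
    httpBits: surprisalBits(httpSet, population.length),
    fullBits: surprisalBits(fullSet, population.length),
    inconsistent: isInconsistent(fp),
  };
}

const typical = GROUPS[0][1];
const hardened = GROUPS[3][1];
const spoofed = GROUPS[4][1];
```

On HTTP attributes alone the spoofed browser hides among 601 others; once the TCP-level OS is added it is alone, while the plugin-free browser is already down to a set of 9. The page's "1 out of 50,000" corresponds to `surprisalBits(1, 50000)`, about 15.6 bits.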

Search in Google and Yandex. If you look at the HTML code of a Google search results page, you can see that the results are not plain links. Each search result link carries an onmousedown handler, which makes the browser perform specific actions when the link is clicked. The transition to the desired page then goes through a redirect to an intermediary address: the browser first goes to the Google server, and only after that to the desired page. The redirect is fast enough to be imperceptible on a wide channel. Meanwhile, Google collects statistics about what you searched for and where you went as a result. Yandex, Yahoo and other search engines do the same. You can counter this with client-side scripts in the browser that convert the links back into direct form. Install the Firefox add-on [link] and add link-cleaning scripts to its list for [link] [link].

This is the only way to fight it. Even configuring Google search so that it does not save your search history leads to nothing. However, you can open the link in a new tab; this bypasses onmousedown and prevents Google from finding out the truth.
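A client-side script of the kind described above can be quite small. The following is an added example, not one of the scripts the article links to; the redirect shape it handles (a /url path carrying the destination in a q or url parameter) and all function names are assumptions of this example.

```javascript
// Added example: turn search-result redirect links back into direct links
// and drop the onmousedown handler that reports the click.
// Assumption: the redirect looks like /url?q=<target> or /url?url=<target>.
const REDIRECT_PARAMS = ["q", "url"];

// Return the real destination if href is such a redirect, otherwise href unchanged.
function unwrapRedirect(href, base) {
  let parsed;
  try {
    parsed = new URL(href, base);
  } catch (e) {
    return href; // not a parseable URL: leave it alone
  }
  if (parsed.pathname !== "/url") return href;
  for (const name of REDIRECT_PARAMS) {
    const target = parsed.searchParams.get(name);
    if (!target) continue;
    try {
      const dest = new URL(target); // must be absolute
      // Only accept web links, so a javascript: or data: target is never promoted.
      if (dest.protocol === "http:" || dest.protocol === "https:") return dest.href;
    } catch (e) {
      // relative or malformed target: try the next parameter
    }
  }
  return href;
}

// Clean a collection of anchors; returns how many hrefs were rewritten.
function cleanLinks(anchors, base) {
  let rewritten = 0;
  for (const a of anchors) {
    const direct = unwrapRedirect(a.href, base);
    if (direct !== a.href) {
      a.href = direct;
      rewritten++;
    }
    a.onmousedown = null;
    if (typeof a.removeAttribute === "function") a.removeAttribute("onmousedown");
  }
  return rewritten;
}

// When loaded as a user script in the browser, clean the current page.
if (typeof document !== "undefined") {
  cleanLinks(document.querySelectorAll("a[href]"), location.href);
}
```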

How to protect yourself from all this?
As you can see, literally everything snitches on you. First, you need to understand that no protection is absolute, and come to terms with that. Second, follow the advice in this article. Third, you can use [link] (I’ll post an article about it in due course). Fourth, never, ever use toolbars from Google, Yandex and others. It's not worth it: a toolbar is a giant hole through which everything possible leaks, both your search history and information about the computer as a whole. After all, you want only you to use your computer, and not marketers, right? Fifth, use Firefox, Opera or [link], but try to stay away from IE and Chrome. Sixth, check your browser at [link].

And most importantly, remember that the data being collected now will never go away. It will remain forever in the caches of Google, Yandex and the Wayback Machine, and sooner or later it will be processed. Can you guarantee that in the future (a very near one, by the way: read about Google’s plans for 2020) the mathematical apparatus will not make it possible to compile a dossier on every Internet user and establish soft but persistent surveillance of everyone? Even now, when you use an Android phone, you leak your location and speed, not to mention absolutely everything you look for on the Internet from it. And this is just the beginning.

There is an organization, [link], which owns [link] servers and manages everything on the Internet. ICANN servers [link] from all external IPs, and this is the basis of the entire Internet. Who do you think [link]

I've always been bothered by how intrusively Google AdSense slipped me contextual advertising based on my old search queries. It seems that quite a lot of time had passed since the search, and the cookies and browser cache had been cleared more than once, but the advertising remained. How did they keep tracking me? It turns out there are plenty of ways to do this.

A short preface

Identification, user tracking, or simply web tracking involves calculating and setting a unique identifier for each browser visiting a specific site. Initially this was not intended as some kind of universal evil and, like everything, it has another side: it was meant to be beneficial, for example by allowing site owners to distinguish ordinary users from bots, or by storing user preferences and applying them during a subsequent visit. But the advertising industry also liked this capability very much. As you well know, cookies are one of the most popular ways to identify users, and they have been actively used in the advertising industry since the mid-nineties.

Methods for determining the uniqueness of a user are developing every day. There are 15 main factors that define a user.

  1. Browser client
  2. Browser fingerprint
  3. Web Cookies
  4. LSO Cookies
  5. Temporary files
  6. Time zone correspondence to IP address and DNS
  7. JavaScript
  8. MAC address + HWID
  9. Browser cache
  10. Evercookie
  11. System fonts
  12. Operating system
  13. Installed languages

Let's look at them in more detail:

IP address (short for Internet Protocol address) - the unique network address of a node in a computer network built on the IP protocol. The Internet requires globally unique addresses; within a local network, the address only has to be unique inside that network. In IPv4, the IP address is 4 bytes long.

DNS (Domain Name System) - a distributed computer system for obtaining information about domains. It is most often used to obtain an IP address from a host name (computer or device), to obtain mail routing information, and to find the hosts serving particular protocols in a domain (SRV record).

Web browser (browser) - software for viewing web pages; displaying web documents, computer files and their folders; launching web applications; and solving other tasks. On the Internet, web browsers are used to request, process, modify and view the content of web pages. Modern browsers can also exchange files with FTP servers and directly display files with graphic content (gif, jpg, png), audio and video content (mp3, mpg, avi, mp4), text content (txt, pdf, djvu) and other files.

Browser fingerprint (BF) - a very interesting way of identifying the user's browser without analyzing any cookie files. The analysis is based on the information transmitted to the web server with a request: HTTP headers, whether cookies are present, whether Java, JavaScript, Flash and Silverlight are available, which plugins are built into the browser, and so on. This is the final check, which creates a unique digital signature from the elements above. There is a well-known article that describes this check in detail, "How Unique is Your Browser?". The test in it comes from Panopticlick (an open source project created to protect users); it uses only some of the methods described in the article, and they are nevertheless very effective. A real verification algorithm can be more complex and much more efficient. With Panopticlick, you can bring the uniqueness of your browser to 1 in 50,000. Just don't forget one important thing: if you make your web browser so unusual that nothing can be learned about it, then among other browsers it will stand out like a naked man in the center of a densely populated metropolis during rush hour. If you wish, you can disguise your browser version as something typical using User Agent Switcher, but the main thing is not to change the type of operating system you are running it on. The TCP protocol reports the OS version, and if it says that you are using a Unix-like OS while the HTTP headers from User Agent Switcher say that it is a Windows OS, this will most likely arouse suspicion among the administrators of the web servers.
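The "1 in 50,000" figure and the warning about standing out can both be expressed as bits of identifying information. The sketch below is an added example, not Panopticlick's code; the attribute shares in it are constructed for illustration, and the function names are assumptions of this example.

```javascript
// Added example: estimate how identifying a browser profile is.
// SHARES is constructed for illustration (fraction of browsers reporting each
// value); it is not measured data.
const SHARES = {
  userAgent: { "common-build": 1 / 16, "rare-build": 1 / 2048 },
  timezone: { "UTC+3": 1 / 8 },
  plugins: { "typical-set": 1 / 4, "nothing-reported": 1 / 1024 },
  fonts: { "os-default": 1 / 4, "nothing-reported": 1 / 512 },
};
const UNSEEN_SHARE = 1 / 65536; // assumed share for a value nobody else reports

// Surprisal of one observed value in bits: -log2(share).
function bitsFor(attribute, value) {
  const table = SHARES[attribute];
  if (!table) throw new Error("unknown attribute: " + attribute);
  const known = Object.prototype.hasOwnProperty.call(table, value);
  return -Math.log2(known ? table[value] : UNSEEN_SHARE);
}

// Total bits for a profile. Summing assumes the attributes are independent,
// so the result is an upper bound when they correlate.
function profileBits(profile) {
  return Object.entries(profile).reduce(
    (sum, [attribute, value]) => sum + bitsFor(attribute, value), 0);
}

// "One browser in N" for a given number of bits.
function oneIn(bits) {
  return Math.round(2 ** bits);
}

// A browser that looks like many others, and one that hides plugins and fonts.
const generic = {
  userAgent: "common-build", timezone: "UTC+3",
  plugins: "typical-set", fonts: "os-default",
};
const hidden = {
  userAgent: "common-build", timezone: "UTC+3",
  plugins: "nothing-reported", fonts: "nothing-reported",
};

console.log("generic:", profileBits(generic), "bits, 1 in", oneIn(profileBits(generic)));
console.log("hidden: ", profileBits(hidden), "bits, 1 in", oneIn(profileBits(hidden)));
console.log("1 in 50,000 is", Math.log2(50000).toFixed(1), "bits");
```

With these constructed shares, the profile that reports nothing for plugins and fonts is rarer than the generic one, which is the point of the article's warning.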

Web cookies - a small piece of data sent by a web server and stored on the user’s computer. Every time a web client (usually a web browser) tries to open a page on the corresponding site, it sends this piece of data back to the web server as part of an HTTP request. Cookies are used to save data on the user side; in practice they are usually used for:

  • user authentication;
  • storing personal preferences and user settings;
  • tracking the state of the user's access session;
  • maintaining statistics about users.

Local Shared Objects - Flash cookies. This is a type of metadata that is stored as files on each user's computer. All current versions of Flash Player use LSOs.
With default settings, Flash asks the user for permission to save local files to the computer. Most of you have noticed this many times, so some of the readers of my blog already understand what I’m talking about. As with regular cookies, online banks, advertisers or merchants use LSOs to analyze and monitor traffic. Flash cookies cannot be used by third parties on other websites. For example, LSOs from the site “www.name.ru” cannot be read by the site “www.name.com”. If a user deletes the cookies a site has stored, the unique cookie ID will be assigned again to the new file, using the stored Flash data as a “backup”.

Temporary files - data created by most programs or by the operating system to save intermediate results during operation or to pass data to another program. Typically, such files are deleted automatically by the process that created them.
Some operating systems offer additional features for working with temporary files: the ability to obtain a name for the temporary file (one that is unique, that is, does not coincide with the name of an existing file), and the ability to specify a special parameter when creating (opening) a file, instructing that the file be deleted immediately after writing.

JavaScript - a prototype-oriented scripting programming language. It is a dialect of the ECMAScript language.
JavaScript is commonly used as an embedded language for programmatic access to application objects. It is most widely used in browsers as a scripting language for adding interactivity to web pages.
Key architectural features: dynamic typing, weak typing, automatic memory management, prototype-based programming, functions as first-class objects.

MAC address (Media Access Control address, also Hardware Address) - a unique identifier assigned to each piece of active equipment in computer networks. Most link-layer network protocols use one of three IEEE-managed MAC address spaces: MAC-48, EUI-48 and EUI-64. Addresses in each space should theoretically be globally unique. Not all protocols use MAC addresses, and not all protocols that use MAC addresses need them to be that unique. On broadcast networks (such as Ethernet-based networks), the MAC address allows each node on the network to be uniquely identified so that data can be delivered only to that node. Thus, MAC addresses form the basis of networks at the link layer, which is used by higher (network) layer protocols. To convert MAC addresses to network-layer addresses and vice versa, special protocols are used (for example, ARP and RARP in IPv4 networks and NDP in IPv6-based networks).
HWID - the general name for a unique (to some degree of assumption) identifier that is generated from data associated with specific hardware. The generation algorithm can be anything, and there is no standardization here. Countless algorithms can be imagined.

Browser cache - copies of web pages, pictures, videos and other content viewed using a browser. The cache is stored on your computer.
The cache helps reduce the number of requests to sites: if the page you want to view is already in the cache, the browser will instantly load it from your hard drive.

Evercookie - Samy Kamkar has developed a system that stores cookies in 8 places that automatically restore each other, and can even make a cookie set in one browser valid in another. It is almost impossible to delete this cookie! (Everything is possible, of course, but it is too much trouble.)
Cookies are stored in:

  • HTTP Cookies;
  • Local Shared Objects (Flash);
  • Storing cookies in RGB values of auto-generated and force-cached PNGs using HTML5 canvas;
  • Saving cookies in Web History;
  • HTML5 Session Storage;
  • HTML5 Local Storage;
  • HTML5 Global Storage;
  • HTML5 Database Storage via SQLite.

When deleted from one of these locations, the cookie is automatically restored from the remaining ones. It works even if the user changes browser (via Local Shared Objects from Flash).
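Restoration of this kind can be spotted by comparing what each storage location holds before a cleanup, right after it, and after the next visit to the site. The sketch below is an added example, not Evercookie code; the snapshot format, store names and identifier values are constructed for this example.

```javascript
// Added example: detect identifiers that come back after the user clears a store.
// Each snapshot maps a storage location to its key/value pairs. The snapshots
// below are constructed; collecting them from a real browser is out of scope.

function holdsValue(snapshot, store, value) {
  return Object.values(snapshot[store] || {}).includes(value);
}

function findRespawned(beforeClear, afterClear, afterRevisit) {
  const findings = [];
  for (const [store, entries] of Object.entries(beforeClear)) {
    for (const [key, value] of Object.entries(entries)) {
      const wasCleared = !(key in (afterClear[store] || {}));
      const cameBack = (afterRevisit[store] || {})[key] === value;
      if (!wasCleared || !cameBack) continue;
      // Locations that kept the same value through the cleanup are the
      // candidates the identifier was restored from.
      const survivors = Object.keys(afterClear)
        .filter((s) => holdsValue(afterClear, s, value));
      findings.push({ store, key, value, survivors });
    }
  }
  return findings;
}

const beforeClear = {
  httpCookies: { uid: "a1b2c3", sid: "s-111" },
  localStorage: { uid: "a1b2c3" },
  sessionStorage: {},
};
// The user deletes HTTP cookies only.
const afterClear = {
  httpCookies: {},
  localStorage: { uid: "a1b2c3" },
  sessionStorage: {},
};
// Next visit: uid is back with its old value; sid is a fresh session id.
const afterRevisit = {
  httpCookies: { uid: "a1b2c3", sid: "s-222" },
  localStorage: { uid: "a1b2c3" },
  sessionStorage: {},
};

console.log(findRespawned(beforeClear, afterClear, afterRevisit));
```

An identifier reported with a non-empty survivors list means the cleanup missed at least one location; the value stops coming back only when every listed location is cleared in the same pass.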

Operating system - a set of control and processing programs which, on the one hand, act as an interface between the devices of a computer system and application programs, and on the other hand, are designed to control devices, manage computing processes, distribute computing resources efficiently between those processes and organize reliable computing. This definition applies to most modern general-purpose operating systems.

You can partially check your browser here - https://panopticlick.eff.org

All affiliate programs check these points to identify the user; some check all of them, others only half. Only the developers know which.


