About Cover Your Tracks

About

Cover Your Tracks is two things: a tool for users to understand how unique and identifiable their browser makes them online, and a research project to uncover the tools and techniques of online trackers and test the efficacy of privacy add-ons. Running tests on Cover Your Tracks gives you information about your own browser’s privacy protections, and also helps EFF use statistical methods to evaluate the capabilities of third-party trackers and the best forms of protection against them.

In 2010, EFF launched this project as “Panopticlick,” a research project to investigate how unique each browser is. We gathered information about the configuration and version information from your operating system, your browser, and your plugins, and compared it to our database of many other Internet users' configurations. Then, we generated a uniqueness score letting you see how easily identifiable you might be as you surf the web. A paper reporting the early statistical results of this 2010 experiment was published in the Proceedings of the Privacy Enhancing Technologies Symposium (PETS).

In 2015, we upgraded the project with a new feature: tracker blocker testing. Millions of Internet users are using privacy add-ons and other tools to block trackers, including tools like AdBlock, Ghostery, and Disconnect. But how well do these add-ons actually protect users from invasive tracking?

Our new version of the project, rebranded and launched in 2020 as Cover Your Tracks, researches both how unique your browser is and how effective tracker blockers are. We analyze how well you are protected against online tracking by checking the privacy protections you have in place. The test simulates loading of various types of trackers, and determines your level of protection based on if the trackers load or not.

Even if your privacy add-ons are working well, you may still be vulnerable if your browser fingerprint is unique. So we also analyze the uniqueness of your browser and let you know how it stacks up to other visitors we’ve observed recently. We generate a report about your tracker protections and browser fingerprint for your own use, and we’ll use anonymous results from your test when generating uniqueness results for others when they take the test.

Methodology

The results of Cover Your Tracks use several simulated tracking domains to trigger tracker blockers. Some blockers (such as Adblock Plus or Ghostery) are triggered by URL parameters that match ads or tracking beacons. Other blockers (such as AdAway or Disconnect) match on a per-domain basis, and we strive to have our test domains included in such tools’ lists. Still other blockers (such as our own Privacy Badger) use a heuristic approach, blocking the inclusion of trackers by detecting their use across domains.

In order to detect these different approaches, we have simulated tracking that triggers all three types of blocking. The Cover Your Tracks site generates third-party requests like:

https://trackersimulator.org/?action=tracking_tally&ad_url=123456
https://eviltracker.net/?action=tracking_tally&trackingserver=123456
https://do-not-tracker.org/?action=tracking_tally&random=123456

Each of these URLs attempts to set cookies, and is loaded from three first party domains in order to trigger heuristic blocking.

The first URL simulates tracking by a visible ad (if the ad is blocked, the test passes); the second simulates a non-visible tracking beacon (if the beacon is blocked, the test passes); and the third interaction with a domain that has implemented the Do Not Track Policy (if the domain’s scripts are unblocked, the test passes).

If the simulated ad or beacon trackers load, but with their cookies blocked, those results are reported as “partial protection”, since the site doesn’t get an easy unique identifier, but tracking by IP addresses and other means remain possible.

In addition to tracker blocking, Cover Your Tracks measures the uniqueness of your browser. We anonymously log the following information, and compare it to a database of many other Internet users' configurations that we’ve observed recently:

  • The user agent string from each browser
  • The HTTP ACCEPT headers sent by the browser
  • Screen resolution and color depth
  • The Timezone your system is set to
  • The browser extensions/plugins, like Quicktime, Flash, Java or Acrobat, that are installed in the browser, and the versions of those plugins
  • The fonts installed on the computer, as reported by Flash or Java.
  • Whether your browser executes JavaScript scripts
  • Yes/no information saying whether the browser accepts various kinds of cookies and "super cookies"
  • A hash of the image generated by canvas fingerprinting
  • A hash of the image generated by WebGL fingerprinting
  • Yes/no whether your browser is sending the Do Not Track header
  • Your system platform (e.g. Win32, Linux x86)
  • Your system language (e.g. en-US)
  • Your browser's touchscreen support

Then, we generate a uniqueness score — letting you see how easily identifiable you might be as you surf the web. Here’s more information on how this score is derived.

What is fingerprinting? What does it mean if my browser is unique?

“Browser fingerprinting” is a method of tracking web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies.

Browser fingerprinting is both difficult to detect and and extremely difficult to thwart.

When you load a web page, you will automatically broadcast certain information about your browser to the website you are visiting — as well as to any trackers embedded within the site (such as those that serve advertisements). The site you are visiting may choose to analyze your browser using JavaScript, Flash and other methods (just like Cover Your Tracks does). It may look for what types of fonts you have installed, the language you’ve set, the add-ons you’ve installed, and other factors. The site may then create a type of profile of you, tied to this pattern of characteristics associated with your browser, rather than tied to a specific tracking cookie.

If your browser is unique, then it’s possible that an online tracker can identify you even without setting tracking cookies. While the tracker won’t know your name, they could collect a deeply personal dossier of websites you visit.

Deleting your cookies won’t help, because it’s the characteristics of your browser configuration that are being analyzed. Read our suggestions to help defend against browser fingerprinting.

What is Do Not Track? Why would I want to unblock ads that respect Do Not Track?

Every time your computer sends or receives information over the Web, the request begins with some short pieces of information called headers. These headers include information like what browser you're using, what language your computer is set to, and other technical details.

Do Not Track is a simple, machine-readable header indicating that you don't want to be tracked. Because this signal is a header, and not a cookie, users can clear their cookies at will without disrupting the functionality of the Do Not Track flag.

In all the major browsers, there is an easy way to tell websites that you do not want to be tracked by setting the Do Not Track header. (Do it yourself or install EFF’s Privacy Badger and we’ll turn it on for you in Chrome and Firefox.)

When websites respect the Do Not Track signal, it’s easy for users to protect themselves from online tracking. The average Internet user won’t need to remember to delete cookies, install additional privacy software, or even worry about browser fingerprinting. (link to browser fingerprinting section).

Unfortunately, most websites and online trackers — with some laudable exceptions — currently ignore the Do Not Track signal entirely.

Setting your browser to unblock ads from websites that commit to respecting Do Not Track rewards companies that are respecting user privacy, incentivizing more companies to respect Do Not Track in order to have their ads shown at all. By preserving privacy-friendly ads, sites that rely on advertising funding can continue to thrive without adjusting their core business model, even as they respect users’ privacy choices.

Over time, we believe we can shift the norms on the Web to ensure privacy and respect for users comes first. But that can only happen if online advertisers are incentivized to respect user choices.

You can help us by installing EFF’s Privacy Badger.

Is it possible to defend against browser fingerprinting?

Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal. In practice, the most realistic protection is using the Tor Browser, which has put a lot of effort into reducing browser fingerprintability. For day-to-day use, the best options are to run tools like Privacy Badger or Disconnect that will block some (but unfortunately not all) of the domains that try to perform fingerprinting, and/or to use a tool like NoScript for Firefox, which greatly reduces the amount of data available to fingerprinters.

For more information on how to protect yourself against fingerprinting, visit our learning page.