The Web was designed to be anonymous, at least when users wanted it to be. But one essentially unavoidable privacy hole when you’re using the Internet is your browser’s user agent string, which sites can use to identify and track you even if you disable cookies and the like.
Every Web browser has a user agent string. When a browser communicates with servers over the HTTP protocol — which happens basically every time you open a Web page, and sometimes even just when you use certain apps — it transmits the user agent string. The string contains information about your browser and computer configuration.
In theory, this data serves the perfectly benign purpose of making it easier for websites to tailor themselves to your particular needs. User agent strings are why, when you visit a site from a tablet or phone, you often get the “mobile” version of the site, with a layout designed for devices with smaller screens. Similarly, user agent strings make it possible for a site to know which operating system you’re using so that, if you try to download an installer for a program, it automatically delivers one for your platform, rather than requiring you to select the right one on your own.
But with convenience comes a privacy price. Because the user agent string details which operating system, Web browser and other software you are using — including in many cases the exact versions — it can make you stand out from other people. And that can become a way for sites to track you, even if you disable cookies and other identifying information.
That’s especially true if you have an uncommon computer configuration, which, paradoxically, is likely to happen if you’re someone concerned about privacy. If you browse the Web using Windows 7 (which remains the most popular edition) in the latest version of Internet Explorer, you’ll look like a lot of other users. But if you use, say, a customized version of Linux that is designed to help make you more private, you’re going to stand out from the crowd, because only a small minority of Web users run Linux.
User Agent Spoofing
Fortunately, like MAC addresses, user agent strings are easy to spoof — which means changing them to say whatever you want them to say, whether or not it accurately describes your computing configuration. If you use Firefox or a browser based on it, you can spoof your user agent string by installing an extension. Chrome comes with a user agent changer built in.
To keep yourself private, use a spoofer to change your user agent string to something popular, like the Windows 7/IE setup mentioned above. If you wanted, you could even experiment with masquerading as a Web crawler rather than a browser, although some sites may not work well that way.
To test how unique your user agent string and other advanced browser settings make you, you can take advantage of the Electronic Frontier Foundation’s Panopticlick tool.
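The effect of an uncommon configuration, and of spoofing a popular one, can be measured on a small scale. The Python sketch below is an added example, not part of the original article or of the EFF tool; the visitor list is constructed sample data and the function names are hypothetical. It reports how many visitors share each user agent string and how many bits of identifying information the string carries, then repeats the measurement after the lone Linux visitor spoofs the Windows 7/IE string.

```python
import math
from collections import Counter

# Constructed sample data: one User-Agent header per visitor, as a site could log it.
IE11_WIN7 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME_WIN7 = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36")
LINUX_FF = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
VISITORS = [IE11_WIN7] * 12 + [CHROME_WIN7] * 3 + [LINUX_FF]


def identifiability(user_agent, population):
    """Return (anonymity_set_size, bits) for one visitor's string.

    bits = -log2(share of the population sending the same string): 0 bits
    means everyone looks alike, log2(len(population)) means the visitor is unique.
    """
    counts = Counter(ua.strip() for ua in population)
    same = counts[user_agent.strip()]
    if same == 0:
        raise ValueError("the visitor's own string must be part of the population")
    return same, -math.log2(same / len(population))


def spoof(population, real, fake):
    """Population as the site sees it after ONE visitor swaps `real` for `fake`."""
    changed = list(population)
    changed[changed.index(real)] = fake
    return changed


def report(population):
    """Rows of (count, bits, user_agent), rarest (most trackable) first."""
    rows = [(*identifiability(ua, population), ua) for ua in set(population)]
    return sorted(rows)


if __name__ == "__main__":
    for count, bits, ua in report(VISITORS):
        print(f"{count:3d} visitors  {bits:5.2f} bits  {ua}")
    after = spoof(VISITORS, LINUX_FF, IE11_WIN7)
    print("Linux user after spoofing:", identifiability(IE11_WIN7, after))
```

The user agent string is only one of the signals such a test combines, so a low figure here does not by itself mean the browser as a whole blends in.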