You're concerned about your online privacy, and you do all the right things to keep from being tracked around the Web: purge your cookies regularly, clean out Flash "supercookies," even switch to browsers like Browzar, which lets you "search and surf the web without leaving traces on your computer." Doesn't matter—your browser is giving you away.

Browsers can offer a window into a computer. The browser's "user-agent string" is visible to websites, for instance. So are "HTTP ACCEPT" headers. And it's simple to infer whether cookies are being blocked. In browsers with JavaScript running, it's easy for websites to discover screen resolution, a list of all browser plugins, and the user's timezone. Throw in Flash, and it's possible to grab a complete list of system fonts.

Taken together, these bits of data produce a unique "fingerprint" that works even in the absence of cookies or other traditional Web tracking tools. The Electronic Frontier Foundation, concerned about the issue, has just wrapped up its own study (PDF) on browser fingerprinting, and it finds that even the privacy-conscious have made themselves simple to track.

Of the 470,161 browsers that participated in EFF's Panopticlick project, 83.6 percent had an "instantaneously unique fingerprint." Browsers with Flash or Java installed could be uniquely identified 94.2 percent of the time. When one considers that "privacy conscious users" were over-represented in Panopticlick, these are surprising numbers.

Even the attempt to go stealthy could paradoxically make one more unique, and thus easier to track. According to the EFF paper, "many kinds of measures designed to make a device harder to fingerprint are themselves distinctive unless a lot of other people also take them." Thus, the seven Browzar users in the survey pools were all easy to pick out.
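The uniqueness figures and the stealth-browser paradox above can be measured on any sample of browser attributes. The Python sketch below is an added example, not code from EFF or Panopticlick; the sample records and the browser name StealthBrowser are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample, not survey data: (user_agent, tz_offset_min, plugins, screen)
SAMPLE = (
    [("Firefox/3.6 Windows", -300, "flash,java", "1280x1024")] * 4
    + [("Firefox/3.6 Windows", -300, "flash", "1280x1024")] * 2
    + [("MSIE 8.0 Windows", 0, "flash,java", "1024x768")] * 3
    + [("Safari/4 Mac", -480, "flash,quicktime", "1440x900")]
    + [("Firefox/3.6 Linux", 60, "flash,java,vlc", "1680x1050")]
    # Hypothetical rare "stealth" browser that reports no plugins at all.
    + [("StealthBrowser/1.0", -300, "", "1280x1024")]
)
STEALTH = SAMPLE[-1]

def surprisal_bits(count, total):
    """Bits of identifying information in a value seen count times out of total."""
    return -math.log2(count / total)

def unique_fraction(records):
    """Share of browsers whose full fingerprint appears exactly once."""
    counts = Counter(records)
    return sum(1 for r in records if counts[r] == 1) / len(records)

def anonymity_set(records, target):
    """How many browsers in the sample share the target's full fingerprint."""
    return Counter(records)[target]

def attribute_bits(records, index, value):
    """Surprisal of one attribute value, e.g. index 0 for the user agent."""
    counts = Counter(r[index] for r in records)
    return surprisal_bits(counts[value], len(records))

def attribute_entropy(records, index):
    """Shannon entropy of one attribute: its average surprisal over the sample."""
    counts = Counter(r[index] for r in records)
    n = len(records)
    return sum(c / n * surprisal_bits(c, n) for c in counts.values())

if __name__ == "__main__":
    print(f"unique fingerprints: {unique_fraction(SAMPLE):.0%}")
    for i, name in enumerate(("user_agent", "timezone", "plugins", "screen")):
        print(f"{name:10s} entropy {attribute_entropy(SAMPLE, i):.2f} bits")
    # Hiding plugins does not help: the rare user agent alone singles this browser out.
    print("stealth UA bits:", round(attribute_bits(SAMPLE, 0, STEALTH[0]), 2))
    print("common UA bits: ", round(attribute_bits(SAMPLE, 0, "Firefox/3.6 Windows"), 2))
```

In this sample the stealth browser's user agent alone carries more identifying bits than the common user agent does, which is why a measure only protects its users once enough people adopt it to form a large anonymity set.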

For systems that rely on tracking cookies, fingerprints can be used to bake new cookies for users who have deleted theirs, making cookie tracking that much harder to eliminate. And the EFF found that making tweaks to one's browser in the hope of altering a fingerprint was largely futile—algorithms could correctly decipher most fingerprint changes over time.

Does anyone really use "browser fingerprints" to track online surfers? Probably, but it's hard to know. Such tracking leaves no traces on the user machine (as a cookie would), and the companies that traffic in such practices aren't known for trumpeting them loudly. Back in February, though, we did speak to one firm that already uses JavaScript to gather biometric markers like typing cadence during password entry—input the same password in a different typing rhythm and the system can detect another user.

According to EFF, "There are several companies that sell products which purport to fingerprint web browsers in some manner, and there are anecdotal reports that these prints are being used both for analytics and second-layer authentication purposes. But, aside from limited results from one recent experiment, there is to our knowledge no information in the public domain to quantify how much of a privacy problem fingerprinting may pose."

A few things helped maintain anonymity: blocking JavaScript, using add-ons like TorButton, and browsing on "certain types of smartphone."

As for the policy implications, EFF argues that "policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms."