


FREE Internet Security & Privacy Enforcement Resources
brought to you by Gibson Research Corporation


The Composition of EarthLink's
Custom Browser Token

Are users of EarthLink's web browser receiving a unique tag
so that they can be tracked and identified — without
cookies — anywhere they go on the Internet?

Background
Over the weekend of March 17th, 2001, the combined efforts of a team of researchers operating through the newsgroups at grc.com revealed that users of EarthLink's web browser were apparently receiving a persistent and unique "tag" which would be presented to every web site, web advertiser, and web tracking bug their browser came into contact with. This concerned us greatly.

Here's a sample provided by one user:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT)
::ELNSB50::0000811505000400029802c3000000000505000b00000000

To see additional samples of these EarthLink browser tags which appear to be following their users around the Internet, simply use your favorite Internet search engine to search for the string ELNSB50. Click here to see what GOOGLE finds. You will quickly see that tens of thousands of users have been tagged and are apparently leaving trails of their activities.

We were EXTREMELY concerned about this because it could have represented a persistent, cross-domain, "super-cookie", which would provide a robust and reliable means for third-parties to track the movements of EarthLink's users across the Internet. Unlike traditional browser cookies which are only presented to the domain which "set" them, this super-cookie, added to the traditional "HTTP User-Agent" header, would require no "domain name match", it would be sent ubiquitously with every Internet request made by the browser, and it would be sent regardless of the browser's deliberate privacy and cookie settings.

Clearly an alarming cause for concern and attention.

A False Alarm
When we brought our concerns over this to the attention of the industry, EarthLink quickly stepped up to explain exactly what was going on with their custom browser tag.

(It turns out that this issue had been raised a number of times in the past by various persons and within various forums in the PC industry, but for some reason it was never brought to a final resolution. It has been now.)

EarthLink explained that this scary looking "serial number like" tag was actually a composite of information gained from various characteristics of the user's computer and their Internet connection. The 48-character token is a concatenation of the hexadecimal values of the following parameters from the user's machine:

   Field Name     Bit Length         Purpose
----------------  ----------  -----------------------
reserved:             14      future growth
monitorDepth:          8      monitor bit depth
browserFontSize:       3      font, small to large
connectionSpeed:       3      one of 4 categories
connectionType:        4      modem, high speed, etc.
monitorHorz:          16      horizontal area
monitorVert:          16      max vertical area
browserViewHorz:      16      views horizontal area
browserViewVert:      16      views vertical area
popID:                32      numerical POP ID
programVersion:       32      version that sent this
reserved:             14      future growth

This data layout completely matches all of the evidence we observed over the weekend. And the fact that this token contains the browser's current horizontal and vertical viewport (window) sizes, resolves the biggest mystery we were facing:

Some data near the middle of the tag was not changing often, but it WAS changing sometimes. It appeared to be an "installation serial number" of some sort because it DID change whenever we uninstalled and reinstalled the browser. Now we know that this occurred because the browser "remembered" its own window size and returned to it when it was restarted or after restarting the system — so those numbers were relatively static. But after removal and reinstallation, the user would naturally "stretch" the browser window to a slightly different initial size, thus creating the effect of a new "serial number."

Oops.

So, What do we know about the guy whose
EarthLink browser tag was captured above?

Breaking the tag into field regions yields:

0000811 5 0500 0400 0298 02c3 00000000 0505000b 00000000

And laying this back into EarthLink's template reveals:

   Value      User's Machine Property
 ---------   --------------------------
     --      not used
     32      bits per display pixel
      2      browser font size
      1      connection speed
      5      connection type
   1280      display horz resolution
   1024      display vert resolution
    664      browser window horz width
    707      browser window vert height
      0      dial-up pop ID
 5.05.11     EarthLink browser version
     --      not used

So . . . we know that this guy was using a nice display with 32-bit color and a resolution of 1280 by 1024. His browser window occupied a little more than half of his screen's width and about 3/5ths of its height. He was not a dial-up user, probably connecting through DSL or cable modem, and he was using the latest version of EarthLink's software, v5.05.11.
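
The hand decoding above can be reproduced mechanically. The Python below is an added example, not code from GRC or EarthLink; it applies the published field widths to the sample tag. It makes two assumptions: the bits left over after programVersion (32 in the 48-character sample) are treated as the trailing reserved field, and the version word is split 8/8/16 bits to match the 5.05.11 reading above.

```python
import re

# Field widths in bits, in transmission order, from the layout table on this page.
LAYOUT = [
    ("reserved", 14), ("monitorDepth", 8), ("browserFontSize", 3),
    ("connectionSpeed", 3), ("connectionType", 4), ("monitorHorz", 16),
    ("monitorVert", 16), ("browserViewHorz", 16), ("browserViewVert", 16),
    ("popID", 32), ("programVersion", 32),
]
TOKEN_RE = re.compile(r"::ELNSB50::([0-9a-fA-F]{48})")

# The sample header quoted on this page, joined onto one line.
SAMPLE_HEADER = ("User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) "
                 "::ELNSB50::0000811505000400029802c3000000000505000b00000000")

def decode_tag(header):
    """Decode the ELNSB50 token in a header line; return None if no token is present."""
    m = TOKEN_RE.search(header)
    if m is None:
        return None
    hexstr = m.group(1)
    total_bits = len(hexstr) * 4          # 48 hex digits -> 192 bits
    value = int(hexstr, 16)
    fields, pos = {}, 0
    for name, width in LAYOUT:            # walk the bit string from the left
        shift = total_bits - pos - width
        fields[name] = (value >> shift) & ((1 << width) - 1)
        pos += width
    # Assumption: everything after programVersion is the trailing reserved field.
    fields["reservedTail"] = value & ((1 << (total_bits - pos)) - 1)
    # Assumption: version packed as major(8) / minor(8) / build(16) bits.
    v = fields["programVersion"]
    fields["programVersionText"] = "%d.%02d.%d" % (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)
    return fields

if __name__ == "__main__":
    for name, val in decode_tag(SAMPLE_HEADER).items():
        print("%-20s %s" % (name, val))
```

Run against request logs, the same function shows how much of each tag is stable per machine (display size, bit depth, version) and how much drifts (window size), which is what makes the tag usable as a "fuzzy" profiling signal rather than a serial number.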

What Does It Mean?
It means that EarthLink's custom browser tag was designed to broadcast those bits of information to the world. Since they were encoded in a non-standard, not previously published, and non-obvious format, the tag was clearly meant for EarthLink's private internal consumption.

(It is, however, perhaps unfortunate that every web server on the planet is sent this information for every request made by any EarthLink user.)

But, it also certainly means that this is not a deliberately nefarious "unique ID tag" designed for tracking users around the Internet. It could best be described as "relatively static but not unique." And now that we know exactly what all the little bits mean, the entire world knows how to read and interpret it.

What Does EarthLink Say?
EarthLink's Vice President & Chief Privacy Officer and I have swapped eMail and chatted on the phone. (Happily, this was a much nicer conversation than those I had with Real Networks' privacy officer last year.) In addition to providing the tag field layout shown above, Les Seagraves brought up these additional points:

They do not currently, and never have, used this information in any way.
They plan to someday use this information to tailor their web site presentations to best match the user's environment.
They would not ever use this information to identify an individual user or for any other purpose than to deliver a customized web site.
They are considering proposing this header structure as an optional enhancement to the public HTTP specification.

What is Your Browser Transmitting?
Whether or not you are using an EarthLink browser, you are welcome to use a feature of our second-generation ShieldsUP! system to examine the "HTTP Request Headers" being sent by your browser. Keep an eye out for anything that looks like a "serial number" which your browser might be transmitting over the Internet with every request it issues.

Click the link below for ShieldsUP!, click the "Proceed" button to enter, then select "Browser Headers" from the ShieldsUP! Services menu:

Use our ShieldsUP! system to
Check Your Browser's Headers



So There You Have It

Users of EarthLink's custom web browser are sending this data-tag to every web server their browser touches for any reason. Some people might argue that any information leakage from their browser should be avoided, whereas others would shrug and figure that they have bigger things to worry about.

I would prefer not to use a browser that sends out unnecessary — and never used — information about my system's configuration, but we all know that I'm pretty much a knee-jerk privacy fanatic, so you should certainly decide for yourself.

The only possible negative I could imagine about what EarthLink's browser is doing, by providing additional system-level information about its users, would be that Internet tracking companies could, theoretically, incorporate this data into their profiling databases as one more "fuzzy-logic tag" for helping to confirm the identity of an otherwise anonymous web and Internet user.

At least now you have all the facts, so you can make an informed decision. A puzzle has been solved, and this bit of a wild goose chase over the weekend has resulted in a deeper understanding about what's going on as we surf the web.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: Nov 24, 2003 at 12:17