
Panopticlick - kick
https://panopticlick.eff.org/
======
danShumway
Interesting counterpoint to people who claim that turning off Javascript is
just another data point. I use Firefox with a decent amount of tracking
protection turned on. With Javascript, I leak about 16 bits of identifying
information. Without, I leak about 7.

You want to take that with a grain of salt, because I don't think Panopticlick
is a perfect tool to measure this stuff. For one thing, I suspect that
Panopticlick is highly influenced by the people who visit it -- being posted
on HN probably means there are more data points for me to hide in than usual.

For the other thing, there are measurements that Panopticlick doesn't include,
and there's no way for Panopticlick to track disinformation and false data.
For example, you could still get my screen size without Javascript via just
CSS. Are most tracking sites doing that? No, it would be a massive pain to do,
and it would force you to ship giant CSS blobs everywhere. But it's still
possible.

But, this does still strengthen my conviction that turning off Javascript by
default _probably_ helps avoid tracking on most sites, and it's surprisingly
feasible to do. A lot of content sites work without Javascript.

I recommend UMatrix if you want to go down that route, since it lets you
create very precise exceptions relatively easily when you need them.

~~~
stiray
I agree, panopticlick is not really good as a measuring point. I am
randomizing most of the metrics it is using and even if it detects my browser
as unique, this will always be true as my data are fake and randomized each
time a browser tab is opened. Sure you can track me for the time the tab is
alive, but on the next visit, the results are going to be 90% different
(including webgl fingerprinting) and there is no way it could correlate me with
my previous visit. For it I am always a new visitor, never seen before. I could
try to blend in, but why?

Another thing is "not blocking sites that honor DNT". I am sorry but I don't
trust anyone, based on the fact that web users have been lied to just too many
times. Once DNT is tied to hefty fines, I might reconsider; until then
everything will be blocked.

(And it is highly tasteless that eff is offering links to promote panopticlick
on the worst web tracking facilities of the internet - fb, google+ and twitter.)

~~~
kokx
Please tell me that there is an extension with which you randomize this data?
I want it as well!

~~~
OrgNet
That'd be nice, but I don't think that there is one, so I don't think that he
is doing what he is claiming.

------
glandium
"Does your browser unblock 3rd parties that promise to honor Do Not Track?"

"No" comes with a red X like if it's a bad thing, but... Is it?

~~~
saagarjha
It's not, hence the push from browsers to remove Do Not Track.

~~~
temp128349
Really? Firefox now enables the DNT header by default. If all Firefox users
have DNT enabled, then it can't be used as a data point.

I don't like DNT, and I don't like that the EFF pushes for it. Users shouldn't
have to ask to not be tracked - websites should respect your privacy by
default, and if they don't, users should take control with tools such as
uBlock Origin.

Also, privacy means different things to different people. Two of the most
privacy advocating websites in existence, eff.org and privacytools.io, think
it's OK to collect anonymous stats on site usage. Yet the authors of
EasyPrivacy (a filterlist enabled by default in uBlock Origin) make no
exceptions and block both of those sites from collecting data.

~~~
saagarjha
Safari has removed it, as websites wouldn’t respect it.

------
TooCreative
"17.63 bits of identifying information" for me.

Strange that they do not make use of the fact that browsers leak your local
IP:

[https://browserleaks.com/webrtc](https://browserleaks.com/webrtc)

This is one of the most glaring privacy holes built right into browsers.

On the other hand, I am surprised they correctly identify my "platform" as
"Linux x86_64", even though I used a Windows user agent. How do they do that?

Also: What does the "Share on Google+" button do? It prompts me to log into
Google. What would happen if I do?

~~~
gruez
>On the other hand, I am surprised they correctly identify my "platform" as
"Linux x86_64". Even though I used a windows user agent. How do they do that?

probably because your user agent faker only fakes the http header and not the
javascript environment.

try printing out the value of navigator.userAgent or navigator.platform in the
developer console.

~~~
TooCreative
Aha, it is in navigator.platform!

There is even more stuff in navigator that should _not_ be accessible to the
website. For example, how much RAM my machine has in navigator.deviceMemory,
how many CPU cores in navigator.hardwareConcurrency, and so on.
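The check gruez suggests, written out as an added example (not code from the thread): it reads the navigator fields named above from a navigator-like object and flags the mismatch between the OS a User-Agent header claims and what navigator.platform reports. SAMPLE_NAV is a constructed object mirroring a faked Windows user agent on a Linux machine; in a browser console you would pass `navigator` instead.

```javascript
// Added example, not from the thread: what a page can read from the
// navigator object, plus the consistency check gruez describes (User-Agent
// header faked by an extension, JavaScript environment left untouched).
// `nav` is any navigator-like object; in a browser console pass `navigator`.
// SAMPLE_NAV is a constructed object, not captured from a real browser.

const SAMPLE_NAV = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
             "(KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36",
  platform: "Linux x86_64",
  hardwareConcurrency: 8,
  deviceMemory: 8,          // Chrome only; Firefox and Safari do not expose it
  language: "en-US",
  languages: ["en-US", "de"],
};

// OS family a User-Agent string claims. iPhone is checked before "Mac OS X"
// because iOS user agents contain "like Mac OS X"; Android user agents
// contain "Linux", matching the "Linux ..." platform Android reports.
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "Windows";
  if (/iPhone|iPad/.test(ua)) return "iOS";
  if (/Mac OS X/.test(ua)) return "macOS";
  if (/Linux/.test(ua)) return "Linux";
  return "unknown";
}

// OS family from navigator.platform, which header-only UA fakers leave alone.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return "Windows";
  if (/^iPhone|^iPad/.test(platform)) return "iOS";
  if (/^Mac/.test(platform)) return "macOS";
  if (/^Linux/.test(platform)) return "Linux";
  return "unknown";
}

// True when the header story and the JavaScript environment agree.
function userAgentConsistent(nav) {
  return osFromUserAgent(nav.userAgent) === osFromPlatform(nav.platform);
}

// Hardware and locale details readable without any permission prompt.
function collectLeaks(nav) {
  return {
    platform: nav.platform,
    cores: nav.hardwareConcurrency,
    memoryGiB: nav.deviceMemory,   // undefined where the browser hides it
    languages: (nav.languages || [nav.language]).join(","),
    uaConsistent: userAgentConsistent(nav),
  };
}

console.log(collectLeaks(SAMPLE_NAV));
```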

~~~
jammygit
I can see the use for that information, but I don’t like it being broadcast
like that

~~~
jdnenej
The value of it is very high since it allows download pages to show you the
correct info for your OS.

------
proactivesvcs
Using the CanvasBlocker and WebRTC Control add-ons with Firefox means that the
two most unique information points the test extracts from my browser, the hash
of canvas and WebGL fingerprints, which are unique for 1 in 200,000 users,
changed each time I run the test. Presumably it ought to run several times to
check that the data it receives is the same for each test run. I don't
currently have a UA switcher, but those would also help reduce the uniqueness
of data points only across multiple tests.

~~~
motohagiography
Between the hash of the canvas fingerprint, and the hash of the webgl
fingerprint, unique identification seems inescapable. The reason I don't run
additional plugins is because (at least conceptually) the plugin presence
itself would be identifying. Given you only need a few relatively low entropy
data points (or one or more highly diverse ones) for a huge likelihood of
linking a given browser between sites, identifying the presence of any
identifiable plugins at all should be sufficient with another factor to ID
someone.

If I were running 3rd party javascript in multiple places, I could build a
pretty unique personal profile of someone. If I were looking for technical
people using Tor, even more so.

I'm not in ad tech, so am naive to this. The biggest myth on the internet is
that nobody actually cares enough to watch what you in particular are doing,
when in fact, this changes from nothing to almost total prediction of consumer
and political behaviour as soon as someone at a platform company becomes
interested.

~~~
dillondoyle
Now that canvas, webgl and audio are starting to get blocked, the most creative
solution I have seen so far is css3 transforms with long floating point
numbers; it seems to create unique values for bounding boxes etc! I spend too
much time with fingerprinting because I find it fascinating.

Also, maybe sad to point out, something far worse if someone chose to track you
specifically: if one were to get bid stream data (or even a 1% sample), they
would see virtually every website you visit. Sure, your cookie/ip/geo/ua etc.
are less entropy than a JS fingerprint (though a 1st party google cookie surely
knows who most are). This exposes the very core of who you are, what porn you
watch and everything.

------
foreigner
I laughed out loud when I saw the buttons to share my results on
Facebook/Twitter/Google+

~~~
pfundstein
"What butt-- oh they're blocked."

------
wumms
After a couple of reloads it finally got stuck on
[https://trackersimulator.org/tracker-reporting-nojs](https://trackersimulator.org/tracker-reporting-nojs)
which seems to be offline. I'm on Firefox 70 with NoScript defaults (all
blocked) for panopticlick.eff.org.

EDIT: Whoops, I had it blocked in /etc/hosts:

    # [EFF Tracker Detection]
    0.0.0.0 trackersimulator.org
    0.0.0.0 eviltracker.net
    0.0.0.0 do-not-tracker.org

(still, I had to allow scripts for eff.org to see the results)

~~~
alpaca128
In my case it wasn't blocked by the hosts file (the test ran fully in another
browser), but uBlock decided to step in and block access. Can't complain.

------
greggman2
Panopticlick is hyperbole. Yes you can be tracked and you should be worried
about it but the stats they report are not valid.

Take an iPhone10 in California and visit the site. They'll tell you you're one
in a million or one in 500k people.

All iPhone10s have exactly the same signature. The only differences at most
are region settings and time zone. If you're in California those are likely
the same for 95%? 90%? 80%? It doesn't matter to my point.

How many iPhone10s are there in that time zone? I think there are like
55 million people in that time zone (Seattle + Portland + Bay Area + Los
Angeles + San Diego). How many of those own an iPhone10? Let's be what I
think is conservative and pick 1 million. Now compare that number to the
number you get from panopticlick and you'll see their stats are off by several
orders of magnitude.

Their excuse is they don't get that many visitors, but it's only useful to
track you on popular sites with lots of visitors. If you go to a site with few
visitors then you're already unique. Any site with lots of visitors will have
lots of iPhone10 users in the same time zone with the same region settings and
so tracking you is much harder.

Of course I'm not saying you shouldn't be worried about tracking, and if you're
on Windows/Linux/Mac/Android your device is likely much more unique. My only
point is that it exaggerates: given that there is popular hardware that has the
same signature, it should be reporting different numbers for those devices.

~~~
bowmessage
> All iPhone10s have exactly the same signature.

Not quite, this varies depending on the browser app used, zoom level set,
language set, other accessibility settings, etc. etc.

~~~
gruez
>Not quite, this varies depending on the browser app used

Most users either use safari or chrome. Maybe 2 bits of entropy at best.

>zoom level set [...] other accessibility settings, etc. etc.

95% (random guess) of users don't have these changed from the default because
they don't have vision problems or other accessibility needs.

>language set

The parent post said it was in California, so en-US is a pretty safe
assumption.

~~~
bowmessage
[https://www.worldatlas.com/articles/the-most-spoken-languages-in-california.html](https://www.worldatlas.com/articles/the-most-spoken-languages-in-california.html)

~~~
greggman2
Good to know but irrelevant to my point.

My point was panopticlick says some iPhone10 in the PST time zone set to en-US
running Safari is one in 500k. If there are 55 million people in the PST time
zone then panopticlick is basically saying there are only 110 iPhone10s set to
en-US in all of the PST time zone. That's clearly false.
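The arithmetic the thread is arguing over, as an added example (not code from the thread or from Panopticlick): Panopticlick's "bits of identifying information" per attribute are -log2 of the fraction of its own visitors sharing your value, the attributes' bits add only if they are independent, and greggman2's 55 million / 500k check is just population divided by "one in N". The fractions in SAMPLE_IPHONE are constructed from gruez's rough estimates above, not measured values.

```javascript
// Added example, not from the thread: the arithmetic behind Panopticlick's
// "bits of identifying information" and the population sanity check
// greggman2 makes above. Panopticlick reports, per attribute, the fraction
// of its own visitors sharing your value; the bits are -log2(fraction).
// The fractions below are constructed sample values, not Panopticlick output.

function surprisalBits(fraction) {
  if (!(fraction > 0 && fraction <= 1)) {
    throw new RangeError("fraction must be in (0, 1]");
  }
  return -Math.log2(fraction);
}

// Bits needed to single out one person among `population`: the score at
// which a fingerprint becomes unique in that population, not just among
// Panopticlick's visitors.
function bitsToBeUnique(population) {
  return Math.log2(population);
}

// Sum of surprisals, which is the combined score only if the attributes are
// independent. They rarely are (user agent, platform and fonts move
// together), so this is an upper bound on real identifying power.
function combinedBits(fractions) {
  return Object.values(fractions).reduce((sum, f) => sum + surprisalBits(f), 0);
}

// Expected number of people in `population` sharing a fingerprint that
// Panopticlick rates as "one in N" of its visitors, e.g. 55 million / 500k.
function expectedSharers(population, oneInN) {
  return population / oneInN;
}

// Constructed values for an iPhone user, following gruez's estimates:
// browser family about 2 bits, default zoom/accessibility, en-US in California.
const SAMPLE_IPHONE = {
  browserFamily: 0.25,   // "Safari or Chrome": about 2 bits
  accessibility: 0.95,   // default settings
  language: 0.5,         // en-US among the visitors
  timeZone: 0.1,         // Pacific time among the visitors
};

console.log(`combined bits: ${combinedBits(SAMPLE_IPHONE).toFixed(2)}`);
console.log(`bits to be unique among 55M people: ${bitsToBeUnique(55e6).toFixed(2)}`);
console.log(`people in 55M sharing a 1-in-500k print: ${expectedSharers(55e6, 5e5)}`);
```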

------
oxguy3
Dang it. I noticed that my user agent was one of the biggest identifiers for
me (1 in 200 users), and I realized it was because I was still on Chrome 76
while most users were on Chrome 77. So, I finally restarted my browser to
allow the update to happen.

Well, apparently I leap-frogged to Chrome 78, which even fewer people are on.
Now my user agent is shared by just 1 in 1400 users, and my fingerprint went
from nearly-unique to unique. Go figure. :P

~~~
pbhjpbhj
How does the UA string having the exact browser version number in it help the
user? I'm guessing it doesn't; shouldn't the UA just say "Chrome"? I guess it
serves Google well though.

~~~
Dumbdo
It's helpful in web development; it allows you to target specific browser
versions. For example, if I use a new feature on my website which is only
supported by recent browser versions, I can inform the user about the
incompatibility and prevent complaints.

I also don't think Google needs that info, there's a million things to
criticize them for but this is a bit silly.

~~~
allannienhuis
Feature detection is more reliable than version checking, as it can more
correctly support a wider range of browsers (that you didn't think to version-
test for). There might be some cases where that's tricky, but it's generally
straightforward. Tools like [https://modernizr.com/](https://modernizr.com/)
can help with that.

------
karanlyons
Oh, neat:
[https://github.com/Valve/fingerprintjs2/issues/491](https://github.com/Valve/fingerprintjs2/issues/491)

------
gorgoiler
I share a fingerprint with 1 in 25k browsers, so why do I have to worry? Is it
because of temporal analysis, which is good enough to whittle that down to
uniquely tracking me between sites?

~~~
herewego
TLDR; you can be tracked in almost all practical cases.

Temporal and spatial; when you’re browsing, where you’re browsing, and how
you’re browsing. We can predict future non-unique (unknown) browsing behavior
by training on your past unique, known, behavior. It is a common
misconception, by those that are not in adtech (e.g. your typical software
dev), that a fairly non-unique rating on sites like these will correlate with
being difficult to track (not saying this is necessarily you).

~~~
gorgoiler
I’d love to have a copy of this data about my browsing history.

I naively thought it might be buried in Google Takeout somewhere, their
facility for downloading all your data from Google.

I didn’t see it. Perhaps (1) it doesn’t legally belong to me; or (2) the
fuzziness of the fingerprint allows for sufficient deniability that the
adtracking data is actually tied to my Google account?

But I’ve certainly browsed other sites while having a Google cookie which is
pretty unambiguously identifying me, so maybe they don’t literally just don’t
have a log of which sites I’ve visited?

What adtech tracking data about me can I see?

------
Jonnax
Having multiple languages in your accept headers will make you totally unique.
Especially when combined with even just your user agent.

~~~
jeroenhd
Keep in mind that this is just about users visiting panopticlick. The
statistics don't necessarily reflect real life analytics unless the rest of
your country are also visiting this website.

Other bits of entropy are relevant though (such as canvas fingerprints etc.)

------
rrsmtz
Brave on iOS doesn’t do anything in response to clicking the test button, and
I can’t decide if that’s encouraging or disappointing.

~~~
rubyfan
Safari on iOS with BlockBear and Firefox Focus as content blockers ends up
blocking the page after I click the Test button. I tried both with real
tracker and not. Also not sure that’s good or bad?

------
nocturnial
Apparently trackersimulator.org is on the mozilla disconnect blocklist. It
prevented me from getting the final results. I'm not saying this is good or
bad but I'm a bit surprised as to why it's on there. Maybe I'm overlooking
something.

I'm running openwrt with the adblock service on my router.

------
dillondoyle
Probably in opposition to many opinions here, I think Google coming out with
IDFA for browsers and verifying against their user data for fraud (and of
course for them to sell improved targeting/fraud) would actually be better for
privacy than current system AND ad fraud/id on the buy side.

~~~
edoceo
G could make the spec, sure. But some other fully independent entity should
manage the data.

------
izacus
Apparently by far the most identifying information my browser is leaking is...
my language preference.

So I need to stop reading the internet in my native spoken language to hide
from evil tracking and only consume things in English.

That doesn't seem like progress.

------
dwd
An interesting case is Firefox Focus, which passes all the anti-tracking but
fails completely on the fingerprint, where you're totally unique (1/200000).

------
mikerg87
I tried running this test with my iPhone both connected to home wifi with a
Pi-Hole and on wireless. I received the same result. Should I be surprised?

~~~
Jonnax
What do you think is going to change about your web browser's fingerprint by
using a DNS filter list?

------
forrestthewoods
I don’t understand how my iPhone 7+ can be so identifiable. There’s a
kazillion jillion iPhones on the market.

I am disappointed :(

------
kevlar1818
Anyone have recommendations for reducing the uniqueness of the screen size and
fonts metrics?

~~~
gruez
>the uniqueness of the screen size

privacy.resistfingerprinting.letterboxing=true on firefox

~~~
ahje
Unfortunately, that still gives a far worse result than when just using a
common value like 1920x1080x24. I get that it's good to not report the exact
window size when the window's been resized, but a maximized window on a
full-HD or 1366×768 screen should be common enough to let the actual value
through.

------
tinus_hn
It navigates to different domains, that wouldn’t be acceptable in real world
scenarios.

~~~
oxguy3
I think they're doing that to test that your fingerprint remains the same
across multiple domains. They don't have to do that to fingerprint you; just
to make sure that you don't have any anti-fingerprinting going on.

------
marmaduke
Most comments here seem to be missing the point of the title, which is
excellent IMO (after Foucault's panopticon, go read Wikipedia if you don't
know what it is): just knowing you're being watched (tracked) causes behavior
to change, usually to conform to social expectations.

~~~
pmoriarty
Foucault did not come up with the idea of the panopticon. The credit for it
goes to Jeremy Bentham, who died nearly a hundred years before Foucault was
born.

~~~
marmaduke
oops indeed. I get them mixed up since I learned about them at the same time.

I still think panopticlick is an excellent title choice. Isn't it (behavioral
modification because of tracking) the real hack at work here, not just how
many bits are leaked by your browser?

------
jakeogh
Would be nice to add a DNS prefetch test.

------
dikiaap
Why put the version in the title? I thought it was a new version of
Panopticlick, but it's not. [https://archive.ph/vB3XA](https://archive.ph/vB3XA)

~~~
dang
OK, we took 3.0 out of the title above.

