
Am I Unique? - csomar
https://amiunique.org/
======
kelnos
It really bothers me that all this information is available through JS (no,
please don't suggest I disable it). Why does a website need to know the list
of installed fonts? Why can they enumerate the list of "videoinput" and
"audioinput" devices before they've asked for video/microphone permission? Why
is information about how I've set various permissions (prompt vs. allow vs.
deny) available? Exposing the visibility of menu/tool/personal/status bar is
just weird (though for me all of them say "Visible", which isn't the case, so
I guess Firefox is lying).

~~~
mnm1
I have JS turned off and still have plenty of other factors that make me
unique so it's not just JS. My question is why is the rest of the information
available / given, especially the user agent? The other headers mostly make
sense. I can see the argument to turn 'do not track' off. But user agent? I've
been making websites and apps for almost a quarter century and have never even
read of a good use for that outside the tracking industry, let alone seen a
good use of it.

~~~
jefftk
I've written code several times that relies on user agent parsing to know
whether it needs to work around a bug:

* Chrome on iOS started sending "webp" on it's Accept header when it didn't support inline webp yet.

* Firefox would take CSPs applied to same-origin IFrames and additionally apply them to the parent document.

* Edge wouldn't accept data URLs for IFrames that were more than 4096 characters.

In all of these cases the bug was eventually fixed, but we needed to work
around the bug in the meantime. UA parsing to say "if it's Edge < v76" or
whatever was the best way to do this.

~~~
heavenlyblue
Why the hell do you need data URLs for iframes?

~~~
jefftk
If you want to render untrusted content, cross-origin IFrames are a great way
to do it. A data: url gives you an cross origin context without a network
round trip and with fewer issues than using the sandbox attribute.

------
michaelhoffman
The irony in using the "Do Not Track" attribute to track users is delicious.

~~~
Nursie
That flag was hilarious and pointless from day 1.

So we're going to ask the profit-motivated bad-actors across the web to
pretty-please exempt us from your tracking because we asked nicely?

And we need to hide this away in settings and have it default-off because
otherwise how will they know we really meant it?

It's like it was designed by someone with an early 90s understanding of the
web, and no comprehension whatsoever of just how awful marketing can be.

Tracking should never be opt- _out_ in the first place, and it needs to be
fought with technological and legal measures, not silly http request flags.

~~~
TeMPOraL
It achieved something: it serves as evidence that companies absolutely need to
be beaten into submission with heavy-handed regulation of data collection,
because they can't play nice on their own.

~~~
oehpr
Honestly, I had always suspected a long term game like this was the actual
intent. The EFF wants to say "SEE? They can't claim ignorance, they know
people's intent and they're depraved in their indifference!". No one earnestly
believed this would directly enhance privacy.

But frankly, all of this is just trying to negotiate with black hats. Any
company actually acquiescing to rules for privacy will find themselves out-bid
by companies who can claim they have better data by operating outside the law.
These protocols are using the general public's privacy as sacrificial fuel to
accomplish their impossible aims. It's a whole lot of wasted effort.

I wish the EFF would figure this out, It's impossible to law away a
technological reality.

------
abjKT26nO8
I'd suspected that having JS completely disabled would make my fingerprint
more distinct, since presumably few people have it disabled. However, on
visiting the page with JS enabled I received a 100% unique fingerprint. Any
one of the following identifies me uniquely: WebGL Renderer, List of fonts
(JS), Media devices. Then there is a long list of properties which can be
sniffed with JavaScript that identify me with >99.9% accuracy. When I disable
JS, there are 108 browsers with the exact same fingerprint as mine.

That prompts me to reconsider my policy of blocking JS. Until now, I've been
blocking only third-party JS. Now I am considering blocking all JS by default.

~~~
dmje
Um..how’s your web browsing experience with no JS...?

~~~
tonyedgecombe
Fast?

~~~
neuronic
Of course it's fast if you remove any sort of functionality from the net.

~~~
account42
Mostly unwanted functionality.

------
Santosh83
Fingerprinting needs the active effort of browser vendors to tackle. Otherwise
no amount of blocking will help as it will either identify you more uniquely
or cripple browsing the web to such an extent that almost no one will opt for
it. Browser vendors should implement a resist fingerprint mode where browsers
respond with a set of standard, agreed-upon values, or completely random ones
for those that can't have a standardised value. This will probably break
browsing to some extent but not as much as the 'nuclear', disable Javascript
option that everyone suggests whenever this discussion comes up.

But of course most browser vendors don't have an incentive to resist
fingerprinting. And if only one vendor does this then the anti-fingerprinting
is likely to be less effective, as the pool of browsers is much smaller.

~~~
tln
Chrome is making user-agent non trackable (in some time)..

[https://www.zdnet.com/article/google-to-phase-out-user-
agent...](https://www.zdnet.com/article/google-to-phase-out-user-agent-
strings-in-chrome/)

I think there are actually plenty of examples where the browser vendors are
doing this.

Google gets so much free tracking from analytics, ads, and OpenID, I don't
think they really need to resist privacy oriented browser changes.

They might resist some privacy changes, idk, and are probably trailing safari
and firefox and brave etc

~~~
Angeo34
Brave is easier to fingerprint than Internet Explorer

------
darkkindness
I use Firefox on Android with NoScript and an adblocker.

Yet I'm uniquely identifiable. One culprit is screen size putting me at
<0.01%.

Does that make defeating fingerprinting on mobile hopeless for the casual
user?

Edit: more info. All JS is blocked, and I have privacy.resistFingerprinting.
The page doesn't detect my adblocker. Still, there are just too many things I
can't change:

\- hardware concurrency: 1.7%

\- audio formats: 0.2%

\- navigator properties: 0.2%

\- audio data: 0.1%

I was surprised at this one:

\- Media devices: Unique

What are media device identifiers for, exactly? Why does the browser supply it
without JS?

~~~
dorgo
If I disable Javascript (or don't enable it) I see everywhere 'NA' (except for
HTTP headers) and no similarity rates are shown. Are you sure your Javascript
is disabled?

~~~
jokoon
What is the best way to disable javascript on firefox? Is there an addon that
can whitelist certain websites to not disable javascript everywhere, while
turning it of by default?

EDIT: I just discovered ublock origin can disable js by default. Now I wish I
could change the user agent...

------
anidea01
Great idea! Targeted advertising is really upsetting. If we take it one step
further:

1\. Find out the top non-unique fingerprint [of the year.]

2\. Create a Firefox add-on (or modify Firefox source if an add-on is not
powerful enough), which uses the most non-unique fingerprint [this year.]

3\. Targeted advertising ends for those who use the plug-in/add-on.

It's a cat and mouse game as fingerprint parameters keep increasing, but I
think it's possible to win this one.

~~~
MivLives
The problem with this is the less unique you are, the more you start looking
like a bot. The more you look like a bot the more times you have to do things
to prove you aren't, like captchas

~~~
twelvechairs
This is Google's strategy to defeat privacy in a nutshell

~~~
TTPrograms
A better solution would be to scramble parts of this fingerprint for each
domain.

------
hmexx
My fonts alone makes me pretty unique it seems (<0.01%). 180 or so fonts that
the browser is happy to share with the world. Does seem a little unnecessary.

~~~
Jonnax
I can't remember which but either Firefox or Chrome only send a standard list
of fonts.

~~~
systoll
Safari does that.

Firefox has an about:config preference that would let you set up a font
whitelist yourself, but it doesn’t have a standard set.

~~~
cpeterso
Firefox's preference is "font.system.whitelist". You can specify a list of
which fonts are exposed to web content (such as the default set shipped with
your OS). The preference is used by the Tor browser.

[https://bugzilla.mozilla.org/show_bug.cgi?id=1121643](https://bugzilla.mozilla.org/show_bug.cgi?id=1121643)

Does Safari actually do something similar? On my Mac, amiunique.org reports
344 fonts in Safari, 331 in Firefox (not using "font.system.whitelist"), and
309 in Chrome.

------
Mirioron
I am unique through the useragent. Apparently Brave and Chrome both put the
device model of your phone into the useragent string. It also contains your OS
version and Chromium version. I guess those three points alone are able to
very significantly narrow you down.

~~~
asdfasgasdgasdg
I am really skeptical about the UA uniqueness fraction. I am on the latest
version of Chrome on Windows and it claims that 0.17% of the people visiting
the site have the same UA string. Mine is:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/79.0.3945.130 Safari/537.36

for what it's worth. Can it really be that only two in a thousand people
visiting the site in the last seven days have the latest version of Chrome? Or
does Chrome just update so often that very few people tend to have the same
version at any one time. (If the latter, that suggests that maybe it's not a
very strong tracking signal.) It seems more likely to me that the data is just
stale but I guess I don't know much about the true distribution of Chrome
useragents.

~~~
zuppy
Same for me, it says <0.1%

I’m using the current iPad mini, which is 10 months old, with the current os
version. I highly doubt I’m that unique.

------
mikenew
Apparently I'm the only person in the world using linux-5.4.14-zen with a
Radeon VII. Which would be kinda cool if that information wasn't being
broadcast to every site I visit.

~~~
BenjiWiebe
And I'm the only person using the materialistic app (HN reader) on Android 5.1
on a 1st gen Moto X. That I can believe...

~~~
MH15
Hello from a Materialistic on Pixel user!

------
notatoad
What does it mean when i load the test, and it says i'm unique, and then i go
back five minutes later without changing anything and it says i'm still
unique?

are they tracking that i've run the test before, verifying that i'm me, and
telling me i'm still unique, or is my fingerprint differing between two
subsequent tests?

also, i'm suspicious about some of these values - only 0.13% of people have a
querty keyboard layout? Only 7% of tests have no gyroscope? That doesn't sound
right.

~~~
cperciva
The number which seemed strangest to me is that my up-to-date pixel 3a phone
has a user agent shared with only 0.01% of browsers.

~~~
clSTophEjUdRanu
Up to date Chrome Pixel 4 here, same. I'm really the only Pixel 4 that ran
this?

~~~
skygazer
Since users of evergreen browsers will have frequently changing version number
strings, the history of snapshots of these fingerprints is time sensitive.
This serves to artificially inflate the uniqueness, as an identical device
using the same evergreen browser 1 month, or 2 week ago, will not match you
now, but would match if they revistited with their now updated browser.

To be useful, fingerprinting techniques need to somehow be robust against
always increasing version numbers of evergreen browsers in ways that this
website is not.

------
kelnos
I was surprised that being in the US Pacific time zone was only shared by
2.25% of their data set. Assuming users are evenly distributed across time
zones, it'd be 4.2%; but of course they aren't evenly distributed, and I'd
expect the west coast of the US to have a disproportionately large number of
internet users as well as people who would visit a website like this.

(Though, to be fair, they go by UTC offset, so it's only UTC-8 for a few
months of the year due to DST. That probably affects the number; maybe the
percentage is higher for UTC-7.)

~~~
Izmaki
There’s a lot more Asians/TZ than Americans/TZ

------
ggreer
Sites like this and the EFF’s panopticlick err on the side of saying you can
be tracked when that might not be true.

For example: I visited this same site a while ago with the same device, and
both times it has said I was unique. A new version of iOS came out, so my user
agent changed. Unless sites are also storing unique data on your machine
(through cookies or localstorage), browser fingerprinting is a crapshoot. This
goes double for mobile devices.

~~~
segfaultbuserr
Another unusual circumstance is when you're the first users who have just
installed the latest software update, a fingerprint testing website will
identify you as an unique user. But you won't be unique anymore within a few
days.

It happens a lot in the Tor mailing list. Often, a new major release of Tor
Browser comes out, a user is shocked by the upgrade, "OMG! I'm unique and
trackable!". Don't panic, just keep using it.

------
CapacitorSet
All the fingerprinting tools I've seen so far do not include JA3 signatures,
which in my opinion make for an interesting bit of information - they
introduce few bits of entropy since they depend on the TLS implementation, but
for the same reason they can't be easily spoofed.

Plugging in an article and demo I wrote some time ago:
[https://jwlss.pw/ja3/](https://jwlss.pw/ja3/)

~~~
GordonS
I was going to mention the lack of TCP and TLS fingerprinting too - I wonder
if those are actually used by rogue advertisers?

Also, I guess TLS fingerprints would change over time, with browser upgrades,
although I'd expect changes to be relatively infrequent.

------
cnst
> WebGL Renderer

Wait, any website knows what sort of graphics card I have?! Or how many CPUs?
That's just ridiculous!

No wonder folks can write and target exploits so perfectly nowadays! If it's
an integrated graphics, you have the processor family, easy. Wow.

Why would any random site need to know this sorts of information when all I'm
trying to do is read text and view images?

~~~
segfaultbuserr
> _when all I 'm trying to do is read text and view images? _

Often, the "images" on the web are increasingly becoming 3D graphics
dynamically generated and rendered by OpenGL on-the-fly, perhaps real-time
ray-tracing is coming soon... You can see a lot of applications of in-browser
3D graphics on data visualization websites, for example. And naturally, the
program needs these information to render graphics, but it can be repurposed
as a tracking tool.

I disable WebGL manually, and use it only when it's necessary. There are a few
plugins that allow you to manage it as well, for example, NoScript, but it's
overkill to use it just for this single task.

I think the solution should be an opt-in option. WebGL shouldn't be activated
unless the user gives the permission to a specific, first-party website.

~~~
cnst
Thanks for the idea, I just toggled the "webgl.disabled" switch in
about:config; we'll see what difference it makes; I would only assume that my
browsing will become faster now and will crash less frequently.

Is there a list of these useless things that any sane user should disable? I
already have had fonts disabled with "gfx.downloadable_fonts.enabled" toggled
away from the default; any other useless attack vectors with buffer overflows
could likewise be disabled?

~~~
mirimir
Yeah, I always disable WebGL.

I was really freaked to discover that all Debian family VMs on a given
VirtualBox host have the same WebGL fingerprint. Same for all Windows VMs, all
Red Hat family VMs, etc.

But then you can't see all the cool WebGL stuff that gets posted here.

------
wink
I switched to 30d because with browser update cycles "all time" is kinda
useless, imho.

> Content language 31.51% en-US,en;q=0.5

This is a default Firefox. I didn't change anything. Surely there's probably
only Chinese that has more users of this language?

I'm not even an American or in the US... (all time it was just below 30%, not
teal-colored, but already orange..)

Also why is the JS result for Content language 35.40%?

Whereas my list of plugins is 46.2% (higher value seems better) - but I'm
absolutely sure there's at least one uncommon one among them...

Hardware concurrency 16 is really interesting, 3.32%, probably all fellow
Ryzen users.

TLDR: Surely there are some of those properties where it absolutely makes
sense to avoid the uniqueness, but others seem a bit like bullshit metrics.

But on the other hand, my user agent (OS+Browser) = 7.37% is a really good
sign for me. I find this a very, very high percentage. (Ok, it's
Win10+Firefox, but still...)

~~~
1_player
Agreed, some of those stats are questionable.

A basic Microsoft Edge installation with en-GB content language header has a
similarity ratio of 0.18% -- really?

Java enabled: true -- 0.26%

Java enabled: false (on Brave) -- 8.75%

~~~
wolco
They make sense.

en-GB would start below 5%, having en-GB on edge means someone would have to
be using edge (under 1%) and not on the mobile for a mobile first site.

Keeping a current java version enabled is difficult. Each browser update, each
java update disables java by default now.

Could be a small Brave sample size.

------
dang
A thread from last year:
[https://news.ycombinator.com/item?id=19212123](https://news.ycombinator.com/item?id=19212123)

------
jammygit
What terrible browser design to send all that data. I would never have
imagined my computer was sending all that off 10 years ago

~~~
gowld
It's doesn't "send the data" so much as "a general purpose UI platform cannot
work unless a program knows the configuration of the UI". The idea that your
complex computing environment could have an arbitrary complex conversation
with an app, and not expose its identity, while perhaps desirable, it
impractical.

You can browser behind a generic user-agent firewall, but you'll get a
severely degraded experience that treats an Apple watch the same as a desktop
workstation.

~~~
skybrian
Standardization on only a few design variations might fix this? People would
complain about monocultures, though.

~~~
dkarras
It's not just about design. For instance there is Canvas and WebGL for
interactive content. Different GPU's draw things slightly differently. Someone
creates a canvas in the background, draws stuff, reads it back and since your
machine has a particular way of drawing things (because of GPU design,
drivers, different browser implementations of the painting stack) you can be
tracked. Same goes for audio capabilities. If you don't want multimedia, then
fine, it is slightly easier. Then the server can probably try to track you
with your upload / download speed, ping etc. They can tax your cpu to see how
fast it is. Then they get your browser width / height. Combine them and you
can be tracked pretty accurately. There are countless avenues for
fingerprinting.

~~~
skybrian
Well, sure, but at the hardware level, more standardization is possible too.
If you have a popular model of computer and it's the same as everyone else's
computer, it's hard to get much out of identifying it. This is kind of what
Apple does by offering a limited number of models.

Another approach would be to use standardized VPN's that hide client machine
differences.

There are downsides, of course. I'm not sure people care about fingerprinting
enough to do all that.

------
cle
Is there something actionable I can take based on the results of this page?
E.g. is there some Firefox add-on that obfuscates attributes used for
fingerprinting?

------
air7
Something here doesn't add up. I'm unique even on my standard Samsung S10e
with up-to-date Chrome or the stock browser. My screen height has a similarly
ratio of 0.11%. My user agent is <0.01%.

Perhaps their data is under-representing mobiles?

I can see how fingerprinting would work on a Windows PC with its vast number
of possible combinations of cpu/gpu/installed system fonts/add ons etc. But
how would this works on mobile?

~~~
Tagbert
Yea, I’ve gone there using a stock iphone and a stock iPad both using Safari
and neither one with custom fonts, plugins, etc. iPhone: only 48 browsers have
exactly this fingerprint IPad: only 14 browsers have this fingerprint.

My list of fonts is only 0.55% similar And user agent is only 0.34% similar

Those are hard to believe on a device where these things really don’t get
customized.

------
jdc
Is it just me or would people rather be able to spoof or disable these fields
without drudging through thousands of lines of C++ code?

~~~
jedimastert
For some, no it would not really be possible.

The Canvas fingerprint is the biggest one, as it relies on different forms of
hardware acceleration which is based on GPU+CPU+configs for your computer and
browser.

~~~
Deukhoofd
Can't be that hard, considering Firefox allows for blocking Canvas
fingerprinting in its settings, and the site indeed shows that my canvas data
is shared with around 6% of the users, so definitely not unique.

------
codingmess
What I don't understand that the user agent for the latest version of Firefox
(on Windows 10) has a similarity rating of just 0,31%.

~~~
rgoulter
That's across "all time", not just the last 7 days.

But for the last 7 days, Firefox has over 300%, and Windows over 285%. Gecko
is over 700%. Screen left of 0 is 250%. -- I'm guessing some kind of
calculation error?

------
londons_explore
I doubt the accuracy of this fingerprint.

It claims my user agent (the latest stable Google Chrome - default browser -
on a stock Umidigi android device) is unique.

Considering there are probably 5 million people worldwide with my setup, I am
surprised it's unique.

~~~
suixo
Keep in mind that those 5 million people did not submit their fingerprint on
this website, so they are not "known" by this tool.

------
ropiwqefjnpoa
TOR browser on highest security level, javascript disabled and windowed
returns: Almost! (You can most certainly be tracked.)

~~~
segfaultbuserr
I tried it myself in Tor Browser, and I think this conclusion "You can most
certainly be tracked" is highly misleading. Without JavaScript, the only
information collected by the website is the headers sent by the browser,
listed below...

> _User agent: Mozilla /5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
> Firefox/68.0 (all time: 2.19% / 30 days: 10.80%)_

> _Accept: text /html,application/xhtml+xml,application/xml;q=0.9,_/ _;q=0.8
> (all time: 52.15% / 30 days: 37.04%)_

> _Content encoding: gzip, deflate, br (all time: 66.35% / 30 days: 92.02%)_

> _Upgrade Insecure Requests: 1 (all time: 27.33% / 30 days: 85.86%)_

> _Referer:[https://amiunique.org/](https://amiunique.org/) (all time: 16.55%
> / 30 days: 60.97%)_

> _JavaScript disabled (all time: 4.70% / 30 days: 14.09%)_

Surely, there are ways to track users without JavaScript, but none of them is
inspected by the website. The website only inspects the headers, and from the
listed information above, the tracker doesn't learn anything more than "This
user is running the latest release of Tor Browser with JavaScript disabled",
and at least 100,000 people are doing it right now.

But because the sample size of this website is limited, it only sees the fact
that these attributes seem to be a very small percentage of the overall
traffic, while ignoring the fact that these headers are generic, it makes the
conclusion.

> _" You can most certainly be tracked"_

Which is misleading. A Tor Browser with JavaScript disabled is still one of
the most difficult browsers to track.

The website actually tells you that,

> _But only 1440 browsers out of the 1560340 observed browsers ( <0.01 %) have
> exactly the same fingerprint as yours._

If you are the only person using the latest version of Tor Browser to access
this website with JavaScript disabled, yes, you can be tracked as a "Tor user
without JavaScript", and if you enter personal information, your identity can
be crosstracked between websites (if you are still the only Tor user with
JavaScript disabled). Otherwise, not much.

Interestingly, when a new Tor Browser release comes out, there will always be
an user to upgrade the browser before everyone else, then goes to a
fingerprint testing website, tests the browser, and says "OMG! I'm unique and
trackable!". In this case, don't panic, just keep using it, you won't be
unique anymore within a week.

~~~
FabHK
Worth noting that by default, the Tor Browser has JavaScript enabled (only
disabled on non-HTTPS sites).

------
chx
Is this dataset correct?

The accelerometer, gyroscope and proximity sensor has a ~9% false ratio here
which I intepret as 9% laptops/desktops and 91% phones. That's a bit too many
phones. But use of Adblock is over 34%. Also, I see 15.36% Chrome PDF Plugin
and 23.81% Native Client both which only exist on PCs and again doesn't really
mesh with only 9% non-phone. What's going on...? Are there laptops with all
three things listed...?

Also, everything else puts Chrome market share above 60% these days, only 38%
here.

~~~
XelNika
> The accelerometer, gyroscope and proximity sensor has a ~9% false ratio here
> which I intepret as 9% laptops/desktops and 91% phones.

Some of the stats are clearly broken. For the 7 day duration, those stats are
closer to 95% false. For the 90 days duration, I see values like

    
    
      Platform       153.00% Linux x86_64
      Screen height  253.53% 1080
      Media devices  159.95% Timeout
    

> Also, I see 15.36% Chrome PDF Plugin and 23.81% Native Client

I don't see PDF reader stats at all.

> Also, everything else puts Chrome market share above 60% these days, only
> 38% here.

Easily explained by bias if it's even correct. The kinds of people who would
try this service are also the kinds of people who would use a niche browser.

------
verst
What is most surprising to me:

Apparently my content language (JavaScript) alone is already unique (en-
US,en,de,zh-CN,zh). Being a native German speaker who speaks American English
(I live in the US) and Chinese and actually has those languages enabled in
their operating system.

Without JavaScript enabled the HTTP header for Content language is <0.01% --
(en-US,en;q=0.9,de;q=0.8,zh-CN;q=0.7,zh;q=0.6)

Is there any way to have a language installed in the operating system without
leaking that information to the browser?

~~~
vdfs
I've changed my language to only "en-US,en;q=0.9" and it show as 8.05%

You can do that in Chrome from Settings > Languages, remove what you don't
need, but i guess you will lose auto-correct for those languages

------
proidgeree1
Honest question here about the risk of being “unique”...:

If my unique identifier changes with each browser version + os version +
timezone + build id + fontpack + screen size... am I really trackable through
this vector? Those things change all the time for me at least. Seems like a
very short term method of tracking at best. Why should we be afraid of these
things? I had the same question about panopticlick (or whatever EFF called
it).

~~~
mobjack
Fingerprinting has lots of flaws like you mentioned.

Too many people have similar devices for it to be the primary way to track
people.

It is really a backup method of tracking that works some of the time based on
a probabilistic match.

Your IP address is also a big factor in finding a match.

------
floatingatoll
It accurately identifies my model of iPhone and that I’m running an iOS beta,
but it doesn’t appear to know anything that isn’t “I am an iOS developer”.
That’s probably still something that can be tracked, but it boils down
entirely to User-Agent which will vary weekly in lockstep with thousands of
others.

I am hesitant to extend the result that I can be uniquely tracked to category
“iOS developers” beyond that.

~~~
segfaultbuserr
Having a billion people using the exact same model of a computer (iPhone),
with almost identical hardware, software, peripherals, and system
configuration, is surely an advantage in terms of anti-tracking.

I recommend you to try visiting the same page on your computer, the slightest
variation of your hardware or software configuration will pinpoint your
identity to 99% certainty: What is the position tolerance of your canvas? What
is the list of fonts or browser plugins you have installed? What is the
latency of your audio interface?

~~~
floatingatoll
I use an Apple computer, too, and I only use the system fonts, don’t use
adblockers in any browser, and don’t use plugins either.

(Yes, I know how tracking works. It’s ironic to watch people realize that all
their protest actions are tracking beacons. I wish it was more widely
understood that being obvious is a consequence of being obviously different.)

------
winrid
This includes battery level which I think is pretty weird.

~~~
xyzzy_plugh
Agreed, that was the only thing which stood out to me as a surprise. Why would
any website need to know my battery level, without an explicit permission?
Seems like a gross oversight.

~~~
winrid
Well that, and it makes you appear more unique than probably desired (to the
site).

------
mirimir
Browser fingerprints being so unique cuts both ways.

So if I hit this site from the VM that one of my evil twins uses, _its_
Firefox fingerprint will _also_ be ~unique.

And I can have lots of VMs. Maybe not all running at once, but still. And
yeah, they use different exit VPNs.

------
XCSme
I have multiple attributes that are each unique: * Content language (HTTP
header) * Content language (JS) * List of fonts (JS) * Media devices

A bit surprised that it doesn't even need to do any fancy combinations of
identifiers to get a uid in my case.

~~~
hollander
Remember that you are unique in the list of visitors to this website. That is
a limited group. You are probably unique anyway, but the numbers here are not
acurate.

------
ff7c11
The results on [https://panopticlick.eff.org](https://panopticlick.eff.org)
seem much more accurate. Probably since Panopticlick by EFF is more well-known
and therefore has better data.

~~~
ac130kz
They also recommend to install Ublock botnet (not Ublock Origin) and to enable
DNT (a well-known way to track), I wouldn't trust those guys

------
milofeynman
Alright, so how do I fix the unique ones like Canvas?

Edit: To block canvas fingerprinting I set `privacy.resistFingerprinting` to
true in Firefox's about:config. Now I am trying to figure out how to disable
the font list and Media devices, etc.

~~~
gavreh
I am looking into this too. Looks like it's `font.system.whitelist` but I'm
not sure of a "generic, common" list to add there.

------
bdz
>ANGLE (NVIDIA GeForce GTX 1070 Direct3D11 vs_5_0 ps_5_0)

Wow I didn't know it reveals the GPU

------
nneonneo
The Media Devices query might always return "unique" on some browsers (e.g.
Firefox). Firefox, for example, returns a random string which persists for
that origin across a single browsing session (but which is different after the
browser is restarted, for example).

It's therefore like a cookie, but weaker in that it gets cleared on browser
restart (and, in private browsing, it's always changing). So it's not very
useful for tracking, since a site could just use a cookie instead.

If that's your only Unique attribute, then your browser might be less unique
than the website claims.

------
mattmein
What does it mean that I have a unique user agent? I just use normal brave
browser.

~~~
mynegation
I hope it is a joke (pretty good one if it is), but on an off-chance it is
not: it is entirely plausible that you are the first Brave browser user to
visit the site (or at least Brave of that version).

~~~
thatcat
Not a joke, panopticlick by eff does this too and explains how it works.

------
c3534l
No one has the same fonts I do, apparently. You could also probably infer my
occupation from my preponderance of monospaced fonts.

I'm surprised to find that simply by having Ubuntu that I tweaked to my liking
and a laptop, you can uniquely identify me by how much screen space I have
left.

Can anyone give me an explanation of how the media devices thing works,
though? Is video in and audio in given some random hash which websites can
then use as the random hash which identifies me?

------
cyphar
It's a bit strange that they recommend using the Tor Browser, but the Tor
Browser is shown as being "unique" using their fingerprinting setup.
Presumably this is just a lack of data rather than a real claim that browsers
like the Tor Browser are actually not sufficiently resisting fingerprinting
(after all, apparently 55% of people they've got data for use Linux and 41%
use Firefox!).

~~~
FabHK
FWIW, my Tor Browser also shows up as unique. Just the fonts alone are <0.01%.

------
qwerty456127
How do I configure Chrome spell checking dictionaries without letting it
inform the websites about the languages I use? The set of languages makes me
unique.

------
daniel_iversen
Would I be right in saying that if you use iOS safari (which a decent number
of mobile users use) you are not very unique at all and any tracking based on
browser fingerprinting is pretty useless? (Or is it the combination of a non
unique browser fingerprint with a slightly more targeted origin IP address
from the ISP) that makes it almost worth/possible trying to identify a person
without cookies?

~~~
PebblesHD
I was quite surprised that on my iPhone 8 Plus with iOS 13 I was totally
unique apparently. How exactly could that be possible if this is a device
where I cannot install any plugins, change fonts, or really do anything to
make it more or less different to another iPhone?

------
dmje
Read this, did it, felt vaguely appalled.

But: seems to me that if you do something unusual (turn off JS, use weird and
wonderful browser, hide _browser stuff_ from The Internet) then you make
yourself even "more unique". Turning JS off still doesn't really help - and
more to the point makes the modern web basically unusable.

I ended up with: meh, nothing anyone can do, why worry?

~~~
enriquto
> Turning JS off still doesn't really help - and more to the point makes the
> modern web basically unusable.

I have the opposite experience. Turning JS off makes the modern web much more
usable!

Regarding "uniqueness", if you browse from a fixed IP address then you are
unique anyway and your browser fingerprint does not really matter.

------
simias
The site tells me that 41% of users share my web browser, that is Firefox.
That seems insanely high given the general market share of FF. Any idea why
it's so popular on this website? Of course I would expect privacy conscious
people to be more likely to use FF but 40+% seems unbelievably huge especially
when you factor mobile browsers and the like.

~~~
vdfs
Probably because must of that website users worry about their privacy and use
Firefox instead of Chrome But Chromium show as 0.66% share and Chrome show
38.28% usage share

------
0xff00ffee
Funny, this website has been posted over a dozen times on HN since 2014, and
only recently has it broken above 10 points to 512!

Look at this link:

[https://news.ycombinator.com/from?site=amiunique.org](https://news.ycombinator.com/from?site=amiunique.org)

------
leoh
"(<0.01 %) have exactly the same fingerprint as yours."

If Apple cares about privacy, they need to get on this in mobile Safari ASAP.

~~~
acdha
That made me want to see whether the calculations have some assumptions about
variables being independent: it seems unlikely that the default browser on an
OS shipping in 7+ volumes has various headers, fonts, etc. which are so
identifying. I could believe some hardware variation with canvas/WebGL but the
iOS font list wasn’t even customizable until 13.

------
robocat
Browsers could defend against this (especially in combo with central malicious
site protection) : no legitimate page should be using many of these features,
and certainly not the combination of features.

Also turning JavaScript off helps (although that becomes a signal too, just
like DNT).

------
NicoJuicy
All time : However, your full fingerprint is unique among the 1556046
collected so far.

Android - default Chrome.

\---

Fyi, this whole tracking thing isn't that hard to circomemvent. You only need
one parameter to change to generate a unique hash.

With all the parameters they include, this should be done fairly easy.

------
sergioro
my user-agent (in particular my Linux distribution) was making me unique. To
be "less unique" i went to about:config and created these preferences:

    
    
        general.useragent.override: "user_agent"
        general.useragent.overridepreference: "user_agent"
    

replace user_agent the UA of your choice. This made me less trackable
according to [https://panopticlick.eff.org](https://panopticlick.eff.org) and
[https://amiunique.org](https://amiunique.org)

------
mNovak
Qwerty keyboard layout yields 0.7% uniqueness? Do other browsers just not
declare this?

~~~
toxicFork
In my Firefox it says "Not supported"

~~~
1_player
Not supported is 3.96%

So anything that's not QWERTY nor "unsupported" makes up the remaining ~95%?

------
smoyer
I am unique! It looks like the main culprit is that I'm running Firefox
Developer Edition so my reported version is a tiny percent of all users and
combined with Linux, Firefox, UTC-5 and en, that makes me one in 1561147.

------
longtom
This misses innerHeight, availHeight etc. which are also highly idiosyncratic
due to different settings of the dock/task bar size, installed browser plug-
ins, opened bookmark side windows and bars etc.

------
michael-ax
However, your full fingerprint is unique among the 1545859 collected so far.

------
emmanueloga_
Reminds me of evercookie. Previously, in HN ... [1] (10 years ago!)

1:
[https://news.ycombinator.com/item?id=1714446](https://news.ycombinator.com/item?id=1714446)

------
crorella
Why not intercept the different system calls and randomize their outputs?

------
hacker_9
Hang on, how is this unique:

    
    
        Keyboard layout 0.09% Qwerty
    

Is this saying less than 1% of users use a Querty keyboard? I must be living
under a rock if that's the case.

------
tinco
My fingerprint is unique apparently. Some water got in my main phone, so now
I'm using an older Android 7.0 phone with Firefox. Just that fact got me to
0.02% of all users.

------
Tomte
Over the last seven days, 109,5 percent of all users have been using my
operating system, and 129,86 percent of users have been using my web browser?
I think not.

------
nebulous1
This is great. I knew fingerprinting in this fashion was possible, but seeing
the actual figures attached to some of these headers and attributes is a real
eye-opener.

------
axegon
Though I'm not surprised by the results, the one that sticks out most to me is
the content language:

> Content language <0.01% en-US,en,bg,es

Bruh... 0.01%?!!? Seriously?!?!?

~~~
oneeyedpigeon
I’m en-gb alone and that’s only 0.69%. By comparison, 0.01% for the _highly_
specific combination of languages you have set doesn’t seem that strange.

------
zamadatix
Interestingly this led me to notice Firefox limits hardware concurrency to a
max of 16, changeable in about:config via the key dom.maxHardwareConcurrency

------
32gbsd
I am pretty sure I am going to be unique browsing on a version of chrome which
is 65 versions old so I am not even going to jump into that pool.

------
wholeness
How much of this requires JS to detect and then send to the server? as opposed
to can be processed entirely server-side?

------
bhrgunatha
Given the number of ways of fingerprinting, how can we reduce our uniqueness?
Is it even possible not to be unique?

------
muxator
Only 4% of the users who visited this test page use Ubuntu. Linux on the
desktop is really not a thing.

~~~
clarry
Where does it say your distro?

For me, it just detects that it's Linux (all time: 8.15%), while Platform is
Linux x86_64 (all time: 10.93%). Kinda funny that there are more x86_64 Linux
users than Linux users. Makes me wonder whether Ubuntu users are considered
Linux users at all..

------
tmoravec
> 30 days : But only 40 browsers out of the 10774 observed browsers (<0.01 %)
> have exactly the same fingerprint as yours.

Updated iPhone Safari. En locale. I have hard time believing it's that unique.

------
droithomme
The above site beachballed and was nonfunctional for me.

A better site with similar functioning is:
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
fnord77
panopticlick said my chrome browser was not unique.

this tool said it is.

~~~
tialaramex
Panopticlick is interested in solving a problem (and considerable progress has
been made on that), this site is as it's name suggests here to sell you on a
belief.

It'll cheerfully tell an unlimited number of identical browsers that they're
"unique" because that's the message it is here to sell.

If it gave these supposedly "Unique" browsers an actually unique identifier
they'd be able to compare it and see that they're not so "unique" as claimed
or _worse_ that the same browser gets different "unique" identifiers and so
they aren't identifiers at all. So that's why it doesn't do that.

------
duck
How can the percentage be greater than 100%?

------
quotz
How to protect?

------
runninganyways
Good news! I am unique. My experience is valid. I really needed to hear this.

