
Panopticlick – How Unique, and Trackable, Is Your Browser? - X4
https://panopticlick.eff.org/
======
neeee
Previous submissions:
[https://news.ycombinator.com/item?id=1082464](https://news.ycombinator.com/item?id=1082464)
[https://news.ycombinator.com/item?id=1081309](https://news.ycombinator.com/item?id=1081309)
[https://news.ycombinator.com/item?id=1087975](https://news.ycombinator.com/item?id=1087975)
[https://news.ycombinator.com/item?id=1085217](https://news.ycombinator.com/item?id=1085217)
[https://news.ycombinator.com/item?id=2699576](https://news.ycombinator.com/item?id=2699576)
[https://news.ycombinator.com/item?id=1614022](https://news.ycombinator.com/item?id=1614022)

~~~
theoh
Amen. And wouldn't it be more informative to be told how many browsers were
found to be indistinguishable from the user's? Pretty sure my iPhone is
completely generic. That should be a detectable category for them by now.

------
AshleysBrain
This could also be extended to include WebGL extensions/capabilities. Lots of
data there: [http://webglstats.com/](http://webglstats.com/) - various WebGL
extensions, stats like max texture size, max varyings etc. dependent on
hardware.

I wonder how it would fare if it included WebGL stats but excluded all plugin
data, e.g. stuff from Java or Flash. Seems to be a direction browsers are
moving in.

~~~
commenting12345
[http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf](http://www.w2spconf.com/2012/papers/w2sp12-final4.pdf)

------
logicallee
It's not very trackable - I've replaced my user agent string with my full
name, which is very unique.

This way nobody even knows if I'm on Firefox or Chrome.

~~~
conductor
> It's not very trackable - I've replaced my user agent string with my full
> name, which is very unique.

The more unique, the more trackable.

~~~
tjic
You missed his (pretty funny) joke.

~~~
conductor
Yes, I'm afraid I did. The "my full name" part should have been an indicator,
but I missed it :)

------
nikcub
There is a big flaw in using browser information as an identification token in
this way as _browsers change_.

I visit this site at least once a month and every time it picks me as
'unique'. That is because each time I've either installed a plugin, installed
a font, my browser version changes every 5 days with automatic updates,
installed a new browser, installed a different browser, am using multiple
browsers, am accessing from my phone, iPad, work computer, etc.

This makes it useless for actually tracking people.

To make browser fingerprinting anything more than useless in tracking you need
an algorithm that fingerprints but doesn't capture everything - such as how
hardware-locked licensing works and Windows Genuine Advantage - you can change
your soundcard or any minor device and your overall ID/fingerprint is still
the same (I'm struggling to remember what this technique is called).

When reading the NSA revelations I dug through everything with an eye on
wanting to know if they used browser or machine fingerprints to track users.
They don't. There is enough unique information in IP address, cookies and
email accounts alone.

And I bet most people who are concerned by tracking online and impressive demos
like this are still using their real IP address online, still accepting
cookies, etc.

~~~
mjolk
>And I bet most people who are concerned by tracking online and impressive
demos like this are still using their real IP address online,

How would one use a 'fake' IP address and expect traffic to make it back to
him/her?

~~~
tghw
[https://www.torproject.org/](https://www.torproject.org/)

~~~
mjolk
Tor isn't secure, nor is it really anonymous for these purposes.

------
itafroma
A couple of years back, I remember arguing with the moderators at Stack
Overflow who wanted to implement this to combat sock-puppetry:
[http://meta.stackoverflow.com/questions/113394/implement-some-form-of-browser-fingerprinting-to-help-suss-out-socks/113398#113398](http://meta.stackoverflow.com/questions/113394/implement-some-form-of-browser-fingerprinting-to-help-suss-out-socks/113398#113398)

Back then, the proponents of that plan insisted the privacy concern was
largely academic. I somewhat wonder what would've happened post-PRISM leak had
they ever implemented it.

~~~
darth_aardvark
Wouldn't switching browsers/adding a plugin get around the block really
easily?

~~~
itafroma
The response to that concern at the time was that most of the people who would
know how to get around it wouldn't need to sockpuppet[1]. I suspect, if it
were ever implemented, there'd be some attempt to obfuscate or hide what was
actually tracked like they do for their other fraud algorithms. But issues
like that and the privacy issues were pretty indicative of its lack of value
and it doesn't surprise me it was never implemented and didn't even warrant a
response from an SE employee.

[1]: [http://meta.stackoverflow.com/questions/113394/implement-some-form-of-browser-fingerprinting-to-help-suss-out-socks/113398#comment294757_113394](http://meta.stackoverflow.com/questions/113394/implement-some-form-of-browser-fingerprinting-to-help-suss-out-socks/113398#comment294757_113394)

------
conductor
> one in 506 browsers have the same fingerprint as yours.

So is this good or bad?

Some time this year, I'm planning to write a browser add-on which will send
random (legitimate, from real browser versions) header combinations of the
user agent (+OS) and accept headers. It can be semi-random, e.g. send the same
headers to the same host during one visit. Combine it with the NoScript addon,
use the RequestPolicy addon, block third-party cookies, tell the browser to
delete the cookies and local storage on exit, use plugins only in "on-click"
mode (or don't use plugins), don't send "referer"s (or send fake "referer"s),
use Tor for HTTPS sites (and sites that don't need authorization), and this
will make it hard to track you.
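
An added sketch of the per-host, per-session header selection conductor describes above. This is example code written for this page, not conductor's add-on (none is linked). The profile table is constructed sample data modelled on 2013-era Firefox and Chrome headers, and FNV-1a is an assumed choice for stable bucket selection; it provides no secrecy and does not need to here. The point of drawing from whole profiles is that the UA, Accept and Accept-Language of one real build travel together: a Firefox UA with a Chrome Accept-Language is itself a rare, trackable combination.

```javascript
// Header profiles captured as a unit from real browser builds (constructed
// sample data here). Mixing fields across builds would create a new, rare signal.
const PROFILES = [
  { ua: 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    acceptLanguage: 'en-US,en;q=0.5' },
  { ua: 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    acceptLanguage: 'en-US,en;q=0.8' },
  { ua: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0',
    accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    acceptLanguage: 'en-US,en;q=0.5' },
];

// FNV-1a, 32-bit: cheap and deterministic, which is all bucket selection needs.
// Assumed choice for this example; not a cryptographic hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// One profile per (session, host): every request to the same host during a
// session carries identical headers, so the site sees one consistent visitor;
// a different host, or a new session seed, gets an independent draw.
function headersFor(host, sessionSeed, profiles = PROFILES) {
  const idx = fnv1a(`${sessionSeed}|${host.toLowerCase()}`) % profiles.length;
  const p = profiles[idx];
  return {
    'User-Agent': p.ua,
    'Accept': p.accept,
    'Accept-Language': p.acceptLanguage,
  };
}

// Rotated at browser start or on demand. Uniqueness, not secrecy, is the goal.
function newSessionSeed() {
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2)}`;
}

// Example: a single visit spanning two hosts.
const seed = newSessionSeed();
console.log(headersFor('news.ycombinator.com', seed)['User-Agent']);
console.log(headersFor('panopticlick.eff.org', seed)['User-Agent']);
```

Note the caveat raised further down the thread: if JavaScript is enabled, `navigator.userAgent`, `navigator.platform` and the plugin list will contradict a swapped header and the contradiction is itself distinctive, so a header-only rotation is only coherent with scripts blocked or with the same profile applied consistently to the script-visible values.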

~~~
tjic
> I'm planning to write a browser add-on

Do it for chrome.

...and let me send you money.

~~~
X4
Save your money, the people who released this solve the problem:

Go here =>
[https://stopfingerprinting.inria.fr/](https://stopfingerprinting.inria.fr/)
Chrome + Firefox add-on.

EDIT: solved->solve, they didn't solve it yet, but this add-on helps them
solve it.

~~~
conductor
Thank you for this link. So, currently, it does nothing to protect; it only
collects information and sends it to them for future analysis.

~~~
X4
Correct, they are researching ways to fight against tracking, this helps the
researchers to do just that and stop future tracking attempts.

------
wusatiuk
Here are some further ideas, how to do it:
[http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/](http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/)

or simply enhance the mentioned method by HTML5 / CSS3 support (e.g. through
[http://modernizr.com/](http://modernizr.com/)) and you will get even
better results, as shown in this study ([https://panopticlick.eff.org/browser-uniqueness.pdf](https://panopticlick.eff.org/browser-uniqueness.pdf)).

~~~
hayksaakian
would 301 abuse work for IMG tags as well? or is the caching exploit specific
to JS?

~~~
X4
That reminds me of the CSS :visited browser history hack. I wonder if that
still works, or if it could be replaced by your IMG approach. I fear yes.

The next ugly site could steal your browser history that way and show which
porn sites you've visited, for example.

------
dictum
Even trying to be less trackable makes you more unique.

~~~
logn
Yep. And I didn't know that our browser sends plugin info to websites. Wonder
if there's a plugin to turn that off :P

~~~
X4
I found this site, that way :)

Go here =>
[https://stopfingerprinting.inria.fr/](https://stopfingerprinting.inria.fr/)
Chrome + Firefox add-on.

~~~
e40
I installed it and the uniqueness didn't change in the OP's test.

~~~
X4
You're right. The website claims:

For the moment, there is no protection from fingerprinting. Browser extensions
that change some of the parameters of your browser’s snapshot make you even
more identifiable because there are often other ways to check the values of
these parameters. However, some of your parameters change by themselves, for
example, after your web browser updates, or simply when you travel or use
external monitors. Panopticlick does not take this into account; however,
effective fingerprinting libraries are able to identify you because they
monitor your subsequent visits to websites.

~~~
ds9
"Browser extensions that change some of the parameters of your browser’s
snapshot make you even more identifiable because there are often other ways to
check the values of these parameters."

For example, use Useragent Switcher in FF; this is effective as long as you
keep JS off. With JS the site can interrogate the client and report, and any
discrepancy would be found, and distinctive.

I've been looking at this from the avoiding-tracking and from the server side
(identifying clients independently of cookies). The client is very limited in
options with JS on. Users need more control of this in the browser.

In an application you could in principle track users even across some changes
with a sort of "preponderance of the signals" confidence value - weighting
several things like IP, platform etc.

------
beloch
I tested the browser I normally use for untrusted sites, which has Adblock,
Ghostery, and lots of other custom components bolted on. Unique.

Next, I tested the browser I never use: IE10. It was installed with the OS. I
presume it's been kept up to date, but I haven't used it let alone modified it
in any way. Also unique.

This is fishy.

----------------

Update:

Okay. It makes sense now.

Part of this test gathers a list of system fonts installed. I have some pretty
weird ones installed which seem sufficient to uniquely identify me.

System fonts can betray your identity online... Who knew?

~~~
teeja
First of all, when you get a 'unique', turn off javascript, then go back and
click the 'Test Me' button again. You'll see much of your 'uniqueness' go
away, and many boxen say 'no javascript'... no plug-in or font details sent.

Get a user-agent switcher and try several different browsers. (Use the 'Test
Me' button after switching.) In the past I found IDing as IE8 made my browser
1 in 3000 or so.

Another good site for testing your settings security is grc.org.

~~~
kleiba
_First of all, when you get a 'unique', turn off javascript, then go back and
click the 'Test Me' button again._

Then, look for a new way to get information as the web has become almost
unusable for you in 2013.

~~~
ronaldx
I've found a strong correlation between sites which _require_ javascript, and
sites which I should be spending a minimal amount of time on.

~~~
iampims
Sites like gmail.com?

~~~
ronaldx
Gmail doesn't, in fact, require javascript.

------
X4
My designer friend was watching a livestream, where he clicked a link that
infected his OS X computer at work. He was worried and asked me to inspect the
payload, which was funny, because I only got a blank page. Only modifying my
UA string gave me access to the Java-exploiting payload, but imagine how they
could go undetected by sniffing for more than just the UA string!

After some investigation I found out that one guy has infected many thousands of
OS X and Windows PCs and turned them into drones. Now I know how they make
money: selling their botnets. Kinda disappointed, I thought there was more
thought and work required. But you see the point, anybody with enough patience
can do that today; the tools are available.

~~~
meowface
You might be surprised to hear that many tens of thousands of clueless kids,
teenagers, and adults pay for all-in-one kits that host Java drivebys
(malicious self-signed Java applets, and Java exploits), redirect visitors of
compromised sites to one's Java driveby, infect them, and manage such botnets
through fancy Web 2.0 interfaces.

And they don't even need (and often do not have) a shred of basic IT knowledge
to do any of this, let alone programming knowledge.

------
robgering
Wow, I had no idea that my system fonts were trackable with Flash. That's like
an instant fingerprint, as many developers and designers have at least a few
custom fonts installed -- if not a few dozen.

~~~
0x0
You can probably do something similar with javascript, either by comparing a
<span>'s width, or by using canvas etc sampling pixels, to see if a given font
is installed or not. You'd need a pretty long list of fonts to check, though.

Flash makes it easier since you can simply enumerate all the fonts.
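
The width-comparison technique 0x0 sketches, written out as an added example for this page (not 0x0's code). In a browser the measuring function is canvas `measureText`; here it is injected, so the same detection logic runs without a DOM. `fakeMeasurer`, the candidate list and the widths in it are constructed sample data so the block runs offline.

```javascript
// Probing installed fonts through text metrics. A font the browser lacks is
// silently replaced by the generic fallback, so the rendered width matches the
// fallback alone; a font it has renders with its own metrics and the width moves.
const PROBE_TEXT = 'mmmmmmmmmmlli';   // wide and narrow glyphs amplify metric differences
const FALLBACKS = ['monospace', 'sans-serif', 'serif'];

// Browser-side measurer over a 2D canvas context (standard measureText API).
function canvasMeasurer(ctx) {
  return (fontSpec) => {
    ctx.font = `72px ${fontSpec}`;
    return ctx.measureText(PROBE_TEXT).width;
  };
}

// A candidate counts as installed when naming it ahead of a fallback changes
// the width relative to that fallback by itself. Three fallbacks are tried so
// a font that is metrically identical to one of them is still caught by another.
function detectFonts(candidates, measure) {
  const baseline = Object.fromEntries(FALLBACKS.map((fb) => [fb, measure(fb)]));
  return candidates.filter((font) =>
    FALLBACKS.some((fb) => measure(`"${font}", ${fb}`) !== baseline[fb]));
}

// Constructed stand-in for measureText so this block runs offline.
// `installed` maps font name -> width of PROBE_TEXT in that font; any other
// name resolves to the generic family's width, as a real browser would do.
function fakeMeasurer(installed) {
  const fallbackWidths = { monospace: 936, 'sans-serif': 701, serif: 712 };
  return (fontSpec) => {
    const m = /^"([^"]+)",\s*(\S+)$/.exec(fontSpec);
    if (!m) return fallbackWidths[fontSpec];          // bare generic family
    return installed[m[1]] ?? fallbackWidths[m[2]];   // missing font -> fallback metrics
  };
}

// The candidate list is the cost of the JS approach: unlike Flash's enumeration,
// script can only confirm or deny names it already knows to ask about.
const CANDIDATES = ['Arial', 'Calibri', 'Comic Sans MS', 'Fira Code', 'Helvetica'];

// Stand-alone run with constructed metrics. In a page you would instead call
// detectFonts(CANDIDATES, canvasMeasurer(document.createElement('canvas').getContext('2d'))).
console.log(detectFonts(CANDIDATES, fakeMeasurer({ 'Fira Code': 980, Helvetica: 701, Arial: 702 })));
```

Real libraries probe several hundred names; the detected subset, joined in a fixed order, becomes one component of the fingerprint, which is why a designer's handful of unusual fonts is enough to stand out.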

------
kristopolous
I'm unique again every time I've come here (probably 12 times over 3 years).
I've never been not unique. I don't think that's very trackable if I appear to
always be a new person every time.

~~~
jwegan
I've had the same experience. My guess is it is good for short term tracking
(days, weeks), but not longer term (months, years).

------
bcoates
These numbers don't make much sense to me. Only 2.5% of the site's users are
running 1920x1080x32? Only 4% of people going to an EFF website are in the
Pacific timezone?

~~~
brigade
Well, only 14% of the US's population is in the Pacific time zone [1], so that
would imply that about 2/3 of the visitors are non-US, which seems reasonable.

And yes, 1080p is still a fairly uncommon resolution in this laptop era.
StatCounter estimates 7-8%, and it's somewhat likely that StatCounter and EFF
are going to have different skews [2]

[1]
[http://www.newtimezones.com/pdfs/current_economic_crisis.pdf](http://www.newtimezones.com/pdfs/current_economic_crisis.pdf)

[2] [http://gs.statcounter.com/#resolution-na-monthly-201302-201307](http://gs.statcounter.com/#resolution-na-monthly-201302-201307)

------
bitbiter
I am unique among the millions so far.

It took me a moment to realize that means I am completely trackable.

A little surprising since I just built this computer from scratch a couple
weeks ago. I'll take this more as a commentary on the popularity of Windows 8
more than anything.

~~~
incongruity
For me, without a doubt, it's my fonts and one or two other things that make
me unique.

------
Fuzzwah
_Your browser fingerprint appears to be unique among the 3,229,638 tested so
far._

I'm a snowflake!

~~~
cLeEOGPw
Sadly, me too...

~~~
chmars
Me too, unique … users of Chrome dev versions are obviously not that common.

------
javajosh
Chrome in Incognito Mode is still highly trackable using this method.

~~~
dllthomas
My Firefox, too.

------
mkohlmyr
Surely if you want to track users over a much longer (obviously this works
very well for even a large number of sessions) period of time you wouldn't
rely on plugin and web-font data staying the same.

I suppose you might have a confidence equation based on overlap, since changes
would likely be small and gradual.

------
DocG
Fun fact: If you test it in normal mode and then incognito, you are no longer
unique

Also, it might mess with overall statistics

------
conradev
I have always wondered if there is a "master list" of things that can be used
to uniquely fingerprint a browser. For example, I don't see system time
offsets[1] being used here.

[1] An example of this can be seen here: [http://time.is](http://time.is)

~~~
oftenwrong
[http://browserspy.dk/](http://browserspy.dk/) has a good list

------
graue
FYI Mozilla has a tracking bug for making their browser less trackable:

[https://bugzilla.mozilla.org/show_bug.cgi?id=572650](https://bugzilla.mozilla.org/show_bug.cgi?id=572650)

See the bugs under "Depends on" for examples of changes they've made, or Dave
Garrett's comment #59.

I've seen this link several times before and it always says I'm unique. A new
discovery this time: Ubuntu is patching Firefox to gratuitously add itself to
the user agent string, giving it more visibility, but also making all Linux
users more trackable. That's pretty shitty, and they seem to do the same thing
to the packaged version of Chromium. I don't know what to do about it, so I'm
afraid my complaint isn't actionable.

~~~
eli
Make your user agent whatever you want it to be:
[https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/](https://addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/)

------
flavio87
Is there anything preventing a website that has access to your email address
or name for that matter (i.e. because you created an account on that site) from
selling the link between email and browser fingerprint to advertising
networks?

~~~
Routinism
Nothing at all. Working with the data industry, I've been blown away by the
links every advertising network is trying to make between the crumbs we leave
all over the place. Expect your TV (not even a smart TV) to be displaying ads
based on your browsing history in the near future, all linked by your IP
address. The data industry will absolutely whore your data all over the place.
Datalogix, BlueKai, and many others have raised millions to do exactly this
sort of thing.

~~~
X4
whoa, I didn't think of that! It's true and that must be the reason why all
the European ISPs try to sell you

3in1 Internet Bundles coming with:

    * Wiretapped VoIP
    * Censored and Tracked Internet
    * Browser History based TV Programs and Ads

    (Online shops already do income-based pricing)

------
1337biz
Is there already a fix for that? Just a plug in that blocks all unique
identifiers and responds with a windows-out-of the box configuration should
solve the problem.

~~~
_delirium
For me, the list of installed plugins is by far the most unique bit of
information, so just blocking that would be helpful.

~~~
X4
Go here =>
[https://stopfingerprinting.inria.fr/](https://stopfingerprinting.inria.fr/)
Chrome + Firefox add-on.

~~~
_delirium
Thanks!

As a side note, I've been impressed with French academia lately. Between INRIA
and IRCAM, I see a lot of quite practical stuff that I like coming from there.

~~~
X4
Glad to help. Yes so do I, I've seen a lot of INRIA projects that stunned me.
I didn't know about CCRMA, would you mind sharing some stuff you found over
there?

~~~
_delirium
Hah sorry, I edited my comment before you replied, but I got a brain mix-up
between the international computer-music centers' acronyms: CCRMA is an
American one at Stanford, but I meant IRCAM, the French one at Centre
Pompidou. The third of the "big three" is CNMAT at UC-Berkeley. All are
5-letter acronyms, so it is a bit easy to confuse...

It will not be very interesting if you don't care about computer music, but
IRCAM has an ethos of producing many projects in that area. For example, the
Max system that later became Max/MSP (and later the open-source version, Pd)
was originally an IRCAM project. They also have a Common Lisp based visual-
score system
([http://repmus.ircam.fr/openmusic/home](http://repmus.ircam.fr/openmusic/home)),
a system for data-based resynthesis using musical corpora
([http://imtr.ircam.fr/imtr/CataRT](http://imtr.ircam.fr/imtr/CataRT)), and a
number of other things, including many projects more on the music/composition
side.

------
chayesfss
We use this concept for low friction enterprise authentication at SecureAuth.
Sure as hell beats rsa tokens or anything related to a phone.

~~~
0x0
What? Wow, that sounds really dangerous. The same fingerprint is available to
any site out there, so anyone could just capture it and try to replay it on a
"SecureAuth" service, no?

~~~
samweinberg
Hopefully that isn't the only means of authentication.

~~~
0x0
What is it then? What if I upgrade the browser, will it accept whatever other
auth factor I present (a password?) anyways? What's left then?

------
Hannelore
I clicked [Test Me] from FF 19.0 with Ad Block Plus, Ghostery, and Request
Policy installed… It crashed FF.

------
raycmorgan
I know a couple groups that use this technique to track iOS app downloads.
Although iPhones aren't very unique, looking at the somewhat unique
fingerprint + timeframe from browser to app d/l works out pretty well.

------
helloNSA_
Just use NoScript. [you should have been using it for a long time now
anyway...]

------
X4
This post gives me the impression that it's self-fulfilling.

The more info you share here, the more dangerous it gets and the more people
are aware of the danger it could pose, when used by the wrong hands.

------
auston
I came across this research when I was trying to fingerprint mobile devices.
Apple has a seriously tight handle on making sure its iPhone users are not
uniquely identified via mobile safari.

------
rotskoff
1 in 3.2 million doesn't really seem that unique to me. Once the sample size
is larger by a factor of 10 - 100, I think this will be more valuable.

~~~
igravious
From what I gather going by this site that I consulted
([http://www.m-w.com/dictionary/unique](http://www.m-w.com/dictionary/unique))
it seems that anything less than 2 would qualify you as unique.

You may feel that as the sample set grows others may join your party but you
have not told us why you believe this to be the case. I wouldn't be too sure,
I would be more hesitant in reaching that conclusion.

As it stands you are a unique snowflake and so am I.

------
Qantourisc
Why do browsers, for example, allow so many things? I mean someone has to put
in the goddamn code to make it have those "features"?

------
vxcvcx
System fonts are used to identify us. My browser was also unique.

Very good to know... will get plugin to alter browsers identifying
information.

------
roborovskis
The fact that they can see what plugins I have makes uTorrent wanting a
browser plugin make total sense. Just thinking.

------
qwerta
> Your browser fingerprint appears to be unique among the 3,242,704 tested so
> far.

I guess it is good choice to disable JS by default

------
joelhaasnoot
I've heard BTW that Comscore advocates this as a way to get the same tracking
without using tracking cookies...

------
Raphmedia
I should install a bunch of fonts that say "f*** you, don't track me." and
the like.

------
Radle
Is there any way to hide things like Browser Plugin Details and System Fonts?

~~~
icebraining
Yes, disable JavaScript.

~~~
Radle
I did the test again afterwards; Panopticlick can use the information anyway.

------
tmp3123
if we can't hide the plugin info, can we instead generate some random string
to cause this fingerprint to be unique (and different) on every http request?
(e.g. fake font, fake plugin name)

------
Vektorweg
i have a unique user agent. i'm absolutely trackable. :p

~~~
solistice
Well, I seem to be unique as well, but I have nothing to hide...on this
machine.

------
sehugg
So far Safari on iPad is my least unique browser (13 bits).

------
AndyKelley
I just did it twice and it said I was unique both times.

------
6d0debc071
My browser is apparently unique among all those tested so far (around 3
million) and gives you, with all the odd setup options, a little bit under 22
bits of information.

Okay... so what does that actually mean to you?

Perhaps the best way to proceed here is by comparison:

To pick out one person uniquely among the 7 billion people on Earth requires
~33 bits of information.

Each bit of information divides the search space in two, (just like with
computers =p )

Which is why you can just go:

log2(searchspace) = required bits

You can also work the idea backwards. (i.e. 2^(available bits of info)) to
find out what size of search space you can be found in.

It so happens I give up about 22 bits so... I can be found in a population of
about 4 million.

Put another way, there are, best case scenario assuming that the distribution
is random (which in practice it almost certainly isn't), around search space /
uniquely identifiable pool people with a similar fingerprint to myself.

In this case we're dividing seven billion by 4 million which should give you
around 1,750 similar people to myself.

So... that's pretty darned accurate - but not that worrying yet perhaps. At
least if you needed to uniquely identify me.

But I'd bet a heck of a lot they do have other info.

Every bit of information under that needed to identify you uniquely in the
search space doubles the potential group size you have to hide within. Every
bit of extra information they have, halves it.

Not everyone in the world is online. Only 39% were predicted to be so this
year, I believe.

Suddenly you're looking at only having 683 people like you on earth.

And it gets worse.

The really relevant search pool is going to be how many people connect to the
sites they know about - which are probably going to be multiple sites since
they can store and trade your IP address which probably isn't going to change
that often. I bet most of the sites I connect to don't get anywhere near 39%
of the world's population connecting to them.

How unique am I for the sites I visit? The sites I visit, if they're niche
like HN, probably gives a HECK of a lot of info on me. To the point where I
suspect I can be absolutely uniquely identified here by my browser
fingerprint. You'll notice that of the 3 odd million people on the EFF site I
provide more than enough info to be uniquely identified.

And even if they don't, the cumulative probability is the product of the sum
of the individual probabilities. If someone goes on two niche sites, or
three... The search space gets cut up again. Snipety snip.

So, yeah, in connection with other databases and the usual attack vectors
people use when they start getting info on you - targeted ads, security
profiling etc, that's pretty worrying. It's especially worrying for
applications where people aren't going to have a high cost from hitting the
wrong target.
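
The bit-counting in the comment above, carried through in code as an added example for this page (not the commenter's). The inputs are the figures quoted in this thread: 7 billion people, 39% online, 3,229,638 browsers tested, a fingerprint worth about 22 bits, and the "one in 506" result another commenter saw. The code uses the exact 2^22 = 4,194,304 where the comment rounds to 4 million, so its anonymity-set sizes come out a little lower than 1,750 and 683.

```javascript
// log2(searchspace) = bits needed to single out one member of the search space.
function bitsToIdentify(population) {
  return Math.log2(population);
}

// Working backwards: how many people share a fingerprint carrying `bits` bits.
function anonymitySetSize(population, bits) {
  return population / 2 ** bits;
}

// Surprisal of one observed value. Panopticlick's "one in N browsers share
// this value" is exactly log2(N) bits; a unique value among T tested is log2(T).
function surprisalBits(matchingCount, total) {
  return Math.log2(total / matchingCount);
}

// Attributes' surprisals add only if the attributes are independent. Correlated
// signals (OS and installed fonts, say) make this sum an overestimate, which is
// why Panopticlick reports the whole-fingerprint count rather than summing parts.
function combinedBits(observations) {
  return observations.reduce((acc, o) => acc + surprisalBits(o.matching, o.total), 0);
}

// Constructed inputs taken from numbers quoted in this thread.
function worked() {
  const WORLD = 7e9;
  const ONLINE_FRACTION = 0.39;
  const TESTED = 3229638;
  const MY_BITS = 22;
  return {
    bitsForEveryone: bitsToIdentify(WORLD),                          // ~32.7 -> 33 bits
    bitsGivenUp: surprisalBits(1, TESTED),                           // unique among tested: ~21.6
    peersOnEarth: anonymitySetSize(WORLD, MY_BITS),                  // ~1,669 people
    peersOnline: anonymitySetSize(WORLD * ONLINE_FRACTION, MY_BITS), // ~651 people
    oneIn506: surprisalBits(1, 506),                                 // ~9.0 bits
    // Each extra independent bit a tracker learns halves the crowd you hide in:
    peersWithIp: anonymitySetSize(WORLD * ONLINE_FRACTION, MY_BITS + 10),
  };
}

console.log(worked());
```

The last field makes the comment's closing point concrete: an extra ten bits from an IP address or a niche-site visit takes the crowd of a few hundred look-alikes down to less than one, i.e. unique.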

------
AsymetricCom
Isn't Javascript wonderful?

