Panopticlick (eff.org)
248 points by kick on Oct 27, 2019 | 82 comments



Interesting counterpoint to people who claim that turning off Javascript is just another data point. I use Firefox with a decent amount of tracking protection turned on. With Javascript, I leak about 16 bits of identifying information. Without, I leak about 7.

You want to take that with a grain of salt, because I don't think Panopticlick is a perfect tool to measure this stuff. For one thing, I suspect that Panopticlick is highly influenced by the people who visit it -- being posted on HN probably means there are more data points for me to hide in than usual.

For the other thing, there are measurements that Panopticlick doesn't include, and there's no way for Panopticlick to track disinformation and false data. For example, you could still get my screen size without Javascript via just CSS. Are most tracking sites doing that? No, it would be a massive pain to do, and it would force you to ship giant CSS blobs everywhere. But it's still possible.

But, this does still strengthen my conviction that turning off Javascript by default _probably_ helps avoid tracking on most sites, and it's surprisingly feasible to do. A lot of content-sites work without Javascript.

I recommend UMatrix if you want to go down that route, since it lets you create very precise exceptions relatively easily when you need them.


I agree, Panopticlick is not really good as a measuring point. I am randomizing most of the metrics it is using, and even if it detects my browser as unique, this will always be true, as my data is fake and randomized each time a browser tab is opened. Sure, you can track me for the time the tab is alive, but on the next visit the results are going to be 90% different (including WebGL fingerprinting) and there is no way it could correlate me with my previous visit. For it I am always a new visitor, never seen before. I could try to blend in, but why?

Another thing is "not blocking sites that honor DNT". I am sorry, but I don't trust anyone, based on the fact that web users were lied to just too many times. Once DNT is tied to hefty fines, I might reconsider; until then everything will be blocked.

(And it is highly tasteless that the EFF is offering links to promote Panopticlick on the worst web tracking facilities of the internet - FB, Google+ and Twitter.)


For everyone wondering: Firefox extension Chameleon randomly spoofs your user agent. However, I would highly recommend NOT using this extension, or randomizing your user agent whatsoever - it only raises your entropy and makes you easier to track. You should be trying to make your browser look identical to everyone else's, not different.

This can be partially achieved by setting privacy.resistFingerprinting to true in Firefox's about:config. This won't stop Panopticlick from fingerprinting you. If you really want to reduce your fingerprint, try using the ghacks user.js [1]. If you want to make fingerprinting completely impossible, use the TOR browser [2].

Most users don't need to worry about this - uBlock origin blacklists most fingerprinting efforts by default.

Please read: https://www.privacytools.io/browsers/#fingerprint

[1] https://github.com/ghacksuserjs/ghacks-user.js

[2] https://www.torproject.org/

More Firefox privacy extensions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Exte...


You're assuming that trackers account for a changing UA. Are there trackers doing that? I suppose a deliberate or malicious attempt to identify me and isolate my machine could account for a randomly spoofed UA. But if I am trying to hide in plain sight from tracking software, isn't this method of UA spoofing enough to misplace my machine into different tracking categories or throw them off my scent entirely? When I run Panopticlick, UA is usually among the highest number of bits of identifying information, the rest of the identifying settings and preferences are more likely to be shared, which makes a particular device blend in.


If you don't mind, how are you randomizing these metrics?



If you're primarily worried about privacy, I recommend against spoofing your user agent unless you're only changing superficial details. See https://bugzilla.mozilla.org/show_bug.cgi?id=1404608

It's very hard to fake an OS or pretend to be a separate browser. If you're focusing on disinformation, you should probably be focusing on disinformation that's harder to detect.


the useragent is far from being the only metric used by panopticlick


I know that, but the UA does provide the highest number of bits of identifying information.


is that still true since operating systems and browsers automatically update themselves now?


Fair point, that probably lowers the odds of recognition a bit, but the UA stands out because of the multiple variables that it reports in one header. At least when I ran Panopticlick a few times with various configurations, that was always the factor which gave up the most bits of identifying info.


Please tell me that there is an extension with which you randomize this data? I want it as well!


that'd be nice but I don't think that there is one so I don't think that he is doing what he is claiming.


> I recommend UMatrix

There is also master switch to wholly disable JavaScript on per-site basis in uBlock Origin[1], which I think is a more user-friendly approach for whoever wants to experiment with toggling on/off JavaScript easily.

[1] https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-...


"Does your browser unblock 3rd parties that promise to honor Do Not Track?"

"No" comes with a red X like if it's a bad thing, but... Is it?


I found the stats for DNT interesting. 1 in 1.92 have DNT header enabled. So having it as False gives more bits of info. Presumably that's just stats for folks using panopticlick, so heavily skewed towards folks who know about privacy.

> DNT Header Enabled? | 0.94 | 1.92 | True


It's not, hence the push from browsers to remove Do Not Track.


Really? Firefox now enables the DNT header by default. If all Firefox users have DNT enabled, then it can't be used as a data point.

I don't like DNT, and I don't like that the EFF pushes for it. Users shouldn't have to ask to not be tracked - websites should respect your privacy by default, and if they don't, users should take control with tools such as uBlock Origin.

Also, privacy means different things to different people. Two of the most privacy advocating websites in existence, eff.org and privacytools.io, think it's OK to collect anonymous stats on site usage. Yet the authors of EasyPrivacy (a filterlist enabled by default in uBlock Origin) make no exceptions and block both of those sites from collecting data.


Safari has removed it, as websites wouldn’t respect it.


"17.63 bits of identifying information" for me.

Strange that they do not make use of the fact that browsers leak your local IP:

https://browserleaks.com/webrtc

This is one of the most glaring privacy holes built right into the browsers.

On the other hand, I am surprised they correctly identify my "platform" as "Linux x86_64", even though I used a Windows user agent. How do they do that?

Also: What does the "Share on Google+" button do? It prompts me to log into Google. What would happen if I do?


>On the other hand, I am surprised they correctly identify my "platform" as "Linux x86_64". Even though I used a windows user agent. How do they do that?

probably because your user agent faker only fakes the http header and not the javascript environment.

try printing out the value of navigator.userAgent or navigator.platform in the developer console.
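
The mismatch described in the comment above, as an added example that is not part of the thread: a small self-audit that compares the `User-Agent` header a spoofing extension sends with the `navigator` values page scripts can still read. The names `OS_HINTS`, `osFrom` and `auditSpoof` are hypothetical, the three-entry hint table is a minimal heuristic, and the UA strings are constructed samples.

```javascript
// Added example: does a spoofed User-Agent header agree with what page
// scripts see in `navigator`? All sample values below are constructed.

// Minimal heuristic table (an assumption of this example, not a standard):
// which substrings mark an OS in a UA string and in navigator.platform.
const OS_HINTS = [
  { os: "windows", ua: /Windows NT/, platform: /^Win/ },
  { os: "macos",   ua: /Macintosh/,  platform: /^Mac/ },
  { os: "linux",   ua: /Linux/,      platform: /^Linux/ },
];

// field is "ua" or "platform"; returns the OS family or "unknown".
function osFrom(field, value) {
  const hit = OS_HINTS.find((h) => h[field].test(value || ""));
  return hit ? hit.os : "unknown";
}

// headerUa: the User-Agent request header the browser or extension sends.
// nav: an object shaped like window.navigator (userAgent, platform).
function auditSpoof(headerUa, nav) {
  const claimedOs = osFrom("ua", headerUa);
  const platformOs = osFrom("platform", nav.platform);
  const findings = [];
  if (nav.userAgent !== headerUa) {
    findings.push("navigator.userAgent differs from the User-Agent header");
  }
  // Only compare OS families when both sides could be classified.
  if (claimedOs !== "unknown" && platformOs !== "unknown" &&
      claimedOs !== platformOs) {
    findings.push(
      `header claims ${claimedOs}, navigator.platform says ${platformOs}`);
  }
  return { claimedOs, platformOs, consistent: findings.length === 0, findings };
}

// Constructed case matching the thread: a Windows UA sent in the header
// from a Linux machine whose JavaScript environment was left untouched.
const SPOOFED_HEADER =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0";
const LINUX_NAV = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0",
  platform: "Linux x86_64",
};
// Constructed case: the spoofer also rewrites navigator.userAgent,
// but navigator.platform still reports the real OS.
const HALF_PATCHED_NAV = { userAgent: SPOOFED_HEADER, platform: "Linux x86_64" };

console.log(auditSpoof(SPOOFED_HEADER, LINUX_NAV));
console.log(auditSpoof(SPOOFED_HEADER, HALF_PATCHED_NAV));
console.log(auditSpoof(LINUX_NAV.userAgent, LINUX_NAV));
```

In a real browser, pass `window.navigator` as `nav` and the header value shown by the network panel as `headerUa`; any finding means the spoof is itself a distinguishing signal.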


Aha, it is in navigator.platform!

There is even more stuff in navigator that should not be accessible to the website. For example, how much RAM my machine has in navigator.deviceMemory, how many CPU cores in navigator.hardwareConcurrency and so on.


I can see the use for that information, but I don’t like it being broadcast like that


The value of it is very high since it allows download pages to show you the correct info for your OS.


It seems that if you set Firefox's privacy.resistFingerprinting to true, it fills those with fake data.

    >>> navigator.deviceMemory
    undefined
    >>> navigator.hardwareConcurrency
    2


privacy.resistFingerprinting has a bunch of useful features (this, letterboxing, etc) that I wish were available under their own dedicated about:config options. I don't want to enable resistFingerprinting because I value being able to use dark mode more.


I just found out that the game Dead by Daylight seems to collect your font list if you install it. Surely this data goes to some tracking company for fingerprinting...


You can pull the OS multiple ways, including looking at the packets and TCP headers. Also, installed fonts will give away the OS.


To be fair, your IP address cannot be used to track you much [1]. If you are using a VPN anyways, you can (and should) disable WebRTC (the website you linked shows you how).

[1] https://www.privacytools.io/providers/vpn/#info


Using the CanvasBlocker and WebRTC Control add-ons with Firefox means that the two most unique information points the test extracts from my browser, the hash of canvas and WebGL fingerprints, which are unique for 1 in 200,000 users, changed each time I run the test. Presumably it ought to run several times to check that the data it receives is the same for each test run. I don't currently have a UA switcher, but those would also help reduce the uniqueness of data points only across multiple tests.


Between the hash of the canvas fingerprint, and the hash of the webgl fingerprint, unique identification seems inescapable. The reason I don't run additional plugins is because (at least conceptually) the plugin presence itself would be identifying. Given you only need a few relatively low entropy data points (or one or more highly diverse ones) for a huge likelihood of linking a given browser between sites, identifying the presence of any identifiable plugins at all should be sufficient with another factor to ID someone.

If I were running 3rd party javascript in multiple places, I could build a pretty unique personal profile of someone. If I were looking for technical people using Tor, even more so.

I'm not in ad tech, so am naive to this. The biggest myth on the internet is that nobody actually cares enough to watch what you in particular are doing, when in fact, this changes from nothing to almost total prediction of consumer and political behaviour as soon as someone at a platform company becomes interested.


Now that canvas, webgl, audio is starting to get blocked the most creative solution I have seen so far is css3 transforms with long floating point numbers, seems to create unique values for bounding boxes etc! I spend too much time with fingerprinting because I find it fascinating.

Also maybe sad to point out something far worse if someone chose to track you specifically: if one were to get bid stream data (or even a 1% sample), they would see virtually every website you visit. Sure, your cookie/IP/geo/UA etc. are less entropy than a JS fingerprint (though a 1st party Google cookie surely knows who most are). This exposes the very core of who you are, what porn you watch and everything.


I laughed out loud when I saw the buttons to share my results on Facebook/Twitter/Google+


"What butt-- oh they're blocked."


After a couple of reloads it finally got stuck on https://trackersimulator.org/tracker-reporting-nojs which seems to be offline. I'm on Firefox 70 with NoScript defaults (all blocked) for panopticlick.eff.org.

EDIT: Whoops, I had it blocked in /etc/hosts:

    # [EFF Tracker Detection]
    0.0.0.0 trackersimulator.org
    0.0.0.0 eviltracker.net
    0.0.0.0 do-not-tracker.org

(still, I had to allow scripts for eff.org to see the results)


In my case it wasn't blocked by the hosts file (the test ran fully in another browser) but uBlock decided to step in and block access. Can't complain.


Same behavior here, and same configuration. I guess we'll never know.


Panopticlick is hyperbole. Yes you can be tracked and you should be worried about it but the stats they report are not valid.

Take an iPhone10 in California and visit the site. They'll tell you you're one in a million or one in 500k people.

All iPhone10s have exactly the same signature. The only differences at most are region settings and time zone. If you're in California those are likely the same for 95%? 90%? 80%? It doesn't matter to my point.

How many iPhone10s are there in that time zone? I think there are like 55 million people in that time zone (Seattle + Portland + Bay Area + Los Angeles + San Diego). How many of those own an iPhone10? Let's be what I think is conservative and pick 1 million. Now compare that number to the number you got from Panopticlick and you'll see their stats are off by several orders of magnitude.

Their excuse is they don't get that many visitors, but it's only useful to track you on popular sites with lots of visitors. If you go to a site with few visitors then you're already unique. Any site with lots of visitors will have lots of iPhone10 users in the same time zone with the same region settings and so tracking you is much harder.

Of course I'm not saying you shouldn't be worried about tracking and if you're on Windows/Linux/Mac/Android your device is likely much more unique. My only point is that it exaggerates given that there is popular hardware that has the same signature it should be reporting different numbers for those devices.


Panopticlick’s stats are definitely biased by the kind of people who visit, and who visit multiple times etc.

But it is a very useful way to get us all to think about tracking. The kind of techies who discover the problem by reading about it on HN might very well be the kind of techies to make the next stride in defeating it.


> All iPhone10s have exactly the same signature.

Not quite, this varies depending on the browser app used, zoom level set, language set, other accessibility settings, etc. etc.


>Not quite, this varies depending on the browser app used

Most users either use safari or chrome. Maybe 2 bits of entropy at best.

>zoom level set [...] other accessibility settings, etc. etc.

95% (random guess) of users don't have these changed from the default because they don't have vision problems or other accessibility needs.

>language set

The parent post said it was in California, so en-US is a pretty safe assumption.



Good to know but irrelevant to my point.

My point was Panopticlick says some iPhone10 in the PST time zone set to en-US running Safari is one in 500k. If there are 55 million people in the PST time zone then Panopticlick is basically saying there are only 110 iPhone10s set to en-US in all of the PST time zone. That's clearly false.


Dang it. I noticed that my user agent was one of the biggest identifiers for me (1 in 200 users), and I realized it was because I was still on Chrome 76 while most users were on Chrome 77. So, I finally restarted my browser to allow the update to happen.

Well, apparently I leap-frogged to Chrome 78, which even fewer people are on. Now my user agent is shared by just 1 in 1400 users, and my fingerprint went from nearly-unique to unique. Go figure. :P


How does UA string having the exact number of the browser version in help the user? I'm guessing it doesn't, shouldn't the UA just say "Chrome". I guess it serves Google well though.


It's helpful in web development; it allows you to target specific browser versions. For example, if I use a new feature on my website which is only supported by recent browser versions, I can inform the user about the incompatibility and prevent complaints.

I also don't think Google needs that info, there's a million things to criticize them for but this is a bit silly.


Feature detection is more reliable than version checking, as it can more correctly support a wider range of browsers (that you didn't think to version-test for). There might be some cases where that's tricky, but it's generally straightforward. Tools like https://modernizr.com/ can help with that.


You don't think Google do browser fingerprinting? As a sibling comment suggests: feature detection seems superior.


If a server knows the client's browser version, it can serve JS polyfills to older clients and smaller files without the polyfills to more recent clients. Here is a polyfill service hosted and maintained by the Financial Times: https://polyfill.io/v3/


Apart from IE5.5 I've only used polyfills against major browser number, do current polyfills really look at minor browser number?


It's the biggest and most obvious thing to fix (especially with JS disabled), so clearly it's silly to worry about.


Chrome with version is enough not the rest of the stuff.


That's not so bad. Only 1 in more than 200,000 have my browser's user agent (emacs-w3m).

I wonder what the most common user agent is.


Chrome 77 on Windows



I share a fingerprint with 1 in 25k browsers, so why do I have to worry? Is it because of temporal analysis, which is good enough to whittle that down to uniquely tracking me between sites?


TLDR; you can be tracked in almost all practical cases.

Temporal and spatial; when you’re browsing, where you’re browsing, and how you’re browsing. We can predict future non-unique (unknown) browsing behavior by training on your past unique, known, behavior. It is a common misconception, by those that are not in adtech (e.g. your typical software dev), that a fairly non-unique rating on sites like these will correlate with being difficult to track (not saying this is necessarily you).


I’d love to have a copy of this data about my browsing history.

I naively thought it might be buried in Google Takeout somewhere, their facility for downloading all your data from Google.

I didn’t see it. Perhaps (1) it doesn’t legally belong to me; or (2) the fuzziness of the fingerprint allows for sufficient deniability that the adtracking data is actually tied to my Google account?

But I’ve certainly browsed other sites while having a Google cookie which is pretty unambiguously identifying me, so maybe they don’t literally just don’t have a log of which sites I’ve visited?

What adtech tracking data about me can I see?


Having multiple languages in your accept headers will make you totally unique. Especially when combined with even just your user agent.


Keep in mind that this is just about users visiting Panopticlick. The statistics don't necessarily reflect real-life analytics unless the rest of your country are also visiting this website.

Other bits of entropy are relevant though (such as canvas fingerprints etc.)


Brave on iOS doesn’t do anything in response to clicking the test button, and I can’t decide if that’s encouraging or disappointing.


Safari on iOS with BlockBear and Firefox Focus as content blockers ends up blocking the page after I click the Test button. I tried both with real tracker and not. Also not sure that’s good or bad?


Apparently trackersimulator.org is on the mozilla disconnect blocklist. It prevented me from getting the final results. I'm not saying this is good or bad but I'm a bit surprised as to why it's on there. Maybe I'm overlooking something.

I'm running openwrt with the adblock service on my router.


Probably in opposition to many opinions here, I think Google coming out with IDFA for browsers and verifying against their user data for fraud (and of course for them to sell improved targeting/fraud) would actually be better for privacy than current system AND ad fraud/id on the buy side.


G could make the spec, sure. But some other fully independent entity should manage the data.


Apparently by far the most identifying information my browser is leaking is... my language preference.

So I need to stop reading the internet in my native spoken language to hide from evil tracking and only consume things in english.

That doesn't seem like progress.


An interesting case is Firefox Focus which passes all the anti-tracking but fails completely on the fingerprint where you're totally unique (1/200000)


I tried running this test with my iPhone both connected to home wifi with a Pi-Hole and on wireless. I received the same result. Should I be surprised?


What do you think is going to change about your web browser's fingerprint by using a DNS filter list?


Not if you’re using the same browser along with the same settings.


I don’t understand how my iPhone 7+ can be so identifiable. There’s a kazillion jillion iPhones on the market.

I am disappointed :(


Anyone have recommendations for reducing the uniqueness of the screen size and fonts metrics?


>the uniqueness of the screen size

privacy.resistfingerprinting.letterboxing=true on firefox


Unfortunately, that still gives a far worse result than when just using a common value like 1920 x 1080 x 24. I get that it's good to not report exact window size when the window's been resized, but a maximized window on a full-HD or 1366×768 screen should be common enough in order to let the actual value through.


It navigates to different domains, that wouldn’t be acceptable in real world scenarios.


I think they're doing that to test that your fingerprint remains the same across multiple domains. They don't have to do that to fingerprint you; just to make sure that you don't have any anti-fingerprinting going on.


Most comments here seem to be missing the point of the title, which is excellent IMO (after Foucault's panopticon, go read Wikipedia if you don't know what it is): just knowing you're being watched (tracked) causes behavior to change, usually to conform to social expectations.


Foucault did not come up with the idea of the panopticon. The credit for it goes to Jeremy Bentham, who died nearly a hundred years before Foucault was born.


oops indeed. I get them mixed up since I learned about them at the same time.

I still think panopticlick is an excellent title choice. Isn't it (behavioral modification because of tracking) the real hack at work here, not just how many bits are leaked by your browser?


Would be nice to add a DNS prefetch test.


Why put the version on title? I thought it was new version of Panopticlick, but it's not. https://archive.ph/vB3XA


OK, we took 3.0 out of the title above.



