EFF launches Panopticlick 2 with new tracking and fingerprinting tests
Panopticlick 2.0 is a new version of the tracking and fingerprinting tool that ships with new tests and capabilities.
Whenever you connect to an Internet site, you reveal information to that site. Depending on how well your browser is configured, you may reveal little information or a lot of them.
For instance, if you don't take precautions at all, a site has access to your computer's IP address, your browser name and version, the screen size, operating system, and the site you came from among other things.
These information alone can be extended through tools and services, for instance to look up the IP address to find out where you are connecting from.
Other technologies are commonly used to increase what sites know about you. They may use some form of local data storage to track you across browsing sessions, or use advanced fingerprinting options like Canvas Fingerprinting in addition to that.
We reviewed the first version of Panopticlick back in 2010, and found it to be an interesting, but somewhat limited, privacy tool. It helped raise awareness for what browsers reveal about your computer and you though and that is a good thing.
The new version of Panopticlick adds additional tests to the online tool that improve its value. The following tests have been added to the new version:
- Canvas Fingerprinting test.
- Touch-capability test.
- Whether you are protected from tracking by ads or by invisible beacons.
- Do Not Track Compliance.
The test works in most cases, but may fail if security software or browser add-ons are installed that block certain technologies from working on the site. If you run NoScript for instance, you won't be able to complete the test unless you whitelist the main site, and even then, you are protected from some of the tests.
The new results page displays an overview at the top. It highlights the following information:
- If the browser blocks tracking ads.
- If the browser blocks invisible trackers.
- Whether the browser unblocks third-parties that promise to honor Do Not Track.
- If the browser protects against fingerprinting.
You may open detailed results to get results for each of the tests conducted by the service.Here is a quick overview of all tests run by it:
- Supercookie test
- Canvas Fingerprinting test.
- Screen Size and Color Depth.
- Browser Plugin details.
- Time Zone.
- Do Not Track Header enabled.
- HTTP Accept Headers.
- WebGL Fingerprinting.
- System Fonts.
- User Agent.
- Touch Support
The addition of new tests make sense, but there are still tests missing. Panopticlick does not test for WebRTC leaks for instance.
Panopticlick 2.0 may suggest tools depending on the scan results. According to the EFF, it may suggest tools such as Privacy Badger, Adblock or Disconnect depending on platform and test results.
Now You: How does your browser test?
Yes, Yes, No, No
My browser fingerprint appears to be unique among the 6,167,144 tested so far.
Currently, they estimate that my browser has a fingerprint that conveys at least 22.56 bits of identifying information.
Well what do you know.
Frankly, being recognized doesn’t bother me as long as I’m not tracked. To what point am I not tracked, in other words, to what point am I, tracked? No idea.
To be frank further even, I don’t get hysterical about being tracked or not as long as it has no impact on my life.
I try to take the means to be the less tracked as possible, that is to block analysis data performed by one site and stuck in my computer to be later on retrieved by another site and combined with new data and get the profile, mine, thickened.
This attitude is more pragmatic than demagogic : as long as my profile is not used against me, let them play with it.
They won’t send me targeted ads because I block all ads, targeted or not.
I’m not listed as a public enemy and I’m not listed by enemies as being their hunter. I avoid providing true email addresses because spam is bad for my health,
I avoid history on a computer to make the inquisitors’ life a bit less fun, but it doesn’t make me believe I’d be half-way between Superman and James Bond.
The world is information. You have to play the game and at the same time avoid being over-zealous.
I forgot to mention that I happen to provide disinformation when I have no alternative. Ok : sometimes even when I have the choice not to, but not often. Live and let live, jackasses included.
For me FF and uBlock already doing an fantastic job and since FF43 we get another great integrated list and several security fixes, so I don’t know what this complaining want from us or tell us with all of these ‘uniqueness’.
Uh, I don’t think you understand.
Based on the size of the screen and a lot of other data a unique id can be assigned to a user which in turn allows to track their internet activity. And it’s not just the screen size, but also browser windows size, which is a lot more unique (themes, different taskbar settings.)
In my case, the fonts alone provide enough information to make me unque among over 6 million other people who have taken the panopticlick test; and that’s regardless of the type of browser I use, as long as I stay on the same system. I’m guessing that even if some information changes (some fonts are installed/uninstalled, for example) there are ways to keep me tracked through cookies that link seemingly separate ids. And, well, I won’t completely disable cookies or delete all of them between sessions to not completely cripple my browsing experience, just like I can’t disable JS through which all that information becomes available.
Whether all that is something that we should fear, well… They say that as long as you don’t do anything wrong, you’ve nothing to worry about, right? But then, some also used to say, ‘Show me the man and I’ll find you the crime.’
And btw, this could very well be an ad tracker. Whether companies are sophisticated enough to employ such a method of tracking remains unknown.
The point is to allow the JS etc to run to show a worst case scenario. The fact that you block XSS thru uBO etc is good, if you block all cookies by default and only allow some, that’s good. If you block scripts left right and center – that’s good. And so on. You can help reduce your fingerprint. If you use a VPN or TOR then that helps. And good OpSec also helps.
The number of data points that can be collected is astronomical now – there is almost no way to stop it. And all it takes is one or two sites or a slip n your execution, and the dots are joined. The key word here is entropy. And unfortunately, such things as screen res (with and without task bars) + browser res + inner browser window alone are probably enough to pinpoint most people – going fullscreen can help. But once you start adding in fonts (enumerated in order of install date if thru flash), then it’s pointless. This is why we have things like Tails & TBB.
Anyway .. gotta run.
PS: This was on the old panoptic and was a while ago. They clearly don’t test that many parameters.
“Within our dataset of several million visitors, only one in 4,753 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 12.21 bits of identifying information.”
I can’t do the new one just yet – something is blocking it and it aint uBO or Noscript or privoxy or anything I can think of – the JS just idles.
That’s really weird, I got the same numbers as the two testers above, so I’m very unsure about any accuracy with these tests.
People who visit a site like ghacks.net are more likely to have some tracking protection on their computers than people who do not visit a site like ghacks.net. Make sense? We are a biased sample. Most of us have “unique” computers because we have spent some time configuring them.
Hmmm…I remember on the Adblock plus blog, they said its filter protected against canvas fingerprinting. It seems to not make any difference with fingering according to the result maybe b/c the scripts aren’t coming from established ad networks, but from the EFF which is a respected privacy advocacy site, and probably whitelisted by Adblock filters.
On a side note, if noscript isn’t you cup of tea to make sure, you could you this Firefox addon
I tested it, and the test couldn’t even complete so I guess it works, not sure how it affect the functionality of other sites though. For Chrome I am sure there are other addon if you look for them.
I use CanvasBlocker Firefox add-on as well and the Panopticlick test ran flawlessly, and will show different values for ‘Hash of canvas fingerprint’ and for ‘Hash of WebGL fingerprint’ each time, but be sure to set CanvasBlocker’s Block Mode to ‘fake readout API’ which lets the Canvas peek carry on but with fake results (hence different on every test). To be noted that nevertheless this trick won’t fool Google Maps and that ‘google.com/maps/’ and ‘,google.[your TLD]/maps/’ needs to be added to CanvasBlocker’s White List.
I just installed Canvasblocker. Using the “fake API” setting Panopticlick ran the full test. I ran the tests twice and got different canvas and WebGL fingerprints both times. I like Canvasblocker.
I ALSO GOT SAME RESULTS AS ALL ABOVE
THIS TEST IS LAME
I got the exact same results. Talk about a useless information
Me also – same exact results! 6,167,144 and 22.56
I found the test to be interesting. The result was, “Within our dataset of several million visitors, only one in 3088282.5 browsers have the same fingerprint as yours.” I suspect I’m trackable.
Interesting, the test didn’t detect the DOM storage that Firefox creates each time it starts. However, I may misunderstand the result. Still more to learn. Always more to learn.
I get to wonder if God stopped knowing everything the day Internet started :)
“only one in 3088282.5” .. maybe you “duplicated” yourself – most people above seem to be unique at 1 in 6million. You pop up with 1 in 3million. If you visit tomorrow, maybe you’ll be 1 in 1.5million. etc
Also, since we’re faking our canvas fingerprint each time (blocking it doesn’t allow the tests to complete and results to display), we should be unique. We’re not – I come in at around 1 in 440k. Some of the new metrics added are not being used in the algorithms .
Actually you’re right. After I installed Canvasblocker, I reran the test and came in at “one in 1034049.66667” and I’m down to “19.98 bits of identifying information.”
No, no, no and no !
Same result as the others however… they recommend the use of their addon Privacy Badger (is it effective?).
Thanks Neal & Tom Hawack for the tip related to CanvasBlocker.
I’m getting the same results as the rest of you, but let’s analyze them a bit more carefully, shall we?
First of all, the 22.56 bits of data are only meaningful if your browser actually tells the truth. Mine does not. ;) In fact Panopticlick got the wrong data in all but one category. A lot of the data it got will actually just rotate to something new in a few minutes. So Panopticlick *thinks* it can track me, but in fact it cannot. This demostrates why it is important to look beyond a single metric (“22.56” or “6,167,144”) and understand the underlying details.
Secondly, as I wrote a bit hastily in a reply above, those of you complaining about the accuracy of the test should consider the sample. We ghacks readers are a biased sample. We are not representative of Panopticlick’s 6 million test subjects. For example, there is probably a high proportion of Linux users here – much higher than in the general population. There is surely also a high proportion of users with security addons that customize the browser. All of this stuff affects the results; all of it makes your computer a bit more unusual. If your configuration is unusual enough, you will be labeled “unique”. Congratulations. It may or may not actually mean something. (See my first point.)
Don’t lose sight of why Panopticlick was created. It serves two functions: (a) to give the technologically-ignorant masses a wake-up call about the nature of the internet, and (b) to allow researches to model tracking techniques based on the test results. In these respects it is a useful tool. The one thing that Panopticlick was definitely *NOT* designed to do was to provide ghack.net readers with a strictly accurate summary of every single method that could possibly be used to track them. There will always be subtle and clever tricks that are not covered by tools like Panopticlick. (An example was given by Martin a few days ago. See here: https://www.ghacks.net/2015/12/14/firefox-addon-detector-identifies-installed-firefox-add-ons/).
You suggest â€œfalse-positivesâ€ resulting from customization. That is probably true and I think Panopticlick recognizes that problem even with its â€œgeneral populationâ€ tests. I retested this morning on a second computer and had a number of N/Aâ€™s in the results. I found the following note at the bottom of the resultsâ€¦
â€œN/A: Not enough information to calculate these results. The more data points we have, the better the results will be. Share this on social media below.â€
When you look past its current limitations I believe, like you, that Panopticlick â€œis a useful tool.â€
Indeed. If everyone is spitting out a fake canvas fingerprint, then you’re more likely to be unique each visit – well, you should be unique, but I’m not (I currently come in at one in 442827 browsers), so I don’t think that the canvas fingerprint metric is being totally honest here – I don’t believe it’s used in the calculations yet. I had canvas blocker set to block rather than fake, but the tests wouldn’t complete – I now have it set to fake which is probably better, and I am 1 in 443K, not 6million).
I can actually get it way lower by faking my time zone which is a false sense of security since I’m not using a VPN and instead my IP address range/country + timezone would actually make me unique. I can also fake my screen res, but they only check (i think) for one resolution metric – and the other metrics I can’t spoof yet. I have been as low as one in 4,753 browsers
The other thing to consider here is that the test data used has been collected over a long time (3? 4? years), so things like user agent stats quickly become out of date. AND … by retesting yourself time and time again like I have over the years, you can, if not careful, perpetuate your own duplicity (eg first visit, 1 in 8million, 2nd visit, 1 in 4million, 3rd visit, 1 in 2million etc)
>> “I don’t believe it’s used in the calculations yet”
Agreed. If it were being used, I probably wouldn’t have the same 22.56-bit number being returned by both panopticlick v1 and v2.
> “by retesting yourself time and time again like I have over the years, you can, if not careful, perpetuate your own duplicity”
Yes, I’m guilty of that one too. That’s the problem with these sites being used for reserch purposes – people like you and me are bound to throw a wrench in the results.
FWIW, I found a fingerprinting test at amiunique.org that is perhaps more interesting. The site attempts to show you a time-stamped history of all the tests you have performed across browser sessions over time. You can use this to see if your computer eventually becomes “known”.
amiunique.org – yeah, I use that as well. I used it to work out what agent to fake as – but in the end decided to always just use the latest FF ESR – a lot of faking requires others metrics such as language, locales etc and more times than not, you actually end up making yourself unique. Even trying to fake your OS is pointless if they can work out you have webdings font and there are dozens of other ways to work out your OS or browser brand. So I stick with Win FF but spoof the release version to ESR’s stable number. I guess you could do one of two things: static fake to lower entropy, or dynamic fake to raise entropy and hide in the noise.
There’s also JonDonym ( http://ip-check.info/?lang=en ) which won’t give you stats but is a nice profile check. Then there’s also a bunch of tests here at https://www.browserleaks.com/ , here at http://browserspy.dk/, and I have a whole lot more for specific individual tests – I gave Martin a list a few days ago which he’s gonna to use and add to for a post that the ghacks community can build on
Yeah same results here but then I read Ghacks:) and also have been using CanvasBlocker for a while now.
FYI: Something interesting I just read
“For illustration, let’s perform a back-of-the-envelope calculation on the number of anonymity sets for just the resolution information available in the window and window.screen objects. Browser window resolution information provides something like (1280-640)*(1024-480)=348160 different anonymity sets. Desktop resolution information contributes about another factor of 5 (for about 5 resolutions in typical use). In addition, the dimensions and position of the desktop taskbar are available, which can reveal hints on OS information. This boosts the count by a factor of 5 (for each of the major desktop taskbars – Windows, OSX, KDE and Gnome, and None). Subtracting the browser content window size from the browser outer window size provide yet more information. Firefox toolbar presence gives about a factor of 8 (3 toolbars on/off give 23=8). Interface effects such as titlebar fontsize and window manager settings gives a factor of about 9 (say 3 common font sizes for the titlebar and 3 common sizes for browser GUI element fonts). Multiply this all out, and you have (1280-640)*(1024-480)*5*5*8*9 ~= 229, or a 29 bit identifier based on resolution information alone.”
I’ve been looking at spoofing resolution data. It’s complex. We not only have window outer + inner widths + heights, but screen widths & heights and available screen widths & heights, not to mention mozInner, mozOuter complications and zoom. And screenX/Y and scroll X/Y .. and availLeft / availRight. My head is spinning a little. Tor seems to have the best method of resizing the browser on startup so that the inner measurements are multiples of 50 pixels (this basically only allows a pretty small set of predetermined sizes). It then spoofs everything (screen, available screen, browser, and inner browser) to read as the inner browser measurements. This then means that anything rendered is positioned/sized in the display area correctly, or any code relying on precise measurements (eg pagination, floating elements etc – basically so sites will not break).
I wish the comprehensive patches/code Tor make for fixing issues like windows.name, locale+timezone, resolutions, timing attacks to name but a few, would just be incorporated into FF with an on/off switch, or at the very least added to private windows by default. Until it becomes more popular, any tinkering is likely to just make you more unique.
Can you imagine how much my head is spinning after reading this. Very interesting though.
Thanks Pants for your always knowledgeable comments.
This reminds me of the hardware hash created by Win XP to keep down piracy. It allowed the OS to identify the machine on which it was installed and to shut itself down if too many hardware or BIOS changes were detected.
It seems to me that trying to consistently track people based on any screen resolution other than the maximum or minimum resolution available to the computer would be impossible. It would make more sense to track the graphics source (motherboard or card). If I was going to track someone, Iâ€™d want something more persistent than a changeable resolution.
As a postscript: I wonder if Win10’s telemetry is sending a hardware hash.