Join 3,436 readers in helping fund MetaFilter (Hide)


Your browser fingerprint appears to be unique.
January 27, 2010 2:10 PM   Subscribe

In another of their many efforts in the field of digital rights and laws surrounding them, the Electronic Frontier Foundation has released Panopticlick, a tool to analyze the information your browser shares, revealing how personally identifiable your browser's footprint is.

The theory behind it.
posted by flatluigi (50 comments total) 11 users marked this as a favorite

 
Well that was damn good for crashing firefox every time I tried it.
posted by Navelgazer at 2:18 PM on January 27, 2010


"Your browser fingerprint appears to be unique among the 38,980 tested so far."

Lovely.
posted by brundlefly at 2:19 PM on January 27, 2010


Crashed Safari every time. The theory is very interesting however, never occurred to me the heuristics that could be used to track browsers/users like this.
posted by george_morgan at 2:20 PM on January 27, 2010


"Your browser fingerprint appears to be unique among the 38,980 tested so far."

Yeah, I got ratted out by my super-rare list of installed fonts.
posted by GuyZero at 2:22 PM on January 27, 2010 [6 favorites]


Your browser fingerprint appears to be unique among the 39,295 tested so far.

Woo-hoo!

Wait, that's bad.
posted by jquinby at 2:22 PM on January 27, 2010


We're all special unique snowflakes.
posted by fixedgear at 2:24 PM on January 27, 2010 [5 favorites]


Anyone not unique yet?
posted by muddgirl at 2:26 PM on January 27, 2010


Your browser fingerprint appears to be unique among the 39,659 tested so far.
YESSS!!!!

Currently, we estimate that your browser has a fingerprint that conveys at least 15.28 bits of identifying information.


Damn.
posted by hal_c_on at 2:26 PM on January 27, 2010


What is the deal with using an older version of Java? This happened to me last night as I was running a scan that promised to test for unpatched version of various software products (Acrobat, Flash, Java) and check for security vulnerabilities. It said 'you'll need to use an older version of Java to run this test.' I click OK, run the test and get 'you are using an older version of Java.' No shit?
posted by fixedgear at 2:28 PM on January 27, 2010 [1 favorite]


Your browser fingerprint appears to be unique among the 39,960 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 15.29 bits of identifying information.


Firefox gave up 15.28 bits of data...safari gave up .01 more. Interesting.
posted by hal_c_on at 2:29 PM on January 27, 2010


I was unique out of 36Ksomething. Um, not yay.
posted by rtha at 2:29 PM on January 27, 2010


Your browser fingerprint appears to be unique among the 40,030 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 15.29 bits of identifying information.


Yay! I, um... win? (so far)

It's the addons.
posted by Emperor SnooKloze at 2:30 PM on January 27, 2010


UNIQUE!!!!!!
posted by Think_Long at 2:30 PM on January 27, 2010 [1 favorite]


I tried it a few minutes ago and was not unique (1 in 172), and now I am unique (among the 40,831 tested so far.) I wonder what changed?
posted by gingerbeer at 2:36 PM on January 27, 2010 [1 favorite]


Oh shit! I didn't realize that every site I visited knew that I had Akzidenz-Grotesk BQ Super installed.
posted by horsemuth at 2:43 PM on January 27, 2010


So, is this just interesting because the EFF is doing it and logging how many unique combinations there are? Because scripts like this have existed for a while.

Interesting to note is this test, which can check if you've visited certain websites recently. I was expecting something more along those lines from the EFF test. Calling the HTTP_ACCEPT headers "bits of identifying information" seems a bit misleading.

And for the sake of it:
Your browser fingerprint appears to be unique among the 41,552 tested so far.
posted by notnamed at 2:46 PM on January 27, 2010


Firefox gave up 15.28 bits of data...safari gave up .01 more. Interesting.

Probably because the number changes depending on how many people have visited.

This concept is genius. Are they releasing it so I can scan my logs to figure out which regular user is also the nefarious troll that's causing me grief?
posted by DU at 2:47 PM on January 27, 2010


Firefox gave up 15.28 bits of data...safari gave up .01 more.

Probably because there had been more browsers tested between the times you tried them (or the one more from your test alone pushed it up).

If your browser is unique among N tested, then it's giving up at least log2N bits of information.
posted by DevilsAdvocate at 2:50 PM on January 27, 2010


Currently, we estimate that your browser has a fingerprint that conveys at least 15.28 bits of identifying information.

Wow... almost two bytes.
posted by Ratio at 2:58 PM on January 27, 2010 [1 favorite]


Calling the HTTP_ACCEPT headers "bits of identifying information" seems a bit misleading.

That includes the Accept-Language header. Knowing which language(s) somebody speaks would add several bits.
posted by reynaert at 3:10 PM on January 27, 2010


Wow... almost two bytes.

Two out of the roughly four bytes it takes to uniquely identify you. Are you sure you understand how this entropy thing works?
posted by effbot at 3:13 PM on January 27, 2010 [3 favorites]


They're using the word 'bits' in an information theoretic sense, which is a bit technical for most people. Basically it amounts to how many bits it would take to store the information if you applied maximum compression to it.

For something like a browser user agent, there are only so many variations, so you could assign a number to each variation, and it would only take the number of bits needed to store that number to encode the user agent.
posted by delmoi at 3:19 PM on January 27, 2010 [2 favorites]


1/4915 - 12.26bits of identifying info.

Um, I don't really know what that means. It seems like this is aimed at (and comprehensible by) the people who don't need it.
posted by Solon and Thanks at 3:21 PM on January 27, 2010 [1 favorite]


And they called me crazy for randomly installing and uninstalling fonts every 17 minutes. Who's crazy now?
posted by MetaMonkey at 3:28 PM on January 27, 2010 [6 favorites]


I do NOT like that my browser potentially tells any site what fonts I've got installed. Why did I build custom fonts named after my social security number and international banking codes? Seemed so smart at the time.
posted by damehex at 3:48 PM on January 27, 2010 [11 favorites]


With my normal settings, I seem to be one of the more anonymous people here:
Within our dataset of about ten thousand visitors, only one in 762 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 9.57 bits of identifying information.
But, oddly, if I block all cookies globally:
Within our dataset of about ten thousand visitors, only one in 3,269 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 11.67 bits of identifying information.
Seems to me that it ought to move the other way, but apparently not?

EDIT: wooops, tried to post before I re-allowed cookies globally.
posted by paisley henosis at 3:49 PM on January 27, 2010 [1 favorite]


Seems to me that it ought to move the other way, but apparently not?

You tested two configurations. Cookies + Everything Else and No Cookies + Everything Else. It turns out that it's pretty uncommon for people to disable cookies, since they're on by default and pretty useful for most people. By disabling them you've actually made yourself less anonymous because so few people block cookies.
posted by jedicus at 3:54 PM on January 27, 2010 [6 favorites]


By disabling them you've actually made yourself less anonymous because so few people block cookies.

Yeah, I noticed this and had to laugh. If you set yourself up with a bunch of paranoid settings and/or special anonymizing plugins you are actually MORE trackable.

The only solution is to not broadcast this information to every site you visit. I know at least some of it can be blocked and/or deliberately falsified. Kind of a hassle though, as a lot of site functionality often depends on know things like what browser you are using, what versions of HTML you accepts, etc.
posted by DU at 4:03 PM on January 27, 2010 [1 favorite]


How strange that this would appear today.

While looking over today's Metatalk thread on favorites posted by taff, it occurred to me that Matt might conceivably benefit from instituting a second layer of favorites chosen by people who are looking at the site but are not logged in.

After all, they are the only ones who see almost all the ads, and are therefore the ultimate source of ad revenue from this site. Favorites from them would be a good indicator of just which members are good contributors to ongoing revenue, and Matt might find it useful to be able wave the favorites totals around under the advertisers noses to let them know just how much their audiences like what they see here.

Nonmembers could possibly get a sense of participation and ownership currently denied them.

Also, if the nonmember favorites totals were visible only to those not logged in, I'd bet that most of us would not be able to resist the temptation to log out and see how we (and everybody else) were doing, and that would make the members potential contributors to ad revenue in a way we are not now.

The only drawback I could see to this scheme was that you'd probably have to have a pretty good way of preventing people from gaming the system by favoriteing thousands of posts or the same post over and over again.

And that would require being able to identify surfers pretty uniquely from the information websites get when someone simply looks at a page.

I thought you could probably do it with cookie profiles or some such, but I don't know anything about stuff like that, the whole thing started to seem too hand-wavy at that point, and I decided not to post.
posted by jamjam at 4:12 PM on January 27, 2010


Well, I am wearing UNIQLO jeans...
posted by flapjax at midnite at 4:17 PM on January 27, 2010 [1 favorite]


It said my configuration was the same as muddgirl's. It even used her name.
posted by cjorgensen at 5:21 PM on January 27, 2010 [2 favorites]


Your browser fingerprint appears to be unique among the 51,064 tested so far.

Currently, we estimate that your browser has a fingerprint that conveys at least 15.64 bits of identifying information.


oops. i guess i need to circle the wagons a bit better. preferably with many other wagons that look exactly like mine.
posted by batmonkey at 5:27 PM on January 27, 2010 [1 favorite]


jamjam: Nonmembers could possibly get a sense of participation and ownership currently denied them.

Also, if the nonmember favorites totals were visible only to those not logged in, I'd bet that most of us would not be able to resist the temptation to log out and see how we (and everybody else) were doing, and that would make the members potential contributors to ad revenue in a way we are not now.


But if non-members wanted to be a part of the site…wouldn't they become members?

For the second idea: a combination of Ad-Block if I log out, and Greasemonkey which would surely keep me from having to do.
posted by paisley henosis at 5:30 PM on January 27, 2010


Ok, seriously why do I care? I mean I can be somewhat of a privacy nut, but in a lot of ways I don't care.

See that down there, that's my real name. You click it and you get my real picture on my profile page which links to all kinds of other real things I do and places I can be found.

The worst thing I can see anyone doing with this is targeting ads toward me that might be more sophisticated because some sites might do some data mining on who I am and where I am from. I already get some pretty stupid ads based on the block of IPs my ISP use, so I can't see the ads becoming more effective because they can tell it's me coming to their site.

If the ads were actually of interest to me I wouldn't mind so much.

I let google have a lot more information than this on a daily basis. I'm an open book. What do you want to know?
posted by cjorgensen at 5:31 PM on January 27, 2010 [1 favorite]


What do you want to know?

Capitol of Nebraska!


Too slow.
posted by flapjax at midnite at 5:44 PM on January 27, 2010 [1 favorite]


gaddam Os and As...
posted by flapjax at midnite at 5:45 PM on January 27, 2010


Ok, seriously why do I care? I mean I can be somewhat of a privacy nut, but in a lot of ways I don't care....I let google have a lot more information than this on a daily basis. I'm an open book. What do you want to know?

Maybe you don't and that's OK. Just don't let this morph into "the only people who care are people who have something to hide".
posted by DU at 5:49 PM on January 27, 2010 [1 favorite]


Eh, I love this just because I love information theory. I like seeing it crop in more places because it's such a useful concept. But it's not something very many people are going to be familiar with. Not by a long shot :P

Thing is it's not even very hard to understand, you just need to know logarithms and multiplication and some basic probability. This wikipedia page seems to do an OK job of explaining it.
posted by delmoi at 5:51 PM on January 27, 2010


notnamed : So, is this just interesting because the EFF is doing it and logging how many unique combinations there are? Because scripts like this have existed for a while.

The EFF has done it for two reasons, both more useful than the various no-supporting-data "unique visitors scripts" you mention .

First, they did it to raise awareness of just how much info your browser really leaks. Hell, as a greyhat coder and with every privacy setting FireFox makes tweakable set to maximum privacy, it still surprised me how much info they could get about my setup. I could have told you about any one of those points, but seeing it all put together like that... This should bother you.

And second, hinted at above, no one (who published the info) really has a hard data set on just how "uniquely" the available information points to you as a specific human (or at least, your specific machine). If only the 15.?? bits it says I exposed, no worries, it makes me effectively one in 16K. But as others have pointed out, a lot of us show up as unique out of 40+k visitors, suggesting more information than the minimum entropy implies. That said...


DevilsAdvocate : If your browser is unique among N tested, then it's giving up at least log2N bits of information.

True for unique among N otherunique visitors. Given a (large) number of identical visitors with you as the "unique" one - That still carries only one bit of information.


cjorgensen : Ok, seriously why do I care? I mean I can be somewhat of a privacy nut, but in a lot of ways I don't care. See that down there, that's my real name. You click it and you get my real picture on my profile page which links to all kinds of other real things I do and places I can be found.

Ever admitted to something online you might not want to come up in a job search? Congrats, you'll never work again (without having a damned good explanation). Ever worried about the growing acceptance of (constitutionally verboten) ex post facto laws? Oh, you didn't know back in 2010 that posting to a blog using white text on blue would violate the 2019 "Think of the Children website design" law? Enjoy your cell, you commie bastard. Or perhaps you currently live under an oppressive regime, or a normally-sane one with a few quirks (sex offender list for Simpsons slashpics? Time to flee Oz, mate!). Or perhaps you just don't want that moment of youthful indiscretion twenty-some years ago, about which you foolishly bragged at the time, coming up as the first hit for your name on Google.

I can think of no good reasons to make it easy to ID me online, and million to use at least a thin veil of anonymity.
posted by pla at 5:55 PM on January 27, 2010 [1 favorite]


Ok, seriously why do I care? I mean I can be somewhat of a privacy nut, but in a lot of ways I don't care....I let google have a lot more information than this on a daily basis. I'm an open book. What do you want to know?

Hypothetically speaking, do you think that people who browse WebMD a bunch (or visit some specially tailored innocuous "Symptoms of Disease X" honeypot site for search engine users) might statistically cost an insurance company more than the average person?

Their actuaries would rub their hands in glee to obtain some out-of-band data that identifies potential "high-cost" customers in a manner that can feed into an automated rate-setting or accept/deny system.

Whether or not that's an issue for you personally, do you think that's an ok thing for the society you live in? Because that's absolutely what this kind of data will be used for. Cross-correlated databases are already used to drive advertising to you based on the car you own and the groceries you buy and the neighborhood you live in. That's just the tip of the iceberg.
posted by argh at 6:23 PM on January 27, 2010 [4 favorites]


The number of bits isn't determined by the number of visitors, but by the number of unique fingerprints. I reveal 15.77 bits, as I'm unique among 55789 tested thus far. 2^15.77 = 55789, or log2 55789 = 15.77.

I too was certainly outed by my awesome fonthavingtude.
posted by rlk at 6:51 PM on January 27, 2010


I don't think the EFF is trying hard enough. How come they can only determine 15.83 bits about me when other *ahem* sites seem to be able to locate the hot chicks in my town?
posted by digsrus at 7:47 PM on January 27, 2010 [1 favorite]


Should we care??

First of all ... any information about anything researched/browsed/downloaded from any computer does not necessarily have to belong to one person (ever heard of shared computers? households? guests?). And - even more to the point - we commie revolutionaries know that when reactionaries move in they never need real "evidence" anyway.

Sigh. There are billions and billions of bits of info flying through the net every second. I feel about my privacy in the same way I feel about filing taxes ... pity for the one who has to read all that stuff.

And ... I'm not an idiot, but all of "the results" (above) is pure gibberish. Repost this when someone makes a program that has a clear "pink or blue" result that anyone can understand.
posted by Surfurrus at 11:27 PM on January 27, 2010


Unique in over 80,000. The scary part is that this is my work PC, and although we're allowed to set them up largely as we like I really haven't added that much to Firefox, so it's pretty nearly on default settings. I don't think we have particularly strange fonts here either. Of course, compared to the size of the internet as a whole 80,000 isn't a particularly large n, but even so...
posted by ZsigE at 5:32 AM on January 28, 2010


Prisoner 1:
"Yeah, my browser had a fingerprint that conveyed at least 16.46 bits of identifying information."

Prisoner 2:
"Damned Comic Sans will get you every time. Nobody in the intelligentsia uses that font, man!"

Prisoner 1:
"They caught up with me pretty quickly, threw my ass into the descenders of the Ministry of Typelove."
posted by Blazecock Pileon at 6:20 AM on January 28, 2010


"And ... I'm not an idiot, but all of "the results" (above) is pure gibberish. Repost this when someone makes a program that has a clear "pink or blue" result that anyone can understand. "

Mmm. Unique/not unique, that is the pink/blue. The rest can be safely ignored if it confuses you, but the lower the bit number the better.
posted by jaduncan at 6:22 AM on January 28, 2010


This is interesting, but it doesn't seem that the entire fingerprint is useful for uniquely identifying a browser, at least not over any period of time. Lots of information here changes unpredictably, and the information that seems most unique (fonts and plugins) is also that which is most likely to change.

Plugins in many cases automatically update themselves, and people who have more unusual fonts installed (mostly designery types) are also the ones who are most likely to install more fonts on a regular basis.
posted by Joakim Ziegler at 10:31 AM on January 28, 2010


Mahalo, jaduncan I got a very high number. Still not sure why that is bad, though.

(What Joakim said)
posted by Surfurrus at 3:08 PM on January 28, 2010


Ever admitted to something online you might not want to come up in a job search?

About every day, but then I don't want to work for a place that cares about such things.

I just don't see a reason to live a life of fear or shame. If more people were less concerned about what others knew about them, less people would have to be concerned.

If every high school teacher had a facebook picture hoisting a beer, no high school teachers would be fired for hoisting beers on facebook. If normal behavior is shown as normal everyone wins.

DU:Maybe you don't and that's OK. Just don't let this morph into "the only people who care are people who have something to hide".

Oh, absolutely. I don't care what you care about. I was asking why I should care.
posted by cjorgensen at 6:25 PM on January 28, 2010


...unique among the 166,859 tested so far... more importantly, is there any way of blocking the amount of information sent out without kind of crippling yourself, ie slowing down browsing, disabling java script etc. which will be a pain on many website, etc.?
posted by blue shadows at 6:39 PM on January 28, 2010


« Older WORK HARD PLAY HARD - Vice Magazine presents a men...  |  Oil City Confidential is a new... Newer »


This thread has been archived and is closed to new comments