Panopticlick: EFF's tool for telling you how unique your browser profile is

Electronic Frontier Foundation staff technologist Peter Eckersley has published some new research showing that individual browsers can be identified to a high degree of accuracy without cookies or other tracking technology. EFF has produced a tool called "Panopticlick" that tests how unique your browser is, and they're using the results from it to further their research:
Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.

Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.

Only anonymous data will be collected by this site.

Panopticlick Help EFF Research Web Browser Tracking (explanation)
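To make the "one in N" score concrete, here is an added example (not EFF's code and not part of the original post) that scores one visitor against a small constructed population and compares two defenses raised in the comments below: adding a random font each session, and reporting a standardized font list. The attribute names, sample browsers and helper functions are all assumptions made for illustration.

```python
import math
import secrets

ATTRS = ("ua", "tz", "fonts")
COMMON_FONTS = ("Arial", "Courier New", "Times New Roman")

# Constructed sample data (not EFF measurements): 99 other tested browsers.
OTHERS = (
    [{"ua": "Firefox/3.6 Windows", "tz": -300, "fonts": COMMON_FONTS}] * 40
    + [{"ua": "IE 8 Windows", "tz": -300, "fonts": COMMON_FONTS}] * 50
    + [{"ua": "Chrome Linux", "tz": 0, "fonts": COMMON_FONTS}] * 9
)
# The visitor being scored: a common browser plus one unusual font.
VISITOR = {"ua": "Firefox/3.6 Windows", "tz": -300,
           "fonts": COMMON_FONTS + ("Terminator Bold",)}


def one_in(fp, others, attrs=ATTRS):
    """N such that one in N tested browsers (visitor included) matches fp."""
    same = sum(all(o[a] == fp[a] for a in attrs) for o in others)
    return (len(others) + 1) / (same + 1)


def bits(fp, others, attrs=ATTRS):
    """Identifying information in bits: log2 of the one-in-N figure."""
    return math.log2(one_in(fp, others, attrs))


def most_identifying(fp, others):
    """The single attribute that narrows the crowd the most."""
    return max(ATTRS, key=lambda a: bits(fp, others, (a,)))


def randomized(fp):
    """Commenters' idea: add a font nobody else has, fresh each session."""
    return {**fp, "fonts": fp["fonts"] + ("Font-" + secrets.token_hex(4),)}


def standardized(fp):
    """EFF's idea quoted in the thread: report a standard font list."""
    return {**fp, "fonts": COMMON_FONTS}


if __name__ == "__main__":
    for label, fp in [("as is", VISITOR), ("randomized", randomized(VISITOR)),
                      ("standardized", standardized(VISITOR))]:
        print(f"{label}: one in {one_in(fp, OTHERS):.1f}, "
              f"{bits(fp, OTHERS):.2f} bits")
    print("most identifying attribute:", most_identifying(VISITOR, OTHERS))
```

The one-in-N figure only measures how small the crowd is on a single visit; it does not say whether two visits can be linked to each other.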

  1. Unique among 27,450.

    I’m guessing the most identifiable pieces of information are the installed fonts. Given the amount of custom fonts available, having even a few extra fonts installed is probably enough to differentiate someone from most other users.

  2. Yeah, mine was entirely unique, but it appears based on the over 1,000 fonts I have installed. Even on incognito mode, it still ID’d the fonts, which I would think would be the most unique thing anyway.

  3. A few hours ago, when the link first showed up on /., I tried it and it said my browser was unique. About half an hour ago I tried it again — after their database had approximately doubled — and it said I’m one in 9,150 or some such. I then disabled a bunch of browser plugins, thinking that would make me more anonymous — presto, I’m unique again.

  4. In my case, it’s the UA string that’s unique. I’m using firefox on linux, which differentiates me from 99% of browsers to begin with; on top of that, I’ve got a (relatively uncommon) firefox plugin (FirePHP) that identifies itself in the UA string so the server half of the plugin knows to respond with additional data.

  5. I tried it on Firefox (noscript and adblock plus) and Opera (custom css and no images), Opera turned out to be unique, while Firefox was pretty common (1 in 147 or something like that), this sounds interesting (I’m a web developer) and probably tying it to IP address regions (to avoid problems with dynamic addresses) would make it pretty useful. A bit creepy tho.

  6. Fonts and plugins made me unique.

    Interestingly, Chrome on Ubuntu is only 1/176 browsers. There must be a lot of nerds visiting the EFF (duh)

  7. Ditto on the fonts, unique among some 31k. I’ll have to try this when I get home, and see what I come up with there.

  8. The easiest solution to that problem would be a plug-in that randomly generates some additional values every time you restart the browser. Like Fonts no website will ever ask for.

    1. Good suggestion! EFF lists some tentative steps that can be taken already and gives some suggestions for the future here: http://panopticlick.eff.org/self-defense.php
      Quoting one close to your idea:
      “One solution would be to add a “debugging” mode to browsers, and to round version numbers off when the browser is not in debugging mode. Another solution would be to improve the “private browsing” modes that are already present in most modern browsers, so that when the mode is active, User Agent, navigator.plugins and font lists take on standardized values (or, perhaps, normalized values).”

  9. “Your browser fingerprint appears to be unique among the 34,726 tested so far.”

    Fancy fonts, I haz them.

  10. Yep, I’m among the unique folks, out of 35K+. Anybody got a Greasemonkey script that could boggle this sort of thing, and make me unique every session?

  11. Unique among 36,199 tested so far. Probably the Firefox on a Mac with the fancy scripts, as with other users.

  12. Wow. Firefox on a Mac with minimal plugins and system fonts is entirely unique out of 36k+. Perhaps there have been relatively few people from the mountain time zone so far, or else most people have their browsers tricked out more than mine

  13. I’m with Mr. Z., above… the first thing I thought was “add or remove fonts each time I launch, automatically”. This looks like it would create enough noise that tracking using a font based fingerprint would be very difficult.

  14. All information that I don’t care AT ALL if a website collects from my browser. I’m in the ‘300’ time zone? Who cares? So are about a billion other people. ‘Unique’ with both IE 8 and Chrome (out of ~35k). Another interesting note: My default installation of IE 8 shows 6 browser plugins, and my default installation of Chrome shows, well, a lot more: http://tinypic.com/view.php?pic=os93lu&s=6

    So what does this test really prove?

    1. It’s not the information itself that is important but the unique fingerprint generated by combining all the differences between the information on your machine and that of others. Read up on the information theory link provided on the Panopticlick results page.

      Whether you are concerned about that fingerprint being used to track you as a unique browsing entity and your habits across the web is another question.

    2. The issue is not what sites can learn about you based on your timezone, choice of browser plugins, font preferences and so on per se. The point is rather that you’re trackable via the browser fingerprint. Imagine that someone leaks info about some evil stuff done by the corporation he works for. He posts it to some online forum. Some corporate goons get their hands on the forum logs. But the leaker took care to post while connected through free, public wifi so ip-tracing is of no help. But then they compare the browser fingerprint from the forum log with the corporation intranet logs – bingo!

  15. Adding random fonts or plugins could make you unique, but a bad guy could filter out noise by disregarding unrecognized fonts or plugins.

  16. I am down to 1 in 636 by using:

    Firefox 3.6 with:

    Noscript
    RequestPolicy
    Permit Cookies
    And User Agent Switcher sending ‘Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7’

    Remember to lock your filthy Flash cookies directory so Adobe can’t set invisible cookies without your consent.

  17. Hm, another font tart here, unique among 30,000-odd. That’s pretty eye-opening. Post-privacy, we has it.

    But hang on a sec, if you had a completely turnkey, non-customizable device like, say, an iPad, that’d only be a member of its class, neh? ;)

  18. I implemented a unique hashing algorithm of these sorts of things on my pron website a few years ago. It’s fairly accurate. We just use it to fight credit card fraud though, so nothing too nefarious.

    Keep in mind that doing all those tests takes seconds to load in your browser, so I really don’t think it’s something that you’ll suddenly see identifying you all over the web.

  19. Logging in via my T-Mobile G1, which is running CyanogenMod, was unique… but there was practically no identifying info beyond the user agent.

    Chrome on my work machine is unique, or if I use incognito, matched only one other. Incognito mode was really not that effective.

  20. @25 “Chrome on my work machine is unique, or if I use incognito, matched only one other.”
    …You!

  21. Meh. Seems like this info would only be useful for tracking someone for a short period of time. Once you install/remove a plugin, font, etc., your fingerprint changes and anyone tracking you is back to square one.

  22. Is there a firefox plugin to hide non-typical fonts? The chances that Helvetica will be replaced by “Terminator Bold” instead of, say, Arial, seems unlikely, so may as well hide it.

  23. Your browser fingerprint appears to be unique among the 59,372 tested so far.
    System fonts and browser plugins for the most part it seems.

  24. Your browser fingerprint appears to be unique among the 61,690 tested so far.

    Hrmm…. don’t love that.

  25. Your browser fingerprint appears to be unique among the 66,693 tested so far.

    Oh, dear.

    Of course, the browser info features are mostly leftovers from the research web. These holes could be closed.

  26. Mine said I was unique among 68,000. It added that I seemed really cool and asked if I wanted to go out for a beer.

  27. “Unique in 76,888”….

    Crap. I’d rather be 1 in 800 or something so I’d have some plausible deniability. You guys make it sound like being identifiable is a good thing.

    While I have unique fonts, what really surprises me is that I’m apparently unique in screen size and color depth, considering it’s one of the defaults for my HDTV on my Mac mini.

  28. Wait, i’m confused here. I thought the higher the number the better? Surely then you’re lost amongst the masses of other browsers. So the lower the number is the better?

    1. @ politeruin
      Correct. It’s a ratio of your browser footprint (including others just like it) to total number of visitors. The nearer it gets to 1/1, the less unique and less likely to be trackable you are.

      1. Thanks.

        Though it’s a bit disconcerting when the first time i try this on a PC with Firefox 3.5, AdblockPlus, BetterPrivacy, NoScript, RequestPolicy, Flashblock and it’s 1 in 90k or so.

        Yet, i try it on a machine with Firefox 1.5, NoScript, Flashblock and it’s down to 1 in 18k.

        What’s that all about?

  29. Very simple to fool this site. A few mozilla plugins and it says I am using ELinks web browser on Linux when I am using mozilla on windows.

  30. I’m not sure this thing is working. I tested my browser yesterday and got a result of “Your browser fingerprint appears to be unique among the 47,321 tested so far” and today I tested it again (using the same machine/browser) and got “Your browser fingerprint appears to be unique among the 123,807 tested so far.” Assuming nothing has changed my fingerprint (I haven’t installed/removed any fonts, plugins, etc.), shouldn’t my visit from yesterday have made today’s visit non-unique?

    1. shouldn’t my visit from yesterday have made today’s visit non-unique?

      It doesn’t count you twice because it knows that it’s you. Did you change your IP since yesterday?

  31. Your browser fingerprint appears to be unique among the 125,767 tested so far.

    argh!!! plugins and fonts… mainly fonts… I’ve got fonts from an old commercial wordprocessor app on my Linux box… plus a load from an old windows graphics package and some fonts which came from an old printer bonus disk as well… plus several freebies I’ve downloaded from some font of the day page of a commercial font house…

  32. last night: unique among 61-odd thousand. Today lunchtime: unique among the 129,960 tested

    (fonts baby – the drawbacks of being a graphic design geek – and more browser plugins than I ever remember installing, including one for *netscape*, for chissakes)

    well, at least I’m unique.

    …wait, how can I be unique when I’ve done it twice without a single font change, browser mod, or computer update in the meantime?

  33. Ah, shiznit! 1 in 133,131. Damn you fonts I don’t care about from autocad and arcgis! And damn you Adobe Acrobat version 7.? (? added by panopticlick).

  34. Am I really the first to comment on a post by a prize winning novelist to the effect that there are no degrees to uniqueness? really? seriously? do i need to explain why not?

    and commentators, that includes ‘entirely’ and ‘completely’ unique.

    yes it’s slightly pedantic of me to point out but this error is unbelievably widespread. I was looking at buying one of the flight jackets from Pattern Recognition, until i saw it was ‘one of the most unique’ jackets out- using a novelist’s name for promotion alongside!

    ARG

    1. There are elements of uncertainty in our judgment of the state of the world. Your “unique”, for example, would be “I haven’t seen or heard of its like”. I suppose you could technically just say that it was unique, but that would be stating a degree of certainty that you do not possess. Using a modifier for certainty/likelihood is not unreasonable for an absolute statement.

      There are also, say, for jackets, dozens of ways that a jacket could be different in design from another jacket. Each pattern varies in some ways, and is the same in others. One that is unique in twelve ways is “more unique” than one that is unique in three.

  35. Am I really the first to comment on a post by a prize winning novelist to the effect that there are no degrees to uniqueness? really? seriously? do i need to explain why not?

    The site doesn’t describe degrees of uniqueness, it tells you if your stats are unique among the people tested so far, and if not, among what ratio of people you share a trackable identity.

  36. @arkizzle #49 The site doesn’t describe degrees of uniqueness but the headline implies them.

    That’s why a correct headline would read ‘Panopticlick: EFF’s tool for telling you if your browser stats are unique among the people tested so far, and if not, among what ratio of people you share a trackable identity’

    Or for brevity ‘Panopticlick: EFF’s tool for telling you how distinctively unique your browser profile is’

    There is no charge for this service.

  37. ommm,

    You’re totally right, I missed the headline connection to what you were saying. My apologies.

  38. @CHRS #47 No, my “unique” means the only one of its kind. If I say my browser profile is unique but I am wrong, the browser is not ‘less unique’ but ‘not unique’.

    ‘More’ and ‘less’ are not modifiers for certainty/likelihood.

    Both your hypothetical jackets are unique to the same and indeed only degree. The first is unique in more ways than the second.
