Panopticlick: You Are A Beautiful And Unique Snowflake

We all like to think we’re unique, but when it comes to remaining anonymous online that’s probably not such a good idea. By now, it’s common knowledge that advertising firms, three-letter agencies, and who-knows-who-else want to know what websites you’re visiting and how often. Persistent tracking cookies, third-party cookies, and “like” buttons keep tabs on you at all times.

For whatever reason, you might want to browse anonymously and try to plug some of the obvious sources of identity leakage. The EFF and their Panopticlick project have bad news for you.

The idea behind Panopticlick is simple: to try to figure out how identifiable you are even if you’re not accepting cookies, or if you’ve disabled Flash, or if you’re using “secure” browsers. To create a fingerprint of your browser, Panopticlick takes all the other little bits of identifying information that your browser gives up, and tries to piece them together.

For a full treatment of the project, see this paper (PDF). The takeaway from the project is that the information your browser gives up to servers can, without any cookies, specifically identify you.

For instance, a server can query which plugins your browser has installed, and if you’ve added anything even slightly out of the ordinary, you’re fingerprinted. Your browser’s User-Agent string is often over-specific, telling the server exactly which sub-sub-sub version of which browser you’re running on which OS. If you’re running Flash, it will report back which fonts you’ve got installed on your system. Any one of these values can easily be as rare as one in a million, and combining them (unless they’re highly correlated) can fingerprint you uniquely.

You can’t necessarily win. If you disable Flash, the remote site doesn’t get your font list, but since only about one in five browsers runs with Flash disabled, that choice alone still gives up a little over two bits of information (log2 of 5, roughly 2.3). If you run a “privacy-enhancing” niche browser, your chances of leaving a unique fingerprint go through the roof unless you’re also forging the User-Agent string.
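The arithmetic behind the two paragraphs above, as an added example that is not code from the original post or from the EFF’s Panopticlick: each attribute value is worth log2(1/p) bits, where p is the fraction of observed browsers that share it, and the naive total is the sum over attributes. The population, the attribute names and the User-Agent strings in the block are constructed for the illustration; the `collectAttributes` helper reads from a window-like object so the same code runs against a constructed stand-in here and against `window` in a page. It also shows the two caveats a practitioner should keep in mind: the naive sum overstates uniqueness when attributes are correlated, and forging only the User-Agent string leaves the other attributes in place.

```javascript
// Added example, not code from the original post or from the EFF's Panopticlick.
// It scores a browser's attributes the way Panopticlick's report does: each
// attribute value is worth log2(1/p) bits, where p is the fraction of the
// observed population sharing it. The population, the attribute names and the
// User-Agent strings below are constructed for the example.

// Read the attributes the post discusses from a window-like object. In a page
// you would call collectAttributes(window); here a constructed stand-in is
// passed so the script also runs under Node.
function collectAttributes(win) {
  const nav = win.navigator || {};
  const scr = win.screen || {};
  // navigator.plugins is array-like in browsers; sort so ordering is irrelevant.
  const plugins = Array.from(nav.plugins || [], (p) => p.name).sort();
  return {
    userAgent: nav.userAgent || "unknown",
    plugins: plugins.join(";"),
    screen: `${scr.width}x${scr.height}x${scr.colorDepth}`,
  };
}

// Surprisal of a value seen `count` times among `total` browsers: log2(total/count).
// One browser in five runs without Flash, so that fact alone is log2(5), about
// 2.3 bits: the "two bits" the post mentions. A value nobody else has (count 0)
// is scored as if this browser were added to the population and matched only
// itself, which is how "unique among N tested" is reported.
function surprisalBits(count, total) {
  return count === 0 ? Math.log2(total + 1) : Math.log2(total / count);
}

// Bits contributed by each attribute of `record` taken on its own.
function attributeBits(population, record) {
  const bits = {};
  for (const key of Object.keys(record)) {
    const count = population.filter((r) => r[key] === record[key]).length;
    bits[key] = surprisalBits(count, population.length);
  }
  return bits;
}

// Naive total: add up per-attribute bits as if the attributes were independent.
function naiveCombinedBits(population, record) {
  return Object.values(attributeBits(population, record)).reduce((a, b) => a + b, 0);
}

// Joint surprisal: count records matching on every attribute at once. When
// attributes are correlated (an obscure Linux-only browser also implies no Flash
// plugin) this is lower than the naive sum; that is the post's "unless they're
// all highly correlated" caveat.
function jointBits(population, record) {
  const keys = Object.keys(record);
  const matches = population.filter((r) => keys.every((k) => r[k] === record[k])).length;
  return surprisalBits(matches, population.length);
}

// Constructed population of 1024 browsers, with group sizes chosen so the bit
// counts come out exact. Not real Panopticlick data.
const GROUPS = [
  [640, "Mozilla/5.0 (Windows NT 6.1) Chrome/40.0", "Flash;PDF Viewer", "1920x1080x24"],
  [256, "Mozilla/5.0 (Windows NT 6.1) Chrome/40.0", "PDF Viewer", "1366x768x24"],
  [96, "Mozilla/5.0 (Macintosh) Safari/600.3", "", "1440x900x24"],
  [31, "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0", "", "1920x1080x24"],
  [1, "Mozilla/5.0 (X11; Linux x86_64) dwb", "", "1280x1024x24"],
];
function makePopulation() {
  const population = [];
  for (const [n, userAgent, plugins, screen] of GROUPS) {
    for (let i = 0; i < n; i++) population.push({ userAgent, plugins, screen });
  }
  return population;
}

// Constructed stand-in for window: the dwb / 1280x1024 setup from the post.
const fakeWindow = {
  navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64) dwb", plugins: [] },
  screen: { width: 1280, height: 1024, colorDepth: 24 },
};

// Forging only the User-Agent to the most common one leaves plugins and screen
// untouched, so the joint match count drops to zero and the browser is as
// unique as before: the forged string simply no longer fits the rest.
function spoofUserAgentOnly(record) {
  return { ...record, userAgent: GROUPS[0][1] };
}

const population = makePopulation();
const me = collectAttributes(fakeWindow);
console.log(attributeBits(population, me));                 // userAgent 10, plugins 3, screen 10
console.log(naiveCombinedBits(population, me));             // 23
console.log(jointBits(population, me));                     // 10: naive sum overstates by 13
console.log(jointBits(population, spoofUserAgentOnly(me))); // ~10.0014: no help at all
```

Run it with `node` as-is; in a browser, replace `fakeWindow` with `window` and the population with whatever sample you have collected. The per-attribute figures match the post’s intuition (an unseen browser name or an unusual screen mode is worth about 10 bits in a population of 1024), while the joint figure shows that the rare attributes here travel together, so adding their bits up double-counts.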

I ran the Panopticlick experiment twice, once with Firefox and once with an obscure browser that I actually use most of the time (dwb). Firefox ships with a Flash blocker as standard, so the site didn’t get my font list. Even so, the combination of browser plugins and a relatively new Firefox on Linux alone made me unique.

It was even worse for the obscure browser. Only one in 1.4 million hits uses dwb, so that alone was bad news. I also use a 4:3 aspect-ratio monitor at 1280×1024 pixels with 24-bit color depth, which is apparently a one-in-twenty-four occurrence. Who knew?

Finally, I tried the Tor Browser, which not only routes your traffic through the Tor network but also strips a lot of the specific data about your session. It fared much better: instead of being uniquely identifiable, my fingerprint was shared with about one in a thousand browsers tested. (Apparently a lot of people trying out the Panopticlick site were running the Tor Browser.)

If you’re interested in online anonymity, using something like Tor to obscure your IP address and disabling cookies is a good start. But Panopticlick points out that it may not be enough. You can never use too many layers of tinfoil when making your hat.

Try it out, and let us know in the comments how you fare.

42 thoughts on “Panopticlick: You Are A Beautiful And Unique Snowflake”

      1. Fonts are the one that fingers me, and last time I checked there wasn’t a way to tell Mozilla what fonts to advertise besides “everything”. My work laptop has a $DAYJOB-specific font installed in Windows so it can render the $DAYJOB corporate logo correctly, and my random collection of fonts accumulated over time have enough uniqueness to differentiate me from any of my coworkers who’ve checked out Panopticlick.

      1. Possible. Try saving the fingerprint it displays, and compare it. I guess you’ll have to get a new IP before that, and delete the session cookie. Otherwise they’ll know it’s you again ^^
        Maybe 2 equal fingerprints are just too insignificant?

      2. Chrome/chromium downloads a blacklist of known malicious URLs every 30 minutes (and sends your IP to google) so it may update some version number or somesuch and change the fingerprint slightly.

    1. I just tried this with Google Chrome on my Arch install. I have done nothing special with this browser, except installing Adblock and hiding stupid social buttons. Still, I see this:

      “Your browser fingerprint appears to be unique among the 5,598,499 tested so far.”

  1. Hello,
    You may be interested in my publicly available course “Web Identity Hacks”, available at: http://opensecuritytraining.info/WebIdentity.html . In addition to the panopticlick tool, the course first discusses other ways that web servers can identify you, such as using IP geolocation to identify where you are physically located, etc. Then, the course talks about ways of obfuscating the identification techniques that are employed, including tor, but also other techniques. Finally, the course talks about forensics, which is to look after an event has happened and you want to try to identify who visited a web server. Links to ~3 hours of video of me presenting the course are available, as well as a lab portion of the class.

  2. Just change your user agent string. Changing mine from the one that ships with Iceweasel (a debian specific version of Firefox) to the agent string from TBB ‘Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0’ moved me from 1 in over a million to just one in less than 5,000.

    Of course as soon as you enter a zipcode anywhere though you’re quite unique.

    1. According to the jcarlosnorte web pages, the getClientRects() function is a real fingerprint problem. Meanwhile, the Tor project thinks the getImageData() function (for the HTML5 canvas) – is the most significant fingerprinting threat out there. I have put my thoughts at: https://programmingmiscellany.wordpress.com/rust-never-sleeps/a-tangled-web/

      On that page I describe some useragent string changes, and how changing only the useragent string but not the other related strings in a simultaneous fashion actually makes things worse. Much worse …

  3. Personally, on the ‘optimistic’ side, I wonder if this is a ‘bad thing’– I mean we are all members of a society, are we not ? Or I just think of all the lame trolls. I mean I started out on BBS and all that anonymity was kind of ‘fun’, but you get older, wiser. At the same time, if you are a responsible individual, who wants ‘big brother’ over your back ? And I did severely get hacked on Tumblr once.

    Thus I guess my question is, why do we feel we can ‘say’ so much online, feeling ‘hidden’ behind aliases, but not in ‘real-life’ ? At the same time, no one has the right to pry ‘further’ than that– It is pretty close to ‘rape’.

    1. >>why do we feel we can ‘say’ so much online, feeling ‘hidden’ behind aliases, but not in ‘real-life’ ?
      Because we’re typically typing responses in our own homes, wearing nothing but our underwear for other people in their own homes in nothing but their underwear to read. You’d get mad if someone burst into your house during a private party and began recording all the conversations going on.

      >>It is pretty close to ‘rape’.
      Violating someone’s 4th Amendment / Article 12 rights is magnitudes different, and generally vastly less intimate than violating someone sexually.

      1. Well it doesn’t even apply to most of us here, anyway; in most countries, males cannot legally be raped unless they are penetrated, ie you cannot legally be raped by a female. It’s “sexual assault” at best.

        Except people are crying about their stupid chain emails being scanned for keywords, rather than crying about our archaic backwards, and often biased laws.

  4. I ask this: Why does the remote need to know ANYTHING about my browser whatsoever??!! Give me the raw data and let whatever browser I choose render it. Needing a pre-format server side just introduces more bugs anyways so make it double blind and you have more secure content transactions and less server side load.

    1. They surely need to know. There’s a truckload of differing browser configurations, from text-only interfaces to full 4k quad-monitor setups. If the remote server does not know, it can send full HD videos to a text browser running on a 320×200 Nokia LCD on an Arduino, and a text-only interface to a full color 8k pixels projection screen.

      If you don’t support Java, they can use Flash. If you don’t support it either, they can send you HTML5 if available. They can choose between ogv, RealVideo, divx, 3gp, mp4, wmv or ASCII-art for video, depending on your configuration.

      And, of course, they can detect what plugin versions you have and deliver you customized exploits.

    2. You’re basically asking them to send every version/combo to you, which would swap server processing for bandwidth use instead.

      Also, remember, it’s not just about your specific session. Without any feedback on what people are actually using, site makers wouldn’t have a clue what to support or deprecate. I run a silly little site to generate random bad fanfics (www.fanficmaker.com)
      When I started I had no idea how much traffic would come from mobile platforms – it turns out a lot.
      Therefore I now know I should spend my precious time to ensure those platforms stay just as well supported as PC.

      Now expand this to every website maker online over the last few decades. Would we have ever switched from IE6 if website owners couldn’t see a downturn in users and an upturn in alternative browsers?

    3. The SGML markup languages (and its successors HTML and XML) were designed with a model that said that the document author’s job was to mark up information content in the documents (like “This is a paragraph” or “this is an H2 header”), and the browser’s job was to display that in some user-equipment-appropriate manner, which isn’t under control of the document author because people might be reading on all kinds of different devices, whether that’s a 24×80 monochrome wrist display or a high-res graphic screen or black ink on paper.

      It’s entirely not the same as a display description language like PDF, which is a model for how to draw ink marks on specific sizes and shapes of dead tree media so the document looks the way you want, like that portrait-mode 8.5×11 two-column journal article you’re reading on your landscape-mode laptop screen.

      By the late 80s, we were having standards-committee fights with the kind of people who want to be able to specify that an H2 header is 14-point bold-face font and that documents always render page numbers that match the master document. HTML moved all of this into a client-server model, so 15 minutes after the first corporate marketing person told their advertising department to start putting their brand stuff on the World-Wide-Web, the same fights reappeared over here, but this time the wrong people won, and hey, advertising’s where most of the money that drove the 1990s Internet boom business was supposed to come from. CSS helps us get back a bit of what HTML was about, but basically web servers want to know any detail they can get about the browser, whether it’s for dynamic display generation or for user tracking and monetization.

      And they especially need to know something about the browser if they want to send it singing dancing Javascript/Flash/etc. content and not just, y’know, actual information, though browsers’ User Agent strings have been total fakes for years to deal with broken assumptions by lots of broken servers.

      1. I was distinguishing between tin and alumin(i)um.

        I originally had “(or aluminium for you non-Americans)” but deleted it before posting. I regret that decision.

        1. The reason tin-foil hats don’t work these days is precisely because they’re made of aluminum (or aluminium), and it’s NOT THE REAL THING. Why can’t you get real tin foil any more? BECAUSE OF THE CONSPIRACY!

  5. Panopticon is a simple indicator of how unique your computer may be – it does not really evaluate how easy it would be to track you.

    Tracking, even by ‘just spam companies’, is very sophisticated at this point. They are desperate to know who every last person is, and they use nefarious means to do so.

    Panopticon is interesting, but, it is barely a security tool.

    1. They may not be able to “track” you, but if Big Brother seizes your PC, they may be able to convince a jury that your computer was the one that went to all the nefarious websites.
      “The computer, and the browser settings indicate that only 1 in 12 million computers would match it.”

  6. I am using uMatrix (GPL, available for chromium and Firefox), to choose to who (whom?) the website I browse can talk to, to block “mostly useless” scripts such as google analytics (and google in general (duckduckgo is better, anyways), except on youtube), the “like buttons”, some cookies… it takes a bit of work, but it works really well, it is quite powerful. It also does user agent spoofing.
    According to the EFF, I am very common, about one out of three everywhere (thanks uMatrix!). Except HTML accept headers (what does the language id in this mean? preferred languages with rating? keymaps?); does someone know how to change that? Maybe at least something like update-alternatives to select zip or 7zip instead of gzip (because with a windows user agent, it is quite unique indeed…)?
    Also, this does not test the canvas stuff, does it?

    uMatrix links:
    https://github.com/gorhill/uMatrix
    https://addons.mozilla.org/en-US/firefox/addon/umatrix/

    1. gzip for ‘accept’ headers refers to the specific compression algorithm rather than the file type. Even IE has been able to accept gzip since 4.0. So… not unique at all.

  7. I am not sure this is as useful as it seems.

    Surely if you’re just worried about “one session” a simple image being cached can be used, no? (Then time the image loading – if it loads instantly you know it was cached earlier.)

    They can wipe their cache between sessions, of course, but in that case you’re probably going to change the fingerprint anyway, no?
    The more precise a fingerprint’s analytical data, the more quickly it will change. Look how often Chrome updates.
