>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 JavaScript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
The problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
On edit: here is a sample of three unique user profiles. I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
They will fuzz your uniqueness into a profile no matter how many times it changes. There’s enough there to identify you based on your fingerprint and behavior.
Right, but it is most powerful if they can combine unique fingerprint with identity fingerprint via login over time, so as to build up a long term behavioral profile. Identity is not good enough because you will sometimes not be logged in, fingerprint via uniqueness may not be enough because your behavior may change in different environments.
One can be uniquely identified but the info gathered can be made pretty useless (at least for commercial purposes). The State spying on one is another matter altogether, one has to assume one is then pretty transparent.
For example, my default mode is no JS. If JS must be used then cache, cookies, history, etc. are erased by default (usually they are anyway). I use multiple machines and they have multiple browsers (there's five on this phone alone), and if I think it's important I'll change browsers between sessions for a given site—that also means an IP address change (router reboots, etc.). On Android, remove all Google apps, have no Google account, use a firewall and only allow apps from F-Droid to have internet access.
Can't say I've clicked on an ad in 20 years unless accidentally, and anyway I see them very rarely sans JS. If I do I never linger over them to give the impression I'm reading them.
Browsers have block lists, some very extensive (e.g. Privacy Browser), so do OSes' hosts files, location is off, etc. There's other stuff too but you get the gist.
Why bother, you ask. Before the internet I could look at ads in magazines, buy something without giving name, rank and serial number, and/or my address, or phone number and so on and be pretty certain manufacturers and advertising agencies weren't tracking me.
In short, I had some autonomy I could call my own.
So why is it now a prerequisite to give all that personal stuff away just because I've joined the internet? That wasn't the plan when the internet was devised.
I see what I do as basic self protection.
A final point: what the internet desperately needs is a JavaScript engine that users can tailor to their individual needs. Randomize machine details, cookie info, and so on. A well designed engine could feed copious junk info back to websites and spoof itself as a 'genuine' engine to the extent that websites wouldn't know what's genuine and what's not.
Widespread use of such a JS engine could do considerable damage to these snooping bastards. The big question is why the hacking community hasn't yet come up with one.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
"NVIDIA Corporation" is a rare vendor because most browsers (Chrome, Edge, Firefox on Windows) use ANGLE and will report "Google Inc. (NVIDIA Corporation)" as a vendor.
Basically, "NVIDIA Corporation" means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really fingerprint me pretty decently.
HN referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.
> but when I look down the list 16/58 JavaScript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
* Content language
* Timezone
* Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
* Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) are suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as a uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for Firefox and Chrome, so the version information is basically garbage. If you had two Firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However, most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
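The toy model from the comment above (user agent, timezone, language and screen resolution as the uniqueness key), worked through as an added example that is not part of the thread or of any fingerprinting site's code. The visit records, the `device` ground-truth field and all function names are constructed for illustration.

```javascript
// Constructed visit records (not real data). `device` is ground truth that a
// real fingerprinting site would not have; it is here only to check the result.
const LA = { timezone: "America/Los_Angeles", language: "en-US" };
const visits = [
  { device: "A", userAgent: "Firefox/139", ...LA, screen: "1920x1080" },
  { device: "B", userAgent: "Firefox/140", ...LA, screen: "1920x1080" },
  { device: "C", userAgent: "Firefox/141", ...LA, screen: "1920x1080" },
  { device: "D", userAgent: "Firefox/141", timezone: "Europe/Berlin",
    language: "de-DE", screen: "2560x1440" },
  // Device E revisits with an extension that randomizes the reported screen.
  { device: "E", userAgent: "Firefox/141", ...LA, screen: "1913x1077" },
  { device: "E", userAgent: "Firefox/141", ...LA, screen: "1907x1081" },
  { device: "E", userAgent: "Firefox/141", ...LA, screen: "1925x1069" },
];

const STABLE = ["timezone", "language", "screen"];
const FULL = ["userAgent", ...STABLE]; // includes the volatile version string

const keyOf = (v, attrs) => attrs.map((a) => v[a]).join("|");

// Group records by fingerprint key and count each group (the anonymity set).
function anonymitySets(records, attrs) {
  const sets = new Map();
  for (const r of records) {
    const k = keyOf(r, attrs);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// What the site would tell `target`, next to the real number of devices.
function verdict(records, attrs, target) {
  const setSize = anonymitySets(records, attrs).get(keyOf(target, attrs)) || 0;
  return {
    claimedPopulation: records.length,
    realDevices: new Set(records.map((r) => r.device)).size,
    setSize,
    unique: setSize === 1,
  };
}

console.log("full key:  ", verdict(visits, FULL, visits[0]));
console.log("stable key:", verdict(visits, STABLE, visits[0]));
```

With the version string in the key, device A is reported unique among 7 records; on the attributes that persist it shares a set with B and C, and only 5 devices ever existed.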
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after a browser upgrade it will still understand that it's you and share the fingerprints with the fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was a toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers. Hacker News is popular in certain circles but clearly this is a self-selecting sample.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking at various statistics of sales, upgrade cycles, etc. there are probably between 500k and 1 million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro).
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are language, time-zone, font-size, light/dark preference. There isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the EFF's site on my iPhone 15 Pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites' ability to fingerprint.
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.
That results in different nanosecond ranges of performance, for your canvas.
It is a lie. They're making up stuff to spin their position.
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particular. They don't produce different results.
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone.
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing you could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
>That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (i.e. it varies between devices of the same model) actually exists?
Have you bothered to look, yet? It's been in use since 2012. Responding to specifics, when someone is acting out of bad faith, isn't generally a good idea. But fine.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?