
Yes, but it takes more than removing most of the identifying information.

First, the precise browser version and OS can probably always be identified by checking for supported features, bugs, etc., even if the extreme measure were taken to remove the user agent string.

Add the screen resolution, IP, timing and request patterns (+) and we are all screwed.

(+) e.g. rule out users that are using other sites at the same time. Note that it would be possible to determine if a page is in the currently focused and visible browser tab and forward that information to the tracker.



Yes, but it takes more than removing most of the identifying information.

The trick is not to remove information, but to poison it.

For example, Panopticlick sees that I have dozens of "system fonts", enough to stand out. I want my browser to lie about the fonts I have, based on settings I choose.

There are many details about my browser and system that are irrelevant to what most sites need to do so lying about them should not interfere with viewing a site.


This is a great point. I totally agree, if you adjust simple things on each visit, then you can use their extra bits of identification against them, in a very obscure way, without limiting the actual checks of functionality that the sites use.


These system fonts are detected through Flash/Java. Disabling these will fix this.


I don't want to provide less, but still accurate, data, I want to introduce suspect data. The end result should be that anyone collecting data on me without my consent should have no idea which of it are accurate such that all of it becomes useless.
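The contrast drawn in the comments above between removing attributes and poisoning them, as an added example that is not from any commenter in this thread: a toy tracker links two visits when the hash of the reported values matches and is unique among visitors. The population, attribute values, strategy names and hash are all constructed assumptions.

```javascript
// Constructed model; every value, name and the "tracker" here are illustrative only.
// Small seeded PRNG (mulberry32-style) so each run is reproducible.
function prng(seed) {
  return function () {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// FNV-1a over the serialized report: stands in for the tracker's visitor id.
function fingerprint(report) {
  let h = 0x811c9dc5;
  for (const ch of JSON.stringify(report)) h = Math.imul(h ^ ch.charCodeAt(0), 0x01000193) >>> 0;
  return h;
}
const FONTS = ["Arial", "Courier", "Futura", "Garamond", "Helvetica", "Optima", "Palatino", "Verdana"];
const SCREENS = ["1024x768", "1280x800", "1440x900", "1920x1080"];
const randomFonts = (rand) => FONTS.filter(() => rand() < 0.5);
// A user's real configuration (constructed).
function makeUser(rand) {
  return {
    screen: SCREENS[Math.floor(rand() * SCREENS.length)],
    ua: "Browser/" + (3 + Math.floor(rand() * 2)) + "." + Math.floor(rand() * 10),
    fonts: randomFonts(rand),
  };
}
// What the browser reports on each visit under three strategies.
const strategies = {
  honest: (u) => u,
  stripped: (u) => ({ screen: u.screen, fonts: u.fonts }),      // user agent removed
  poisoned: (u, rand) => ({ ...u, fonts: randomFonts(rand) }),  // fresh font lie per visit
};
// Fraction of users whose second visit yields the same id as the first
// and whose id nobody else shares, i.e. the tracker re-identifies them.
function reidentified(strategy, users, rand) {
  const first = users.map((u) => fingerprint(strategy(u, rand)));
  const second = users.map((u) => fingerprint(strategy(u, rand)));
  const seen = new Map();
  for (const id of first) seen.set(id, (seen.get(id) || 0) + 1);
  return users.filter((_, i) => second[i] === first[i] && seen.get(first[i]) === 1).length / users.length;
}
function run() {
  const rand = prng(42);
  const users = Array.from({ length: 200 }, () => makeUser(rand));
  const out = {};
  for (const [name, s] of Object.entries(strategies)) out[name] = reidentified(s, users, rand);
  return out;
}
console.log(run());
```

This models a tracker that hashes every reported value; one that discards unstable attributes is left with whatever the remaining values identify.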


But why make it easier for the site to track you?

Force them to do detailed packet timing and their costs will go up, and it will become less economical for black hats to play around with your personal data.

I don't know if nuking the user agent string is a horrible idea, but it's less of a problem today than it was 5 years ago: today, a website can assume all browsers conform pretty closely to a standard. Only really advanced features require user agent sniffing (arguably, if you're sniffing the UA you're doing it wrong).

I think we should make that kind of fingerprinting opt-in, not opt-out.


I think changing the user agent to only report the major version would already go a long way.



