On Sat, 9 Jun 2012 22:20:31 -0700 Mike Perry mikeperry@torproject.org wrote in another thread:
Thus spake Katya Titov (kattitov@yandex.com):
- https://panopticlick.eff.org/ - one in 223,553, 17.77 bits of identifying information
Great test url, Katya. We have issues with how Panopticlick is run, though. It has inherent bias against any change from established norms, even if that change is in the direction of uniformity amongst a population.
I must admit that I'm not overly sure that the "1 in [x]" and "[x] bits of identifying information" are of use in and of themselves (e.g. my browser now "conveys at least 21.09 bits of identifying information" whereas it was only 17.77 just a few hours ago) but I thought I'd experiment with testing over time and see how the numbers change. I do like the table of browser characteristics. This could be useful to track over time, so maybe I should report the full table in future.
In particular, the largest sources of entropy in Panopticlick come from our solutions to fingerprinting issues. The largest source of bits (screen resolution) comes from what is perhaps our most effective reduction in information available to the fingerprinter: https://trac.torproject.org/projects/tor/ticket/4810#comment:3
Hmmm ... could you report a standard desktop resolution? Maybe the standard resolution just higher than the current window size? Will this impact the browsing experience? I imagine that this is used by a website when it wants to open a pop up window ... what's the impact of opening what the site thinks is a full-size window with a smaller resolution than the actual desktop size?
It's interesting to note that by far the largest screen resolution is "no javascript":
https://trac.torproject.org/projects/tor/attachment/ticket/4810/panopticlick...
That and similar data would be useful to track what they are seeing, and maybe feed into what TBB should be reporting.
Perhaps we should ask EFF to provide us with the Panopticlick source code or so we can run a unique instance to evaluate TBB users only?
I've created this ticket for that: https://trac.torproject.org/projects/tor/ticket/6119
If you have any comments or suggestions wrt the above, please comment on the bugs or create a new tor-qa thread rather than reply here.
Happy to help test when/if you get a TBB instance up and running.
Thus spake Katya Titov (kattitov@yandex.com):
On Sat, 9 Jun 2012 22:20:31 -0700 Mike Perry mikeperry@torproject.org wrote in another thread:
Thus spake Katya Titov (kattitov@yandex.com):
- https://panopticlick.eff.org/ - one in 223,553, 17.77 bits of identifying information
Great test url, Katya. We have issues with how Panopticlick is run, though. It has inherent bias against any change from established norms, even if that change is in the direction of uniformity amongst a population.
I must admit that I'm not overly sure that the "1 in [x]" and "[x] bits of identifying information" are of use in and of themselves (e.g. my browser now "conveys at least 21.09 bits of identifying information" whereas it was only 17.77 just a few hours ago) but I thought I'd experiment with testing over time and see how the numbers change. I do like the table of browser characteristics. This could be useful to track over time, so maybe I should report the full table in future.
Yeah.. This stuff is all fungible and dependent upon a few factors. Maybe a bunch of people showed up from some other mention of the Panopticlick url and altered the distribution. It's really hard to say.
In particular, the largest sources of entropy in Panopticlick come from our solutions to fingerprinting issues. The largest source of bits (screen resolution) comes from what is perhaps our most effective reduction in information available to the fingerprinter: https://trac.torproject.org/projects/tor/ticket/4810#comment:3
Hmmm ... could you report a standard desktop resolution? Maybe the standard resolution just higher than the current window size? Will this impact the browsing experience? I imagine that this is used by a website when it wants to open a pop up window ... what's the impact of opening what the site thinks is a full-size window with a smaller resolution than the actual desktop size?
These are all topics for #4810. I think all of them have already been mentioned there actually, unless I'm reading you wrong.
It's interesting to note that by far the largest screen resolution is "no javascript":
https://trac.torproject.org/projects/tor/attachment/ticket/4810/panopticlick...
That and similar data would be useful to track what they are seeing, and maybe feed into what TBB should be reporting.
Yeah, this "no javascript" data point is really a shortcoming of the panopticlick test, unfortunately.
You get the exact same data from CSS, plus quite a bit more: https://developer.mozilla.org/En/CSS/Media_queries
Perhaps we should ask EFF to provide us with the Panopticlick source code or so we can run a unique instance to evaluate TBB users only?
I've created this ticket for that: https://trac.torproject.org/projects/tor/ticket/6119
If you have any comments or suggestions wrt the above, please comment on the bugs or create a new tor-qa thread rather than reply here.
Happy to help test when/if you get a TBB instance up and running.
Actually, I think a useragent-based filter could go a long way to making the existing panopticlick data more useful:
https://trac.torproject.org/projects/tor/ticket/6119#comment:1
https://trac.torproject.org/projects/tor/ticket/4810#comment:3
Hmmm ... could you report a standard desktop resolution? Maybe the standard resolution just higher than the current window size? Will this impact the browsing experience? I imagine that this is used by a website when it wants to open a pop up window ... what's the impact of opening what the site thinks is a full-size window with a smaller resolution than the actual desktop size?
These are all topics for #4810. I think all of them have already been mentioned there actually, unless I'm reading you wrong.
Yes. I must remember to engage brain in future when reading ... ;-)
It's interesting to note that by far the largest screen resolution is "no javascript":
https://trac.torproject.org/projects/tor/attachment/ticket/4810/panopticlick...
That and similar data would be useful to track what they are seeing, and maybe feed into what TBB should be reporting.
Yeah, this "no javascript" data point is really a shortcoming of the panopticlick test, unfortunately.
You get the exact same data from CSS, plus quite a bit more: https://developer.mozilla.org/En/CSS/Media_queries
Nice!
Perhaps we should ask EFF to provide us with the Panopticlick source code or so we can run a unique instance to evaluate TBB users only?
I've created this ticket for that: https://trac.torproject.org/projects/tor/ticket/6119
If you have any comments or suggestions wrt the above, please comment on the bugs or create a new tor-qa thread rather than reply here.
Happy to help test when/if you get a TBB instance up and running.
Actually, I think a useragent-based filter could go a long way to making the existing panopticlick data more useful:
https://trac.torproject.org/projects/tor/ticket/6119#comment:1
Certainly would. I like the idea of TBB defaulting to whatever is the most common user agent, but also allowing users to choose from a list of other common user agent strings. Assuming you've got access to the Panopticlick database then I imagine that the common strings could be pulled out automatically at build time and populated within TBB.
Thus spake Katya Titov (kattitov@yandex.com):
Actually, I think a useragent-based filter could go a long way to making the existing panopticlick data more useful: https://trac.torproject.org/projects/tor/ticket/6119#comment:1
Certainly would. I like the idea of TBB defaulting to whatever is the most common user agent, but also allowing users to choose from a list of other common user agent strings. Assuming you've got access to the Panopticlick database then I imagine that the common strings could be pulled out automatically at build time and populated within TBB.
From a purely information-theoretic sense, individual choice is extremely bad for anonymity (more choices -> more entropy -> more identifying bits). Sorry all you DIY anarcho cypherpunks. You either need to make your voices heard so we can hit consensus on this, or surrender to the Identified Internet. Them's the breaks.
From a practical perspective, there is no hiding the fact that you're a Tor Browser user. Even if you could hide the fact that you're a Tor user by some dark magic, any solutions we take to solve these problems will automatically make you stand out from "normal" anyhow.
Here's a real world analogy: Right now, browser privacy can give you a mask. You won't look a damn thing like normal, but if we can get these damn masks to look enough like each other, and enough people use the masks, that's better than status quo.
So the only remaining choice we have is to make every one of our users' masks try to look the same. This also means that as we iterate, previous masks won't look like the newer, more uniform masks. In an ideal world, this means everyone needs to upgrade at once, and be re-measured somehow to verify the improvement. We've obviously got a few more steps to get to that point.
Later, when technology advances, we can think about making shape-shifting masks that look like the other mask of your choice. But holy face dancers, batman, that will be tricky.
So yeah, we need useragent-specific Panopticlick results, as well as the ability to add our own tests to Panopticlick. Perhaps if we get EFF to publish the Panopticlick source, this will happen organically? Maybe it already is published, and I missed it. I've Bcc'd Peter on most of these emails, just in case. Peter, you probably can't reply to this list directly without someone approving your mails.
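Added example, not part of the original thread and not Panopticlick's code: how a "one in N" figure maps to bits, why a uniform value scores as highly identifying until the data is filtered by user agent, and how offering user agent choices adds entropy. The visitor sample, the user agent labels and the resolution values are constructed for illustration.

```python
import math
from collections import Counter

def bits_from_one_in(n):
    """Convert a "one in n browsers" figure to bits of identifying information."""
    return math.log2(n)

def surprisal_bits(value, population):
    """Bits revealed by observing `value`, given how common it is in `population`."""
    return math.log2(len(population) / Counter(population)[value])

def entropy_bits(population):
    """Shannon entropy (average bits revealed) of an attribute over `population`."""
    n = len(population)
    return sum(c / n * math.log2(n / c) for c in Counter(population).values())

def resolutions(visitors, ua=None):
    """Screen resolutions of all visitors, or only those with user agent `ua`."""
    return [res for agent, res in visitors if ua is None or agent == ua]

# Constructed sample of 1024 visitors as (user agent label, reported resolution).
# Assumption: the 16 "tbb" visitors all report one uniform value; labels are made up.
VISITORS = (
    [("tbb", "1000x600")] * 16
    + [("other", "1920x1080")] * 504
    + [("other", "1366x768")] * 504
)

# Against everyone, the uniform value is rare, so it scores as highly identifying.
GLOBAL_BITS = surprisal_bits("1000x600", resolutions(VISITORS))
# Against the population the user can actually hide in, it reveals nothing.
FILTERED_BITS = surprisal_bits("1000x600", resolutions(VISITORS, ua="tbb"))

# "More choices -> more entropy": 16 users on one default user agent versus
# the same 16 users spread evenly over four selectable ones.
ONE_DEFAULT = entropy_bits(["ua-default"] * 16)
FOUR_CHOICES = entropy_bits(["ua-a", "ua-b", "ua-c", "ua-d"] * 4)

if __name__ == "__main__":
    print(f"one in 223,553         -> {bits_from_one_in(223553):.2f} bits")
    print(f"resolution, unfiltered -> {GLOBAL_BITS:.2f} bits")
    print(f"resolution, tbb only   -> {FILTERED_BITS:.2f} bits")
    print(f"user agent, 1 option   -> {ONE_DEFAULT:.2f} bits")
    print(f"user agent, 4 options  -> {FOUR_CHOICES:.2f} bits")
```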