[tor-talk] panopticlick data

Joe Btfsplk joebtfsplk at gmx.com
Tue Oct 1 16:06:15 UTC 2013


On 10/1/2013 12:48 AM, Andreas Krey wrote:
> On Mon, 30 Sep 2013 21:08:58 +0000, Joe Btfsplk wrote:
> ...
>> No cookies are set, so that doesn't affect outcome.  In fact, the "bits
>> of identifying information" shown in results chart largely remain
>> identical (except screen size sometimes changes), but their estimate of
>> "One in X browsers have the  same fingerprint as yours," keeps going
>> down dramatically - each time I re-run the test.
> How do you expect them to identify repeat visitors as opposed to
> counting them as separate incarnations, thus lowering the uniqueness?
>
Not sure I understand the question in this context.  Without cookies, I 
don't expect them to identify repeat visitors.  I read their full paper 
on how they use the data collected 
https://panopticlick.eff.org/browser-uniqueness.pdf

Me visiting 2 - 4 more times, or even the other site visitors - *in the 
same 2 - 4 min. span*, wouldn't (actually) affect the statistics & lower 
their reported uniqueness estimate by factors of 2, 3 or more.

Repeating the test 4 times, almost immediately (clearing cache between), 
out of an existing database of millions of other site visitors, 
wouldn't lower my uniqueness from 1 in 1.7 million, then to 1 in 
700,000, to 1 in 500,000.

I checked regular Fx again today & my uniqueness just keeps dropping w/ 
each test.  If I'd kept going, it may have gotten to, "One in 100 
browsers have the same fingerprint."

Nothing changed about my browser between "tests," so those huge 
decreases in my uniqueness would be statistically impossible, unless 
they had MANY millions of other visitors in the same few minutes I was 
testing - which they didn't.

Just now (10/1/2013), I checked both TBB 2.3.25-12 (& Firefox 23 - 
showing its true useragent info).  Panopticlick showed TBB was over 3 
times LESS unique than regular Fx.  TBB:  1 in 689,000 vs Fx 23:  1 in 
203,000, at least in one test.  That may not be statistically 
meaningful, but it's a concern.
Most of the difference came from TBB reported screen size (which showed 
the correct screen width of my monitor), where Panopticlick shows 
regular Fx 23 screen width as 256 px LESS than TBB.  Not sure how that's 
possible for width.

The bigger point is, uniqueness values for either browser keep dropping 
*dramatically*, repeating the test a few times in just 2 - 3 minutes, 
when browser characteristics didn't change.  Making the value of their 
estimates questionable.  I may contact them to see if they have an 
explanation for this.

Possible solution to make fingerprinting more difficult:  An extension 
or TBB design that regularly or randomly changes / spoofs values for 
some of the data used to "calculate" uniqueness.  There are extensions 
that change some (like useragent), but don't change it repeatedly.  To 
avoid tracking Tor users from entry to exit, some browser 
characteristics would have to change rapidly & often.

I have no idea if the current consensus is that trackers could identify 
a user from ONE request or a SINGLE entry / exit in the Tor network 
(making it hard, but not impossible to intentionally change browser 
characteristics during that short time).  Or... if they'd need to 
observe several entries / exits (or several requests & receipts 
involving same relays)  to conclude with high confidence that it is the 
same browser.
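
The counting question Andreas Krey raises in the quoted reply can be modelled as below. This is an added example, not part of the original message and not Panopticlick's code; it assumes the reported figure is total samples divided by samples sharing the fingerprint, and the class name, fingerprint string, cookie value and 1,699,999 background samples are constructed.

```python
from collections import Counter

class UniquenessEstimator:
    """Hypothetical model: 'one in X' = total samples // samples sharing the fingerprint."""

    def __init__(self, background_samples):
        # Constructed background: samples from other browsers, none matching ours.
        self.total = background_samples
        self.counts = Counter()
        self.seen = set()  # (cookie, fingerprint) pairs already counted

    def visit(self, fingerprint, cookie=None):
        """Record one test run and return X for 'one in X browsers'."""
        key = (cookie, fingerprint)
        # A repeat visit can only be recognised if the browser presents a cookie.
        if cookie is None or key not in self.seen:
            self.counts[fingerprint] += 1
            self.total += 1
            if cookie is not None:
                self.seen.add(key)
        return self.total // self.counts[fingerprint]

def rerun(n, cookie=None, background=1_699_999):
    """Run the test n times from one unchanged browser; return each reported X."""
    db = UniquenessEstimator(background)
    fp = "constructed-fingerprint"  # stands in for the hashed browser attributes
    return [db.visit(fp, cookie) for _ in range(n)]

if __name__ == "__main__":
    print("no cookie:  ", rerun(4))
    print("with cookie:", rerun(4, cookie="constructed-id"))
```

Under this model, a fingerprint that starts out unique in the data set loses a factor of two, three and four on successive cookieless runs, while a retained cookie keeps the figure stable.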

