[tor-talk] Spoofing a browser profile to prevent fingerprinting

Seth David Schoen schoen at eff.org
Tue Jul 29 19:54:14 UTC 2014

Joe Btfsplk writes:

> I'm no expert on fine details of this, but over a long time of
> checking TBB, Firefox, JonDo Fox, etc., on multiple test sites, it's
> always clear that far more info is available when JS is enabled.
> The EFF says ~ 33 bits of identifying info (ii) are needed to
> accurately identify the same browser / machine at multiple sites.

Strictly speaking, the 33 bits figure refers to identifying a _person_,
and comes from Arvind Narayanan, who calculated it by rounding down the
base 2 logarithm of the world's human population.  (If you can ask
33 perfectly independent and identically distributed yes-or-no questions
about a person, the set of answers to those questions will be completely

There are probably fewer Internet-connected browser instances than
living people, so less information might suffice to distinguish them.

If you're using EFF's Panopticlick page, you should be aware of some
limitations about the measurements it gives you.  One is that it doesn't
measure all possible measurable attributes of a browser -- people doing
user tracking may have additional measurement techniques that aren't
included in Panopticlick.  Another is that the "bits" of information
that you get from measuring each attribute don't actually add linearly
(and there's no direct way of adding them without knowing more about
the population statistics and how the attributes interact).  So if you
get an estimate that your Foo browser feature contributes 6 bits of
identifiability and your Bar browser features contributes 5 bits, you
can't necessarily conclude that together they contribute 11 bits.
(Another limitation that Peter Eckersley, the developer of Panopticlick,
pointed out to me is that the sample of fingerprints in Panopticlick's
database isn't very current or very representative of a larger population
of user-agents that are getting used in 2014.)

You're definitely right that Javascript is an important part of many
browser fingerprinting techniques and that browser fingerprinting will
work much less well without it.

Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

More information about the tor-talk mailing list