[tor-talk] panopticlick data
Joe Btfsplk
joebtfsplk at gmx.com
Tue Oct 1 16:06:15 UTC 2013
On 10/1/2013 12:48 AM, Andreas Krey wrote:
> On Mon, 30 Sep 2013 21:08:58 +0000, Joe Btfsplk wrote:
> ...
>> No cookies are set, so that doesn't affect outcome. In fact, the "bits
>> of identifying information" shown in results chart largely remain
>> identical (except screen size sometimes changes), but their estimate of
>> "One in X browsers have the same fingerprint as yours," keeps going
>> down dramatically - each time I re-run the test.
> How do you expect them to identify repeat visitors as opposed to
> counting them as separate incarnations, thus lowering the uniqueness?
>
Not sure I understand the question in this context. Without cookies, I
don't expect them to identify repeat visitors. I read their full paper
on how they use the data collected
https://panopticlick.eff.org/browser-uniqueness.pdf
Me visiting 2 - 4 more times, or even the other site visitors - *in the
same 2 - 4 min. span*, wouldn't (actually) affect the statistics & lower
their reported uniqueness estimate by factors of 2, 3 or more.
Repeating the test 4 times, almost immediately (clearing cache between),
out of an existing database of millions of other site visitors,
wouldn't lower my uniqueness from 1 in 1.7 million, then to 1 in
700,000, to 1 in 500,000.
I checked regular Fx again today & my uniqueness just keeps dropping w/
each test. If I'd kept going, it may have gotten to, "One in 100
browsers have the same fingerprint."
Nothing changed about my browser between "tests," so those huge
decreases in my uniqueness would be statistically impossible, unless
they had MANY millions of other visitors in the same few minutes I was
testing - which they didn't.
Just now (10/1/2013), I checked both TBB 2.3.25-12 (& Firefox 23 -
showing its true useragent info). Panopticlick showed TBB was over 3
times LESS unique than regular Fx. TBB: 1 in 689,000 vs Fx 23: 1 in
203,000, at least in one test. That may not be statistically
meaningful, but it's a concern.
Most of the difference came from TBB reported screen size (which showed
the correct screen width of my monitor), where Panopticlick shows
regular Fx 23 screen width as 256 px LESS than TBB. Not sure how that's
possible for width.
The bigger point is, uniqueness values for either browser keep dropping
*dramatically*, repeating the test a few times in just 2 - 3 minutes,
when browser characteristics didn't change, making the value of their
estimates questionable. I may contact them to see if they have an
explanation for this.
Possible solution to make fingerprinting more difficult: An extension
or TBB design that regularly or randomly changes / spoofs values for
some of the data used to "calculate" uniqueness. There are extensions
that change some (like useragent), but don't change it repeatedly. To
avoid tracking Tor users from entry to exit, some browser
characteristics would have to change rapidly & often.
I have no idea if the current consensus is that trackers could identify
a user from ONE request or a SINGLE entry / exit in the Tor network
(making it hard, but not impossible to intentionally change browser
characteristics during that short time). Or... if they'd need to
observe several entries / exits (or several requests & receipts
involving same relays) to conclude with high confidence that it is the
same browser.
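
Added example, not part of the original post and not Panopticlick's code: a small simulation of the point raised in Andreas Krey's question, under the assumption (not confirmed on this page) that a visit with no cookie is stored as a new sample. The starting dataset size of 1,700,000 and all function and parameter names are constructed for illustration.

```python
import math

def simulate_repeat_visits(total, matching, visits, dedupe=False, others_per_visit=0):
    """Return (visit, one_in_x, bits) rows for one browser re-running the test.

    total / matching: samples in the dataset, and how many of them share our
    fingerprint, before the first visit.
    Assumption: without dedupe every visit is stored as a new sample; with
    dedupe (e.g. a cookie survives between tests) only the first visit counts.
    """
    rows = []
    counted = False
    for visit in range(1, visits + 1):
        total += others_per_visit        # unrelated visitors with other fingerprints
        if not (dedupe and counted):
            total += 1                   # our own sample is added to the dataset
            matching += 1                # ...and it matches our fingerprint
            counted = True
        one_in_x = total / matching      # "One in X browsers have the same fingerprint"
        rows.append((visit, one_in_x, math.log2(one_in_x)))
    return rows

if __name__ == "__main__":
    START = 1_700_000  # constructed dataset size, previously unseen fingerprint
    cases = [
        ("no cookies, every visit counted", {}),
        ("no cookies, 1000 unrelated visitors between tests", {"others_per_visit": 1000}),
        ("repeat visits recognised and counted once", {"dedupe": True}),
    ]
    for label, kwargs in cases:
        print(label)
        for visit, x, bits in simulate_repeat_visits(START, 0, 4, **kwargs):
            print(f"  visit {visit}: one in {x:,.0f} browsers ({bits:.2f} bits)")
```

Under that assumption the reported figure is divided by the number of the tester's own stored samples, while unrelated visitors in the same few minutes barely move it.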