This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Rewrite Browser Fingerprinting section #1257

Mikaela opened this issue Sep 1, 2019 · 26 comments
Assignees
Labels
approved approved, waiting for a PR 👁️ browsers 📝 correction Correction of content on the website 💬 discussion feedback wanted 🏠 housekeeping Anything primarily related to site cleanup.

Comments

@Mikaela
Contributor

Mikaela commented Sep 1, 2019

Description

I am under the impression that even Tor Browser users get unique fingerprints on Panopticlick at times, and that it doesn't tell the full story and at times makes people investigate fingerprint randomizers or try to lessen their fingerprint, which may have the opposite effect?

@Mikaela Mikaela added 💬 discussion feedback wanted 🌐 website issue *Technical* issues with the website. ❌ software removal 🏠 housekeeping Anything primarily related to site cleanup. 👁️ browsers labels Sep 1, 2019
@blacklight447
Collaborator

While I agree that the unique fingerprint is no longer really useful, it's still a good tool for seeing what your browser sends out. I recall talking about this before, but maybe we can make a fingerprint page on the ptio website ourselves, not to test "entropy" like Panopticlick, but just to show the user what his general fingerprint looks like.

@Thorin-Oakenpants

I think you should still have a FP section: but almost everything currently in there is just sooooo wrong. I can explain in further detail at some point: and I'm not saying that randomly raising entropy is not a valid technique (that's not what I meant when I said wrong).

This is one section I would like to re-write for you. People, in general, just don't understand how FP entropy works, or information paradoxes, or even what's possible: and the internet is so full of misinformation on this

I have been interested in device/browser FPing for about 8 years or more, since Eckersley's paper. I've followed developments, researched, and read hundreds of papers, thesis's (or whatever the plural of that is), PhDs, studies, and so on, in that time. In the last 8 months I've actually been doing more in this area.

Disclosure: I have been working with (or badgering) the Tor Uplift guys (well, Tom Ritter mainly: he has a special inbox for my emails, lol) for years, and have recently been to meetings with the tor project and Mozilla guys specifically for my FP'ing knowledge (I guess they deemed me worthy: I don't think that highly of myself or anything special TBH).

but just to show the user what his general fingerprint looks like

No need to re-invent the wheel. But I can talk more about this later. PS: I know you said not to include entropy figures (because that's probably too hard to implement), but those figures are all BS

@Thorin-Oakenpants

I am under impression that even Tor Browser users get unique fingerprints on Panopticlick

I'll just address this quickly, so people are informed. Yes, they may get a once-in-a-while unique from Panopticlick: but they are not unique.

You can't really look at all visits to Panopticlick, you need to look at Tor Browser users only (or the enclosed set being protected such as RFP users). It is trivial to detect Tor Browser.

Excluding leaks that haven't been patched, if any: math and science will tell you that the TZ (timezone) is immaterial, a moot point: because everyone is the same. So that TZ entropy figure does not apply. Math and science will tell you that the user agent and navigator properties and Firefox version number = 4 different buckets or FPs (the distribution of those 4 would determine the entropy, but it's not high at all). So Panopticlick's figures are not correct in this sense.

It is precisely because Panopticlick is trying to provide entropy for everyone, that it fails. Because it isn't everyone. This is just the nature of the site: not a design issue per se. It was designed to show users that FPing is a real thing.

  • The data sets are very small
  • The data is epoched now to 45 days from memory (it wasn't always), but the time frame isn't good science (IMO)
  • The tests can be flawed (at least one is)
  • The tests are very limited (there are many more in the wild)
  • The data is tainted by the nature of the visitors: that is, it is not a real world sample - it only attracts those interested in FP'ing
  • The data is tainted by repeat visits from said visitors: as they try to lower their entropy
  • The data is tainted: especially the higher value items (such as canvas) because, like a self-fulfilling prophecy, these will be the first items they will want to lower. Some of the entropy figures here are really appalling when compared to some larger real world studies
  • I have more points, but I'll stop

Again, this is not a criticism of Panopticlick (well, maybe a little): it is a criticism of how people perceive it. It's great for showing what values your browser returns on certain metrics, but that's it. Panopticlick's purpose is to scare and inform people: and that it achieves.
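To make the "enclosed set" argument above concrete, here is a small added example (written for this page, not code from Panopticlick or from anyone in this thread). It uses a constructed population of 16 visitors, 8 of them on Tor Browser, and scores the same observed value two ways: against everyone, the way a general-purpose entropy site does, and against Tor Browser users only. The timezone that looks like 1 bit of identifying information globally carries 0 bits inside the Tor set, because every Tor user reports it; the version number collapses to a couple of buckets. The attribute names, version strings and counts are all made up for the illustration.

```python
import math
from collections import Counter

# Constructed visitor records, NOT real Panopticlick data. Each record carries three
# fingerprint attributes. The Tor Browser users all report "UTC" (Tor Browser
# normalises the timezone) and fall into just two version buckets.
VISITS = [
    {"browser": "Chrome",      "tz": "America/New_York", "version": "76"},
    {"browser": "Chrome",      "tz": "America/New_York", "version": "77"},
    {"browser": "Safari",      "tz": "Asia/Tokyo",       "version": "12"},
    {"browser": "Safari",      "tz": "Asia/Tokyo",       "version": "13"},
    {"browser": "Firefox",     "tz": "Europe/Berlin",    "version": "69"},
    {"browser": "Firefox",     "tz": "Europe/Berlin",    "version": "68"},
    {"browser": "Chrome",      "tz": "Australia/Sydney", "version": "76"},
    {"browser": "Firefox",     "tz": "Australia/Sydney", "version": "69"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "8.5"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "8.5"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "8.5"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "8.5"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "9.0"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "9.0"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "9.0"},
    {"browser": "Tor Browser", "tz": "UTC",              "version": "9.0"},
]


def _population(visits, browser=None):
    """All visits, or only those from one browser family (the 'enclosed set')."""
    return [v for v in visits if browser is None or v["browser"] == browser]


def shannon_entropy(values):
    """Shannon entropy, in bits, of the distribution of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def attribute_entropy(visits, attr, browser=None):
    """Entropy of one attribute over the whole population or over one browser family."""
    return shannon_entropy([v[attr] for v in _population(visits, browser)])


def surprisal_bits(visits, attr, value, browser=None):
    """Panopticlick-style 'bits of identifying information' for one observed value:
    -log2(fraction of the chosen population that shares that value)."""
    pop = _population(visits, browser)
    share = sum(1 for v in pop if v[attr] == value) / len(pop)
    return -math.log2(share)


def anonymity_set(visits, fingerprint, browser=None):
    """Number of visitors in the chosen population matching every attribute given."""
    return sum(
        1 for v in _population(visits, browser)
        if all(v[attr] == val for attr, val in fingerprint.items())
    )


def compare(visits, attr, value):
    """Score the same observed value globally and within the Tor Browser set."""
    return {
        "global_bits": surprisal_bits(visits, attr, value),
        "tor_bits": surprisal_bits(visits, attr, value, browser="Tor Browser"),
    }


if __name__ == "__main__":
    for attr, value in (("tz", "UTC"), ("version", "9.0")):
        print(attr, value, compare(VISITS, attr, value))
    print("tz entropy, everyone:", attribute_entropy(VISITS, "tz"))
    print("tz entropy, Tor only:", attribute_entropy(VISITS, "tz", "Tor Browser"))
    print("version entropy, Tor only:", attribute_entropy(VISITS, "version", "Tor Browser"))
    print("Tor users sharing (UTC, 9.0):",
          anonymity_set(VISITS, {"tz": "UTC", "version": "9.0"}, "Tor Browser"))
```

The numbers only change because the denominator changes: the observed values are identical in both runs. That is the whole point of measuring against the protected set rather than against every visitor a test site happens to attract.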

@blacklight447
Collaborator

That was exactly my thought as well, it's great to see what values your browser gives away, which is why I wonder if we should consider making our own fingerprint scanner; your knowledge of fingerprinting techniques would be especially helpful.

@Thorin-Oakenpants

This comment has been minimized.

@blacklight447

This comment has been minimized.

@Thorin-Oakenpants

This comment has been minimized.

@blacklight447

This comment has been minimized.

@beerisgood

I find this test more useful:
https://www.bromite.org/detect

@Mikaela Mikaela changed the title ❌ Software Removal | Browser Fingerprinting section Rewrite Browser Fingerprinting section Sep 2, 2019
@blacklight447
Collaborator

@Thorin-Oakenpants do you still want to explain why it would be a bad idea?

@Thorin-Oakenpants

I'll give just one reason for starters

  • it's a waste of resources
    • I'd rather you guys & gals focused on what you do already
    • re-inventing the wheel is redundant
    • getting it right and maintaining it is a lot of work
    • making it multi-browser is even more work
    • it's probably a steep learning curve if you're going to offer anything new: most of the others just cover some really basic shit, and even then they get stuff wrong (Panopticlick incorrectly finds some fonts). I'm talking about the AIO (all in one) pages, not specific tests like browserleaks

I guess it depends on what you want to actually provide. If all you want to do is return some basics (full proper webgl FPing is not basic though) like Panopticlick (without the 3rd party tracking BS) or amiunique, then you can probably get away with it - but I fail to see why re-doing it all and maintaining it is any better than just pointing at the site itself - e.g. amiunique was created by Pierre who knows what he's doing.

@csagan5
Contributor

csagan5 commented Dec 15, 2019

I collected some resources here on Bromite's wiki: https://github.com/bromite/bromite/wiki/Fingerprinting (might benefit from some updates)

I still suggest https://browserleaks.com/ considering the data collection policies and purposes of the other websites.

@ian-tedesco

This comment has been minimized.

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 17, 2020

Who are you bumping?

Sorry for not re-reading what is currently on PTIO ... but I see so many people on reddit in r/privacy, r/firefox, and r/privacytoolsio trying to get their FP down on sites like panopticlick and amiunique - when the whole thing is flawed, and they get some really bad advice/answers from some people who just don't know better. Even tor users get all this shit wrong, but at least on r/tor system33- (that's Matt Traudt from the US Navy Research) and a few others seem to handle misconceptions - e.g. by pointing to this - scroll down to "Testing your fingerprint"

On anonymity scores: Matt doesn't work on device/browser FPing, but he's on the right track and while his comments in his article are spot on: they are really just a bunch of questions - not actual answers or reasons why. I would go further than that and actually say why they are ALL unreliable (I have about 10 to 12 reasons)

So yeah, it'd be nice to see something drafted, but IDK if I'll get time.

PS: another thing to add is that tests should be done with JS, iframes, images, css, service workers etc all allowed: as this gives you the worst case scenario of what you leak. So often I see people on reddit (or 4chan lulz) bragging how they got down to 7.5 or 8.5 or something on panopticlick - and they post a screenshot, and JS is disabled: that's not real world for anyone (except maybe Stallman)

PPS: @blacklight447-ptio If I draft something up and you go with it, I'd like to also be able to publish it elsewhere - so none of that copyright BS - kay?

PPPS: here's a little something I've been working ... <snip> <image removed>

@Mikaela Mikaela added the approved approved, waiting for a PR label Feb 17, 2020
@Mikaela
Contributor Author

Mikaela commented Feb 17, 2020

The bump is likely related to this being resurfaced in the forum [Requesting Help] Battle against Fingerprinting - How to get good results on fingerprinting tests with commons browsers? where it was cross-posted from Reddit.

My comment linking here.

PPS: blacklight447-ptio If I draft something up and you go with it, I'd like to also be able to publish it elsewhere - so none of that copyright BS - kay?

The main site is CC0 / public domain, so I don't know what you mean exactly. https://www.privacytools.io/LICENSE.txt

I would say that PRs are welcome, I don't know if anyone in the team is currently up to taking this as there are all the other issues (CoI/Whistleblower policy and I think blacklight said to take over https://github.com/privacytoolsIO/privacytools.io/issues/1430 on https://github.com/privacytoolsIO/privacytools.io/issues/1704#issuecomment-585317355) and I am not sure what the rest of the team is currently doing.

Personally I am informally away and not making editorial decisions until I feel better about it (if you haven't seen my mental health problems and burnout and issues, you are lucky) and I have been assured that PrivacyTools won't fall apart if I am not there to label every issue and comment on everything regardless of how dis/interested I am in it. See also https://github.com/privacytoolsIO/privacytools.io/issues/977

PS. I think you marked some of your comments as off-topic above so I did that to the comments relating to it. I think if it was a team member, they would have done that.

Edit/PPS. I marked the bump as spam so future readers don't have to read it, and I think it's a more appropriate label than off-topic, while I don't consider it as spam entirely either.

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 17, 2020

so I don't know what you mean exactly

OK. I need to think about this. Because I also can't have future edits by anyone distorting my word. I had already planned to write something like this, attributed to me. And then this issue popped up. I still plan to do it, independently, but it's not high priority. So maybe the easiest and cleanest way is for me to publish it, and then the one at PTIO links to it as a source, and summarizes it

I think you marked some of your comments as off-topic

I did. I didn't want to discuss what would lead to me pointing at you-know-what because I don't want to deal with "people" about you-know-what - at least not until you-know-what is ready/finished. Not trying to hide it, just making an effort not to mention it

if you haven't seen my mental health problems and burnout and issues, you are lucky

I was going to share something about being there, done that .. but I just backspaced it all. Just know that you're unique (not in a fingerprintable way) and the world is better for having you around. And ...: You don't owe anyone anything. Do what you want, especially do the things you love - and I'm not talking about just on here: I mean life in general. Don't take any shit from anyone. And if anyone around you is negative all the time (always complaining, telling lies, stressing you out), then cut them out of your life :)

PS: This : unless you've been through it, you can't really understand it. I understand it, I know where you're coming from.

Edit: ❤️

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 17, 2020

re this ptio forum thread

amiunique is flawed: you will always be unique (per session) on Firefox if you have media devices enabled, because the device IDs are not persisted across restarts. Anyway, the whole thread is just so wrong: not just the measurements, but the methodology and actually understanding what the threat model is

Edit: He must have fixed that by omitting it from the "uniqueness" score. I just tested twice with a restart in between. Both tests had different device ids as unique, but the results at the top changed from unique to almost (but only 1 browser in x)

@blacklight447
Collaborator

@Thorin-Oakenpants about the draft, sure! All the things we post on ptio and this repo are CC-0, so everyone is free to copy and repurpose it as they wish. :)

@jonaharagon jonaharagon added 📝 correction Correction of content on the website and removed 🌐 website issue *Technical* issues with the website. labels Feb 20, 2020
@dngray
Collaborator

dngray commented Oct 7, 2020

I'm going to be working on this along with #1328 and #1430.

@dngray
Collaborator

dngray commented Oct 12, 2020

I think you should still have a FP section: but almost everything currently in there is just sooooo wrong. I can explain in further detail at some point: and I'm not saying that randomly raising entropy is not a valid technique (that's not what I meant when I said wrong).

I'm inclined to agree. It's one of the parts of the site that has needed redoing for a while.

This is one section I would like to re-write for you. People, in general, just don't understand how FP entropy works, or information paradoxes, or even what's possible: and the internet is so full of misinformation on this

Very much so, we'd also very much appreciate that if you're still interested. I agree it is out of date.

So yeah, it'd be nice to see something drafted, but IDK if I'll get time.

It would probably take you a lot less time than us, given your background, experience and history over the years in this area.

OK. I need to think about this. Because I also can't have future edits by anyone distorting my word.

However you do it, we won't edit it. I am thinking maybe a quotation style, with your pseudonym as a source.

I consider you to have valuable insight based on specific experience, (that would be hard for us to replicate) supported by research and experiments of your own.

I'm thinking the way we should go forward maybe is explain what fingerprinting is, but not mention Panopticlick specifically?

I'd certainly like it to be a part of #2081

@Thorin-Oakenpants

Thorin-Oakenpants commented Oct 12, 2020

This is just like so much work for me, and I want to do it in my own time. I have plans to add an arkenfox/blog repo so I can just point to the articles and not have to keep explaining the same things over and over. I plan to add occasional pages linking to specific tests at TZP: standalone ones listed in the TZP index: and create posts such as

  • why randomizing sucks (I can almost always tell when you're lying: language, OS, timezone, canvas, domrect, textmetrics, and more: WIP)
  • why "stealth" randomizing sucks (they can be bypassed if not with mathematical proofs, then by a simple cross-origin check)
  • why using extensions for anti-FPing suck (limitations, plus I can tell you're lying anyway: see point one)
  • why randomizing sucks and is no better than lowering entropy and is in fact risky as fuck
  • why persistent randomizing per eTLD+1 per session sucks (e.g. Brave) and is flawed (they gave you a unique ID by raising entropy which can now 100% link repeat visits per session: IANAE, but it would also break Tor's circuits: changing middle/exit relays by allowing linking per session)
  • why entropy tests are BULLSHIT : see here
  • information paradoxes suck

lots of suck entries :)

Edit: don't take my made-up-title-examples literally: they deserve proper analysis and explanation

@dngray
Collaborator

dngray commented Oct 14, 2020

I have plans to add a arkenfox/blog repo so I can just point to the articles and not have to keep explaining the same things over and over.

This would actually be really good. We could then use it as a reference.

@Thorin-Oakenpants

article 1 would be defining what privacy, anonymity and security (security in the context of the other two) mean: you know, my analogy of old-timey vs digital

@dngray
Collaborator

dngray commented Oct 14, 2020

article 1 would be defining what privacy, anonymity and security (security in the context of the other two) mean: you know, my analogy of old-timey vs digital

This actually ties heavily into #1760

@IacobusKopiirefuto
Contributor

IacobusKopiirefuto commented Jan 20, 2021

If Panopticlick will still be included in the new rewrite, we probably should reflect its rebranding by EFF. The new name is Cover Your Tracks and the URL was changed as well to https://coveryourtracks.eff.org/.

The URL for the article How Unique Is Your Web Browser? Peter Eckersley, EFF was also changed to https://coveryourtracks.eff.org/static/browser-uniqueness.pdf.

The https://panopticlick.eff.org/ link redirects to the new site just fine so far, but we should probably use the new links.

@gary-host-laptop

@IacobusKopiirefuto As far as I know the idea was to leave the whole fingerprinting idea behind, since it wasn't so good at describing how it affects one's privacy, so I doubt that will still be included.
