
Re: [tor-talk] panopticlick data



On 10/1/2013 12:48 AM, Andreas Krey wrote:
> On Mon, 30 Sep 2013 21:08:58 +0000, Joe Btfsplk wrote:
> ...
>> No cookies are set, so that doesn't affect outcome.  In fact, the "bits
>> of identifying information" shown in results chart largely remain
>> identical (except screen size sometimes changes), but their estimate of
>> "One in X browsers have the same fingerprint as yours," keeps going
>> down dramatically - each time I re run the test.
> How do you expect them to identify repeat visitors as opposed to
> counting them as separate incarnations, thus lowering the uniqueness?

Not sure I understand the question in this context. Without cookies, I don't expect them to identify repeat visitors. I read their full paper on how they use the data collected https://panopticlick.eff.org/browser-uniqueness.pdf

Me visiting 2 - 4 more times, or even the other site visitors - *in the same 2 - 4 min. span*, wouldn't (actually) affect the statistics & lower their reported uniqueness estimate by factors of 2, 3 or more.

Repeating the test 4 times, almost immediately (clearing cache between), out of an existing database of millions of other site visitors, wouldn't lower my uniqueness from 1 in 1.7 million, then to 1 in 700,000, to 1 in 500,000.

I checked regular Fx again today & my uniqueness just keeps dropping w/ each test. If I'd kept going, it may have gotten to, "One in 100 browsers have the same fingerprint."

Nothing changed about my browser between "tests," so those huge decreases in my uniqueness would be statistically impossible, unless they had MANY millions of other visitors in the same few minutes I was testing - which they didn't.

Just now (10/1/2013), I checked both TBB 2.3.25-12 (& Firefox 23 - showing its true useragent info). Panopticlick showed TBB was over 3 times LESS unique than regular Fx. TBB: 1 in 689,000 vs Fx 23: 1 in 203,000, at least in one test. That may not be statistically meaningful, but it's a concern. Most of the difference came from TBB reported screen size (which showed the correct screen width of my monitor), where Panopticlick shows regular Fx 23 screen width as 256 px LESS than TBB. Not sure how that's possible for width.

The bigger point is, uniqueness values for either browser keep dropping *dramatically*, repeating the test a few times in just 2 - 3 minutes, when browser characteristics didn't change. Making the value of their estimates questionable. I may contact them to see if they have an explanation for this.

Possible solution to make fingerprinting more difficult: An extension or TBB design that regularly or randomly changes / spoofs values for some of the data used to "calculate" uniqueness. There are extensions that change some (like useragent), but don't change it repeatedly. To avoid tracking Tor users from entry to exit, some browser characteristics would have to change rapidly & often.

I have no idea if the current consensus is that trackers could identify a user from ONE request or a SINGLE entry / exit in the Tor network (making it hard, but not impossible to intentionally change browser characteristics during that short time). Or... if they'd need to observe several entries / exits (or several requests & receipts involving same relays) to conclude with high confidence that it is the same browser.
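The counting effect raised in the quoted question, as an added example that is not part of the original thread and is not Panopticlick's code: a toy "one in X browsers" estimator that can only link repeat visits through a cookie it issued. The class and function names, the cookie scheme, and the background population of 999,999 other browsers are assumptions constructed for illustration.

```python
import math
from collections import Counter


class UniquenessEstimator:
    """Hypothetical 'one in X' estimator; repeat visits are linked by cookie only."""

    def __init__(self, background):
        # Constructed sample data: `background` earlier browsers, all with
        # fingerprints different from the one under test.
        self.total = background
        self.counts = Counter()
        self.issued = set()

    def record(self, fingerprint, cookie=None):
        """Record one visit and return the cookie the browser should keep."""
        if cookie in self.issued:
            return cookie              # linkable repeat visit: not counted again
        self.total += 1                # looks like a browser never seen before
        self.counts[fingerprint] += 1
        cookie = f"id-{self.total}"
        self.issued.add(cookie)
        return cookie

    def one_in(self, fingerprint):
        """'One in X browsers have the same fingerprint as yours.'"""
        return self.total // self.counts[fingerprint]

    def bits(self, fingerprint):
        """Self-information of the fingerprint in bits: log2(total / count)."""
        return math.log2(self.total / self.counts[fingerprint])


def simulate(clear_cookies, visits=4, background=999_999):
    """Visit repeatedly with an unchanged fingerprint; return X after each visit."""
    est = UniquenessEstimator(background)
    cookie, results = None, []
    for _ in range(visits):
        cookie = est.record("unchanged-fingerprint", cookie)
        if clear_cookies:
            cookie = None              # browser discards the cookie between tests
        results.append(est.one_in("unchanged-fingerprint"))
    return results


if __name__ == "__main__":
    print("cookies kept:   ", simulate(clear_cookies=False))
    print("cookies cleared:", simulate(clear_cookies=True))
```

In this model the estimate after k unlinkable visits is roughly the first estimate divided by k, regardless of how large the background population is.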