We investigate the degree to which modern web browsersare subject to \device ngerprinting” via the version and con guration information that they will transmit to websites upon request. We implemented one possible ngerprinting algorithm, and collected these ngerprints from a large sample of browsers that visited our test side, panopticlick.eff.org. We observe that the distribution of our ngerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its ngerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample. By observing returning visitors, we estimate how rapidly browser ngerprints might change over time. In our sample, ngerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a ngerprint was an \upgraded” version of a previously observed browser’s
ngerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.
We discuss what privacy threat browser ngerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a tradeo between protection against ngerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti- ngerprinting privacy technologies can be self- defeating if they are not used by a su cient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.
Some self explanatory results (Click on the Image to enlarge) :