245 comments

[ 4.6 ms ] story [ 114 ms ] thread
What does it mean that I have a unique user agent? I just use normal brave browser.
I hope it is a joke (pretty good one if it is), but on an off-chance it is not: it is entirely plausible that you are the first Brave browser user to visit the site (or at least Brave of that version).
Not a joke, panopticlick by eff does this too and explains how it works.
Most likely that it isn't very common. Mine said <0.01% for the Brave user-agent.
Firefox developer edition / windows ranks at 0.02% :)
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0" (mainline Firefox) is apparently 0.02% as well.
Are you sure you're looking only the "User Agent"? The text at the top is describing your entire "browser fingerprint." It includes everything the server could gather from you. Including cookies, browser version, width/height of the window, etc.

In case it's not clear, uniqueness should be seen as bad in this case. It means you can be tracked.

I'm also getting unique useragent with Brave.
I'm using Brave and my useragent is not unique.

Version 1.2.43 Chromium: 79.0.3945.130 (Official Build) (64-bit)

No idea what it means, but I am also curious. I literally just installed Brave on IOS before checking it out, so I tried it on IOS Chrome and the fingerprint was still unique.

I think it might just mean that we leak waaaay more data than most of us realize...

My user agent also says 0.16% similarity and I’m just using safari on an iphone. How can that be?
There's more than one iPhone, more than one IOS version and more than one version of safari. Multiply the odds of someone having your exact setup AND browsing this site.
I get just 0,31% similarity rating with the latest Firefox.
Good news! I am unique. My experience is valid. I really needed to hear this.
The above site beachballed and was nonfunctional for me.

A better site with similar functioning is: https://panopticlick.eff.org/

panopticlick said my chrome browser was not unique.

this tool said it is.

Panopticlick is interested in solving a problem (and considerable progress has been made on that), this site is as it's name suggests here to sell you on a belief.

It'll cheerfully tell an unlimited number of identical browsers that they're "unique" because that's the message it is here to sell.

If it gave these supposedly "Unique" browsers an actually unique identifier they'd be able to compare it and see that they're not so "unique" as claimed or worse that the same browser gets different "unique" identifiers and so they aren't identifiers at all. So that's why it doesn't do that.

Interestingly this led me to notice Firefox limits hardware concurrency to a max of 16, changeable in about:config via the key dom.maxHardwareConcurrency
The irony in using the "Do Not Track" attribute to track users is delicious.
I appreciate that you pointed this out, I would have missed it.

Brilliant and terrible.

I think that I am still going to keep it enabled, as a matter of principles.
That flag was hilarious and pointless from day 1.

So we're going to ask the profit-motivated bad-actors across the web to pretty-please exempt us from your tracking because we asked nicely?

And we need to hide this away in settings and have it default-off because otherwise how will they know we really meant it?

It's like it was designed by someone with an early 90s understanding of the web, and no comprehension whatsoever of just how awful marketing can be.

Tracking should never be opt-out in the first place, and it needs to be fought with technological and legal measures, not silly http request flags.

It achieved something: it serves as evidence that companies absolutely need to be beaten into submission with heavy-handed regulation of data collection, because they can't play nice on their own.
Honestly, I had always suspected a long term game like this was the actual intent. The EFF wants to say "SEE? They can't claim ignorance, they know people's intent and they're depraved in their indifference!". No one earnestly believed this would directly enhance privacy.

But frankly, all of this is just trying to negotiate with black hats. Any company actually acquiescing to rules for privacy will find themselves out-bid by companies who can claim they have better data by operating outside the law. These protocols are using the general public's privacy as sacrificial fuel to accomplish their impossible aims. It's a whole lot of wasted effort.

I wish the EFF would figure this out, It's impossible to law away a technological reality.

From what I understand GDPR was supposed to guarantee opt-out by default and this is widely adopted. Instead of having stupid popups on every single website asking us to agree to their tracking policies, wouldn't it make more sense to enforce a law that says they should respect the setting expressed in the header and users must not be bothered?
I think we'll probably see a wave of enforcement actions at some point that address some of this stuff.

There are still companies that hide the opt-outs in places I can't find after a lot of poking around (Oath, I'm looking at you), and a lot who will make the 'no tracking' button on their pop-up small and greyed out, and then ask you to confirm it using weird language like a link saying "Leave" that actually takes you back to what you were trying to read.

This makes me curious; has anyone tried making an extension to randomly choose for each request whether or not to send "Do Not Track"? There are probably a lot of other settings that similarly don't affect the page in any visible way that could also be randomized as well. I doubt I'm the first person to think of this!
Unless everyone was doing this, it'd be worse as you'd be in the few who have this extension (which sounds like it can trivially be tested by a webpage making a couple of requests).

Better remove the DNT header from this point of view.

Is it just me or would people rather be able to spoof or disable these fields without drudging through thousands of lines of C++ code?
Most of these fields you don't want to disable or spoof because either it breaks your web experience (imagine images randomly not loading because you spoofed your headers and the server thinks your browser supports .whatever or because you emptied the list and the server doesn't know what to send) or because it makes you unique (having your build id be "" is certainly more unique than whatever others actually use).

The tests you can spoof like the canvas fingerprinting where it doesn't break the canvas and the results are already so spread out being unique isn't an identifier itself are already built into a lot of browsers. The site doesn't really acknowledge this though, it just says "you're unique" without checking if it's a different unique value each time in which case it doesn't identify you at all.

For some, no it would not really be possible.

The Canvas fingerprint is the biggest one, as it relies on different forms of hardware acceleration which is based on GPU+CPU+configs for your computer and browser.

Can't be that hard, considering Firefox allows for blocking Canvas fingerprinting in its settings, and the site indeed shows that my canvas data is shared with around 6% of the users, so definitely not unique.
However, your full fingerprint is unique among the 1545859 collected so far.
Great idea! Targeted advertising is really upsetting. If we take it one step further:

1. Find out the top non-unique fingerprint [of the year.]

2. Create a Firefox add-on (or modify Firefox source if an add-on is not powerful enough), which uses the most non-unique fingerprint [this year.]

3. Targeted advertising ends for those who use the plug-in/add-on.

It's a cat and mouse game as fingerprint parameters keep increasing, but I think it's possible to win this one.

The problem with this is the less unique you are, the more you start looking like a bot. The more you look like a bot the more times you have to do things to prove you aren't, like captchas
True.

But I only care about filling captchas on say banking websites, which is approximately happens once a month.

The rest, I just close the tab: the content never worth it.

The most obnoxious ads don't care about captchas, they just blast you with ads from your previous search keywords/browsing history.

p.s. Would the amount of captchas reduce if we take not the top most non-unique fingerprint, but say "slightly below average"? It will be still severely non-unique for ads purposes.

This is Google's strategy to defeat privacy in a nutshell
A better solution would be to scramble parts of this fingerprint for each domain.
especially if it was additive: Add fake extras to the content encoding, permissions, audio formats etc.

Although that doesn't fix everything

If everyone looks like a bot, then nobody's a bot, and they can go fuck off.
> It's a cat and mouse game as fingerprint parameters keep increasing, but I think it's possible to win this one.

I don't think it's possible to win this one without dramatic changes to the web (e.g. abandon JS). Panopticlick was started 10 years ago, fingerprinting was pretty well known about back then, and though browser vendors have started adding defenses, it has evidently done nothing as the amount of data you can gather via scripts keeps only increasing and blocking some vectors would break some sites.

The situation was dire 10 years ago, it hasn't gotten better, it's not getting better. If anything it's now just worse because of so many idiots writing sites that don't really work at all with JS disabled.

The most practical approach I can think of that you could employ right now is to move browsers to run on headless servers (instead of the user's computer) and let them stream the rendered page to your client. It's still got plenty of issues, and javascript is making it hard to do it right and have a good UX. Fuck javascript and everyone who uses it without degrading gracefully.

What terrible browser design to send all that data. I would never have imagined my computer was sending all that off 10 years ago
It's doesn't "send the data" so much as "a general purpose UI platform cannot work unless a program knows the configuration of the UI". The idea that your complex computing environment could have an arbitrary complex conversation with an app, and not expose its identity, while perhaps desirable, it impractical.

You can browser behind a generic user-agent firewall, but you'll get a severely degraded experience that treats an Apple watch the same as a desktop workstation.

Using the user agent string for this is not needed and is not common now for new projects.
Indeed, I didn't write "user agent string"; I wrote "user agent".
Standardization on only a few design variations might fix this? People would complain about monocultures, though.
It's not just about design. For instance there is Canvas and WebGL for interactive content. Different GPU's draw things slightly differently. Someone creates a canvas in the background, draws stuff, reads it back and since your machine has a particular way of drawing things (because of GPU design, drivers, different browser implementations of the painting stack) you can be tracked. Same goes for audio capabilities. If you don't want multimedia, then fine, it is slightly easier. Then the server can probably try to track you with your upload / download speed, ping etc. They can tax your cpu to see how fast it is. Then they get your browser width / height. Combine them and you can be tracked pretty accurately. There are countless avenues for fingerprinting.
Well, sure, but at the hardware level, more standardization is possible too. If you have a popular model of computer and it's the same as everyone else's computer, it's hard to get much out of identifying it. This is kind of what Apple does by offering a limited number of models.

Another approach would be to use standardized VPN's that hide client machine differences.

There are downsides, of course. I'm not sure people care about fingerprinting enough to do all that.

I didn't sign up for "a general purpose UI platform". I got on board when it was a hypertext publication system. They've been boiling this frog for 25 years.

Every year, I'm less and less convinced that JavaScript is desirable to have in a web browser.

I've heard of a similar phenomenon where hackers probing a system can fingerprint different software stacks based on what they get as responses to different "undefined behavior" inputs. Anything that communicates with the outside world is intrinsically giving up some information about itself.
It was worse when flash and java were in common use.
Alright, so how do I fix the unique ones like Canvas?

Edit: To block canvas fingerprinting I set `privacy.resistFingerprinting` to true in Firefox's about:config. Now I am trying to figure out how to disable the font list and Media devices, etc.

I am looking into this too. Looks like it's `font.system.whitelist` but I'm not sure of a "generic, common" list to add there.
I am unique through the useragent. Apparently Brave and Chrome both put the device model of your phone into the useragent string. It also contains your OS version and Chromium version. I guess those three points alone are able to very significantly narrow you down.
Im unsure why all that data is needed when i simply visit a website to read stuff or watch stuff on youtube. Is it really necessary?
Chrome published an intent to freeze the user-agent string:

https://groups.google.com/a/chromium.org/forum/#!msg/blink-d...

And replace it by Client Hints. How does that prevent fingerprinting?
In a nutshell, to my best understanding;

User-Agent is divulged publicly with all requests to all sites, so no protections exist around using it, because it is freely offered up by the user without requiring consent.

Client Hints have to be specifically requested by the remote website, which demonstrates intent to collect data, and thus falls under data collection laws.

> User-Agent is divulged publicly with all requests to all sites, so no protections exist around using it, because it is freely offered up by the user without requiring consent.

This seems like an argument you'd lose if your website failed to respond to requests that were missing the User-Agent.

Perhaps, but I know of no case law precedence one way or the other with respect to User-Agent.
Forcing fingerprinters to switch from passive methods to active methods means you can apply a privacy budget: https://github.com/bslassey/privacy-budget

Then sites that need some information can get it, but won't be allowed to get so much identifying information that you're unique.

(Disclosure: I work for Google)

I am really skeptical about the UA uniqueness fraction. I am on the latest version of Chrome on Windows and it claims that 0.17% of the people visiting the site have the same UA string. Mine is:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36

for what it's worth. Can it really be that only two in a thousand people visiting the site in the last seven days have the latest version of Chrome? Or does Chrome just update so often that very few people tend to have the same version at any one time. (If the latter, that suggests that maybe it's not a very strong tracking signal.) It seems more likely to me that the data is just stale but I guess I don't know much about the true distribution of Chrome useragents.

Same for me, it says <0.1%

I’m using the current iPad mini, which is 10 months old, with the current os version. I highly doubt I’m that unique.

What does it mean when i load the test, and it says i'm unique, and then i go back five minutes later without changing anything and it says i'm still unique?

are they tracking that i've run the test before, verifying that i'm me, and telling me i'm still unique, or is my fingerprint differing between two subsequent tests?

also, i'm suspicious about some of these values - only 0.13% of people have a querty keyboard layout? Only 7% of tests have no gyroscope? That doesn't sound right.

It says they set a cookie for 4 months.
Open a private tab and the cookie is not there.
Your username leads me to believe you're browsing from an IP address within the GDPR. Accept cookies and try again.

'AmIUniqueId', expires Mon, 25 May 2020 12:28:29 GMT

(comment deleted)
The number which seemed strangest to me is that my up-to-date pixel 3a phone has a user agent shared with only 0.01% of browsers.
that doesn't sound too far out of whack to me, considering the user-agent string changes every time your OS version and your browser version increment.
Why would the most recent version Google makes available to my Pixel 3a phone be different from the most recent version Google makes available to anyone else?
It wouldn't be, they're almost certainly doing something wrong on the back end. I sent identical requests on multiple IPs spaced out over some time, and each one of them returned as being "unique". Even though the e.g. UA values were in fact the same. I suspect some kind of aggressive dedupe of things that look too similar, or some such.
Up to date Chrome Pixel 4 here, same. I'm really the only Pixel 4 that ran this?
Since users of evergreen browsers will have frequently changing version number strings, the history of snapshots of these fingerprints is time sensitive. This serves to artificially inflate the uniqueness, as an identical device using the same evergreen browser 1 month, or 2 week ago, will not match you now, but would match if they revistited with their now updated browser.

To be useful, fingerprinting techniques need to somehow be robust against always increasing version numbers of evergreen browsers in ways that this website is not.

Is there something actionable I can take based on the results of this page? E.g. is there some Firefox add-on that obfuscates attributes used for fingerprinting?
What I don't understand that the user agent for the latest version of Firefox (on Windows 10) has a similarity rating of just 0,31%.
That's across "all time", not just the last 7 days.

But for the last 7 days, Firefox has over 300%, and Windows over 285%. Gecko is over 700%. Screen left of 0 is 250%. -- I'm guessing some kind of calculation error?

TOR browser on highest security level, javascript disabled and windowed returns: Almost! (You can most certainly be tracked.)
I've just tried the same, but the HTTP header user agent and the javascript one are different. Maybe TOR varies some attributes?
I tried it myself in Tor Browser, and I think this conclusion "You can most certainly be tracked" is highly misleading. Without JavaScript, the only information collected by the website is the headers sent by the browser, listed below...

> User agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 (all time: 2.19% / 30 days: 10.80%)

> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 (all time: 52.15% / 30 days: 37.04%)

> Content encoding: gzip, deflate, br (all time: 66.35% / 30 days: 92.02%)

> Upgrade Insecure Requests: 1 (all time: 27.33% / 30 days: 85.86%)

> Referer: https://amiunique.org/ (all time: 16.55% / 30 days: 60.97%)

> JavaScript disabled (all time: 4.70% / 30 days: 14.09%)

Surely, there are ways to track users without JavaScript, but none of them is inspected by the website. The website only inspects the headers, and from the listed information above, the tracker doesn't learn anything more than "This user is running the latest release of Tor Browser with JavaScript disabled", and at least 100,000 people are doing it right now.

But because the sample size of this website is limited, it only sees the fact that these attributes seem to be a very small percentage of the overall traffic, while ignoring the fact that these headers are generic, it makes the conclusion.

> "You can most certainly be tracked"

Which is misleading. A Tor Browser with JavaScript disabled is still one of the most difficult browsers to track.

The website actually tells you that,

> But only 1440 browsers out of the 1560340 observed browsers (<0.01 %) have exactly the same fingerprint as yours.

If you are the only person using the latest version of Tor Browser to access this website with JavaScript disabled, yes, you can be tracked as a "Tor user without JavaScript", and if you enter personal information, your identity can be crosstracked between websites (if you are still the only Tor user with JavaScript disabled). Otherwise, not much.

Interestingly, when a new Tor Browser release comes out, there will always be an user to upgrade the browser before everyone else, then goes to a fingerprint testing website, tests the browser, and says "OMG! I'm unique and trackable!". In this case, don't panic, just keep using it, you won't be unique anymore within a week.

Worth noting that by default, the Tor Browser has JavaScript enabled (only disabled on non-HTTPS sites).
(comment deleted)
Sites like this and the EFF’s panopticlick err on the side of saying you can be tracked when that might not be true.

For example: I visited this same site a while ago with the same device, and both times it has said I was unique. A new version of iOS came out, so my user agent changed. Unless sites are also storing unique data on your machine (through cookies or localstorage), browser fingerprinting is a crapshoot. This goes double for mobile devices.

Another unusual circumstance is when you're the first users who have just installed the latest software update, a fingerprint testing website will identify you as an unique user. But you won't be unique anymore within a few days.

It happens a lot in the Tor mailing list. Often, a new major release of Tor Browser comes out, a user is shocked by the upgrade, "OMG! I'm unique and trackable!". Don't panic, just keep using it.

Of course most sites that try to track you are also storing cookies or local storage. It only takes one to tie your two unique fingerprints together... of course your IP address might suffice. Or account/email address, if you're logged into a site that shares data with third parties and use the same address.

I'm sure someone's also devised a way to guess how to bind two fingerprints together when OS or browser updates but many other parameters (timezone, ip, language, screen size, fonts, etc) remain similar enough.

Would I be right in saying that if you use iOS safari (which a decent number of mobile users use) you are not very unique at all and any tracking based on browser fingerprinting is pretty useless? (Or is it the combination of a non unique browser fingerprint with a slightly more targeted origin IP address from the ISP) that makes it almost worth/possible trying to identify a person without cookies?
I’m surprised at how low the percentages are on my iPhone. It says only ~35 other people have had the same fingerprint as me.

I’m running safari, private mode, plus a single content blocker app.

I was quite surprised that on my iPhone 8 Plus with iOS 13 I was totally unique apparently. How exactly could that be possible if this is a device where I cannot install any plugins, change fonts, or really do anything to make it more or less different to another iPhone?
>ANGLE (NVIDIA GeForce GTX 1070 Direct3D11 vs_5_0 ps_5_0)

Wow I didn't know it reveals the GPU

My fonts alone makes me pretty unique it seems (<0.01%). 180 or so fonts that the browser is happy to share with the world. Does seem a little unnecessary.
I can't remember which but either Firefox or Chrome only send a standard list of fonts.
Doesn't seem to be the case. I tried both browsers and got the same result, i.e. 180+ fonts sent (<0.01% match)
Safari does that.

Firefox has an about:config preference that would let you set up a font whitelist yourself, but it doesn’t have a standard set.

Firefox's preference is "font.system.whitelist". You can specify a list of which fonts are exposed to web content (such as the default set shipped with your OS). The preference is used by the Tor browser.

https://bugzilla.mozilla.org/show_bug.cgi?id=1121643

Does Safari actually do something similar? On my Mac, amiunique.org reports 344 fonts in Safari, 331 in Firefox (not using "font.system.whitelist"), and 309 in Chrome.

My list of fonts includes OpenDyslexic and OpenDyslexicMono and puts me at < 0.01% as well.
(comment deleted)
Qwerty keyboard layout yields 0.7% uniqueness? Do other browsers just not declare this?
In my Firefox it says "Not supported"
Not supported is 3.96%

So anything that's not QWERTY nor "unsupported" makes up the remaining ~95%?

AZERTY gave me 0.03%, even though France and Belgium together have >1% of the world population, and definitely more than one percent of all internet users.
Apparently I'm the only person in the world using linux-5.4.14-zen with a Radeon VII. Which would be kinda cool if that information wasn't being broadcast to every site I visit.

    user_pref("webgl.enable-debug-renderer-info", false);
for Firefox.
The problem is that even if you can disable this one, it's enabled by default and browserv vendors keep adding this shit without any concern for the privacy impact.
And I'm the only person using the materialistic app (HN reader) on Android 5.1 on a 1st gen Moto X. That I can believe...
Hello from a Materialistic on Pixel user!
It's not that you're special for running Linux, it's just that it's very easy to be unique!

I'm running a stock Windows 10. Microsoft Edge with Ublock Origin as only browser extension.

Software installed is Visual Studio, Visual Studio Code, NVidia CUDA development System, Erlang Dev System, and Microsoft Office. That's it.

You'd think there would at least be "dozens" of us. Nope:

> Your full fingerprint is unique among the 1572109 collected so far.

User Agent is < .01%

> Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4023.0 Safari/537.36 Edg/81.0.396.0

and my fonts are < .01%

> Agency FB, Aharoni, Algerian, Arial, Arial Black and 171 others

Other < .01% are "WebGL Parameters", "Connection" and "Navigator Properties"

I'm on an iPhone 11 Pro Max and I'm unique, apparently due to my language and time zone.
I have multiple attributes that are each unique: * Content language (HTTP header) * Content language (JS) * List of fonts (JS) * Media devices

A bit surprised that it doesn't even need to do any fancy combinations of identifiers to get a uid in my case.

Remember that you are unique in the list of visitors to this website. That is a limited group. You are probably unique anyway, but the numbers here are not acurate.
Same for me. Content languages are all unique. Same for fonts and media devices.

Really wonder how I can hide that information from my browser...

I switched to 30d because with browser update cycles "all time" is kinda useless, imho.

> Content language 31.51% en-US,en;q=0.5

This is a default Firefox. I didn't change anything. Surely there's probably only Chinese that has more users of this language?

I'm not even an American or in the US... (all time it was just below 30%, not teal-colored, but already orange..)

Also why is the JS result for Content language 35.40%?

Whereas my list of plugins is 46.2% (higher value seems better) - but I'm absolutely sure there's at least one uncommon one among them...

Hardware concurrency 16 is really interesting, 3.32%, probably all fellow Ryzen users.

TLDR: Surely there are some of those properties where it absolutely makes sense to avoid the uniqueness, but others seem a bit like bullshit metrics.

But on the other hand, my user agent (OS+Browser) = 7.37% is a really good sign for me. I find this a very, very high percentage. (Ok, it's Win10+Firefox, but still...)

Agreed, some of those stats are questionable.

A basic Microsoft Edge installation with en-GB content language header has a similarity ratio of 0.18% -- really?

Java enabled: true -- 0.26%

Java enabled: false (on Brave) -- 8.75%

They make sense.

en-GB would start below 5%, having en-GB on edge means someone would have to be using edge (under 1%) and not on the mobile for a mobile first site.

Keeping a current java version enabled is difficult. Each browser update, each java update disables java by default now.

Could be a small Brave sample size.

I fired up Chrome (I'm a Firefox user too), and for content-language it showed "en-US,en;q=0.9" (FF is q=0.5), so I guess each language is broken down into a few buckets.