Am I Unique?

useradd_deploy
5 min read · Dec 9, 2017

Yes, I’m unique. At least I am when I’m browsing the web. And that’s not a good thing because it means that I can be identified and tracked online. You can too.

The problem with browser and device fingerprinting is that it doesn’t depend upon any cookies stored on your device. You and I can’t defend against it by blocking or deleting cookies.

In my last post — What’s My Fingerprint? — I began looking at browser and device fingerprinting by reviewing test results from EFF’s Panopticlick. In this post, I’ll look at another snapshot of my Chrome browser’s fingerprint on my Mac, this time examining test results from the website AmIUnique?

AmIUnique? is a project of a team of European researchers who are studying software diversity on the web. It’s funded by the DIVERSIFY European project and is hosted at the INRIA Rennes Bretagne-Atlantique research center. Which is to say that this project is legit.

Just like EFF’s Panopticlick, AmIUnique? provides users with basic information about their configuration and how trackable it is. AmIUnique? runs its own set of tests. Some are the same, some are different, some are the same type of test implemented in a different way. When I run AmIUnique?, it gives me these results:

Are you unique?

Yes! (You can be tracked!)

38.68 % of observed browsers are Chrome, as yours.

1.XX % of observed browsers are Chrome 62.X, as yours.

13.65 % of observed browsers run Mac, as yours.

0.XX % of observed browsers run Mac 10.1X, as yours.

63.51 % of observed browsers have set “en” as their primary language, as yours.

X.XX % of observed browsers have UTC-X as their timezone, as yours.

However your full fingerprint is unique among the 5XXXXX collected so far.

These results accord with Panopticlick’s, which reports that Chrome on my Mac reveals 19 bits of information, meaning that it likely can be picked out from a half million devices (2¹⁹ = 524,288).

Let’s look closer at AmIUnique’s results.

1. Canvas fingerprint (< 0.1%)

According to Panopticlick, canvas fingerprinting is the item that’s most powerful in identifying a browser and device. AmIUnique? agrees.

Panopticlick says that canvas fingerprinting reveals 10 bits of information. In other words, according to Panopticlick, fewer than 0.1% of other devices share the canvas fingerprint of Chrome on my Mac. AmIUnique? concurs, reporting that my similarity ratio is less than 0.1%.

The ingenuity behind AmIUnique’s canvas fingerprinting test is impressive.

Like other such tests, AmIUnique?’s canvas fingerprinting test tells the browser to render the same pangram twice in different fonts. For the first line, the test tasks the browser to use a non-existent font with a made-up name. That causes the browser to use a fallback font, which differs depending upon the device and OS. For the second line, the test directs the browser to use Arial, which is commonly found across devices and operating systems. Because different devices and operating systems render the identical text in the identical font slightly differently, the test can detect subtle yet stable differences that can be used to identify and track a device and its user. For the final character of each line, the test tells the browser to render an emoji of a smiling face with an open mouth. Since the depiction of the same emoji with the same Unicode value varies among devices, manufacturers, operating systems and even versions of the same OS, including emoji in this test is a powerful technique to fingerprint browsers and devices.
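Seen from the defender's side, the test described above leaves a recognizable pattern of canvas API calls. The following is an added example, not code from AmIUnique? or from this post: it scans a recorded call trace and flags scripts that draw text and then read the pixels back. The trace format, the URLs, the pangram and the thresholds are assumptions made for illustration.

```javascript
// Added example. Trace format, URLs and thresholds are assumptions for illustration.
const READBACK = new Set(["toDataURL", "getImageData"]);
const MIN_DISTINCT_CHARS = 10; // assumed cut-off: a pangram covers far more than a short label

function analyzeCanvasTrace(trace) {
  const perScript = new Map();
  for (const call of trace) {
    if (!perScript.has(call.script)) {
      perScript.set(call.script, { chars: new Set(), fonts: new Set(), emoji: false, readAfterText: false });
    }
    const s = perScript.get(call.script);
    if (call.api === "font") s.fonts.add(call.value);
    if (call.api === "fillText" || call.api === "strokeText") {
      for (const ch of call.value) s.chars.add(ch);
      if (/\p{Extended_Pictographic}/u.test(call.value)) s.emoji = true;
    }
    // Reading pixels back only matters once text has been drawn.
    if (READBACK.has(call.api) && s.chars.size > 0) s.readAfterText = true;
  }
  return [...perScript].map(([script, s]) => {
    const reasons = [];
    if (s.readAfterText) reasons.push("pixels read back after text was drawn");
    if (s.chars.size >= MIN_DISTINCT_CHARS) reasons.push("text with many distinct characters");
    if (s.fonts.size >= 2) reasons.push("text drawn in more than one font");
    if (s.emoji) reasons.push("emoji drawn");
    // Read-back is required; two further signals separate a probe from a chart export.
    return { script, flagged: s.readAfterText && reasons.length >= 3, reasons };
  });
}

// Constructed traces: a probe shaped like the test described above, and a chart that is exported.
const PANGRAM = "Sphinx of black quartz, judge my vow \u{1F603}";
const probe = "https://tracker.example/fp.js", chart = "https://app.example/chart.js";
const sampleTrace = [
  { script: probe, api: "font", value: "18px no-such-font-xyz" },
  { script: probe, api: "fillText", value: PANGRAM },
  { script: chart, api: "font", value: "12px Arial" },
  { script: chart, api: "fillText", value: "Q1" },
  { script: probe, api: "font", value: "18px Arial" },
  { script: probe, api: "fillText", value: PANGRAM },
  { script: chart, api: "fillText", value: "Q2" },
  { script: chart, api: "toDataURL" },
  { script: probe, api: "toDataURL" },
];

for (const r of analyzeCanvasTrace(sampleTrace)) {
  console.log(r.flagged ? "FLAG" : "ok  ", r.script, r.reasons.join("; "));
}
```

The chart script also calls `toDataURL`, but with two short labels in one font it collects a single signal and is not flagged.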

2. User Agent (< 0.1%)

Panopticlick reports that the User Agent is the second most powerful item. AmIUnique? agrees. In fact, according to AmIUnique?, the User Agent is tied for being the most powerful item.

Panopticlick says that the User Agent reveals 9 bits of information, which means that fewer than 0.2% of browsers share the User Agent of Chrome on my Mac. AmIUnique? believes the User Agent is even more powerful, reporting that my similarity ratio is less than 0.1%, which is the equivalent of 10 bits of information.

3. List of Plugins (0.15%)

Panopticlick reports that Browser Plugin Details comprise the third most powerful item. AmIUnique? agrees again.

According to Panopticlick, my Browser Plugin Details convey 8 bits of information, meaning that fewer than 0.4% of browsers share these plugin details. AmIUnique? reports that the List of Plugins is even more powerful, stating that my similarity ratio is 0.15%, which translates to approximately 9 bits of information.

4. HTTP_Accept Headers (8.XX%)

Panopticlick says that HTTP_Accept Headers are the fifth most powerful item, revealing 6 bits of information, meaning that 1.5% of browsers share the same headers as Chrome on my Mac.

AmIUnique? ranks HTTP_Accept Headers as the fourth most powerful item, calculating that my similarity ratio is approximately 8%, which is roughly equivalent to 4 bits of information.

Interestingly, Panopticlick and AmIUnique? report different HTTP_Accept headers for Chrome on my Mac. Panopticlick reports:

text/html, */*; q=0.01 gzip, deflate, br en-US,en;q=0.9

However, AmIUnique? and WhatIsMyBrowser? report:

text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.9

Looking into this, I see that Panopticlick (at least in 2010) did not implement testing for “variation in HTTP Accept headers across requests for different content types.” That may explain the difference. That also suggests that the inability of sites such as Panopticlick and AmIUnique? to capture the full range of fingerprinting techniques used in the wild means that their results likely represent a floor for fingerprinting, rather than a ceiling.

5. Remaining Items

The remaining items in AmIUnique?’s test results largely mirror those of Panopticlick.

One exception is WebGL fingerprinting. After analyzing 40,000 fingerprints, the AmIUnique? research team concluded that a WebGL test requiring the browser to draw three objects — a sphere, a cube and a torus knot — was too unreliable. In its place, AmIUnique? collects the WebGL vendor (such as NVIDIA or Intel) and the WebGL renderer (such as GeForce GTX 650 Ti/PCIe/SSE2 or Intel HD Graphics 5000 OpenGL Engine). Interestingly, while some browsers such as Firefox block these requests, Chrome freely provides this information.

Another exception involves items such as English as the content language in the HTTP_Accept headers or a time zone in the U.S. AmIUnique? views those selections as possessing greater discriminatory power than Panopticlick does. This undoubtedly is due to the fact that AmIUnique?’s research team is European and its website likely draws a greater proportion of European users and a smaller proportion of American users when compared to Panopticlick.
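The relationship between similarity ratios and bits used throughout this post, and the way the same language and time zone carry more information on a site with fewer American visitors, can be worked through in a few lines. This is an added example, not code from either project; both populations and the visitor's time zone are constructed for illustration.

```javascript
// Added example. Both populations are constructed; they are not AmIUnique? or Panopticlick data.

// Surprisal in bits of a value shared by `share` of observed browsers.
const bitsFromShare = (share) => -Math.log2(share);
// Size of the crowd a browser hides in after revealing `bits` bits.
const crowdSize = (bits) => 2 ** bits;

function surprisalReport(population, mine) {
  const attrs = Object.keys(mine);
  const perAttr = {};
  for (const a of attrs) {
    const same = population.filter((fp) => fp[a] === mine[a]).length;
    perAttr[a] = bitsFromShare(same / population.length);
  }
  // Browsers matching on every attribute, including the visitor's own entry.
  const twins = population.filter((fp) => attrs.every((a) => fp[a] === mine[a])).length;
  return { perAttr, twins, jointBits: bitsFromShare(twins / population.length), unique: twins === 1 };
}

const rep = (n, language, timezone) => Array.from({ length: n }, () => ({ language, timezone }));
const mine = { language: "en", timezone: "UTC-5" }; // constructed; the page elides its time zone

// Constructed site with mostly American visitors (8 browsers, the visitor included).
const usHeavy = [
  ...rep(2, "en", "UTC-5"), ...rep(1, "en", "UTC-8"), ...rep(1, "en", "UTC-6"),
  ...rep(2, "es", "UTC-5"), ...rep(1, "fr", "UTC+1"), ...rep(1, "de", "UTC+1"),
];
// Constructed site with mostly European visitors (8 browsers, the visitor included).
const euHeavy = [
  ...rep(1, "en", "UTC-5"), ...rep(1, "en", "UTC+0"), ...rep(3, "fr", "UTC+1"),
  ...rep(2, "de", "UTC+1"), ...rep(1, "it", "UTC+1"),
];

console.log("US-heavy:", surprisalReport(usHeavy, mine));
console.log("EU-heavy:", surprisalReport(euHeavy, mine));
// The page's conversions: 0.1% -> ~10 bits, 0.15% -> ~9 bits, 8% -> ~4 bits.
for (const share of [0.001, 0.0015, 0.08]) {
  console.log(share, bitsFromShare(share).toFixed(2), "bits");
}
console.log(crowdSize(19)); // 524288, the 2^19 quoted from Panopticlick
```

On the European-heavy sample the two attributes give 2 and 3 bits separately but only 3 bits jointly, because language and time zone are correlated; adding up per-attribute bits overstates the total.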

All in all, AmIUnique? reinforces Panopticlick’s results: even without cookies, it’s easy to identify and track devices and users on the web. In my next post, I’ll look at two more fingerprinting test sites by Inria research teams that are companion projects to AmIUnique?: the Cross-Browser Fingerprinting Test and the Browser Extension and Login-Leak Experiment.

Presidio Model, Nueva Gerona, Isla de Pinos, Cuba
