Slashdot Mirror
Tracking Browsers Without Cookies Or IP Addresses?
Peter Eckersley writes "The EFF has launched a research project called Panopticlick, to determine whether seemingly innocuous browser configuration information (like User Agent strings, plugin versions and fonts) may create unique fingerprints that allow web users to be tracked, even if they limit or delete cookies. Preliminary results indicate that the User Agent string alone has 10.5 bits of entropy, which means that for a typical Internet user, only one in about 1,500 (2 ^ 10.5) others will share their User Agent string.
If you visit Panopticlick, you can get a reading of how rare or unique your browser configuration is, as well as helping EFF to collect better data about this problem and how best to defend against it." I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others.
I compared between IE, Firefox, Chrome and Opera. Both IE and Firefox were completely unique even with the user agent because of the .NET versions there. Opera and Chrome were quite genetic.
Plugins were also completely unique and really easy to detect in any other browser than IE8. Interestingly IE's plugin list was really small and not at all so unique. IE's top "warning" bar asked me if I want to run specific plugins (probably to detect them). System fonts were completely unique and looks like easy to detect.
Remember that this is info that for example Google gets all over the internet via Analytics - they don't even need those tracking cookies because your browser leaves so much unique data behind it that it doesn't matter. And so does every website owner.
Another thing people usually forget about when clearing cookies is that Flash has cookies too and they don't clear along. When have you last time cleared them? Probably never. You can use BleachBit" to clear those along with other software, history and temp data.
I'm glad they gave me some new ideas for tracking.
Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on 'db' (4) in /www/panopticlick.eff.org/docs/config/db.inc.php on line 3
/www/panopticlick.eff.org/docs/config/db.inc.php on line 4
/www/panopticlick.eff.org/docs/config/db.inc.php on line 4
Warning: mysql_select_db() [function.mysql-select-db]: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) in
Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in
Has the site been just slashdotted ?
Don't you know it is now both immoral and criminal to think beyond the next quarterly report?
in the market research industry.
Unless you are one of the 100,000 using any particular Dell/HP/Apple default install on your pc.
2 ^ 10.5 is lost of combinations , but is bet there are lots of spikes on some.
Cruise TT
You'd think that the EFF would know how to run a website that doesn't shit itself as soon as it hits slashdot...
If patriotism is racist, is racism patriotic?
Researches have found a way to track web sites based on the MySQL errors they produce when they're slashdotted.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Panopticlick 0.01
>"Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /www/panopticlick.eff.org/docs/common.inc.php on line 163
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /www/panopticlick.eff.org/docs/common.inc.php on line 163
Warning: Division by zero in /www/panopticlick.eff.org/docs/common.inc.php on line 173
Within our dataset of visitors, one in 0 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys INF bits of identifying information."
Now that's an unique fingerprint.
The site says Only anonymous data will be collected by this site. Yet they are collecting data to see how un-anonymous you actually really are! :)
This is nothing new. RSA has been using this to detect fraud for quite a while now.
Cookies, Plugins, User Agents, Timezone, Browser, detectable browser settings, etc.
They easily make up a very accurate fraud detection system.
By subtly changing where the errors occur (and which ones are reported), they can correlate your slashdot post with the attempted page fetch...
I think nobody guessed anyone would care about visiting a website of a non-profit organization?
http://laxu.de/useragent.php test it ... a bit out of date (thinks arora is googlebot), but its still working good for the most common browsers.
We are all V
or
We are all Zero
Choice will of course depend on if you are a V for Vendetta or Code Geass fan. It will aso decide which mask you should wear when the revolution comes.
We could also use;
Ninjas (should Ninjas be blank?)
Pirates
Once we get IPv6 everywhere, most ISPs will simply assign each user a fixed subnet, since that is so much easier and more efficient than keeping track of dynamic assignements. Same for large networks that currently use NAT.
So the vast mayority of users will have a unique non-changeable ID, making cookies or this kind of tracking obsolete.
Browser Characteristic : User Agent
bits of identifying information : 11.09+
one in x browsers have this value : 2183
value : Lynx/2.8.5rel.1 libwww-FM/2.14FM SSL-MM/1.4.1 OpenSSL/0.9.7d-dev
(Course, i'm also two minor releases behind...but still, 1 per 2000 is more common than I would've guessed)
As a graphic designer, suppressing the font list would help. Why is it even needed?
Woho!
"Your browser fingerprint appears to be unique among the 3,026 tested so far."
3026 is a super small sample though.
Belief is the currency of delusion.
It doesn't seem to work that well. I know for sure that my browser's UA string is globally unique - and am still
told that one in 4316 browsers will have that UA string.
Your browser fingerprint appears to be unique among the 5,465 tested so far.
Oh my browser is unique just like me.
The web site says I am unique (well I knew that). I'm still running WIN7 RC.. Maybe I should change the ver to WIN98ME. Then I would be unique and certifiable.
Sorry, but gray text on gray background is making my eyes bleed.
roughly one in five browsers has javascript disabled.
Then again, that's probably artificially high based on what circles this story has been circulating in.
My desktop environment is so far unique over 2,357 samples, and my iPod Touch is unique over 2,239 samples. Interesting. I know I have some interesting pieces to my desktop, but 1/2357 surprised me. My iPod Touch being unique, on the other hand, just tells me more about who they've sampled so far than about the uniqueness of the test.
Lets see whose tracking what :P
Somebody write a firefox plugin that changes "Fingerprints" to "DropDB" statements
Write a browser plug-in that randomly mangles these bits of information into to other valid values before passing them to the website, in known "good" combination. You'll start to look like other random people on each request.
Your browser fingerprint appears to be unique among the 6,764 tested so far.
Your browser fingerprint appears to be unique among the 7,335 tested so far.
slashwhat?
And further reloading is a good way to make your browser readings more popular and thus less unique ;-)
Those people who have tons of fonts installed because they design logos and banners and stuff will have the most unique fingerprint of them all, because not all designers install the same font packs.
That and everyone who has a font of their handwriting on their computer, made with Fontifier or whatnot. They'll have unique fingerprints too, unless they distribute the font to friends or family.
I have my handwriting as a font. I'm going to be a unique browser fingerprint for as long as this test is carried out. I guarantee it.
I look at user agents from time to time, and it blows my mind how much stuff some programs are permitted to put in there. It seems like every toolbar, add-on, and browser re-branding these days wants to put itself in you user agent.
I wonder what the longest non-fake user agent is these days? I recall there was a problem a while back on the Mozillazine forums because it records user agent strings for support purposes, but only allocated so many characters. Thanks to some new toolbars and such some people couldn't post because their user agent string was to long.
I don't think people realize that what some programs can add to their user agent sting can potentially be a privacy issue.
Really, even with a most basic user agent string there is, arguably, still information that probably doesn't need to be there any more. Do web sites really need to know your specific Windows version? CPU Type? Rendering engine version? Browser minor revision? And what is with all the MS .Net verison info anyway? It just seems like a lot of detail.
Each click halves the "uniqueness" so while I started as unique among the 2500 captures and 12.5 bits of id, after 10 clicks I was about 1 in 40 and about 5 bits.
Revealing 10.5 bits of information about yourself will place you in one of roughly 1500 groups, not in a group of size 1500. With more than 1.5 billion internet users, you are "identified" as being in a group of 1 million.
unique so far?
There is an option for privacy enhanced web browsing: IE compatibility test virtualization images. A very common OS packaged with a vanilla install of a very common browser, neatly resettable in a virtual machine. Thank you, Microsoft.
When I went to their site to find out how "unique" I was, the site launched a java applet. This isn't tracking browsers at this point, it's tracking JVM's too. If you're allowed to have the browser launch a third party application, then might as well launch an .exe that scours your hard drive and does an HTTP call back to the EFF.... at that point, might as well just say every system is unique.
I did not realize that my plugins list was the largest source of fingerprint data. I didn't even know it was listed.
I imagine many people use Opera at my screen resolution, but I'd be interested in seeing how many people shared my particular combo of data (aside from the plugins list).
With javascript disabled, they said my browser was 1 in 140.
With javascript enabled, they said my browser was unique among all browsers seen so far.
NoScript is so great.
Your browser fingerprint appears to be unique among the 10,808 tested so far.
I just realised that the fact that I turn off all my plugins(and java) and have multiple languages enabled, probably gives a completely unique fingerprint to automated stalkers like google.
Fresh install of Firefox for windows from getfirefox.com rendered me unique out of 9608. A fresh install in wine, that is.
Panopticlick says I am a unique snowflake, but here on slashdot, I'm just an AC.
Funny thing is, my browser is unique every time I go there, thanks to Firesomething.
Nevermore.
"I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others."
Mr Taco must have laughed the laugh of a naive person.
These people made a /statement/, /trading/ this little aspect of their privacy in the process. Seeing they were at least smart enough to see there is a thorny privacy issue with the user agent string, it's also logical to assume they were very much aware of this trade.
From the Ubuntu Live CD, I'm unique among 14998 people.
This is an unmodified Live CD running default everything.
I'M BEHIND SEVEN PROXIES!!!!
What will happen when 'they' identify me and fail to correlate my purchase history with the ads I have been served?
"Oh jeez, another one who buys the same groceries every week, drives an old car and wears £3 Asda clothes until they fall to pieces!"
"Another windows 2000 user?"
"Yeah!"
"Dammit, just stop serving him any pages at all and put him on the 'to kill' list."
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
I got my entropy up to 14+ by becoming a Mozilla/4.78 (Macintosh; U; PPC).
"I remember laughing years ago when I would see users who had modified their user agent string with some sort of defiant pro-privacy message, without realizing that their action made them uniquely identifiable out of hundreds of thousands of others."
Editor is a complete moron. What were they trying to be private about? Did you talk to them? Self-centered moron who both created and destroyed /.
When people modified their user agent back in the day when it was commonplace, it wasn't much about being tracked on an individual basis. It was about keeping the site and web people from trying to make their sites browser, platform, or even plugin specific. Back then, IE was huge, and sites were going IE specific, even to the point of locking out browsers.
Modifying the user agent meant, generally, the site didn't have a clue what browser the person was using, and couldn't craft the content and layout. These were the days when sites wouldn't even render if you were using something other than IE, or Netscape. It was commonplace then, as it is now, to require a browser, as now it is to require a plugin (like Adobe Flash, that piece of shit).
It was all for naught, as sites now have gone nearly all Flash, or the layout is browser specific, or lots of JS use. A lot of content is just a mess, not looking the same from one browser to another, and the content writers have overtaken the user experience so much so that single clicking on icons don't even work so much anymore because of a embedded Flash or JS.
To say that people were not protecting their privacy--well, jackass, did you know what browser they were using? Or not? I doubt you did, so man up, you're laughing at your stupidity in analyzing and understanding the situation about what the users were doing. They were trying to keep the web true to its original intent of being open to all comers and having pages standardized, something /. obviously does not believe in given their own site design (as I wait 15 seconds for the captcha to "load").
I just ran this test, and I was horrified to discover that every font I have installed on my system shows up! I had no idea the browser (Firefox v. 3.5.7 with NoScript) leaks this kind of information. I do graphic design work and I have a huge number of fonts on my system, some of them unusual. I certainly don't want nor need to have them all available to my web browser, and I certainly don't want my web browser to be broadcasting this list to the world. Does anyone know if I can configure Firefox to use only the "standard" fonts? I really don't think it's anyone else's business which fonts I have installed.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
My Mozilla browser crashed after I hit the TEST button. Any other crashers out there?
With noscript enabled I came up as one out of around 1400, with noscript disabled I was completely unique out of the 19000 tests done so far. I'm special.
I noticed this years ago, when I noticed that compiling Firefox puts the exact date and time in your user-agent. The user-agent also contains the usual things like the OS, architecture, &c.. So how likely is it that someone else with the exact same system configuration and compiled the exact same version of Firefox at the same time? Probably zero.
Liberty in your lifetime
I tested my three browsers (Opera 10.10, Firefox 3.5.7, Chromium 5.0.306.0) on Ubuntu 9.10, and all three were rated "unique" among 18100 to 18200 signatures. In fact, they were all unique on browser plug-ins alone, and Firefox was also unique in its reported set of system fonts. This is troubling.
On other items, they were not unique, but often in a small set. The combination of a few rare settings could easily make the browser nearly unique in a far larger set. Chromium was nearly unique in fonts (2 browsers with the same set) and in user agent (about 10 browsers with the same user agent string). On screen size, about 9 browsers reported 3840x1080x24 resolution, and 3 of them were probably mine...
So, cleaning cookies and temporary files and flash droppings regularly may no longer be enough. [donning a tinfoil hat] do we have to install or remove some fonts every day, or change screen resolution and user agent string every few hours?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
I guess I'm somewhat paranoid/security conscious, e.g., I do clear out things like Flash cookies, and I block sites like Google Analytics. What surprised me was that Firefox, a browser I originally chose in part for its reputation of having better security and privacy settings than certain other browsers, seems to be broadcasting a signature that tells any site I visit all of the plug-ins I am using. This not only uniquely identifies me, it also paints a huge target if any of those plug-ins is found to have a security hole. This information should never have been broadcast publicly, and it should certainly be blocked by a patch in the immediate future!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
You can change the user_agent string in Firefox in about:config.
All three of the browsers on my system (Firefox 3.6, Opera 10.x and IE8) show as unique, and I do have Noscript enabled on Firefox.
The irony is that the site uses cookies to determine if you are unique to the site or have been there before.
Deleting the cookie (and maybe changing your IP address) and revisiting would introduce spurious duplicates into the database.
Hello,
I would like to refer to an old project of mine. browserrecon is an implementation which uses application fingerprint techniques to identify web clients:
http://www.computec.ch/projekte/browserrecon/
Bye, Marc
Apparently My browser's UA was the first of its kind after 25,430 visitors ;-) My guess is that it has to do with the Chrome build number.
Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.43 Safari/532.5
14.63 bits of entropy and shrinking!
I got the SAME results using Firefox vs Safari in private mode? Look for yourself http://phatanium.com/firefox-vs-safari.png
That I am unique among all the browsers tested! Awesome!!! That's pretty good, right?
the button to start the test is an image without alt text or other controls.
eff, please make the site usable without loading images.
thanks.
signed : gprs and other crappy internet connection users worldwide.
Rich
User Agent Switcher: https://addons.mozilla.org/en-US/firefox/addon/59
That way all 2 of them look alike in their headers while petitioning and supporting Lesbian rights. We've known about the uniqueness of client web browsers passing information to servers for quite some time now. They've been using the Dillo web browser for most of their neeeeeds, and don't need to take turns when they use the same IP address.
With NoScript blocking eff.org, I was unique to about 1:7000. Once I allowed eff.org on NoScript, I came up as completely unique - Fonts and Plugins seemed to be the most unique factors (as you might expect).
To be honest, if I was using this as a tracking tool I'd probably not put a lot of stock in Useragent, but instead on more unique things like fonts and plugins. Useragents can be spoofed easily, and are generally not that unique. Fonts and plugins, on the other hand, are less likely to be spoofed and are a lot more unique to the user. A lot of people have installed or deleted at least one font on their system, and that's a relatively unique fingerprint.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
If you do any graphic design work at all, odds are extremely strong that you will have a very distinctive set of fonts installed. My Firefox installation was a 1-of due to not only fonts but the particular mix of add-ons I am sporting. Interestingly enough my Chrome was unique for plug-ins--and not fonts, and IE was unique for (surprise!) the USER AGENT details. Go figure.
... are doing this for quite a while now
I appear to be the one user to hit the EFF site with a fully-updated HTC Magic with stock firmware from Rogers in Canada, so far. Wonder how many other sites I browse on this thing where I'm the only one with it.
"and huge loss for torbutton with scripts off"
On the official Tor (or-talk) mailing list (found at torproject.org when you click Docs and scroll down the page),
people have asked the Torbutton author to update the user agent string more often, complained it stood out,
and even suggested he IMPROVE upon Torbutton by (A) Allowing the user to specify a UAS, (B) Providing a default
set (3 or more) of choices for the user to switch between should they choose, (C) Updating the default UAS with
each release of Torbutton, (D) and so on
The Torbutton author FAILED to respond to these suggestions on or-talk in Dec-2009, perhaps he was on holiday, but I doubt it. Making these improvements to Torbutton would remove the want/need for the Tor+Torbutton user to install ANOTHER untrusted addon for the single purpose of changing the user agent.
In short, thank you Torbutton author for not reading Dec-2009's loud and clear call for improvements.
PS / Slashdot : I simply LOVE the Invalid form key message, it's great when the You Can't Post To This Page message isn't displayed. I have to resubmit the post and hope YCPTTP or IFK doesn't show up, yup, it's a joy to post when using Tor.
Mix the following for a nice, tasty, warm stew:
1. Tor
2. Web Proxy #1
3. Web Proxy #2
4. A touch of SSL
5. A sprinkle of VPN
6. More Web Proxies to taste
7. A dash of SSH
8. Randomized User Agents either timed or manually switched
9. Noscript and/or Proxy with custom/paranoid settings
10. VM and or LiveCD with no HDD drives or other writable medium plugged in
And the user agent string at the end is useless! You're no longer identified as a tor exit node, either.
Attacks against Torbutton (see recent Defcon and elsewhere) and other browser plugins are cropping up, we need a browser to do it all, remove the need for addons and a scrubbing proxy, but no one seems to be up to the task (there's a few torifed browser projects but no all-in-one solution).
Shouldn't EFF be working on something more interesting? Maybe a browser for Tor which removes the need for Proxy/Plugins with Tor? No, instead we get this project which may result in a broken link in X amount of months or years when people forget about it.
Since tor.eff.org was shuffled off, I've been waiting for something equally interesting, like torbrowser.eff.org.
That's a pointless waste of time. Such manipulations can just be filtered out later. But hey, feel free to act like an ass.
There is, however, a very, very high correlation between Slashdot visits and cuteoverload.com on single-user computers over 3 years old. Not sure what that says about your thesis.
I checked with Mozilla 3.6, Mozilla with Noscript blocking Javascript, and IE. There are now 44000 users.
The tricky bit was that my fonts include the corporate-logo font for $DAYJOB, and I guess none of my coworkers have tried the system or have an earlier edition of the corporate-IT-installed vanilla fonts. (My laptop trashed itself last week, so it's running a vanilla image as of Monday, and I'll have to go reinstall those cool programmer-oriented monospaced fonts and Elvish and such.)
Are there any privacy extensions or options to Mozilla to tell it to only advertise boring fonts, or advertise your favorite choices of fonts so web pages display things the way you want?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You don't have to disable Javascript everywhere; you can use NoScript to enable it for sites you trust (or don't trust but want to get full functionality anyway). And most of the tracking seems to happen on tracker-company sites that the content-provider sites use, so you can use NoScript to block the ones that Adblock doesn't already block.
However, I recently installed Ghostery, and even with NoScript blocking popular trackers, there's apparently still a bunch of Javascript dreck on many popular web sites, especially blogger services and news sites, so I'm now using that to block more stuff.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It should make you more unique - but if it's actually different every time, you should be less trackable, because each time the web server sees a User Agent that it's never seen before, so you look like a different stranger every time.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Your browser fingerprint appears to be unique among the 46,001 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 15.49 bits of identifying information.
My list of plugins and my list of fonts are both unique in 46001. Interestingly, only 61 people ran the test in my timezone. But, I'm curious about the "bits of identifying information". Both fonts and plugins give 15.49 bits of info. Wouldn't their results combined give more "bits"?
How many more years will slashdot have an off-by-one error on your Score in your profile?
I am worried.
How much more information can they get from our browser?
Where to find out what these kind of information and ways to protect ourselves from the potential malicious data miners?
I tried the test - getting a ton if PHP errors... Seems the EFF needs a few more programmers... where
is John Gilmore?
16.11 unique bits.
I suspect mainly because I have Quake Live installed.
I am also running Firefox Portable on Windows Server R2.
R2 should report the same as window 7 does, and firefox portable should not be able to be distinguishable from Firefox.
My resolution of 1680x1050 may also be less common.
After turning off JS, it became more interesting.
Still 10 unique bits, and only 1 in 1093 other browers did one have the same fingerprint.
I guess my firefox portable is giving off a unique string.
If you ignore ACs because they are anonymous - you're an idiot.
I claim prior art!
My first program:
Hell Segmentation fault
Out of the first 76,633 users, I'm the only person with my plugin selection and my available fonts.
Using Midori for the browser and Mandriva for the OS was a good start, obviously. The User-Agent string doesn't mention the distro name, though. It just says it's under X on Linux on an i686. One in every 25544.33 people (so two others) submitted to the test with Midori on Linux.
Having commercially-licensed fonts that don't come bundled with any OS helps, and how many people have identical sets of plugins?
When I'm really so worried about privacy, I'll be sure to use a browser that reports exactly what a stock XP or Win7 system would report. There's nothing in the world that forces your browser to tell the whole truth about what it can do.
User Agent 14.77/27936.67 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; en) Opera 10.01
HTTP_ACCEPT Headers 9.22/594.4 - text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 iso-8859-1,
utf-8, utf-16, *;q=0.1 deflate, gzip, x-gzip, identity, *;q=0 en-US,en;q=0.9
Browser Plugin Details 2.5/5.67 - no javascript
Time Zone 2.49/5.63 - no javascript
Screen Size and Color Depth 2.49/5.63 - no javascript
System Fonts 2.5/5.64 - no javascript
Are Cookies Enabled? 2.99/7.92 - No
Limited supercookie test 2.49/5.63 - no javascript
The only question is, is it good to be unique here? Being unique, as to what I am drawing from this article's conclusion, actually harms one supposedly. It's espousing the "security-by-obscurity" principal. Hiding via "security-by-obscurity" does help. After all, look @ the *NIX variants out there using it due to less market share & use overall worldwide vs. Windows NT-based OS by comparison. In turn, they get less victimized online via maliciously coded pages or adbanners or bogus servers because of it, as they present less of a target to hit. This is how/why being less used helps though, not exactly unique identifiers, however, it does tend to illustrate the benefits of being less used via exemplifying the "security-by-obscurity" principal in computer security at least.
Posting as an AC because I was always too paranoid to create an /. account -- how's that for irony!
Anyway, there are two configuration I use commonly at home: the text-based w3m, and Firefox.
At first thought one would think that w3m--a little-used browser--would be much more unique. After all, how many people use it, as compared to firefox?
But on reflection, this is actually not the case. Sure, w3m isn't very widely used, but without javascript support there is little of its customization that can be remotely quereied (beyond _ACCEPT and USER_AGENT and the like). So I decided to test both and see if in fact the more rare browser was also more anonymous. And it was:
W3M: "Within our dataset of about ten thousand visitors, only one in 46,065 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 15.49 bits of identifying information."
Firefox: "Your browser fingerprint appears to be unique among the 92,923 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 16.5 bits of identifying information."
Of course, now I've just given away who I am!
Without Tor I'm unique with my fonts and browser plugins. With Tor I'm more generic in every category except screen resolution! Tor randomizes screen resolution but the res it gave me was very weird, and hence unique. I think reporting a generic screen res like 1024x768 would probably be more helpful than reporting weird resolutions.
Time makes more converts than reason
Back in the mid-90s (before cookies) this is exactly how I tracked sessions for log analysis. It may be a bit dicey for apps but for anything else it just works.
my iceweasel on debian: unique
my iphone: like any other iphone...
Your browser fingerprint appears to be unique among the 589,355 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 19.17 bits of identifying information.
FUUUUUUUUU-