EFF Launches Panopticlick 2.0 (eff.org)
Peter Eckersley writes: The EFF has launched Panopticlick 2.0. In addition to measuring whether your browser exposes unique — and therefore trackable — settings and configuration to websites, the site can now test if you have correctly configured ad- and tracker-blocking software. Think you have correctly configured tracker-blocking software? Visit Panopticlick to test if you got it right.
DISCLAIMER: Visiting Panopticlick means you did not get it right.
2 interesting things about Panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat. Second, they encourage users to allow ads from websites that purport to respect Do Not Track. There's no way to know if they actually respect it, and companies like Google and Facebook have been bald-faced liars in saying they respect it when they actually don't.
requires you to allow scripting and cookies ... so turn off your security so we can analyze your security. nice idea; bad implementation
The site doesn't work at all for me. Presumably, it requires javascript, which is exactly what nobody should be enabling by default. Javascript has been one of the largest exploit vectors of the modern web. It should at best be whitelisted on a very, very few sites such as trusted banking and finance sites. But absolutely not enabled in general - that's a big part of how people's systems end up severely jacked.
Use different browsers for different web sites. I use firefox, seamonkey, chromium, konqueror, each one for a different kind of browsing (banking & bill payments vs. shopping vs. videos, etc.) At most they can figure out only a quarter of what I do online.
Nice. I just had an SELinux popup saying that plugin-container was trying to do something... also a pop-up about "fonts" trying to run so I said "nope."
I should put something clever here. Maybe someday.
It would be more interesting if they would suggest configuration changes to produce a non-unique fingerprint. Their only suggestion is to use an extension like NoScript, which they admit is impractical.
I can see ways to make fingerprinting less effective, at least among privacy oriented individuals, but it needs something like Panopticlick to collect and analyze data in order to recommend optimal, non-unique fingerprints. In some cases this can be handled by browser settings. In other cases, it may require some sort of add-on. Yet it should be possible to create non-unique combinations.
The best that I can do with the present setup is to guess how to configure my browser to make it less unique. For individual parameters, it is quite effective. Yet the only way to create a unique fingerprint is by sheer luck.
See subject: No javascript active (globally by default via Opera's preferences, & when I need it? I do a BySite exception) in Opera 12.17 64-bit (best browser ever made - most flexible for security purposes by far & options other browsers need plugins for, it already has natively built-in).
No java, javascript, cookies, plugins (active ONLY on demand option), frames/iframes either...
* :)
(Between that measure noted above + custom hosts files created by "yours truly" via -> APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o... ? No tracking is possible...)
APK
P.S.=> "Accept NO substitutes"... apk
Already armed with illegal pedophile dick.
It's been running for a good 5 minutes now, with a small section at the top wanting to run Java, which just ain't happening.
Beware what you say, you might be being tracked right now, as we speak... are you sure you want people to record that you are considering incarcerating someone without due process?
Because of what you said, I did a little search to check whether the USA abides by the Universal Declaration of Human Rights and found this page:
http://www.cartercenter.org/news/documents/doc1369.html
Americans surely took their own sweet time to ponder whether to sign it or not. Also, again Mr. Carter. Let me profit from the occasion to thank you again, Jimmy, for a life full of doing The Right Thing (TM).
I'm sure that, were you in power at this moment, the US, Russia, China and India would be working together, in what could bootstrap UN 2.0 in the not so near future. I also hear you're solving some of your health problems. Congrats on that, too.
And a very Merry Christmas for you and all the ones you love!
http://ip-check.info/
Just try it and compare - this one has better tests imo.
It's good for Tor users.
Time to present a limited set of fonts and plugins to untrusted urls?
As always, all IMO. Insert "I think" everywhere grammatically possible.
I believe a 'limited set' would be just as obvious / identifying as a large set. You would probably be one of the few people with only 2...3...4 fonts, etc. The best you are likely to do is find out what the largest category is, and be one of those. ...or just change everything randomly all the time. Then you would still be unique...but you'd be "Unique person A" today, "Unique person B" tomorrow, "Unique person C" for the day after that, etc.
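Added example (not part of the original thread and not EFF's code): a small calculation of the two quantities the comments above argue about, the bits of identifying information carried by each attribute value and the number of visitors sharing a complete fingerprint. The population counts, attribute names and values are constructed for illustration; they are not Panopticlick data.

```python
import math
from collections import Counter

# Constructed sample population: (user_agent, fonts, plugins) -> visitor count.
# All values are invented for illustration; total is 1000 visitors.
POPULATION = {
    ("UA-common", "default-fonts", "flash"): 600,
    ("UA-common", "default-fonts", "none"): 250,
    ("UA-other", "default-fonts", "flash"): 100,
    ("UA-other", "default-fonts", "none"): 48,
    ("UA-common", "default+logo-font", "flash"): 1,  # one extra installed font
    ("UA-common", "3-fonts-only", "none"): 1,        # the "limited set" idea
}
ATTRS = ("user_agent", "fonts", "plugins")


def surprisal_bits(count, total):
    """Identifying information, in bits, of a value seen `count` times in `total`."""
    return -math.log2(count / total)


def attribute_bits(population, fingerprint):
    """Per-attribute surprisal of one fingerprint, measured against the population."""
    total = sum(population.values())
    bits = {}
    for i, name in enumerate(ATTRS):
        marginal = Counter()
        for fp, n in population.items():
            marginal[fp[i]] += n
        bits[name] = surprisal_bits(marginal[fingerprint[i]], total)
    return bits


def anonymity_set(population, fingerprint):
    """Number of visitors sharing the complete fingerprint (0 if never seen)."""
    return population.get(fingerprint, 0)


def most_common_fingerprint(population):
    """The configuration with the largest anonymity set, i.e. the best one to blend into."""
    return max(population, key=population.get)


if __name__ == "__main__":
    for fp in POPULATION:
        rounded = {k: round(v, 2) for k, v in attribute_bits(POPULATION, fp).items()}
        print(fp, "anonymity set:", anonymity_set(POPULATION, fp), rounded)
```

In this constructed population the three-font browser and the browser with one extra logo font both end up in an anonymity set of one, while the default font list carries almost no identifying information.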
It's a trap!
Mine came out much less unique than previous versions, because I had NoScript blocking much of it (even after I temporarily allowed evil-tracker.com and do-not-track.com or whatever their domains were called). User agent string was fairly unique. In the past, fonts have been the big surprise information leaker - my work machines all have a font loaded on them that's used to get $COMPANY_LOGO to render correctly, aside from any other fonts I've randomly added over the years.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Unless you're using Tails and keeping your identities separate, you're trackable. Even if you do, there are still good ways to track you if someone is so inclined.
At my company, a major online retailer, we use EverCookie to redundantly persist user ids on the frontend across the different browsers on your machine, Etag tracking to match sessions on the backend when JavaScript is disabled, device fingerprinting / panopticlick methods to track any users who've successfully blocked all of the above, and Signal TAG to stitch those identities together and exchange them with data partners server-side so that consumer privacy measures can't disrupt our data collection. For the rare cases where all of that fails, partners like Experian Advertising and SimilarWeb get data from the major ISPs on what pages you're actually visiting and fill in the gaps in our advertising dataset.
Projects like Panopticlick are doing a great job at public education about privacy issues and informing the global debate. But, make no mistake about it, we're in a global arms race between ad tech and privacy tech that can't truly be won, given the pace at which these technologies evolve. Disabling JavaScript, installing ad blockers, enabling do-not-track, private browsing, using multiple browsers, etc. won't do much more than make you *feel* safer; advertisers and publishers can and will continue collecting and sharing data for profit, regardless of what privacy settings you have on your browser or OS.
The way this battle is won, to everyone's benefit, is through education and public policy / industry standards. Consumers need to understand the limitations of their privacy online, the legitimate cases where advertisers need to track them, and how everyone wins in a world with *some* tracking under specific use-cases; advertisers, publishers and exchanges will continue to track to the greatest extent of their abilities so long as that remains profitable, which means industry standards and/or government policy will need to be put in place to impose costs on the cost-benefit analysis of tracking.