
Interesting counterpoint to people who claim that turning off Javascript is just another data point. I use Firefox with a decent amount of tracking protection turned on. With Javascript, I leak about 16 bits of identifying information. Without, I leak about 7.

You want to take that with a grain of salt, because I don't think Panopticlick is a perfect tool to measure this stuff. For one thing, I suspect that Panopticlick is highly influenced by the people who visit it -- being posted on HN probably means there are more data points for me to hide in than usual.

For the other thing, there are measurements that Panopticlick doesn't include, and there's no way for Panopticlick to track disinformation and false data. For example, you could still get my screen size without Javascript via just CSS. Are most tracking sites doing that? No, it would be a massive pain to do, and it would force you to ship giant CSS blobs everywhere. But it's still possible.

But, this does still strengthen my conviction that turning off Javascript by default _probably_ helps avoid tracking on most sites, and it's surprisingly feasible to do. A lot of content-sites work without Javascript.

I recommend UMatrix if you want to go down that route, since it lets you create very precise exceptions relatively easily when you need them.



I agree, Panopticlick is not really good as a measuring point. I am randomizing most of the metrics it is using, and even if it detects my browser as unique, this will always be true, as my data are fake and randomized each time a browser tab is opened. Sure, you can track me for the time the tab is alive, but on the next visit the results are going to be 90% different (including WebGL fingerprinting) and there is no way it could correlate me with my previous visit. For it I am always a new visitor, never seen before. I could try to blend in, but why?

Another thing is "not blocking sites that honor DNT". I am sorry, but I don't trust anyone, based on the fact that web users were lied to just too many times. Once DNT is tied to hefty fines, I might reconsider; until then everything will be blocked.

(And it is highly tasteless that EFF is offering links to promote Panopticlick on the worst web tracking facilities of the internet - FB, Google+ and Twitter.)


For everyone wondering: Firefox extension Chameleon randomly spoofs your user agent. However, I would highly recommend NOT using this extension, or randomizing your user agent whatsoever - it only raises your entropy and makes you easier to track. You should be trying to make your browser look identical to everyone else's, not different.

This can be partially achieved by setting privacy.resistFingerprinting to true in Firefox's about:config. This won't stop Panopticlick from fingerprinting you. If you really want to reduce your fingerprint, try using the ghacks user.js [1]. If you want to make fingerprinting completely impossible, use the TOR browser [2].

Most users don't need to worry about this - uBlock Origin blacklists most fingerprinting efforts by default.

Please read: https://www.privacytools.io/browsers/#fingerprint

[1] https://github.com/ghacksuserjs/ghacks-user.js

[2] https://www.torproject.org/

More Firefox privacy extensions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Exte...


You're assuming that trackers account for a changing UA. Are there trackers doing that? I suppose a deliberate or malicious attempt to identify me and isolate my machine could account for a randomly spoofed UA. But if I am trying to hide in plain sight from tracking software, isn't this method of UA spoofing enough to misplace my machine into different tracking categories or throw them off my scent entirely? When I run Panopticlick, UA is usually among the highest number of bits of identifying information, the rest of the identifying settings and preferences are more likely to be shared, which makes a particular device blend in.


If you don't mind, how are you randomizing these metrics?



If you're primarily worried about privacy, I recommend against spoofing your user agent unless you're only changing superficial details. See https://bugzilla.mozilla.org/show_bug.cgi?id=1404608

It's very hard to fake an OS or pretend to be a separate browser. If you're focusing on disinformation, you should probably be focusing on disinformation that's harder to detect.


The user agent is far from being the only metric used by Panopticlick.


I know that, but the UA does provide the highest number of bits of identifying information.


Is that still true since operating systems and browsers automatically update themselves now?


Fair point, that probably lowers the odds of recognition a bit, but the UA stands out because of the multiple variables that it reports in one header. At least when I ran Panopticlick a few times with various configurations, that was always the factor which gave up the most bits of identifying info.


Please tell me that there is an extension with which you randomize this data? I want it as well!


That'd be nice, but I don't think that there is one, so I don't think that he is doing what he is claiming.


> I recommend UMatrix

There is also a master switch to wholly disable JavaScript on a per-site basis in uBlock Origin[1], which I think is a more user-friendly approach for whoever wants to experiment with toggling on/off JavaScript easily.

[1] https://github.com/gorhill/uBlock/wiki/Per-site-switches#no-...
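
Added example, not written by any commenter in the thread: a sketch of the disagreement above about randomizing the user agent versus blending in. It computes Panopticlick-style bits (-log2 of the share of visitors with the same value) over a constructed 16-visitor population; every attribute value and the helper names `bits` and `linkable` are assumptions made for illustration.

```python
import math

ATTRS = ("user_agent", "timezone", "screen", "fonts")
STABLE = ATTRS[1:]  # everything a user-agent spoofer leaves untouched

def visitor(ua, tz, screen, fonts):
    return dict(zip(ATTRS, (ua, tz, screen, fonts)))

# Constructed population of 15 other visitors; values are illustrative only.
OTHERS = (
    [visitor("Firefox/68 Linux", "UTC+1", "1920x1080", "fontsA")] * 7
    + [visitor("Chrome/76 Windows", "UTC-5", "1920x1080", "fontsB")] * 4
    + [visitor("Chrome/76 Windows", "UTC-5", "1366x768", "fontsB")] * 2
    + [visitor("Safari/12 macOS", "UTC-8", "2560x1600", "fontsC")]
    + [visitor("Edge/18 Windows", "UTC+0", "1600x900", "fontsE")]
)

def key(v, attrs):
    return tuple(v[a] for a in attrs)

def bits(v, attrs, others=OTHERS):
    """Surprisal of v's values for attrs: -log2(share of population, v included)."""
    same = 1 + sum(key(o, attrs) == key(v, attrs) for o in others)
    return -math.log2(same / (len(others) + 1))

def linkable(visit1, visit2, attrs=STABLE, others=OTHERS):
    """True if both visits share attrs values that nobody else in the population has."""
    if key(visit1, attrs) != key(visit2, attrs):
        return False
    return not any(key(o, attrs) == key(visit1, attrs) for o in others)

blended = visitor("Firefox/68 Linux", "UTC+1", "1920x1080", "fontsA")
rare = visitor("Firefox/68 Linux", "UTC+1", "3440x1440", "fontsD")
# The same machine on two visits, with a freshly randomized user agent each time.
spoof1 = dict(rare, user_agent="Random/a1")
spoof2 = dict(rare, user_agent="Random/b2")

if __name__ == "__main__":
    for name, v in [("blended", blended), ("rare", rare), ("rare+spoof", spoof1)]:
        print(f"{name:11} ua={bits(v, ('user_agent',)):.1f} "
              f"stable={bits(v, STABLE):.1f} all={bits(v, ATTRS):.1f}")
    print("spoofed visits linkable on stable attributes:", linkable(spoof1, spoof2))
    print("blended visits linkable:", linkable(blended, blended))
```

With these constructed numbers, spoofing raises the user-agent surprisal from 1 bit to 4 while the untouched attributes still single out the machine across visits; randomizing those attributes as well is what breaks the link.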



