Cover Your Tracks (formerly Panopticlick)

How Unique - and Trackable - Is Your Browser?

Installation

The easiest way to set up an instance of Cover Your Tracks is with docker and docker-compose, but it can be installed on a host machine if desired.

Partial Installation on Host

On Debian-based systems you may need to install libmysqlclient-dev and python3.11-dev first.

pip install pipenv
pipenv --python 3.11
pipenv install
cp config_example.py config.py

Then modify the relevant variables in config.py.

Now, you can run

pipenv run python main.py

Full Docker Installation

To generate self-signed certificates for the Cover Your Tracks hosts, cd into examples/nginx and run

./generate_self_signed_certs.sh

Change each of the secrets in docker/secrets/ to a random value.

Then, from the git root, run

docker-compose up

Admin Routes

The following routes allow you to perform administrative tasks on the application. For each of the following curl commands, be sure to change the password to what you've set as the admin password in your config.py or docker-compose.yml file. Remove the --insecure flag in production.

POST /refresh-key

To have the application re-read the keyfile, which contains the key to the HMAC function for storing IP addresses, issue the following command:

curl -X POST -H 'Content-Type: application/json' -d '{"password": "changeme"}' --insecure https://coveryourtracks.eff.org/refresh-key

POST /migrate-db

To migrate the database to the latest version of the application, issue the following command:

curl -X POST -H 'Content-Type: application/json' -d '{"password": "changeme"}' --insecure https://coveryourtracks.eff.org/migrate-db

POST /epoch-update-totals

To update the totals table to reflect the number of times we've seen each fingerprinting characteristic in the last epoch (45 days), issue the following command:

curl -X POST -H 'Content-Type: application/json' -d '{"password": "changeme"}' --insecure https://coveryourtracks.eff.org/epoch-update-totals

Viewing Locally

Unless you've changed the server names specified in config.py, you'll have to add the following line to your /etc/hosts file:

127.0.0.1 coveryourtracks.eff.org trackersimulator.org firstpartysimulator.org firstpartysimulator.net eviltracker.net do-not-tracker.org

If you generated the certs yourself, in Firefox you'll have to go into private browsing mode to see the "I Understand the Risks" dialog. You may also have to visit each of the above domains manually and go through the certificate exception process for each one before the application is fully functional. Or, with Chrome, you can start the browser with the --ignore-certificate-errors flag, but beware that this ignores all certificate errors.

License

This project is licensed under the Affero General Public License, version 3. See the LICENSE file for details.

Credits

This is a rewrite of the original Cover Your Tracks codebase, developed by Peter Eckersley at the Electronic Frontier Foundation. Currently maintained by William Budington.

cover-your-tracks's Issues

Allow users to modify specific characteristics and see the fingerprint result based on this modification

User feedback:

Dear eff,

I want to recommend a useful feature for the fingerprint test: please make the fingerprints browsable in a way that lets one keep some values fixed (e.g. iOS Apple mobile Safari) and list the variations in other entropy elements, e.g. screen size. Some settings on iPhone seem to change the fingerprint, and I want to find out how my iPhone is different from other iPhones of the same model. So one could find uncommon settings that are active.

"among the N browsers tested so far" -> tested in the past x months?

We currently say things like:

Your browser fingerprint appears to be unique among the 808,147 tested so far.

But it would be less confusing and more informative to say

Your browser fingerprint appears to be unique among the 808,147 tested in the past N months?

N=3 IIRC?

Should ignore OS Version in User Agent String

I think the fingerprinting Info could be improved by ignoring the OS Version Number in the User Agent. A real tracking company would also ignore it, because it changes frequently. For me it always shows a high uniqueness, but that’s only the case because I updated to the newest version and the website didn’t see many devices on that version yet.

Broken link to pdf paper

Subject: Browser Uniqueness paper on Cover Your Tracks is a dead link
From:
Date: Thu, 4 Mar 2021 12:25:18 -0500
To: [email protected]

Hello,

The link to the 2010 paper (https://coveryourtracks.eff.org/browser-uniqueness.pdf) that published the initial findings of Cover Your Tracks (then Panopticlick) is dead. I remember it used to work when the project was still named Panopticlick. It would be great if you could fix it, I was hoping to use the paper as a source in a paper of my own.

More ways of fingerprinting

1 performance of js engine (see papers by mowery and shacham) and gpu rendering (http://arxiv.org/pdf/1503.01408)
2 enabled ciphersuites
3 speech synthesis engines #8 #9
4 webaudio devices list #12
5 endianness #11
6 canvas text measuring API (in the version of fingerprinter published on GitHub I rounded the measurement to an integer to store it in a typed array, but I shouldn't have done that, and now I can't reverse it because it would change the fingerprints; when you implement this you should preserve the fractional part)

Reports that Firefox+UMatrix combo breaks tracking test

From the report:

And with uMatrix standard settings (1st party * allow), this test failed in Tracking Protection and revealed a lot of system information.

OS: Debian Jessie
Browser: Firefox 45 ESR / Firefox 48
Extensions: uBlock / uMatrix only

Check for GPC

Checking for GPC would be a useful way of gaining a more in depth fingerprint.

"Install Privacy Badger and enable Do Not Track" advice in a Tor Browser where both are configured

I wanted to see how 'private' a default Tor Browser is, so I accessed panopticlick.eff.org with a Tor Browser whose configuration was not modified from the defaults. I was advised to install Privacy Badger and enable Do Not Track. I did both, closed Tor Browser, started Tor Browser and went back to panopticlick.eff.org to re-run the tests.


I still got the same advice:

Privacy Badger installed

Do Not Track enabled

Is there anything I'm missing?

CanvasFingerprintBlock breaks fingerprint test

The fingerprinting test does not seem to finish with the “CanvasFingerprintBlock” extension installed in chrome (which says it blocked 20 potential canvas fingerprinting attempts by panopticlick).

Acceptable ads results not displaying

The loading gif continues to display, but the results never appear.

Currently hidden by CSS on lines 363-365 of _pages.scss:
#acceptable_ads_tr{
display: none;
}

"Partial protection" in stock Chrome browser

Running tests in a new, all-defaults Chrome profile reports "partial protection". This seems to be a bug caused by SameSite cookie changes in Chrome, where now cookies are denied in third-party contexts unless sent over https with SameSite=None.

Using EFF test domain from independent tools?

Are well-behaved independent tools (such as a script that runs once per session to warn a site visitor if they are vulnerable to tracking) allowed to use the eviltracker.net domain?

Not blocking fingerprinting (on Panopticlick.com)?

When I pull and build the current extension code (v 2016.5.24), it fails the panopticlick fingerprinting test. Is this a 'priming' issue? Is there a different way to test this from source?


Most of the entropy comes from (bits of identifying information, and one in x browsers sharing the value):

Characteristic                Bits      One in x
Hash of canvas fingerprint    12.69     6594.2
System Fonts                  16.01     65942.0

Add social share icons to the results template

Social share icons should display under these conditions:

If 1, 2 (and 3 if we do it) are all yes: “Yes! You have strong protection against Web tracking. Please share this site on social media.”
If 1 and 2 but not 3: “Yes! You have strong protection against Web tracking, though your software isn’t checking for Do Not Track policies. Share this site on social media”.

Check for Google Topics API

Additional item to test for: Google Chrome has an experimental user classification feature called "Topics API" which can be detected from JavaScript.

https://github.com/patcg-individual-drafts/topics#the-api-and-how-it-works

This is currently being deployed to a few percent of Google Chrome users, and not to those who have turned off third-party cookies.

"Topics API" is promoted as an advertising-related feature, but may end up being more commonly applied in personalized pricing and other areas.

Disabling on uBlock Origin gives inaccurate results

@gorhill I could not open this on https://github.com/gorhill/uBlock/issues/new because

An owner of this repository has limited the ability to open an issue to users that have contributed to this repository in the past.

but this is a uBlock Origin issue.

Scenario

Install uBlock Origin, and visit the EFF's Panopticlick site: https://panopticlick.eff.org/.

Click on the uBlock Origin icon and disable for this site. Click Test Me.

Result

The result shown is partial protection for blocking ads and trackers.

Expected Result

The expected result should show no protection against ads and trackers.

Explanation

Panopticlick is built to support addons like uBlock Origin as well as heuristic blockers such as Privacy Badger. The way this works is that it forwards the user through a number of first-party domains that include third-party trackers, in order to trigger the heuristic 'learning' of Privacy Badger.

At the end of the test, the results page communicates with the third-party trackers via the postMessage API to determine which first party domains were loaded. Since uBlock Origin has not disabled all the interstitial first-party domains, the third parties report that they were loaded only on https://panopticlick.eff.org/, since they were blocked on the other domains.

Further Complication

If a user runs the above scenario with Privacy Badger installed alongside uBlock Origin, uBlock Origin blocks the third party resources from loading on all interstitial first parties, thus never giving Privacy Badger the opportunity to do heuristic learning. This gives a weaker result than expected.

Proposed Solution

Make uBlock Origin aware of first-party groupings of domains. When a user disables the extension on https://panopticlick.eff.org/, they probably intend to disable it for the entirety of the PanoptiClick site. This includes these other first-party domains:

  1. firstpartysimulator.org
  2. firstpartysimulator.net
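The postMessage exchange described in the Explanation above, as an added example that is not the Cover Your Tracks implementation: the results-page side accepts reports only from the known tracker origins and derives the "partial" verdict this issue describes. The domain names are taken from the README's /etc/hosts line; the message shape ({ firstParties: [...] }) and the verdict labels are assumptions made for this illustration.

```javascript
// Added example, not the Cover Your Tracks implementation. The tracker and
// first-party domain names come from the README's /etc/hosts line; the
// message shape ({ firstParties: [...] }) and the verdict labels are
// assumptions made for this illustration.
const TRACKER_ORIGINS = new Set([
  'https://eviltracker.net',
  'https://do-not-tracker.org',
  'https://trackersimulator.org',
]);
const FIRST_PARTIES = [
  'coveryourtracks.eff.org',
  'firstpartysimulator.org',
  'firstpartysimulator.net',
];

// Results-page side of the postMessage exchange: each third-party tracker
// frame reports which first-party sites its resource was loaded on.
class TrackerReports {
  constructor() {
    this.loadedOn = new Map(); // tracker origin -> Set of first-party hosts
  }

  // `event` has the shape of a window "message" event: { origin, data }.
  // Only messages from the known tracker origins are accepted, so another
  // page open in the browser cannot post a forged verdict into the results.
  handleMessage(event) {
    if (!TRACKER_ORIGINS.has(event.origin)) return false;
    const firstParties = event.data && event.data.firstParties;
    if (!Array.isArray(firstParties)) return false;
    const known = firstParties.filter((host) => FIRST_PARTIES.includes(host));
    this.loadedOn.set(event.origin, new Set(known));
    return true;
  }

  // A tracker that never reported in was blocked everywhere; one that loaded
  // on every first party was not blocked at all; anything in between is the
  // "partial" outcome this issue describes (uBlock Origin disabled on the
  // results site only, so the tracker loaded there but nowhere else).
  verdict(trackerOrigin) {
    const hosts = this.loadedOn.get(trackerOrigin);
    if (!hosts || hosts.size === 0) return 'blocked';
    return hosts.size === FIRST_PARTIES.length ? 'loaded' : 'partial';
  }
}
```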

running pipenv install results in error for gunicorn

As the title says, running pipenv install results in an error for gunicorn:

admin1@admin-Virtualbox:~/cover-your-tracks-master$ pipenv install
Installing dependencies from Pipfile.lock (20783f)…
  🐍   ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 19/19 — 00:00:02
An error occurred while installing -e git+https://github.com/benoitc/gunicorn.git@ff58e0c6da83d5520916bc4cc109a529258d76e1#egg=gunicorn! Will try again.
Installing initially–failed dependencies…
  ☤  ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 0/1 — 00:00:00
ERROR: Invalid requirement: 'gunicorn --hash=sha256:9dcc4547dbb1cb284accfb15ab5667a0e5d1881cc443e0677b4882a4067a807e  --hash=sha256:e0a968b5ba15f8a328fdfd7ab1fcb5af4470c28aaf7e55df02a99bc13138e6e8'

Please kindly tell me how I can resolve it.

Fingerprinting results inaccurate for randomized canvas blockers

Some canvas fingerprinting blockers such as CanvasBlocker for Firefox randomize the result of canvas fingerprinting. This makes the result of canvas fingerprinting look more unique than it actually is.

One way to mitigate this is to test for the canvas fingerprint twice, and see if there is a difference. If there is, report the canvas fingerprint as "unknown".

Tests not finishing

We've had various reports of the tests not finishing with various different addon combinations. Creating a master ticket for this.

Expose `randomized_results` in the final report

I would be interested to see the number of randomized results (defined here) in the final report. Also, terming a fingerprint that is randomized but where the number of randomized_results < 4 as unique might be misleading... (cf. Tor Browser 10.0a6).

Tests stating no protection with Privacy Badger and Firefox

Since version 2020.10.7 of Privacy Badger, the Panopticlick tests in Firefox 82.X are stating that there are no active protections against anything and recommending to install Privacy Badger.


I also tested this with a complete fresh Firefox profile and got the same result. The tracking protection of Firefox itself was inactive for the tests. Privacy Badger does work on other websites, though. And the Chromium-Edge with Privacy Badger and same settings doesn't show this behaviour.

Better explanations for each result category

User feedback:

As a first time user on your site, and as a person who just started to get interested in privacy/security, I would really love some more information on what’s a good result and what’s a bad result on your page. Why not color code the results and give some context to each result, so that a new user can somewhat understand what is a bad or a good result?

For example, I got a (red) No on the Do not track question. What does that mean? Am I not being tracked, am I not not being tracked? In that case, how do I fix that? I think your site would be much more useful if you gave some hints on how to solve any problem, otherwise it is just a site for experts.

What does X bits of information mean? Is that good or bad? Should I aim for a low number or a high number? Same thing for the number of browsers with the same fingerprint…

I don’t even know if I should fix anything, or how, after trying out your site… ☹

Add support for timeZone string

Specifically, Intl.DateTimeFormat().resolvedOptions().timeZone

When we last did a development push on the fingerprinting metrics, browsers lacked support for "computed timeZone"

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/resolvedOptions

Hi,

You're likely aware of this, but the value result for time zone currently displays an integer (240), which is the UTC offset in minutes. Wouldn't the fingerprinting test have more specificity if it used Intl.DateTimeFormat().resolvedOptions().timeZone (when supported) since the result (America/New_York) is a string identifying a city?

Canvas-blockers can break fingerprinting test

Canvas fingerprinting blockers on Firefox can cause the fingerprinting test to fail, if the addon overwrites the toDataURL()-function.
It causes a "TypeError: canvas.toDataURL is not a function".
Catching the error fixes this issue, however further notifications for the test that canvas-fingerprinting has been blocked might be necessary.
I opened up a pull request at #14.
Hopefully this is all there is to this problem.

Whorl-Uniqueness API returns Internal Server Error on valid request

When sending the following POST request:

URL: https://coveryourtracks.eff.org/api/v1/whorl-uniqueness
Data: {"name": "video","value": "1920x767x24" }

the server returns an Internal Server Error.

Expected Behavior:
The server either returns the entropy information (bits, one_in_x) or the Status "Error: that value has not yet been recorded for 'video'".

The same happens for:

  • {"name": "video","value": "1920x766x24" }
  • {"name": "video","value": "1920x769x24" }
  • {"name": "video","value": "1920x770x24" }
  • {"name": "video","value": "1920x771x24" }

Add recommendations for unsupported browsers

When the UA string check detects a browser not supported by Privacy Badger, link to the following recommendations:
iOS Safari -- AdBlock
Safari desktop -- AdBlock
Android Chrome -- Disconnect, AdAway (requires root)
Android Firefox -- AdBlock Plus
Internet Explorer -- Enable tracking protection list

Text should read "We are sorry, but right now Privacy Badger does not support your browser.

We recommend you consider installing one of the following:"
