I was rather surprised that it also indicated that mine was unique ..
I simply run Firefox 24 on Linux, with no scripts and cookies turned
off .. I would have thought that to be relatively common among
security conscience Linux folks.

R.M.

I'm just guessing that these data are being probed via the CSS
@font-face feature somehow(?). Panopticlick is unable to query
System Fonts data from my system, and I'm pretty sure it's because I
have NoScript's 'Forbid @font-face' control enabled (Preferences,
Embeddings, Forbid @font-face).

I note:
http://hackademix.net/2010/03/24/why-noscript-blocks-web-fonts/

I'm getting...

"Within our dataset of several million visitors, only one in 56,746
browsers have the same fingerprint as yours. ... Currently, we
estimate that your browser has a fingerprint that conveys 15.79 bits
of identifying information."

Firefox 24, noscript, self-destructing cookies

Turning on scripts for eff.org, I'm much more identifiyable

"Your browser fingerprint appears to be unique among the 3,461,492
tested so far. ... Currently, we estimate that your browser has a
fingerprint that conveys at least 21.72 bits of identifying
information."

Of course, who's taking this test? People like us.

All,

On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl <***@leitl.org> wrote:
] Who's got a browser that comes up reasonably generic on Panopticlick,
] and what did you do?

On Mon, 07 Oct 2013 13:20:09, Stephan Neuhaus <***@tik.ee.ethz.ch>:
] Firefox with NoScript and Ghostery. About 10 bits of entropy. Not
] perfect, but not bad either.

Useful. Thank you.

With those two, I was able to get my number down to:
...only one in 203,627 browsers have the same fingerprint as yours
(Whereas before, I was "unique among the 3,461,672 tested so far".)

Going further, using NoScript, Ghostery, *and* User Agent Switcher
0.7.3, aiming for the "middle of the population bulge" by selecting:
Browsers - Windows > Firefox 21.0.1 (Win 8 64)
(even though I'm running Iceweasel under Debian), I was able to get my
Panopticlick number down to:
...only one in 8,088 browsers have the same fingerprint as yours

One can fetch the large list of user agents I used for this experiment
from this page of the author of User Agent Switcher:
http://forums.chrispederick.com/discussion/7/a-large-regularly-updated-import-list-of-user-agents
where he mentions (points to):
http://techpatterns.com/forums/about304.html
The file there is useragentswitcher.xml and can be imported directly by
User Agent Switcher (Tools > Default User Agent > User Agent Switcher >
Options... > Import/Export > Import...).

Regards,
Eric
--
"Whereas economic man maximises, selects the best alternative from among
all those available to him, his cousin, administrative man, 'satisfices',
looks for a course of action that is satisfactory or 'good enough'. Be-
cause he treats the world as rather empty and ignores the interrelated-
ness of all things (so stupefying to thought and action), administrative
man can make decisions with relatively simple rules of thumb that do not
make impossible demands upon his capacity for thought." --Herbert Simon

Eric De Mund
***@ixian.com

Or maybe not :)

Sunday - front page of the NY Times:

It has truly reached a point where there awt to bealaw.



http://www.nytimes.com/2013/10/06/technology/selling-secrets-of-phone-users-to-advertisers.html?_r=0

Selling Secrets of Phone Users to Advertisers
By CLAIRE CAIN MILLER and SOMINI SENGUPTA

SAN FRANCISCO — Once, only hairdressers and bartenders knew people’s
secrets.

Now, smartphones know everything — where people go, what they search
for, what they buy, what they do for fun and when they go to bed. That
is why advertisers, and tech companies like Google and Facebook, are
finding new, sophisticated ways to track people on their phones and
reach them with individualized, hypertargeted ads. And they are doing it
without cookies, those tiny bits of code that follow users around the
Internet, because cookies don’t work on mobile devices.

Privacy advocates fear that consumers do not realize just how much of
their private information is on their phones and how much is made
vulnerable simply by downloading and using apps, searching the mobile
Web or even just going about daily life with a phone in your pocket. And
this new focus on tracking users through their devices and online habits
comes against the backdrop of a spirited public debate on privacy and
government surveillance.

On Wednesday, the National Security Agency confirmed it had collected
data from cellphone towers in 2010 and 2011 to locate Americans’
cellphones, though it said it never used the information.

“People don’t understand tracking, whether it’s on the browser or mobile
device, and don’t have any visibility into the practices going on,” said
Jennifer King, who studies privacy at the University of California,
Berkeley and has advised the Federal Trade Commission on mobile
tracking. “Even as a tech professional, it’s often hard to disentangle
what’s happening.”

Drawbridge is one of several start-ups that have figured out how to
follow people without cookies, and to determine that a cellphone, work
computer, home computer and tablet belong to the same person, even if
the devices are in no way connected. Before, logging onto a new device
presented advertisers with a clean slate.

“We’re observing your behaviors and connecting your profile to mobile
devices,” said Eric Rosenblum, chief operating officer at Drawbridge.
But don’t call it tracking. “Tracking is a dirty word,” he said.

Drawbridge, founded by a former Google data scientist, says it has
matched 1.5 billion devices this way, allowing it to deliver mobile ads
based on Web sites the person has visited on a computer. If you research
a Hawaiian vacation on your work desktop, you could see a Hawaii ad that
night on your personal cellphone.

For advertisers, intimate knowledge of users has long been the promise
of mobile phones. But only now are numerous mobile advertising services
that most people have never heard of — like Drawbridge, Flurry, Velti
and SessionM — exploiting that knowledge, largely based on monitoring
the apps we use and the places we go. This makes it ever harder for
mobile users to escape the gaze of private companies, whether insurance
firms or shoemakers.

Ultimately, the tech giants, whose principal business is selling
advertising, stand to gain. Advertisers using the new mobile tracking
methods include Ford Motor, American Express, Fidelity, Expedia, Quiznos
and Groupon.

“In the old days of ad targeting, we give them a list of sites and we’d
say, ‘Women 25 to 45,’ “ said David Katz, the former general manager of
mobile at Groupon and now at Fanatics, the sports merchandise online
retailer. “In the new age, we basically say, ‘Go get us users.’ “

In those old days — just last year — digital advertisers relied mostly
on cookies. But cookies do not attach to apps, which is why they do not
work well on mobile phones and tablets. Cookies generally do work on
mobile browsers, but do not follow people from a phone browser to a
computer browser. The iPhone’s mobile Safari browser blocks third-party
cookies altogether.

Even on PCs, cookies have lost much of their usefulness to advertisers,
largely because of cookie blockers.

Responding to this problem, the Interactive Advertising Bureau started a
group to explore the future of the cookie and alternatives, calling
current online advertising “a lose-lose-lose situation for advertisers,
consumers, publishers and platforms.” Most recently, Google began
considering creating an anonymous identifier tied to its Chrome browser
that could help target ads based on user Web browsing history.

For many advertisers, cookies are becoming irrelevant anyway because
they want to reach people on their mobile devices.

Yet advertising on phones has its limits.

For example, advertisers have so far had no way to know whether an ad
seen on a phone resulted in a visit to a Web site on a computer. They
also have been unable to connect user profiles across devices or even on
the same device, as users jump from the mobile Web to apps.

Without sophisticated tracking, “running mobile advertising is like
throwing money out the window. It’s worse than buying TV
advertisements,” said Ravi Kamran, founder and chief executive of
Trademob, a mobile app marketing and tracking service.

This is why a service that connects multiple devices with one user is so
compelling to marketers.

Drawbridge, which was founded by Kamakshi Sivaramakrishnan, formerly at
AdMob, the Google mobile ad network, has partnerships with various
online publishers and ad exchanges. These send partners a notification
every time a user visits a Web site or mobile app, which is considered
an opportunity to show an ad. Drawbridge watches the notifications for
behavioral patterns and uses statistical modeling to determine the
probability that several devices have the same owner and to assign that
person an anonymous identifier.

So if someone regularly checks a news app on a phone in bed each
morning, browses the same news site from a laptop in the kitchen, visits
from that laptop at an office an hour later and returns that night on a
tablet in the same home, Drawbridge concludes that those devices belong
to the same person. And if that person shopped for airplane tickets at
work, Drawbridge could show that person an airline ad on the tablet that
evening.

Ms. Sivaramakrishnan said its pinpointing was so accurate that it could
show spouses different, personalized ads on a tablet they share. Before,
she said, “ad targeting was about devices, not users, but it’s more
important to understand who the user is.”

Similarly, if you use apps for Google Chrome, Facebook or Amazon on your
cellphone, those companies can track what you search for, buy or post
across your devices when you are logged in.

Other companies, like Flurry, get to know people by the apps they use.

Flurry embeds its software in 350,000 apps on 1.2 billion devices to
help app developers track things like usage. Its tracking software
appears on the phone automatically when people download those apps.
Flurry recently introduced a real-time ad marketplace to send
advertisers an anonymized profile of users the moment they open an app.

Profiles are as detailed as wealthy bookworms who own small businesses
or new mothers who travel for business and like to garden. The company
has even more specific data about users that it does not yet use because
of privacy concerns, said Rahul Bafna, senior director of Flurry.

Wireless carriers know even more about us from our home ZIP codes, like
how much time we spend on mobile apps and which sites we visit on mobile
browsers. Verizon announced in December that its customers could
authorize it to share that information with advertisers in exchange for
coupons. AT&T announced this summer that it would start selling
aggregated customer data to marketers, while offering a way to opt out.

Neither state nor federal law prohibits the collection or sharing of
data by third parties. In California, app developers are required to
post a privacy policy and to clearly state what personal information
they collect and how they share it. Still, that leaves much mystery for
ordinary mobile users.