I’ve been experimenting with ways to reduce my browser fingerprint and exploring techniques to anonymize fingerprint data.
So I built this.
This is kind of like a lighter, more thorough version of CreepJS but entirely client side. I don’t maintain massive lists of time zones or do server-side comparisons to calculate uniqueness. Instead, it automatically surfaces everything a browser exposes, explaining each item in detail.
I'm really frustrated with these types of websites because they tell me nothing.
What I'd love for these sites to do is help me understand where I am distributionally. How unique am I? On what? Help me understand what needs to be fixed and what my threat vector is.
The problem with these is that I'm always unique. Doesn't matter what browser I'm on or what. If I am unique on a clean Apple laptop in either Safari or Chrome then it is essentially meaningless. I got controlled hardware and vanilla software, how else do you blend into the crowd?
But in the wild sites aren't always implementing all these features. So I want to see if I'm unique to standard site or even one that is a bit more heavy. Importantly HOW unique am I? What things am I not unique, how unique am I, and what are the most unique things about me?
Having that information gives me the ability to do something about it. Without that information then this is just like any other website where essentially the message is "be scared! People can track you on the internet and there's nothing you can do about it!"
> What I'd love for these sites to do is help me understand where I am distributionally. How unique am I? On what? Help me understand what needs to be fixed and what my threat vector is.
To critique that (and maybe suggest what OP can do to make theirs better) is that there's poor visualization. What's great is that it tells me there right in center
> Our tests indicate *that you have **strong protection against Web tracking***.
> Blocking tracking ads? Yes
Blocking invisible trackers? Yes
Protecting you from fingerprinting? Your browser has a nearly-unique fingerprint
But give me some visualization. Sentences like
Bits of identifying information: 6.76
One in x browsers have this value: 108.61
Are not super helpful, though they should exist. Showing a density plot[0] is very useful[1]. It gives the user more information, telling them where they need to go. Even a simple replacement to
One in *108.61* browsers have this value
Makes things easier to read.
In an ideal setting I think the site should suggest to users what they should change and show them where they could be with the new settings. Letting them play around and adjust a some settings.
I know I'm being nitpicky here and to be honest I think the EFF version is "good enough" but I still think adding such visualizations and letting users "see" the results makes things easier to understand and can help them know what to do.
[1] In this case it isn't going to be continuous since I pulled from the User agent so this will have more discrete bins. Helping inform the user would be seeing the proportion of those other bins. That way they know what to change their user agent to!
You're 100% right. The raw fingerprint dumps alone are not actually useful unless you can compare them to a population.
And creating that comparison is far harder than people think. To answer "How unique am I?" I need a large, representative dataset of fingerprints collected over time and ideally weighted by how often real websites use each feature. That would require running an backend and database.
It’s something I’d like to build eventually, but only in a privacy-preserving, opt-in way that aligns with the spirit of the project.
I know I'm criticizing, but I do also want to make sure to say good job. I don't want to make it seem like I'm unhappy, if that makes sense.
For privacy prevention, maybe you can help me understand something better then. I was under the impression that for the most part, each fingerprinting technique itself was not enough to identify someone, but it is the collection of them. So in that setting, would not showing the distribution of the individual metrics likely preserve privacy? I can certainly see some subtle naive trap existing here that I'm not aware of but do you know of one? I at least would think things such as agent, dark mode, and some other things shouldn't risk deanonymization. Though clearly things like coordinates, unique fingerprints, and probably even the canvas fingerprinting shouldn't be shared. As long as each data point isn't associated with others and you have a decent sample size. But also I'd love to learn if I'm missing something important.
Hi, thank you for going through the trouble of putting this together. This sort of service is invaluable as it allows us clueless people to be mindful about something that negatively impacts our life.
Here's a suggestion: it's important to show us that our browser footprint allows us to be positively identified and tracked, but it only alerts us to a problem. It would be very useful if the site also provided some tips to improve anonymity, particularly if it's low-effort changes such as tweaking a couple of config changes.
It's not zero pieces of info but it's also not close to as bad as it looks. Effectively, everyone who has, say an NVidia GPU, will likely have the same list of features and limits.
As a more general example: The number is just a flat out wrong
> Unique to 1 in 2,147,483,648+ devices.
No, I have an iPhone Pro and am in the PST time zone, set to English. It has the exact same finger print as millions of other devices among the 40 million people in the PST time zone. In general, The only things different between 2 iPhones of the same model are time-zone, laguange setting, and font size.
Beyond the obvious IP address difference, there are other way to fingerprint you, see
https://coveryourtracks.eff.org/
which will actually provide details about how you're a special snowflake, tracked by advertisers.
> No, I have an iPhone Pro and am in the PST time zone, set to English. It has the exact same finger print as millions of other devices among the 40 million people in the PST time zone.
Your IP address, ASN, and location make this not true.
Is it possible and cost-covering to create an ad-sponsored service that discloses what ad networks collect about users - i.e. age, location, preferences, interests, pregnancy, illnesses etc?
Because let’s be honest - all of us know that a lot of data points are being collected about us, countless articles have been written about the insanity of cookie and user-data monetization networks - still it appears to be a privilege to few to tap into that data trove.
I personally haven’t seen an effort to try and make this transparent. Efforts like this page are commendable and informative, much like amiunique or other services - still they lack the tangible information that sharing this information with “the world” reveals about an affected individual.
Why hasn’t this been done yet? Why is this seemingly not trivial?
I'm not sure how that would work from an ad-buying perspective, from what I understand you essentially choose which buckets you'd like to show ads to? Like I don't think ad-buyers get the whole dossier for the person they're showing ads to, the platform just decides "from what you've told us, this person seems likely to like your ads"
If you reload the page a few times, and you're using a modern browser, you'll almost certainly find it's a different fingerprint every time. Most modern browsers add in a randomization so that fingerprinting cannot be used for tracking.
So yes, your fingerprint is unique, but it's a different unique every time, making it pretty useless for anything.
Seems right, I'm on "Mozilla/5.0 (X11; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0" and reloading the page I get a new fingerprint each time. "Unique Fingerprint ID" seems to be the only attribute that changes each reload, but it isn't clear how that's derived.
Edit: Ah, turns out "Unique Fingerprint ID" is just the same fingerprint ID printed at the top, it isn't one of the attribute used for calculating the ID, it is the ID. Guess I got confused by the placement of it.
It's highly unlikely they obtained 17 billion samples, so they're likely guesstimating it by assuming each attribute is independent, and summing the entropy of all attributes. That's obviously incorrect, both because attributes are inevitably going to be correlated (eg. ip geolocation correlated with time zone), and that two identical devices (eg. 2 iPhones) will have identical fingerprints.
I would love to be able to toggle an attribute off/on to see what affect each has on the uniqueness of my fingerprint. My guess is that there are a handful of _very_ unique things, that if obscured, would make one less recognisable.
that site has the same issue. It will give ridiculous and easily provably false results for iPhones.
There are ~40 million in the PST time-zone. Some percent have smartphones (80%+), ~50% of those are iPhones (16 million). Of those, the majority are set it English (80%+), and are divided into screen sizes. But basically, if you have an iPhone, you have the same fingerprint has at least a million other other people in the PST time size. You are at best, 1 of 100, not 1 of x,xxx,xxx,xxx.
You might be x,xxx,xxx,xxx of people who visited that unpopular site but no one needs tracking on an unpopular site. On a popular site you will not have a unique finger print.
What we need is VPB. Virtual Private Browser like VPNs. Essentially standardised cloud browsers that can execute your requests and send you back the result as bitmap buffers.
Not all websites work well, and you get a lot of captchas last time I tried it. From memory the way they make this work is pretty cool though, they capture Skia draw commands and send those over the network and use a wasm library to replay them.
Great idea! How to make sure that the users data stays private without the cloud knowing where the user is surfing. And I wonder how to monetise it? Subscription?
I get a new fingerprint id everytime I refresh the page (firefox, linux) -- so that might be sampling a tiny bit too much.
audio and canvas fingerprint are constant though so it's probably plenty enough...
Yet on the flip side, if I’m trying to auto identify my own phone for a login-less private app i tried to build I couldn’t get to reliably generate a consistent fingerprint on safari private mode, it regenerates 50% of the time, I’ve tried several libraries like fingerprintjs and co..
Fwiw, I use Tailscale/wireguard and take care to ensure the source IP gets fed to apps properly. This makes it easy to guarantee I have a reliable way to identify myself on my webapps and auto-auth.
When I see discussion around browser fingerprinting, the proposed defense generally seems to be that you should blend into the crowd by aquiring a common fingerprint.
I wonder how difficult to implement a solution where instead you randomly adjust your fingerprint as you move between sites would be.
The main "Fingerprint ID" on this site seems to be a direct combination of all values, so if even a single one changes it'll act like the only conclusion is this is an entirely different fingerprint. Actual fingerprinting is a bit smarter, but it's not really possible to demonstrate that in a single clientside scripted static web page.
The more important bit to see from this tool is probably "this is an example of how much information which can aid in identification your browser exposes".
I tried with Windows 7 (Firefox 115) and it reports Windows 7.
It seems though that it cannot distinguish between Windows 10 and Windows 11, so, without looking further, I suppose the detection is based on the User-Agent string? (The OS version browsers report on Windows is frozen, so Windows 10 and Windows 11 have the same version there.)
Yeah but several of those will also be the same if you have the same iPhone model and iOS. Safari browser updates are installed as part of iOS update. So anyone with the same iOS version has the same version of Safari.
But to what extent should we care for such a small website? The AI witch hunt won't get us too far, and this new way of producing is only getting started. The loss of control to a non-deterministic black box is worrysome, but at some point non-vibe coded (hard coded? brain coded?) software might become less error-prone that vibe-coded
The currency and telephone number prefix info is highly misleading. Those are being assumed based on my IP, not being reported by the browser. Knowing some of this data is fabricated like this makes the site seem less credible.
I believe this comes from the (browser self-reported) navigator.platform, which is reported as MacIntel on all Chrome for Mac versions including Apple Silicon.
this seems incredibly variable as to be almost useless as any type of "fingerprint" - running the latest version of Chrome on Android, the ID at the top of the page changes each reload.
Thanks! The Unique Fingerprint ID is basically a hash of all the collected fingerprint fields. [1]
The Canvas Deep Fingerprint Hash is higher entropy and includes baseline shapes, emoji rendering, winding rules etc. [2]. It’s meant to capture subtle rendering differences between systems.
For example, in the DRM section, they extract the Security Level, like L3 – Software Decode (SW_SECURE_DECODE).
Their WebRTC test is also unique: they utilize a TURN server as a feedback mechanism. That means even if you tamper with WebRTC JS in the browser (like some extensions do), it can still expose your real IP by leveraging UDP and bypassing the proxy altogether.
https://scrapfly.io/web-scraping-tools/webrtc-leak
This is useless. I think you misunderstand the point of fingerprinting. A powerful fingerprinting algo should strive to detect you as the same person (aprox) while you use two different browsers. A more powerful one will detect you while you use another device. This only detect your current refresh.
Thanks for pointing this out. At first, I was concerned – “Unique to 1 in 2,147,483,648+ devices” – but, my fingerprint ID changes with each page refresh, so there's no tracking possible. I'm using Brave on iOS.
I’ve been experimenting with ways to reduce my browser fingerprint and exploring techniques to anonymize fingerprint data.
So I built this.
This is kind of like a lighter, more thorough version of CreepJS but entirely client side. I don’t maintain massive lists of time zones or do server-side comparisons to calculate uniqueness. Instead, it automatically surfaces everything a browser exposes, explaining each item in detail.
What I'd love for these sites to do is help me understand where I am distributionally. How unique am I? On what? Help me understand what needs to be fixed and what my threat vector is.
The problem with these is that I'm always unique. Doesn't matter what browser I'm on or what. If I am unique on a clean Apple laptop in either Safari or Chrome then it is essentially meaningless. I got controlled hardware and vanilla software, how else do you blend into the crowd?
But in the wild sites aren't always implementing all these features. So I want to see if I'm unique to standard site or even one that is a bit more heavy. Importantly HOW unique am I? What things am I not unique, how unique am I, and what are the most unique things about me?
Having that information gives me the ability to do something about it. Without that information then this is just like any other website where essentially the message is "be scared! People can track you on the internet and there's nothing you can do about it!"
This EFF tool does this https://coveryourtracks.eff.org/
To critique that (and maybe suggest what OP can do to make theirs better) is that there's poor visualization. What's great is that it tells me there right in center
But give me some visualization. Sentences like Are not super helpful, though they should exist. Showing a density plot[0] is very useful[1]. It gives the user more information, telling them where they need to go. Even a simple replacement to Makes things easier to read.In an ideal setting I think the site should suggest to users what they should change and show them where they could be with the new settings. Letting them play around and adjust a some settings.
I know I'm being nitpicky here and to be honest I think the EFF version is "good enough" but I still think adding such visualizations and letting users "see" the results makes things easier to understand and can help them know what to do.
[0] https://seaborn.pydata.org/generated/seaborn.kdeplot.html
[1] In this case it isn't going to be continuous since I pulled from the User agent so this will have more discrete bins. Helping inform the user would be seeing the proportion of those other bins. That way they know what to change their user agent to!
And creating that comparison is far harder than people think. To answer "How unique am I?" I need a large, representative dataset of fingerprints collected over time and ideally weighted by how often real websites use each feature. That would require running an backend and database.
It’s something I’d like to build eventually, but only in a privacy-preserving, opt-in way that aligns with the spirit of the project.
For privacy prevention, maybe you can help me understand something better then. I was under the impression that for the most part, each fingerprinting technique itself was not enough to identify someone, but it is the collection of them. So in that setting, would not showing the distribution of the individual metrics likely preserve privacy? I can certainly see some subtle naive trap existing here that I'm not aware of but do you know of one? I at least would think things such as agent, dark mode, and some other things shouldn't risk deanonymization. Though clearly things like coordinates, unique fingerprints, and probably even the canvas fingerprinting shouldn't be shared. As long as each data point isn't associated with others and you have a decent sample size. But also I'd love to learn if I'm missing something important.
Here's a suggestion: it's important to show us that our browser footprint allows us to be positively identified and tracked, but it only alerts us to a problem. It would be very useful if the site also provided some tips to improve anonymity, particularly if it's low-effort changes such as tweaking a couple of config changes.
https://webgpureport.org/
But, they are bucketed
https://www.w3.org/TR/webgpu/#privacy-considerations
It's not zero pieces of info but it's also not close to as bad as it looks. Effectively, everyone who has, say an NVidia GPU, will likely have the same list of features and limits.
As a more general example: The number is just a flat out wrong
> Unique to 1 in 2,147,483,648+ devices.
No, I have an iPhone Pro and am in the PST time zone, set to English. It has the exact same finger print as millions of other devices among the 40 million people in the PST time zone. In general, The only things different between 2 iPhones of the same model are time-zone, laguange setting, and font size.
Please STOP EXAGGERATING!
Your IP address, ASN, and location make this not true.
you walked right by the chance to call it WeirdoJS
Because let’s be honest - all of us know that a lot of data points are being collected about us, countless articles have been written about the insanity of cookie and user-data monetization networks - still it appears to be a privilege to few to tap into that data trove.
I personally haven’t seen an effort to try and make this transparent. Efforts like this page are commendable and informative, much like amiunique or other services - still they lack the tangible information that sharing this information with “the world” reveals about an affected individual.
Why hasn’t this been done yet? Why is this seemingly not trivial?
https://myadcenter.google.com/controls
I'm not sure how that would work from an ad-buying perspective, from what I understand you essentially choose which buckets you'd like to show ads to? Like I don't think ad-buyers get the whole dossier for the person they're showing ads to, the platform just decides "from what you've told us, this person seems likely to like your ads"
Or more like "on ad network X you match for keywords A, B, F, G"?
So yes, your fingerprint is unique, but it's a different unique every time, making it pretty useless for anything.
Edit: Ah, turns out "Unique Fingerprint ID" is just the same fingerprint ID printed at the top, it isn't one of the attribute used for calculating the ID, it is the ID. Guess I got confused by the placement of it.
The fingerprint should really only use stable features that don’t fluctuate between reloads. That way it’s consistent for the same device.
I think it even included if your computer was on a desk or moving / shaking, I really want to re-find that.
I know many things have changed with browsers auto sending data, some things are more private and many things are less private.
Someone collab with me on a couple of blog posts about then vs now and examples of what could be inferred by combing data.
No idea how representative either tool is.
For me it says 1 in 17,179,869,184+, but scrolling through all the variables, the vast majority should be the same for any MacBook Chrome user.
It would be great to see the stats of each individual characteristic.
There are ~40 million in the PST time-zone. Some percent have smartphones (80%+), ~50% of those are iPhones (16 million). Of those, the majority are set it English (80%+), and are divided into screen sizes. But basically, if you have an iPhone, you have the same fingerprint has at least a million other other people in the PST time size. You are at best, 1 of 100, not 1 of x,xxx,xxx,xxx.
You might be x,xxx,xxx,xxx of people who visited that unpopular site but no one needs tracking on an unpopular site. On a popular site you will not have a unique finger print.
If the fingerprint ID is unique every time, there is zero possibility of using it for identification.
Or did I misunderstand you?
The more important bit to see from this tool is probably "this is an example of how much information which can aid in identification your browser exposes".
I tried with Windows 7 (Firefox 115) and it reports Windows 7.
It seems though that it cannot distinguish between Windows 10 and Windows 11, so, without looking further, I suppose the detection is based on the User-Agent string? (The OS version browsers report on Windows is frozen, so Windows 10 and Windows 11 have the same version there.)
My iPhone is allegedly unique to 1 in 2,147,483,648+ devices.
But I wonder how true that is, given how many people use the same model and iOS version as me.
And if every option cuts the user base in half, becoming unque is a matter of 33 such options.
Browser type and version
Screen resolution
Installed fonts
Browser plugins and extensions
Canvas fingerprinting data
WebGL (graphics hardware info)
Time zone
Language settings
IP address
HTTP headers
Touch support
Device type
AudioContext
Am I missing something? That doesn’t math the way math should math.
But to what extent should we care for such a small website? The AI witch hunt won't get us too far, and this new way of producing is only getting started. The loss of control to a non-deterministic black box is worrysome, but at some point non-vibe coded (hard coded? brain coded?) software might become less error-prone that vibe-coded
Did you mean more instead of less?
Also I think somebody on HN recently pointed out that the language accept header can be used to fingerprint chromium users.
The Canvas Deep Fingerprint Hash is higher entropy and includes baseline shapes, emoji rendering, winding rules etc. [2]. It’s meant to capture subtle rendering differences between systems.
1. https://github.com/neberej/exposedbydefault/blob/main/src/mo...
2. https://github.com/neberej/exposedbydefault/blob/main/src/mo...
I just get approximate location from your public IP address via an external IP geolocation API (ipapi.co), which usually gives city-level accuracy.
> Impossible to "expose"
The perks of disabling JS on every site!
For example, in the DRM section, they extract the Security Level, like L3 – Software Decode (SW_SECURE_DECODE).
Their WebRTC test is also unique: they utilize a TURN server as a feedback mechanism. That means even if you tamper with WebRTC JS in the browser (like some extensions do), it can still expose your real IP by leveraging UDP and bypassing the proxy altogether. https://scrapfly.io/web-scraping-tools/webrtc-leak
So instead I wonder if we could build an open database of “identities” that our browsers could clone.
That is your browser deliberately reports the whatever is currently the most popular of a set of general identities.
It's important to point out fingerprinting, yet no ordinary user cares.