Panopticlick Hyperbole

2017-12-27

Panopticlick is an Electronic Frontier Foundation (EFF) website intended to show you how easy it is to track you on the internet. As part of this it creates a browser fingerprint. In other words, it looks at all the various pieces of info a browser makes available that might differ between your computer and other computers and turns them into a signature.

Examples include your User Agent string (how the browser shows which version of which browser you're using) and a canvas fingerprint, which relies on the fact that different computers/GPUs/browsers may render the same canvas drawing slightly differently, and those differences can be used to tell one machine from another. There's screen size: your machine might be 1280x720 and someone else's might be 1920x1080 or whatever. Yet another is your time zone; a script can read your browser's UTC offset (and, in current browsers, the time zone name itself) and derive it. There's what headers your browser sends. There's also a WebGL fingerprint, which is similar to the canvas fingerprint: WebGL has many queryable features, like how many textures it can use and what extensions are available, that differ between drivers/GPUs/OSes. You also have a language preference, which a site can use to serve a page in your desired language. Which fonts are installed can be checked too, by enumerating them if you have Flash enabled and, to some degree even if you don't, by measuring how text renders in candidate fonts. It can also check which plugins you have installed.

The site takes all of that info, makes a signature, and then tells you how unique your browser is.

In my case it claims my Mid 2014 MacBook Pro is nearly 1 in a million. To put that in perspective it's claiming for basically all of Japan there are at most 14 other people that have the same machine using the same setup (Chrome, Language = English, Timezone = Japan, Screen = 1680x1050, certain fonts, etc.)

That may be true. I have no idea but it seemed a little fishy.

So I thought, let's try my iPhone. I did this originally with my iPhone 6S Plus but it really doesn't matter. Checking with my iPhone X using Safari in Los Angeles with the language set to English, it tells me that my browser is one of 493332.5 browsers.

Well let's analyze that number.

First it knows my time zone is Pacific Standard Time (PST). Other than that, 100% of the other info should match every iPhone X in the Pacific time zone. You can't install plugins on iPhones, so the plugins list will be the same for every phone. The screen size is the same for every iPhone X. The canvas and WebGL signatures will be the same for every iPhone X on the same iOS version, since it is the same GPU, driver and browser engine. You can't install fonts either, so the font list will be the same for every iPhone X. Similarly the User Agent will be the same, or at least the same for everyone on the same version of the OS.

Checking various sources, we can make a conservative estimate that there are at least 53 million people in the PST, as it includes cities like Los Angeles, San Diego, Seattle, San Francisco, Portland and others. According to other stats, at least 50% of those people own a smartphone. According to more stats, iPhone has at least a 20% market share in the PST. People upgrade iPhones pretty quickly, but let's assume conservatively that only 10% of those people that have an iPhone have an iPhone X. That means there are at least 53,000,000 * 50% * 20% * 10%, or 530,000, iPhone Xs in the PST. That doesn't seem like an unreasonable number.

And yet, based on Panopticlick, it's telling me I'm one out of 493332.5. In other words it's telling me that in all of the PST there are at most 10 (ten) iPhone Xs. That's it. 10 phones! Clearly that's pure BULLSHIT!

In their defense, they're claiming it's one of 493332.5 in their database. Their database is rotated every 3 months, so if no other iPhone Xs have visited their site from the PST then yes, the number might be accurate. But that's an irrelevant point. If a company wants to track people across sites, it wants to track lots of people across lots of sites. Each site will have thousands or millions of visitors. All 500k plus iPhone X users in the PST are indistinguishable by fingerprint across all of those sites, so using this fingerprint will not help them track those users in the least.
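The same arithmetic written out, as an added example that is not the post's own calculation or anything from Panopticlick. It converts a "one in N" figure into bits of identifying information and into the expected size of the anonymity set in a real population, using the post's own estimates. How a sample-based service arrives at its "one in N" (database size divided by the number of matching entries) is an assumption, labelled as such in the code.

```javascript
// Added example, not from the post: the arithmetic behind a "one in N
// browsers" figure, so a number like 493332.5 can be checked against the
// size of the real anonymity set. Population figures are the post's own
// estimates; the reportedRarity formula is an assumption (see its comment).

// Identifying information carried by a fingerprint with frequency 1/N, in
// bits. A fingerprint unique among N browsers carries log2(N) bits; about
// 33 bits are enough to pick out one person among everyone alive.
function bitsOfInformation(oneInN) {
  return Math.log2(oneInN);
}

// How a sample-based service can arrive at "one in N": database size divided
// by the number of stored entries identical to yours, yourself included.
// Assumption: this is the formula behind the quoted figure. If so, a
// half-integer result like 493332.5 can only come from an even number of
// matching entries, i.e. at least one other identical visitor.
function reportedRarity(databaseSize, identicalEntries) {
  if (identicalEntries < 1) throw new RangeError("your own entry is always in the sample");
  return databaseSize / identicalEntries;
}

// Apply a chain of market-share fractions to a base population.
function estimateDeviceCount(population, fractions) {
  return fractions.reduce((count, f) => count * f, population);
}

// Expected number of browsers in `population` that share a fingerprint of
// frequency 1/N: the anonymity set a cross-site tracker actually faces.
function expectedMatches(population, oneInN) {
  return population / oneInN;
}

// The post's estimates for the Pacific time zone.
const PST_POPULATION = 53e6;
const SMARTPHONE_SHARE = 0.5;
const IPHONE_SHARE = 0.2;
const IPHONE_X_SHARE = 0.1;

// Carry the post's comparison through and return every intermediate value.
function worked() {
  const reported = reportedRarity(986665, 2); // one way to get exactly 493332.5
  const smartphones = estimateDeviceCount(PST_POPULATION, [SMARTPHONE_SHARE]);
  const iphones = estimateDeviceCount(smartphones, [IPHONE_SHARE]);
  const estimatedIphoneXs = estimateDeviceCount(iphones, [IPHONE_X_SHARE]);
  return {
    reported,                                    // 493332.5
    bits: bitsOfInformation(reported),           // about 18.9 bits
    estimatedIphoneXs,                           // 530000
    // If the fingerprint really were that rare among Pacific iPhone browsers,
    // this is how many iPhone Xs the figure implies exist there.
    impliedIphoneXs: expectedMatches(iphones, reported), // about 10.7
    // Every iPhone X on the same iOS version shares the fingerprint, so its
    // real frequency among Pacific smartphone browsers is far higher.
    trueRarity: smartphones / estimatedIphoneXs,                    // one in 50
    trueBits: bitsOfInformation(smartphones / estimatedIphoneXs),   // about 5.6 bits
  };
}

console.log(worked());
```

The gap between bits (about 19) and trueBits (about 5.6) is the post's complaint in numbers: the sample-based figure measures how often the fingerprint has been seen in one site's database, not how many real devices share it, and only the latter matters to a tracker.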

I'm all for the EFF warning people about the issues of tech. I'm a sponsor of the EFF, giving a not so small donation each year. But COME ON! Exaggerating these issues does nothing to help the EFF's case. Instead it makes the EFF seem untrustworthy. If I can poke huge holes in this, how do I know that all the EFF's other press releases and issues are not similarly exaggerated?

EFF, please stop this hyperbole. You're only hurting your own cause.
