I wasn't sure if a topic like this goes here at this forum, but here it is anyway. Does anyone know of the various ways that websites that you visit spy on you? Now I know the basic ways that websites spy on you, such as cookies, spyware, malware, viruses, and trojan horses, etc. And I know not to set things up where you are automatically logged into a website when you visit it. And I generally know how to prevent or delete cookies, spyware, and viruses and the like (and I basically use Sandboxie to prevent them in the first place), but what are the slyer, more insidious ways that websites spy on you, and without you knowing about it? Also, I use NoScript where I have to give permission to allow certain sites such as facebook, twitter, googleapis, googlesyndication, doubleclick, etc. to run scripts. And unfortunately, sometimes the site you're at doesn't function properly unless you allow some or all of these sites permission to run scripts. But I was wondering if doing so, if one's IP address gets plugged into these websites. And from there, they aggregate (or even individualize) your IP address' internet activity from other sites that you visit, which also have the same site scripts running. Okay, now am I making sense, or am I pretty off as to how the process works? Also, I know that VPNs are supposed to be pretty helpful in providing users with internet privacy, however, I still have a lot to learn about VPNs and other privacy protections. Any thoughts?
RCGuy, I think at least part of your concerns come under the topic of "Browser Fingerprinting". Any website that does this can "see" what your browser settings/options/add-ons are. In other words ... do you stand out from the "herd" ... and how much? For a good explanation of this (and an anonymous test of your browser) have a look at https://panopticlick.eff.org/ from the Electronic Frontier Foundation: https://www.eff.org/about
Use VPNs. Compartmentalize: vLANs, machines, VMs, VPNs, Tor, etc. Fragment into multiple personas, and blend each into some suitable crowd.
So I take the tracking test and it says my fingerprint is unique among 5 million tested so far. Then I take it again with a slightly different configuration and the results are, shall we say, half as unique... one in 2.5 million. Which result is better from a tracking standpoint? The more unique, the more trackable?
Yes, more unique = more trackable. There's also IP address, of course. The Tor browser, for example, is designed for all installs to look the same. Even on Linux, websites see you as using Firefox on Windows, or at least as the Tor browser impostor of that. Until you change window size, anyway.
I'd be interested in what result others get when checking out the site posted by quietman, in particular the browser fingerprint uniqueness. https://panopticlick.eff.org/
https://panopticlick.eff.org/ and a lot of other things from EFF (https://www.eff.org/code) are great. It's what I use anyway. https://www.eff.org/privacybadger is in beta, but I've never had much issue with it. Worth checking out. And then, also something I put in my signature, https://prism-break.org/. It's a great collection of stuff to check out.
Don't read too much into the results you see there. That site takes a small fraction of the variables and tracking/fingerprinting methods into consideration. The results don't reflect reality. For example, I can reduce my "uniqueness" as they measure it by not sending plugin information, user agent, etc. If I send nothing at all, then there's nothing unique in my fingerprint. Unfortunately, my lack of a fingerprint becomes a fingerprint in itself that is probably very unique. Some additional factors that haven't been mentioned in this thread that are also useful for tracking/fingerprinting purposes: Connections to other sites such as ads, trackers, Google links, Facebook, Twitter, etc. buttons. Are all 3rd party links blocked or just some of them? What is and isn't blocked can point to what, if anything, you use to control these connections, e.g. Ghostery, Request Policy, etc. That pattern can be part of an overall fingerprint. The Canvas fingerprinting issue from July of last year. The results or lack of them is an identifiable characteristic. ETags can be unique identifiers/trackers. Only a small percentage of users block them. Doing so is part of your fingerprint. I suspect that if someone takes the time to assemble all of the fingerprintable characteristics that are possible, every user will appear unique.
Here are results using Tor browser bundle. First, with Javascript blocked by NoScript ... ... and then with Javascript allowed ...
No. Blocking Javascript reduces uniqueness, as the site measures it. With Javascript blocked, ~9500 out of five million have the same fingerprint as mine. With Javascript allowed, only ~4 out of five million do. But that's just because the site needs Javascript to see stuff. I'm not sure what that means in practice.
I'm just speculating here. The people that test with Panopticlick are not typical of most internet users. They're part of the small percentage that values their internet privacy enough to try to test it. Panopticlick's numbers are not taken from a random sample of users by any means. You mentioned javascript. Using it as an example, the vast majority of users don't disable javascript. Most of them don't even know what it is, let alone how it can be used to track people or invade their privacy. The majority don't seem to care about these things or have no idea how to deal with them. Disabling javascript puts you into a very small category of users. That in itself is an identifiable characteristic. In many ways it's a tradeoff. On one hand, it puts you into a group that's a small percentage of users. On the other, it prevents javascript being used to get more detailed information about you and your system. Their test results are comparing your system to those of other privacy-conscious users. The results are just a representation of how much identifiable information your system reveals when compared to like-minded users. Use the results of Mirimir's first test for instance. A browser/system that only reveals 9.04 bits of identifiable information is not normal. Only a very small percentage of users will go to that extreme. Those results are very identifiable and trackable, just because they give no information. If you want to truly "blend in", your browser and OS need to be a total spy and snitch. The typical system tells sites, trackers, etc. most everything that they want to know. Browsers and the internet are deliberately designed that way and are getting worse.
I am in trouble now. If I test at Panopticlick with JS enabled, my browser is UNIQUE: Your browser fingerprint appears to be unique among the 5,209,316 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 22.31 bits of identifying information. When I disable JS: Within our dataset of several million visitors, only one in 651,165 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 19.31 bits of identifying information. How should I try to fix it? I guess part of the problem is the many extensions I have, maybe these give a unique configuration.
Yes, that's probably it. The solution, I think, is to use Tor when you want to blend in, and VPNs with locked-down/tooled-up browsers when you want to be pseudonymous and maximally secure.
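An added illustration, not part of any post in this thread: how the "bits of identifying information" figures quoted above follow from the share of browsers with the same fingerprint, and why a rare "reveals nothing" configuration is still easy to single out. The population is constructed sample data and the function names are hypothetical.

```python
import math
from collections import Counter

def surprisal_bits(matching, total):
    """Bits of identifying information when `matching` of `total` browsers share a fingerprint."""
    if not 0 < matching <= total:
        raise ValueError("need 0 < matching <= total")
    return math.log2(total / matching)

def anonymity_sets(population):
    """Return {fingerprint: (anonymity_set_size, bits)} for a list of fingerprints."""
    total = len(population)
    return {fp: (n, surprisal_bits(n, total)) for fp, n in Counter(population).items()}

def most_identifiable(population):
    """Fingerprint shared by the fewest browsers, i.e. the easiest one to track."""
    sets = anonymity_sets(population)
    return min(sets, key=lambda fp: sets[fp][0])

# Constructed sample population (not real data): (user agent, JavaScript, plugin list).
BLANK = ("", "js-off", "")  # a browser that reports nothing at all
POPULATION = (
    [("Firefox/Windows", "js-on", "flash,java")] * 600
    + [("Chrome/Windows", "js-on", "flash")] * 360
    + [("Firefox/Windows", "js-off", "")] * 32
    + [BLANK] * 8
)

if __name__ == "__main__":
    # Figures quoted in the thread: "one in 651,165" and "~9500 out of five million".
    print(f"1 in 651,165       -> {surprisal_bits(1, 651_165):.2f} bits")
    print(f"9,500 in 5,000,000 -> {surprisal_bits(9_500, 5_000_000):.2f} bits")
    # Per-fingerprint anonymity sets in the constructed population, largest first.
    ranked = sorted(anonymity_sets(POPULATION).items(), key=lambda kv: -kv[1][0])
    for fp, (size, bits) in ranked:
        print(f"{size:4d} browsers, {bits:5.2f} bits: {fp}")
    print("smallest anonymity set:", most_identifiable(POPULATION))
```

In this constructed population the browser that sends nothing has the smallest anonymity set (8 of 1,000, about 7 bits), while the most common configuration carries under 1 bit.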
Thank you for your replies, everyone. There was a lot of interesting and helpful information provided. Plus, there was the opening of a few cans too. Also, I will be replying to individual posts as needed. Thank you.
Mirimir, do you know if VPN software can be purchased at brick and mortar stores? The reason why I ask is because even though protection software companies are supposed to be on your side, I still feel that purchasing from them online is a privacy indicator. Even though, I do admit that I purchase from amazon.com and other online merchandise vendors all the time. However, I kind of feel like that's not the same thing. Also, I looked up what Tor is, and is having Tor as good as having VPN software? (Plus, I noticed that Tor is free.) Or in other words, can you have one or the other, or is having both of them better? Plus, are VMs virtual machines? And is using the Sandboxie program sufficient enough? Or are you talking about something else? Additionally, are you recommending all of the items that you mentioned in your post, or would only some of them be sufficient? Also, you said to: "Fragment into multiple personas, and blend each into some suitable crowd." Now if you're talking about having something like multiple email addresses and multiple internet forum accounts and screen names, then I am already doing that. But if you are talking about something else, could you please explain.
I clicked on the panopticlick site before, and it looks like I got similar java and non-java results as everyone else (while sandboxed), but couldn't printscreen them. But when I tried reversing NoScript for that site, it stalled and wouldn't open. Also, my NoScript says "Forbid about:neterror" for that site. But I closed my browser and deleted my sandbox session, but then after opening up a new window and logging back into Wilders again, I clicked on panopticlick and had the same result, even though deleting the previous sandbox session should have cleared everything that I did with NoScript. Can anyone else get through to panopticlick?
Your browser fingerprint appears to be unique among the 5,212,045 tested so far. ^ Oh well, what do I need to do?
I guess my problem (and maybe yours too) is also due to uMatrix's Agent Spoofing. Basically uMatrix spoofs it to an old version of browsers, (like Chrome 37 or 3. This is unlikely, for most users they get updated automatically. EDIT: not true. Tested Chrome in incognito mode. Same results. Tested Firefox with pretty standard add-ons, actually AdGuard only. Same results (plus a couple of warnings from FF due to outdated plug-ins).
Guys, you're not going to get past Panopticlick (or similar tracking methods) on your daily machine (at least not to the extent you'll blend in with a common unique setup). You'd have to use, as mirimir also said, the Tor browser or https://tails.boum.org/ The only other solution I'd see is if someone made an Android tablet distro catered to a very select few tablet models, and they all forced the same software. Cause then you'd have possibly a few thousand users with the same setup all over the globe. But, you'd be sacrificing your customization of course.
One can receive similar results on this test without using Tor browser bundle and NoScript. Not exactly the same, but very close.
I'm sure. But please give examples. I picked Tor browser because my browser setups are generally unique. Too many add-ons. However, my various VMs, through laziness over time, are different distros/versions, with different browsers with different sets of add-ons, which have different VPN exits. Each one is unique, but they're probably not the same. For Mirimir, that's all that matters.
I like Tor, just no more a fan of Firefox. Add-ons, whether plugins or extensions, can be a giveaway and, correct me if I'm wrong, depending on what you use, are not recommended while using Tor. TBB I haven't used for some time now, but I recall it was bundled with NoScript and HTTPS Everywhere extensions. Have used both before. I currently use Pale Moon on Windows. Linux is currently on hold, but if you have a good recommendation on browser and distro that I can dual boot then I'm open to suggestions. The test at Panopticlick was done using Pale Moon with no plugins or extensions & JavaScript disabled. There were about:config settings changed that are the same as TBB (e.g. user agent string was modified).