I heard about a new browser fingerprinting software in Techlore’s most recent Surveillance Report podcast. This software claims to be 99.5% accurate in tracking users, somehow keeping tracks of apps they have installed?
I’m not sure about the specifics, but they have a demo they can run on your browser (fingerprintjs.com/demo) which gives you a unique identifier which can be used to track your across sites and even browsers.
I decided to test whether the identifier provided in the demo could track me across various instances of a Tor Browser (AnonDist) running off a whonix-ws-15-dvm template.
I first began testing a single instance of the browser DispVM.
Test 1: I went to the above link to the demo and disabled HTML canvassing as soon as the icon popped up in the address bar, and I got this identifier (scrambled for this post because why not): UH0L8FDA6TQNVA3PPBV7
Test 2: After using Tor Browser’s “New Identity” feature, and visiting the demo site, and disabling HTML canvassing as soon as the icon popped up, I got a new identifier: GS2H8RFCFLA1JGSMVJEV
, meaning a website implementing this fingerprinting software would not be able to use the identifiers it provided to correlate my “previous identity” visit to the site with my “new identity” visit (assuming finerprint.js is not lying about the efficacy of their demo to Tor exit node).
Test 3: I then tried to see how effective using the “New Circuit” or simply refreshing the webpage would be. These are not effective. I was given the same identifier 9JBEFLKLZZ1FQYI3YSWM
after both using the “New Circuit” feature and refreshing the webpage (I wouldn’t expect simply refreshing to have an effect).
Test 4: I then tried to see how effective the software would be with HTML canvassing enabled. Even with canvassing enabled, the software did not provide the same identifier across “New Identities,” leaving this feature as the most effective feature to prevent tracking in a single instance of a Whonix VM. There was no change regarding a “New Circuit” or refreshing the page (the identifier was the same, meaning I was still tracked).
Side Note: the software listed by browser as a Firefox on Windows 10 (LOL). I’m not sure if it’s the way my laptop screen renders images or some peculiar trait of Tor or Whonix, but congratulations to whoever managed to convince this company I’m using Windows.
Bonus Test: I fired up another Tor Browser (AnonDist) from the whonix-ws-15-dvm template and visited the demo website leaving almost no time gap between each instance. I first disabled HTML canvassing, and got different identifiers in each instance of the Browser (really, OS). I then gave each browser a “New Identity” and enabled HTML canvassing, and I still got different identifiers in each browser instance.
Conclusions: it seems that fingerprint.js has a difficult time tracking Tor Browsers which are part of a Whonix VM. I would really love to have some people test this on other Tor Browsers running in Qubes, other GNU/Linux distros, as well as Mac and Windows.