This tool is deeply flawed. Fingerprinting protection is sometimes done by binning, which this tool rewards, and is sometimes done by randomizing, which this tool harshly punishes. The net result is it generally guides you away from the strongest protection.

The flip side of this, having the complementary flaw of testing only persistence, not uniqueness, is (warning, real tracking link) fingerprinting.com/demo. You can try resetting your ID and seeing if it changes here. Since tracking requires (a degree of) uniqueness AND (a degree of) persistence, the danger signal is only failing both the EFF test and this test.

Failing both is a requirement to derive meaning, not being lax: measuring only uniqueness would fail a random number generator, and measuring only persistence would fail the number 4.

You make an interesting point on binning vs randomization. I'm not an expert but to me your point is consistent with Tor having the "best protection" according to the website, because I know that Tor's strategy is binning. However, this is what actually makes sense for many variables though. For example, font sizes come in integers. If you're trying to be clever by "randomizing" and claiming to use decimal-sized, you might be the only person in the world to do so and immediately fingerprinted. So I think that randomization might indeed be a bad idea in many cases.

Your link doesn't work though. I just get "file not found".

Sorry, fixed link: https://demo.fingerprint.com/playground.

I agree on randomization, but there are other places where it doesn’t stick out like that. I’ll look up specifics if I find the time, but I think reading canvas data without permission is one place it’s utilized, including by Tor.

It seems to reward totally unique randomized fingerprints also, which is maybe not great.

Regular OS X safari: Our tests indicate that you have strong protection against Web tracking.

>Your browser fingerprint has been randomized among the 378,837 tested in the past 45 days. Although sophisticated adversaries may still be able to track you to some extent, randomization provides a very strong protection against tracking companies trying to fingerprint your browser.

>Currently, we estimate that your browser has a fingerprint that conveys at least 18.53 bits of identifying information.

Anyway, this test doesn't really communicate the results very well. Yes, Tor browser stands out. No, it's not easy to differentiate between different Tor browser users via this kind of fingerprinting.

Huh, I use a "stock" (I think?) MacOS Safari and got "Your browser has a nearly-unique fingerprint" and "Partial protection" for ads and invisible trackers.

Did you change a setting or add an ad blocker or something?

edit: I feel like someone with a username "monerozcash" must have some customization to your browsing experience, that maybe you don't even remember doing...

No, on this device literally the only customization I have is the RECAP browser extension. And even RECAP only runs on whitelisted websites.

It’s probably precisely because his browser is not customized that it’s not easily fingerprintable, because stock Safari has privacy protections and users generally don’t change anything.

I got a very similar result on unmodified iOS Safari, randomized among 380k users and conveying 15.5 bits of information. I only have the Dark Reader extension.

The randomisation features were significantly improved in Safari 26. Is that the version you have?

Could you clarify if that's with or without JS?

I have not disabled JS or made any other configuration changes on this device. Entirely stock Safari and entirely stock MacOS.

That's not really believable. I'm starting to think this website isn't very reliable.

No, it's believable. All this website is communicating to us that most MacOS Safari installs look the same.

It's not "install" that matter here. If two people have the same "install" but their browser windows have different sizes, they'll be distinguishable. Or any perperty that can be queried via JS.

Let me rephrase it: you believe it, I don't believe.

Browser window size and timezone are basically the only identifying details the page gets besides the fact that I use Safari on MacOS

For window size only 1 in 380326.0 browsers has this value.

For example, what does the section "time zone" and "time zone offset" read for you? You have JS on, so what did JS return on that point?

I'm downloading safari right now.

EDIT: just saw I need to download playonlinux or wine. Forget about it.

It gets my correct timezone.

> For window size only 1 in 380326.0 browsers has this value.

Sorry, who concluded that this is fingerprintin resistant? Does the website tell you that, or was this your conclusion? Because my reading is with a number that small, you're almost uniquely identifiable. Is it possible you're misunderstanding what the report is showing?

Would you be assed to continue this conversation elsewhere? I'd like to get to the bottom of this?

That's the website output.

Those two values are the only ones returned by the browser which are useful for fingerprinting beyond "stock safari". Window size being the biggest part of that, but window size tends to change fairly regularly.

Tor Browser tries to widen the fingerprint buckets you can get put into by eg rounding off canvas sizes. The widest bucket and unavoidable is “Tor (browser) user”.

Visiting this site with a freshly installed, stock Tor browser (therefore with JS enabled, no settings changed from defaults) on Debian stable gives me:

"Our tests indicate that you have strong protection against Web tracking."

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 301.9 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 8.24 bits of identifying information."

Interestingly, increasing the Tor Browser Security level from Safe to Safer actually increased the bits of identifying information and reduced the anonymity:

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 832.32 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 9.7 bits of identifying information."

And at the Safest Security level (i.e. with JS diabled) the identifying bits and anonymization appear to be at their best:

"Within our dataset of several hundred thousand visitors tested in the past 45 days, only one in 261.41 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 8.03 bits of identifying information."

I'm also on Debian 13 stable, that's definitely not what I get with JS. Weird.

Tor without JS is still subject to some degree of fingerprinting through CSS (media queries, caching) and tracking methods through mouse (without JS).

> and tracking methods through mouse (without JS).

How?

Hovering can trigger network request

You can even track people by favicon which bypasses incognito mode. Another part is hiding font urls in css with more tracking...

Was incognito mode ever meant to prevent tracking? I thought it was for porn, I mean buying surprise presents on a shared computer.

You're correct, incognito mode never has been for privacy protection from websites, ISPs, etc.

it's commonly used for checking how sites look when not logged in, without logging out, or logging in as another user temporarily.

While this was possible in the past, I believe it got patched and is impossible today.

Interesting, Chrome failed but Firefox and Brave "have strong protection against Web tracking."

In iOS embedded WebView: “strong protection against Web tracking”, and a fingerprint of ~20 bits.

A basic Brave install: "strong protection against Web tracking" / 18.58 bits