You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.