[1vuio0pswjnm7]

Regarding "redirect tracking" why not just disable (HTTP) redirects? Is that possible in Firefox?

Out of curiousity, what is the "threat model" when using Panopticlick? Is it suited for users that just want to avoid tracking for commercial purposes? If the user does not enable Javascript, what good is that user to such trackers? How much commercial tracking is conducted without any use of Javascript (and without cookies)?

[danShumway]

I'm not sure I'd use the word "threat model". I don't think Panopticlick is making the world more dangerous. What I'm getting at is that just because Panopticlick says it can't fingerprint you, that doesn't necessarily you can't be fingerprinted anywhere, because the audience using Panopticlick is different than the audience visiting many other sites.

So something like disabling Javascript might mean that that you blend in on Panopticlick because a lot of users disable Javascript. But on a small news site or ring of nontechnical blogs, it might help narrow you down because very few people disable Javascript.

The other thing I want to get at is that privacy isn't just about fingerprinting, it's also about the effects of being tracked, and what specific information that you're leaking. So what you bring up -- that not having Javascript makes a user less useful to an ad network -- is true. Not having Javascript makes it harder to show you flashy ads or to guarantee that you're looking at them. It makes it harder (but not impossible) to set up persistent tracking that works over longer periods of time and across multiple devices. It also makes it harder to detect and circumvent adblockers.

Disabling Javascript doesn't address threat models like using your location to change the content that you get served, or sticking information into cookies, or doing some screwy things with image caches.

But that's... sorry, it's just a kind of complicated question. I'm not sure I can give a short, concise answer about how good you should feel about a low Panopticlick score, I think that's dependent on what sites you visit and what kinds of tracking you're trying to prevent, and what other measures you're taking. It's just a very broad topic.

> why not just disable (HTTP) redirects?

Unfortunately that would break a lot of sites, so it's not feasible as a default setting in the base browser. That being said, I believe that what you're looking for is `network.http.prompt-temp-redirect` inside `about:config` if you want to disable it for yourself.

I'm not sure I'd advise it, and I suspect that it's a kind of superfluous setting if you're already invested heavily into other privacy settings, but maybe there's some benefit. I haven't played with that setting to know for certain whether or not there would be non-obvious downsides or caveats.

[1vuio0pswjnm7]

Of course the user can choose software that sends no cookies or she can remove cookies from headers with a proxy if the user-agent itself (e.g., "modern" browser) cannot be controlled adequately.

There is some relief for the location issue. It is not too difficult to discover alternate geolocated IP addresses for websites that choose to employ such strategies. Further, proxies, even just Tor with a proper config file, can give the user a specific geolocation of the user's choosing.

Do users choose different user-agents for different web usage? On smartphones we routinely see users choosing a variety different applications for different purposes, e.g., an online shopping app versus a news reading app. For example, if the user is engaged in online shopping, then she almost certainly will need to enable Javascript and cookies. However, if the user is reading^1 news on small news websites or nontechnical blogs (to use your examples) then IME neither Javascript nor cookies are required. Using the same application (the same "modern" browser) for both purposes, and with Javascript and cookies enabled, is, IME, from a technical standpoint, unnecessary. The text of the articles can be retrieved and read with much simpler software; none of this software needs Javascript nor cookies to perform its respective task.

1. The situation changes if the user is "viewing" news (photojournalism) or "watching" news (autoplaying videos). IME, neither Javascript nor cookies are required, however short of the user writing custom Javascript to process page contents, employing some software, e.g., standard UNIX utilities, other than a modern browser, to extract the image or video URLs, is sometimes necessary.

[danShumway]

> Using the same application (the same "modern" browser) for both purposes, [...is...] unnecessary. The text of the articles can be retrieved and read with much simpler software;

Well, to push this a step farther, the great thing about extensions like uMatrix are that you can turn off Javascript+Cookies on a site-specific basis. So I know people who would feel like it was too cumbersome to juggle two browsers at the same time, but who don't have the same aversions to saying, "oh sure, I could turn Javascript and cookies off by default, but turn them on for this one specific video/shopping site."

> There is some relief for the location issue.

Definitely. I didn't want to go too in depth here, but this one of the things I'm getting at when I say Panopticlick shouldn't be the only thing people look at. Panopticlick doesn't even consider geolocation around IP addresses at all, so there's an entire vector there where Panopticlick won't tell you whether or not you're vulnerable.

There's a world of considerations here that are just hard to fit into a single comment.

> employing some software, e.g., standard UNIX utilities, other than a modern browser, to extract the image or video URLs, is sometimes necessary.

cough youtube-dl cough

If you're a user who's comfortable with the terminal, this can be a game changer even ignoring the privacy aspect. I see people all the time on HN complain about bookmarking a video and having it disappear later. Not a problem if you download them.

If you want to go even farther and you're comfortable with Bash scripting, youtube-dl even has options around managing playlists, so you can kind of "subscribe" to ongoing playlists/channels and treat them like podcast RSS feeds.

But with that I'm straying off topic.