Their paper [1] mentions this, and suggests that ~37% of individuals who returned for repeat testing had differing fingerprints (they assessed this via a control cookie, placed by the site). Although this seems high, this was over the entire life of the experiment, with some users returning after weeks or months. Importantly, we can assume that the fingerprint will change incrementally, and remain mostly constant (e.g., upgrade plugin OR install new fonts, but probably not everything at once). Therefore, closely-spaced repeat visits could be algorithmically matched, even if the fingerprint changes. This could be especially effective when including other "unstable" (short term) information, such as IP or geolocation, something the authors did not attempt (because these are generally unstable).

From the paper (page 13):

"We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1-2 hours or more after their first visit, and who now had a divergent fingerprint. Excluding users whose fingerprints changed because they disabled javascript (a common case in response to visiting panopticlick.eff.org, but perhaps not so common in the real world), our heuristic made a correct guess in 65% of cases, an incorrect guess in 0.56% of cases, and no guess in 35% of cases. 99.1% of guesses were correct, while the false positive rate was 0.86%. Our algorithm was clearly very crude, and no doubt could be significantly improved with effort."

[1] https://panopticlick.eff.org/browser-uniqueness.pdf
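
As an added illustration of the incremental-change matching the comment describes (not code from the paper or from Panopticlick): a simplified heuristic that links a changed fingerprint to a stored one only when exactly one attribute differs and its old and new values are still similar. The attribute names, the 0.85 similarity threshold and the sample data are assumptions.

```python
from difflib import SequenceMatcher

FIELDS = ("user_agent", "plugins", "fonts", "timezone", "screen")  # assumed attribute set

def link_fingerprint(new, known, min_ratio=0.85):
    """Return the id of the one stored fingerprint `new` plausibly evolved from, else None."""
    candidates = []
    for fp_id, old in known.items():
        diff = [f for f in FIELDS if old[f] != new[f]]
        if len(diff) != 1:
            continue  # identical, or more than one attribute changed at once
        field = diff[0]
        # An incremental change (version bump, one added font) leaves most of the string intact.
        if SequenceMatcher(None, old[field], new[field]).ratio() >= min_ratio:
            candidates.append(fp_id)
    # Guess only when the match is unambiguous; otherwise make no guess.
    return candidates[0] if len(candidates) == 1 else None

# Constructed sample data, not taken from the paper.
BASE = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100115 Firefox/3.6",
    "plugins": "Flash 10.0 r45; Java 1.6.0_17; QuickTime 7.6.5",
    "fonts": "Arial, Helvetica, Times",
    "timezone": "-60",
    "screen": "1280x800x24",
}
KNOWN = {
    "visitor-a": BASE,
    "visitor-b": dict(BASE, user_agent="Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22",
                      fonts="Calibri, Cambria, Consolas, Segoe UI", screen="1920x1080x32"),
}

def demo():
    upgraded = dict(BASE, plugins="Flash 10.1 r53; Java 1.6.0_17; QuickTime 7.6.5")
    replaced = dict(BASE, fonts="DejaVu Sans, Liberation Mono, Ubuntu")
    two_changes = dict(upgraded, timezone="-120")
    return {
        "plugin upgrade": link_fingerprint(upgraded, KNOWN),
        "fonts replaced": link_fingerprint(replaced, KNOWN),
        "two changes": link_fingerprint(two_changes, KNOWN),
    }

if __name__ == "__main__":
    for case, guess in demo().items():
        print(f"{case}: {guess}")
```

A single plugin upgrade still links back to the stored fingerprint, while a wholesale change or an ambiguous match yields no guess, which is the trade-off between correct guesses and "no guess" that the quoted figures reflect.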