What we will do with this data: ethical use and details of retention.
The fingerprint data collected will be mined for information such as: what browsers are most common, how many browsers are using Tor and what version, and what the most effective fingerprinting techniques are.
We do this as part of ongoing research in the area of browser fingerprinting, as well as to provide statistics (such as those on the statistics page) to clients of the website. A paper(s) may be published in the future that discusses fingerprints collected by this website but such research will not provide user identification, information that could be used to deanonymise Tor clients or tracking data that could be employed to track users based on data collected here.
Data may be shared with other researchers upon their request but under the same conditions as for publication. Additionally it's possible some fingerprint data (such as user-agent string) may be used in fingerprint spoofing software in the future. If cookies are enabled we associate all the fingerprints for a user with those shared by the same cookie; the purpose of this is to prevent resubmission of a fingerprint from being counted and to provide the ability to look at and compare previous fingerprints easily. You may disable cookies if you do not wish this to occur. Fingerprints collected are publicly available on the website, but to view a fingerprint you need to know the designated UUID, which is extremely hard to guess but it is still feasible that anonymised data, as previously indicated, could be read from this site. However, if you don't share your fingerprint it is unlikely to be viewed by anybody except you through the website, although researchers can and will be accessing the fingerprint data as listed above.
Currently the database has not been shared with anybody. We have received no requests from law enforcement for the database or any other data. We will do our best to prevent theft or misuse of collected data, however, such incidents are still possible.
To reiterate: We will not attempt to deanonymise Tor clients nor will we attempt to track users across other websites using data gathered here. That being said as part of the fingerprinting process we embed scripts from other sites that may (or may not, we don't know) include tracking code or collect information used to track you; in particular scripts the scripts we are unsure about are ones to display a Facebook/Twitter/Reddit share button and scripts to display a Google ad.
Thank you for participating in this project. We will place links to any published research here to allow users to confirm that we are following the usage policy.
Information we collect
When a client submits themselves to fingerprinting we collect several pieces of data about them.
We collect the results of all the fingerprint tests. This may include:
- Whether your monitor has high contrast or not.
- The User-Agent header of the HTTP request for the page.
- The Accept header, the Accept-Encoding header, and the Accept-Language header from the HTTP request for the page.
- The language of the client's browser, as detected using Flash.
- The heights and widths of a set of Unicode characters rendered in various styles (e.g. sans-serif).
- Whether cookies are enabled, detected by creating a cookie and then retrieving it.
- Whether HSTS is supported by the browser.
- Whether the browser supports IndexedDB, a database embedded within the browser.
- The value of the DNT (Do Not Track) header from the HTTP request for the page.
- Whether the client is thought to be using Tor or not. Detected by performing a TorDNSEL request.
- What version of the Tor Browser Bundle is being used, if its used.
- Whether ads are blocked by the browser.
- Whether like/share buttons are blocked or modified by the browser.
- An image created by the client's browser using a HTML5 canvas.
- The name of the WebGL vendor of the client's browser; this may be the name of the client's graphics card.
- The name of the WebGL renderer of the client's browser; this may be the name of the client's underlying graphics driver.
- Information about touch screen support by the system.
- The results of AudioContext fingerprinting tests; this does not involve recording audio or collecting sound played by your machine.
The salted hash of IP addresses is collected for most clients. For clients who are using Tor (and hence whose IP address is hidden) we instead store the entire IP address of the exit-node they used.
The date and time that a fingerprint was taken is stored along with the fingerprint.