Skip to main content
Panopticlick
METHODOLOGY
unclassified

Methodology

How we calculate browser fingerprint uniqueness

November 30, 2025

1. Overview

This document describes the technical methodology behind Panopticlick's browser fingerprinting analysis. We use information theory and statistical analysis to measure how unique your browser is compared to others.

2. Fingerprint Collection

We collect fingerprinting signals from multiple sources:

2.1 Canvas Fingerprint

We render text and shapes on an HTML5 canvas element and extract the pixel data. Differences in GPU, drivers, and rendering engines create unique patterns.

// Canvas fingerprint collection
ctx.fillText("Panopticlick", 10, 50);
ctx.arc(100, 100, 50, 0, Math.PI * 2);
const data = canvas.toDataURL();
const hash = sha256(data);

2.2 WebGL Fingerprint

We query WebGL renderer information and render a 3D scene. The combination of GPU vendor, renderer string, and rendering output creates a unique signature.

2.3 Audio Fingerprint

We create an audio oscillator and measure the processed output. Different audio stacks produce subtly different results due to floating-point precision differences.

2.4 Font Enumeration

We test for the presence of ~140 fonts by rendering text and measuring dimensions. The set of installed fonts is highly distinctive.

2.5 Additional Signals

  • Screen: Resolution, color depth, pixel ratio
  • Timezone: IANA timezone, UTC offset
  • Navigator: User agent, platform, languages, hardware concurrency
  • Capabilities: Touch support, WebGL extensions, codec support

3. Entropy Calculation

We use Shannon entropy to measure the information content of each fingerprinting signal.

3.1 Information Theory Basis

Entropy (H) is calculated as:

H = -Σ p(x) × log₂(p(x))

Where p(x) is the probability of observing a particular value.

3.2 Practical Calculation

For each fingerprint component, we calculate entropy based on observed frequencies in our dataset:

// Example: User Agent entropy
// 1000 observations, 200 unique values
// Chrome 120 on Windows: 15% of users
entropy = -0.15 × log2(0.15) = 0.41 bits
// Rare configuration: 0.1% of users
entropy = -0.001 × log2(0.001) = 0.01 bits
// Total entropy is sum of all contributions

3.3 Component Weights

Different components have different entropy ranges:

ComponentTypical EntropyMax Entropy
Canvas12-18 bits~25 bits
WebGL8-14 bits~20 bits
Audio6-12 bits~18 bits
Fonts8-16 bits~22 bits
Screen4-8 bits~12 bits
Navigator6-12 bits~18 bits

4. Uniqueness Score

We express uniqueness as "1 in N" where N = 2^entropy:

  • 20 bits → 1 in 1,048,576 (one million)
  • 30 bits → 1 in 1,073,741,824 (one billion)
  • 40 bits → 1 in 1,099,511,627,776 (one trillion)

Most browsers achieve 25-45 bits of entropy, making them effectively unique among the global browser population.

5. RTB Valuation

We simulate Real-Time Bidding (RTB) auctions to estimate advertising value.

5.1 Persona Detection

Based on fingerprint signals, we infer demographic categories that advertisers target:

  • Hardware: High-end device → affluent user
  • Software: Developer tools → tech professional
  • Behavior: Privacy tools → privacy-conscious
  • Location: US timezone → US market (higher CPMs)

5.2 CPM Calculation

We simulate bids from fictional DSPs with different targeting criteria. CPM rates are based on industry averages:

Finance/Investment: $8-15 CPM
Tech/Enterprise: $6-12 CPM
E-commerce: $3-8 CPM
Gaming: $2-5 CPM
General Display: $1-3 CPM

5.3 Annual Value Estimation

We estimate annual value based on typical browsing patterns:

// Annual value calculation
const avgCPM = 4.50;
const pagesPerDay = 50;
const daysPerYear = 365;
const impressionsPerPage = 3;
annualValue = (avgCPM / 1000)
× pagesPerDay
× daysPerYear
× impressionsPerPage;
// Result: ~$246/year

6. Defense Analysis

We evaluate your browser's privacy protections:

6.1 Scoring Criteria

  • Canvas blocking: +20 points
  • WebGL protection: +15 points
  • Tracker blocking: +15 points
  • Fingerprint randomization: +20 points
  • Ad blocking: +10 points
  • Secure DNS: +10 points
  • WebRTC protection: +10 points

6.2 Tier Classification

  • Fortress (90-100): Maximum protection
  • Hardened (70-89): Strong protection
  • Protected (50-69): Moderate protection
  • Basic (25-49): Minimal protection
  • Exposed (0-24): No protection

7. Limitations

Our methodology has known limitations:

  • Sample bias: Users visiting privacy tools may have different browser configurations than the general population
  • Temporal changes: Fingerprints change over time as browsers update and users install/remove software
  • Client-side only: We cannot verify fingerprints against server-side tracking implementations
  • RTB simulation: Actual advertising prices vary significantly based on context, time, and advertiser demand

8. References

Our methodology is based on academic research:

  • Eckersley, P. (2010). "How Unique Is Your Web Browser?" Proceedings of the Privacy Enhancing Technologies Symposium
  • Laperdrix, P., et al. (2016). "Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints." IEEE Symposium on Security and Privacy
  • Mowery, K. & Shacham, H. (2012). "Pixel Perfect: Fingerprinting Canvas in HTML5." W2SP
  • Englehardt, S. & Narayanan, A. (2016). "Online Tracking: A 1-million-site Measurement and Analysis." ACM CCS

9. Open Source

Our fingerprinting SDK and valuation engine are open source. You can review the code and methodology:

View on GitHub
Peer Reviewed
Research
← Back to Home