Open source · MIT licensed · Every score on this site traces back to the code below 0

How PrivacyTestLab Actually Calculates Your Fingerprint Score

Most privacy tools show you a "uniqueness score" and ask you to trust it. We publish the math, the assumptions, and the code — so you don't have to.

Two ways to calculate a "uniqueness score"

Black-box approach PrivacyTestLab's approach
A score is shown with no explanation of how it was derived. Every score is calculated using published Shannon entropy math, shown in full below.
Signal weighting is proprietary and can't be verified. Signal weights are published in an open-source repository anyone can audit.
"Uniqueness" is often just a hardcoded point system labeled as a percentage. Uniqueness is measured in bits of entropy, the standard unit used in information theory and academic fingerprinting research.
Assumptions and limitations are not disclosed. Known limitations — including which weights are still estimates — are documented publicly and updated on record.

What "bits of entropy" actually means

Imagine your screen resolution is shared by 1 in 8 people online. On its own, that fact barely narrows you down. Now add your list of installed fonts — maybe 1 in 40 people share that exact list. Then your GPU model, your timezone, your CPU thread count. None of these facts is identifying by itself. But combine enough of them, and the combination usually is — often unique among billions of browsers. That combination effect is exactly what Shannon entropy measures: not "is this one fact rare," but "how much does this fact narrow down who you could be, added on top of everything else we already know."

bits = -log2(P(observed value))

Where P is the probability of that exact value occurring in a reference population. Rarer values → lower probability → more bits → more identifying.

total_bits = Σ bits(signal_i)

Total entropy across signals (assuming independence — see Limitations below).

A total around 33 bits means your fingerprint is expected to be unique even among roughly 8.6 billion browsers (2³³), which exceeds current global internet users — so scores commonly saturate at the top of our 0–100 scale. This isn't a design flaw; independent academic research (AmIUnique, EFF Panopticlick) finds the large majority of real browsers are uniquely fingerprintable through this exact combination-of-signals effect.

What each signal contributes, and why

These values are current as of 2026-07-02. Full version history: CHANGELOG →
Signal Typical entropy Why Source
Canvas fingerprint ~15.5 bits (present) / ~1.0 bit (blocked) GPU + driver + OS + browser rendering stack combine into an effectively continuous hash space signal-weights.json#L10
WebGL renderer 4.2 bits (common GPU) / 9.8 bits (uncommon GPU) Common renderer strings (Intel/NVIDIA/AMD via ANGLE) are shared by many users; less common ones narrow the pool sharply signal-weights.json#L17
Installed fonts 1.5–11.0 bits (scales with count detected) More detected fonts = more specific software/OS install history signal-weights.json#L31
Audio context fingerprint 5.4 bits (present) / 0.3 bits (unavailable) Audio stack processing has small, consistent hardware-level variance signal-weights.json#L42
Screen resolution 2.1 bits (common) / 6.5 bits (uncommon) Standard resolutions (1920×1080, etc.) are shared by a large population signal-weights.json#L48
CPU thread count 1.0–6.0 bits (scales with count) Higher thread counts are progressively less common signal-weights.json#L58
Platform 0.2–1.8 bits Known specific platform strings (Win32, MacIntel, etc.) narrow more than an unknown/blocked value signal-weights.json#L68
Language 1.2–3.5 bits Common locales (en-US, etc.) contribute less than rare ones signal-weights.json#L74
Color depth 0.4–2.0 bits 24/32-bit is near-universal; other depths are rare signal-weights.json#L80
Device pixel ratio 0.7–3.1 bits 1x/2x are common; fractional ratios (1.25x, 1.5x) are less so signal-weights.json#L86
Timezone 2.4–5.0 bits Major population-center timezones contribute less than rare ones signal-weights.json#L92
Browser plugins 0.5–4.0 bits Zero plugins (sandboxed Chromium) is now common; higher counts narrow more signal-weights.json#L98
Device memory 0.3–2.6 bits Not-exposed is treated as low-entropy (privacy-preserving); high RAM narrows more signal-weights.json#L107
Touch support 0.6–1.4 bits No-touch is common on desktop; touch support narrows on desktop specifically signal-weights.json#L116

Current limitations, tracked openly

We'd rather tell you exactly where our numbers are strongest and weakest than present a false sense of precision. Three things worth knowing:

  • Weights are currently seeded from published academic research, not our own scan data. Sources: Laperdrix et al. (IEEE S&P 2016 / AmIUnique dataset), EFF Panopticlick methodology. As PrivacyTestLab's own scan volume grows, these will be replaced with live, self-computed frequency tables — tracked as an open item in our changelog.
  • Signals are treated as statistically independent when summed, which isn't perfectly true (e.g., platform and font list correlate somewhat). This is the same simplification used in EFF's own methodology — a reasonable estimate, not an exact figure.
  • Single-signal tools (like our standalone Canvas Fingerprint Test) report raw entropy bits for that one signal, not a 0–100 score — because that scale is calibrated for the full 14-signal combination and would misrepresent what one signal alone can determine.

Every change to this methodology, on record

v0.1.0 2026-07-02
Added
  • Initial public release of entropy.js, scoring-engine.js, and signal-weights.json.
  • Real Shannon entropy calculation (-log2(probability)) per signal, replacing an earlier internal hardcoded point system (e.g. flat +25 for canvas, +15 for WebGL) that had no statistical basis. That system is retired and does not appear anywhere in this repo.
  • signal-weights.json seeded from published fingerprinting research (Laperdrix et al. 2016 / AmIUnique dataset; EFF Panopticlick methodology). Status: not yet derived from PrivacyTestLab's own scan volume — tracked as an open item below.
  • Wired into production on:
  • Browser Fingerprint Test (full 14-signal combined score)
  • Canvas Fingerprint Test (single-signal entropy report)
Known open items (tracked, not hidden)
  • Replace seeded/published-research weights with live frequency data once PrivacyTestLab has sufficient scan volume for statistically meaningful per-value frequency tables. Target: revisit at 100k+ scans.
  • Model signal correlation (e.g. platform ↔ font list) instead of assuming full independence when summing entropy bits.
  • Re-sync individual signal-row exposure badges (set during collection, before scoring completes) to the final scoringResult.perSignal[key] values, so both are guaranteed to agree at all times instead of only by coincidence.
privacytestlab/fingerprint-scoring
Open-source Shannon entropy scoring engine for browser fingerprinting.
MIT License · 0 stars
View on GitHub

Frequently asked questions

How does PrivacyTestLab calculate browser fingerprint uniqueness?

PrivacyTestLab uses Shannon entropy — the same mathematical framework used in information theory and academic fingerprinting research — to measure how many bits of identifying information each browser signal contributes, then sums them into a total uniqueness estimate.

What is Shannon entropy in browser fingerprinting?

Shannon entropy measures how rare or common an observed value is within a reference population, expressed in bits. Rarer values contribute more bits, meaning they narrow down who a specific browser could be more effectively.

Is PrivacyTestLab's fingerprinting methodology open source?

Yes. The entropy calculation, signal weighting, and scoring engine are published under the MIT license at github.com/PrivacyTestLab/fingerprint-scoring, and the live site runs this exact code.

How accurate is a browser fingerprint entropy score?

It's an estimate, not an exact measurement — current weights are seeded from published academic datasets rather than PrivacyTestLab's own live telemetry, and signals are summed assuming independence, which is a simplification. Both limitations are documented and tracked publicly.

What data does PrivacyTestLab use to calculate fingerprint scores?

Frequency estimates are currently based on published fingerprinting research (the AmIUnique dataset and EFF Panopticlick methodology), not on data collected from PrivacyTestLab's own visitors.

Why do most browser fingerprints score as "highly unique"?

Research consistently finds that combining more than a dozen browser signals — even individually common ones — usually produces a combination unique among billions of users. This is a property of combinatorics, not a flaw in the scoring method.

Sources

  • Laperdrix, P., Rudametkin, W., Baudry, B. "Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints." IEEE Symposium on Security and Privacy, 2016. (amiunique.org)
  • Electronic Frontier Foundation. "Cover Your Tracks" (formerly Panopticlick) methodology. (coveryourtracks.eff.org)