How PrivacyTestLab Actually Calculates Your Fingerprint Score
Most privacy tools show you a "uniqueness score" and ask you to trust it. We publish the math, the assumptions, and the code — so you don't have to.
Two ways to calculate a "uniqueness score"
| Black-box approach | PrivacyTestLab's approach |
|---|---|
| A score is shown with no explanation of how it was derived. | Every score is calculated using published Shannon entropy math, shown in full below. |
| Signal weighting is proprietary and can't be verified. | Signal weights are published in an open-source repository anyone can audit. |
| "Uniqueness" is often just a hardcoded point system labeled as a percentage. | Uniqueness is measured in bits of entropy, the standard unit used in information theory and academic fingerprinting research. |
| Assumptions and limitations are not disclosed. | Known limitations — including which weights are still estimates — are documented publicly and updated on record. |
What "bits of entropy" actually means
Imagine your screen resolution is shared by 1 in 8 people online. On its own, that fact barely narrows you down. Now add your list of installed fonts — maybe 1 in 40 people share that exact list. Then your GPU model, your timezone, your CPU thread count. None of these facts is identifying by itself. But combine enough of them, and the combination usually is — often unique among billions of browsers. That combination effect is exactly what Shannon entropy measures: not "is this one fact rare," but "how much does this fact narrow down who you could be, added on top of everything else we already know."
Where P is the probability of that exact value occurring in a reference
population. Rarer values → lower probability → more bits → more identifying.
Total entropy across signals (assuming independence — see Limitations below).
What each signal contributes, and why
| Signal | Typical entropy | Why | Source |
|---|---|---|---|
| Canvas fingerprint | ~15.5 bits (present) / ~1.0 bit (blocked) | GPU + driver + OS + browser rendering stack combine into an effectively continuous hash space | signal-weights.json#L10 |
| WebGL renderer | 4.2 bits (common GPU) / 9.8 bits (uncommon GPU) | Common renderer strings (Intel/NVIDIA/AMD via ANGLE) are shared by many users; less common ones narrow the pool sharply | signal-weights.json#L17 |
| Installed fonts | 1.5–11.0 bits (scales with count detected) | More detected fonts = more specific software/OS install history | signal-weights.json#L31 |
| Audio context fingerprint | 5.4 bits (present) / 0.3 bits (unavailable) | Audio stack processing has small, consistent hardware-level variance | signal-weights.json#L42 |
| Screen resolution | 2.1 bits (common) / 6.5 bits (uncommon) | Standard resolutions (1920×1080, etc.) are shared by a large population | signal-weights.json#L48 |
| CPU thread count | 1.0–6.0 bits (scales with count) | Higher thread counts are progressively less common | signal-weights.json#L58 |
| Platform | 0.2–1.8 bits | Known specific platform strings (Win32, MacIntel, etc.) narrow more than an unknown/blocked value | signal-weights.json#L68 |
| Language | 1.2–3.5 bits | Common locales (en-US, etc.) contribute less than rare ones | signal-weights.json#L74 |
| Color depth | 0.4–2.0 bits | 24/32-bit is near-universal; other depths are rare | signal-weights.json#L80 |
| Device pixel ratio | 0.7–3.1 bits | 1x/2x are common; fractional ratios (1.25x, 1.5x) are less so | signal-weights.json#L86 |
| Timezone | 2.4–5.0 bits | Major population-center timezones contribute less than rare ones | signal-weights.json#L92 |
| Browser plugins | 0.5–4.0 bits | Zero plugins (sandboxed Chromium) is now common; higher counts narrow more | signal-weights.json#L98 |
| Device memory | 0.3–2.6 bits | Not-exposed is treated as low-entropy (privacy-preserving); high RAM narrows more | signal-weights.json#L107 |
| Touch support | 0.6–1.4 bits | No-touch is common on desktop; touch support narrows on desktop specifically | signal-weights.json#L116 |
Current limitations, tracked openly
We'd rather tell you exactly where our numbers are strongest and weakest than present a false sense of precision. Three things worth knowing:
- Weights are currently seeded from published academic research, not our own scan data. Sources: Laperdrix et al. (IEEE S&P 2016 / AmIUnique dataset), EFF Panopticlick methodology. As PrivacyTestLab's own scan volume grows, these will be replaced with live, self-computed frequency tables — tracked as an open item in our changelog.
- Signals are treated as statistically independent when summed, which isn't perfectly true (e.g., platform and font list correlate somewhat). This is the same simplification used in EFF's own methodology — a reasonable estimate, not an exact figure.
- Single-signal tools (like our standalone Canvas Fingerprint Test) report raw entropy bits for that one signal, not a 0–100 score — because that scale is calibrated for the full 14-signal combination and would misrepresent what one signal alone can determine.
Every change to this methodology, on record
- Initial public release of
entropy.js,scoring-engine.js, andsignal-weights.json. - Real Shannon entropy calculation (
-log2(probability)) per signal, replacing an earlier internal hardcoded point system (e.g. flat+25for canvas,+15for WebGL) that had no statistical basis. That system is retired and does not appear anywhere in this repo. signal-weights.jsonseeded from published fingerprinting research (Laperdrix et al. 2016 / AmIUnique dataset; EFF Panopticlick methodology). Status: not yet derived from PrivacyTestLab's own scan volume — tracked as an open item below.- Wired into production on:
- Browser Fingerprint Test (full 14-signal combined score)
- Canvas Fingerprint Test (single-signal entropy report)
- Replace seeded/published-research weights with live frequency data once PrivacyTestLab has sufficient scan volume for statistically meaningful per-value frequency tables. Target: revisit at 100k+ scans.
- Model signal correlation (e.g. platform ↔ font list) instead of assuming full independence when summing entropy bits.
- Re-sync individual signal-row exposure badges (set during collection, before scoring completes) to the final
scoringResult.perSignal[key]values, so both are guaranteed to agree at all times instead of only by coincidence.
Frequently asked questions
How does PrivacyTestLab calculate browser fingerprint uniqueness?
PrivacyTestLab uses Shannon entropy — the same mathematical framework used in information theory and academic fingerprinting research — to measure how many bits of identifying information each browser signal contributes, then sums them into a total uniqueness estimate.
What is Shannon entropy in browser fingerprinting?
Shannon entropy measures how rare or common an observed value is within a reference population, expressed in bits. Rarer values contribute more bits, meaning they narrow down who a specific browser could be more effectively.
Is PrivacyTestLab's fingerprinting methodology open source?
Yes. The entropy calculation, signal weighting, and scoring engine are published under the MIT license at github.com/PrivacyTestLab/fingerprint-scoring, and the live site runs this exact code.
How accurate is a browser fingerprint entropy score?
It's an estimate, not an exact measurement — current weights are seeded from published academic datasets rather than PrivacyTestLab's own live telemetry, and signals are summed assuming independence, which is a simplification. Both limitations are documented and tracked publicly.
What data does PrivacyTestLab use to calculate fingerprint scores?
Frequency estimates are currently based on published fingerprinting research (the AmIUnique dataset and EFF Panopticlick methodology), not on data collected from PrivacyTestLab's own visitors.
Why do most browser fingerprints score as "highly unique"?
Research consistently finds that combining more than a dozen browser signals — even individually common ones — usually produces a combination unique among billions of users. This is a property of combinatorics, not a flaw in the scoring method.
Sources
- Laperdrix, P., Rudametkin, W., Baudry, B. "Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints." IEEE Symposium on Security and Privacy, 2016. (amiunique.org)
- Electronic Frontier Foundation. "Cover Your Tracks" (formerly Panopticlick) methodology. (coveryourtracks.eff.org)
See your own score.