
Forgive me if I'm wrong, but it looks like if you could install a system font on a computer then you could create a unique fingerprint for that computer that is detectable by any website?

I am uniquely identifiable out of the 3.7 million samples because of my system fonts.




Also the funny thing is you cannot be tracked by this, because whenever you install a new font, update a plugin, install a plugin etc, you change your unique data.


Their paper [1] mentions this, and suggests that ~37% of individuals who returned for repeat testing had differing fingerprints (they assessed this via a control cookie, placed by the site). Although this seems high, this was over the entire life of the experiment, with some users returning after weeks or months.

Importantly, we can assume that the fingerprint will change incrementally, and remain mostly constant (e.g., upgrade plugin OR install new fonts, but probably not everything at once). Therefore, closely-spaced repeat visits could be algorithmically matched, even if the fingerprint changes. This could be especially effective when including other "unstable" (short term) information, such as IP or geolocation, something the authors did not attempt (because these are generally unstable).

From the paper (page 13):

"We ran our algorithm over the set of users whose cookies indicated that they were returning to the site 1-2 hours or more after their first visit, and who now had a divergent fingerprint. Excluding users whose fingerprints changed because they disabled javascript (a common case in response to visiting panopticlick.eff.org, but perhaps not so common in the real world), our heuristic made a correct guess in 65% of cases, an incorrect guess in 0.56% of cases, and no guess in 35% of cases. 99.1% of guesses were correct, while the false positive rate was 0.86%. Our algorithm was clearly very crude, and no doubt could be significantly improved with effort."

[1] https://panopticlick.eff.org/browser-uniqueness.pdf


I'm not sure how your conclusion follows from your premise. You are still trackable until you install a new font, update a plugin, install a plugin, etc. This may not happen for some time.

Even when you do make a change, you could still easily be tracked in many cases. If I see a new signature that I have never seen before that differs from an existing signature only by the version of a plugin, I can probably safely assume it's the same person, especially if I see that the plugin was updated between the last time I saw the existing signature and now.

I have a feeling that web developers are extra vulnerable to this type of tracking because we tend to install several useful developer extensions, and many of us have our own unique combination of extensions.
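The two points made above, that a value seen once among 3.7 million samples is worth about 21.8 bits, and that a returning browser whose fingerprint differs from a known one in only a single component can be linked to it, as an added Python example (not code from the paper or from anyone in the thread). The population, component names and the "exactly one component differs" rule are constructed simplifications of the crude heuristic the paper describes.

```python
from collections import Counter
from math import log2
from typing import Dict, List, Optional

Fingerprint = Dict[str, str]   # component name -> observed value


def surprisal_bits(value: str, population: List[str]) -> float:
    """Self-information of one component value: -log2(P(value)).
    A value unique among 3.7 million samples carries log2(3.7e6) ~ 21.8 bits."""
    counts = Counter(population)
    return -log2(counts[value] / len(population))


def differing_components(a: Fingerprint, b: Fingerprint) -> List[str]:
    """Names of the components whose values differ between two fingerprints."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))


def link_candidate(new: Fingerprint, seen: List[Fingerprint]) -> Optional[Fingerprint]:
    """Constructed simplification of the linking heuristic discussed in the thread
    (not the paper's algorithm): a returning browser is taken to be an earlier one
    if exactly one component changed and that earlier fingerprint is the only such
    candidate. Zero or several candidates means 'no guess', the paper's third bucket."""
    candidates = [old for old in seen if len(differing_components(new, old)) == 1]
    return candidates[0] if len(candidates) == 1 else None


# Constructed sample population (illustrative values, not Panopticlick data).
POPULATION: List[Fingerprint] = [
    {"ua": "Firefox/3.6", "plugins": "Flash 10.0", "fonts": "Arial;Verdana"},
    {"ua": "Firefox/3.6", "plugins": "Flash 10.0", "fonts": "Arial;Verdana"},
    {"ua": "Firefox/3.6", "plugins": "Flash 10.0", "fonts": "Arial;Verdana"},
    {"ua": "Chrome/5", "plugins": "Flash 10.0;PDF", "fonts": "Arial;Verdana;Ubuntu"},
    {"ua": "Chrome/5", "plugins": "Flash 10.0;PDF", "fonts": "Arial;Verdana;Ubuntu"},
    {"ua": "Firefox/3.6", "plugins": "Flash 10.0;Java", "fonts": "Arial;Verdana"},
    {"ua": "Safari/5", "plugins": "QuickTime", "fonts": "Helvetica"},
    {"ua": "Firefox/3.6", "plugins": "Flash 10.0;Java", "fonts": "Arial;Inconsolata;Verdana"},
]


def demo():
    fonts = [fp["fonts"] for fp in POPULATION]
    rare = surprisal_bits("Arial;Inconsolata;Verdana", fonts)   # unique in 8 -> 3.0 bits
    common = surprisal_bits("Arial;Verdana", fonts)              # half the sample -> 1.0 bit
    # Same browser returns after installing one font: only "fonts" changed, so it is linked.
    returning = {"ua": "Safari/5", "plugins": "QuickTime", "fonts": "Helvetica;Fira"}
    linked = link_candidate(returning, POPULATION)
    # Browser upgraded AND a font installed: two components changed, so no guess is made.
    changed_twice = {"ua": "Safari/6", "plugins": "QuickTime", "fonts": "Helvetica;Fira"}
    unlinked = link_candidate(changed_twice, POPULATION)
    return rare, common, linked, unlinked
```

The useful defensive reading is the "no guess" bucket: a countermeasure that alters one component at a time leaves a return visit linkable, while one that changes several components together, or presents a common rather than rare value, pushes it out of reach of this kind of heuristic.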


> Even when you do make a change . . .

On top of that, if you use a resource that had only previously been used by your previous fingerprint, your identity can probably be smeared that way too. This is only measuring client-side entropy, but there is also server-side entropy that can be used to make inferences about clients.


If I upgrade my browser, which is something that happens quite often, my fingerprint would change.


If the only factor they're ever tracking you with is your fonts, then yes, you're correct.

But what if you have the same IP address, user-agent, and plugins for a week, and midway through the week your font fingerprint changed? Then they just go and tie both fingerprints, or replace the old one with the new one.

In reality this is not going to be a problem for any web service that seriously attempts to track users, and there are multiple such companies that are doing so and don't let this stop them. Usually only one fingerprint will change at a time, which makes it easy for them to account for it.

The only good solution is to prevent them from capturing that information in the first place, and the only way to prevent it is to block Javascript and Flash, which is most easily done with NoScript.


I don't think the majority of those who track you (e.g. retargeting advertisers) would need to track you for more than a month. Unless you are setting up your system or tweaking your IDE, it is very unlikely that you will change your set of fonts within that time.

Also, they aren't particularly picky about keeping you, the trackee, forever uniquely-identifiable.

Consider this: when was the last time you (the non-average) or your grandmother (the average) installed a font?


However, an unusual rare font could easily make someone detectable. It could even be a common font, but a rare variant of it namewise.


That's not exactly true, but there is no public research that shows the contrary. I worked on a research project at INRIA earlier this year that focuses on that topic: http://stopfingerprinting.inria.fr/

AFAIK the project is still active, but no definitive conclusion has been obtained.


Given that now ISPs give you an IP address that doesn't change for months, isn't it much easier to track someone via IP+OS+ScreenSize?


At my office, everyone uses the same model laptop. Thus, everyone has the same IP, OS and screen size.



