Hi, I did my thesis on browser fingerprinting. Most algorithms that build profiles and look for combinations of features that are unique. The best way to hide your fingerprint is to be as similar to everyone as possible.
So that means use as much of the standards as possible that comes with the OS. Do not use anything that would not be considered mainstream (e.g. don't be the only person from Guatemala on Opera, Linux, DVORAK Keyboard using an odd screen resolution.)
The absolute hardest thing to create a browser fingerprint on is corporate laptops as they have identical setups!
Does changing things often also help? Like, if there was a way to set things up so the browser would randomly change (on every request, or maybe every N minutes) bits of your user-agent, font list, screen resolution, etc., would that make it harder for sites to track you?
The rate of change is of course an important factor, but some things like the order of how you installed fonts (which depends on the order you installed the software that fonts came with) or the plugins you have installed in your browser are still going to be constant.
What we saw was that people tried to spoof their UA only made it more unique. (E.g. your UA says Internet Explorer but you have Chrome specific plugins). Or even worse if you have a completely unique User Agent.
As long as you're spoofing your fingerprint info (you can randomly change things like fonts, video cards, battery life, plugins etc) it doesn't matter how unique you are because every time you visit the site you'll be unique just like everyone else who is either a first time visitor or does the same. That seems way more effective than trying to hide in a "crowd" when even the smallest consistent deviation in an ever growing and changing list of potential flags will get you tracked 100% of the time.
Couldn't the frequency of profile information itself be considered a uniquely identifying attribute? Couple that with something that's harder to change on every request (such as IP address) and I imagine you can confidently build a profile out of that.
frequency of changes could be an issue in cases where connections are continuous, but for most browsing it shouldn't be a huge problem. Your information will have changed multiple times between requests. The IP problem is larger, but can be mitigated by the use of VPN, TOR, or shared connections (school, workplace, public wifi etc). I think the real takeaway is that there is no perfect solution, only means which make the work of people attempting traffic correlation more difficult. For services you're already logged into (facebook, steam, reddit, insta, youtube, HN) the battle is already lost. Blocking trackers and ads helps prevent 3rd parties from building a profile of your actions across the web, but all we can ever hope to do is make the record less complete. We're all vulnerable. Now that ISPs are able to decrypt much of our traffic and sell our entire browsing histories alongside our names it's not something I see being solved anytime soon.
Is there anything a user could do to switch a common "corporate laptop" profile, either manually (set this resolution, these fonts, etc) or via an extension.
I know about Privacy Badger and they provide some protection but not from all fingerprinting. Their statement about is:
Privacy Badger can detect canvas based fingerprinting, and will block third party domains that use it. Detection of other forms of fingerprinting and protections against first-party fingerprinting are ongoing projects.
Tor Browser is trying to do something like this, even going so far to restrict viewport resolutions to some common multiple, leaving you with black bars for the remaining space.
How did you validate this research? It is not like companies that do profiling do that in the open, in verifiable manner.
Also, weird you mention dvorak. I know this is just a hyperbole for the joke of being an easy to identify linux hacker... but keymap is the one thing you can't use for fingerprinting... well, you are able to use the language (by detecting typed in keycodes and matching against a mimum denominator of keymaps) but not the keymap itself (e.g. no way to see qwerty-US vs dvorak-US, but easy to detect -US vs -DE for example)
I don't think it matters, roughly half of browsers have it on and half have it off. The most important thing is to not change it from its default since thats the real marker trackers can use.
DNT was an entirely pointless idea. Given the easy choice, no one wants to be tracked when not being tracked is an option so browsers rightfully started making it the default since its what everyone wants. But no tracker is going to think, gee, no one wants me to track, guess I'll shut down my business so they ignore the marker or use it as another tracking point.
So that means use as much of the standards as possible that comes with the OS. Do not use anything that would not be considered mainstream (e.g. don't be the only person from Guatemala on Opera, Linux, DVORAK Keyboard using an odd screen resolution.)
The absolute hardest thing to create a browser fingerprint on is corporate laptops as they have identical setups!