Is it possible to defend against browser fingerprinting?
Browser fingerprinting is quite a powerful method of tracking users around the Internet. There are some defensive measures that can be taken with existing browsers, but none of them are ideal.
Try to use a "non-rare" browser
The most obvious way to try to prevent browser fingerprinting is to pick a "standard", "common" browser. It turns out that this is surprisingly hard to do. It appears that the most likely candidate would be the latest version of Firefox running on a modern Windows version. But even so, many of those Firefox-on-Windows browsers can be distinguished from one another by the enormous range of plugin versions and fonts that can be installed with them.
Pending the results of the Panopticlick experiment, the only browsers which we believe really meet the conflicting criteria of being common but not accompanied by high-entropy plugin and font configurations are the browsers in smartphones. This is not intuitive, since these browsers tend to be less common than desktop browsers. But, importantly, there are few other variables beyond the user agent. Current versions of the iPhone, Android, and Blackberries do not vary much with respect to plugins, installed fonts, or screen size. This situation may well change in the future, but until it does, most of these devices are far less fingerprintable than any sort of desktop PC.
A Better Solution: Browsers' "Private Browsing" Modes
There is a lot that browser and plugin developers could do to protect their users against fingerprint tracking. In general, it might not be a good engineering decision to remove all of the version-number entropy from browsers, since knowing the precise version of Flash, QuickTime, or whatever, is occasionally useful for debugging.
One solution would be to add a "debugging" mode to browsers, and to round version numbers off when the browser is not in debugging mode. Another solution would be to improve the "private browsing" modes that are already present in most modern browsers, so that when the mode is active, User Agent, navigator.plugins and font lists take on standardized values (or, perhaps, normalized values).
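The effect of rounding version numbers off, as an added example that is not part of the original article: the script measures how much identifying information a population of browser fingerprints carries before and after rounding. The eight sample fingerprints are constructed, and the function names are assumptions made for illustration.

```javascript
// Constructed sample: values eight hypothetical browsers might report.
const population = [
  { ua: "Firefox/3.6.3",  plugins: ["Flash 10.0.45.2", "QuickTime 7.6.5"] },
  { ua: "Firefox/3.6.3",  plugins: ["Flash 10.0.42.34", "QuickTime 7.6.5"] },
  { ua: "Firefox/3.6.2",  plugins: ["Flash 10.0.45.2", "QuickTime 7.6.4"] },
  { ua: "Firefox/3.5.9",  plugins: ["Flash 10.0.32.18", "QuickTime 7.6.2"] },
  { ua: "Firefox/3.6.3",  plugins: ["Flash 9.0.262.0", "QuickTime 7.6.5"] },
  { ua: "Firefox/3.6.0",  plugins: ["Flash 10.0.45.2"] },
  { ua: "Firefox/3.0.19", plugins: ["Flash 10.0.45.2", "QuickTime 7.5.5"] },
  { ua: "Firefox/3.6.3",  plugins: ["Flash 10.0.45.2", "QuickTime 7.6.5"] },
];

// Round "10.0.45.2" to "10": keep only the major version component.
function roundVersions(s) {
  return s.replace(/(\d+)(?:\.\d+)+/g, "$1");
}

// What a site would see outside "debugging" mode: rounded versions, sorted plugin list.
function normalize(fp) {
  return { ua: roundVersions(fp.ua), plugins: fp.plugins.map(roundVersions).sort() };
}

// Group browsers by identical fingerprint; returns Map(fingerprint -> count).
function anonymitySets(pop) {
  const sets = new Map();
  for (const fp of pop) {
    const key = JSON.stringify([fp.ua, fp.plugins]);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy, in bits, of the fingerprint distribution.
function entropyBits(pop) {
  let h = 0;
  for (const n of anonymitySets(pop).values()) h -= (n / pop.length) * Math.log2(n / pop.length);
  return h;
}

// Number of browsers that are alone in their anonymity set (uniquely trackable).
function uniqueCount(pop) {
  return [...anonymitySets(pop).values()].filter((n) => n === 1).length;
}

const rounded = population.map(normalize);
for (const [name, pop] of [["raw", population], ["rounded", rounded]])
  console.log(name, entropyBits(pop).toFixed(2), "bits,", uniqueCount(pop), "unique");
```

In this sample the missing QuickTime plugin and the Flash 9 major version still single out two browsers after rounding, which is why the article also suggests standardized values for the whole plugin list.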