In that case you’re best off using either random readouts, or the most common readouts.
Fingerprinting is a really tricky one to deal with. Thankfully you’d pretty much always have plausible deniability if someone could only track you down via fingerprinting. I don’t think it’d be nearly definitive enough to hold any water in court or something of that nature. Tracking via fingerprinting is a method that requires making a lot of assumptions.
There’s plenty of tools that can be used to spoof or block your fingerprints and user-agent. I’m also aware of tools that allow you to change your readouts system-side - beyond the browser and in the OS.
But ultimately the effectiveness of it all is arguable. I think it’d be really difficult to trick the FBI & NSA if they were legitimately after you. For example, I use Mullvad VPN, they could identify that I connected via a Mullvad IP and correlate that with my fingerprint, then start making a suspect out of anyone that connects over Mullvad that has even a similar fingerprint, or speech/wording patterns, etc.
When I want to track someone for real, there’s five main things I look out for:
- IP Address Patterns (they may come from the same IP range, general region, or VPN/proxy service).
- Fingerprint / User-Agent Patterns (similar readouts. Seemingly random or blank readouts can ALSO be used as a correlation, and completely blocked readouts most certainly can be).
- Patterns in the user’s choice of usernames.
- Patterns in the user’s choice of info (sex, age, location, etc).
- Patterns in the user’s overall speech and personality. (EG: How they talk. What words they tend to choose to use over others. How they structure their sentences and paragraphs. How they deal with grammar. Common spelling mistakes they make. What their interests are. Etc).
I think it’s REALLY hard to mix it all up enough to skirt someone who’s a serious professional who’s determined to catch you. I think you’d have to use multiple VPN services, change your fingerprint to specific common readouts often (and never change it in the middle of a session), and be very careful to not sound like the same person either - essentially editing your entire personality and putting on a new face.
I figure Tor can help a lot with the IP end of things, but we all know it comes with its own concerns.
In the end since I’m not a criminal or anything, I pretty much just go to the reasonable extent to protect my security/privacy. Meaning just using a VPN so that my ISP or any wiretappers can’t see my naked traffic, and my passwords are safe etc. I figure if you were running from globally-influential three-letter agencies, boy, you’re in for a headache.
Ultimately, it’s incredibly difficult to keep yourself from being identified at least loosely on the internet (they’ll at least know that you’re the same person, even though they won’t necessarily know your real name and info unless you were careless and leaked it). However it’s relatively easy to keep yourself from getting hacked, which is actually a different topic altogether. Anonymity is harder than security nowadays it seems.
In the end I’m not terribly sure what the actual best way to deal with fingerprinting is. That’s a tricky one. I think you might have reasonable arguments between people who say “Use the most common readout possible” and others who would say “Randomize the readout” or “Blank readouts” or “Block the readout”.
It’d be nice if we could get some kind of movement going where everyone on the internet agreed to just use the same fingerprint readout. It wouldn’t be useful anymore in that case, since everyone would be the same! But lmao, good luck with getting that to happen right?
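Added example, not part of the original post: a small Python calculation of how much each readout strategy discussed above (most common, blank, random) narrows a visitor down, measured as anonymity set size and surprisal in bits. The visitor counts, attribute values and function names are constructed for illustration.

```python
import math
import secrets
from collections import Counter

# Constructed sample: how many other visitors a site saw with each readout
# (user agent, timezone, screen size). All values are made up for illustration.
OTHERS = Counter({
    ("Chrome/Windows", "UTC-5", "1920x1080"): 4000,
    ("Chrome/Windows", "UTC+1", "1920x1080"): 2500,
    ("Safari/macOS", "UTC-8", "2560x1600"): 1500,
    ("Firefox/Windows", "UTC+0", "1920x1080"): 1000,
    ("Firefox/Linux", "UTC+1", "1366x768"): 900,
    ("", "", ""): 59,  # visitors who blank every readout
    ("Chrome/Android", "UTC+5:30", "412x915"): 40,
})

def anonymity_set(readout, others=OTHERS):
    """Visitors presenting this exact readout, counting yourself."""
    return others[readout] + 1

def surprisal_bits(readout, others=OTHERS):
    """Identifying information in the readout: -log2 of its share of visitors."""
    total = sum(others.values()) + 1  # everyone else plus you
    return -math.log2(anonymity_set(readout, others) / total)

def most_common_readout(others=OTHERS):
    """The readout shared by the largest group of visitors."""
    return others.most_common(1)[0][0]

def random_readout():
    """A randomized readout: values nobody else is likely to present."""
    return tuple(secrets.token_hex(4) for _ in range(3))

def compare_strategies(others=OTHERS):
    """Return {strategy: (anonymity set size, surprisal in bits)}."""
    readouts = {
        "most common": most_common_readout(others),
        "blank": ("", "", ""),
        "random": random_readout(),
    }
    return {name: (anonymity_set(r, others), round(surprisal_bits(r, others), 2))
            for name, r in readouts.items()}

if __name__ == "__main__":
    for name, (size, bits) in compare_strategies().items():
        print(f"{name:12} anonymity set = {size:5}  surprisal = {bits:5.2f} bits")
```

In this constructed sample the random readout is unique within a single visit and the blank readout still places the visitor in a small group, while the most common readout hides them among thousands.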