Browser Fingerprint Detector

> the bulk of the population an advertiser would actually care about would be the huge middle of the bell curve on Chrome using Windows

The middle of the bell curve in the USA would be an iPhone and there is very little you can customize. So many people have the same model with the same settings that trying to track by fingerprinting is effectively useless.

Yes, PC/Linux users have more to track. They are the minority though. I'm not saying therefore ignore this issue. But grandma is using her phone. Not a PC.

> Firefox sends some dummy data when making use of privacy.resistFingerprinting, and so you should get a unique fingerprint _every time_ you visit a site

This assumes the fingerprinter can't filter out that random data, and that the feature is actually useful. Some of things it does sound like sites might fail or cause problems. Setting timezone to something else seems like I'm going to make a reservation for 7pm only to find out it was 7pm in another timezone. other things it doesn't might not be good for grandma. CSS will report preferred reduced motion as False. CSS will report preferred contrast as No Preference.

Yes, because those randomized results can be detected, and that can be incorporated into your fingerprint. Think of a site that asks you about your birthday. If you put in obviously false answers like "February 31, 1901", a smart implementation could just round those answers off to "lies about birthday" rather than taking them at face value.

>- My understanding is that the primary utility of browser fingerprinting is for advertising / tracking. In other words, the bulk of the population an advertiser would actually care about would be the huge middle of the bell curve on Chrome using Windows, not the privacy nuts on Linux with a custom browser config. In other words, if "blending in with the crowd" really worked I would think that tracking companies would fail against the most important and largest part of the user pool. If anything, it's more important to target grandma as she will actually click on ads and buy stuff online compulsively.

The problem is all this fingerprinting/profiling machinery ends up building a profile on privacy conscious people, even if they're impossible to sell to. That can later be exploited if the data gets leaked, or the government demands it. "I'm not a normie so nobody would want to show ads to me" doesn't address this.

No, you're thinking correctly and the odd discourse that you (and I) see is based on two implicit assumptions:

1) Your threat model is a global observer that notices - and tracks and exploits - your supposed perfect per-request uniqueness.

2) Our browsers do not give us fine grained control over every observable value so if only one variable is randomized per request, that can be discarded and you are still identifiable by (insert collection of resolution and fan speed or mouse jiggle or whatever).

Item (1) I don't care about. I'd prefer per-hit uniqueness to what I have now.

Item (2) is a valid concern and speaks to the blunt and user-hostile tools available to us (browsers, that is) which barely rise to the level of any definition of "user agent" we might imagine.

I repeat: I would much prefer fully randomized per-request variables and I don't care how unique they are relative to other traffic. I care about how unique they are relative to my other requests. Unfortunately, I am wary of browser plug-ins and have no good way to build a trust model with the 12 different plug-ins this behavior would require. This is the fault of firefox and the bad decisions they continue to make.

At the end of the day the object of the exercise is generally less about building a perfect profile of a person and a lot more about getting said person to buy something. We found our system worked very well at figuring out what ads worked on privacy-conscious people and our customers saw a nice ROI from it.

In fact, it turns out pro-privacy technically skilled people cluster nicely and it's entirely possible to sell them stuff, and their attempts to be less 'profileable' than normal actually helped our mission (which was advertising, an endeavor that in my experience doesn't GAF about violating a given person's privacy in the way the pro-privacy crowd often thinks it does).

Take from that what you will.

Creepjs actually tries to detect what your browser is lying about and takes that into consideration (or not) based on its heuristics.

I'm still not aware of any FOSS browser (with JS actually enabled and functioning) that can produce a random fingerprint ID on every refresh of the creepjs test site.

But please prove me wrong.

First, you'd have to define how one can determine what an abusive service is. Is Facebook an abusive service? Is some random website that happens to use FB's SDK an abusive service? How does a normie internet user find out the site they are using has abusive code? Some plugin/extension that has a moderated list that prevents a page from loading and instead loads a page dedicated to explain how that specific site is abusive?

It is not checking how unique you are based off of some data-set it has.

This site also has plenty other such "issues"/"bugs" feels like it was quickly vibe-coded without much care.

at this point browser fingerprinting is a feature, not a bug

[0]: https://brave.com

https://github.com/abrahamjuliot/creepjs

https://github.com/thumbmarkjs/thumbmarkjs