Web fingerprinting is worse than I thought (2023)

246 points by xrayarx | 198 comments | 7/24/2025, 12:28:31 PM | bitestring.com

Comments (198)

matthewdgreen · 18h ago
This isn't exactly browser fingerprinting (though it may involve browser fingerprinting.) But the biggest open question I have right now is: what is Meta doing to get around Apple's iOS privacy protections?

A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates they were successful. But if this is true, nobody has written much about it.

gherkinnn · 18h ago
https://news.ycombinator.com/item?id=44169115

They found sneaky ways on Android. There is no way they aren't trying to do so on iOS. One must always assume malice with anything Meta.

dietr1ch · 16h ago
It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.

Also, WhatsApp refuses to be usable without giving it Contacts access. I had to use the app, login to the web client, and then I was finally able to type a phone number to start a new chat.

I ended up uninstalling it, but there are plenty of people AND businesses that nowadays mainly or even only use WhatsApp, so it's painful to be on the privacy-first side.

homebrewer · 15h ago
If you're on Android, it's an Android API feature, it has nothing to do with WhatsApp and is used by lots of other applications.

https://developers.google.com/identity/sms-retriever/overvie...

dietr1ch · 15h ago
That's nice for the careless user, but without any system request or notification it's impossible for the user to tell whether the app used a workaround or the system just cooperated.

1vuio0pswjnm7 · 3h ago
In testing I did, it is possible to run WhatsApp on Android without access to "Contacts"

For example,

1. Export contacts from the Contact app to a file if it is not a new phone

2. Disable Contacts app

3. Install a different contact database such as OpenContacts from F-Droid or Github

4. Import contacts from the file into OpenContacts

WhatsApp will not import the contacts in the OpenContacts database

Further, no other app will import these contacts either

This solves the "access to contacts" issue

ornornor · 13h ago
On iOS this is an OS facility and works for all apps (also for email codes if using apple mail on the iPhone)

For WhatsApp, WhatsApp business lets you easily start conversations just by entering any phone number. But yeah it’s still WhatsApp and meta, I personally avoid it as much as I can.

Klonoar · 4h ago
> It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.

I don't fault you for not trusting Meta - I feel the same.

That said, what you're talking about here is an OS feature nowadays.

pavel_lishin · 13h ago
I share your woes regarding WhatsApp; my family overseas uses it, so I have to use it when visiting them, and I also had to do the weird workaround of creating a WhatsApp URL with the destination phone number, then opening it in the browser, and then having it redirect me to the app.

dietr1ch · 5h ago
Oh, I forgot about this, yeah, you can use the links that webpages post to work around it. Quite annoying though, I think I only used it once.

Here's an example link,

https://api.whatsapp.com/send?phone=5551112233

metalliqaz · 17h ago
I find it is useful to do so for all corporations.

spease · 13h ago
Whose interests corporations act in is not arbitrary, it’s tied to how they make money.

Meta and Google make their money primarily from advertisers, Apple makes money from consumers buying iPhones. One of the upsides to paying for something is that the company is incentivized to keep you paying or get you to pay more.

Something I remind people who buy cheaper Android phones and then complain about ads - the OS development is being subsidized by those ads. From Google’s perspective, securing their revenue stream is the justification for Chrome and Android’s existence. It’s not a purely altruistic move to fund their open source development.

Charts of the revenue stream for some major tech companies:

https://www.visualcapitalist.com/charted-how-does-meta-make-...

https://www.visualcapitalist.com/alphabets-revenue-breakdown...

https://www.visualcapitalist.com/charted-how-apple-makes-its...

https://www.visualcapitalist.com/how-amazon-makes-its-billio...

https://www.visualcapitalist.com/how-microsoft-makes-its-bil...

Older aggregate chart:

https://www.visualcapitalist.com/how-big-tech-makes-their-bi...

kstrauser · 17h ago
Sure, but most aren’t able to execute on their evil so effectively.

amelius · 17h ago
Apple included?

metalliqaz · 17h ago
Yes. Apple is a huge corporation and I feel confident that such an entity would happily harm any person or group of persons in the pursuit of profit.

amelius · 16h ago
Are there any examples?

antiframe · 15h ago
I get the impression that Apple would rather have lower hardware manufacturing costs than ensure fair working conditions, as an example of harming people in the pursuit of profit. [1]

Perhaps that's not "bad enough" but I think the general sentiment that corporations value profits over harms to people (especially since they often try to distance themselves by offshoring, etc) applies to Apple as well.

[1]: https://www.bbc.com/news/business-30532463

thenthenthen · 5h ago
They host the data for Chinese customers in a mainland datacenter. Chinese iPhones can not use eSIMs. Foxconn has nets…

stronglikedan · 16h ago
Absolutely, if in nothing else but their pricing!

AdamN · 16h ago
Not really. Meta is kind of the most corrupt towards users of the big tech companies imho. All companies want to make a profit but Meta has very few scruples.

Beijinger · 16h ago
"But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see."

My "rugged" browser for regular browsing has plug-ins that randomize all this data.

rafram · 16h ago
This most likely makes you more identifiable, not less, until a critical mass of people are using a browser with the exact same randomness properties.

graemep · 16h ago
I can see this as an argument for avoiding unusual properties, but how can they identify you using random properties? Even if it is just one user doing this how can they match the fingerprints?

Also, it's unusual enough that it's unlikely they will bother trying.

rafram · 15h ago
The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.

All of this is overkill anyway unless you actually think you’re up against a determined actor targeting you personally. If you are, they will bother trying.

graemep · 10h ago
> The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.

How do they know they are randomised rather than actual properties?

bigbuppo · 13h ago
Go hang out with people that actually work in marketing and advertising and see if that changes your views.

Beijinger · 16h ago
Yes. It makes me unique. Every visit. If I visit the site 10 times, you have 10 unique IDs.

rafram · 15h ago
And if the site loads 100 iframes, it can figure out the distribution of values that your browser returns, which doesn’t change, and is likely to be close to unique until many people are using the same setup as you.

(Or it can just use properties of the extension like monkey-patched function toString() outputs to identify its users, which, again, narrows it down to a very small group.)

Beijinger · 15h ago
Yes! You are unique among the 4162412 fingerprints in our entire dataset.

Yes! You are unique among the 4162649 fingerprints in our entire dataset.

Two visits...

https://amiunique.org/

rafram · 15h ago
Yeah, you get the exact same results in two separate incognito sessions in stock Chrome. They don't immediately add your fingerprint to their database. (And that site isn't using the state of the art in fingerprinting - check https://fingerprint.com/ for a slightly better indicator.)

Beijinger · 15h ago
https://fingerprint.com/demo/

Yes, fingerprint.com realizes that I am the same visitor. But ONLY IF I access it from the same IP address. This is impressive, but in the end not so much. They claim VPN does not matter for them. It does. Probably one of the last things that makes my browser identifiable.

rafram · 15h ago
> Yes, fingerprint.com realizes that I am the same visitor.

QED...

Beijinger · 15h ago
Yes, based on IP address. Great achievement. I change my IP, I am unique again. And they want money for this? Nice try.

miki123211 · 14h ago
Haha, that failed spectacularly.

On stock Mac OS Safari (no plugins, no hardened config), I did what they asked and visited their site in incognito mode via a VPN. It gave me a different id, with a message gleefully announcing that "your ID is the same when you're in incognito mode!" It even showed me some supposed visit from a minute ago.

Jesus what a scam.

agoodwinfp · 10h ago
Hi, I work at Fingerprint. Our demo accuracy is actually much lower than in production. You're welcome to try it yourself for free: https://dashboard.fingerprint.com/signup

RiverCrochet · 16h ago
what plugins do you use/recommend?

Beijinger · 15h ago
You could try these:

Browser Plugs Fingerprint Privacy Randomizer

Clear URLs

[I don't care about cookies]

Privacy Badger

Random User-Agent Switcher

Temporary Containers

uBlock Origin

Canvas Blocker

NoScript

Font Fingerprint Defender

Not all sites will work with it. For banking and plane ticket booking, I always recommend a separate, but major (e.g. Chrome) browser without any plug-ins.

gruez · 13h ago
>Random User-Agent Switcher

Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting. All this does is get you banned/flagged by security vendors, on top of sticking out like a sore thumb.

>Canvas Blocker

>Font Fingerprint Defender

Also easy to detect because randomized values will put you in the bucket of "uses privacy extension" users, which is probably a smaller bucket than whatever hardware profile you're on (eg. macbook pro m3 14").

Beijinger · 12h ago
Maybe.

>> Random User-Agent Switcher

> Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting.

JS is blocked by default on my browser.

>> Canvas Blocker

>> Font Fingerprint Defender

> Also easy to detect because randomized values will put you in the bucket of "uses privacy extension"

Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.

gruez · 12h ago
>JS is blocked by default on my browser.

The major browsers can still be differentiated via default headers and TLS fingerprints, none of which requires js. Moreover if they're inconsistent you'd get flagged with "spoofs user agent", which makes you more identifiable than something like "firefox on mac".

>Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.

Because a given canvas/font metrics value should return the same result given the same graphics hardware/font set. If you randomize the results it basically guarantees that your fingerprint has never been seen before. This might seem like a good thing (because you're randomized every time), but any competent fingerprinting implementation is just going to flag you as "spoofs canvas/font information". The point isn't necessarily to identify you as any particular user, it's to use the fact you're spoofing canvas/font/user-agent to fingerprint you further.
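
The two signals described by rafram (monkey-patched `toString()` output, and sampling a value many times to see whether it varies) and by gruez (a randomized canvas/font value that should be constant for a given device) can be turned into a self-check. The block below is an added example, not code from the thread or from any extension or fingerprinting vendor: it lets a user test how much their own randomizing extension stands out. Node has no canvas, so it uses constructed stand-ins (a stable built-in for an unmodified API, and a noise-adding wrapper for a "defender" extension); in a browser console the same functions would be pointed at, for example, `HTMLCanvasElement.prototype.toDataURL` and a function that hashes a fixed canvas drawing.

```javascript
// Added example (not from the thread or any extension's code): a self-check for how
// detectable a randomizing anti-fingerprinting extension is, built from the two signals
// discussed above:
//   1. a monkey-patched browser API no longer reports "[native code]" from
//      Function.prototype.toString;
//   2. a value that should be identical for the same hardware (canvas hash, font metrics)
//      differs between samples, which a site can collect by rendering it repeatedly
//      (the "100 iframes" approach) instead of once.
// Caveat: signal 1 can itself be faked by an extension that also patches
// Function.prototype.toString; treat it as a first-order indicator only.

const NATIVE_SOURCE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Signal 1: does the function's source text look like an unpatched built-in?
function isNativeFunction(fn) {
  return NATIVE_SOURCE.test(Function.prototype.toString.call(fn));
}

// Signal 2: sample a fingerprint component repeatedly and count distinct values.
// An unmodified browser yields exactly one value; a randomizing extension yields many.
function sampleStability(produceValue, samples = 20) {
  const counts = new Map();
  for (let i = 0; i < samples; i++) {
    const v = String(produceValue());
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  return { samples, distinct: counts.size, randomized: counts.size > 1 };
}

// Combine both signals into a verdict for one component (e.g. "canvas").
function assessComponent(name, apiFunction, produceValue, samples = 20) {
  const patched = !isNativeFunction(apiFunction);
  const { distinct, randomized } = sampleStability(produceValue, samples);
  const standsOut = patched || randomized;
  return {
    name,
    patched,
    distinct,
    randomized,
    verdict: standsOut
      ? 'stands out: an observer can tell a privacy extension is active'
      : 'indistinguishable from an unmodified browser on these signals',
  };
}

// ---- Constructed stand-ins (no real browser canvas API is available under Node) ----
// A built-in whose result for a fixed input is stable within one process stands in for
// an unmodified canvas API.
const unmodifiedApi = Date.prototype.getTimezoneOffset;
const unmodifiedSample = () => unmodifiedApi.call(new Date(0));

// A wrapper that adds noise to the result, the way canvas/font "defender" extensions do.
function noisyWrapper(original) {
  return function (...args) {
    return original.apply(this, args) + Math.floor(Math.random() * 1000);
  };
}
const patchedApi = noisyWrapper(unmodifiedApi);
const patchedSample = () => patchedApi.call(new Date(0));

// Run the self-check on both stand-ins.
console.log(assessComponent('unmodified canvas stand-in', unmodifiedApi, unmodifiedSample));
console.log(assessComponent('randomized canvas stand-in', patchedApi, patchedSample));
```

The point the output makes is the one gruez raises: the randomized stand-in is flagged on both signals without ever being matched to a previous visit, so "never seen before" is itself the identifying property. A browser whose fingerprint is stable but common (stock settings, popular hardware) passes this particular check.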

RiverCrochet · 13h ago
Thanks! IMHO the portable versions of Chrome or Firefox are great when you want a completely separate browser instance.

prasadjoglekar · 18h ago
IP addresses are quite static. Most phones and laptops come "home" once a day and get attached to the home IP. Do it for long enough and you can household all the other IPv6s, MACs etc. that are untethered.

gruez · 14h ago
>MACs etc. that are untethered.

MAC addresses don't leave the local network, so they're not relevant to web tracking. Moreover they're randomized by default on iOS/Android so the tracking potential is limited.

eli · 17h ago
Apple's iCloud Private Relay seems like it should solve this for iOS.

kytazo · 17h ago
My impression would be the opposite. IPv6s get constantly rotated by most ISPs.

MACs are always randomized, even when connecting to the same network. At least as far as modern devices go.

Am I wrong?

aorloff · 17h ago
IPv6 isn't the boogeyman for tracking in general, because so much still relies on IPv4

SpaghettiCthulu · 16h ago
Last I heard, the default on Android was to randomize MAC address across networks but keep them static for each network.

homebrewer · 15h ago
It's actually well documented. What you're describing is the default (mostly), but it's more complicated than that.

Proper randomization can be enabled through the developer settings.

https://source.android.com/docs/core/connect/wifi-mac-random...

vel0city · 17h ago
> IPv6s get constantly rotated by most ISPs

I've had the same prefix for five years now.

And yeah, sure, my device cycles through ephemeral IPv6 addresses often, but always within the same prefix.

Group IPs somewhere between /64s and /56 and you'll essentially get a household identity, at least for a few days to a few years.

kstrauser · 15h ago
Yep. The addresses in an IPv6 /56 or so are about the same as an IPv4 address as far as identifying a single location.
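
To make vel0city's and kstrauser's point concrete, here is an added example (not code from the thread) that groups IPv6 addresses by their /56, and for comparison by /64. The addresses are constructed from the 2001:db8::/32 documentation range and do not belong to anyone; the "household" scenario, the temporary-address rotation and the neighbour prefix are all assumptions made for the demonstration.

```javascript
// Added example (not from the thread): why rotating IPv6 interface identifiers does not
// hide a household when the ISP-delegated prefix stays the same. Groups a constructed
// set of addresses by a /56 prefix and, for comparison, by /64.
// All addresses below are constructed from the 2001:db8::/32 documentation range.

// Expand an IPv6 address (with or without "::" compression) into 8 16-bit groups.
function expandIPv6(addr) {
  const halves = addr.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${addr}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${addr}`);
  }
  return [...head, ...new Array(missing).fill('0'), ...tail].map((g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid group "${g}" in ${addr}`);
    return parseInt(g, 16);
  });
}

// Zero the bits beyond prefixLen and render a canonical "prefix/len" key.
function prefixKey(addr, prefixLen = 56) {
  const fullGroups = Math.floor(prefixLen / 16);
  const remBits = prefixLen % 16;
  const masked = expandIPv6(addr).map((g, i) => {
    if (i < fullGroups) return g;
    if (i === fullGroups && remBits > 0) return g & ((0xffff << (16 - remBits)) & 0xffff);
    return 0;
  });
  return masked.map((g) => g.toString(16).padStart(4, '0')).join(':') + `/${prefixLen}`;
}

// Bucket addresses by prefix; each bucket is what an observer would treat as one "household".
function groupByPrefix(addresses, prefixLen = 56) {
  const buckets = new Map();
  for (const addr of addresses) {
    const key = prefixKey(addr, prefixLen);
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(addr);
  }
  return buckets;
}

// Constructed sample: one household delegated 2001:db8:abcd:1200::/56, using two /64s
// inside it and a temporary (rotating) interface identifier, plus two unrelated prefixes.
const SAMPLE_ADDRESSES = [
  '2001:db8:abcd:1201:1a2b:3c4d:5e6f:7081', // laptop, today's temporary address
  '2001:db8:abcd:1201:9f8e:7d6c:5b4a:3921', // same laptop, tomorrow's temporary address
  '2001:db8:abcd:1205:a1b2:c3d4:e5f6:a7b8', // phone on another /64 of the same delegation
  '2001:db8:abcd:34ff::10',                 // a neighbour's delegation (different /56)
  '2001:db8:ffff:1::1',                     // unrelated network (different /48)
];

for (const len of [64, 56]) {
  console.log(`--- grouping by /${len} ---`);
  for (const [key, members] of groupByPrefix(SAMPLE_ADDRESSES, len)) {
    console.log(key, '->', members.length, 'address(es)');
  }
}
```

At /64 the laptop's two temporary addresses already collapse into one bucket; at /56 the phone joins them, while the neighbour and the unrelated network stay separate. Privacy extensions on the client do nothing about this layer, which is why the relay-style approach eli mentions (routing through an intermediary so the origin prefix is not exposed) is the mitigation that actually applies.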

Hilift · 15h ago
> what is Meta doing to get around Apple's iOS privacy protections?

Money always finds a way. Everyone thought the changes made a few years ago would hurt Meta but they make $70 billion net profit. At a minimum, they only need a good relationship with advertisers, and a (sort of measurable) increase from a campaign. Also ads are different now. One address may see the same five seconds of an ad hundreds of times. That is a much easier ecosystem to correlate targets through data enrichment.

0cf8612b2e1e · 14h ago
Let’s pretend that the Apple restriction is 100% effective - how much impact would you expect to Meta’s bottom line? Sure, Meta would love to know every spicy detail of your life, but just following in-app activity probably reveals more than enough to sway advertisers.

Meta hoovers up every detail because they can. Knowing that user #7227724 spends 23 minutes a day in Spotify might make the ad targeting 0.4% more accurate, but does not seem like the lynchpin for the entire business.

dec0dedab0de · 18h ago
probably just ignored them. Aren't those privacy protections basically you saying "pretty please don't track me?"

tagraves · 18h ago
Not on iOS, as I understand it. If you "Ask app not to track" on iOS then the app cannot access your IDFA, which was the ID that previously was used to track a device across apps.

willis936 · 18h ago
If we're exploring the space of "they're lying", isn't a simpler explanation that they're lying about their revenue?

pc86 · 18h ago
The consequences for lying about revenue as a public company are many orders of magnitude worse than lying about compliance with some private contract or TOS.

PenguinCoder · 17h ago
Mess with someone's personal privacy, non-issue. Mess with investors' money, instant problem. Money is more important than people, to these groups.

cr125rider · 18h ago
No. The SEC gets very grumpy with public companies if they do that.

rafram · 16h ago
You're confusing IDFA with Do Not Track.

resource_waste · 17h ago
>what is Meta doing to get around Apple's iOS privacy protections?

A strong relationship to Apple and cross-value marketing.

Surely these rules only apply to middle sized and smaller companies. We've seen Apple get caught bending the rules for big players, even if they don't admit it.

kyle-rb · 16h ago
There's a company, currently called Tie (meettie.com), formerly known as Revenue Roll, who promises to "de-anonymize your highest value web traffic", which in practice means that they give you an email address for retargeting, for a user who visited your site without ever explicitly providing any identifying info.

The old site had a blog post [0] where they explicitly said they were using fingerprinting, and even called it "privacy-compliant".

I'm sure they're not unique in the service they provide, but that was the first time I'd seen someone brag about browser fingerprinting.

[0] https://web.archive.org/web/20240527125312/https://www.reven...

gausswho · 14h ago
I notice they have an Opt-Out form here: https://app.termly.io/dsar/ee5088c4-5eb2-475c-a9ea-9376f1b70...

It's pretty hilarious legalese and tells you nothing about what it even achieves. Maybe makes you a Very Important Marketing Target.

One thing that struck me was the 'Under penalty of perjury, I declare all the above information to be true and accurate'. Shame they seem to require validating request by email. It'd be fun to take a PII breach and throw all the emails you find at 'em.

amelius · 14h ago
Why aren't privacy orgs trying these services?

jordanb · 18h ago
I'm considering it a good thing at this point that I'm getting captcha-walled with increasing frequency. It means that my setup and behavior looks more like the billions of anonymous bots flooding the web rather than a lucrative mark.

bo1024 · 15h ago
Same, but to access so many websites now, you have to turn on JS (i.e. turn on fingerprinting). Even for sites where this isn't on purpose, it's true because they're behind Cloudflare.

daneel_w · 17h ago
You should share details on your setup.

bo1024 · 15h ago
(Different commenter, same experience)

Firefox, VPN, UBlock Origin, Privacy Badger, and UMatrix plugin to block cookies and javascript by default. (You can easily whitelist first and/or third-party cookies and/or JS on sites of your choice.)

Actually, usually librewolf instead of firefox, but not a big difference I suspect.

daneel_w · 14h ago
When I test with LibreWolf (anti-fingerprinting enabled) and uBlock Origin as the only add-on installed, it manages to retain my fingerprint across sessions. Perhaps it's my static IP.

mudkipdev · 15h ago
+1 for librewolf

firefax · 13h ago
I use noscript, ublock origin, and container tabs to isolate my personal email and banking, and often get accused of being a robot. (I'm a real boy!)

jordanb · 17h ago
Nothing special just Firefox and the normal privacy plugins.

PunchTunnel · 16h ago
It also might be (as it proved in my case) that your address block (including the whole neighborhood from an ISP perspective) includes a compromised device. I discovered one of my neighbors has a compromised device that's sending a couple million spam emails per month, and it tainted the reputation of the entire network address block.

jordanb · 16h ago
Well it happens on both my laptop and my phone, both of which are firefox with a lot of the fingerprinting stuff like useragent knocked out, as well as adblock, etc.

fsflover · 12h ago
Did you have a look at this test? https://www.eff.org/pages/cover-your-tracks

Sanzig · 18h ago
Browser fingerprinting is one of those things that should be outright illegal - it is far more of a threat than tracking cookies ever were. But it hasn't permeated the public consciousness like cookies have, so regulators seem to ignore it.

patrickmay · 18h ago
This is a technical problem, not a legal one. The solution is for browsers to provide users with the ability to limit the information being sent. There's no need for the vast majority of websites to know my OS, number of CPUs, screen or window size, or most of the other fingerprinting metrics.

kennywinker · 18h ago
Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.

Not to mention the big players on the users’ team in the technical arms race (google, ms, apple) are also advertising companies.

By all means let’s solve it from the technical side - but also let’s regulate privacy so everyone gets it, not just people paranoid/technical enough to use the latest/best privacy-respecting tools.

Aurornis · 15h ago
> Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.

“If done right” is doing a lot of work in that sentence.

The way hypothetical regulation is spoken of in abstract terms where it’s perfect, solves everything, and everyone complies perfectly is at odds with how regulation works in the real world.

kennywinker · 12h ago
I agree entirely, but I think that’s a problem because gov is captured by corporate interests / neoliberal ideas.

They try to balance keeping corporate donors happy with keeping people happy, and create regulations that are toothless empty gestures that only serve as employment opportunities for lawyers and consultants.

So yes, “if done right” is doing a lot of work. But I refuse to cede gov to the corps and retreat to anarcho-capitalist ideas like “this is a technical problem”. We attack on all fronts - regulation and technological solutions.

Sanzig · 18h ago
I think it's both. It wasn't a problem when browsers were simple content display engines, but now that they are full VMs for application software, they need some of that capability just to function. FWIW, I think this was a mistake, but the genie is out of the bottle.

I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.

istjohn · 18h ago
I'm loath to suggest it, but perhaps LLMs could help here? Once local LLMs are a couple orders of magnitude better and more resource efficient, a user agent LLM could decide what features are actually needed for each page.
codingminds · 16h ago
Until the LLM learns that Cloudflare and friends will bomb you with Captchas until you allow all features again.

rsync · 13h ago
… which is why it is so frustrating (and damning) that Firefox does not make it simple to block all of these measurements.

To whatever degree this is, indeed, a technical problem. There’s a simple choke point that is being intentionally unutilized.

grishka · 16h ago
It can't be made entirely illegal so IMO a better way would be to remove or restrict the APIs that fingerprinting scripts abuse. Make browsers hypertext viewers again!

thrance · 14h ago
Why can't it be made illegal? And from the article, a very succinct explanation as to why browsers will never be fingerprint-resilient:

> Chromium (Chrome) is built by Google, an advertisement company which tracks its users for showing relevant ads. So naturally it doesn’t have any inbuilt protection against fingerprinting.

quantas · 13h ago
Even if they make it illegal, it won't stop bad actors, especially from foreign countries, from abusing stuff like this. It's better to build better systems that fix this issue instead of relying on government laws.

You could compare it to the concept of security by obscurity which is obviously bad.

fsflover · 12h ago
It's already illegal in Europe: https://news.ycombinator.com/item?id=44670345

bee_rider · 18h ago
It should be illegal, but we also need technical prevention of it, because the internet is global and goes through too many jurisdictions to really regulate.

Plus, fingerprinting tech would get developed for criminal organizations or intelligence agencies anyway.

Szpadel · 17h ago
there are some more or less legit causes for fingerprinting, like bot protection or identifying scammers who just create another account when the previous one is banned.

whether this is justified is of course subjective

ryandrake · 13h ago
Somewhat off topic, but I think calling something "more or less legit" is a form of justifying it.

amelius · 18h ago
We need regulators with more balls. And more brains. This privacy theater is becoming very painful to watch.

t0lo · 18h ago
People with ideas are a dying breed. The west doesn't have a fraction of the idealism of the 80s and 90s

Yeul · 15h ago
Those people all sold out and now live in California mansions.

rimbo789 · 16h ago
Good: that naive idealism led us down some very stupid paths

t0lo · 2h ago
You ready to see what a world without naive idealism has in store for us?

Lord-Jobo · 18h ago
The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.

In fact, doing so will oftentimes end up bringing donations from relevant industries directly to your opponent.

Now, this system of perverse incentive and legal bribery should be fixed at the constitutional level but that's a gigantic can of worms.

In the current system there are two methods that can circumvent the issue. The first is one deployed by the likes of Elizabeth Warren; run your campaign on a broad array of "fighting for your constituents" and don't get specific until you're already elected and drafting a bill.

The second path is underutilized and should be done more: lie out your ass to the moneyed interests. Take their money, make them promises, eat at their fancy dinners, befriend them, laugh at their awful jokes. Then just fucking dunk on them in the legislature, as quietly as possible. Make a big show of being forced to, keep the charade going as long as possible.

The inverse of this has been done a lot recently, with Sinema, with Fetterman. But the good version is quite rare, and a good opportunity to make our country a better place.

Key notes: tough to do in bigger positions because they're rarely the first public office seats people hold, so track records build. Tough to do in many districts because voters can be rubes who actively agree with the corporations stomping on their nards. Tough to do if you make too large of a profile (not really a concern).

jancsika · 16h ago
> The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.

Proof of Domain Expertise: Name the famous presidential campaign which focused directly on combating "this system of perverse incentive and legal bribery" as its core campaign message.

Edit: Hint: primary, lots of votes, lots of money

MD5 of answer: 1c02462874398d776ff28aeed2d056b1

bugsMarathon88 · 13h ago
The Internet is a war zone: demanding made up rules for behavior online is as ineffectual as pleading for peace with the enemy during battle. Strap on a helmet if you're shell-shocked.

chpatrick · 18h ago
Seems almost impossible to police though.

tonyedgecombe · 18h ago
Yes, it’s probably worse to have unenforced regulations than no regulations.

Sanzig · 18h ago
Since fingerprinting is mostly client side, it should be detectable. If you serve a web page with a fingerprinting script, that should be an automatic big fine.

MontyCarloHall · 17h ago
Sites would then avoid running purpose-built fingerprint scripts and collect fingerprint metrics as a side-effect of necessary activities. Lots of sites need to know window/screen size, DPI, installed fonts, timezone/locale, etc. as a matter of being able to function properly. It would be impossible to know whether a site is also using this information to fingerprint users.

The unsolvable problem is that modern websites are not simply documents but rather full-blown software with web browsers as their runtime environments, and you simply cannot enable that amount of power without also enabling the power to fingerprint that runtime environment and thus fingerprint the user.

troupo · 18h ago
Or... You could read GDPR and realize that "cookie dialogs" were never about cookies: https://news.ycombinator.com/item?id=44670345

Sanzig · 18h ago
TIL, thanks! The usual convention of calling them "cookie dialogues" sure obfuscates that.

dylnuge · 17h ago
Which is a very intentional (and successful) marketing ploy by companies to get users to not care about them. It sounds like a boring technical thing instead of "we need your permission to let massive advertising networks track you around the internet" (consent isn't needed for site functionality; you can use cookies and never mention it if you don't use them for tracking).

Unfortunately this is a challenge with regulation; companies find a way to break the spirit of it as much as possible while following the letter. It's better that companies need consent to track us than not, but consent managers are dark patterns designed to deeply annoy us at the prospect of saying no.

aniviacat · 18h ago
So does that mean that fingerprint.com, which records your fingerprint without asking for your consent, is operating illegally?

eagleal · 16h ago
Without permission yes, if it stores it (but that would probably just be client-side).

If it stores it and uses it for matters different than what was explicitly advertised when you consented to it, then yes it's even worse.

edit: just saw that's a service they resell. So yeah it is against GDPR

troupo · 18h ago
Good question :)

I think if it's all client-side, not logged or retained, and is not transmitted to third parties, it should be fine.

IANAL

9dev · 18h ago
Yes, almost certainly so. You did not consent, they have no legitimate interest to track you, and you were never informed about the what and why in plain language.

The GDPR isn’t the complex legislation monster people make it out to be, but for the most part common sense about handling sensitive data.

u8_ · 17h ago
From my experience, fingerprint.com isn't really the best at fingerprinting. The scariest one to me is creepjs

https://abrahamjuliot.github.io/creepjs/

anthk · 17h ago
Dillo and Links are perfect against that crap.

yodon · 17h ago
There's a company offering a service to explicitly unmask and name the formerly anonymous visitors to your website, posted on HN today.

[0] https://news.ycombinator.com/item?id=44670308

mysterypie · 18h ago
> go to about:config and setting privacy.resistFingerprinting = true in your Firefox browser

Two questions jump to mind:

Why isn't this the default in Firefox?

What is the downside? I.e., what can break by enabling this parameter?

JohnFen · 18h ago
It isn't the default because the countermeasures cause a lot of side-effects. If it were on by default, new users would probably think the browser is broken or buggy.

Here's what the settings do and what sort of side-effects you might experience:

https://support.mozilla.org/en-US/kb/resist-fingerprinting

Yeul · 15h ago
Yeah I have it on but I use a second browser for banking and government business.
jeroenhd · 18h ago
> What is the downside

Just off the top of my head:

- Timezone is set to UTC which means any web calendar input becomes confusing at best

- Canvases turn into random stripes, which leaves artefacts all over many websites

- Some websites outright block you as bots (twitch does this)

- Some web APIs break, which can be a pain if you use web apps that rely on them

You can add websites to a whitelist to avoid the downsides on some sites (privacy.resistFingerprinting.exemptedDomains) but it's a pain to do that for every website.

Szpadel · 17h ago
Other downsides: Cloudflare, PayPal and all kinds of finance-related sites will assign a high threat level to you, and that will make your life miserable, for causes ranging from captchas through rejecting your purchases to even blocking your access.

And the worst part is that this didn't change the fingerprint generated by the site mentioned here; it just increases the suspect level to 9.

Workaccount2 · 16h ago
The solution I use is to have two browsers, one bolted down and the other mostly untethered.

After a while you develop an intuition for which browser to use depending on what you will be doing.

gruez · 13h ago
>and the worst part is that this didn't change the fingerprint generated by the site mentioned here

???

It definitely does. Are you talking about how it doesn't change between subsequent visits?

Szpadel · 11h ago
In my case it stayed the same, but I tested it on Android Firefox; maybe it works better on desktop, but I do not have access to it right now to verify.
gruez · 10h ago
You probably need to quit/force close and reopen. At the very least it randomizes your canvas results and timezone, which should mess with most fingerprinting sites.
keyringlight · 17h ago
The biggest one I've noticed which I think is linked to that preference is sites using Cloudflare sending you into an endless loop of a bot check.
rinz · 18h ago
Some websites prefill the username to allow quicker re-login, that kind of feature. Worst case scenario, you will get the first-time-visit experience all over again.
Cyykratahk · 18h ago
The most obvious downside for me was remote terminal windows (e.g. using ttyd) being unusable because canvas rendering was "broken".
capitainenemo · 17h ago
That one at least is easy to fix, since firefox shows a little icon in url bar if it is blocking canvas data, and the remote site asked for it. You just click on it to whitelist that site.

I've had more issues personally with resist fingerprinting making major sites completely unusable (drupal.com, walmart.com..)

micromacrofoot · 18h ago
It's actually part of the privacy preferences in the normal settings, and they supply this warning

> This setting may cause some websites to not display content or work correctly. If a site seems broken, you may want to turn off tracking protection for that site to load all content.

Some sites use light fingerprinting to provide features

jeroenhd · 18h ago
resistFingerprinting is stricter (and has worse side effects) than the standard "strict" privacy protection.
Vinnl · 18h ago
So, one thing I don't quite get about fingerprinting:

> For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details

If, for example, I upgrade my web browser in two weeks (i.e. I get a new version number), doesn't that mean that the site has lost me?

Sites like https://coveryourtracks.eff.org seem to focus on how unique your fingerprint is, but doesn't it also matter how stable it is over time?

rinz · 18h ago
That is why they probably don't put features that can be easily changed into the final fingerprint hash.
Vinnl · 16h ago
But how many features then remain? For example, I've seen people discuss font size, version numbers, viewport size, etc. Do the remaining features still make a unique identifier?
corford · 16h ago
In most cases yes. If you upgrade your browser, the only thing that changes is the user agent data. The underlying device remains the same and it is this that leaks a lot of fingerprinting attributes (screen, gfx card, fonts, timezone, language, operating system, battery status, audio setup, bluetooth, installed video codecs, TCP data, IP address if static etc.).

To get a feeling for this, try: https://abrahamjuliot.github.io/creepjs/ ; https://bot.incolumitas.com/ and https://amiunique.org/fingerprint

Combined with super cookies (https://blog.mozilla.org/en/internet-culture/mozilla-explain...), that's a lot of data points to stitch together a high confidence fingerprint.

Although not perfect, FF is much better out of the box at limiting the leaks than chrome.

dehrmann · 15h ago
It depends if they hash the data points or send them unprocessed. If they're unprocessed, they can associate two fingerprints where only the browser has changed.
lucraft · 18h ago
I tried the demo, fingerprint.com, in:

  - Safari
  - Safari private mode
  - Chrome private mode
and it was not able to identify me across those.

I then tried

  - Chrome (normal, non-private mode)
and it did identify that as a repeat Chrome visit.

Does Safari have better privacy than Chrome?

laborcontract · 18h ago
Safari will assign you a random ip address on a per tab basis if private relay is on. With chrome there is zero plausible deniability as to who you are. You are who you are today, yesterday, and a year before, in every tab, window, incognito or not.
adzm · 17h ago
IP addresses are not used in browser fingerprints though
ezfe · 12h ago
That's not true...they're a major signal
rogerkirkness · 18h ago
Yes by a lot.
piker · 18h ago
This comes with some downside because to protect privacy Safari blocks some useful APIs. For example, you can't tell if the user is running Apple silicon or Intel. That means you have to ask them whether they want the Intel or Apple silicon version of a download. This is a non-trivial question for a lot of Mac users. And, sure, you can always publish through the App store but that comes with its own drawbacks.
9dev · 18h ago
A price I’ll gladly pay in favor of increased privacy, and I haven’t heard of too many people stumped by the question. In the worst case, you can just try it out.
piker · 17h ago
Yeah for folks who are viewing this site it's obvious, but my target audience doesn't have a clue for example.
piker · 17h ago
There are a whole lot of downsides to that approach. Most applications don't do it, although perhaps it does make sense for the general audience like mine. Fortunately, however, a lot of Macs are using Chrome or Firefox that expose this info.
voidUpdate · 18h ago
How does web fingerprinting work with things like iPhones, where many people have the same screen, browser, os version, etc?
kevindamm · 18h ago
The browser version will have some variance because releases are rolled out to clients over time, and users don't restart their browser immediately. I don't know all the signals FingerprintJS use but they obviously depend significantly on the user agent string (which has the precise version) seen by how the author could spoof it with Tor's UA randomizer.

BTW, the article is incorrect that Chrome doesn't allow for user agent modification or other fingerprint resistance; you can: https://developer.chrome.com/docs/devtools/device-mode/overr... and there are extensions for more convenience. The article is also incorrect about third-party cookie leakage from ads, but it was possible to sniff the session ID in some cases, back a decade ago before everything went cookieless and dropped session identifiers from the protocol entirely. However, it is possible for advertisers to parameterize their campaigns and analytics to such a detail that they can link demographics to their internal user IDs; though it's against policy, it is easy for it to go unnoticed. And there are things like location exfiltration in too many Android apps. I'm not trying to give Google a complete pass on privacy, but it's clear the author made some assumptions based on bias.

Back to your question, though, there are other things you can use as part of the fingerprint. The fonts that are installed are a proxy for which applications have been installed. The artifacts at the edge of text rendered onto a canvas can indicate which graphics chip and drivers are installed, sometimes with differences even within the same GPU model and driver version. Touch tracking can tell whether you swipe with your left hand or your right hand. Timing signals can indicate CPU specs and even hint at whether you're in a VM or behind a VPN, etc. There are more, accessible from JS in most cases, and really most of it is more reliable than what's in the user agent string.

fuzzy2 · 18h ago
I think there’s still quite a bit: font size, regional settings (language etc), software versions, browser extensions, adblockers…
dehrmann · 15h ago
Not as well. This is especially true for iPhones where there are fewer SKUs and aggressively pushed updates.
anonymousDan · 18h ago
It's a little unclear to me - does Brave prevent it or not? Edit: some interesting background on what they do here: https://github.com/brave/brave-browser/wiki/Fingerprinting-P...
thesuitonym · 18h ago
Does it matter? Brave is adware, so even if they prevent fingerprinting, you're just trading one vendor for another.
yjftsjthsd-h · 13h ago
It depends exactly what they do and what you're trying to prevent. If Brave shows you ads but does it without tracking you, then that might be better than them not showing ads and letting you be tracked. So the question is: Are they tracking you?
oldandboring · 17h ago
I just turn off all the news, ads, crypto wallet, etc. stuff in Brave and it honestly feels just like Chrome but with really good ad-blocking. I'm just a little disappointed to see that it isn't as good at blocking fingerprinting as they claim to be.
homebrewer · 18h ago
https://privacytests.org

Maintained by a Brave employee, though the site is fully open in all senses of the word, as far as I'm aware.

nuker · 4h ago
Safari in Private mode checks a lot of boxes! Great find!
anonymousDan · 14h ago
Oh wow, supercool! Seems to do pretty well on desktop private mode at least.
jeroenhd · 18h ago
Tested with Brave on my phone using fingerprint.com. Visited the website, took note of the ID, closed the tab, cleared browsing data, and opened the website again. The ID remained the same.

This is on Android, so Brave is using their own browser engine, so I don't think things will be different on desktop.

1a527dd5 · 18h ago
Adding the other side; we use ja3/ja4 * for rate limiting and it works a treat, especially when we set our rate limits to much higher than normal traffic.

I've pushed back any attempts for any kind of tracking for business purposes (e.g. fancy charts).

* ja3 seems to be slightly better, ja4 sometimes groups too many "people".

Edit* Title also needs (2023).

mystraline · 17h ago
Bigger question: why aren't Firefox and Tor Browser modifying the JavaScript reporting calls to lie?

All machines would have 16 cores and 32GB RAM, running Windows 10, and 1 point-touch or mouse. And the resolution would also be fixed as reported, and would only change on the client.

The user-agent should be acting on our behalf. So, why isn't it (Firefox, TBB) utterly lying and acting in our interest? We know why Chrome wouldn't.

Tor also gave up this web fingerprinting fight without even really trying. Editing the JavaScript calls to consistently lie the same way was "too hard". https://m.youtube.com/watch?v=3wlNemFwbwE

rsync · 12h ago
Going further: why does Firefox allow site operators to dictate common user interface restrictions?

Infantile developer behaviors like disabling paste in the password field? Or bona fide on page text that cannot be selected in the browser window?

There is no reason for Firefox to enable or honor these requests.

Jeremy1026 · 18h ago
I didn't get the same ID when using Safari in a "regular" window, then visiting again in a Private Browsing window. So that's good I guess?

https://imgur.com/a/OBoaTdy

Roguelazer · 18h ago
It's really "cool" when you get vendors like 6sense that combine browser fingerprinting with semi-licit data brokers to do full deanonymization of visitor traffic. Why bother doing marketing when you can just get a report of the name, email address, mailing address, and creditworthiness of every person who's visited your website?

I've seen people argue with a straight face that these tools and their reports don't run afoul of GDPR/CCPA because they don't involve information that a user gave you on purpose, so it's not protected. Ghouls, all of them.

bellajbadr · 18h ago
People who are recommending Tor/Tor Browser: the last versions are enabling system spoofing, which helps to fingerprint you. Also JavaScript can just help to fingerprint you easily even if the browser doesn't.
NooneAtAll3 · 18h ago
how does system spoofing fingerprint you, if it spoofs same way for all tor users?
acheong08 · 15h ago
Must be a typo. They are disabling user agent spoofing for operating systems (but not versions)

Not a great move imo

DavideNL · 12h ago
Fyi, interesting info about Firefox Fingerprinting Protection mode/settings : https://github.com/arkenfox/user.js/wiki/3.3-Overrides-%5BTo...
owenthejumper · 15h ago
There are legitimate use cases of fingerprinting, like bot management. Unfortunately too many people abuse the system
soruly · 15h ago
Yes. As a site owner who keeps fighting bots and malicious traffic, I wish web browsers would provide me a way to distinguish real users from bot traffic. Otherwise I'll have to put everything behind account registration.
specproc · 18h ago
I just tried this with the Firefox setting recommended in the article, with and without a VPN, and it still recognised me. Any other tips?
jabjq · 18h ago
Yep, doesn't work at all. This post is two years old and the methods they use have been updated.
thesuitonym · 18h ago
Did you restart Firefox after enabling the setting?
specproc · 17h ago
Actually, no. Good shout. AFK right now, but will try later.
nicman23 · 18h ago
ipv6?
Zak · 18h ago
I turned on resistfingerprinting and started getting sites in light mode. The horror!

This doesn't look to be among the available toggles, and I hope that changes. I realize the light/dark setting is a data point for fingerprinting, but it's also something I have a genuine strong preference about.

bugsMarathon88 · 16h ago
Tor Browser is the only last remaining bastion for a semblance of privacy online, both through the network and hardened Firefox. Any other attempts, through VPN or otherwise, are frankly futile and only increase attack surface.
Oras · 18h ago
title should mention this is from March 2023
coffeecantcode · 18h ago
Would be curious how Brave handles fingerprinting, I’ll have to look into that.
mitkebes · 18h ago
Brave has built-in fingerprinting protection (https://github.com/brave/brave-browser/wiki/Fingerprinting-P...), that's enabled by default. It seems like it's less aggressive than Firefox's though (since Firefox's fingerprint protection is disabled by default because it breaks things), and it doesn't seem to be able to block this company's fingerprinting tech. I got the same ID in a regular window and private browsing window.

The brave shields setting section also has an option for blocking scripts, which may work. It prevents the demo from being able to show an identifier for the user at all, but I'm not sure if it's preventing identification or just preventing the displaying of the identification.

t_mann · 18h ago
Isn't fingerprinting covered by GDPR in a similar way to how cookies are? So in theory you should be able to opt out, at least as an EU user.
bryanrasmussen · 18h ago
Sure, if they ask you "can we track you" and you say no, they should not fingerprint.
apples_oranges · 18h ago
EU (or whoever) could mandate a switch in the browser; when turned on, all identifying APIs are disabled. But the IP is still the same, so..
afiori · 18h ago
This falls into the same problem as the DNT header: while being a good technology, it will be used by so few people that it might very well increase fingerprinting capabilities in some ways.
kennywinker · 18h ago
Non-hostile websites use identifying apis for functionality.

Disabling them globally means a broken browsing experience.

troupo · 18h ago
The law has been around for almost 10 years now. If browser vendors wanted, they could have come up with such a switch themselves.

Guess which company coincidentally is the world's largest advertiser, largest ad broker, largest data tracker and owns the world's most popular browser?

AlexandrB · 18h ago
How would you ever find out/enforce this though? With cookies, you can examine the local cookie storage but with fingerprinting everything happens server-side (as I understand).
bryanrasmussen · 14h ago
>How would you ever find out/enforce this though?

Programmers really have a hard time understanding the law. How does any violation of the law ever get found out, or any law enforced? Generally someone says, hey, this company is doing X, and then the government gets a warrant to say, let us look through your stuff to find out if you are doing X.

As a normal rule most companies work something like:

"excuse me, we have reports you are doing X"

"Not exactly, this is what we are doing - we call it X1, which is why we are totally ok under the rules governing X. Our legal dept. can totally explain"

Court case instantiates.

If the company is doing something that they will actually say "no we are doing nothing of the sort!" then it is likely someone in the company will at some time say "hey they are really doing X" and then the warrant thing I discussed first happens.

At any rate, finding out and enforcing things can happen without perfect technical access to everything; that's how justice systems have managed to work for centuries.

Sanzig · 18h ago
The fingerprint collection happens mostly using client-side JS (a bit of server side with HTTP headers, but the really high entropy stuff is client side).

Conceivably you could develop some sort of heuristic that detects when a script is simultaneously poking at a whole bunch of APIs associated with common fingerprinting techniques (canvas capabilities, WebGL, screen size, installed fonts, etc) and then kill it. But it is certainly much harder than blocking cookies.
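The heuristic Sanzig sketches, as an added example that is not code from the thread or from any browser: it wraps the surfaces a fingerprinting script reads, counts how many distinct categories a script touches inside a short window, and flags it once the count passes a threshold. The stand-in `screen`/`navigator`/`canvas`/`fonts` objects, the category list and the threshold of 4 are constructed assumptions so the code runs in Node rather than a browser.

```javascript
// Added example: toy "many fingerprinting surfaces read at once" detector.
// Constructed stand-ins for the browser's `screen`, `navigator`,
// `HTMLCanvasElement.prototype` and `document.fonts`.
function makeConstructedEnv() {
  return {
    screen: { width: 1920, height: 1080 },
    navigator: { hardwareConcurrency: 8, deviceMemory: 16, language: 'en-US' },
    canvas: { toDataURL: () => 'data:image/png;base64,constructed' },
    fonts: { check: (font) => font.includes('Arial') },
  };
}

// [object, property, category, isMethod]: one entry per surface worth watching.
const FINGERPRINT_SURFACES = [
  ['screen', 'width', 'screen', false], ['screen', 'height', 'screen', false],
  ['navigator', 'hardwareConcurrency', 'hardware', false],
  ['navigator', 'deviceMemory', 'hardware', false],
  ['navigator', 'language', 'locale', false],
  ['canvas', 'toDataURL', 'canvas', true],
  ['fonts', 'check', 'fonts', true],
];

// Tallies which categories were touched inside a sliding time window.
class FingerprintMonitor {
  constructor({ threshold = 4, windowMs = 2000, now = Date.now } = {}) {
    Object.assign(this, { threshold, windowMs, now, events: [] });
  }
  record(category) {
    const t = this.now();
    this.events = this.events.filter(e => t - e.t <= this.windowMs); // expire old reads
    this.events.push({ t, category });
  }
  touchedCategories() { return [...new Set(this.events.map(e => e.category))].sort(); }
  // A layout script reads one or two surfaces; a fingerprinter reads many at once.
  isSuspicious() { return this.touchedCategories().length >= this.threshold; }
}

// Wrap each surface so every property read or method call reports to the monitor.
function instrument(env, monitor, surfaces = FINGERPRINT_SURFACES) {
  for (const [objName, prop, category, isMethod] of surfaces) {
    const obj = env[objName];
    if (!obj || !(prop in obj)) continue;
    if (isMethod) {
      const original = obj[prop];
      obj[prop] = function (...args) { monitor.record(category); return original.apply(this, args); };
    } else {
      const value = obj[prop]; // on real prototypes you would wrap the original getter instead
      Object.defineProperty(obj, prop, { configurable: true, get() { monitor.record(category); return value; } });
    }
  }
  return env;
}

// Constructed script that behaves like a fingerprinter: reads everything in one go.
function fingerprintLikeScript(env) {
  return [env.screen.width, env.screen.height, env.navigator.hardwareConcurrency,
    env.navigator.deviceMemory, env.navigator.language, env.canvas.toDataURL(),
    env.fonts.check('12px Arial')].join('|');
}
// Constructed benign script: a responsive layout checking the viewport width.
function benignScript(env) { return env.screen.width > 1200 ? 'desktop' : 'mobile'; }

// Run a script against an instrumented environment and return the verdict.
function classify(script) {
  const monitor = new FingerprintMonitor({ threshold: 4 });
  script(instrument(makeConstructedEnv(), monitor));
  return { suspicious: monitor.isSuspicious(), categories: monitor.touchedCategories() };
}
```

In a real browser the hooks would have to live in the engine or in an extension content script that runs before page scripts, because a script that captured the original getters before instrumentation would never hit the counters.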

mhitza · 18h ago
> with fingerprinting everything happens server-side (as I understand).

It happens client-side. Browser headers sent through for requests aren't enough for fingerprinting.

bryanrasmussen · 14h ago
Sure, but anyway the data collection is not that important; it is actually the data storage and data deletion parts that are going to make or break a GDPR case.

on edit: better clarify, I mean if you are fingerprinting, but not storing in such a way that you can actually identify someone (although not sure why you would use fingerprinting then) then I don't think there is a case.

troupo · 18h ago
Those obnoxious "cookie" dialogs? Yes, they cover fingerprinting as well. E.g. some innocent company wants to keep your precise geolocation data for 12 years: https://x.com/dmitriid/status/1817122117093056541

Cookie banners were never about cookies or privacy. The industry designed them with some very explicit goals in mind: to force users to opt-in to pervasive tracking, and to blame "how unusable web has become" on GDPR

dmix · 18h ago
Cookie banners were a result of an EU ePrivacy "cookie law" from 2002, 16yrs prior to GDPR and before fingerprinting.
troupo · 17h ago
The current breed of cookie banners is the industry's response to GDPR
apples_oranges · 18h ago
Using the same IP address, isn't he?
apples_oranges · 18h ago
I tried with phone, switch from wifi to cellular and I get a new fingerprint. (private browser, always on)
0points · 18h ago
Many of us are. It's not a unique identifier.
nelblu · 17h ago
This really saddens me. The fingerprinting even works when using Mullvad browser with VPN. I am so tired of this new internet, I hope someone is working on figuring out an alternative to this type of fingerprinting. I understand it is a cat and mouse game, but whatever, this is absolutely shitty.

I was wondering why can't browsers just fake the hardware (assuming that is what it is using to recognize)? I understand sometimes these javascripts run some type of algorithm to detect how fast it was processed to fingerprint, but even those could potentially be faked by the browser. Is anyone working on such stuff?

dingody · 5h ago
Every now and then, news like this pops up and sparks some discussion. But in reality, I believe any internet-based business—every single app to some extent—tracks users in this way. It’s just the nature of the internet.
ezfe · 18h ago
This doesn’t work on my iPhone in Safari
luxuryballs · 15h ago
what if I just have a script that browses random websites when I’m away and now they id my machine but the data isn’t a true reflection of anything
fortran77 · 17h ago
I cleared my cookies, went to private mode (on Edge) and fingerprint.com knew it was me. Now I wonder how much was a good guess from IP address and things that are other than browser-supplied information.