by Bright_Machine on 3/21/23, 7:18 AM with 510 comments
by mihaic on 3/21/23, 10:09 AM
Few people seem to try to reconcile this, since neither side cares about the other.
I personally think that discussion about fingerprinting as raw tech, without mentioning the size of the company collecting the data or the purpose is meaningless, and only leads to a few tech-savvy users having less data collected on them.
Most people want to use Javascript, use the default setting and not be afraid of clicking on links. I can't really see a good solution without a coordination of regulation and tech standards, so I'm hopeful at least for decent solutions.
by jonhohle on 3/21/23, 1:49 PM
I thought having an ad campaign that targeted subgroups very specifically and boldly might be enough to drum up public interest. Something like: “Hello $name from $city. How did $recent_embarrasing_purchase work out? I hope you enjoy your birthday in $birth_month.” And then a link to the proposed policy.
Unfortunately, marketers have neither scruples nor the ability to control themselves and have captured an asymmetric advantage. Technologists do what they do, preoccupied with whether or not they could, not stopping to think if they should. It seems like legislation may be the only remaining option.
by hilbert42 on 3/21/23, 8:31 AM
I have five different browsers on my smartphone and three on the PC all sans JS and none of them are Chrome. Also, normal operation is to automatically delete all cookies at session's end.
My smartphone and PCs are de-googleized and firewalled and I never see ads in my browsers nor in apps. The apps are mainly from F-Droid and sans ads and the few Playstore ones I use are via Aurora Store and are firewalled from the internet when in use. Honestly, I cannot remember when I last saw an app display an ad, it has to be years back.
In the past I used to go to more extensive measures to stop the spying but I found it was unnecessary as the spy leakage was essentially negligible with much less stringent efforts.
It's pretty easy to render one's online personal data essentially worthless if one wants to. On the other hand if you insist on using JS, Gmail, Google search, Facebook etc. then you're fair game and you only have yourself to blame if your personal data is stolen.
by chaosite on 3/21/23, 7:38 AM
Examples include the back button, uploading photos on some websites uploads random data instead of the photo, etc.
by redbell on 3/21/23, 9:39 AM
_______________________
0. https://www.bleepingcomputer.com/news/security/researchers-u...
by zamubafoo on 3/21/23, 8:25 AM
> For personal reasons, I do not browse the web from my computer. (I also have no net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time.
by izacus on 3/21/23, 8:35 AM
EDIT: Note that you can do BOTH - but one without the other is just a game of whack-a-mole.
by noduerme on 3/21/23, 8:15 AM
I use fingerprinting actively in enterprise apps as a form of silent 3FA. It's a useful backstop. If I have a user who forgot their password but retrieves it via email, I'll usually let them pass if their fingerprint matches one of their priors; otherwise my software shoots off an email to their immediate superior to make that manager validate that the machine the employee is using is one they can vouch for.
I've always viewed browser fingerprinting as something that can be leveraged as a security feature. It's far more useful for that than for some sort of distributed tracking. I'd never want to live in a world (ahem ... China) where submitting to such fingerprinting actively was mandatory, or politically punishable if you didn't. No society should be run like an employer/employee organization with that sort of lack of trust. No sane free person would allow their own browser to transmit a fingerprint. But for employer/employee systems management? It's a great tool in the box.
by ThePhysicist on 3/21/23, 8:30 AM
by luckystarr on 3/21/23, 8:36 AM
* https://addons.mozilla.org/de/firefox/addon/canvasblocker/
which prevents fingerprinting via Canvas elements, additionally warns you if a site does it. There are more sites out there than you would assume. Some stupid blogs even.
* https://addons.mozilla.org/en-US/firefox/addon/multi-account...
This splits your tabs into different categories, each with their own cookie storage.
The fingerprinting website in the article didn't manage to correlate me visiting the website concurrently from two distinct container tabs.
by kapsteur on 3/21/23, 8:00 AM
by matheusmoreira on 3/21/23, 7:35 AM
by walrus01 on 3/21/23, 7:33 AM
by throwaway2056 on 3/21/23, 8:06 AM
For example
chromium-browser --user-data-dir=/tmp/profile_A
chromium-browser --user-data-dir=/tmp/profile_A --incognito
chromium-browser --user-data-dir=/tmp/profile_B
chromium-browser --user-data-dir=/tmp/profile_B --incognito
For each command + its incognito it can detect them as separate profiles.
For ultimate privacy one needs to launch the browser with a new profile every time.
by ergonaught on 3/21/23, 10:48 AM
Public knowledge is far behind the actual capabilities in practice.
by momentoftop on 3/21/23, 7:51 AM
The worry would be that the hash is unique to me (i.e. a fingerprint), but I don't see the evidence that it is.
by bawolff on 3/21/23, 12:29 PM
It matters more how unique your fingerprint is than how consistent or reproducible it is. Just testing if you get the same fingerprint back on your second visit doesn't tell you much if you don't know how many people "share" your fingerprint.
As a silly example, if you gave all users the same fingerprint, it would be very consistent but also useless as a tracking method.
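An added example illustrating the comment above (not part of the thread and not any commenter's code): it measures uniqueness as anonymity-set size and bits of surprisal over a constructed population of eight visitors, including the "everyone gets the same fingerprint" case. The attribute names `ua`, `screen`, `tz` and all function names are illustrative assumptions.

```javascript
// Constructed sample population (8 visitors); every value is made up for illustration.
const visitors = [
  { ua: "Safari/iPhone",  screen: "390x844",   tz: "Europe/Berlin" },
  { ua: "Safari/iPhone",  screen: "390x844",   tz: "Europe/Berlin" },
  { ua: "Safari/iPhone",  screen: "390x844",   tz: "America/New_York" },
  { ua: "Safari/iPhone",  screen: "390x844",   tz: "America/New_York" },
  { ua: "Firefox/Linux",  screen: "1920x1080", tz: "Europe/Berlin" },
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "Europe/Berlin" },
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "America/New_York" },
  { ua: "Firefox/Linux",  screen: "3440x1440", tz: "Europe/Berlin" },
];

// Build a fingerprint string from the chosen attributes only.
// An empty attribute list yields the same fingerprint for everyone.
function fingerprintOf(visitor, attrs) {
  return attrs.map((a) => String(visitor[a])).join("|");
}

// Group the population by fingerprint: fingerprint -> anonymity-set size.
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const fp = fingerprintOf(v, attrs);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Bits of identifying information one visitor's fingerprint reveals:
// log2(population / number of visitors sharing that fingerprint).
function surprisalBits(visitor, population, attrs) {
  const size = anonymitySets(population, attrs).get(fingerprintOf(visitor, attrs)) || 0;
  return size === 0 ? Infinity : Math.log2(population.length / size);
}

// Population summary: distinct fingerprints, average bits (Shannon entropy),
// and the share of visitors who are alone in their anonymity set.
function uniqueness(population, attrs) {
  const sets = anonymitySets(population, attrs);
  const total = population.length;
  let entropyBits = 0;
  let alone = 0;
  for (const size of sets.values()) {
    entropyBits += (size / total) * Math.log2(total / size);
    if (size === 1) alone += 1;
  }
  return { distinct: sets.size, entropyBits, uniqueFraction: alone / total };
}
```

A fingerprint that comes back identical on a second visit scores the same under every attribute list here; only the size of the set sharing it changes how much it identifies the visitor.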
by danbruc on 3/21/23, 9:46 AM
by textread on 3/21/23, 2:31 PM
https://coveryourtracks.eff.org/
I use a lot of browser extensions. Unfortunately, this makes my browser easily identifiable.
by beeforpork on 3/21/23, 9:36 AM
by comfypotato on 3/21/23, 8:01 PM
The fingerprinting discussion is relatively new. The first research paper’s author is only 35 or so. (Its title is Cookie Monster.) The discussion is also a little amusing on a site like Hacker News. A perfect example of someone who’s easy to fingerprint is someone who built their own computer (likely to be found on HN). On the opposite end of the spectrum, Safari iPhone users with the same model are impossible to distinguish.
There’s a paper out there where the researchers worked with a public entity’s website to get more accurate fingerprinting data. There are very few unique fingerprints in reality and therefore no reason for any company to track them. This tech probably won’t ever identify users uniquely.
There are actually some positive aspects of fingerprinting. Tor leaves a very obvious fingerprint, and it’s easy for banks to detect its use by criminals.
by brunoqc on 3/21/23, 8:31 AM
by t0bia_s on 3/21/23, 10:01 AM
by royletron on 3/21/23, 2:14 PM
by Technotroll on 3/21/23, 8:44 AM
This makes it exceedingly hard to hide from such a filter, because in communicating with these sites, you are bound to reveal at least some information about yourself. And then the "likelihood-machine" does the rest by connecting the dots, even if you gave them "fewer dots."
It's also quite interesting - or perhaps chilling - to see how fingerprinting through NLP and other language tracking algorithms can also track just about any forum post you do, even if you're using a pseudonym.
by zer00eyz on 3/21/23, 10:21 AM
There are three options:
1. Prevent/Stop it: This ship sailed long ago. Not to be grim about it but Pandora's box got opened.
2. Fight it: Tool up, change your print, your behavior, your place. Build focused VMs that you use per topic. Simply do a WHOLE lot less. In the grand scheme, it's a lot of work for low return. Note: there are exceptions.
3. Increase Noise: The whole point of most data collection is to sell more to you. Because most people are sheep, a fairly simple model can be surprisingly accurate (over targeting is an issue). Don't be a sheep, diversify, make more noise in the system, search outside your comfort zone and change it up often.
by Jaer3hah on 3/21/23, 8:46 AM
I use a text based browser, with no js, no cookies, no css, no external requests past the first html page download, no user agent, no etag, I connect through Tor and I've modified the browser to randomize http headers. And of course, it sometimes happens that I want to see something that is refused to me with that configuration (like, seeing anything behind the big internet killer, aka Cloudflare - thanks archive.org for existing), so I have also a classic browser for the occasional lowering of barrier.
At first, I thought fingerprint.com did identify it, giving me the hZ4W5oQ7pJVIHbW2fBXA id. Then I realized it was giving the same id when using curl with and without Tor. Then I realized, by googling and ddging that id that it's the one reported as well to search engines. So it's not unique and it's basically a "dunno" reply.
by throwaway202302 on 3/21/23, 2:39 PM
The zoom settings in the display/brightness section of the iPhone seem quite relevant for fingerprint.com algorithm.
Toggling between standard/bigger text toggles the fingerprint value.
This could be because the visible area in the screen size changes, as well as some value of the CSS-fingerprint.
by npteljes on 3/21/23, 10:05 PM
- Firefox, Enhanced Tracking Protection ON
- Multi-Account Containers + Temporary Containers addon
- Privacy Settings addon, most settings private, but referrers enabled
- uBO with lots enabled, Decentraleyes addon
by mwexler on 3/21/23, 12:09 PM
And it probably understates the problem these days, missing some of the more recent techniques.
by cmrdporcupine on 3/21/23, 2:02 PM
But at the time, it was considered to be a big do not touch -- just don't do this. Not so much for ethical reasons, but for optics in the industry. (I wasn't proposing doing it, was just curious)
In the meantime, though, this seems to have just become standard practice, but way more sophisticated with way higher accuracy, as this article touches on.
What was not acceptable a decade ago is now "ok." Not just by sketchy ad startups, but by major players.
But this whole mess ties back to one of the things that worries me the most about the propagation of LLM type ML out into the general industry. It's only a matter of time before ad targeting takes on an extra dimension of creepiness through this (and I'm sure it's already happening in some aspects, inside Google & Meta.)
In the past, in ad tech & search, etc. people could say things like: "Yes, it's highly targeted. Yes we've correlated an absolutely huge quantity of data to fingerprint you exactly, and retarget you. But it's anonymized. No humans saw your personal data. It's just statistics." Not saying whether or not this argument has merit or not, just repeating it.
But now, here we are, where "just statistics" is a far more intricate learning model. One which is capable not just of correlating your purchases and browsing activity, but of "understanding" you, and which -- while not an AGI -- is pretty damn smart.
At what point does "a computer scanned your browsing for patterns and recommended this TV set" become ethically the same as "a human read your logs, and would like to talk to you about television sets..."?
Having worked in ad-tech before (and having worked at Google, in ads and other things as well), I do not trust the people in that industry to make the right decisions here.
by reportgunner on 3/21/23, 9:22 AM
by jefc1111 on 3/21/23, 1:20 PM
Perhaps you could call this something like 'cross-device fingerprint unification', idk.
by aktuel on 3/21/23, 12:43 PM
by AtNightWeCode on 3/21/23, 6:00 PM
Fingerprinting services try to figure out browsing settings. Since very few people have this feature enabled, you might be easier to fingerprint by enabling it. A metric that has historically been used for fingerprinting is the "do not track" feature, which is a bit of irony.
by cobbaut on 3/21/23, 12:10 PM
Say I follow AS Monaco football, then look for Lego Castle figurines and finally visit a forum on Alaskan Malamute dogs. The combination of these three websites is pretty close to unique in the world imho.
Surely most people can be uniquely identified after visiting a couple more, unless we change browser and ip-address and GPU and set resistFingerprinting=true and ... and clear cookies after every website we visit.
by IvanK_net on 3/21/23, 11:00 AM
There is a bug in Chrome, which I reported, but they told me they will not fix it: https://bugs.chromium.org/p/chromium/issues/detail?id=120485...
by switch007 on 3/21/23, 11:00 AM
And https://www.amiunique.org/ says I’m unique in Brave compared to “nearly” in Safari haha
by tomxor on 3/21/23, 12:24 PM
privacy.trackingprotection.fingerprinting.enabled
This would make sense since messing with values for the root frame could cause unwanted side effects, but you're not likely to care if some iframe gets your screen resolution or CPU count wrong.
by DavideNL on 3/26/23, 7:42 PM
Adding the extensions `Canvasblocker` and `Temporary Containers` did solve the issue though.
by giancarlostoro on 3/21/23, 1:35 PM
I only use Chrome to test some things, or to create a completely isolated browser session disconnected from my use of Firefox.
by jamesfisher on 3/21/23, 9:14 AM
by throwaway202302 on 3/23/23, 9:35 AM
https://niespodd.github.io/webrtc-local-ip-leak/ still? leaks local IP in mobile safari. On browserleaks local ip check fails, giving false feeling of safety.
by shashashank on 3/21/23, 12:16 PM
by unrequited on 3/21/23, 2:14 PM
by neop1x on 3/23/23, 9:43 PM
by _Mobius_ on 3/21/23, 4:12 PM
by raverbashing on 3/21/23, 8:22 AM
by dariosalvi78 on 3/21/23, 9:10 AM
Tracking should be limited with legal means.
by Operative0198 on 3/21/23, 6:29 PM
by domh on 3/21/23, 1:24 PM
by xkcd1963 on 3/21/23, 1:24 PM
EDIT: Or block the extraction
by sluuuuurpey on 3/21/23, 8:38 AM
by OOPMan on 3/22/23, 7:10 PM
by aaronrobert on 3/21/23, 12:31 PM
by chrisMyzel on 3/21/23, 1:07 PM
by oellegaard on 3/21/23, 7:51 AM
by victorbjorklund on 3/21/23, 7:40 AM
by EastSmith on 3/21/23, 9:38 AM
by someoneFromWeb on 3/21/23, 12:05 PM
by fnord77 on 3/21/23, 12:06 PM
by darefalcon on 3/21/23, 12:01 PM
by KoftaBob on 3/21/23, 9:14 AM
by giuliomagnifico on 3/22/23, 7:26 AM
by dean2432 on 3/21/23, 11:40 AM
by dcow on 3/21/23, 3:05 PM
by funstuff007 on 3/21/23, 12:49 PM
by alkonaut on 3/21/23, 9:23 AM
by helsinkiandrew on 3/21/23, 8:00 AM
https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-finge...
by est on 3/21/23, 9:44 AM
<body onload="javascript.disable()">
by toldyouso2022 on 3/21/23, 7:54 AM
by illiarian on 3/21/23, 7:54 AM
by throwawayacc5 on 3/21/23, 3:43 PM
by Semaphor on 3/21/23, 8:59 AM
by 1vuio0pswjnm7 on 3/21/23, 7:56 AM
Nah. I make an HTTP request and I get a response. That's how the web works. Perhaps people can have different opinions on "how the web works".
Web fingerprinting relies on a heap of assumptions. For example, that someone uses a web browser to make HTTP requests, that the web browser sends certain HTTP headers in a certain order, that the web browser runs Javascript, that it processes cookies, recognises HSTS response headers, and so on and so on.
If all the assumptions are true, maybe web fingerprinting is effective. But if the assumptions fail, maybe web fingerprinting does not work so well.
I have only ever read blog posts about web fingerprinting that take all the assumptions as true.
The majority of traffic on the internet is said to be "bots". Not web browsers running Javascript, processing cookies, and so on.
It seems to me that someone should discuss what happens when the assumptions fail.
Do advertisers care about computer users who do not use graphical browsers much? As such a user, IME, the answer is no.
(Interesting to see how defensive replies get. It's obvious the "tech" crowd's intent to spy on web users is heavily reliant on certain assumptions to remain true forever. It shows that there is necessary pressure to keep web users using a "preferred" web browser and web "features" that will subject them to "web fingerprinting". Perhaps the assumptions will always be true, conditions will never change, in the same way that interest rates could never change.)