So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.
The fewer of your competitors who have the data the more valuable that data is.
Would it be possible for a browser or extension to just provide false metadata in order to subvert this type of fingerprinting?
No. Anything that executes Javascript will be fingerprinted.
That being said it depends who are you fighting. For common commercial tools like Cloudflare fingerprinter it might work to some extent but if you want to safeguard against more sophisticated fingerprinting then TOR and no JS is the only way to combat this.
The issue is that browsers are so incredibly complex that it’s impossible to patch everything and you’ll just end up getting infinite captchas and break your browsing experience.
Yes. There is a firefox extension called Chameleon that does this.
Others have mentioned what Firefox/etc do, but another option is a PiHole. If you can’t look up the IP for an advertiser URL, you don’t load the JavaScript to begin with.
This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long lost battle and browser are beyond the point of saving without a major resolution taking place.
The only way to resist effective fingerprint is to disable Javascript in its entirity and use a shared connection pool like wireguard VPN or TOR. Period. Nothing else works.
How can you live with yourself?
I do it as a security measure for private institutions and everyone involved has signed contracts. It’s not on the public web.
I know right. I was offered a job at a betting site and online casino with those addictive games and shit. Gave that a hard pass, said no thanks, don’t think that’s the right business area for me. I would feel so dirty going to and coming from work every damn day.
Hello grease monkey and no script, my old friends
Wouldn’t selective disabling of JavaScript make fingerprinting easier? Your block and white list are likely to be unique.
Tracking scripts are usually separate from the scripts that do stuff. But also giving them less info is always just better.
What are some good scripts for grease monkey?
Disabling JavaScript entirely is another data point for fingerprinting. Only a tiny fraction of users do it.
Besides, without JavaScript most websites are not functional anymore. Those that are are likely not tracking you much in the first place.
Yeah unfortunately disabling JS is not viable option tho onion websites are perfectly functional without JS and it just shows how unnecessarily JS had been expanded without regard for safety but theres no stopping the web.
I disable JS with noscript.net and it really is an enormous pain. It has some security advantages, like I don’t get ambushed so easily by an unfamiliar site and pop ups. I often will just skip a site if it seems too needy
This is what I’ve been saying for months in the reddit privacy sub and to people IRL. Some people seem perfectly happy to just block ads so they don’t see the tracking. Literal ignorance is bliss. Most simply don’t have time or wherewithal to do the minimal work it takes to enjoy relative “privacy” online.
FWIW, any VPN where you can switch locations should do the job since the exit node IPs ought to get re-used. My practice is to give BigG a vanilla treat because my spouse hasn’t DeGoogled, and leave anything attached to our real names with location A. Then a whole second non-IRL-name set of accounts usually with location B with NoScript and Chameleon. Then anything else locations C, D, E, etc.
Ugh… This all sucks.
What are you people trying to hide ??? /s
So… how effective is it? The fingerprinting. I’m guessing there are studies? Also don’t know whether there’s been legal precedent, ie whether fingerprinting has been recognized as valid means of user identification in a court case.
It’s super effective but there are very few real use cases for it outside of security and ad tracking. For example you can’t replace cookies with it because while good fingerprint is unique it can still be fragile (browser update etc.) which would cause data loss and require reauth.
Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in tbe background these days tho mostly for security and ad tracking.
As for court cases and things like GDPR - the officials are still sleeping on this and obviously nobody wants to talk about it because it’s super complex and really effective and effects soo many systems that are not ad tech.
Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in tbe background these days tho mostly for security and ad tracking.
I’ve been wondering about those “click here” captchas and their purpose 🤔
Yes, and even before js fingerprint happens the connection is fingerprinted through HTTP and TLS protocol fingerprints as each system is slightly different like supporting different encryption ciphers, different http engine and how requests are performed etc.
So even before you see the page itself the server has a pretty good understanding of your client which determines whether you see this captcha box at all. That’s why on public wifi and rare operating systems (like linux) and web browsers you almost always get these captcha verifications.
The more complex the web becomes the easier it is to gather this data and currently the web is very complex with no sight of stopping.
Huh had no idea. I still wonder how accurate this is though, like whether it can be used forensically as the word “fingerprint” suggests to identify a specific person/private machine. It’s kind of fascinating as a topic. I would think that given that most people use similar setups, similar hardware and software, similar routers and settings, it would be impossible, but perhaps with enough details of a particular setup, a specific machine and user can be identified with decent accuracy.
Just in time for their prophet, Curtis Yarvin, to be pushing a full-scale surveillance state!
Googlers aren’t on our side. They want to rule. They think being a fucking admin on a server makes them cut out to run society.
They want to tear down democracy and basically replace it with administrator rules and access control lists.
Googlers aren’t on our side
They never were, out interests just aligned while they were growing market share. They have that now, so there’s no more reason to stay aligned.
Corporations aren’t your friend, but they can be momentary allies. People should’ve bailed once IE was dethroned, but here we are…
Further evidence that a Republican government in the USA results in private organisations pushing the bar as far as they can.
In Reagan’s time it was Wall Street. Now it’s Silicon Valley.
You want private organisations working for your benefit and not that of their shareholders? You need a government that actually has the gumption to challenge them. The current US government is 4 years of a surrender flag flying on the white house.
Or we could bin off this fucking failed neoliberal experiment, but that’s apparently a bit controversial for far too many people
Having the gall to suggest we not allow less than 3000 people to own all of the worlds supply lines, media platforms, institutional wealth, construction companies, dissemination platforms, politicians, private equity firms and the single largest interconnected (private or otherwise) espionage and social engineering plot known to mankind?
You fucking tanky you! Go back to Russia!!!
Republicans aren’t the problem here, they’re a natural result of a two party system. If you have a coin, half the time you’ll get the “good” side, and half the time you’ll get the “bad.”
And this isn’t to say either side is consistently “good” or “bad,” parties rarely stick anything. The deregulation you’re complaining about started under Jimmy Carter, affectionately called “the great deregulator.” In fact, many (most?) of Carter’s changes took effect during Reagan’s term, and it was incredibly successful.
However, for some reason Democrats are now against deregulation, probably because Republicans took the credit and Democrats needed to rebrand.
That doesn’t imply that Trump’s deregulation is “good,” it just means deregulation isn’t inherently “bad.”
Yeah, I have an anti fingerprint extension installed in Firefox, and immediately no Google site will work anymore, all google sessions break with it while most other sites just continue to work.
I’m working to rid myself completely from Google, my target being that I will completely DNS block all google (and Microsoft and Facebook) domains within a year or so. Wish I could do it faster but I only have a few hours per weekend for this
What search engine do you use?
I want to do this but really the only thing holding me back is my phone.
Which is why I had hoped the EU would ban all forms of fingerprinting and non-essential data tracking. But they somehow got lobbied into selecting cookies as the only possible mechanism that can be used, leaving ample room to track using other methods.
How would that even be enforced?
same way other regulations are enforced: fines
That might work if the fine was say $1.5 B
The European Commission has fined Apple over €1.8 billion for abusing its dominant position on the market for the distribution of music streaming apps to iPhone and iPad users (‘iOS users’) through its App Store
EU knows how to get it done
God bless those European MF’rs
How do you prove they’re doing it?
They’re making money aren’t they? They have to be doing something weird.
If you have reason to believe they are, you explain that reasoning to a court and if the reasoning is sufficiently persuasive the company can be compelled to provide internal information that could show whatever is going on.
Hiding this information or destroying it typically carries personal penalties for the individuals involved in it’s destruction, as well as itself being evidence against the organization. “If your company didn’t collect this information, why are four IT administrators and their manager serving 10 years in prison for intentionally deleting relevant business records?”The courts are allowed to go through your stuff.
Investigation, witnesses, gather evidence, build a case and present the evidence. Same as any other thing.
I don’t get why this would be harder to prove than other things?
Not sure how to effectively do that, but I reckon it would be no different than the cookie mess today. Which unfortunately is, hardly ever. The big GDPR related fines can still apply. Let’s say a data set is leaked that includes tracking data that was not necessary for the service to have, then the company can receive a hefty fine. As long as the fine is larger than the reward, it might not be worth it for the company to track you anymore.
This article actually shares what changed, as opposed to just asserting that there was a change.
It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?
Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.
You could maybe spoof all these things, but some websites may stop behaving correctly.
I get that some things like screen resolution and basic stuff is needed, however most websites don’t need to know how many ram I have, or which CPU I use and so on. I would wish for an opt-in on this topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much ram is available, however for most other things it is not.
Unfortunately the bare minimum is in most cases already enough to uniquely fingerprint you.
This is called Tor
*Tor browse
Leave everything default and you’ll look like every other Tor browser user.
Tor browser
And Mullvad browser
I go to pornhub every morning to check out the articles. Lately I’ve noticed that they have exactly the kind of articles I’m interested in always at the top two rows and then a bunch of stuff I’m not really into elsewhere. They are definitely testing stuff.
I thought people go to pornhub for the lack of articles
I go to pornhub for the definite article
Idk, I see a lot of “a”, “an”, and “the” there.
Time for a user agent switcher. Like “Yeah, I swear, I’m a PS5, that has only monospaced comic sans insrelled”
Fingerprinting unfortunately uses more than useragent strings. It takes hashes of data in your browser from a javascript context that is not easily masked or removed. For example, it might render a gradient of colors projected onto a curved 3d plane. The specific result of this will create a unique hash for your GPU. They can also approximate your geolocation by abusing the time-to-live information within a TCP packet, which is something you can’t control on the clientside at all. If you TRULY want to avoid tracking by google, you need to block google domains in your hosts file and maybe consider disabling javascript on all sites by default until you trust them. Also don’t use google.
How must it feel being clever enough to come up with these ideas and then implement them for companies invading everyones privacy for advertisement revenue and malicious information serving or stealing.
I guess they sleep soundly on a fat bank account.
Jokes aside, keep in mind that the idea of fingerprinting is that your computer’s configuration is as unique as a fingerprint (e.g., your monitor is x resolution, you are on this operating system, you are using these following extensions in this browser, you have these fonts on your system).
Setting your user agent to something super unique is basically shining a spotlight on yourself.
It’s way worse than that.
Even if you somehow magically have the same settings as everyone else, you’re mouse movement will still be unique.
You can even render something on a canvas out of view and depending on your GPU, your graphics driver, etc the text will look different…
There is no real way to escape fingerprinting.
I have a novice coding question using the mouse tracking as an example: Is it possible to intercept and replace mouse tracking data with generic inputs? For example, could you implement an overlay that blocks mouse interactions, and instead of physically clicking on elements, send a direct packet to the application to simulate selecting those elements?
Yes, it’s possible. That’s the way a lot of automated web UI testing tools work. The problem with doing it during normal browser use is that your intentional actions with the real mouse wouldn’t work right, or the page would start acting like you clicked on things you didn’t click on.
Digital fingerprinting is a method of data collection – one that in the past has been refused by Google itself because it “subverts user choice and is wrong.” But, we all remember that Google removed “Don’t be evil” from its Code of Conduct in 2018. Now, the Silicon Valley tech giant has taken the next step by introducing digital fingerprinting.
Oh, forgot to mention - we’re evil now. Ha! Okay, into the chutes.
Google removed “Don’t be evil”
Still parading that lie around? It’s easily verified as false. Their code of conduct ends with:
And remember… don’t be evil, and if you see something that you think isn’t right – speak up!
We need Richard Hendricks and his new internet asap
What’s this about? Fill me in? 🙏
But why would any browser accept access to those metadata so freely? I get that programming languages can find out about the environment they are operating in, but why would a browser agree to something like reading installed fonts or extensions without asking the user first? I understand why Chrome does this, but all of the mayor ones and even Firefox?
Because the data used in browser fingerprinting is also used to render pages. Example: a site needs to know the size of browser window to properly fit all design elements.
Just for an example that isn’t visible to the user: the server needs to know how it can communicate responses to the browser.
So it’s not just “what fonts do you have”, it also needs to know "what type of image can you render? What type of data compression do you speak? Can I hold this connection open for a few seconds to avoid having to spend a bunch of time establishing a new connection? We all agree that basic text can be represented using 7-bit ASCII, but can you parse something from this millennium?”.Beyond that there’s all the parameters of the actual connection that lives beneath http. What tls ciphers do you support? What extensions?
The exposure of the basic information needed to make a request reveals information which may be sufficient to significantly track a user.
I fucking hate this. Let me zoom, stop reacting and centering omfg.
Using Mullvad Browser + Mullvad VPN could mitigate this a little bit. Because if you use it as intended (don’t modify Mullvad browser after installation) , all Mullvad users would have the same browser fingerprint and IPs from the same pool.
The problem is it’s all or nothing. You must foil IP address, fingerprint, and cookies - all three at once.
Mullvad browser might make your fingerprint look similar to other users, but it’s not common is the problem. Test it with the EFF Cover your tracks site.
And now Mullvad has all the data
If you don’t trust anyone the internet (or any net you don’t fully control yourself) is not something you will use.
Practical security is a matter of threat-modeling and calculated risks.
Mullvad has a good track record, but if you know of better alternatives that don’t require building it yourself, please share!
Tor browser. It’s probably more popular, and they lead the charge in standardizing everything so you know it’ll be top tier.
And Mullvad is not in business if selling user profiles to advertisers, at least as far as we know
