• mle@feddit.org
    8 days ago

    So I thought this is never going to fly under GDPR. Then the article goes on to say:

    Many privacy laws, including the EU’s GDPR and California’s CCPA, require user consent for tracking. However, because fingerprinting works without explicit storage of user data on a device, companies may argue that existing laws do not apply which creates a legal gray area that benefits advertisers over consumers.

    Oh come on Google, seriously? I remember a time when Google were the good guys, can’t believe how they’ve changed…

      • Victor@lemmy.world
        8 days ago

        It’s still sad to see the development. We’re allowed to mourn things that happened long ago, you know.

      • mle@feddit.org
        8 days ago

        Oh absolutely. At this point I’m not surprised anymore that they turned to shit, it’s more like I think they’ve hit rock bottom already but they manage to surprise me with new ways to dig their hole even deeper.

    • pulsewidth@lemmy.world
      8 days ago

      Google were maybe seen as the good guys back in the days of Yahoo search, and perhaps the very early days of Android.

      But those times are so long past. Google has been a tax-avoiding, anti-consumer rights, search-rigging, anti-privacy behemoth for decades now, and they only get worse with each passing year.

      • buddascrayon@lemmy.world
        7 days ago

        for decades now

        You should drop that S. The company has only existed for a little over 2 decades and Android hasn’t been around for much more than 1. Yes they’ve become an evil fucking corporation but let’s not exaggerate for how long.

        • pulsewidth@lemmy.world
          7 days ago

          I’ve been using Google since 1998, and everyone loved them because their search indexed sites quicker than others and the search results were more useful than the competition at the time like Yahoo and Altavista and AskJeeves. They started turning nasty as soon as they gained steam & commercial success with AdWords… around 2003-2004. So no, while they get worse each year they haven’t been ‘the good guys’ for decades.

          • buddascrayon@lemmy.world
            7 days ago

            You’re mad cause they started putting ads into your search results? Like that was always going to happen. Having ads doesn’t make them evil. The shit they’re doing right now, and have been doing for the last half a dozen years or so, that makes them evil.

  • WorldsDumbestMan@lemmy.today
    7 days ago

    I don’t bother. I know they know everything about me already, and that I’m not an important person. As such, I wonder why it matters.

      • _cryptagion [he/him]@lemmy.dbzer0.com
        6 days ago

        I just don’t use any sites like that. If a site is using something other than Turnstile from Cloudflare, then I refuse to use it. I haven’t really experienced any inconvenience myself with this policy, but obviously I don’t depend on any sites that require recaptcha.

        But you can allow/block any elements per site, or globally, which makes it trivial to block all unwanted scripts except on specific sites. So there is nothing preventing you from only exposing yourself to Google on the few sites you use that need those scripts.

    • howrar@lemmy.ca
      7 days ago

      Considering how few people block all scripts, this could also make it trivial for them to fingerprint you.

    • hansolo@lemm.ee
      8 days ago

      Ooooh, no they won’t stop this. It’s the workaround for tracking with all the things you just mentioned.

      You have to either mask the fingerprint like how Brave does, or spoof the headers and block JS to make the fingerprint useless.

  • Mighty Orbot@retro.pizza
    8 days ago

    @misk I think your federation software is broken. In Mastodon, the urls in your posts just lead back to themselves every time, not out to an external article.

      • Mighty Orbot@retro.pizza
        8 days ago

        @OpenStars That was my point. I can open the post on its own server and see it as intended. But the federation part of the Lemmy (?) software is clearly not generating the right data.

        • OpenStars@discuss.online
          8 days ago

          @mighty_orbot@retro.pizza

          What I mean is, the link in a Lemmy community when viewed from a Lemmy instance works just fine. So it’s not broken at that level.

          I can’t speak to how it comes across to Mastodon, or your particular method of access to that, as you showed in your screenshot. In general, instances running the Mbin software seem to work better to access both Lemmy and Mastodon, but overall communication between Mastodon and Lemmy seems not perfect, as you said.

  • Dr. Moose@lemmy.world
    8 days ago

    This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long-lost battle and browsers are beyond the point of saving without a major resolution taking place.

    The only way to resist effective fingerprint is to disable JavaScript in its entirety and use a shared connection pool like WireGuard VPN or TOR. Period. Nothing else works.

      • Victor@lemmy.world
        8 days ago

        I know right. I was offered a job at a betting site and online casino with those addictive games and shit. Gave that a hard pass, said no thanks, don’t think that’s the right business area for me. I would feel so dirty going to and coming from work every damn day.

      • Dr. Moose@lemmy.world
        8 days ago

        I do it as a security measure for private institutions and everyone involved has signed contracts. It’s not on the public web.

    • hansolo@lemm.ee
      8 days ago

      This is what I’ve been saying for months in the reddit privacy sub and to people IRL. Some people seem perfectly happy to just block ads so they don’t see the tracking. Literal ignorance is bliss. Most simply don’t have time or wherewithal to do the minimal work it takes to enjoy relative “privacy” online.

      FWIW, any VPN where you can switch locations should do the job since the exit node IPs ought to get re-used. My practice is to give BigG a vanilla treat because my spouse hasn’t DeGoogled, and leave anything attached to our real names with location A. Then a whole second non-IRL-name set of accounts usually with location B with NoScript and Chameleon. Then anything else locations C, D, E, etc.

      Ugh… This all sucks.

    • gcheliotis@lemmy.world
      7 days ago

      So… how effective is it? The fingerprinting. I’m guessing there are studies? Also don’t know whether there’s been legal precedent, ie whether fingerprinting has been recognized as valid means of user identification in a court case.

      • Dr. Moose@lemmy.world
        7 days ago

        It’s super effective but there are very few real use cases for it outside of security and ad tracking. For example you can’t replace cookies with it because while a good fingerprint is unique it can still be fragile (browser update etc.) which would cause data loss and require reauth.

        Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in the background these days tho mostly for security and ad tracking.

        As for court cases and things like GDPR - the officials are still sleeping on this and obviously nobody wants to talk about it because it’s super complex and really effective and affects so many systems that are not ad tech.

        • gcheliotis@lemmy.world
          7 days ago

          Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in the background these days tho mostly for security and ad tracking.

          I’ve been wondering about those “click here” captchas and their purpose 🤔

          • Dr. Moose@lemmy.world
            7 days ago

            Yes, and even before js fingerprint happens the connection is fingerprinted through HTTP and TLS protocol fingerprints as each system is slightly different like supporting different encryption ciphers, different http engine and how requests are performed etc.

            So even before you see the page itself the server has a pretty good understanding of your client which determines whether you see this captcha box at all. That’s why on public wifi and rare operating systems (like linux) and web browsers you almost always get these captcha verifications.

            The more complex the web becomes the easier it is to gather this data and currently the web is very complex with no sight of stopping.

            • gcheliotis@lemmy.world
              6 days ago

              Huh had no idea. I still wonder how accurate this is though, like whether it can be used forensically as the word “fingerprint” suggests to identify a specific person/private machine. It’s kind of fascinating as a topic. I would think that given that most people use similar setups, similar hardware and software, similar routers and settings, it would be impossible, but perhaps with enough details of a particular setup, a specific machine and user can be identified with decent accuracy.

    • bestboyfriendintheworld@sh.itjust.works
      8 days ago

      Disabling JavaScript entirely is another data point for fingerprinting. Only a tiny fraction of users do it.

      Besides, without JavaScript most websites are not functional anymore. Those that are are likely not tracking you much in the first place.

      • unemployedclaquer@sopuli.xyz
        7 days ago

        I disable JS with noscript.net and it really is an enormous pain. It has some security advantages, like I don’t get ambushed so easily by an unfamiliar site and pop ups. I often will just skip a site if it seems too needy

      • Dr. Moose@lemmy.world
        8 days ago

        Yeah unfortunately disabling JS is not a viable option tho onion websites are perfectly functional without JS and it just shows how unnecessarily JS had been expanded without regard for safety but there’s no stopping the web.

  • 9point6@lemmy.world
    8 days ago

    Further evidence that a Republican government in the USA results in private organisations pushing the bar as far as they can.

    In Reagan’s time it was Wall Street. Now it’s Silicon Valley.

    You want private organisations working for your benefit and not that of their shareholders? You need a government that actually has the gumption to challenge them. The current US government is 4 years of a surrender flag flying on the white house.

    Or we could bin off this fucking failed neoliberal experiment, but that’s apparently a bit controversial for far too many people

    • One_Blue_Shoe@lemmynsfw.com
      8 days ago

      Having the gall to suggest we not allow less than 3000 people to own all of the world’s supply lines, media platforms, institutional wealth, construction companies, dissemination platforms, politicians, private equity firms and the single largest interconnected (private or otherwise) espionage and social engineering plot known to mankind?

      You fucking tanky you! Go back to Russia!!!

  • LeTak@lemm.ee
    8 days ago

    Using Mullvad Browser + Mullvad VPN could mitigate this a little bit. Because if you use it as intended (don’t modify Mullvad browser after installation), all Mullvad users would have the same browser fingerprint and IPs from the same pool.

      • Eyedust@lemmy.dbzer0.com
        8 days ago

        Mullvad (the VPN; I have not tried the browser) uses a single account number as both name and password, no emails. It allows for multiple anonymous payment methods and it’s open source.

        Sliiiiightly more trustworthy than Google imo.

        • Deway@lemmy.world
          8 days ago

          The random dude on the corner is more trustworthy than Google, it’s not that hard to be sadly.

      • pound_heap@lemm.ee
        8 days ago

        And Mullvad is not in the business of selling user profiles to advertisers, at least as far as we know

      • TomasEkeli@programming.dev
        8 days ago

        If you don’t trust anyone, the internet (or any net you don’t fully control yourself) is not something you will use.

        Practical security is a matter of threat-modeling and calculated risks.

        Mullvad has a good track record, but if you know of better alternatives that don’t require building it yourself, please share!

    • hansolo@lemm.ee
      8 days ago

      The problem is it’s all or nothing. You must foil IP address, fingerprint, and cookies - all three at once.

      Mullvad browser might make your fingerprint look similar to other users, but it’s not common is the problem. Test it with the EFF Cover your tracks site.

  • Ledericas@lemm.ee
    8 days ago

    It’s captcha v3, it’s the same thing reddit uses to catch bots and ban evaders, apparently it’s expensive for reddit so they only mostly use it for ban waves.

  • Snowstorm@lemmy.ca
    8 days ago

    I know nothing, but aren’t some pieces of Google software to be found on many sites that aren’t Google or YouTube?

  • Waldschrat@lemmy.world
    8 days ago

    It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?

    • Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.

      You could maybe spoof all these things, but some websites may stop behaving correctly.

      • Waldschrat@lemmy.world
        8 days ago

        I get that some things like screen resolution and basic stuff are needed, however most websites don’t need to know how much RAM I have, or which CPU I use and so on. I would wish for an opt-in on these topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much RAM is available, however for most other things it is not.

      • OhNoMoreLemmy@lemmy.ml
        8 days ago

        No it isn’t.

        And this is really important. If you go on Google tracked websites without tor, Google will still know it’s you when you use tor, even if you’ve cleared all your cookies.

        Tor means people don’t know your IP address. It doesn’t protect against other channels of privacy attack.

          • brygphilomena@lemmy.dbzer0.com
            8 days ago

            It’s been a long while since I looked, but I remember it being a thing in tails to specifically not resize your browser window or only have it full screen to match a ton of other fingerprints.

            Plus since it was a live distro that reset on every reboot it would only have the same fonts and other data as other people using tails. Honestly, I hate that all that info is even available to browsers and web sites at all.

              • sem@lemmy.blahaj.zone
                7 days ago

                I don’t quite understand – does this feature let you resize the window again to the size you want, and you are still sharing the same fingerprint with everyone else? Or do you still have to keep the browser window the default size to minimize your unique fingerprint?

                • Forbo@lemmy.ml
                  6 days ago

                  It rounds the browser window to the nearest 100x100 window size. Using the default will likely be the biggest dataset to hide yourself in, but maximizing the window will still have some amount of obfuscation.
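
Added example, not part of the thread and not any browser's own code: a Node.js sketch of the window-size rounding described in the comment above. It groups a constructed sample of window sizes into anonymity sets before and after rounding to a 100x100 grid; the sample data, the function names and the choice to round down are assumptions.

```javascript
// Constructed sample: inner window sizes [width, height] of 12 hypothetical visitors.
const SAMPLE_SIZES = [
  [1280, 633], [1263, 641], [1299, 688], [1234, 607],
  [1920, 969], [1903, 947], [1912, 955],
  [1440, 789], [1425, 731], [1366, 657], [1349, 625], [1536, 730],
];

// Round each dimension down to a multiple of `step` pixels.
// Assumption: rounding down, so the reported area never exceeds the real window.
function letterbox([w, h], step = 100) {
  return [Math.floor(w / step) * step, Math.floor(h / step) * step];
}

// Group visitors by the size a site would observe: "WxH" -> number of visitors.
function anonymitySets(sizes) {
  const sets = new Map();
  for (const [w, h] of sizes) {
    const key = `${w}x${h}`;
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the observed-size distribution.
// Lower entropy means the attribute tells an observer less about who you are.
function entropyBits(sets) {
  const total = [...sets.values()].reduce((a, b) => a + b, 0);
  let bits = 0;
  for (const n of sets.values()) {
    const p = n / total;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Summary of how identifying the window-size attribute is for a population.
function summarize(sizes) {
  const sets = anonymitySets(sizes);
  const counts = [...sets.values()];
  return {
    distinct: sets.size,                           // number of different observed sizes
    unique: counts.filter((n) => n === 1).length,  // visitors alone in their set
    largestSet: Math.max(...counts),               // the biggest crowd to hide in
    entropy: entropyBits(sets),
  };
}

const raw = summarize(SAMPLE_SIZES);
const boxed = summarize(SAMPLE_SIZES.map((s) => letterbox(s)));

console.log("raw sizes:    ", raw);
console.log("rounded sizes:", boxed);
```

In this sample every raw size is unique, while rounding leaves five buckets; the one visitor with an uncommon window is still alone in its bucket, which is why the default size gives the largest crowd.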

            • Canuck@sh.itjust.works
              7 days ago

              Good point, that difference does matter. I guess other browsers like Brave use the Tor Network, and it would be misleading to suggest Brave has good anti-fingerprinting.

              What kind of fingerprint avoidance are you suggesting then that the Tor browser cannot do that makes a difference?

              • sugar_in_your_tea@sh.itjust.works
                7 days ago

                If you enable JavaScript, you open Pandora’s box to fingerprinting (e.g. tracking mouse movements, certain hardware details, etc). If you don’t, half (or more) of the internet is unusable.

  • pHr34kY@lemmy.world
    8 days ago

    So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.

    • Cethin@lemmy.zip
      8 days ago

      The fewer of your competitors who have the data the more valuable that data is.

    • Ulrich@feddit.org
      8 days ago

      It was never about privacy, it was supposedly about security, which there is some evidence for. There were a lot of malicious extensions. The sensible thing to do would be to crack down on malicious extensions but I guess that costs too much money and this method also conveniently partially breaks adblockers.