Everyone talks about how evil browser fingerprinting is, and it is, but I don’t get why people are only blaming the companies doing it and not putting equal blame on browsers for letting it happen.

Go to Am I Unique and look at the kind of data browsers let JavaScript access unconditionally with no user prompting. Here’s a selection of ridiculous ones that pretty much no website needs:

  • Your operating system (Isn’t the whole damn point of the internet that it’s platform independent?)
  • Your CPU architecture (JS runs on the most virtual of virtual environments, why the hell does it need to know what processor you have?)
  • Your JS interpreter’s version and build ID
  • List of plugins you have installed
  • List of extensions you have installed
  • Your accelerometer and gyroscope (so any website can figure out what you’re doing by analyzing how you move your phone, i.e. running vs walking vs driving vs standing still)
  • Your magnetic field sensor AKA the phone’s compass (so websites can figure out which direction you’re facing)
  • Your proximity sensor
  • Your keyboard layout
  • How your mouse moves every moment it’s in the webpage window, including how far you scroll, what bit of text you hovered on or selected, both left and right clicks, etc.
  • Everything you type on your keyboard when the window is active. You don’t need to be typing into a text box or anything, you can set a general event listener for keystrokes like you can for the mouse.

If you’re wondering how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways for each device, but websites could just as easily straight up record those sensors without you knowing. It’s not a lot of data all things considered so you likely wouldn’t notice.

Also, canvas and WebGL rendering differences are each more than enough to 100% identify your browser instance. Not a bit of effort put into making their results more consistent I guess.

All of these are accessible to any website by default. Actually, there’s not even a way to turn most of these off. WHY?! All of these are niche features that only a tiny fraction of websites need. Browser companies know that fingerprinting is a problem and have done nothing about it. Not even Firefox.

Why is the web, where you’re by far the most likely to execute malicious code, not built on zero trust policies? Let me allow the functionality I need on a per site basis.

Fuck everything about modern websites.

  • Dessalines@lemmy.ml
    16 upvotes · 8 days ago

    100% agree. Browsers don’t need to, and shouldn’t be reporting all JavaScript attributes that make us unique, especially things like canvas.

    You can test this out here, but nowadays it’s rare for any out of the box browser to be anonymous.

    https://www.amiunique.org/fingerprint

    • Grapho@lemmy.ml
      7 upvotes · 8 days ago

      What the fuck. When I thought these were already comical amounts of data points they just kept going and going and going.

  • Em Adespoton@lemmy.ca
    14 upvotes · 8 days ago

    This is why using a local web proxy is a good idea; it can standardize those responses (or randomize them) no matter what you’re actually using.

    Personally, I keep JavaScript disabled by default specifically because of this, and turn on those features per-site. So if a website has a script that requires the accelerometer for what it does, that script gets to use it. Other sites keep asking for it? I suppress the requests on that site and if it fails to operate (throws one of those ad blocker or “you have JS disabled” errors), I just stop going to the site.

    I’ve found that with everything disabled by default, browsing the web is generally a pleasant experience… until it isn’t.

    This of course requires using a JS management extension. What I’d really like to see is a browser that defaults to everything disabled, and if a site requests something, have the browser ask for permission to turn on the feature for that particular script, showing the URL for the script and describing what the code does that needs the permission. This seems like an obvious use for locally run AI models.
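The "standardize the responses, grant real values per site" idea from the comment above, modelled as a default-deny gate (an added example, not code from the thread or from any browser or extension). `realNavigator`, `STANDARD`, `grants`, `gatedNavigator`, `visibleTo` and the `.example` origins are hypothetical names, and all values are constructed sample data rather than read from a live browser.

```javascript
// Constructed stand-in for what a page could read from `navigator`.
const realNavigator = {
  platform: "Linux x86_64",
  oscpu: "Linux x86_64",
  buildID: "20240101000000",
  hardwareConcurrency: 12,
  language: "en-US",
};

// One fixed answer per gated property, so every gated user looks the same.
const STANDARD = {
  platform: "Win32",
  oscpu: "Windows NT 10.0; Win64; x64",
  buildID: "20181001000000",
  hardwareConcurrency: 2,
};

// Per-site grants chosen by the user: origin -> properties allowed to be real.
const grants = new Map([
  ["https://maps.example", new Set(["hardwareConcurrency"])],
]);

// Every gated read is recorded so the user can review what a site asked for.
const auditLog = [];

// Returns the view of `nav` that scripts running on `origin` get to see.
function gatedNavigator(nav, origin) {
  const allowed = grants.get(origin) ?? new Set();
  return new Proxy(nav, {
    get(target, prop) {
      const gated = Object.prototype.hasOwnProperty.call(STANDARD, prop);
      if (!gated) return target[prop];            // harmless property
      const granted = allowed.has(prop);
      auditLog.push({ origin, prop, granted });
      return granted ? target[prop] : STANDARD[prop];
    },
  });
}

// Snapshot of everything a given origin would observe.
function visibleTo(origin) {
  const view = gatedNavigator(realNavigator, origin);
  return Object.fromEntries(
    Object.keys(realNavigator).map((k) => [k, view[k]])
  );
}
```

In a real browser the same values are also exposed through the `User-Agent` request header and through workers and iframes, so a gate like this only helps if it covers those paths too.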

  • Autonomous User@lemmy.world
    5 upvotes · 8 days ago

    Most of those crying about this are likely still stuck on the easy stuff, trapped in WhatsApp, Discord and iOS. Try starting there.

    • HiddenLayer555@lemmy.ml (OP)
      5 upvotes · 8 days ago

      Just tried it. Am I Unique says yes.

      Tor still reports your operating system and processor architecture which is dumb as hell. If you’re on Linux for example, that’s probably one of the biggest things making you unique. Why not just make everyone “Windows x64” since that’s the most common?

      It also still reports extensions. Apparently it’s definitely possible to tell vanilla Tor and Tails users apart because Tails has uBlock Origin installed by default, and the generally accepted advice is to never install extensions on Tor, one reason being it could make you unique.

      Also, apparently the default window size Tor chooses in an attempt to prevent the window size from being used in fingerprinting isn’t all that common, I got 1% and 5% on screen width and height respectively.

      Tor doesn’t seem to have WebGL enabled by default so it can’t be used to fingerprint (though having it disabled is unique in itself).

      Tor’s canvas data is unique but I’ve heard that it generates a new canvas fingerprint each time you restart it. I don’t know if that’s true or how well it works though.

      Tor, like every other browser, also has something called “audio data” that’s a weird graph of numbers without units. No browser I’ve seen has ever not been unique for that category and Tor is no different. I didn’t mention it in the post because I don’t know what it is or if it has a genuine purpose or not.

      I didn’t try Tor on my phone but I would hope it would block sensor access?

      • unfinished | 🇵🇸@lemmy.ml
        2 upvotes · 8 days ago

        It’s generally okay to have uBlock on the Tor Browser as your only extension, as it’s not uncommon (Mullvad Browser also has uBlock and it’s based on Tor Browser). Although it might be a good idea to keep its settings untouched.

      • pedroapero@lemmy.ml
        1 upvote · 7 days ago

        I suppose it also still has NoScript enabled by default (preventing the execution of JavaScript).

  • MrSulu@lemmy.ml
    2 upvotes · 8 days ago

    That works for me, but how do the browser builders achieve that privacy AND retain at least reasonable usability for normal / majority users?

  • cosmicrookie@lemmy.world
    7 upvotes, 6 downvotes · 8 days ago

    Basically, most of the internet won’t work right if you don’t allow the browsers to track you. I have had a very strict Firefox setting and kept having to create exceptions for every site I visited just to get in.

    You can boycott the sites but in the end, you’ll be missing out on everything really.

    • Ardens@lemmy.ml
      6 upvotes · 8 days ago

      That’s just about numbers. Most sites will adjust, if enough users are turning away to another site that is less intrusive.

      • cosmicrookie@lemmy.world
        3 upvotes · 8 days ago

        I hope so - it doesn’t seem to work with platforms like Facebook, Twitter, Reddit. We have had a massive exodus from those too, but they keep growing and making money. People don’t value privacy if it gets in the way of convenience, socializing and entertainment.

        With some workplaces even using Facebook Messenger to plan shifts, you practically get forced to have accounts in places where you wouldn’t.

        • Ardens@lemmy.ml
          1 upvote · 8 days ago

          I don’t disagree… but we must keep the pressure up. I know I’ve helped a little more than 10 people leave FB and Google (and most of Microsoft)… A couple of them have left Apple too… It’s a slow, but steady movement. :-)

          • cosmicrookie@lemmy.world
            1 upvote · 8 days ago

            Maybe

            I believe that one should leave those platforms for personal reasons. Not as a statement to those companies.

            I left because I don’t like being tracked or being forced to accept being tracked. I did not leave because I wanted them to stop tracking their users or to show them that I don’t like them doing it.

            Imo these companies won’t change the way they operate and even if they did, I wouldn’t trust them to have done so. They will always find loopholes and workarounds to get to what and where they want.

            • Ardens@lemmy.ml
              1 upvote · 8 days ago

              For me, leaving is a statement, and a personal reason. I don’t see how it could not be both? I don’t know anyone who trusts them. But shifting the power balance towards privacy and ethics will never be a bad thing.

  • Zerush@lemmy.ml
    2 upvotes, 1 downvote · 8 days ago

    That a page knows technical details of my system and in which country I live (if I do not use a VPN), I give a fuck, why this only serves to correctly show the content, eventually in my language and allow the download of possible compatible apps.

    Fingerprints are a very broad issue and are not necessarily related to privacy, blocking or counterfeiting all is possible, but in many cases counterproductive, it must be done specifically only in those that involve private and personal data, everything else is to put a tin foil hat.

    To protect the privacy there are needed way more measures, avoiding trackers, Pixel tracking (Meta), keyloggers (Towerdata, Imgur, M$ US and some others), avoiding search engines which log the activity (Google, Bing…), recognizing dark patterns, using encrypted mail services, best with disposable alias, harden the OS with Portmaster, Pi-hole or similar… apart from common sense.

    Browsers, which are not directly from Big Corporations which themselves log user activity (Chrome, Edge, Opera…), are relatively irrelevant in this game of user profiling, they only depend on personal preferences and needs.

    Privacy is a huge issue, but too often misunderstood with wrong measures, PEBCAK