294 comments

[ 6.6 ms ] story [ 293 ms ] thread
I definitely want this, but the only reason I use Facebook Container is because it's an official Mozilla addon. I encouraged Mozilla to pursue a Google version, but it seems like they've declined for now, and were just looking to capitalize on the press wave about Facebook.
> I encouraged Mozilla to pursue a Google version, but it seems like they've declined for now

Doesn't Mozilla get a significant fraction of its revenue from their search deal with Google?

$539m of their $562m revenue last year came from "royalty deals" like Google. They don't break out specifics, but I'd guess Google is a significant contributor.
That's millions, not thousands, in case someone didn't know.
Crazy how high a percent that is...
I'm curious, why not just use Firefox Multi-Account Container[1] and setup Facebook and Google to open in its own container[3]?

The way I see Facebook Container (as an outside who have been using Multi-Account Container for a while) is that it tried to ride on the Delete Facebook wave few months ago to make people aware of Multi-Account Container functionality, so these Google Container/Reddit Container/etc. always seems weird to me.

[1]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...

[2]: https://imgur.com/KZuJmgq

Facebook container has tha two main benefits over multi-account containers, which is that it requires zero setup, and that when you click a link on Facebook it drops out of the container.
As a workaround for your second point, it is possible to right-click a link and use "Open Link in New Container Tab » No Container". Still a workaround though.
I'm not sure an addon per tracker is web scale.
Regular trackers can be blocked outright. One may need to use fb and google from time to time.
Isn't it possible to have a "per TLD" container addon? I'm fine to be logged into Google and even have Google collect information when I'm using any of their services (same for Facebook). What I'm really after is a way to sandbox every site to only have information I explicitly grant it while using their service.
I believe First Party Isolation is what you're looking for. To enable, change `privacy.firstparty.isolate` to `true`. See also previous discussion[1]

[1]: https://news.ycombinator.com/item?id=17944991

I've been using first party isolation ever since it was ported from Tor. It's excellent, but be aware that it breaks stuff, usually JavaScript, on about 5% of websites (anecdata). I find this to be well worth it, especially to find out which sites do the worst tracking.

I have a separate Firefox profile I use for rare occasions when I need to allow third party tracking in order to do something.

Google has... literally hundreds of domains. Just assuming *.google.com would miss things like googleusercontent.com or googleapis.com or doubleclick.net. The Facebook container basically grabs "all domains by Facebook" and sandboxes them together (so they can still interoperate amongst themselves), while isolating it off from other sites you visit.

Sure, you could do a lot of this yourself with different browsers/browser profiles/containers, but it'd be far better to have someone provide that list as a prebuilt addon.

I really hate websites that do this because I have to go and whitelist the hundreds of domains that important resources are coming from.
I would say it's both a blessing and a curse. Yes, it makes it harder for first party isolation scripts to sandbox a service, but the separation of domain based on the service (doubleclick for ads, googlevideo.com for video, etc) makes it easier for ad/content blocker list maintainers to block only the domains and services it should be blocking.
All IPs used by Google have PTR records to the 1e100.net zone so it is straightforward to determine whether any given domain is a Google domain.

e.g. googlevideo.com resolves to 172.217.4.196 and the PTR for that IP is lga15s48-in-f196.1e100.net

They even have a faq for this: https://support.google.com/faqs/answer/174717?hl=en

Yes, but they are supposed to be using subdomains for that (e.g. usercontent.google.com, video.google.com, apis.google.com, ...), instead of what is essentially DNS spam (guesswhetherthisdomainalsobelongstogoogle.com).

DNS has been made hierarchic for this reason.

I was told this may have been because older browsers limited the number of simultaneous connections to a domain name and you could work around it by having multiple domain names.
So when a site relies on resources from ytimg.com, are those ads or videos? What about ggpht.com, gstatic.com, branch.io, unpkg.com, or any of the hundreds of CDNs?

Most sites I visit these days--even super common sites like medium.com--have dozens (or even the hundreds alluded to above) of dependencies from seemingly unrelated sites. I have no idea if those are CDNs for common js libs, analytics libs, spammer libs, tracking libs, or what. I recognize things like CDN links for jQuery, Bootstrap, React, etc. I see many that seem to be Facebook tracking.

Of course, blocking many of these breaks the page. I have started to avoid sites that break without access to urls I can't identify. But this is both laborious to vet, and isolating.

There is no longer such a thing as easy, anonymous, inclusive web browsing.

To trigger the switch to a container, only the user-visible URL in the address bar is relevant. Other URLs for resources on the page do not matter at all, as they will only be loaded after you are already in the corresponding container.
For me personally a per window container would work pretty well. Does that exist?
Disconnect can block Facebook, Google and twitter
just facebook.com for Facebook production

With google, i use "Always Open in this Container" each google service, this better for Container google service

This is cool, will install. Maybe Firefox embraces this idea and adopts the fork.
Unfortunately, that would be biting the hand that feeds.
Do you think the anti-tracking measures (specifically blocking third party cookies by default) in Firefox 65 is bad for Google?
Possibly, but that's an untargeted and justifiable privacy feature in a browser who's primary shtick is being privacy focused.

I think if Mozilla included code that specifically targets Google, they would be crossing a line.

That would certainly make it easier to trust this extension. I'm curious why Mozilla would ship a Facebook container but not a Google container.
Because Google pays a lot of money to Mozilla?
Then an interesting question is IF the Facebook container stemmed from principles 4 & 5 from the Mozilla Manifesto applied to the dominant social utility; is there a reason other than money that the same principles would not lead to a decision to build an add-on that gives people an option to contain Google? It's certainly not a technical limitation.

It seems natural to posit that money is the issue but is it so easy to believe that a foundation most of us trust would compromise its core values?

As mentioned elsewhere hacky add-ons cannot be the end solution, and will not be widely adopted unless incorporated as defaults.

I suspect its because containing Google hinders the web experience for people more than containing Facebook would. People have mentioned in threads here that Capchas would become frequent, Google login (which probably is more common than Facebook login) wouldn't work. The addon would make the browser of an average Joe worse than Facebook containers. And when Mozilla is grasping at straws, trying to win back market share, it'll have to really debate whether or not they would want to go forward with this.

Doesn't help that FB is getting a bad rep these days and its more mainstream to hate on it.

In order to use this supposed privacy-enhancing feature, you must allow the authors of this extension total control over everything you do on the web. Add-ons are automatically updated in Firefox by default, so you can review this code now and it will change later. This seems like a poor trade.
To be fair, I can't see any way for this to work without giving them control of the browser. Even with a TLD limited extension, the extension would need permission to access your browser window and giving it permission to do that would give it permission for any TLD.
“What three people know, the pig knows.”
>Add-ons are automatically updated in Firefox by default, so you can review this code now and it will change later

Or, if you'd like, you may disable auto-update.

But who has reviewed the code of the version available when you install?
I think Mozilla does a basic review. Not perfect but good enough. The extensions situation has gotten bad enough that I'd support Mozilla having an "approved extensions" section where you pay to have yours reviewed and approved.
The fact that Stylish managed to remain—and be featured, even—on both the Mozilla and Chrome catalogs for close to two years as it tracked user's browsing history says to me that there must be certain level of trust for pre-reviewed addons.
The mozilla add-ons site actually rejected the version with tracking (the post acquisition one) for some years due to the tracking and still featured the old version without tracking. Chrome's webstore version did have the tracking, tho.

Now in the era of WebExtensions (which are SOOO much more secure!!!) it seems they finally approved a version published by those bad actors. No idea tho if and what tracking is in there and if mozilla stuck to their guns and made them remove tracking or not.

> The mozilla add-ons site actually rejected the version with tracking (the post acquisition one) for some years due to the tracking and still featured the old version without tracking.

Is there a source you're using for this info? As I visited a couple times during that period (including mid this year) and saved a personal copy of the Versions URL which listed multiple versions post acquisition available [1].

[1] Specifically: 2.1.1 (2017-10-31), 3.0.1 (2017-11-10), and 3.1.1 (2018-05-23).

While I agree with you and wouldn't use it myself, it is relevant that Firefox uses human reviewers for their add-ons. So with every update someone will look at what changed and judge if it is benign.
I don't think this is necessarily true any more, since WebExtensions. I think human reviews are only necessary if extensions use certain constructs.

(Or human reviews are now allowed after publishing when an extension passes automated review - I'm not sure.)

When I submitted my webextension-based extension, there was an automatic review followed by a human review. But obviously it's unclear what the quality of that review was and I'm not sure whether any update triggers another round of reviews.
I know that at least for decentraleyes, the human reviewers have a script to check all the checksums of the included libraries after updates get submitted.
Email me to subscribe to my anti-spam service!

Enter your credit card details to check if they've been stolen!

There is a site that is very popular here that does just that (haveibeenpwned).
No it doesn't, it does not ask you to provide your own password.
Or CC details... ;)
This is wrong, since grandparent did not ask for passwords. Quote:

> Email me to subscribe to my anti-spam service!

This is precisely what haveibeenpwned asks for, as your parent wrote.

Troy Hunt launched another one, which does ask for password. And sells you 1Password after check :)
Yes. That's why Apple moved from JS based extentions to Content Blockers model. App provides a complex list of blocked resources to Safari, and have no access to actual browser content.

On iOS, install Firefox Focus, and in Safari settings enable FF provided Content Blocker.

that only covers some 3% of all available extension's capabilities. namely: ad blockers.
But the only capability I need from an extension :)
typical walled garden user :)

guess if you wait 10yrs for something as simple as an ad blocker, your expectations will be very low anyway

Fork the repository and maintain the extension yourself. I know, it's a hassle and only possible for programmers, but...
Or you can just setup google container manually, it's not so much work in Firefox.
That was my usual extension management method for chrome, but sadly each time I tried that on firefox, it didn't fly (IIRC, you _can_ load extension from your local FS, but they only lives for the time of the session).

By the way, if someone from firefox team is reading this : I would _really_ love to be able to just load directories from my FS as extensions rather than having to trust someone on the internet that it does what it says it does. I love building extensions myself, but I just don't install extensions from the web anymore because I don't know what's in there (note that referring to a github repos is not enough : I have no guarantee the content of the extension is the same).

...Or, you can use "Firefox Multi-Account containers" by Mozilla. [0]

This is what I use. I have everything that I log into google for in one container, social media in a second, and everything else is nicely sand-boxed away from those horrors.

[0] https://addons.mozilla.org/en-US/firefox/addon/multi-account...

Does it support mobile yet?
It bothers me that they for some reason doesn't support containers in private windows. I guess a substitute could be to wipe the firefox profile on start or something but haven't attempted that route yet.
You don't need to, Firefox has had an option to clear history (and cookies, etc.) on close, since… forever.
I guess I just haven't trusted that that feature really does what I want it to. But I should check it out, thanks!
Is anyone else bothered by Google Chrome's new attempt to suggest long and complicated passwords when you create an account anywhere? Sure this is a nice bonus for security, but it also means that you can't log into websites anymore unless you're using chrome signed into your Google account.
I think I understand what you're saying. It almost sounds like you're privacy conscious but not security conscious, but I don't think that was intentional.

Personally, if I was dealing with someone who wasn't already using strong unique passwords for everything, and didn't want the burden of having a password manager, I would absolutely recommend relying on Chrome's built in password manager and having to be signed in to Chrome everywhere. This might actually be one of the use-cases that triggered the 'auto sign into Chrome when you sign into a Google product in a tab' feature, which didn't go down very well in some circles.

I believe (re)using relatively weak passwords on multiple sites is a bigger risk to privacy than Google tracking every page I visit. I would assume they track every page I visit regardless of whether I'm signed in to Chrome or not.

EDIT: Note that I'm assuming this feature in Chrome is similar to the feature in Safari, where Safari suggests strong passwords, but this doesn't prevent those passwords from being stored in your password manager of choice.

No, I don't think you're understanding my concern, it doesn't relate to security at all, it touches on privacy, but it's more about monopoly control.

If you start using Google's password manager with their auto-suggested long complex passwords, there is no way you can remember the passwords yourself. You'll need to be logged into Google Chrome to have access to the password. Therefore, you'll need to be logged into Google Chrome to log into any website. Currently, there is not way to export passwords from one browser to another, so if all your long complex random passwords are in Chrome, as a practical matter, you won't be able to use Firefox, Safari, or Internet Explorer, you'll be required to use Chrome.

The apprehension over the feature is not about security at all (in fact, this system is likely more secure). It's about control. If you allow Google to manage all of your passwords, then you'll need Google to do anything.

But does it restrict your ability to also save those passwords into an external password manager?

Per my previous, Safari has a similar feature, which streamlines the process of generating secure passwords without needing to switch to the password manager to generate the password, and upon submission, it gets stored in the keychain, and also pops up the ability to store into 1Password via the usual extension.

Sure, all those passwords in the keychain are locked to Safari only, so Chrome, Firefox, etc are unable to access them, but that's what external password managers are for.

> But does it restrict your ability to also save those passwords into an external password manager?

It absolutely nudges people away from password managers and on to Chrome. You now you have two options... (1) get a password manager on all of your devices that properly syncs with Chrome; or (2) only use chrome on your devices.

Many people are going to choose option #2. This will lead to more people relying on Google Chrome and Google Accounts, and will now you'll need to be logged into Chrome to log into any other site. It's a way for Google to become requisite, and add more power when they already have so much.

But what would be the need? As there are no cookies to start with in a private tab anyway, right?
I don't quit my browser for weeks at a time (basically the only thing I restart the browser if for updates) so I'd like much more control than what private mode offers - which is just a session where everything is shared until you close it.
I've been using the Temporary Container addon for this purpose. It allows you to specify that any link will automatically open into a new container, fully isolated from previous sites, with more rules so that sites like reddit work without logging you out all the time.

Coupled with clearing history, this should be fairly close to a much more stricter private mode.

What's wrong with profiles. They've had those forever and I have half a dozen. I don't see what any of this new "container" stuff really adds to that.
Profiles provide isolation at the browser level, containers at the origin/domain level. Different profiles are essentially different browser installations that share nothing more than core browser code: extensions, settings, and even looks. It can get tedious to have to replicate one's browser customisations in every profile. Containers bring convenience.

I never made a separate browser profile for Facebook, but the moment Firefox's Containerisation was available in Test Pilot, I made a container for all things Facebook.

Depends on if you prefer separate windows or just separate tabs. I prefer having a single window and I've become so used to containers that using Private Browsing feels weird because I can't move those tabs into the main window.
Considering that a lot of people still use Chrome I think just using Firefox is a great start.

But yeah there is always nitpicking to do when it comes to security. No one is ever truly secure.

I use the brave browser which is based on chromium, blocks ads, trackers, has tor private tabs and soon will pay you for seeing ads which you can then use pay BAT to the websites you want to support.

All this without breaking user privacy.

How do you track that each update hasn't turned evil?
I mean, you don't. You have to trust the maintainers of the software you use, to a certain degree, or spend a majority of your time auditing the software you use.

That being said, Brave is pretty upfront about the security of their software. They've paid $25k in bug/security bounties so far and their browser is open source. So if an update turns evil, it stands to reason that someone is going to notice.

> I use the brave browser which is based on chromium ...

Two points against it:

1. You stand out from the crowd with this User-Agent, easy to fingerprint you.

2. Chromium is Google (Ad company) software, like Android. Un-googling it may not be complete or full. Safest way is not using any Google software.

I agree. I have no idea who the author is and, while they may well have the best of motives, that's not a basis for trust.

FF extensions just have too much power and too little end-user control. At a minimum I'd like to be able to selectively disable them in private browsing mode, as Chrome allows.

Feel free to read the source code (the entire thing is 400 lines) and disable extension auto updates. Or sideload the addon from the github repo so there's no way for it to auto update in the first place.
How does this compare to extensions like uBlock Origin and Ghostery?
Two different schemes.

uBlock loads privately-constructed filtersets which are used to decide what net contents to block. (That blockage can be customized per-site in advanced mode.)

Each FF container keeps content associated with one or multiple sites 'isolated' (in theory) so they can't be 'seen' by sites in other containers ... all in the browser.

not sure why you'd use this over the Multi-Account Containers addon by Mozilla.

https://addons.mozilla.org/en-US/firefox/addon/multi-account...

The Firefox Multi-Account Containers is a more general extension that allows you to create containers and determine which sites open in each container. This extension can be customized to suit your needs for multiple sites and multiple logins but takes more time to set up than Google Container.
Exactly. It's easy to tell a privacy-unsavvy person to install this and the Facebook-only container rather than explaining how to containerize and set up all the specific URLs and what the broader concept means. The multi-account container is pretty cumbersome to set up despite being easy.
The facebook-only container is really slick. If you go to facebook.com or instagram.com it'll replace the current tab with a FB container automatically.
It serves different purpose. These Facebook/Google containers are for automatic isolation. The Multi-Account Containers is for creating and managing containers.
I think this one also makes sure that links you click inside the Google container get opened outside of it?
I've been using MAC for a week, and just added this extension. It immediately shows up in the MAC as an option. SO (I assume) it's no better than just creating a MAC 'google' container. Just easier.

I'd been using a 'sketchy' container for YTube, but dropped YTube into this. Thereby isolating (I think) YTube from the other 'sketchy' sites I may visit. As for Google ... long-ago blocked it and FB on the network level. Chopping off -some- of the octopus' tentacles.

This is probably a good idea in theory. In practice, it might lower your internal ReCAPTCHA score and end up prompting you more actual CAPTCHAs, possibly up to unsolvable[1] ones.

[1] https://patents.google.com/patent/US9407661

... a tarpit nominally designed for bot detection and anti-spam. I'm sure the patent wasn't created with sinister motives but it somehow enforced a system in which you have to either accept full surveillance or end up being increasingly excluded from the socioeconomic sphere. This is the danger of solving the human factor with pure technological means - it doesn't really solve it, instead the human conflict is transported into a more radical one.
Since Google deletes you wife's gmail if you sell your nexus (or how it was), I don't think so.
Huh? I’ve sold many Nexus phones and my wife’s Gmail is perfectly intact.
I'm sorry, but how on Earth is that a patent?

Things like this make me believe less in patent reform, and more in complete abolishment.

what worries me about patent abolishment is the contracts employees would have to sign to work places. It would make career maneuverability absolutely brutal if every single thing was a trade secret.
I don’t think you need to worry about that. In my experience, unless your IP has really bad reputation (think tor exit nodes), a normal browser with a fresh profile will get an easy captcha (2-3 pictures at most).
If you enable privacy.resistFingerprinting recaptcha becomes much harder and it always asks for multiple captchas.
That would be a good reason to quit using Google services altogether.
When using Tor Browser I often get (Google) Captchas on all sorts of websites, before I'm even allowed to load the page. (I think it's integrated into CloudFlare's DDoS protection?)

These are typically pretty straightforward (although tedious) but on some Tor circuits it just never lets me through: the endless "Please try again".

That is to say, if Google's Catcha bot does not like you[r IP], many other parts of the internet stop working, too.

anecdotally: i run a fairly fingerprint-resilient browser setup (using firefox containers plus additional measures) and, while i am asked for full CAPTCHAs every single time, i haven't yet noticed them increasing in difficulty.
I switched to using Private Browsing windows and tabs, which clears all tracking cookies on close. And browse via always-on VPN to hide my IP. Much safer, imho.

Still unresolved are history leaks via Referer, from things like fonts, ajax, tagmanager google.com API calls, present on all websites.

Why web people link so much Google stuff in their websites is a mystery.

You're not inherently trusting your VPN service to: a) not track you b) not keep logs c) not disclose this information to your actual ISP

You're also now just sitting behind whatever ISP your VPN uses which knows everything you're doing and sells it back to who-ever.

If your not rotating your VPN services that still allows you to be tracked via that IP. At the end of the day all your data still belongs to someone and can be used for whatever. Until DNS over TLS is complete and rolled out across the board your metadata can still be used.

Not to mention all of the other things associated with this. Even being connected to a VPN via your phone will still leak information like your coarse location, wifi networks and bluetooth beacons nearby which all get sent to your primary phone carrier and whatever applications you use.

No VPN:

- ISP has your name and history. The AdTech knows your IP's history, and most likely your Id.

VPN:

- VPN has your history, but no name (paid via voucher), and is other country's legal entity. My ISP only knows I'm using some VPN service (DoT enabled on my router). The AdTech is missing key identifier, IP, to link your data together (to aggregate).

> ISP your VPN uses which knows everything

Both ISPs know squat, just encrypted traffic from my real IP

And all of your DNS traffic since it's not over TLS
Cmon, all DNS queries go via VPN tunnel.
...And are trivially demasked for your VPN provider's ISP by traffic analysis (DNS requests are pretty obvious when transiting a VPN, then wait for the VPN provider to forward the packet).
Do you truly believe that a VPN provider with access to all of your traffic has no idea who you are? If so, you either have truly impressive opsec or are not considering just how much can be gained from traffic analysis.

Leaving aside the giant DNS question, there's SNI to consider as well as the VPN provider knowing your source IP and times of access. Then, because you're on hn, consider what the graph of little-used services you (probably) use says about you. Work VPN/chat/webmail servers? Admin interfaces for side projects you work on? And of course good old fashioned typos in your shell.

They produce a lot of things that are super useful for avoiding edge cases. Consider Google fonts, for instance.
Can't you host all fonts you use on your server? Why use remote google fonts?
Google fonts does a bunch of stuff, it looks at user-agent to determine what css to serve and there are at least 10 font files for each weight of each font you want to use. It's not impossible to replicate but using Google fonts is convenient
FF has an option to configure the Referer (lots of websites might break). Scripts/fonts can be filtered via extensions like Privacy Badger, either by blocking the cookie, or the domain completely.
Though most ad-blocker extentions whitelist stuff like fonts.googleapis.com, jquery, tagmanager, ajax. They treat it like non-issue calls. Sadly leaks via Referer are under radar by most.
Still not sure whether, and why, these containers are needed when Firefox's internal ‘tracking protection’ is enabled.
For anyone else wondering, this is now “content blocking” and by default is in private browsing mode only but can be set to always on. Sounds like a good idea. https://support.mozilla.org/en-US/kb/tracking-protection
I've thought for a minute when looking at that option, and couldn't think of why I wouldn't want it, so turned it on. IDK if it misses anything but seems to be working pretty good, judging by messages in the console.

It's rather aggressive, even: blocks Yandex's maps embedded on other sites (though iirc doesn't block Google's maps).

It does trip a lot of “turn off your ad blocker” nag screens.
Firefox tracking blocking is a fairly weak "make the web a bit safer while breaking nothing". This extensions actually does break stuff like google logins on non google websites.
This is a cool idea for an add-on, I use the Multi-Account Containers add on along with Cookie AutoDelete to do basically the same thing for a number of sites: Google, Facebook, twitter, linkedin (rot in hell, linkedin), amazon, etc. I like having my cookies there so I don't have to log in every time, but also don't want to be tracked around the web.

This looks like a great way to help people who don't want to fiddle with settings to get the same sort of protection. It'd be nice if Multi-Account Containers had an option to add these sites. I should cut a PR for that, probably :\",

I use this as well. You don't need a site specific addon with this. It's actually useful for separating my different google accounts as well. I'd love an extension that makes all tabs in the a particular container private. That way, any kind of tracking would be opt in by assigning it a non private container and limited to that container.
I'm still waiting for bookmarks with the target container baked in. I also use separate containers for three different Google accounts, but opening a bookmark to a Google drive document or file is annoying, because I always have to open a specific container for that Google account tab first so the document access attempt is from the right account.
I tried using Multi-Account Containers because I loved the idea but found the user interface rather clunkier and more manual than I hoped.

What I really want is for it to be optimised for the common use case with each domain automatically put in its own container, with some whitelisting of common grouped services (e.g. MS and Xbox Live, Facebook and Instagram).

It's very rare that I actually want to share any cookie info between sites as most of it is tracking. In the rare situation you do, the browser could let you disable containers or add them to a group.

I'd also like something that automatically opts out of tracking preferences, as well as something that periodically deletes cookies/localstorage (say every 14 days).

You could then set it all up and forget about it.

I use the Temporary Containers extension and it does much of what you're looking for. I have it set up so every tab is opened in a new container and the container gets deleted when the tab closes. So everything is kept separate from everything else.
This is what first-party isolation is supposed to help with.
Would be nice to have social network container, rather than having individual google, facebook container.
Which websites would you define under social container?
I'd redefine it as a "mega-website/tracker container", to limit the scope of those sites that get seemingly everywhere. That would include the social networks but also the likes of google and maybe amazon.
Can somebody tdlr everybody why this is needed in addition to the official container extension?
Containers need curating. You could in theory do that yourself, but you probably don't know how in practice (most users) or don't want to (most remaining users). These pre-made containers are curated by their developer so they do all that work once.
This is cool but I don't think I will be using it. I already use Searchonymous[1] to prevent Google from tracking my web searches while also browsing YouTube in a separate container where I'm not signed in.

I really on Google's sign-in mechanism for many websites and this would probably interfere with that.

[1]: https://addons.mozilla.org/en-US/firefox/addon/searchonymous...

I'm probably in a minority around these here parts but... Am I the only one who doesn't worry too much about all this "tracking"?

Trying to avoid tracking is like some weird obsession/hobby. You go to all these lengths and then you realise they were tracking you anyway, so you throw your arms up in disgust, exclaiming how evil they are and start trying to block that vector, soon enough rinse and repeat. I was there too only a few years ago but I've since given up and my life has gotten measurably better because of it - I no longer feel like I'm trying to "stick it to the man", I don't have to integrate a bunch of different services in an attempt to keep x and y in separate products to reduce my "awareness surface area" to any one company. I just stopped worrying so much. Simple as that. And I'm really not convinced some evil affliction is going to strike me down as a result. Next time you find yourself wasting hours of your time trying to make yourself "private" just think of all the other fun stuff you could be doing.

But if you want best bang for minute spent worrying privacy: Use Incognito, uBlock, Proton Mail and a VPN. 20 minutes of your life and you're pretty darn private. This should cover you without labouring over choices of extensions etc.

Agreed - it seems to come from a similar mindset as being obsessed with "websites must run without Javascript because 0.00003% of HN users disable JS".
Another aspect of this I don't see mentioned nearly as much is that attempting to be more private may actually make you stand out more in terms of government surveillance. They wouldn't be getting as much data on you from companies, but odds are they're still getting plenty, and in the case of taking extreme measures to limit that it only takes one mistake to undo a lot work. So hypothetically if you did have something to hide, or if you really wanted to maximize privacy for a subset of your life, you would allow most of what you do to be tracked in order to appear "normal"
Not wanting to be tracked is normal.
I'm reminded of the (possibly apocryphal) stories of criminals who underwent various procedures to remove their fingerprints - methodical scarring, acid burns, skin grafts from elsewhere on the body, etc: even the procedures that worked didn't actually help them evade identification, because the marks left by their now-printless fingertips were even more distinctive than before.
This is actually one of the arguments that Telegram uses.

https://telegram.org/faq#q-why-not-just-make-all-chats-secre...

>This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents, so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries. We are convinced that the separation of conversations into Cloud and Secret chats represents the most secure solution currently possible for a massively popular messaging application.

https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by...

>people using these apps can be targeted by governments as those who have something to hide. Due to the limited distribution of such apps, the government can identify and track individuals whose phones connect to the corresponding IP addresses. This is something that is already happening in case of tools like Tor, and, to a lesser extent, of some messaging apps. Yasha Levine is publishing a brilliant investigation about it.

No it's not just you. I block ads with ublock origin. The end result of the tracking is targeted ads, and as I don't see any of them I don't care how accurate they are.
I can easily imagine that there's an identity for me at Google which is linked to all the IP I had ever used (meaning country and ISP at the least), and linked to every google account I ever used and browser ever used (meaning what devices I've been using) and then every page I've visited which has Google ads or analytics (meaning what site I visit) and every keyword I used to search the web (easy to guess what kind of life I'm having) and then every location I've ever searched on their map (meaning they know where I go and perhaps roughly where I live).

They know more about your online history than yourself they can write a diary for you but if you feel comfortable with that, then you don't need to do anything.

Changing IP, clearing cookie and changing browser may divide your ID but as soon as you log in with your Google account or they realize you may be having identical online activities, you can easily get linked again.

And as soon as you buy something on your Google account, be it physical item or an in app purchase, they know your real identity along with all of the above and then with more profiling, you will be linked with other people by family name, location you often visit and recognized by any other profiling I can't think of now.

No google accounts, private browser windows and always-on VPN (not self hosted, as IP must be mixed with other ppl) :)
You know that you can delete, opt in/out to most of that information right. One click, boom.
Data leaks are one way, you can't put toothpaste back into the tube.
Protecting your privacy is much like security, in the sense that it's not a black or white issue.

Having a lock on your door won't stop professional burglars, but it implies effort and isn't the same as leaving your front door wide open, which also invites passerbys.

Protecting your privacy actually has a non-negligible effect on your experience on the Internet. Let me give you an example ...

I have a friend that's a T2 diabetic, is self treating and doesn't want to go to a doctor due to past bad experiences. So in trying to help him, I signed up for a Facebook group for diabetics in my area. The result is that now I'm getting commercials for treatments of diabetes.

This to me is freaking scary, because this data can be used against you. Your medical history could affect your credit score for example. Your buying history or your friends list could affect the price of your insurance. Your daughter could get pregnant and the store could find out about it before you. Oh wait, these already happened.

You can't escape all profiling, but the less these profiling companies know about you, the better you are.

I'm using DuckDuckGo lately to search for symptoms of hypothyroidism, because apparently I suffer from it. Along with the privacy extensions I have installed (Privacy Badger, and ad-blocker with EasyPrivacy), guess what, I don't have commercials following me around on hypothyroidism, which to me is confirmation that I'm doing a good job.

You can choose to not care of course. But you're probably young. Give it another decade.

Congratulations, they beat you into submission.

You now have accepted a fundamentally different world where anything you like, anything you say, anyone you are with or hope to be with, anything you hope to do, have done, didn't do, every mistake or misstep or misstatement or misunderstanding or fuckup, is recorded, analyzed, classified, and mined. You're being constantly thought about, by the machines, who, if you are lucky, are only interested in making a buck off you, and if you are not lucky, have targeted you for increased scrutiny, security checks, auditing, social classification, digitized karma, and eventually, all of this will translate to a significantly different experience through life. How will it manifest? Maybe it'll be something big like being denied a loan for a car or a house. Maybe it'll be a landlord turning you down for an apartment. Maybe it'll be a constant drip of ads trying to trick you into buying something. Or maybe one day beaker53 will say something bad about the government, or get involved with a terror group, or it will accidentally look like you got involved with a terror group. Or maybe they'll just come annoy you while you're sitting down to tune your guitar with an ad on how to make yourself a better guitar player, if only you did this or that or the other thing. Or maybe they'll pester you because your friends did something or didn't do something or should do something, or how you'll look better in relation to them if you did do something.

Speak for yourself. I'm sick of being watched and being "thought about" by all these damn machines. FFS leave me alone, like it was just 15 years ago. Just 15 years ago.

I'm going to bookmark this comment for when people throw the "I have nothing to hide argument" at me
If that's your angle, remember that that nonsense included explicitly the suggestion that one problem with tracking might be when you "get involved with a terror group", along with other drivel about "digitized karma" and unwanted ads. If you don't want ads, run an adblocker. That's literally what they're for.
> remember that that nonsense included explicitly the suggestion that one problem with tracking might be when you "get involved with a terror group"

No, it was about someone (“beaker53”) who could be confused for a known person (“beaker52”).

P.S. I reject the assertion that being concerned about privacy is some kind of "weird obsession/hobby". It is, or was rather, the default state of life to not be watched constantly not long ago. This new thing of having to fight for basic privacy is the alien thing. You aren't obligated to think about it 24/7, and kudos to you (or something) for going and having fun while not worrying about it. But make no mistake, society has been radically altered while you were sleeping.
You're quite the rebel prophet, huh? "Wake up, sheeple! Listen to me - I'll open your eyes to the truth". I understand there's a compound in Texas going cheap. One previous owner; slight fire damage.
I watched the new mini-series about that just last week. Horrific. Not a cool thing to joke about.
Please provide me with a list of topics I'm not allowed to joke about.
I think there is room for nuance between 'concern' about privacy and 'absolute dedication' to privacy, and the tone of your opinion ignores it. You make good points, but I would hope for some critical reading of the original poster's argument.

Data never being completely deleted, and the unending tracking being a slow sort of death of personal freedom is a good point, but I read the point of the poster you responded to as this: We can only do so much to secure our privacy, do effective and easy to implement solutions. If we want absolute privacy, its probably never possible until you cut out massive parts the digital world for yourself, and diminishing returns for your efforts most likely aren't worth it.

> Just 15 years ago

Yeah you were still being tracked. It's just a lot easier and more specific now. But everything about you that's public record, or even semi-public, including your credit reports, housing history, leins/judgments, voter registration, bio/demo data from any product registration card you ever sent in, purchase history from credit cards, etc. was in marketing databases and bought, sold, and traded. This has been going on since the 1970s at least.

But you're right, it's MUCH more pervasive now.

However, if you really yearn for what it was like 15 - 20 years ago, there's an easy solution: Don't be online. At all. Just like it was then.

> Congratulations, they beat you into submission.

This is not really an acceptable attitude towards this opinion. You can not mind the current state of tracking, acknowledge benefits, etc and should not be demonized or told your opinion was beat into you. And then congratulate them some rude way?

I used to wonder why so many people were surprised at recent presidential election results, assumed propaganda must be the cause, assumed ignorance of those they don't understand, take elitist attitudes towards others' preferences, etc. But now I'm starting to understand this cognitive dissonance. It's ok that they don't see tracking as a big deal, it's ok they don't want governments to step in, they aren't just dumb victims beat into submission.

I hope I wasn't rude, I didn't downvote the OP or anything, so I don't think I crossed any lines. Generally speaking opinions that are "meh, status quo seems fine to me" are poorly informed. I don't want to personally attack the OP but they literally stated that they don't want to think about this and would rather spend time doing something more fun. Fine, go ahead, but the rest of us who actually think about the implications of this recognize that a very gradual but very profound shift in society has already occurred. We're not discussing it, frankly, because people are generally passive and some, like the poster, express a pretty dangerous lack of concern. Not only that, but the OP literally said it was a "weird obsession" to be concerned with privacy. That is actually demonization, and it raised my hackles.
> "meh, status quo seems fine to me" are poorly informed

Personally, I feel the status quo is preferred over alternatives, but to each their own. Whether someone is poorly informed on a subject or not is hard to gauge and not always something that has to be fixed. The problem here is that ignorance is used as a reason to protect people from themselves forcefully thereby silencing the informed-yet-disagreeing (emphasis on "here" in this situation at this time, can't make generic absolute statements about consumer protection in general).

> We're not discussing it, frankly, because people are generally passive and some, like the poster, express a pretty dangerous lack of concern.

I see quite the opposite. Can't open any newspaper or obtain any general news without the ills of big-web-tech shoved in your face. The harms are explained as extreme but to many, regardless of what the pitchfork bearers shout, the harms are not that extreme. What's dangerous is over concern and the results of that fervor. But all of that is personal opinion, the good part is the freedom to hold that opinion and act on it personally without imposing.

Your comment aligns closely with this excellent dystopian Alexa/Google Home parody: https://www.youtube.com/watch?v=RfqM63CAC8g

The video portrays a future advanced home speaker which terrorizes its family through ads, AI, and "helpfulness" through data mining and the occasional benign hacking of remote systems.

China has their social score built around tracking. People can't get on planes/buses because of it now.

Considering all data is saved forever, how likely do you think your country is to get something similar in the next 30 years?

In my case it's not a hobby. I actually hate wasting time and money on these kind of things. But on the other side I'm legitimately scared about what's happening with all my digital information. It could be paranoia because of all the privacy movement and the recent scandals but it's not worth the risk when you have very easy to setup tools to improve your privacy like that ones you mentioned in your last paragraph which is exactly what I'm currently using (+ DDG for searching).
Well, I don't really worry much about trying to avoid it. I do stuff somewhere along the lines of your "best bang for the minute" guidelines (aside from running my own mail server).

However, it does concern me that it exists. They use this data to manipulate people. To drive "engagement", which means addiction. I could spend too long describing the evil in it, but at the end of the day, why do they care so much about the data? It all only really comes down to a way to manipulate people... into buying goods, into believing things... without hyperbole, just to try to avoid listing out so many points and examples, their desire for data stands in opposition to the popular conception of free will and democracy. I will always take a strong dislike to people and organizations attempting to manipulate me by means other than simply providing value in my life and getting some value back in exchange.

At this point, it concerns me less how much data they collect on me, and that we as a society haven't dropped some kind of regulatory hammer on them before they almost literally brainwash us out of the notion that we would even want something like it.

Why did you put tracking in quotations?

>Am I the only one who doesn't worry too much about all this "tracking"? Trying to avoid tracking is like some weird obsession/hobby.

A cursory glance at recent human history[1] shows the extreme naivety of not worrying about the negative effects of mass computer tracking.

[1]https://en.m.wikipedia.org/wiki/IBM_and_the_Holocaust

For everyone not knowing why you would use this extension, it is so the container breaks after Google. Say you Google spaghetti, after you click you defined food.com to be a food container, with this extension it will break out of Google container into food container. It is pretty great except it creates two tabs for me and breaks history. If that could be fixed or would be flawless.
1. use google.ca as default search engine

2. disable cookie & javascript for *.google.ca

3. disable all google ads & analytics domains.

4. enjoy annoying captcha during every search

5. switch to duckduckgo

for the first few days, yes. But it's smooth afterwards.
Because they linked your IP to your profile. Now your searches are logged to a person, smooth sailing.
How on earth can they link a IP to an profile with js and cookie disabled?
You previously logged in as you from the same IP, many times.
I've tried this tool and had to remove it after a few weeks as the continuity breaks when clicking links on google results.

Its just too annoying having to re-google something you search for after clicking the first result and losing your history.

Containers are a feature built into Firefox. There are extensions that let you use them more generally with any given website. It's also quite useful to log into websites with multiple accounts at the same time.

However, to prevent tracking I mostly use CookieAutoDelete [0] which only stores Cookies for sites that I have whitelisted after the tab is closed. It's really just a handful of sites I visit frequently and don't want to log in every time. Cookies aren't required for anything else.

Also, not having a Google account comes in handy to prevent tracking by Google. My default search engine is DuckDuckGo.

0: https://addons.mozilla.org/de/firefox/addon/cookie-autodelet...

Exact same setup here. Works great.
I just block them for everything except for first party sites using uMatrix.

For some sites I need to allow google.com cookies otherwise I will keep getting recaptcha checks.

I also find CookieAutoDelete invaluable, particularly in combination with "I don't care about cookies" extension which removes almost all of the cookie warning dialogs which you would get otherwise. Web is usable again :)
>to prevent tracking I mostly use CookieAutoDelete

Removing cookies will not prevent anyone from tracking.

Simple example: I once visited an online shop from browser profile in which I never logged into Facebook. Few hours later I switched to another browser profile, used exclusively for Facebook, and I got an ad on my timeline from said online shop, for the exact product I was looking for earlier in another browser profile. Facebook associated my two browsing personas without cookies, most likely using a combination of my browser's request headers and IP address. Not to mention that JavaScript (if enabled) provides additional and extremely detailed fingerprinting capabilities.

In my experience, Google seems to have a better track record in terms of respecting cookies (or lack thereof) as the main carrier of online privacy management. But I think it's just an illusion. They're just obscuring it to not freak people out too much the way like Facebook does. The information is still there. They have it, from analytics, fonts, reCaptcha and all other means of their creep.

To prevent tracking, you need to have a full control over information you send to the internet, including browser request headers, IP address, behavior patterns of web browser, and so on. Cookie management alone is just a fallacy and gives a false feeling of control over privacy.

This is also why I consider those "privacy containers" broken by design. They just operate on cookies and don't contain anything besides cookies. I would even consider them harmful because of their misleading nature.

AFAIK FB will do semi-targetted advertising based on IP alone if there's a very small number of users logged in from that IP.
That happened behind my ISP's NAT in a densely populated area, so I don't think so, no.
I'd be surprised if it was the only thing they used, to be fair. But there is fairly obviously some IP-specificity going on.
So you need to control your IP address but your example shows it doesn't matter?
On mobile your IP will change every few hours.

Anyway the very idea that people are making money from me keeps me up at night so I use FF with a bunch of privacy aiding extensions. The war to fingerprint users is endless though. Ad tech is a billion dollar industry.

> This is also why I consider those "privacy containers" broken by design. They just operate on cookies and don't contain anything besides cookies. I would even consider them harmful because of their misleading nature.

Privacy containers could do more interesting things like:

- Connect through a VPN/proxy, so IP address changes all the time.

- Change browser characteristics (screen size, available fonts, user agent string, etc) to fool the fingerprint. I suppose that fingerprints are hashes, so you only have to corrupt one ingredient of the hash to make the fingerprint unusable.

Tor browsers do stuff like this.

"Change browser characteristics ... to fool the fingerprint."

What about hardcoding the fingerprint? So that every end user looks the same.

This doesn't deserve to be downvoted. The quickest way to combat fingerprinting is to hide in the crowd, which has value without requiring buy-in from other users; randomization as fingerprint deterrence only works once you have a critical mass of people using it.
Or if you actually randomise it, meaning "different output every time it's accessed", not "randomly set once, now it's hardcoded until you close the browser".
This is what Tor does, I believe. The problem with spoofing the fingerprint is that all the features that allow you to be fingerprinted are features that are in use by some site or another, so it would break compatibility.
Ya. I suppose you're right.

So long as the client runtime can inspect the host, inferring the fingerprint, and call back to the mothership, there's no foolproof, durable way to defeat fingerprinting.

At best, fudging the fingerprint just buys some time in the arms race.

The problem is that a 'browser fingerprint' is not some function call that can have its result be spoofed. There isn't even a single specification for what constitutes a browser 'fingerprint'

It is simply a series of attributes that are tested and compiled. Attributes that are consistent for a single browser but have some degree of variation between different computers.

Put enough of those together and you can uniquely identify someone. The exact things that are checked, however, will vary between implementations, and can always be changed in the future, so there isn't an easy way to spoof all of them to be identical.

In addition, many of these attributes that are tested need to return accurate results for normal functionality to work, so you are again limited in what you can fudge to avoid fingerprinting.

That's not a problem. Make those things normally untestable, and sites will by definition work normally without accurate information about those attributes.
Much of the detail is irrelevant, though. There are things like languages I never use, and sofware version point-revision.
You could use separate profiles on Firefox (which I do, I have half a dozen) and in each profile set up different browser headers. Everything coming from the same IP address would still be an issue, but I doubt that trackers rely on that alone as it's too coarse. Families will easily have 6 - 12 devices for several different people in the home all NATed through the same ISP IP address. You could use proxies if you're really worried about it.
Device fingerprinting (and cache attacks) could still connect the different profiles unless you change more parameters than just headers. Or disable javascript for some or all the profiles.
Like I mentioned in parent comment, my project has had a lot of success with that. I know I was able to fool the Evercookie[1]. I can even have different profiles have different browser engines if I want. They each use individual prefs.js files.

[1]: https://samy.pl/evercookie/

My project does that.[1] Since each profile has its own profile.js and extensions. One application is that I hate triggering financial portals to re-authenticate. So all of my finance happens from my home IP, no matter where I am. And instead of a heavy VPN, it is just an ssh tunnel. When I was in university, my school browser profile always routed through my school proxy. If I start using facebook again, I will use Facebook's TOR public gateway, but only for the Facebook profile.

[1]: https://github.com/unqueued/foxbox

X is not perfect so it must be broken by design. Better not use it, instead follow these impossible steps!
They aren’t impossible steps, just get virtualbox for sites you don’t want tracking you. Unless they can break out of the VM they can’t fingerprint the hardware even if JavaScript is enabled
IP address, screen size, etc. will still be the same in the VM no?
Not to mention the attributes of the VM itself will then be used for tracking.
How exactly would you use the attributes of a VM for tracking? You can have a separate one for fb and for google. All they are going to be able to track is what you want them to know
Not exactly impossible, the Tor browser for example implements many if not all of these.
Do you have much experience using the tor browser? I think it’s a good example of why it’s impossible.
Yes indeed, I've generally found it quite good - what's the issue? You don't like dealing with NoScript or something?

I have that even on my regular browser...

ReCaptchas, the inability to post to many sites because tor ip addresses have been blacklisted, latency, etc. It’s better than nothing but like many solutions it doesn’t really seem to address the underlying problem.
Those have absolutely nothing to do with the Tor browser though nor any of the solutions mentioned, that's simply IP blacklisting.

The underlying problem of privacy is addressed. The consequence of anonymity is a lack of trust.

It advertises itself as "prevent Google from tracking you around the web", which I consider a false and misleading statement. It doesn't prevent it. It is not "not perfect", it is not even far from perfect.

I think it is very important to make Internet users aware that cookies are the red herring in all privacy issues that are plaguing the World Wide Web. Cookie feature in modern browsers is just a tiny puzzle piece in a larger picture, consisting of wide range of entry points used for collecting data. It includes invasive JavaScript fingerprinting that can easily extract a list of installed fonts, local IP address and list of media devices from WebRTC, device capabilities, WebGL/Canvas fingerprinting, content filter list detection and much much more. Even with JS disabled most browsers share so much explicit information that is enough for precise identification without the use of cookies.

Is it impossible? For 99.99% of Internet users it requires so much hoops to hop through it might as well be impossible. However, I believe that awareness could slow down this privacy decline. I hope users will finally start demanding more native privacy controls in their browsers. Native JavaScript filter in Firefox would be a good place to start.

I mostly use the phone for browsing the internet and I couldn't find the container feature on FF for Android so what I did was refused to store cookies on FF & began using Chrome for logins

That way, my identity is disassociates, hopefully. All logins are on chrome which are used minimally and all browsing is on FF with no track on, cookies blocked etc

I've been using a separate profile for FB for several years. I've never seen this happen. I wonder what I have to do to make it happen
I think you are right that fingerprinting is much better at tracking than just cookies. And that it has become trivial to do.

I think that your comment makes it seem trivial to control fingerprinting by controlling the information you send over the internet. While I suppose it is true that you can prevent fingerprinting by not allowing data transmission, this will also make the intenet and especially the www unusable.

Masking your IP address would require access to multiple IP pools, which is cost prohibitive. Alternatively, you could use some centralized proxy, which just changes who controls the information about you, but perhaps in even a more scary way.

Obscuring your screen size breaks responsive web design. Obscuring your browser still breaks a lot of everything even in 2018. Chrome vs Firefox vs Edge vs Safari still don't have the same web api. Disabling Javascript breaks most websites. Disabling XHR/fetch also breaks a great deal.

Once again, privacy and convenience conflict.

> Also, not having a Google account comes in handy to prevent tracking by Google. My default search engine is DuckDuckGo.

They still can track and target ads at you without an account. An account is not required for that.

Indeed. Your unique fingerprint is your account. Even with Facebook. Being logged in just syncs your fingerprint better, possibly your multiple fingerprints.
The problem is that containers don't have unique local storage
DDG is the shit. I find the user experience of bangs an absolute pleasure and the engine is my primary interface to nearly every site I frequent. I care about privacy, but I have a Google account and enjoy their services as much as the next pleb, privacy isn't even the primary reason I use DDG. I feel like the combination of Firefox, DDG, VPN, and ublock affords privacy with no compromise.
Why not just have container for every damn site. No one should track me
Have a look at the temporary containers add-on which does just that. It is completely usable. I just create a permanent container for sites where I want persistent cookies.
I prefer this setup:

- install Cookie Auto-Delete (https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...)

- set it to delete all local data for all domains, 15 seconds after its last tab is closed

- create a Firefox container for untrusted apps you can't get rid of (e.g Gmail, Facebook) and set these domains to open in this "untrusted" container by default

- set Cookie Auto-Delete not to delete the data for this particular container

- whitelist the few domains you trust so that you can keep their sessions open in the Default container

Result: No need to use a secondary browser or to install special "Google/Facebook/etc Containers for Firefox". You always browse the Web incognito by default! Only when you visit some particular webpages do you enter a custom container that keep your personal data separate from other activities.

This has worked nicely for 2+ years, with other essential extensions such as uBlock Origin, Privacy Badger, HTTPS Everywhere and Decentraleyes.

I ended up using the exact same solution! The only annoying thing is that I want "untrusted apps" to open external links in a new DEFAULT tab so that I don't carry over the whitelisted cookies but that requires manual "right click > open in" with the default setup.
… all of which is futile as long as NSA records everything and their databases will leak one day.
Anonymity will always be greater than privacy. What I'm saying is that there should be a focus on being anonymous without a care (almost) of what you're doing.
I just think it's a futile kind of paranoia. Your anomalous behavior puts you on some list. Writing about it here puts you on some list. As every admin knows so well, spying on user data is much too easy for that not being done all over. We'd need to tear down large scale digital infrastructure to make even a dent into the problem of massive abuse potential. Deleting cookies is cope.
Depending on the context, platform, and data, de-anonymization is almost trivial to perform. Worse, someone can replicate your patterns and masquerade as you (thinking about that "lodestar" opinion where people were debating whether it was Pence or not).
A possible threat does not mean a probable one.
Note: none of this prevents tracking unless you also have fingerprinting turned off, which makes things a whole lot less useful. For example, if you like Date.now() to be reliable, and you want to about:config your way to locking down finger printing: too bad. It's one or the other.
>Note: none of this prevents tracking unless you also have fingerprinting turned off

It does prevent tracking of websites that don't do fingerprinting. The best is the enemy of the good!

Yeah except in this case Google is the enemy of even the moderately useful. Find any website you like. Odds are it uses google analytics and/or google ads, and good news: that website absolutely uses fingerprinting, even if they didn't implement it "themselves".
The only thing that's annoying is that with GDPR I have to do 3 clicks on every website. What I want is an addon where I can mute / suppress the cookie overlay.

Though I guess with this setup I can do "accept cookies" knowing that they will shortly be deleted.

ublock Origin does it. You can subscribe to filter lists like "Fanboy’s Cookiemonster". And you can manually remove annoying elements (e.g overlay, banners, etc).

I can't skip GDPR page redirects, though.

That doesn't prevent shit. These companies have invested far more man power to track you than you have to protect yourself. They can use a variety of methods to still track you. And they will. Think IP address based tracking.
Why bother with installing anything?

Run your browser in private mode for everything except a few websites you trust.

Done.