117 comments

[ 2.8 ms ] story [ 197 ms ] thread
Seems like anyone using a third party content blocker like uMatrix will be immune.
uMatrix is a lifesaver ... I enable only css, images and media for 1st party sites, everything else is disabled by default.

Have not seen an ad in years.

Isn't uMatrix abandoned? No longer developed? I used to use it but now use uBlock Origin in advanced mode. I'd switch back immediately if it was actively developed again.
It’s not, sadly. But it still works, and the interface is still far superior to uBlock on Desktop. So I, and many others, use it as is, together with uBlock. There was actually a short time it broke, which was when the repo was unarchived, fixed, and archived again, so while there’s no new development, there’s at least a chance it might not break.
I'm definitely loath to use something that's not been updated in that long considering the speed of change in web development. How do you know it's not missing some stuff? I agree the interface is much superior to the advanced ublock interface. Much more granular control. I do wish it was getting developed still or unlocked interface updated to uMatrix style.
> I'm definitely loath to use something that's not been updated in that long considering the speed of change in web development.

I mean, all you are missing out on, is even finer granularity. Details don’t matter, you got the basic blocks: cookies, css, images, other media, script, XHR, frames, and "other" aka everything else. Those don’t change, the "other" category will simply very slowly grow over time.

I can remember hoping, thinking someone would definitely take over development :(
> Have not seen an ad in years.

Likewise. It's always quite a shock what the internet looks like on computers owned by relatives.

Is this new? Seems like a long present low hanging fruit.
Firefox container mode stops this. I can imagine a product that makes every tab an ephemeral container by default, and you had to explicitly opt-in to a container profile to share cookies, etc. cross-tab.
Yeah there’s an extension called Temporary containers that does exactly that (^:
Been using it for years and watching others’ machines for how tracked they are across the web is terrifying. Even things as basic as being on clothingshop.com and then seeing ads for said shop on someotherdomain.com, which I understand is totally normal, has become jarring for me. I recommend everyone installs it. Yes, you have to click more cookie banners, and I still say no, but mind less when I cave and say yes because what they’ll learn is so limited. My temporary containers have a persistent auto increment so after a few years it’s (semi-) interesting to see that I’m on my ~20,000th temporary container
With Temporary Tontainers you can just install one of the cookie-ignoring plugins, since cookies don't do much if your containers are ephemeral.
It is my understanding that the name "cookie banner" is misleading, to the point of acting against your own interests.

If you click Agree you agree to be tracked regardless of the method. So yes, cookies won't do much, but now you've agreed to any kind of tracking, even those that defeat private mode and/or script blockers (assuming there's one).

I haven't really looked into the plugins but surely if they can find the "accept tracking" button, they could also find the "no thanks" button instead
Temporary Containers is fantastic. Its functionality should really be a core feature of any browser that claims to be concerned with privacy.
If you're linked to something on twitter or discord or so, odds are that you'll open it in that container because that's the default behavior. While you're right, and I use containers as well, I'm not sure that's a solid way to prevent this attack unless the person can be convinced to diligently right click anything they wish to open, copy the link, and manually paste it in a fresh new tab.
This is solved in Qubes OS by using separate VMs for different security domains. For Discord, a single click can be configured to open a browser in a dedicated disposable VM.
My work requires me to open links in different VMs. How exactly do I tell a browser to override link clicks to be handled by an external program? This would be very useful indeed
This is how I do it on Debian. First, reate a custom "browser" like this:

touch .local/share/applications/open-in-dispvm.desktop,

and put inside a command like this:

qvm-open-in-vm '@dispvm:fedora-37-dvm' %u

in accordance with this guide:

https://www.qubes-os.org/doc/how-to-use-disposables/#opening...

To make this browser default, you do this:

xdg-settings set default-web-browser open-in-dispvm.desktop

See also how to create .desktop files: https://askubuntu.com/questions/45885/how-do-i-set-a-custom-....

Browsers don't call the OS to open a URL, it would have to be an add-on or something
When the link is in a different app (e.g email client), the click event is handled by the OS and the URI is sent to the “default app” for that URI schema (for http/https, that would be your default browser). You can therefore reconfigure your OS to use a different app for that schema.

On Mac, you can for example create a simple App in AppleScript with the following code:

  on open location the_url
     do shell script "/path/script.sh" & quoted form of the_url
  end open location

Then, using a tool like “SwiftDefaultApps”, you can configure this new AppleScript app to be the default app for the http/https schema.

In script.sh, which receives the clicked url as the its first positional argument, you can then run any arbitrary logic that you require.

So this idea would work if the links you wanted to open were coming from another app. If they come from inside the browser, I would suggest writing an additional browser extension that replaces all http/https links in a page with an invented URI schema, like newschema://. Then the browser would pass those links to the OS for handling and then you would have full control over how to handle this new schema.

Hope this makes sense.

That makes sense and I knew this, but browsers are the main use case for me, not external programs
Yeah, so your script.sh could send the URI received in its positional argument to a browser with the configuration you need (and substitute newscheme:// to https://). I think it’s 100% doable
Temporary Containers extension in Firefox can be configured to isolate upon normal left-click, for any links heading to different domains/subdomains, then you don't need to copy/paste or do anything special.

How?

  - about:addons
  - Temporary Containers > 3 dots > Preferences
  - Isolation > Global settings tab
  - Mouse Click settings
  - Change behavior for Middle Mouse, Ctrl/Cmd-Mouse, or normal Left Mouse clicks
  - Always = always open in new temp container
  - Never = never start new temp container on click
  - Different From Tab Domain/Subdomain = start a new temp container only when navigating to a different domain/subdomain
Even better, type "about:profiles" into your URL bar, create a new profile that runs in an entirely separate Firefox process, and live your second life there.
Disable automatic updates in this case (Windows).

When an update is applied between the first and second profile process, any new tab won't do anything in any of the instances. Firefox likely still doesn't detect this state.

Edit: That is, if you use Firefox with two or more profiles, and may start one profile later (after a new update was published).

I run Firefox stable and Firefox beta on separate profiles (in addition to containers). The stuff I'm less worried about using beta.
Same thing happens on macOS. And yeah, I turn off automatic updates and just update when it bugs me.

It's an underrated feature, IMO. Profiles can be made very purpose-specific, and I like that there's not the possibility of leakage due to a site exploiting an add-on sharing data across containers, etc. I still like the mukti-containers feature, but I see it as less of an anonymity thing and more as a convenient way to be able to sign into multiple website accounts at once.

wouldn't that be stopped by CORS blocking which is pretty much the norm for large websites?
Iframes bypass CORS, so the trick is to use an Iframe and figure out (using some side channel since you can’t peek into the frame) whether the iframe loaded the content successfully or whether it loaded an error page.
I mean websites that blocks cors usually blocks iframes too?
There's a type of side-channel attack you can do to get around CORS but still leak limited information.

Suppose you want to detect whether one of N pre-chosen users of FakeMail (a service I made up) have visited a malicious page you control. Let's also say that in FakeMail:

1. you can see a hi-res version of your profile pic only if you're authenticated

2. only you can see your own hi-res profile pic

3. the path to this private pic is unique to each user, e.g. `/users/{user_id}/private_pic`

The trick then is to embed an `<img>` tag with a `src` to this private, hi-res profile pic for each of the N pre-chosen targets in your malicious page. Then, in `onerror` and `onload` event handlers of `img`, you can implement logic to handle "user X is not here" and "user X is here" respectively.

Of course, this attack could be thwarted by SameSite cookies or browsers with protection against cross-site use of cookies. And it's rather hard to find FakeMail's exact three conditions needed to pull off such an attack. AND just add one more, your targets have to be authenticated to FakeMail. It might seem like an attack that's not viable, but this has happened before, and iirc it was called XS-Leaks for a while when I first heard of it.

Relevant paragraphs:

> How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it—the attack works both ways.

> Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.

> The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers.

Isn't this one of the older forms of de-anonymization? And this is pretty visible to the user too, embeds hint to even non-technical people they can be tracked across websites.

> And this is pretty visible to the user too

How would even a tech savvy person know of this going on in the background, without being suspicious a priori? Embedded frames can be made invisible, overlaid with something else, or put off-screen. You'd have to be very familiar with this attacker's site to know that it's unusually slow today and loading longer than usual, or showing it's loading while the page appears to be already fully loaded. With the gigabytes of javascript that are common nowadays, that's not unusual.

The riskiest part is probably the sharing, as email notifications of such actions are commonly sent out.

Embeds in general can lead to this suspicion, not the attack itself. I've seen people question "why am I logged in to these Facebook comments? Does Facebook know I visited this site?", which then leads to them discovering recommendations that others have commented on here. They don't even need to know anything technical beyond "install this addon to stop Facebook from spying on you" and poof, this attack doesn't work anymore.
I’d also assume that ublockorigin will stop most of this in its tracks.
I'd love a reference on that. I didn't think it did anything like that.

Firefox containers and good browser hygiene can, but if you slip up...

This is why I clear cookies and history when the browser closes, disable saved passwords/logins, and I close my browser frequently, generally between sites or at least sessions of use.
If you block third-party frames and third-party scripts then indeed it should. See uBlock Origin medium and hard blocking modes [0][1].

Bonus points if you adopt cookie higiene and clean cookies, form data, etc. on browser exit (maybe save for some exceptions) [1]. Even better if you also use firefox containers, browser profiles, or maybe even different browsers for different browsing needs and online profiles.

[0]: https://github.com/gorhill/uBlock/wiki/Blocking-mode#medium-...

[1]: https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Be...

[2]: https://support.mozilla.org/en-US/questions/1308719#answer-1...

How do they even see there's facebook comments being loaded? You'd have to have the dev tools open or be looking at an add-on like privacy badger
They'd see them because they're there on the page, below the article. Let me repeat:

> Embeds in general can lead to this suspicion, not the attack itself.

I don't see how this fits with what I said above:

> Embedded frames can be made invisible, overlaid with something else, or put off-screen

Which isn't what I was talking about, so I have no idea what you're trying to say.
Can the attacker still get any information about the user if the embedded frame is hidden?

From the description above quoted by GP, it sounds like the user has to "interact" with the content in the embedded page for the attacker to be able to conclude they have access to the content.

Oh, to me it sounded like the loading of a large image or so would give it away. If it's transparent to the user that something was shared with them, I'm not sure it can still be called a deanonymisation attack but basically straight up says to the user "I think you're Joe"
Lots of companies do this. I've seen it on HN even. We probably should consider it an attack, but there's no way regulators will go for it. There are counter measures against it though, but I doubt anything is foolproof
Wouldn’t multi-account containers, or using private windows segmented to only one website solve it?

Don’t open a private window and log in to multiple things… problem solved?

Don’t ever make a mistake is what you are saying there.

That’s borderline impossible for humans.

Or, use a web browser that doesn’t support any cross site state, at all.

I’d love to have such a browser, and to disable the browser that came with my phone, but does not have this property.

(Things like firefox focus or the duck duck go browser for iOS try to do this; I’m not sure if they succeed, but they should protect against the attack described in the article, at least.)

It reminds me of the gmail timing attack.

I can't find the link anymore and I don't remember it precisely but it was something like loading the auth page for a specific address in the background and depending on the load time you'd know if the person was already logged in with that address.

It assumed there was a specific list of people you were targeting whose address you already knew and you could show different content to a specific target.

TL;DR (the crucial info is, predictably, at the very end): share a picture with someone via dropbox or whatever and embed that dropbox page on a website you control, then "analyze accessible information about the target’s browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied."

So you can confirm via unspecified vectors whether a visitor is among a specific set of persons if they are logged in with the right user account. (Not exactly a way to unmask any anonymous user on any major platform, the way the headline sounds.)

Edit: oh, it's not at the very end. Beyond the horizontal line and newsletter begging there's a few more paragraphs I didn't see before. Credit where it's due, they didn't bury it at the end but, instead, only 988 words stand between you and the above information!

Oh haha this might be an attack itself:

> The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn’t available for all browsers.

And if you click through to the Firefox one...

> This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.

The target demographic selects itself ;-)
I am pretty sure that how it works is almost every Firefox add on that isn't in their recommended add ons has this warning.
As far as I know they can get it reviewed without reaching "recommended" status. My point is these are security researchers that didn't bother getting it reviewed. Surely they'd go through the effort to get it reviewed if they really wanted to convince people it was safe, right? Seems to imply to me there's something that would get it removed if Mozilla did review it.

Edit: I guess maybe reviewed and recommended are the same (I swear they were different at one point), but there is an email you can send to suggest extensions to reach this status.

There was a similar attack from a couple years ago that checked if favicons for sites were cached and then polled them
It’s a classic problem. It’s also why :visited was limited, why caches were partitioned, etc.
> “If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group."

I get so dizzied by statements like this. It's almost as if researchers want to undermine their own work. Privacy can be essential for certain groups, but it should be a priority for everyone. Frankly I'm not even sure the statement about minority groups is true anymore. We've seen unmasking used by corporations, interest groups, governments, etc against a wide variety of people with dangerous outcomes.

I'd prefer we refactor messaging to make people realize that this is important to everyone and that we lay an impotus to do something about it, especially as governments all over the world are moving to eliminate personal and online privacy.

(comment deleted)
I don’t understand. This seems pretty innocuous to me.

>“If you’re an average internet user, you may not think too much about your privacy when you visit a random website” Surely you don’t dispute that? Like, maybe the average user should think about their privacy when they visit a random website, but it’s not dizzying to say that they probably don’t.

And the rest of statement is just saying that some users are more at risk of what is a targeted exploit. Probably both in terms of the chance it is used against them, and the consequences of that use.

Your point that unmasking gets used against a wide range of people is well taken, but it hardly invalidates the argument being made here, does it?

You believe it’s more important to emphasize that everyone should care about privacy. The author seems to believe that it’s more important to emphasize the impact on populations more likely to be targeted. Both are fair perspectives.

It's impossible to know the author's intent of course, but I think the problem/confusion is the choice of the word 'impacted' - GP is saying essentially 'everyone is impacted, even if only a few are aware/care'.

Your reading I assume is impacted in the sense of thinking and worrying about it; affected (strictly speaking) by it.

The article says there “certain categories of internet users who may be more significantly impacted by this”.

I think that’s probably true. And regardless of whether or not everyone is impacted at some level, I think it’s reasonable to point out that some may be impacted more significantly. Regardless of which version of “impacted” you mean.

In the next sentence, by saying that minorities etc. are more significantly impacted the author is implying that average internet users are justified in not worrying about privacy. This is what GP is arguing against.
Is that what the author is implying? That certainly wasn’t my takeaway. If that was the author’s intended message, I’d certainly agree it’s not a good one. But I doubt that was the intended message, to be honest. One population being more significantly impacted by something does not imply that other populations are not also meaningfully impacted.
Maybe the author's intent wasn't that, but the phrasing is a bit apologetic, like (exaggerating here...) "we're sorry to bother you, the average internet user with this discovery, but just so you know there ARE minorities that care about privacy"
The best data point we have for opting into invasive privacy violations is the iOS thing, where over 90% of people opted out.

Therefore, it is more than safe to conclude the 50th percentile of all users would prefer to opt out of web tracking.

You seem to be claiming that half of the users that turned on private mode don’t care about tracking, or that it doesn’t matter if the industry doesn’t respect their explicit attempts to opt out of tracking.

The difference is Apple has the muscle to make that happen without, ya know, breaking the internet.
You really should at least make an effort to get what the author is telling instead of just reading their words. It's astonishing how narrow minded people can be when the fixate on unrelated things that the author is saying instead of understanding what they meant.
Particularly academics use the language the author used. It narrows who is severely affected by a lack of privacy to small groups. It's akin to the folks who say, "Privacy? I have nothing to hide!"

The reality is that as the fragile pillars of privacy that exist in most governments are eroded the impact radius grows exponentially. I'd really like them to be stressing that losing privacy is life or death for just about everyone.

I can't tell you what the author meant other than what they said, but I can tell you that there's an abundance of folks who believe privacy is a niche issue for small groups which is far from the truth.

We should assume that what someone says is unrelated to what they meant? That's an interesting viewpoint. I have to guess at your meaning since I can't fixate on what you're saying, but I think you mean that language is meaningless?
I really don't think privacy is something everyone should value equally.

"Unmaskings" don't generally happen to most folks, and these "dangerous outcomes" are exceedingly rare.

If your threat model includes the possibility of things you do online having negative consequences for you should they be discovered, that's one thing. But the vast majority of people do not fall into that category, and pretending like they do is a great way to numb folks to the very real risk some people carry.

Having something to hide or not, privacy doesn't mean the same thing to everyone, and that's completely okay.

If you're doing nothing wrong, you have nothing to hide from the giant surveillance apparatus the government's been hiding.

-Stephen Colbert

The other side of the question is too often left out: a vast majority of people are empowering surveilling entities.

They're giving a trove of information to establish a baseline that will impact anyone diverging from there, while also helping further manipulation as the feedback loop between what they're pushed and how they react to it is transparent.

So IMHO, privacy should be enforced by default if we look at it from the group's perspective.

Except that's not happening.

Could my DNA be used to scan for racial anomalies in newborns? Yes. Is that actually happening? Hell no.

Doomsday screeching is not a productive activity, and privacy is not the issue here. It's how people are using their collected data.

Besides, caring about other people's treatment of privacy is, if you actually believe what you're saying, none of your business.

> that actually happening? Hell no.

I'm kinda tired of blanket dismissal of anything that could be mildly tinfoil hat looking.

Not falling into a panic every thursday about random corporate action is a thing, being ultra confident that no one is ever doing anything harmful on a specific subject is unwarranted.

Eugenism was a thing baked into laws not that long time ago and is still in the books depending on where you live. Patients are still suing govs for reparation because their claims were memoryholed. You can't just throw around "Is that actually happening? Hell no." rhetoric as if you were due a demonstration served on a plate before accepting that the world is 't as skweeky clean as you seem to assume it is.

And I'm kinda tired of blanket chicken littling over privacy from folks who refuse to accept the general situation of the vast majority of people.

Eugenics is not a thing modern humans in Western society need to realistically worry about, and the main reason you're not getting the traction you think you should be getting is because you keep pretending like it is. People tune this attitude out, because of how patently absurd it is.

The average person operates in their own best interest. The reality is that caring deeply about privacy is not in their best interest, no matter how many boogeymen you try to pull out. It just doesn't come up nearly as often or as severely as you apparently wish.

> Eugenics is not a thing modern humans in Western society need to realistically worry about,

Hard disagree, the facts are against you.

My father was born in 1935 and is still alive and very healthy, during his lifetime here in Australia, a modern Western Society, a Eugenics based carding and restricted movement system was in force.

https://culture.wa.gov.au/feature/perths-prohibited-area

Looking about the world there are still many examples of divided rules for colonists and indigenous peoples, if you're in North America ask your nearest Indigenous American whether any significant issues still hang on bloodlines, you'll hear a range of answers some of which might suprise you.

All that aside .. never forget that what has happened in the past can happen in the future and perhaps faster than many expect.

With a rise in far right policy and the US still somewhat shocked by the overturning of Roe V Wade with womens search data wrt reproductive health now a hot topic in security and law enforcement it's not at all outlandish to posit that it wouldn't take much to see the emergance of policy to seperate those that are different in some manner .. the intersex, arabs and chinese and have all been recent and current tarets of the US right.

What you’re describing isn’t eugenics, and what you’re fear mongering for isn’t realistic or relevant to 99% of people.

You really want to make privacy everyone’s problem, but it simply isn’t.

> the main reason you're not getting the traction you think you should be getting

I'm not sure to understand. What traction ?

> If your threat model includes the possibility of things you do online having negative consequences for you should they be discovered, that's one thing.

Let's start with you then, Zetice. Post your name, face, and home address.

My threat model includes negative consequences for me should I be discovered.
Bruce Schneier put it quite succinctly in his article The Eternal Value of Privacy (from 2006):

Some clever answers: “If I'm not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what's wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these – as right as they are – is that they accept the premise that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

— <https://www.wired.com/2006/05/the-eternal-value-of-privacy/>

> I really don't think privacy is something everyone should value equally.

> "Unmaskings" don't generally happen to most folks, and these "dangerous outcomes" are exceedingly rare

Can you provide a source for this claim? I have some sources that say otherwise:

- https://www.safehome.org/family-safety/doxxing-online-harass...

- https://www.nytimes.com/2017/08/30/technology/doxxing-protes...

However, doxxing/"unmasking" are really only part of the problem when talking about privacy. It opens doors for new and unfounded forms of oppression. Prior to the internet there was at least some inherent privacy in that aspects of your life were self-contained in private activities. In a world where many/most of your activities have some form of connectedness, whether shared with the public or not, "privacy" or the choice to share more widely and/or with the government becomes more paramountly important: https://learningcenter.ecnl.org/learning-package/surveillanc...

> If your threat model includes the possibility of things you do online having negative consequences for you should they be discovered, that's one thing. But the vast majority of people do not fall into that category, and pretending like they do is a great way to numb folks to the very real risk some people carry.

An interesting take. I'm part of online gun forums; I promote good gun and safety culture among other things. One of those forums is queer-centric/leftist. The people who doxx gun owners could care less whether they're doxxing via a state agency, a leftist gun forum, or a righty gun forum - the objective is the same: guns are the enemy they're targeting and people are a mere consequence. If I ideologically allow people to doxx one part of the gun community, I have opened the door for alternative approaches, so I relinquish that right to the state who requires cause for such a thing. That is a bit at odds with my (dis-)trust towards the government to maintain cause uniformly and justly, but that's a different discussion and a different approach.

Key to your argument is that privacy is one in the same with eschewing consequences, which is far from the truth. In fact, technologies like PGP prove you can maintain privacy and ensure accountability given more mainstream adoption and tooling. Who holds those people accountable and the ability to engage in moderation of online discussions are equally important parts of privacy because it involves the how of a lot of those things. Saying the vast majority of people deserve the unmasking, and the inevitable violence, they received is a lot like saying I deserved being beat as a kid. My dad would tell you that he had the best of intentions in mind and he thought he knew what we was doing and that I deserved it. My siblings and I have a life of experiences that prove why the best of intentions and his knowledge were acutely wrong. The change he wanted in each of us could've been attained in entirely different and more healthy ways.

You miss the point here entirely; the real life experiences of the vast majority of the population of Western society precludes the need for absolute privacy.

What you would need are not anecdotes about how individuals who legitimately require privacy, but a systemic and successful push to use data collected by browser fingerprinting (the topic of this submission) to meaningfully harm more than a random handful of people.

You lack this evidence, because it doesn’t happen, and cannot happen, in society as it’s structured today. Anyone attempting to do the things you’re afraid of would be stopped.

This says only about a specific attack vector. Privacy should not be trivialized to the issue of only one attack vector (However, it is unclear who trivialized it).
Think about it from the researcher's perspective. They're used to being asked all the time to justify why their research matters. In fact, it's critical that they do so in order to get funding.

If they answer, "well, privacy is important for everyone" or "corporations can use this to serve more targeted ads," most people are going to say, "who cares?" -- or at least that it's less important than other projects the agency or foundation could be funding. If they talk about political dissidents and journalists, then it becomes much easier to make the case that it matters.

maybe its late, but this sounds utterly contradictory to me.

we are well passed the time and millions in fines from a time when nobody cared about GDPR.

> "we are well passed the time ... when nobody cared about GDPR"

You probably meant that now giant providers care about GDPR because of risk of (mostly small) fines, but most users do not care, because of GDPR fatigue, they just click on "accept all", which is defeating the purpose of GDPR.

If you can’t see yourself possibly being on in a protest in the future, you’re not someone who cares about the world and you’ll never care about privacy no matter what arguments they use.
> Frankly I'm not even sure the statement about minority groups is true anymore

I think gay people in most of the world are still legally persecuted by their states. At least in a number of countries, the penalties for being homosexual or engaging in homosexual activities range from imprisonment to execution.

That sentence is explicitly with respect to privacy, it does not negate aggregate oppression trends. A lack of privacy opens new doors for oppression, and that harms everyone is more my point. Many people here, if you read the thread entirely, think the status quo is a constant.
It really isn't that important for most people though, most people are only looked at in terms of large aggregate metrics, most people don't feel that participation in a survey constitutes a violation of one's privacy, why are large aggregate marketing statistics any different?
> but it should be a priority for everyone

It's not black and white, though. There are a lot of people who accept that some levels of sacrificing privacy is an acceptable price for security (i.e. street cameras that allow police to track a criminal who attacked you, plus add some deterrence value). The question, of course, is how to keep this sacrifice under checks and balances to prevent/minimize abuse, but that's another discussion.

Combined with AI/ML this would be useful for PaaS to provide a curated offering of porn, except for those from Louisiana.
WebKit has a feature where all script-accessible cookies are deleted after 7 days: https://webkit.org/tracking-prevention/

While this feature is annoying in that I have to repeatedly log in to some websites that I visit less frequently, it could make this exact attack less effective.

Am I the only one who use a separate profile in the browser and always open new links in private tabs?
Can someone explain why the cache timing pattern gets such a strong signal for something so seemingly distant? Is this about memory locality or just the effects of a different “CPU workload” in general?

Also, what JS APIs are used to carry out such high resolution time measurements?

Wouldn't blocking third-party cookies prevent this? It should really be the default setting at this point.
Cookies don't save you from having your CPU memory speed profiled
Indeed. Although I'm a little surprised that CPU access isn't one of the features denied through simple anti-fingerprinting measures.

Edit: After a brief search there (thankfully) doesn't appear to be such a straightforward way to measure CPU load. Which of course makes it that much harder to block.

I don't know. Seems like this only affects people with no opsec. Surely if you're doing stuff on the internet you think is likely to attract attention from law enforcement you're at the least using a different browser profile than the one you use to post your cat memes and food pictures?? Surely you'd be using a different browser or even device.
I've become all but convinced over the past decade or so (largely though not entirely post-Snowden) that opsec matters far less than immunity and/or impunity.

The difference between those last two is that immunity is actual freedom from consequence, whilst impunity may be the impression of invulnerability (leaning heavily on the sense of the word as "rashness or inconsideration" ... I'm aware that this may not be entirely standard or customary usage).

The upshot is that the immune know that they cannot be touched, the impudent believe that they cannot be touched. The former is a more robust protection, the latter may prove highly brittle. (Activities of participants in the events of 6 Jan 2021 come to mind.)

The distinction between either of these and opsec is that opsec must be good most or all of the time. Immmunity/impunity buy you a lot of sloppiness.

A related concept is that of intelligence agencies doing far less of observing information and far more of planting it. This was common practice amongst both the USA and USSR during the Cold War, as has been detailed in numerous accounts. John Crewsden and Carl Bernstein both (separately) wrote of the CIA's activities in this regard, quite often working directly with news organisations (or personnel associated with same), during the 1970s:

Crewsden: "The CIA’s 3-Decade Effort to Mold the World’s Views" (1977) <https://www.nytimes.com/1977/12/25/archives/the-cias-3decade...> (In six parts, listed and linked here: (<https://diaspora.glasswings.com/posts/cdec9a80ce3b0139a0df00...>)).

The story became the subject of a US Congressional investigation, documented here: <https://archive.org/details/CIAMedia1978Hearings/page/n3/mod...>

Bernstein's account, "The CIA and the Media" (1977), <https://web.archive.org/web/20071026060752/http://www.carlbe...>

Or that the NSA's capabilities in decoding ecrypted communications had much less to do with superhuman cryptographic hax0ring skillz, and more with flooding the market with affordable, back-doored encryption tools, via Crypto AG, a Swiss front company: <https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-ci...>

At this point, I’m convinced that the web is now sophisticated enough that it’s inherently unsafe, and anyone who wants to track you has a myriad of nuanced ways to probe various technical indicators, timings, and form heuristics about who you might be at the very least.

Considering there are commercial solutions KNOWN to do this today, and do so with staggering accuracy even through VPNs and relays such as Apple’s, it seems like a game that can’t be cat-and-moused anymore.

It’s done, there’s too much exposed information when browsing the web.

Ironically, even Stallman’s technique of emailing webpages to himself to read is risky depending on how the page is sent to him and whether scripts are completely removed or disabled.

It just feels like playing with fire. You always have the chance of being burned. Or rather, the only winning move is to not play.

The last line of your comment appears hypocritical.
Tails OS is still a thing
Expecting otherwise is not reasonable.

Digital privacy does not exist, even for tech savvy people. Anybody saying otherwise is trying to sell you something.