48 comments

[ 3.0 ms ] story [ 76.5 ms ] thread
Would be curious how Brave handles fingerprinting, I’ll have to look into that.
Isn't fingerprinting covered by GDPR in a similar way to how cookies are? So in theory you should be able to opt out, at least as an EU user.
How does web fingerprinting work with things like iPhones, where many people have the same screen, browser, os version, etc?
Not as well. This is especially true for iPhones where there are fewer SKUs and aggressively pushed updates.
Adding the other side; we use ja3/ja4 * for rate limiting and it works a treat, especially when we set our rate limits to much higher than normal traffic.

I've pushed back any attempts for any kind of tracking for business purposes (e.g. fancy charts).

* ja3 seems to be slightly better, ja4 sometimes groups too many "people".

Edit* Title also needs (2023).

Browser fingerprinting is one of those things that should be outright illegal - it is far more of a threat than tracking cookies ever were. But it hasn't permeated the public consciousness like cookies have, so regulators seem to ignore it.
It can't be made entirely illegal so IMO a better way would be to remove or restrict the APIs that fingerprinting scripts abuse. Make browsers hypertext viewers again!
The Internet is a war zone: demanding made up rules for behavior online is as ineffectual as pleading for peace with the enemy during battle. Strap on a helmet if you're shell-shocked.
I just tried this with the Firefox setting recommended in the article, with and without a VPN, and it still recognised me. Any other tips?
This isn't exactly browser fingerprinting (though it may involve browser fingerprinting.) But the biggest open question I have right now is: what is Meta doing to get around Apple's iOS privacy protections?

A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates were successful. But if this is true, nobody has much written about it.

>what is Meta doing to get around Apple's iOS privacy protections?

A strong relationship to Apple and cross-value marketing.

Surely these rules only apply to middle sized and smaller companies. We've seen Apple get caught bending the rules for big players, even if they don't admit it.

"But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see."

My "rugged" browser for regular browsing has plug-ins that randomize all this data.

> what is Meta doing to get around Apple's iOS privacy protections?

Money always finds a way. Everyone thought the changes made a few years ago would hurt Meta but they make $70 billion net profit. At a minimum, they only need a good relationship with advertisers, and a (sort of measurable) increase from a campaign. Also ads are different now. One address may see the same five seconds of an ad hundreds of times. That is a much easier ecosystem to correlate targets through data enrichment.

People who are recommending Tor/torBrowser the last versions are enabling system spoofing which helps to fingerprints you. Also Javascript can just help to fingerprint you easily even if the browser doesn't
title should mention this is from March 2023
So, one thing I don't quite get about fingerprinting:

> For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details

If, for example, I upgrade my web browser in two weeks (i.e. I get a new version number), doesn't that mean that the site has lost me?

Sites like https://coveryourtracks.eff.org seem to focus on how unique your fingerprint is, but doesn't it also matter how stable it is over time?

It depends if they hash the data points or send them unprocessed. If they're unprocessed, they can associate two fingerprints where only the browser has changed.
> go to about:config and setting privacy.resistFingerprinting = true in your Firefox browser

Two questions jump to mind:

Why isn't this the default in Firefox?

What is the downside? I.e., what can break by enabling this parameter?

This doesn’t work on my iPhone in Safari
I'm considering it a good thing at this point that I'm getting captcha-walled with increasing frequency. It means that my setup and behavior looks more like the billions of anonymous bots flooding the web rather than a lucrative mark.
You should share details on your setup.
Same, but to access so many websites now, you have to turn on JS (i.e. turn on fingerprinting). Even for sites where this isn't on purpose, it's true because they're behind Cloudflare.
I tried the demo, fingerprint.com, in:

  - Safari
  - Safari private mode
  - Chrome private mode
and it was not able to identify me across those.

I then tried

  - Chrome (normal, non-private mode)
and it did identify that as a repeat Chrome visit.

Does Safari have better privacy than Chrome?

It's really "cool" when you get vendors like 6sense that combine browser fingerprinting with semi-licit data brokers to do full deanonymization of visitor traffic. Why bother doing marketing when you can just get a report of the name, email address, mailing address, and creditworthiness of every person who's visited your website?

I've seen people argue with a straight face that these tools and their reports don't run afoul of GDPR/CCPA because they don't involve information that a user gave you on purpose, so it's not protected. Ghouls, all of them.

I turned on resistfingerprinting and started getting sites in light mode. The horror!

This doesn't look to be among the available toggles, and I hope that changes. I realize the light/dark setting is a data point for fingerprinting, but it's also something I have a genuine strong preference about.

This really saddens me. The fingerprinting even works when using Mullvad browser with VPN. I am so tired of this new internet, I hope someone is working on figuring out an alternative to this type of fingerprinting. I understand it is a cat and mouse game, but whatever, this is absolutely shitty.

I was wondering why can't browsers just fake the hardware (assuming that is what it is using to recognize)? I understand sometimes these javascripts run some type of algorithm to detect how fast it was processed to fingerprint, but even those could potentially be faked by the browser. Is anyone working on such stuff?

Bigger question: why isn't Firefox and Tor Browser modifying the JavaScript reporting calls to lie?

All machines would have 16 cores and 32GB ram, running windows 10, and 1 point-touch or mouse. And the resolution would also be fixed as reporting, and only on client would change.

The user-agent should be acting on our behalf. So, why isn't it (Firefox, TBB) utterly lying and acting in our interest? We know why Chrome wouldn't.

Tor also gave up this web fingerprinting fight without even really trying. Editing the JavaScript calls to consistently lie the same way was "too hard". https://m.youtube.com/watch?v=3wlNemFwbwE

I cleared my cookies, went to private mode (on Edge) and fingerprint.com knew it was me. Now I wonder how much was a good guess from IP address and things that are other than browser-supplied information.