Everyone talks about how evil browser fingerprinting is, and it is, but I don’t get why people are only blaming the companies doing it and not putting equal blame on browsers for letting it happen.
Go to Am I Unique and look at the kind of data browsers let JavaScript access unconditionally with no user prompting. Here’s a selection of ridiculous ones that pretty much no website needs:
- Your operating system (Isn’t the whole damn point of the internet that it’s platform independent?)
- Your CPU architecture (JS runs on the most virtual of virtual environments why the hell does it need to know what processor you have?)
- Your JS interpreter’s version and build ID
- List of plugins you have installed
- List of extensions you have installed
- Your accelerometer and gyroscope (so any website can figure out what you’re doing by analyzing how you move your phone, i.e. running vs walking vs driving vs standing still)
- Your magnetic field sensor AKA the phone’s compass (so websites can figure out which direction you’re facing)
- Your proximity sensor
- Your keyboard layout
- How your mouse moves every moment it’s in the webpage window, including how far you scroll, what bit of text you hovered on or selected, both left and right clicks, etc.
- Everything you type on your keyboard when the window is active. You don’t need to be typing into a text box or anything, you can set a general event listener for keystrokes like you can for the mouse.
If you’re wondering how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways for each device, but websites could just as easily straight up record those sensors without you knowing. It’s not a lot of data all things considered so you likely wouldn’t notice.
Also, canvas and webGL rendering differences are each more than enough to 100% identify your browser instance. Not a bit of effort put into making their results more consistent I guess.
All of these are accessible to any website by default. Actually, there’s not even a way to turn most of these off. WHY?! All of these are niche features that only a tiny fraction of websites need. Browser companies know that fingerprinting is a problem and have done nothing about it. Not even Firefox.
Why is the web, where you’re by far the most likely to execute malicious code, not built on zero trust policies? Let me allow the functionality I need on a per site basis.
Fuck everything about modern websites.
You must log in or register to comment.
Removed by mod
There’s 2 separate universes here.
Devs and tech companies care only for UX, convenience, and reduced friction to use any service. They would put their granny’s home address and SSN in the headers if it made a page load 10ms faster. Their incentives are all short-sighted to hit the next goal to outcompete other devs/companies and ship their end of history killer app that will solve all problems - and that will still get bloated and enshittified within 18 months.
Then there’s us, a subset of rational people educated about how much data gets transmitted, who are horrified by the general state of being online, and are hard to impress when it comes to more than just saying “privacy!” when promoting anything at all.
IMO, we have to DIY and cobble together so much of our own protection, we’re closer to artists that live a strange life that few people understand, seems weird from the outside, but we love for the peace of mind. Which is not enough to be any appreciable segment of the market to move the needle on any product worth real money.
They would put their granny’s home address and SSN in the headers if it made a page load 10ms faster.
Have they ever considered that pages would load faster if they didn’t include 20MB of JavaScript?
Just yesterday I was on a news website. I wanted to support it and the author of the piece so I opened a clean session of firefox. No extensions or blocking of any kind.
The “initial” payload (i.e. after I lost patience approximately 30s after initial page load and decided to call a number) was 14.79MB transferred. But the traffic never stopped. In the network view you could see the browser continually running ad auctions and about every 15s the ads on the page would cycle. The combination of auctions and ads on my screen kept that tab fully occupied at 25-40% of my CPU. Firefox self-reported the tab as taking over 400MB of RAM.
This was so egregious that I had to run one simple test. I set my DNS on my desktop to my PiHole and re-ran my experiment.
Initial payload went from almost 14.79 -> 4.00MB (much of which was fonts and oversized images to preview other articles). And the page took 1/4 the RAM and almost no CPU anymore.
Modern web is dogshit.
This was the website in question. https://www.thenation.com/article/politics/welcomefest-dispatch-centrism-abundance/
Dude. I thought That was bad. Just now I went to arstechnica to view one article and I did the same thing to “support” the site. It was 36MB in one minute.
Yes, but the manager with a shitty MBA doesn’t care about overall company appearance of performance, as long as their department looks good on paper. And they figured that would be easier by using four different external libraries, and then let another department figure out the rest.
Yeah, this is so fucked up ! When you archive reddit pages, those are over 20 fucking MB for just a conversation ! That’s fucking insane…
I can reduce it to less than 500KB with alternative frontends, but still… This makes absolutely no sense and I’m scared to find out what they are hiding in between all those lines of code !
IMO, we have to DIY and cobble together so much of our own protection, we’re closer to artists that live a strange life that few people understand, seems weird from the outside, but we love for the peace of mind.
That’s beautiful
we’re closer to artists that live a strange life that few people understand, seems weird from the outside
Wow! That’s a great way to put it!
Now I understand why my neighbors look at me like I’m one of the guys performing this act:
This is why using a local web proxy is a good idea; it can standardize those responses (or randomize them) no matter what you’re actually using.
Personally, I keep JavaScript disabled by default specifically because of this, and turn on those features per-site. So if a website has a script that requires the accelerometer for what it does, that script gets to use it. Other sites keep asking for it? I suppress the requests on that site and if it fails to operate (throws one of those ad blocker or “you have JS disabled errors), I just stop going to the site.
I’ve found that with everything disabled by default, browsing the web is generally a pleasant experience… until it isn’t.
This of course requires using a JS management extension. What I’d really like to see is a browser that defaults to everything disabled, and if a site requests something, have the browser ask for permission to turn on the feature for that particular script, showing the URL for the script and describing what the code does that needs the permission. This seems like an obvious use for locally run AI models.
Let’s hope ladybird implement something like that
This of course requires using a JS management extension.
What’s a good extension for this? What do you use?
Depends on the browser/OS.
My go-to for general browsing is Firefox with uBlock Origin and NoScript, which I also use in Edge; I have a few browsers that are still using uMatrix, and I have a proxy filter that strips calls to .js URLs by default except for specifically allowed URLs.
Thanks!
- Your operating system
- Your CPU architecture
Agree. No reason they should have this.
- Your JS interpreter’s version and build ID
I can see a reasonable argument for this being allowed. Feature detection should make this unnecessary, but it doesn’t seem to be fully supported yet.
- Plugins & Extensions
This is clearly a break of the browser sandbox and should require explicit permission at the very least (if not be blocked outright…I’m curious what the legitimate uses for these would be).
- Accelerometer and gyroscope & magnetic field sensor
Should probably be tied to location permission, for the sake of a simple UX.
- Proximity sensor
Definitely potential legitimate reasons for this, but it shouldn’t be by default.
- Keyboard layout
As someone who uses a non-QWERTY (and non-QWERTY-based) layout, this is one I have quite a stake in. The bottom line is that even without directly being able to obtain this, a site can very easily indirectly obtain it anyway, thanks to the difference between
event.codeandevent.key. And that difference is important, because there are some cases where it’s better to use one or the other. A browser-based game, for example, probably wants to useevent.codeso the user can move around based on whereWASDwould be on a QWERTY keyboard, even though as a Dvorak user, for me that would be<AOE. But keyboard shortcuts likeJandKfor “next”/“previous” item should usually useevent.key.There could/should be a browser setting somewhere, or an extension, that can hide this from sites. But it is far too useful, relative to its fingerprinting value, to restrict for ordinary users.
how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways
It’s also simple presence detection. “You have a proximity sensor” is a result not every browser will have, so it helps narrow down a specific browser.
Operating system and CPU architecture are useful for sites to serve the correct binaries when a user is downloading an application. I know you could just give them all the options, but the average idiot has no idea what the difference between ARM and x86 is, or whether they have a 64 bit system. Hell, I wouldn’t even trust some users to accurately tell me what operating system they’re using.
Operating system and CPU architecture are useful for sites to serve the correct binaries when a user is downloading an application.
Barely. You could trim down the data to incredibly low granularity (“OS: Windows”, “CPU: Intel Desktop”) and you’d still get the exact same binary as 99% of the people 99% of the time, anyway.
Oh yes, that’s a very good point, actually. That actually seems such a fundamental use case that you could almost justify it being available without a permission.
No. It should be made available with a permission, because not every site out there is going to offer you to download binaries. 1% of the web “”“requiring”“” this does not justify 99% of the web being able to violate that privacy.
Reread the comment you replied to. Not one word of it was in there accidentally.
Good catch. Still, doesn’t make it true either: it’s not such a “fundamental use case” that it would even require the capability. The browser already reports the usable information in the user agent (you rarely even in that 1% need more specificity than “Windows” on “Desktop Intel”).
Plugins and extensions could make sense if the site and plugin are designed to talk to each other. But that could be made safer by each extension being able to decide whether to announce itself (and the user being able to override that).
Maybe, but I’d like to see a concrete example of how they are “designed to talk to each other” that couldn’t be achieved by the extension just reading the DOM.
Most of those crying about this are likely still stuck on the easy stuff, trapped in WhatsApp, Discord and iOS. Try start there.
Is this true for TOR?
Just tried it. Am I Unique says yes.
Tor still reports your operating system and processor architecture which is dumb as hell. If you’re on Linux for example, that’s probably one of the biggest things making you unique. Why not just make everyone “Windows x64” since that’s the most common?
It also still reports extensions. Apparently it’s definitely possible to tell vanilla Tor and Tails users apart because Tails has uBlock Origin installed by default, and the generally accepted advice is to never install extensions on Tor, one reason being it could make you unique.
Also, apparently the default window size Tor chooses in an attempt to prevent the window size from being used in fingerprinting isn’t all that common, I got 1% and 5% on screen width and height respectively.
Tor doesn’t seem to have WebGL enabled by default so it can’t be used to fingerprint (though having it disabled is unique in itself).
Tor’s canvas data is unique but I’ve heard that it generates a new canvas fingerprint each time you restart it. I don’t know if that’s true or how well it works though.
Tor, like every other browser, also has something called “audio data” that’s a weird graph of numbers without units. No browser I’ve seen has ever not been unique for that category and Tor is no different. I didn’t mention it in the post because I don’t know what it is or if it has a genuine purpose or not.
I didn’t try Tor on my phone but I would hope it would block sensor access?
Awesome, thanks for sharing.
It’s generally okay to have uBlock on the Tor Browser as your only extension, as it’s not uncommon (Mullvad Browser also has uBlock and it’s based on Tor Browser). Although it might be a good idea to keep its settings untouched.
I suppose it also still has noscript enabled by default (preventing the execution of javascript).
That works for me, but how do the browser builders achieve that privacy AND retain at least reasonable useability for normal / majority users?
That a page knows technical details of my system and in which I live country (if I do not use a VPN), I give a fuck, why this only serves to correctly show the content, eventually in my language and allow the download of possible compatible apps.
Fingerprints are a very broad issue and are not necessarily related to privacy, blocking or counterfeiting all is possible, but in many cases counterproductive, it must be done specifically only in those that involve private and personal data, everything else is to put a tin foil hat.
To protect the privacy there are needed way more measures, avoiding trackers, Pixel tracking (Meta), keyloggers (Towerdata, Imgur, M$ US and some others), avoiding search engines which logs the activity (Google, Bing…), recognize dark pattern, using encrypted mailservices, best with disposable alias, harden the SO with Portmaster, Pi-ole or similar…apart of Common sense-
Browsers, which are not directly from Big Corporations which itself log user actividad (Chrome, EDGE, Opera…), are relative irrelevant in this game of user profiling, they are only depends on personal preferences and needs.
Privacy is a huge issue, but too often misunderstood with wrong measures, PEBCAK
