Web fingerprinting is worse than I thought (opens in new tab)

Fingerprinting is doing terrible things for big-tech data collection, and at the same time it's excruciatingly hard to protect against bots, spammers, fraudaters etc without it.

Few people seem to try to reconcile this, since neither side cares about the other.

I personally think that discussion about fingerprinting as raw tech, without mentioning the size of the company collecting the date or the purpose is meaningless, and only leads to a few tech savy users having less data collected on them.

Most people want to use Javascript, use the default setting and not be afraid of clicking on links. I can't really see a good solution without a coordination of regulation and tech standards, so I'm hopeful at least for decent solutions.

Until everyday people realize they’re being stalked, I don’t know what will change. I am seriously thinking about trying to go through the proposition process in my state to forbid selling of data (this should already run afoul of wiretapping laws, imho).

I thought having an ad campaign that targeted subgroups very specifically and boldly might be enough drum up public interest. Something like: “Hello $name from $city. How did $recent_embarrasing_purchase work out? I hope you enjoy your birthday in $birth_month.” And then a link to the proposed policy.

Unfortunately, marketers have neither scruples nor the ability to control themselves and have captured an asymmetric advantage. Technologists do what they do, preoccupied with whether or not they could, not stopping to think if they should. It seems like legislation may be the only remaining option.

Ha! I followed the instructions and went to fingerprint.com and it all 'crashed' because I had JavaScript turned off—that's my normal default setting.

I have five different browsers on my smartphone and three on the PC all sans JS and none of them are Chrome. Also, normal operation is to automatically delete all cookies at session's end.

My smartphone and PCs are de-googleized and firewalled and I never see ads in my browsers nor in apps. The apps are mainly from F-Droid and sans ads and the few Playstore ones I use are via Aurora Store and are firewalled from the internet when in use. Honestly, I cannot remember when I last saw an app display an ad, it has to be years back.

In the past I used to go to more extensive measures to stop the spying but I found it was unnecessary as the spy leakage was essentially negligible with much less stringent efforts.

It's pretty easy to render one's online personal data essentially wothlesss if one wants to. On the other hand if you insist on using JS, Gmail, Google search, Facebook etc. then you're fair game and you only have yourself to blame if your personal data is stolen.

It's important to know that the mentioned "resistFingerprinting" breaks a lot of the web.

Examples include the back button, uploading photos on some websites uploads random data instead of the photo, etc.

Another method for web fingerprinting is called GPU-Fingerprinting [0], codenamed 'DrawnApart', it relies on WebGL to count the number and speed of the execution units in the GPU, measure the time needed to complete vertex renders, handle stall functions, and more stuff..

_______________________

0. https://www.bleepingcomputer.com/news/security/researchers-u...

As the years pass, I keep thinking back and realize that Richard Stallman was right all along:

> For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time.

Why is this being fought with technical measures (which are ineffective and cripple the web as a platform) instead of legal consumer law where you can easily fine and punish companies that do the fingerprinting?

EDIT: Note that you can do BOTH - but one without the other is just a game of whack-a-mole.

Look, forget about threat models. It's relatively trivial these days to avoid fingerprinting attacks if you want to (as a private, web browsing individual).

I use fingerprinting actively in enterprise apps as a form of silent 3FA. It's a useful backstop. If I have a user who forgot their password but retrieves it via email, I'll usually let them pass if their fingerprint matches one of their priors; otherwise my software shoots off an email to their immediate superior to make that manager validate that the machine the employee is using is one they can vouch for.

I've always viewed browser fingerprinting as something that can be leveraged as a security feature. It's far more useful for that than for some sort of distributed tracking. I'd never want to live in a world (ahem ... China) where submitting to such fingerprinting actively was mandatory, or politically punishable if you didn't. No society should be run like an employer/employee organization with that sort of lack of trust. No sane free person would allow their own browser to transmit a fingerprint. But for employer/employee systems management? It's a great tool in the box.

Using the IP address & user agent alone already gives you nearly 100 % accuracy, so the fact that they can re-identify you when these things stay identical isn't surprising at all. I tested that website as well and if you take care to rotate your IP address their re-identification rate becomes abysmal, especially if you're using a privacy-focused browser and extensions like Privacy Badger / uBlock.

I use the usual adblocker UBlock and:

* https://addons.mozilla.org/de/firefox/addon/canvasblocker/

which prevents fingerprinting via Canvas elements, additionally warns you if a site does it. There are more sites out there than you would assume. Some stupid blogs even.

* https://addons.mozilla.org/en-US/firefox/addon/multi-account...

This splits your tabs into different categories, each with their own cookie storage.

The fingerprinting website in the article didn't manage to correlate me visiting the website concurrently from two distinct container tabs.

You can try https://www.amiunique.org/fp to get a view of all params can used to track you

I wish browsers did more to combat this. There should be ways to randomize or normalize every bit of information they try to gather.

If you don't pay attention to it you might be surprised how non dynamic your residential internet last mile DHCP assigned IP really is. It's not uncommon to go many months or a year with having it always renew to the same address. That, combined with all the fingerprinting mentioned in the article...

It is interesting that the site can fingerprint individual profiles/dir easily:

For example

chromium-browser --user-data-dir=/tmp/profile_A

chromium-browser --user-data-dir=/tmp/profile_A --incognito

chromium-browser --user-data-dir=/tmp/profile_B

chromium-browser --user-data-dir=/tmp/profile_B --incognito

For each command + its incognito it can detect them as separate profiles.

For ultimate privacy one needs to everytime launch browser with a new profile.

Even after discovering it is worse than they thought, it remains far worse than the author thinks.

Public knowledge is far behind the actual capabilities in practice.

I don't understand the test on this page. It says we should be worried because a fingerprinting website generates the same hash even after you clear your cache and site-data, and even if you go into a private tab. But I'm not overly concerned by this, provided I share that hash with other people.

The worry would be that the hash is unique to me (i.e. a fingerprint), but I don't see the evidence that it is.

I dont think this is a proper way to test it.

It matters more how unique your fingerprint is than how consistent or reproducible it is. Just testing if you get the same fingerprint back on your second visit doesn't tell you much if you don't know how many people "share" your fingerprint.

As a silly example, if you gave all users the same fingerprint, it would be very consistent but also useless as a tracking method.

Can we fingerprint fingerprinting code and block it? At first glance it seems like code accessing all kinds of unrelated high entropy APIs should be something detectable. But then static analysis might be too hard in face of obfuscation so it would have to be done using dynamic analysis which kind of means you let the fingerprinting happen but are now at least aware of it. So how do you prevent the fingerprint from being used? In principle one could maybe mark values from entropy sources as tainted [1] an taint all the variables potentially influenced by those values and prevent them from leaving the browser. Not sure if this would be practical and I am even more skeptical that this could be easily added to existing browsers.

[1] https://en.wikipedia.org/wiki/Taint_checking

EFF has an excellent tool to check your browser's fingerprint uniqueness:-

https://coveryourtracks.eff.org/

I use a lot of browser extensions. Unfortunately, this makes my browser easily identifiable.

When I switched off fingerprinting in this browser, the font size here on Hacker News changed. I suppose it just uses the user agent to set a certain font size, or does Hacker News track based on fingerprinting?

This author doesn’t seem to know what they’re talking about. Just because the service generated the same ID for their Chromium sessions doesn’t mean that applies to all users’ Chromium sessions. Chromium just exposes more of their machine. My guess is that they, writing a computer-technical blog post, have a particularly unique machine. Even having 16Gb of RAM separates you from the masses and might make you unique depending on graphics card etc..

The fingerprinting discussion is relatively new. The first research paper’s author is only 35 or so. (Its title is Cookie Monster.) The discussion is also a little amusing on a site like Hacker News. A perfect example of someone who’s easy to fingerprint is someone who built their own computer (likely to be found on HN). On the opposite end of the spectrum, Safari iPhone users with the same model are impossible to distinguish.

There’s a paper out there where the researchers worked with a public entity’s website to get more accurate fingerprinting data. There are very few unique fingerprints in reality and therefore no reason for any company to track them. This tech probably won’t ever identify users uniquely.

There are actually some positive aspects of fingerprinting. Tor leaves a very obvious fingerprint, and it’s easy for banks to detect its use by criminals.

I wonder if https://jshelter.org helps with that. And if it's not too slow.

Mull (FF fork on Android) and LibreWolf (FF fork on desktop) has privacy.resistFingerprinting = true by default. Highly recommended!

https://f-droid.org/en/packages/us.spotco.fennec_dos/

https://librewolf.net/

I have a sort of love hate relationhip with this stuff. On the one hand, yes tracking me is bad if I am not aware, but on the other hand I work for a company that uses it's expert knowledge to help consumers purchase the right tools for them. Ideally we would like the end product to reward us for putting them in touch with the right customer that we've used our name to help land. Much like a hairdresser would recommend a certain brand of hairspray, or a mechanic who carries their preferred oil - there is always a need for a middleman 'tell Bob I sent ya!'. Obviously this an exception to a large majority of what tracking is currently in place for, but until we drop the whole 'tracking is bad we should just shut it all down', and start to think of a fair and reasonable way for users to say 'I am ok with company B knowing that I have a relationship with company A' then these increasingly nerfarious tracking efforts will happen.

I'm just guessing here, but I'm fairly sure that they use a model that updates dynamically as the "user" or victim changes his or her web browsing settings, and even when the user tries to hide. It easily sounds like some kind of Bayesian filtering going on, or some sort of Markov Chain or decision tree. That is to say that their model tracks the likelihood that you're the same unique user that reloads the page based on the information it can glean from you.

This makes it exceedingly hard to hide from such a filter, because in communicating with these sites, you are bound to reveal at least some information about yourself. And then the "likelihood-machine" does the rest by connecting the dots, even if you gave them "fewer dots."

It's also quite interesting - or perhaps chilling - to see how fingerprinting through NLP and other language tracking algorithms can also track just about any forum post you do, even if you're using a pseudonym.

Target and the model that found the pregnant girl (bad counter argument here: https://medium.com/@colin.fraser/target-didnt-figure-out-a-t...

There are three options:

1. Prevent/Stop it: This ship sailed long ago. Not to be grim about it but pandoras box got opened.

2. Fight it: Tool up, change your print, your behavior, your place. Build focused VM's that you use per topic. Simply do a WHOLE lot less. In the grand scheme, its a lot of work for low return. Note: there are exceptions.

3. Increase Noise: The whole point of most data collection is to sell more to you. Because most people are sheep, a fairly simple model can be surprisingly accurate (over targeting is an issue). Don't be a sheep, diversify, make more noise in the system, search out side your comfort zone and change it up often.

Well, I'm glad to report that my efforts to fight fingerprinting have paid off.

I use a text based browser, with no js, no cookies, no css, no external requests past the first html page download, no user agent, no etag, I connect through Tor and I've modified the browser to randomize http headers. And of course, it sometimes happens that I want to see something that is refused to me with that configuration (like, seeing anything behind the big internet killer, aka Cloudflare - thanks archive.org for existing), so I have also a classic browser for the occasional lowering of barrier.

At first, I thought fingerprint.com did identify it, giving me the hZ4W5oQ7pJVIHbW2fBXA id. Then I realized it was giving the same id when using curl with and without Tor. Then I realized, by googling and ddging that id that it's the one reported as well to search engines. So it's not unique and it's basically a "dunno" reply.

Oh, finally I found an element of distinguation for the Iphone:

The zoom settings in the display/brightness section of the iphone seem quite relevant for fingerprint.com algorithm.

Toggling between standard/bigger text toggles the fingerprint value.

This could be because the visible area in the screen size changes, as well as some value of the CSS-fingerprint.

Fingerprint.com gives me different IDs across different tabs, and also in private mode. I guess the privacy setup still works somewhat. The stack I use:

- Firefox, Enhanced Tracking Protection ON

- Multi-Account Containers + Temporary Containers addon

- Privacy Settings addon, most settings private, but referrers enabled

- uBO with lots enabled, Decentraleyes addon

The EFF has tried to get folks to pay attention to this for years. See https://coveryourtracks.eff.org/ aka Panopticlick

And it probably understates the problem these days, missing some of the more recent techniques.

Fingerprinting is one of those things where there's really been a slippery slope we've just slid further and further down it over the last decade; back when I worked at an ad-tech startup (almost 15 years ago) I ran an experiment myself with our data to see if a simple hash of IP, browser agent, and maybe a couple other signals we had in our logs (don't recall) would co-relate with the cookies we already had through cookie matching from other sources. And the answer was: yes, about 95% of the time. Enough to be reliable enough to do basic retargeting without worrying about excessive false matches.

But at the time, it was considered to be a big do not touch -- just don't do this. Not so much for ethical reasons, but for optics in the industry. (I wasn't proposing doing it, was just curious)

In the meantime, though, this seems to have just become standard practice, but way more sophisticated with way higher accuracy, as this article touches on.

What was not acceptable a decade ago is now "ok." Not just by sketchy ad startups, but by major players.

But this whole mess ties back to one of the things that worries me the most about the propagation of LLM type ML out into the general industry. It's only a matter of time before ad targeting takes on an extra dimension of creepiness through this (and I'm sure it's already happening in some aspects, inside Google & Meta.)

In the past, in ad tech & search, etc. people could say things like: "Yes, it's highly targeted. Yes we've co-related an absolutely huge quantity of data to fingerprint you exactly, and retarget you. But it's anonymized. No humans saw your personal data. It's just statistics.". Not saying whether or not this argument has merit or not, just repeating it.

But now, here we are, where "just statistics" is a far more intricate learning model. One which is capable not just of corelating your purchases and browsing activity, but of "understanding" you, and which -- while not an AGI -- is pretty damn smart.

At what point does "a computer scanned your browsing for patterns and recommend this TV set" become ethically the same as "a human read your logs, and would like to talk to you about television sets..."?

Having worked in ad-tech before (and having worked at Google, in ads and other things as well), I do not trust the people in that industry to make the right decisions here.

Seems like a disguised ad for that fingerprinting service. Resist fingerprinting was already set to true in my Firefox. "Worse than I thought" apparently means "I thought there was no fingerprinting but I found out there is fingerprinting."

Is anyone trying to tie users to multiple devices, and consequently identify both fingerprints as being from one user? I.e. Let's say I visit HN on both my laptop and on my mobile phone, each will have a very different fingerprint, but not only do I visit the same site on both devices but I am unlikely to do so simultaneously across the two devices, and there are likely to be other factors such as not visiting on either device during sleeping hours, not visiting on either device before some date (i.e. when I got into HN).

Perhaps you could call this something like 'cross-device fingerprint unification', idk.

If I have a certain phone model with updates applied. Is there something that distinguishes me from other people with the same phone and browser version other than the IP address?

"Given there are companies selling fingerprinting as a service, if you want to really protect yourself from fingerprinting, you should use Tor Browser or Firefox with resistFingerprinting=true."

Fingerprinting services tries to figure out browsing settings. Since very few people have this feature enabled. You might be easier to fingerprint by enabling it. A metric that historically been used for fingerprinting is the "do not track" feature which is a bit of irony.

How many websites do you need to visit before being unique in the world?

Say I follow AS Monaco football, then look for Lego Castle figurines and finally visit a forum on Alaskan Malamute dogs. The combination of these three websites is pretty close to unique in the world imho.

Surely most people can be uniquely identified after visiting a couple more, unless we change browser and ip-address and GPU and set resistFingerprinting=true and ... and clear cookies after every website we visit.

The idea of the Incognito mode is, that the website should be unable to detect that you are using the Incognito mode.

There is a bug in Chorme, which I reported, but they told me they will not fix it: https://bugs.chromium.org/p/chromium/issues/detail?id=120485...

On iOS I visited fingerprint.com on safari twice and then opened used Brave with its “Block fingerprinting” setting enabled and it registered it as my third visit! They should label it as “resist” as it’s a lot more honest

And https://www.amiunique.org/ says I’m unique in Brave compared to “nearly” in Safari haha

I think Firefox might actually enable this by default for third party sites, but not 100% what this about:config one does:

  privacy.trackingprotection.fingerprinting.enabled

This would make sense since messing with values for the root frame could cause unwanted side effects, but you're not likely to care if some iframe gets your screen resolution or CPU count wrong.

Strange, `privacy.resistFingerprinting = true` did not solve the issue for me, i'm still fingerprinted by https://fingerprint.com/. Even after clearing all cache and restarting Firefox.

Adding the extensions `Canvasblocker` and `Temporariy Containers` did solve the issue though.

Anyone know if there's been any forks of Chrome that enforce more privacy features? I know Chromium is a thing, but I doubt the builds for Chromium (except when tweaked by some Linux distros) do much like Firefox does.

I only use Chrome to test some things, or to create a completely isolated browser session disconnected from my use of Firefox.

Why do these systems use hash-based fingerprinting? Wouldn't it be "better" to have a "browserspace vector", or "browser embedding"? So that if one fingerprint tactic fails in incognito, you don't completely lose the fingerprint, you just get a slightly different vector?

Is someone here working at apple?

https://niespodd.github.io/webrtc-local-ip-leak/ still? leaks local IP in mobile safari. On browserleaks local ip check fails, giving false feeling of safety.

I remember once in college I'd shared my phone's hotspot to connect a TV to the internet after it had abruptly stopped working. And all of a sudden the ads being shown (on YouTube) switched from the local language to mine, both of which are completely different.

Asking the wider audience here, I have uBlock origin installed on my Chrome browser, while I surf mostly on the incognito mode. I know this is no where close to an optimum setup, hence asking. What setup do you folks use to prevent the best you could from being tracked?

It is even worse than the OP realizes. They should run these EFF tests [1] to see how severe the problem is and that it is practically impossible to combat.

[1] https://coveryourtracks.eff.org/

I tested this myself with librewolf and firefox. Librewolf that is supposed to be hardened and has resistFingerpinting by default couldn't stand a chance. The visitor ID was always the same in Librewolf. In Firefox the visitor ID was always different.

There's a flipside question as well, how many users have the same fingerprint as you?

the problem is that the alternative, that is native applications, is even worse. Let's face it, some level of identification comes with networking, there are ways to anonymize connections, but none is perfect.

Tracking should be limited with legal means.

As another vote against JS, this website is able to accurately tell at least half of the extensions I have installed on chrome.

https://browserleaks.com/chrome

I just tried to turn on `resistFingerprinting` in Firefox and it meant that my zoom preference for HN got reset every time I opened a new page (I have it set to 120% by default). Anyone know why? Bug?

I guess we could hijack our browsers to lie about the parameters that are being collected at the fingerprinting, that would be far more convenient than disable JS etc.

EDIT: Or block the extraction

If you buy two of the same exact model iPhone and boot/config IDENTICALLY, on the same Wi-Fi network, they would have the same fingerprint, right?

Tested fingerprint.com with Vivaldi Mobile and it didn't correlate me across a norm tab and an Incognito one, so it's not fool foolproof...

From my testing, this doesn't seem to work on Safari. But it actually works on Chrome. Another reason for using Safari instead of Chrome.

I find it scary coming back to the fingerprint.js site after years and still being correctly identified and see the exact dates I visited

Actually quite surprised to see that this identifies me on Safari in Incognito, after visiting in regular mode first.

Damn yea I didn't know it was so easy to do in practice (I just heard about theoretical approaches)

It is sad that Brave + uBlock Origin + DDG Privacy Essentials does not seem to be able to fight this.

I tested it on Brave mobile (Android) and I got different fingerprint each time

the demo got my browser totally wrong. it has me showing up in various places around the country and I don't use a VPN. One of the dates I was out of the country and my laptop was at home, turned off

“Worlds most accurate”: Source, fingerprintjs. Sounds legit.

I was able to "trick" the fingerprint.com test by opening it first with firefox, then with tor browser. Gave two different visitor IDs. So as suspected, it largely relies on IP address.

It would be nice to have also the Safari evaluation.

with resist fingerprinting enabled in FF, it resets the zoom level i have set on each individual site, so it's just annoying.

In hindsight it’s clear. Why did we allow the web advertising mega corp to own the browser we use? Huge conflict of interest. There’s no way our privacy was going to survive.

We use web fingerprinting and adjacent methods to crack down on ID sharing for our SaaS that charges (per person). I make no apologies for this practice.

What is the use case for these fingerprints when adhering to the GDPR? You can't store them in a DB and use them to target your returning anonymous visitor with products relevant to their last visit. You can't send them to a third party ad service to get more relevant ads. Isn't the whole point of the fingerprint to maintain an pseudonym for your users over some time window? But that requires storing them which would be against the GDPR?

Surely if your website collects data using browser fingerprinting this is covered by GDPR and you have to tell your visitors/ask for permission?

https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-finge...

What the world needs:

<body onload="javascript.disable()">

GDPR should have been approached at browser level. But there would not have been money to make for those that provide "compliant" banners. I guess the economy needed the stimulus.

Note also: As the number of APIs increases, so does the fingerprinting. E.g. MIDI device enumeration (no prompt in Chrome, prompt in FF, not implemented in Safari): https://twitter.com/denschub/status/1582730985778556931?s=20

Is there a firecracker VM or something similar that comes preconfigured with a browser and VNC/RDP that can be used like a native browser but is running in a VM that's not fingerprintable?

For anyone who this is news to: This is why I always call the "I don't care about cookies" extension an adtech submarine, because it deceives you into thinking it’s all about cookies, when the permission you give automatically in many cases are about tracking, so using that extension will often have you consent that fingerprinting you and creating a profile based on that is perfectly fine.

"That's how web works."

Nah. I make an HTTP request and I get a response. That's how the web works. Perhaps people can have different opinions on "how the web works".

Web fingerprinting relies on a heap of assumptions. For example, that someone uses a web browser to make HTTP requests, that the web browser sends certain HTTP headers in a certain order, that the web browser runs Javascript, that it processes cookies, recognises HSTS response headers, and so on and so on.

If all the assumptions are true, maybe web fingerprinting is effective. But if the assumptions fail, maybe web fingerprinting does not work so well.

I have only ever read blog posts about web fingerprinting that take all the assumptions as true.

The majority of traffic on the internet is said to be "bots". Not web browsers running Javascript, processing cookies, and so on.

It seems to me that someone should discuss what happens when the assumptions fail.

Do advertisers care about computer users who do not use graphical browsers much. As such a user, IME, the answer is no.

(Interesting to see how defensive replies get. It's obvious the "tech" crowd intent to spy on web users is heavily reliant on certain assumptions to remain true forever. It shows that there is necessary pressure to keep web users using a "preferred" web browser and web ""features" that will subject them to "web fingerprinting". Perhaps the assumptions will always be true, conditions will never change, in the same way that interest rates could never change.)