* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
My browser fingerprint was unique among the visitors in the past 45 days.
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
Anyway, if you really want to know what your browser is sending:
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
That checks out. I think what I have is similar to a graphics card but isn't quite.
> San Pablo, California, United States > You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk
- Some of the numbers are off, eg - low contrast in dark mode makes text hard to readI lasted 4 seconds on your page.
The fact that it begins with my IP address reminds me of those dubious VPN ads.
City is wrong, I may speak English but it's not my native language.
As other people said, there are much better pages showing you your browser fingerprint.
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
Firefox on Android with ublock
First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although its annoying when I connected to a VPN to Steam it’ll often show my prices in Canadian dollars instead of USD.
It’s been a long time my 2016’ iPhone as been called recent or high-end but I’ll take the compliment, thank-you.
Thanks op for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Lets hope you're hear to stay and fight for our privacy alongside us.
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, ublock origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla(Mullvad) VPN for uncontrolled WiFi access points for my jnrootabke android device and mostly signal for comms.
I'm getting to old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
https://institut-fdh.de/?2026-aya
There's also this well known page which does the exact same thing in a more ordered way:
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
>The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
does the same or better, without AI regurgitation and a WordPress theme.
Also we should disable referrer field.
This phenonemon is much older than "browser fingerprinting"
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
This is surely only partially true.
Of course the browser knows my IP and language. Nothing on this page is really surprising
Terrible company-at least you know you are testing what is being used.
> You left for 6.3 seconds. We noticed.
https://news.ycombinator.com/threads?id=mwheelz
Mods, is there something we should know? Is there maybe a reason to stay away from the linked website?
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
- Reverse IP/geocode (while be cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queriable with JS.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
It's almost like web devs don't know the concept of traveling outside ones county.
My general location is also wrong.
This site's theme is barely visible.
And the entire idea for the site is at least couple decades old.
Unoriginal slop.
I get the point, but I think the EFF Panopticon page is a better representation of browser fingerprinting and how it works, because most of the things shared are really basic elements of data that aren't personally identifiable. You can absolutely fingerprint Firefox with a default config, so obviously this was vibe-coded and just doesn't do much. Cool, you did a GeoIP lookup, read the user-agent, the referrer header, and the accessibility data, exactly zero of that should be surprising to anyone that knows how you access a website.
Not quite, I'm on a 2016 iPhone SE
Uhm... how did I get to the bottom if I scrolled 0%?
This is out of control, and y'all just comment these threads as if they're made by humans.
Are we supposed to care?
peoples obsession with 100% privacy while operating in a public space is immature. if you're that risk averse dont connect to the internet.