Further evidence that a Republican government in the USA results in private organisations pushing the bar as far as they can.
In Reagan’s time it was Wall Street. Now it’s Silicon Valley.
You want private organisations working for your benefit and not that of their shareholders? You need a government that actually has the gumption to challenge them. The current US government is 4 years of a surrender flag flying on the white house.
Or we could bin off this fucking failed neoliberal experiment, but that’s apparently a bit controversial for far too many people
Having the gall to suggest we not allow less than 3000 people to own all of the worlds supply lines, media platforms, institutional wealth, construction companies, dissemination platforms, politicians, private equity firms and the single largest interconnected (private or otherwise) espionage and social engineering plot known to mankind?
You fucking tanky you! Go back to Russia!!!
Republicans aren’t the problem here, they’re a natural result of a two party system. If you have a coin, half the time you’ll get the “good” side, and half the time you’ll get the “bad.”
And this isn’t to say either side is consistently “good” or “bad,” parties rarely stick anything. The deregulation you’re complaining about started under Jimmy Carter, affectionately called “the great deregulator.” In fact, many (most?) of Carter’s changes took effect during Reagan’s term, and it was incredibly successful.
However, for some reason Democrats are now against deregulation, probably because Republicans took the credit and Democrats needed to rebrand.
That doesn’t imply that Trump’s deregulation is “good,” it just means deregulation isn’t inherently “bad.”
Just in time for their prophet, Curtis Yarvin, to be pushing a full-scale surveillance state!
Googlers aren’t on our side. They want to rule. They think being a fucking admin on a server makes them cut out to run society.
They want to tear down democracy and basically replace it with administrator rules and access control lists.
Googlers aren’t on our side
They never were, out interests just aligned while they were growing market share. They have that now, so there’s no more reason to stay aligned.
Corporations aren’t your friend, but they can be momentary allies. People should’ve bailed once IE was dethroned, but here we are…
And yet the normie still has nothing to hide…
Adult People accepting these material conditions disgust me.
But as society we got what we deserve, get fucked by daddy and asking for seconds because convenience and you can’t expect a peasant to have any agency
Not sure why youre being downvoted your not wrong. The peasants need to sack up and help dismantle this shit
These statements appear to be insulting to them?
However, clearly politely explaining shit to them doesn’t work so I am just shit posting until I am dead or we hit critical mass of freedom enjoyers which ever one comes first.
You’d THINK the article would link to a source about the fingerprinting in question instead of 90% filler slop and ads for their own service… Anyone got a link?
What is it you’re looking for? Do you want to know what kinds of information is used for fingerprinting?
If so, check out coveryourtracks.eff.org and amiunique.org.
I’m aware of fingerprinting techniques, thank you. The article is claiming that Google will start using some of those and I’m looking for the source for that claim, hopefully with specifics about which techniques are involved. Confusingly, the article does not appear to provide such a source.
Thanks – that’s an announcement about policy updates. I already read it and it says nothing about fingerprinting. The only change to underlying technologies it mentions is the use of e.g. trusted execution environments (the doc for which, per a further link, is in fact on github). Those seem to claim that they let announcers run ad campaigns through Google ads while keeping their campaign data provably locked away from Google. So, basically, all these links are about purported “privacy-enhancing” techs, and you’d be forgiven for taking that with an enormous grain of salt, but either way, nothing in there about fingerprinting.
The Guardian article basically paraphrases the Tuta one – or it’s the other way around, maybe – but does also not provide actual sources.
I just want a source on what fingerprinting Tuta is claiming Google will start using. I feel like the details of the purported fingerprinting techniques should be front and center to this discussion and I’m frustrated that the article entirely fails to provide that info.
Yeah I also looked into it and there seems no concrete information on that, just speculation about the policy change, like this one:
“While Google doesn’t explicitly state that IP addresses and other fingerprint methods are now allowed, the Privacy Disclosure section of Google’s February 16th Platforms Program Policies now explicitly mentions ‘cookies, web beacons, IP addresses, or other identifiers.’”
When you dive into it, it does look more like companies that sell encryption and VPNs using some potential danger to get more subscribers.
Ah, that Techlicious link is a great find, thanks. It does lay out clearly what the theoretical concern is. That’s still a far cry from the “Google will start fingerprintint you” scenario that seems to have people up in arms.
Thanks for digging out this link, I really appreciate it.
We need Richard Hendricks and his new internet asap
What’s this about? Fill me in? 🙏
Which is why I had hoped the EU would ban all forms of fingerprinting and non-essential data tracking. But they somehow got lobbied into selecting cookies as the only possible mechanism that can be used, leaving ample room to track using other methods.
How would that even be enforced?
same way other regulations are enforced: fines
How do you prove they’re doing it?
They’re making money aren’t they? They have to be doing something weird.
If you have reason to believe they are, you explain that reasoning to a court and if the reasoning is sufficiently persuasive the company can be compelled to provide internal information that could show whatever is going on.
Hiding this information or destroying it typically carries personal penalties for the individuals involved in it’s destruction, as well as itself being evidence against the organization. “If your company didn’t collect this information, why are four IT administrators and their manager serving 10 years in prison for intentionally deleting relevant business records?”The courts are allowed to go through your stuff.
Investigation, witnesses, gather evidence, build a case and present the evidence. Same as any other thing.
I don’t get why this would be harder to prove than other things?
That might work if the fine was say $1.5 B
The European Commission has fined Apple over €1.8 billion for abusing its dominant position on the market for the distribution of music streaming apps to iPhone and iPad users (‘iOS users’) through its App Store
EU knows how to get it done
God bless those European MF’rs
But why would any browser accept access to those metadata so freely? I get that programming languages can find out about the environment they are operating in, but why would a browser agree to something like reading installed fonts or extensions without asking the user first? I understand why Chrome does this, but all of the mayor ones and even Firefox?
Because the data used in browser fingerprinting is also used to render pages. Example: a site needs to know the size of browser window to properly fit all design elements.
I fucking hate this. Let me zoom, stop reacting and centering omfg.
Just for an example that isn’t visible to the user: the server needs to know how it can communicate responses to the browser.
So it’s not just “what fonts do you have”, it also needs to know "what type of image can you render? What type of data compression do you speak? Can I hold this connection open for a few seconds to avoid having to spend a bunch of time establishing a new connection? We all agree that basic text can be represented using 7-bit ASCII, but can you parse something from this millennium?”.Beyond that there’s all the parameters of the actual connection that lives beneath http. What tls ciphers do you support? What extensions?
The exposure of the basic information needed to make a request reveals information which may be sufficient to significantly track a user.
Firefox has built-in tracking protection.
I know that it has that in theory, but my Firefox just reached a lower score on https://coveryourtracks.eff.org/ (which was posted in this threat, thanks!) than a Safari. Firefox has good tracking protection but has an absolute unique fingerprint, was 100% identifiable as the first on the site, as to Safari, which scored a bit less in tracking but had a not unique fingerprint.
Probably because Safari is default macOS and most people leave it at default settings. I doubt Apple is doing anything special here.
Apple is doing good on the privacy browser front because it makes the data they collect more valuable
Digital fingerprinting is a method of data collection – one that in the past has been refused by Google itself because it “subverts user choice and is wrong.” But, we all remember that Google removed “Don’t be evil” from its Code of Conduct in 2018. Now, the Silicon Valley tech giant has taken the next step by introducing digital fingerprinting.
Oh, forgot to mention - we’re evil now. Ha! Okay, into the chutes.
Google removed “Don’t be evil”
Still parading that lie around? It’s easily verified as false. Their code of conduct ends with:
And remember… don’t be evil, and if you see something that you think isn’t right – speak up!
Still parading that lie around? It was removed and then added back later.
It was removed and then added back later
Really? Because the articles that noticed it back then said it was retained at the end of the document, it was only removed from the preface:
https://www.searchenginejournal.com/google-dont-be-evil/254019/
https://gizmodo.com/google-removes-nearly-all-mentions-of-dont-be-evil-from-1826153393
PiHole
AdAway
Burn the ads down.
Sadly, neither will truly protect you from fingerprinting.
They can block domains known to collect fingerprinting data but yes, they don’t block fingerprinting itself.
When you go to The Verge and there’s a full-screen pop-up about “our 872 partners store and access personal data, like browsing data or unique identifiers” those are all databrokers, and it’s not just them, it’s a fucking epidemic on the internet of sites that sell user data. The web has a cancer and it’s called advertising.
PopUpOff gets rid of the box on most sites without having to give your consent. Can’t remember the last time an annoying cookie disclaimer blocked me from web content.
I wasn’t complaining about annoying cookie banners, I was complaining about data collection.
You can get rid of cookie banners with a normal ad blocker like uBO
deleted by creator
Like, why not? The article says:
“And this is exactly why Google wants to use digital fingerprinting: It is way more powerful than cookie-based tracking, and it can’t be blocked for instance by switching to a privacy-first browser.”
If I use Firefox and Firefox doesn’t send any fingerprint to the website, then how is it identifying me?
I get that if you use Android (which is normally tied to Google), you’re still subject to see it on Google websites, but how will it work otherwise?
This website explains it: https://pixelprivacy.com/resources/browser-fingerprinting/
Basically you send your user agent, browser and OS configuration like screen resolution, your primary system language, timezone, installed plugins and so forth as you browse the internet. Not so easy to block. In fact, avoiding fingerprinting 100% is almost impossible, because there are so many configurations. It is hard not be somewhat unique. Still there are ways to minimize the identifying information. Using Firefox, this is what you might want to read: https://support.mozilla.org/en-US/kb/resist-fingerprinting. Note, though, that even there it says that such techniques can “help prevent websites from uniquely identifying you”, not prevent it entirely.
Good thing I erased Google out of my life a decade ago meaning I can much easier block even more of their everywhere present garbage and not have issues.
Ditching gmail remains one of the best choices I’ve made in years.
What did you switch to?
Our work is switching from them and god damn they are so good at things though. I always disliked labels but the layout is top tier.
But yeah they are awful people
Dropped your 👑, king
Beware, the current administration might send you to Gitmo if you don’t kneel to King Trump!
So I guess for Firefox users it’s time to enable the resist fingerprinting option ? https://support.mozilla.org/en-US/kb/resist-fingerprinting
It annoys me that this is not on by default…
It’s a nice feature for those that actively enable it and know that it’s enabled, but not for the average user. Most people never change the default settings. Firefox breaking stuff by default would only decrease their market share even further. And this breaks so much stuff. Weird stuff. The average user wants a browser that “just works” and would simply just switch back to Chrome if their favourite website didn’t work as expected after installing Firefox. Chrome can be used by people who don’t even know what a browser is.
You can also use canvas blocker add-on.
Use their containers (firefox multi-account container add-on) feature and make a google container so that all google domains go to that container.
If you want to get crazy, in either set in about:config or make yourself a user.is file in your Firefox profile directory and eliminate all communication with google. And some other privacy tweaks below.
google shit and some extra privacy/security settings
Google domains and services:
user_pref(“browser.safebrowsing.allowOverride”, false);
user_pref(“browser.safebrowsing.blockedURIs.enabled”, false);
user_pref(“browser.safebrowsing.downloads.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_dangerous_host”, false);
user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false):
user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);
user_pref(“browser.safebrowsing.downloads.remote.enabled”, false);
user_pref(“browser.safebrowsing.downloads.remote.url”, “”);
user_pref(“browser.safebrowsing.malware.enabled”, false);
user_pref(“browser.safebrowsing.phishing.enabled”, false);
user_pref(“browser.safebrowsing.provider.google.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google.lists”, “”);
user_pref(“browser.safebrowsing.provider.google.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google.updateURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryName”, “”);
user_pref(“browser.safebrowsing.provider.google4.advisoryURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.dataSharingURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.gethashURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.lists”, “”);
user_pref(“browser.safebrowsing.provider.google4.pver”, “”);
user_pref(“browser.safebrowsing.provider.google4.reportURL”, “”);
user_pref(“browser.safebrowsing.provider.google4.updateURL”, “”);Privacy and security stuff:
user_pref(“dom.push.enabled”, false);
user_pref(“dom.push.connection.enabled”, false);user_pref(“layout.css.visited_links_enabled”, false);
user_pref(“media.navigator.enabled”, false);user_pref(“network.proxy.allow_bypass”, false);
user_pref(“network.proxy.failover_direct”, false);
user_pref(“network.http.referer.spoofSource”, true);user_pref(“security.ssl.disable_session_identifiers”, true);
user_pref(“security.ssl.enable_false_start”, false);
user_pref(“security.ssl.treat_unsafe_negotiation_as_broken”, true);
user_pref(“security.tls.enable_0rtt_data”, false);user_pref(“privacy.partition.network_state.connection_with_proxy”, true);
user_pref(“privacy.resistFingerprinting”, true);
user_pref(“privacy.resistFingerprinting.block_mozAddonManager”, true);
user_pref(“privacy.resistFingerprinting.letterboxing”, true);
user_pref(“privacy.resistFingerprinting.randomization.daily_reset.enabled”, true);
user_pref(“privacy.resistFingerprinting.randomization.enabled”, true);user_pref(“screenshots.browser.component.enabled”, false);
user_pref(“privacy.spoof_english”, 2);
user_pref(“webgl.enable-debug-renderer-info”, false); user_pref(“webgl.enable-renderer-query”, false);
This is why I like Lemmy, never knew canvas blocker was a thing. Thank you.
Or Mullvad Browser, which is just the Tor Browser without Tor.
There’s also IronFox on Android which is more similar to LibreWolf than MV Browser.
I’m still trying to wrap my head around fingerprinting, so excuse my ignorance. Doesn’t an installed plugin such as Canvas Blocker make you more uniquely identifiable? My reasoning is that very few people have this plugin relatively speaking.
Maybe if they can connect you to your other usage but it’s probably more of their resources and such a small % of the population that it isn’t worth the time to subvert? Idk just guessing here
Iirc, Websites can’t query addons unless those addons manipulate the DOM in a way that exposes themselves.
They can query extensions.
Addons are things installed inside the browser. Like uBlock, HTTPS Everywhere, Firefox Containerr, etc.
Extensions are installed outside the browser. Such as Flashplayer, the Gnome extensions installer, etc.
Further: the Canvas API doesn’t have any requirements on rendering accuracy.
By deferring to the GPU, font library, etc, tracking code can generate an image that is in most cases unique to your machine.
So blocking the Canvas API would return a 0. Which is less unique than what it would be normally.
I use (and love) Firefox containers, and I keep all Google domains in one container. However, I never know what to do about other websites that use Google sign in.
If I’m signing into XYZ website and it uses my Google account to sign in, should I put that website in the Google container? That’s what I’ve been doing, but I don’t know the right answer.
Yes, that’s right. Also seriously consider ditching Single
StalkSign On entirely.Thank you. I agree re ditching it and have been working on that.
Does ublock do this?
No
I mean it doesn’t hurt but as far as I can tell, it doesn’t actually block fingerprinting, it blocks domains known to collect and track your activity. The entire web is run on Google domains so that would be nearly impossible to block.
The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.
The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.
So, essentially the best way to actually resist fingerprinting would be to spoof the results to look more common - for example when I checked amiunique.org one of the most unique elements was my font list. But for 99% of sites you could spoof a font list that has the most common fonts (which you have) and no others and that would make you “blend in” without harming functionality. Barring a handful of specific sites that rely on having a special font, that might need to be set as exceptions.
No, the best way is to randomly vary fingerprinting data, which is exactly what some browsers do.
Font list is just one of a hundred different identifying data points so just changing that alone won’t do much.
I wasn’t suggesting it as “font list and you’re done”. I was using it as an example because it’s one where I’m apparently really unusual.
I would think you’d basically want to spoof all known fingerprinting metrics to be whatever is the most common and doesn’t break compatibility with the actual setup too much. Randomizing them seems way more likely to break a ton of sites, but inconsistently, which seems like a bad solution.
I mean hypothetically you could also set up exceptions for specific sites that need different answers for specific fields, essentially telling the site whatever it wants to hear to work but that’s going to be a lot of ongoing work.
It’s a combination of both.
Why does it do this?
- Math operations in JavaScript may report slightly different values than regular.
PS grateful for this option!
Some math functions have slightly different results depending on architecture and OS, so they fuzz the results a little. Here’s a tor issue discussing the problem: https://gitlab.torproject.org/legacy/trac/-/issues/13018
But one question I’ve been asking myself is : then, wouldn’t I be fingerprinted as one of the few nerds who activated the resist fingerprinting option?
Just use Tor browser if you want to blend in. Some sites will probably not work, and I don’t suggest accessing banks with it, but it works well for regular browsing.
Yes. But it’s better than being identified as a unique user which is much more likely without it. You can test it yourself on https://amiunique.org/fingerprint
I’ve used this. The only annoyance is that all the on-screen timestamps remain in UTC because JS has no idea what timesone you’re in.
I get that TZ provides a piece of the fingerprint puzzle, but damn it feels excessive.
Wait is that why my Firefox giving me errors when I try to log into websites with 2FA?
And automatic darkmode isn’t respected, and a lot of other little annoyances. That’s why this is so difficult. These are all incredibly useful features we would have to sacrifice for privacy.
Dark mode can be recreated using extensions, although the colors most likely won’t be as legible as “native support”.
I don’t see why a similar extrnsion couldn’t change the timezones of clocks.
Additionally, I don’t see why the server should bother with either (pragmatically) - Dark mode is just a CSS switch and timezones could be flagged to be “localized” by the browser. No need for extra bandwidth or computing power on the server end, and the overhead would be very low (a few more lines of CSS sent).
Of course, I know why they bother - Ad networks do a lot more than “just” show ads, and most websites also like to gobble any data they can.
Privacy Badger anyone?
But does privacy badger also act on the canvas APIs & cie. ?
Please don’t enable this blindly. A lot of modern websites depend on a bunch of features which will simply not work with that flag enabled. Only do it, if you’re willing to compromise and debug things a bit
its captcha v3, its the same thing reddit uses to catch bots and ban evaders, apparently its expensive for reddit so they only mostly use it for ban waves.
Using Mullvad Browser + Mullvad VPN could mitigate this a little bit. Because if you use it as intended (don’t modify Mullvad browser after installation) , all Mullvad users would have the same browser fingerprint and IPs from the same pool.
The problem is it’s all or nothing. You must foil IP address, fingerprint, and cookies - all three at once.
Mullvad browser might make your fingerprint look similar to other users, but it’s not common is the problem. Test it with the EFF Cover your tracks site.
And now Mullvad has all the data
If you don’t trust anyone the internet (or any net you don’t fully control yourself) is not something you will use.
Practical security is a matter of threat-modeling and calculated risks.
Mullvad has a good track record, but if you know of better alternatives that don’t require building it yourself, please share!
Tor browser. It’s probably more popular, and they lead the charge in standardizing everything so you know it’ll be top tier.
And Mullvad is not in business if selling user profiles to advertisers, at least as far as we know
Mullvad, (the vpn, I have not tried the browser) uses a single account number as both name and password, no emails. It allows for multiple anonymous payment methods and it’s open source.
Sliiiiightly more trustworthy than Google imo.
The random dude on the corner is more trustworthy than Google, it’s not that hard to be sadly.
Big corp facts.
It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?
Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.
You could maybe spoof all these things, but some websites may stop behaving correctly.
I get that some things like screen resolution and basic stuff is needed, however most websites don’t need to know how many ram I have, or which CPU I use and so on. I would wish for an opt-in on this topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much ram is available, however for most other things it is not.
Unfortunately the bare minimum is in most cases already enough to uniquely fingerprint you.
This is called Tor
*Tor browse
Leave everything default and you’ll look like every other Tor browser user.
No it isn’t.
And this is really important. If you go on Google tracked websites without tor, Google will still know it’s you when you use tor, even if you’ve cleared all your cookies.
Tor means people don’t know your IP address. It doesn’t protect against other channels of privacy attack.
Yes, it is… Tor prevents against fingerprinting as well. It isn’t just relay plumbing to protect your IP… This can easily be tested on any fingerprinting site with default config of Tor demonstrating a low entropy https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/
It’s been a long while since I looked, but I remember it being a thing in tails to specifically not resize your browser window or only have it full screen to match a ton of other fingerprints.
Plus since it was a live distro that reset on every reboot it would only have the same fonts and other data as other people using tails. Honestly, I hate that all that info is even available to browsers and web sites at all.
Letterboxing has significantly reduced threat presented by window sizing. https://support.torproject.org/glossary/letterboxing/
I don’t quite understand – does this feature let you resize the window again to the size you want, and you are still sharing the same fingerprint with everyone else? Or do you still have to keep the browser window the default size to minimize your unique fingerprint?
No, it is not. Tor Browser != Tor. Get your shit right or be pwned.
Tor browser is not Tor.
This is Tor https://en.m.wikipedia.org/wiki/Tor_(network)
Tor browser is an additional piece of software built on top of it. Using the network(what everyone else means when they say tor) is unfortunately not enough to prevent fingerprinting.
Good point, that difference does matter. I guess other browsers like Brave use the Tor Network, and it would be misleading to suggest Brave has good anti-fingerprinting.
What kind of fingerprint avoidance are you suggesting then that the Tor browser cannot do that makes a difference?
If you enable JavaScript, you open Pandora’s box to fingerprinting (e.g. tracking mouse movements, certain hardware details, etc). If you don’t, half (or more) of the internet is unusable.
Tor browser
And Mullvad browser
I don’t bother. I know they know everything about me already, and that I’m not an important person. As such, I wonder why it matters.
The only thing that matters in government politics is public opinion.
Username checks out.
Behaviour is tracked in order to be influenced.
