Google Container for Firefox – Prevent Google from tracking you around the web (addons.mozilla.org)
Still unresolved are history leaks via Referer, from things like fonts, ajax, tagmanager google.com API calls, present on all websites.
Why web people link so much Google stuff in their websites is a mystery.
You're also now just sitting behind whatever ISP your VPN uses which knows everything you're doing and sells it back to whoever.
If you're not rotating your VPN services that still allows you to be tracked via that IP. At the end of the day all your data still belongs to someone and can be used for whatever. Until DNS over TLS is complete and rolled out across the board your metadata can still be used.
Not to mention all of the other things associated with this. Even being connected to a VPN via your phone will still leak information like your coarse location, wifi networks and bluetooth beacons nearby which all get sent to your primary phone carrier and whatever applications you use.
- ISP has your name and history. The AdTech knows your IP's history, and most likely your Id.
VPN:
- VPN has your history, but no name (paid via voucher), and is another country's legal entity. My ISP only knows I'm using some VPN service (DoT enabled on my router). The AdTech is missing the key identifier, IP, to link your data together (to aggregate).
> ISP your VPN uses which knows everything
Both ISPs know squat, just encrypted traffic from my real IP
2. disable cookie & javascript for *.google.ca
3. disable all google ads & analytics domains.
It's just too annoying having to re-google something you search for after clicking the first result and losing your history.
I have 0 knowledge of the web and whatnot..
I already have privacy badger, would this also help? or would it make no difference?
With Google, I use "Always Open in this Container" for each Google service; this is better for a Google service container.
Leaving aside the giant DNS question, there's SNI to consider as well as the VPN provider knowing your source IP and times of access. Then, because you're on hn, consider what the graph of little-used services you (probably) use says about you. Work VPN/chat/webmail servers? Admin interfaces for side projects you work on? And of course good old fashioned typos in your shell.
https://github.com/unqueued/foxbox
But I never got around to polishing it and making it more accessible.
The thing that really prompted me was peeking at what financial websites were doing, trying to connect to data mining sites like ru4.com and refusing to load if they couldn't connect to facebook.com and twitter.com.
My script also fixes paths in profile folders so that the roboforms extension will still work, because it is the only password manager that I have found that is able to completely automate my logins, despite the best efforts of UX designers.
I also couldn't order food from seamless.com unless I allowed a script on their site to connect to facebook.com. So, now seamless.com gets its own empty sandbox.
And because you're using your filesystem to store a browser profile, you can have specific extensions or settings for each profile.
So whenever I want to do financial stuff, it just connects over an autossh tunnel to my home, so it will never trigger any stupid re-authentications when I'm connecting from a cellphone or work.
You have a link and/or author for the add-on to which you're referring?
When your browser redirects a tab from example.com to accounts.google.com to do an OAuth login, the Google OAuth login cookie that gets set by accounts.google.com under that tab, needs to also be visible later on to any other tab whose "root node" navigates to accounts.google.com.
Maybe you can make an exception for just SSO providers—but won't other nefarious uses (e.g. analytics providers) then just pretend to be SSO flows?
And maybe you can just whitelist the existing SSO providers—but that's an instant oligopoly.
"Single sign on" means "contact centralised provider with identifying information plus site browsed".
The explicit desire here is to stop that tracking.
Tracking _is_ single sign on with the "sign on" being invisible to the user.
If you click a link that opens a new tab and swipe back from that new tab, Safari closes the new tab and shows you the previous tab.
I’m not exactly sure of the behavior when you open a new tab, then go to another tab, then back to the tab that was opened and then swipe back, though.
Not sure if it has any traction anymore.
However, to prevent tracking I mostly use CookieAutoDelete [0] which only stores Cookies for sites that I have whitelisted after the tab is closed. It's really just a handful of sites I visit frequently and don't want to log in every time. Cookies aren't required for anything else.
Also, not having a Google account comes in handy to prevent tracking by Google. My default search engine is DuckDuckGo.
0: https://addons.mozilla.org/de/firefox/addon/cookie-autodelet...
- install Cookie Auto-Delete (https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...)
- set it to delete all local data for all domains, 15 seconds after its last tab is closed
- create a Firefox container for untrusted apps you can't get rid of (e.g. Gmail, Facebook) and set these domains to open in this "untrusted" container by default
- set Cookie Auto-Delete not to delete the data for this particular container
- whitelist the few domains you trust so that you can keep their sessions open in the Default container
Result: No need to use a secondary browser or to install special "Google/Facebook/etc Containers for Firefox". You always browse the Web incognito by default! Only when you visit some particular webpages do you enter a custom container that keeps your personal data separate from other activities.
This has worked nicely for 2+ years, with other essential extensions such as uBlock Origin, Privacy Badger, HTTPS Everywhere and Decentraleyes.
Things like this make me believe less in patent reform, and more in complete abolishment.
These are typically pretty straightforward (although tedious) but on some Tor circuits it just never lets me through: the endless "Please try again".
That is to say, if Google's Captcha bot does not like you[r IP], many other parts of the internet stop working, too.
I have a separate Firefox profile I use for rare occasions when I need to allow third party tracking in order to do something.
Sure, you could do a lot of this yourself with different browsers/browser profiles/containers, but it'd be far better to have someone provide that list as a prebuilt addon.
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
An isolation policy will let you treat a subdomain differently from the main domain. So I can use mail.google.com and still always be logged in, while a search from address bar or elsewhere will open in a temporary container that lasts only as long as the browser tab.
The persistent "Google" container I have has domains mail.google.com, accounts.google.com, and myaccount.google.com.. everything else loads in temporary containers.
Combine with this to remove the link stubs on SERP so you're not sending back click data if there's a shadow profile based on IP and browser metrics.. so shadow profile only knows what you searched and not necessarily what you clicked, and it's cleaner for container assignment when opening links in new tabs because there's no brief hop to the same temp container google search loads in before going on to a separate temporary container for the target site:
https://addons.mozilla.org/en-US/firefox/addon/google-search...
https://addons.mozilla.org/en-US/firefox/addon/multi-account...
I'd been using a 'sketchy' container for YTube, but dropped YTube into this. Thereby isolating (I think) YTube from the other 'sketchy' sites I may visit. As for Google ... long-ago blocked it and FB on the network level. Chopping off -some- of the octopus' tentacles.
This looks like a great way to help people who don't want to fiddle with settings to get the same sort of protection. It'd be nice if Multi-Account Containers had an option to add these sites. I should cut a PR for that, probably :\
What I really want is for it to be optimised for the common use case with each domain automatically put in its own container, with some whitelisting of common grouped services (e.g. MS and Xbox Live, Facebook and Instagram).
It's very rare that I actually want to share any cookie info between sites as most of it is tracking. In the rare situation you do, the browser could let you disable containers or add them to a group.
I'd also like something that automatically opts out of tracking preferences, as well as something that periodically deletes cookies/localstorage (say every 14 days).
You could then set it all up and forget about it.
The way I see Facebook Container (as an outsider who has been using Multi-Account Container for a while) is that it tried to ride on the Delete Facebook wave a few months ago to make people aware of Multi-Account Container functionality, so these Google Container/Reddit Container/etc. always seem weird to me.
[1]: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
Doesn't Mozilla get a significant fraction of its revenue from their search deal with Google?
I have PiHole/VPN/privacy browser extensions installed. Javascript is disabled for the majority of the sites. LittleSnitch supposedly takes care of the chatty non-browser programs. All my 3G/4G data goes through PiHole. I have only a selected few apps installed on my phone.
Paranoia? Yes. Do I have the peace of mind? No. I just simply cannot stay 24/7 on Wireshark examining every outgoing packet.
Unless the legislation changes for good I really don't see how this mess can be tackled.
Trying to avoid tracking is like some weird obsession/hobby. You go to all these lengths and then you realise they were tracking you anyway, so you throw your arms up in disgust, exclaiming how evil they are and start trying to block that vector, soon enough rinse and repeat. I was there too only a few years ago but I've since given up and my life has gotten measurably better because of it - I no longer feel like I'm trying to "stick it to the man", I don't have to integrate a bunch of different services in an attempt to keep x and y in separate products to reduce my "awareness surface area" to any one company. I just stopped worrying so much. Simple as that. And I'm really not convinced some evil affliction is going to strike me down as a result. Next time you find yourself wasting hours of your time trying to make yourself "private" just think of all the other fun stuff you could be doing.
But if you want best bang for minute spent worrying about privacy: Use Incognito, uBlock, Proton Mail and a VPN. 20 minutes of your life and you're pretty darn private. This should cover you without labouring over choices of extensions etc.
[1] see here https://support.mozilla.org/en-US/kb/tracking-protection?red... or, alternatively, you can use Privacy Badger or one of the many ad-blockers that let you enable tracking-related lists, such as uBlock Origin.
[2] see here: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
It's rather aggressive, even: blocks Yandex's maps embedded on other sites (though iirc doesn't block Google's maps).
Doesn't help that FB is getting a bad rep these days and it's more mainstream to hate on it.
I rely on Google's sign-in mechanism for many websites and this would probably interfere with that.
[1]: https://addons.mozilla.org/en-US/firefox/addon/searchonymous...
1: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
uBlock loads privately-constructed filtersets which are used to decide what net contents to block. (That blockage can be customized per-site in advanced mode.)
Each FF container keeps content associated with one or multiple sites 'isolated' (in theory) so they can't be 'seen' by sites in other containers ... all in the browser.
Relevant addon issue: https://github.com/containers-everywhere/contain-google/issu...
Removing cookies will not prevent anyone from tracking.
Simple example: I once visited an online shop from a browser profile in which I never logged into Facebook. A few hours later I switched to another browser profile, used exclusively for Facebook, and I got an ad on my timeline from said online shop, for the exact product I was looking for earlier in another browser profile. Facebook associated my two browsing personas without cookies, most likely using a combination of my browser's request headers and IP address. Not to mention that JavaScript (if enabled) provides additional and extremely detailed fingerprinting capabilities.
In my experience, Google seems to have a better track record in terms of respecting cookies (or lack thereof) as the main carrier of online privacy management. But I think it's just an illusion. They're just obscuring it to not freak people out too much the way Facebook does. The information is still there. They have it, from analytics, fonts, reCaptcha and all other means of their creep.
To prevent tracking, you need to have full control over information you send to the internet, including browser request headers, IP address, behavior patterns of web browser, and so on. Cookie management alone is just a fallacy and gives a false feeling of control over privacy.
This is also why I consider those "privacy containers" broken by design. They just operate on cookies and don't contain anything besides cookies. I would even consider them harmful because of their misleading nature.
Privacy containers could do more interesting things like:
- Connect through a VPN/proxy, so IP address changes all the time.
- Change browser characteristics (screen size, available fonts, user agent string, etc) to fool the fingerprint. I suppose that fingerprints are hashes, so you only have to corrupt one ingredient of the hash to make the fingerprint unusable.
Tor browsers do stuff like this.
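A toy model of the point made in the comments above, as an added example that is not part of the thread and not Firefox code: cookie jars are keyed per container, but request headers and IP address are the same in every container, so a cookie-less fingerprint built from them still links the containers. The `ToyBrowser` class, the field list, the FNV-1a hash (a stand-in for whatever a tracker would use) and all sample values are constructed assumptions.

```javascript
// Added example: a simplified model, all names and values are hypothetical.

// FNV-1a 32-bit hash, used only as a stand-in for a tracker's hash function.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Browser model: the cookie jar is keyed by (container, domain), which is the
// isolation containers provide. IP and headers belong to the browser as a
// whole, so every container sends the same ones.
class ToyBrowser {
  constructor(ip, headers) {
    this.ip = ip;
    this.headers = headers;
    this.jars = new Map();
  }

  jar(container, domain) {
    const key = `${container}|${domain}`;
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }

  setCookie(container, domain, name, value) {
    this.jar(container, domain).set(name, value);
  }

  // Build the request a tab living in `container` sends to `domain`.
  request(container, domain) {
    const cookies = [...this.jar(container, domain)]
      .map(([k, v]) => `${k}=${v}`)
      .join("; ");
    return {
      ip: this.ip,
      host: domain,
      headers: { ...this.headers, Cookie: cookies },
    };
  }
}

// Server side: a passive fingerprint from fields present without any cookie.
const FP_FIELDS = ["User-Agent", "Accept-Language", "Accept-Encoding"];

function fingerprint(req) {
  const parts = FP_FIELDS.map((f) => req.headers[f] || "");
  return fnv1a([req.ip, ...parts].join("\n"));
}

function demo() {
  // Constructed sample values (documentation IP range, made-up UA string).
  const browser = new ToyBrowser("203.0.113.7", {
    "User-Agent": "ExampleBrowser/1.0 (constructed)",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
  });

  // Logged in to Google only inside the "google" container.
  browser.setCookie("google", "google.com", "SID", "constructed-session");

  const inGoogle = browser.request("google", "google.com");
  // The same host reached from a page in the default container, e.g. an
  // embedded font or analytics call.
  const inDefault = browser.request("default", "google.com");

  // Changing a single ingredient changes an exact-match hash.
  const altered = {
    ...inDefault,
    headers: { ...inDefault.headers, "Accept-Language": "de-DE" },
  };

  return {
    cookieInGoogle: inGoogle.headers.Cookie,
    cookieInDefault: inDefault.headers.Cookie,
    sameFingerprint: fingerprint(inGoogle) === fingerprint(inDefault),
    alteredDiffers: fingerprint(altered) !== fingerprint(inDefault),
  };
}

console.log(demo());
```

The session cookie stays inside its container, while the header-and-IP fingerprint is identical in both; only changing one of the hashed inputs separates them.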
I think that your comment makes it seem trivial to control fingerprinting by controlling the information you send over the internet. While I suppose it is true that you can prevent fingerprinting by not allowing data transmission, this will also make the internet and especially the www unusable.
Masking your IP address would require access to multiple IP pools, which is cost prohibitive. Alternatively, you could use some centralized proxy, which just changes who controls the information about you, but perhaps in even a more scary way.
Obscuring your screen size breaks responsive web design. Obscuring your browser still breaks a lot of everything even in 2018. Chrome vs Firefox vs Edge vs Safari still don't have the same web api. Disabling Javascript breaks most websites. Disabling XHR/fetch also breaks a great deal.
Once again, privacy and convenience conflict.
That way, my identity is disassociated, hopefully. All logins are on chrome which are used minimally and all browsing is on FF with no track on, cookies blocked etc.
They still can track and target ads at you without an account. An account is not required for that.
For some sites I need to allow google.com cookies otherwise I will keep getting recaptcha checks.
It does prevent tracking of websites that don't do fingerprinting. The best is the enemy of the good!
Though I guess with this setup I can do "accept cookies" knowing that they will shortly be deleted.
I can't skip GDPR page redirects, though.
Run your browser in private mode for everything except a few websites you trust.
Done.
This is what I use. I have everything that I log into google for in one container, social media in a second, and everything else is nicely sand-boxed away from those horrors.
[0] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
Or, if you'd like, you may disable auto-update.
(Or human reviews are now allowed after publishing when an extension passes automated review - I'm not sure.)
On iOS, install Firefox Focus, and in Safari settings enable FF provided Content Blocker.
But yeah there is always nitpicking to do when it comes to security. No one is ever truly secure.
All this without breaking user privacy.
https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...
FF extensions just have too much power and too little end-user control. At a minimum I'd like to be able to selectively disable them in private browsing mode, as Chrome allows.
Enter your credit card details to check if they've been stolen!
By the way, if someone from firefox team is reading this: I would _really_ love to be able to just load directories from my FS as extensions rather than having to trust someone on the internet that it does what it says it does. I love building extensions myself, but I just don't install extensions from the web anymore because I don't know what's in there (note that referring to a GitHub repo is not enough: I have no guarantee the content of the extension is the same).
You now have accepted a fundamentally different world where anything you like, anything you say, anyone you are with or hope to be with, anything you hope to do, have done, didn't do, every mistake or misstep or misstatement or misunderstanding or fuckup, is recorded, analyzed, classified, and mined. You're being constantly thought about, by the machines, who, if you are lucky, are only interested in making a buck off you, and if you are not lucky, have targeted you for increased scrutiny, security checks, auditing, social classification, digitized karma, and eventually, all of this will translate to a significantly different experience through life. How will it manifest? Maybe it'll be something big like being denied a loan for a car or a house. Maybe it'll be a landlord turning you down for an apartment. Maybe it'll be a constant drip of ads trying to trick you into buying something. Or maybe one day beaker53 will say something bad about the government, or get involved with a terror group, or it will accidentally look like you got involved with a terror group. Or maybe they'll just come annoy you while you're sitting down to tune your guitar with an ad on how to make yourself a better guitar player, if only you did this or that or the other thing. Or maybe they'll pester you because your friends did something or didn't do something or should do something, or how you'll look better in relation to them if you did do something.
Speak for yourself. I'm sick of being watched and being "thought about" by all these damn machines. FFS leave me alone, like it was just 15 years ago. Just 15 years ago.
This is not really an acceptable attitude towards this opinion. You can not mind the current state of tracking, acknowledge benefits, etc and should not be demonized or told your opinion was beat into you. And then congratulate them in some rude way?
I used to wonder why so many people were surprised at recent presidential election results, assumed propaganda must be the cause, assumed ignorance of those they don't understand, take elitist attitudes towards others' preferences, etc. But now I'm starting to understand this cognitive dissonance. It's ok that they don't see tracking as a big deal, it's ok they don't want governments to step in, they aren't just dumb victims beat into submission.
Yeah you were still being tracked. It's just a lot easier and more specific now. But everything about you that's public record, or even semi-public, including your credit reports, housing history, liens/judgments, voter registration, bio/demo data from any product registration card you ever sent in, purchase history from credit cards, etc. was in marketing databases and bought, sold, and traded. This has been going on since the 1970s at least.
But you're right, it's MUCH more pervasive now.
However, if you really yearn for what it was like 15 - 20 years ago, there's an easy solution: Don't be online. At all. Just like it was then.
The video portrays a future advanced home speaker which terrorizes its family through ads, AI, and "helpfulness" through data mining and the occasional benign hacking of remote systems.
Having a lock on your door won't stop professional burglars, but it implies effort and isn't the same as leaving your front door wide open, which also invites passersby.
Protecting your privacy actually has a non-negligible effect on your experience on the Internet. Let me give you an example ...
I have a friend that's a T2 diabetic, is self treating and doesn't want to go to a doctor due to past bad experiences. So in trying to help him, I signed up for a Facebook group for diabetics in my area. The result is that now I'm getting commercials for treatments of diabetes.
This to me is freaking scary, because this data can be used against you. Your medical history could affect your credit score for example. Your buying history or your friends list could affect the price of your insurance. Your daughter could get pregnant and the store could find out about it before you. Oh wait, these already happened.
You can't escape all profiling, but the less these profiling companies know about you, the better you are.
I'm using DuckDuckGo lately to search for symptoms of hypothyroidism, because apparently I suffer from it. Along with the privacy extensions I have installed (Privacy Badger, and ad-blocker with EasyPrivacy), guess what, I don't have commercials following me around on hypothyroidism, which to me is confirmation that I'm doing a good job.
You can choose to not care of course. But you're probably young. Give it another decade.
I'd add searx.me to search engines, and uBlock Origin to ad-blockers, in medium mode:
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium...
They know more about your online history than you do; they can write a diary for you. But if you feel comfortable with that, then you don't need to do anything.
Changing IP, clearing cookies and changing browser may divide your ID but as soon as you log in with your Google account or they realize you may be having identical online activities, you can easily get linked again.
And as soon as you buy something on your Google account, be it physical item or an in app purchase, they know your real identity along with all of the above and then with more profiling, you will be linked with other people by family name, location you often visit and recognized by any other profiling I can't think of now.
Considering all data is saved forever, how likely do you think your country is to get something similar in the next 30 years?
However, it does concern me that it exists. They use this data to manipulate people. To drive "engagement", which means addiction. I could spend too long describing the evil in it, but at the end of the day, why do they care so much about the data? It all only really comes down to a way to manipulate people... into buying goods, into believing things... without hyperbole, just to try to avoid listing out so many points and examples, their desire for data stands in opposition to the popular conception of free will and democracy. I will always take a strong dislike to people and organizations attempting to manipulate me by means other than simply providing value in my life and getting some value back in exchange.
At this point, it concerns me less how much data they collect on me, and that we as a society haven't dropped some kind of regulatory hammer on them before they almost literally brainwash us out of the notion that we would even want something like it.
https://telegram.org/faq#q-why-not-just-make-all-chats-secre...
>This allows Telegram to be widely adopted in broad circles, not just by activists and dissidents, so that the simple fact of using Telegram does not mark users as targets for heightened surveillance in certain countries. We are convinced that the separation of conversations into Cloud and Secret chats represents the most secure solution currently possible for a massively popular messaging application.
https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by...
>people using these apps can be targeted by governments as those who have something to hide. Due to the limited distribution of such apps, the government can identify and track individuals whose phones connect to the corresponding IP addresses. This is something that is already happening in case of tools like Tor, and, to a lesser extent, of some messaging apps. Yasha Levine is publishing a brilliant investigation about it.
>Am I the only one who doesn't worry too much about all this "tracking"? Trying to avoid tracking is like some weird obsession/hobby.
A cursory glance at recent human history[1] shows the extreme naivety of not worrying about the negative effects of mass computer tracking.
If you switch tabs, or close the app, or do anything other than somewhat immediately go back, that back history is lost. And if you do use the shortcut to go back, the new tab is destroyed. There's no ability to open a bunch of tabs and then in each of them independently navigate back to the parent.
I think if Mozilla included code that specifically targets Google, they would be crossing a line.
It seems natural to posit that money is the issue but is it so easy to believe that a foundation most of us trust would compromise its core values?
As mentioned elsewhere hacky add-ons cannot be the end solution, and will not be widely adopted unless incorporated as defaults.
I never made a separate browser profile for Facebook, but the moment Firefox's Containerisation was available in Test Pilot, I made a container for all things Facebook.
Personally, I feel the status quo is preferred over alternatives, but to each their own. Whether someone is poorly informed on a subject or not is hard to gauge and not always something that has to be fixed. The problem here is that ignorance is used as a reason to protect people from themselves forcefully thereby silencing the informed-yet-disagreeing (emphasis on "here" in this situation at this time, can't make generic absolute statements about consumer protection in general).
> We're not discussing it, frankly, because people are generally passive and some, like the poster, express a pretty dangerous lack of concern.
I see quite the opposite. Can't open any newspaper or obtain any general news without the ills of big-web-tech shoved in your face. The harms are explained as extreme but to many, regardless of what the pitchfork bearers shout, the harms are not that extreme. What's dangerous is over concern and the results of that fervor. But all of that is personal opinion, the good part is the freedom to hold that opinion and act on it personally without imposing.
Two points against it:
1. You stand out from the crowd with this User-Agent, easy to fingerprint you.
2. Chromium is Google (Ad company) software, like Android. Un-googling it may not be complete or full. Safest way is not using any Google software.
That being said, Brave is pretty upfront about the security of their software. They've paid $25k in bug/security bounties so far and their browser is open source. So if an update turns evil, it stands to reason that someone is going to notice.
> Email me to subscribe to my anti-spam service!
This is precisely what haveibeenpwned asks for, as your parent wrote.
e.g. googlevideo.com resolves to 172.217.4.196 and the PTR for that IP is lga15s48-in-f196.1e100.net
They even have a faq for this: https://support.google.com/faqs/answer/174717?hl=en
Most sites I visit these days--even super common sites like medium.com--have dozens (or even the hundreds alluded to above) of dependencies from seemingly unrelated sites. I have no idea if those are CDNs for common js libs, analytics libs, spammer libs, tracking libs, or what. I recognize things like CDN links for jQuery, Bootstrap, React, etc. I see many that seem to be Facebook tracking.
Of course, blocking many of these breaks the page. I have started to avoid sites that break without access to urls I can't identify. But this is both laborious to vet, and isolating.
There is no longer such a thing as easy, anonymous, inclusive web browsing.
DNS has been made hierarchic for this reason.
Data never being completely deleted, and the unending tracking being a slow sort of death of personal freedom is a good point, but I read the point of the poster you responded to as this: We can only do so much to secure our privacy, do effective and easy to implement solutions. If we want absolute privacy, it's probably never possible until you cut out massive parts of the digital world for yourself, and diminishing returns for your efforts most likely aren't worth it.
You can review it yourself. There is not a whole lot of code here.
Now in the era of WebExtensions (which are SOOO much more secure!!!) it seems they finally approved a version published by those bad actors. No idea tho if and what tracking is in there and if mozilla stuck to their guns and made them remove tracking or not.
Anyway the very idea that people are making money from me keeps me up at night so I use FF with a bunch of privacy aiding extensions. The war to fingerprint users is endless though. Ad tech is a billion dollar industry.
No, it was about someone (“beaker53”) who could be confused for a known person (“beaker52”).
I'll stick to Chrome when I want my browser to not lose my sessions constantly.
Is there a source you're using for this info? As I visited a couple times during that period (including mid this year) and saved a personal copy of the Versions URL which listed multiple versions post acquisition available [1].
[1] Specifically: 2.1.1 (2017-10-31), 3.0.1 (2017-11-10), and 3.1.1 (2018-05-23).
(Mind you, Google themselves are working to move enterprises away from this model, with their https://cloud.google.com/beyondcorp/ effort avoiding the "Intranet as a bunch of services on separate internal domains" model, in favor of an "Intranet as a bunch of services all living under smart proxies that make them look like one domain and handle IAM for you" model. But enterprises would need to move first, before complete tab isolation could be workable for them.)
There's also even-more-enterprise SSO, i.e. SAML and its "using your bank as an SSO provider to prove your identity to government services" use-cases. This actually isn't SSO at all—there are more identity providers than there are services. The point here is to federate proofs-of-identity by allowing many different (whitelisted) agencies to vouch for your identity, so that the government doesn't need to issue you some centralized proof-of-identity. This would also break under complete tab isolation, and I don't think there's any good replacement in this case.
(personally I get a small hit of joy every time I hit a site that is caught and blocked trying to do things it shouldn't, and vow never to return. it's better than it happening without knowing.)
If you don't want every tab to be connected, every tab isn't connected.
It's not like the problem is impossible; nobody is saying that. My point is that the solution is non-obvious to the point that nobody has solved it yet, despite likely man-years being put into trying. Firefox Containers are the best UX we've come up with so far to kinda-sorta solve the problem. Do you have any better idea?
I think it is very important to make Internet users aware that cookies are the red herring in all privacy issues that are plaguing the World Wide Web. The cookie feature in modern browsers is just a tiny puzzle piece in a larger picture, consisting of a wide range of entry points used for collecting data. It includes invasive JavaScript fingerprinting that can easily extract a list of installed fonts, local IP address and list of media devices from WebRTC, device capabilities, WebGL/Canvas fingerprinting, content filter list detection and much, much more. Even with JS disabled most browsers share so much explicit information that it is enough for precise identification without the use of cookies.
Is it impossible? For 99.99% of Internet users it requires so many hoops to hop through it might as well be impossible. However, I believe that awareness could slow down this privacy decline. I hope users will finally start demanding more native privacy controls in their browsers. A native JavaScript filter in Firefox would be a good place to start.
I have that even on my regular browser...
Personally, if I was dealing with someone who wasn't already using strong unique passwords for everything, and didn't want the burden of having a password manager, I would absolutely recommend relying on Chrome's built-in password manager and having to be signed in to Chrome everywhere. This might actually be one of the use-cases that triggered the 'auto sign into Chrome when you sign into a Google product in a tab' feature, which didn't go down very well in some circles.
I believe (re)using relatively weak passwords on multiple sites is a bigger risk to privacy than Google tracking every page I visit. I would assume they track every page I visit regardless of whether I'm signed in to Chrome or not.
EDIT: Note that I'm assuming this feature in Chrome is similar to the feature in Safari, where Safari suggests strong passwords, but this doesn't prevent those passwords from being stored in your password manager of choice.
If you start using Google's password manager with their auto-suggested long complex passwords, there is no way you can remember the passwords yourself. You'll need to be logged into Google Chrome to have access to the password. Therefore, you'll need to be logged into Google Chrome to log into any website. Currently, there is no way to export passwords from one browser to another, so if all your long complex random passwords are in Chrome, as a practical matter, you won't be able to use Firefox, Safari, or Internet Explorer; you'll be required to use Chrome.
The apprehension over the feature is not about security at all (in fact, this system is likely more secure). It's about control. If you allow Google to manage all of your passwords, then you'll need Google to do anything.
Coupled with clearing history, this should be fairly close to a much stricter private mode.
[0] https://addons.mozilla.org/en-US/firefox/addon/tree-style-ta...
What about hardcoding the fingerprint? So that every end user looks the same.
So long as the client runtime can inspect the host, inferring the fingerprint, and call back to the mothership, there's no foolproof, durable way to defeat fingerprinting.
At best, fudging the fingerprint just buys some time in the arms race.
It is simply a series of attributes that are tested and compiled. Attributes that are consistent for a single browser but have some degree of variation between different computers.
Put enough of those together and you can uniquely identify someone. The exact things that are checked, however, will vary between implementations, and can always be changed in the future, so there isn't an easy way to spoof all of them to be identical.
In addition, many of these attributes that are tested need to return accurate results for normal functionality to work, so you are again limited in what you can fudge to avoid fingerprinting.
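Added example, not part of the thread: a small measurement of how individually common attributes combine into a unique identifier, and what hardcoding one of them changes. The population, attribute names and values are constructed for illustration, and the choice of which attribute can be fixed is an assumption.

```javascript
// Added illustration, not code from the thread. The population is constructed:
// 8 hypothetical browsers, every combination of three two-valued attributes.
const ATTRS = ["timezone", "screen", "fonts"];
const population = [];
for (const timezone of ["UTC+1", "UTC-5"])
  for (const screen of ["1920x1080", "1366x768"])
    for (const fonts of ["default-set", "extra-fonts"])
      population.push({ timezone, screen, fonts });

// Group browsers that report identical values for the chosen attributes.
// Each group is an anonymity set: its members look the same to an observer.
function anonymitySets(pop, attrs) {
  const sets = new Map();
  for (const browser of pop) {
    const key = attrs.map((a) => browser[a]).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Number of browsers that share their attribute combination with nobody.
function uniqueCount(pop, attrs) {
  let unique = 0;
  for (const size of anonymitySets(pop, attrs).values()) if (size === 1) unique++;
  return unique;
}

// Shannon entropy (bits) of the observed combinations: how much identifying
// information the chosen attributes carry across this population.
function entropyBits(pop, attrs) {
  let bits = 0;
  for (const size of anonymitySets(pop, attrs).values()) {
    const p = size / pop.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// "Hardcoding" an attribute: every browser reports the same fixed value.
function hardcode(pop, fixed) {
  return pop.map((browser) => ({ ...browser, ...fixed }));
}

// Each added attribute shrinks the anonymity sets until everyone is unique.
for (let n = 1; n <= ATTRS.length; n++) {
  const used = ATTRS.slice(0, n);
  console.log(used.join("+"), entropyBits(population, used), uniqueCount(population, used));
}
// Assumption: fonts can be fixed, but screen size must stay accurate for layout.
const hardened = hardcode(population, { fonts: "default-set" });
console.log("fonts hardcoded", entropyBits(hardened, ATTRS), uniqueCount(hardened, ATTRS));
```

Hardcoding one attribute restores anonymity sets of two here, but the attributes that must stay accurate still split the population, and any newly tested attribute splits it again.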
The underlying problem of privacy is addressed. The consequence of anonymity is a lack of trust.
Per my previous, Safari has a similar feature, which streamlines the process of generating secure passwords without needing to switch to the password manager to generate the password, and upon submission, it gets stored in the keychain, and also pops up the ability to store into 1Password via the usual extension.
Sure, all those passwords in the keychain are locked to Safari only, so Chrome, Firefox, etc are unable to access them, but that's what external password managers are for.
It absolutely nudges people away from password managers and on to Chrome. You now have two options... (1) get a password manager on all of your devices that properly syncs with Chrome; or (2) only use Chrome on your devices.
Many people are going to choose option #2. This will lead to more people relying on Google Chrome and Google Accounts, and now you'll need to be logged into Chrome to log into any other site. It's a way for Google to become requisite, and add more power when they already have so much.