Web fingerprinting is worse than I thought(bitestring.com) |
Web fingerprinting is worse than I thought(bitestring.com) |
For me, the cookie consent modals are the submarines. Why would I outsource the responsibility not to track me to the people with the incentive to track me? IDCAC, Cookie Autodelete, and strict tracking protection feels like the better alternative for me.
(From today onwards, I'll add resistFingerprinting=true to that list as well.)
There are also proper consent blockers [0], but they are not as big because everyone tells people to use that please track me shit.
Nah. I make an HTTP request and I get a response. That's how the web works. Perhaps people can have different opinions on "how the web works".
Web fingerprinting relies on a heap of assumptions. For example, that someone uses a web browser to make HTTP requests, that the web browser sends certain HTTP headers in a certain order, that the web browser runs Javascript, that it processes cookies, recognises HSTS response headers, and so on and so on.
If all the assumptions are true, maybe web fingerprinting is effective. But if the assumptions fail, maybe web fingerprinting does not work so well.
I have only ever read blog posts about web fingerprinting that take all the assumptions as true.
The majority of traffic on the internet is said to be "bots". Not web browsers running Javascript, processing cookies, and so on.
It seems to me that someone should discuss what happens when the assumptions fail.
Do advertisers care about computer users who do not use graphical browsers much. As such a user, IME, the answer is no.
(Interesting to see how defensive replies get. It's obvious the "tech" crowd intent to spy on web users is heavily reliant on certain assumptions to remain true forever. It shows that there is necessary pressure to keep web users using a "preferred" web browser and web ""features" that will subject them to "web fingerprinting". Perhaps the assumptions will always be true, conditions will never change, in the same way that interest rates could never change.)
even the simplest bots nowadays can run Javascript and process cookies. What's much harder for a bot (or some other actor that has been doing shady things across many websites) to uniquely fake are things like the graphics card (WebGL Vendor & Renderer), audio and other hardware, which gets queried during fingerprinting.
Full fingerprinting is relatively expensive, so it originally was used by fintechs to combat fraudulent/automated signups, but with the third-party cookie situation it might be already economical to track regular users for ads/retargeting.
GPT-3 was trained on a filtered version of CommonCrawl.
IMO, this is text-only web use. No (fingerprint-friendly) graphical web browser needed. Others may have different opinions. Perhaps I am biased as I use the web this way seven days a week.
Almost nobody does this, so obviously not. You're probably in a group that makes up less than 0.0001% of web users. And that might even be generous.
Tech companies routinely get fined for what may seem like massive amounts to us.
https://www.businessinsider.com/the-7-biggest-fines-the-eu-h...
If "breaking the law" meant something they would try to avoid doing it so often.
Microsoft in the 90s was recognized guilty of abusing their monopoly. What were the consequences? nothing. This sort of thing used to mean something, see: Standard Oil v United States. But the current world is a world that belongs to megacorporations.
Tracking people against their will is a drop in the ocean of what corporations get away with.
This, in many ways, is like a billionaire getting a ticket that doesn't amount to more than the hundreds of dollars for bad parking. The billionaire doesn't care.
Law only has meaning when the punishment is coercive.
There are three options:
1. Prevent/Stop it: This ship sailed long ago. Not to be grim about it but pandoras box got opened.
2. Fight it: Tool up, change your print, your behavior, your place. Build focused VM's that you use per topic. Simply do a WHOLE lot less. In the grand scheme, its a lot of work for low return. Note: there are exceptions.
3. Increase Noise: The whole point of most data collection is to sell more to you. Because most people are sheep, a fairly simple model can be surprisingly accurate (over targeting is an issue). Don't be a sheep, diversify, make more noise in the system, search out side your comfort zone and change it up often.
You want to quickly throw targeting systems off your scent (or get them distracted) see how sticky high value sales are for the ad's you see on line. Start looking for a new car, use the word wedding too much (god help you if your a woman) or say vacation 3 times near search engine and watch how quickly your ad experience changes.
This won't work "long term"
As an example: You get an ID as a 24 year old male, who likes his local sports ball team, drinks canned domestic beer... that's a profile that is perfect to sell you a BBQ grill and a subscription to the meat of the month club. Spend an hour or two a week pursuing sewing, the engine is going to get confused! Maybe you share a device with your wife, or she got on it...
This is the sort of noise you create, its not random its "more" and you do it by going off type for a while. Have a friend who is into something you aren't (music, art, and so on) ask them some questions and go spend a week getting more informed on their hobby and have a chat with them. Suddenly the systems will see you as MORE...
I use a text based browser, with no js, no cookies, no css, no external requests past the first html page download, no user agent, no etag, I connect through Tor and I've modified the browser to randomize http headers. And of course, it sometimes happens that I want to see something that is refused to me with that configuration (like, seeing anything behind the big internet killer, aka Cloudflare - thanks archive.org for existing), so I have also a classic browser for the occasional lowering of barrier.
At first, I thought fingerprint.com did identify it, giving me the hZ4W5oQ7pJVIHbW2fBXA id. Then I realized it was giving the same id when using curl with and without Tor. Then I realized, by googling and ddging that id that it's the one reported as well to search engines. So it's not unique and it's basically a "dunno" reply.
The zoom settings in the display/brightness section of the iphone seem quite relevant for fingerprint.com algorithm.
Toggling between standard/bigger text toggles the fingerprint value.
This could be because the visible area in the screen size changes, as well as some value of the CSS-fingerprint.
- Firefox, Enhanced Tracking Protection ON
- Multi-Account Containers + Temporary Containers addon
- Privacy Settings addon, most settings private, but referrers enabled
- uBO with lots enabled, Decentraleyes addon
And it probably understates the problem these days, missing some of the more recent techniques.
But at the time, it was considered to be a big do not touch -- just don't do this. Not so much for ethical reasons, but for optics in the industry. (I wasn't proposing doing it, was just curious)
In the meantime, though, this seems to have just become standard practice, but way more sophisticated with way higher accuracy, as this article touches on.
What was not acceptable a decade ago is now "ok." Not just by sketchy ad startups, but by major players.
But this whole mess ties back to one of the things that worries me the most about the propagation of LLM type ML out into the general industry. It's only a matter of time before ad targeting takes on an extra dimension of creepiness through this (and I'm sure it's already happening in some aspects, inside Google & Meta.)
In the past, in ad tech & search, etc. people could say things like: "Yes, it's highly targeted. Yes we've co-related an absolutely huge quantity of data to fingerprint you exactly, and retarget you. But it's anonymized. No humans saw your personal data. It's just statistics.". Not saying whether or not this argument has merit or not, just repeating it.
But now, here we are, where "just statistics" is a far more intricate learning model. One which is capable not just of corelating your purchases and browsing activity, but of "understanding" you, and which -- while not an AGI -- is pretty damn smart.
At what point does "a computer scanned your browsing for patterns and recommend this TV set" become ethically the same as "a human read your logs, and would like to talk to you about television sets..."?
Having worked in ad-tech before (and having worked at Google, in ads and other things as well), I do not trust the people in that industry to make the right decisions here.
Perhaps you could call this something like 'cross-device fingerprint unification', idk.
The demo delivered an ad-unit on mobile after viewing an ad-unit on TV.
(0) https://www.bleepingcomputer.com/news/security/researchers-u...
Firefox, VPN, privacy extensions, nothing works.
Apple has work to do.
Fingerprinting services tries to figure out browsing settings. Since very few people have this feature enabled. You might be easier to fingerprint by enabling it. A metric that historically been used for fingerprinting is the "do not track" feature which is a bit of irony.
Say I follow AS Monaco football, then look for Lego Castle figurines and finally visit a forum on Alaskan Malamute dogs. The combination of these three websites is pretty close to unique in the world imho.
Surely most people can be uniquely identified after visiting a couple more, unless we change browser and ip-address and GPU and set resistFingerprinting=true and ... and clear cookies after every website we visit.
There is a bug in Chorme, which I reported, but they told me they will not fix it: https://bugs.chromium.org/p/chromium/issues/detail?id=120485...
And https://www.amiunique.org/ says I’m unique in Brave compared to “nearly” in Safari haha
privacy.trackingprotection.fingerprinting.enabled
Adding the extensions `Canvasblocker` and `Temporariy Containers` did solve the issue though.
I only use Chrome to test some things, or to create a completely isolated browser session disconnected from my use of Firefox.
https://niespodd.github.io/webrtc-local-ip-leak/ still? leaks local IP in mobile safari. On browserleaks local ip check fails, giving false feeling of safety.
You can experiment there: https://coveryourtracks.eff.org
Tracking should be limited with legal means.
EDIT: Or block the extraction
- Since you charge per person, what about people that use multiple machines and browsers (with presumably different fingerprints)? - On the other hand, unless two people share the same workstation and computer account, how do you expect to use fingerprints to detect license abuse?
https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-finge...
<body onload="javascript.disable()">
Those same two companies effectively control the browser market. If there's political will in Europe, they can be forced to implement working privacy controls.
GDPR. isn't. about. browsers.
> But there would not have been money to make for those that provide "compliant" banners.
Are you serious? Do you think WordPress addon makers lobbied GDPR through the European parlament?
Surprisingly, one thing that seems to work just fine in this environment is (even modern versions of) phpBB. Lot of phpBB dark web forums.
Also surprisingly, this doesn’t preclude polish or some level of app-like stateful interactivity, because CSS still works. You just have to think differently about how you use it.
One of the nicest things about Flash was that you could set your browser to only load and run Flash content after you click it.
I've wondered for a long time if a sort of posh gopher based on markdown with extensions would be able to make a comeback. Especially if it allowed for CSS.
And to be fair it makes a lot of sense because writing HTML templates feels super jank once you've experienced not doing it. Even for a site with static content I would still prefer to deliver it as a static JS bundle and a data payload.
I really like https://docsify.js.org. Gotta be one of the lowest touch libs out there. The whole site from git repo to page one single completely static asset.
EDIT: nope, not as implemented in Chrome https://www.jefftk.com/test/webmidi
Edit: I think MDN confirms this, with the asterisk next to Firefox: https://developer.mozilla.org/en-US/docs/Web/API/Web_MIDI_AP...
Edit 2: oh, the tweet shows two prompts, one of them to install the extension, so I suppose that is actually the prompt you're referring to.
That also violates it. Facebook just lost in court in the first instance trying that.
Per-website, for dozens (if not hundreds) of APIs and convenient? These are contradictory :)
There's also the million-markdowns problem, and markdown's HTML embedding. This being Tuesday, I'd start with djot (without embedding), but Wednesday I might go for asciidoc.
It's not that simple though.
If I offer a website in the US, I can collect the info of anyone that visit it as long as I am not breaking US law.
If the EU doesn't like that, then they can block my site.
They claim though that I am subject to their law if I harness the data of Europeans.
Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.
I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do. It would be nice to be able to block web APIs selectively to limit what a JS script can do.
Those incessant RCEs were only due to the sloppy way the Adobe Flash player was written. There is nothing bad security-wise inherent to the SWF format itself.
Ruffle is an open source Flash player in Rust, currently under active development. I'm sure it won't have such problems because 1) it's open-source and 2) it's in Rust, and I was told that anything written in Rust can't possibly have any memory-related vulnerabilities; we'll wait and see if this would still hold true if/when they implement JIT compilation for AS3.
IMO, it should be enough if incognito mode presents an identical fingerprint on everyone's browser.
Looks like Chrome is trying to change this, and is slow as usual: https://groups.google.com/a/chromium.org/g/blink-api-owners-...
It's funny because for anything Chrome deems beneficial to Google they are anything but slow, including shipping APIs that no other browser agreed on.
Google ships 400 new APIs per year. It readily ships API within a month after it spits out a half-prepared spec and asks other browsers for input.
Even benign changes like CSS headline balancing was sent to TAG three weeks ago, and will ship a month from now.
From the outside this is neck-breaking speed with utter disregard for anything. But when user privacy is concerned? Nah, must spend sweet time to do anything.
The "text-wrap: balance" proposal is not new, though? I see it in the 2019-11-13 draft spec: https://www.w3.org/TR/2019/WD-css-text-4-20191113/#valdef-te...
Of course you can. Viewport? Just return fake viewport data containing the most statistically common display properties. Website renders incorrectly? They only have themselves to blame, shouldn't have abused that data for hostile purposes. Data is a privilege, we can and should take it away. Fonts? Just force everything to use Noto Sans or Noto Mono. Everything will render correctly. Maybe the designer's vision won't be fully realized but that's not a problem.
And that's exactly what I'm talking about.
> what about things like viewport size and font rendering?
Not much can be done about viewport size, but a browser could easily ship with 2 fonts (one serif and one sans serif) and only allow access to those.
If users decide they want pixel-perfect display, they can either resize the window to one of the allowed sizes or disable this feature for a specific page.
But also, even if they did, AFAIK browsers still mostly lean on OS text-drawing APIs for font rendering. Text in Chrome on Windows looks different than text in Chrome on macOS, etc. The same pile of beziers, and the same pile of hints, converts into a different set of hinted pixels (and sub-pixels!) when fed to each OS text-drawing API. Especially when those APIs are configured by user settings around subpixel hinting / "font smoothing", and when those APIs are aware of the device being rendered to and so render subpixels differently for high-DPI vs low-DPI screens, RGB vs BGR displays, etc.
The opposite of the RFC approach is the “airy design document written by standards body in reference to nothing, never implemented by anyone” approach; and I know which of the two I prefer.
The problem with having anything in "production" on the web is that you can neither update it or change it because people will rely on it.
The idea behind web standards is that there should be at least two independent implementations, tested behind a flag, with iterations on design, before it becomes a full standard.
Chrome's approach for the past several years has been: spit out a half-completed spec, "ask" other browser for input.... and ship it in prod a month later.
Few people seem to try to reconcile this, since neither side cares about the other.
I personally think that discussion about fingerprinting as raw tech, without mentioning the size of the company collecting the date or the purpose is meaningless, and only leads to a few tech savy users having less data collected on them.
Most people want to use Javascript, use the default setting and not be afraid of clicking on links. I can't really see a good solution without a coordination of regulation and tech standards, so I'm hopeful at least for decent solutions.
Mouse movement data is a fairly potent fingerprinting vector. Bucketing the average spouse speed and acceleration rates could provide provide useful information. This may imply specific OS speed settings, or physical mouse DPI. A machine learning system would likely be able to distinguish traditional mouse, vs trackpoint, vs touchpad, vs trackball. Etc.
Also it is not just bots that have non-human like mouse movement. Many assistive technologies would have no mouse movement, or would auto snap the mouse to relevant spot. That is actually a quite powerful for fingerprinting, since assistive technology users are a pretty small subset of internet users, so only a relatively small amount of additional data is needed to uniquely fingerprint that user/machine.
Edit: The required FaaS implementation is trivial too. I could launch an endpoint that performs exactly this function in 30-60 minutes.
Totally agree that this is perfectly within the government's purview, and they should be doing something about it. But, as with anything else in the US, until a Fortune 100, some few 1%-ers, or the deep state MIC wants it, we're not going to be getting it.
I thought having an ad campaign that targeted subgroups very specifically and boldly might be enough drum up public interest. Something like: “Hello $name from $city. How did $recent_embarrasing_purchase work out? I hope you enjoy your birthday in $birth_month.” And then a link to the proposed policy.
Unfortunately, marketers have neither scruples nor the ability to control themselves and have captured an asymmetric advantage. Technologists do what they do, preoccupied with whether or not they could, not stopping to think if they should. It seems like legislation may be the only remaining option.
I have five different browsers on my smartphone and three on the PC all sans JS and none of them are Chrome. Also, normal operation is to automatically delete all cookies at session's end.
My smartphone and PCs are de-googleized and firewalled and I never see ads in my browsers nor in apps. The apps are mainly from F-Droid and sans ads and the few Playstore ones I use are via Aurora Store and are firewalled from the internet when in use. Honestly, I cannot remember when I last saw an app display an ad, it has to be years back.
In the past I used to go to more extensive measures to stop the spying but I found it was unnecessary as the spy leakage was essentially negligible with much less stringent efforts.
It's pretty easy to render one's online personal data essentially wothlesss if one wants to. On the other hand if you insist on using JS, Gmail, Google search, Facebook etc. then you're fair game and you only have yourself to blame if your personal data is stolen.
Examples include the back button, uploading photos on some websites uploads random data instead of the photo, etc.
_______________________
0. https://www.bleepingcomputer.com/news/security/researchers-u...
> For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time.
EDIT: Note that you can do BOTH - but one without the other is just a game of whack-a-mole.
I use fingerprinting actively in enterprise apps as a form of silent 3FA. It's a useful backstop. If I have a user who forgot their password but retrieves it via email, I'll usually let them pass if their fingerprint matches one of their priors; otherwise my software shoots off an email to their immediate superior to make that manager validate that the machine the employee is using is one they can vouch for.
I've always viewed browser fingerprinting as something that can be leveraged as a security feature. It's far more useful for that than for some sort of distributed tracking. I'd never want to live in a world (ahem ... China) where submitting to such fingerprinting actively was mandatory, or politically punishable if you didn't. No society should be run like an employer/employee organization with that sort of lack of trust. No sane free person would allow their own browser to transmit a fingerprint. But for employer/employee systems management? It's a great tool in the box.
* https://addons.mozilla.org/de/firefox/addon/canvasblocker/
which prevents fingerprinting via Canvas elements, additionally warns you if a site does it. There are more sites out there than you would assume. Some stupid blogs even.
* https://addons.mozilla.org/en-US/firefox/addon/multi-account...
This splits your tabs into different categories, each with their own cookie storage.
The fingerprinting website in the article didn't manage to correlate me visiting the website concurrently from two distinct container tabs.
But that's merely because of the canvasblocker (or something else you have), because just separate containers doesn't cut it?
For instance it claims iOS is 4.63% of users and Safari is 3,42% when all other more complete statistical sources put those numbers at closer to 20%-30%.
If it changed with every call they'd just block you as a bot.
The more you do to prevent fingerprinting the more you hobble the web as a platform. A lot of restrictions that got placed on the canvas tag to help prevent fingerprinting for instance really limited its functionality.
In my opinion a workable solution would be to make more of these things opt-in by the end user to high accuracy data for the page.
There is a price, of course. Lying about screen resolution might mess up how the website looks. Lying about which fonts are installed might make the site a bit uglier.
> The IPv6 Privacy Extension is defined in RFC 4941. It is a format defining temporary addresses that change in regular time intervals; successive addresses appear unrelated to each other for outsiders and are a means of protection against address correlation. Their regular change is independent from the network prefix; this way, they protect against tracking of movement as well as against temporal correlation.
The false positive and negative rates are reasonable, and false positives (new customer seen as returning) could be further reduced by browser feature testing.
For example
chromium-browser --user-data-dir=/tmp/profile_A
chromium-browser --user-data-dir=/tmp/profile_A --incognito
chromium-browser --user-data-dir=/tmp/profile_B
chromium-browser --user-data-dir=/tmp/profile_B --incognito
For each command + its incognito it can detect them as separate profiles.
For ultimate privacy one needs to everytime launch browser with a new profile.
Public knowledge is far behind the actual capabilities in practice.
The worry would be that the hash is unique to me (i.e. a fingerprint), but I don't see the evidence that it is.
It matters more how unique your fingerprint is than how consistent or reproducible it is. Just testing if you get the same fingerprint back on your second visit doesn't tell you much if you don't know how many people "share" your fingerprint.
As a silly example, if you gave all users the same fingerprint, it would be very consistent but also useless as a tracking method.
You'd have to mask every informational API with a suitable corrupted alternative that is plausible.
https://coveryourtracks.eff.org/
I use a lot of browser extensions. Unfortunately, this makes my browser easily identifiable.
Is it possible you had set the zoom level previously, which the browser remembers between sessions, and turning off the tracking reset the zoom to 100%? Do you have any extensions like Greasemonkey or Stylus for per-site customisation?
The fingerprinting discussion is relatively new. The first research paper’s author is only 35 or so. (Its title is Cookie Monster.) The discussion is also a little amusing on a site like Hacker News. A perfect example of someone who’s easy to fingerprint is someone who built their own computer (likely to be found on HN). On the opposite end of the spectrum, Safari iPhone users with the same model are impossible to distinguish.
There’s a paper out there where the researchers worked with a public entity’s website to get more accurate fingerprinting data. There are very few unique fingerprints in reality and therefore no reason for any company to track them. This tech probably won’t ever identify users uniquely.
There are actually some positive aspects of fingerprinting. Tor leaves a very obvious fingerprint, and it’s easy for banks to detect its use by criminals.
Given how companies have completely and utterly ignored the idea of consent banners, I am deeply disinclined to believe that most companies would ever actually be satisfied with a user controlled choice in the matter. Where we actually are is that companies will relentlessly attempt to stalk everyone all the time no matter what, and in face of that the only sane conclusion is that in practice tracking is bad and we should shut it all down.
This isn't a situation where one rotten apple spoils the whole bunch, it's more like one good apple inadvertently was dropped into a toxic cesspool of rotten apples.
This makes it exceedingly hard to hide from such a filter, because in communicating with these sites, you are bound to reveal at least some information about yourself. And then the "likelihood-machine" does the rest by connecting the dots, even if you gave them "fewer dots."
It's also quite interesting - or perhaps chilling - to see how fingerprinting through NLP and other language tracking algorithms can also track just about any forum post you do, even if you're using a pseudonym.
[1] https://signal.org/blog/the-instagram-ads-you-will-never-see...
Techie people are convinced non-techie people don't know they're being tracked. They do! Ask your smart non-techie friends what they think about online privacy. I guarantee you they'll say something like "yeah, I know it's probably tracking me, but whachya gonna do".
Thanks to this disconnect, we have so many privacy campaigns with a message like "Did you know you can be uniquely identified on the web?", but so few (none?) that actually proceed to explain why that's bad, and what someone could do with that information. That's the missing piece. Give average people an actual reason to dislike or fear tracking, not just the mere curio that it exists.
edit: It is still impressive. Even with the firefox settings on, the website was able to identify me. I am not entirely certain how I want to approach this.
None of these should be available to websites by default. The first two come from simpler times when people were not as concerned with privacy implications. The third has been and continues to be pushed by advertising companies (Google, Apple, Microsoft).
So quick update since I am mildly obsessive.
I was sure it was either GPU, CPU or addons that were giving me away ( I do have a mildly unique setup ).
I ran few tests in VM and the moment I dropped GPU passthrough ( left CPU passthrough ), I was no longer ( based on that website anyway ) tracked across sessions.
In other words, cat and mouse game continues.
I know what to think about this… I fucking hate it.
FTFY: People already know; nothing will change.
Many of the things that are happening (at least in the US) are deeply, deeply unpopular, but are not changing, and show no signs that they are even susceptible to change. Fortune-sized companies, the 1%, and the deep state are calling the shots, despite how much can be seen in real time, through things like Twitter and TikTok. I've actually had to pull back from Twitter because of all the things that are obviously beyond the pale, yet will never change. (Snowden, Assange, et. al.)
This has been tried by a guy who placed Facebook ads like these. FB blocked his account in a few hours.
So good in theory, wont work in practice
People are such dumb fucking cattle that they'll lash out at you rather than the data brokers or the software vendors who ratted them out though
Not only that, but they might have a legal case against you. I've been slowly working through Seek and Hide: The Tangled History of the Right to Privacy, and my main takeaways have been:
(1) The constitutional right to free speech and a free press is not as broad as most people probably think.
(2) Truth is not necessarily an air-tight defense in a case of libel, as courts at various times and places have decided against publishers for true but embarrassing things intended to humiliate or harm.
They describe their approach[1]. They use HTTP headers and conditional request triggered by CSS conditional media queries to gather data. Something like @media(...) {background: url(/tracking/$clientid)}. But in principle, they could also try and fingerprint the TCP/IP stack or the TLS implementation. I'm not sure it would get them more data than OS+Browser, though.
[0] https://noscriptfingerprint.com/
[1] https://fingerprint.com/blog/disabling-javascript-wont-stop-...
I didn't detail every protection I've put in place or the post would have been too long. However, I'd suggest that spreading my browsing over at least eight browsers (and I actually use more than two machines and do so at different locations and with different ISPs) effectively reduces my profile across the net.
I also use randomized browser user agents and clean links, occasionally I'll even cut-and-paste links between multiple browsers in a single session. I often do this on HN not to hide from HN but for convenience when multitasking. (Having worked in surveillance professionally, this modus operandi just comes naturally, it's now second nature for me to work this way.)
Working with multiple browsers and multiple machines also solves the problem when on rare occasions I have to use JS. That said, I never watch YouTube with a JS-enabled browser, instead I'll use NewPipe or similar. There are other measures I could list but you get the idea. Oh, and I never use the internet on a smartphone with a SIM enabled, instead the SIM resides in a separate portable router and my 'real' phone is a dumb feature phone, it's only capable of making phone calls.
I really don't care if some stuff leaks but I've satisfied myself it's pretty trivial, as frankly, I've not had one indication over the past 20 or so years that I've been targeted as a result of fingerprinting. It's not necessary to make things completely watertight, I'm not trying to hide from the NSA or GCHQ, etc. (and it'd be unsuccessful and a complete waste of time to bother trying).
Moreover, even if something were to leak, I'm simply not a revenue-making target—that means I never respond to any targeted marketing because I simply never receive any.
I also notice that the no-JS hash changes when I move the window to a different monitor.
For example: I have set up the systems of family members for whom i am some sort of digital janitor with a nice collection of firefox plugins to get rid of the worst offenders.
If you continue to willingly use socials like FB, TikTok, et al, your complaints about stolen personal data fall on deaf ears. Show me that you don't have those apps installed or do not visit their websites, then we can talk about being serious on deserving to not have data stolen.
Right, it probably is. But the issue of stolen personal data has been around for so long that nontechnical people have had years to develop political lobbying and to swing elections to put a stop to it.
The fact is that most people don't give a damn about such matters, if most did then the problems would be behind us by now.
Thus, unfortunately, with the internet it's every man and woman for him or herself. QED!
At this point I'm 100% OK with us being the only ones able to protect ourselves. We warned them and they didn't care. Allow them to remain uncaring. We don't have to help everyone. People must want to be helped.
Nobody said that. "My defenses work" != "my defenses should be necessary".
Surely there could be valid reasons for doing so?
I imagine for example that:
1. It ensures the selected file is a valid image before uploading it
2. It strips meta data like GPS position from the image before uploading it
3. It could reduce the size of the image, by either scaling it down, or compressing it more, or both, before uploading it
Or it might not be strictly necessary, but Instagram does it anyway.
No, this is how most pre-upload image editors work. Why upload a 5MB avatar photo that's you're going to have the user crop and scale on the client-side to a few hundred KB first?
Using canvas for this is much more friendly to their bandwidth, no nefarious intent needed.
(I'm guessing it was too much implementation work to separate out this feature: to preserve normal, expected UI behavior client-side, while presenting a fake pagezoom value to scripts. That would degrade only a handful of (poorly-designed, script-layout) websites, rather than the whole accessible browser experience).
I really like the idea behind this feature, but it seems the Web API might have become too complex to counteract bad actors like this. It's particularly scary that it can correlate your activity in private mode with your identity in normal mode.
It was in the early 2000, and smartphones weren't a thing. It also was a time where companies were paranoid into letting employees access the internet, but at the same time had abysmal security. By that I mean viruses ran free on shared folders, undetected because their antivirus software was years outdated. Very different times...
"Mail for you, sir!"
Granted, the enforcement should be stepped up.
Example please
The burden of proof is on the claimant, and with proper information control you can't ever meet that burden of proof. It becomes an ant versus a gorilla instead of David vs. Goliath.
Tell me, how do you differentiate a simple random alpha-numeric string from another random string that may have been generated as a fingerprint.
Mathematically do you think there's any way to actually prove one way or the other? If not, how would that bias the system if the person is adversarial and lies.
The only way to prevent this is to make sure the information is nonsensical.
Preventing collection would identify you in a way that they can prevent access. Even though websites are public, you see this happening with any captcha service.
Might be my European outlook, but consumer law has been stupidly effective at curbing abuses from companies here and was much more effective than playing the technology race USA is trying to fight. There's always a next side-step, the next abuse a company can invent - and you keep trying to push the responsibility of avoiding it to users (by adding more and more onerous technology) instead of punishing the abusers.
FTFY?
[edit] also, the less trivial it is, the better for corporate security.
That said, fingerprinting is only useful as a third security measure because most people don't understand its mechanics. The mechanics of avoiding being tracked are pretty basic. If our country required browsers or computers to transmit their fingerprint, people would find ways around it and it would stop being useful as a security metric.
Put another way, the moment this becomes a feature of an oppressive regime, it's one of the easiest things to work around. The obscurity is what makes it remain somewhat useful.
(2) The server gets sent your password every time you log in. You shouldn't rely on a server operator not knowing your password.
(3) You can tune how sensative the system is in response to changes in the fingerprint. Even if their in a failure to match that just means authentication will be extra strict.
Atleast they can use this to prevent reCaptcha - and make passwords disappear!
TEMP_DIR=$(mktemp -d /tmp/chromium.XXXXXXX) ; /usr/bin/chromium-browser --user-data-dir=$TEMP_DIR
At the end as other say they use hardware information + IP + other stuff. It is a lost battle.
It's certainly a mystery, because you'd expect any capability fingerprinting (some combo of UA, extensions, CPU/GPU specs, IP etc) to give an identical result between profiles, so it does seem there's some per-profile difference. But I can't think of any browser API that exposes something like an ID...
So if I fingerprint you on a site which is using my commercial fingerprint service, then I can sell your hash to other places and tell them all about your browsing habits. The more places run my fingerprinting service, the more data I can collect on you.
The first time I heard about fingerprinting was with EFF's panoptoclick, which stated how many hashes had been generated from visitors, and how many you shared with them.
The worst part of this? Trying to hide from fingerprinting makes your fingerprint more unique
Didn't seem so in the experiment in the article.
Sure they'll be able to place you in the bucket "tor user", but is that really more narrow than what you'd get without Tor?
However, I doubt that's a problem in practice. I'd assume these finger printers know what they're doing. It certainly seems so.
How could one make an experiment collecting lots of these finger prints and determine the false positive rate?
Some people want to do those things and for very specific websites. Most people don't even know what MIDI or serial ports are.
Settings > Safari > Advanced > Experimental Features
Brave browser, no VPN, they recorded one visit, one IP.
Brave browser, no VPN, incognito, they recorded two visits, one IP.
Brave browser, with VPN, incognito, recorded three visits, two IPs.
I'm pretty impressed / surprised. A fresh incognito session, through a VPN, still matched the same fingerprint. Especially surprising since TFA indicates Brave randomizes the fingerprint. I even changed my fingerprint block setting to "strict, may break sites" and it's still recording the same visitor ID from Brave, even with incognito.
Based on this test I'm surprised Brave's fingerprint resister did not work for you. But on firefox the enhanced privacy protection (strict) and the resistfingerprinting option are two different knobs.
Maybe this is the case with some very complicated SPA type sites, but personally, I've never seen this.
wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" ...
I am continously baffled by how most people just accept media companies controlling the video player you are allowed to use and thereby the UX. Don't let them.
The solution would be dedicated laws that hold the company at the top directly accountable for the actions of all sub-contractor layers, but these laws are rare and often hotly contested (e.g. with a German law mandating responsibility of the top-layer company for wage theft and other labor law violations [1]).
[1] https://www.ihk.de/regensburg/fachthemen/recht/arbeitsrecht/...
But I probably interpret too far here and it seems that in some industries e.g. secret agencies need to use unconventional methods.
Any educated person with sufficient math knows the mathematical structure of a hash will never be unique. Its a Galois field, or 'finite field' after all.
The core of this issue is the flawed but convincing belief promoted by an entire industry that if the probability is sufficiently low, its unique, and following these axioms if its unique its an individual person (eyeball).
Under that assumption, all you need to do is collect fields of information that are variable, and group them together such that it yields to a sufficiently low threshold, I think currently that threshold is about 1 per million. Its a very clever way to defraud advertisers if you think about it. You create an exaggerated market, and charge for each advertisement view.
In my opinion its just flawed thinking but there are some real fanatics out there that subscribe to this dogmatically.
For example applied probability is used as part of the protocol design when accounting for binary erasure channels in things like cell phones. You shouldn't be able to have communications blocked in only one direction, or altered without it being noticeable, but stingrays may have the ability to do this according to the limited documentation that has been released so far.
Probabilities in general have real problems fundamentally with validity. I think the most common approach today is the Axiomatic approach, or the Frequentist Approach, both have significant limitations and often devolve when self reference is indirectly introduced.
So I guess I'll ask, are you a believer?
Maybe these? https://browserleaks.com/webrtc But at least FF in private mode should randomize these IDs on restart.
When people don't understand the implications or full ramifications then governments and lawmakers have to step in as they have a duty of care to protect citizens. It's one of the principal reasons for having government.
There are any number of examples, regulating the use of poisons, putting protection fences around cliff top lookouts, specifying the breaking strain of elevator cables, aircraft compliance design, removing lead from petroleum, and so on.
Unfortunately, governments have failed to act despite many warnings about these privacy matters.
Incidentally, there's an uncanny parallel between this example of governments failing to act even when in presence of the facts and my last example. In 1923 when Thomas Midgley and cohorts—engine makers and petroleum companies—sought permission to put tetraethyllead in fuel governments already knew the dangers of lead poisoning. Not only did they ignore all scientific warnings about the dangers of using the additive but also they embraced Big Business and approved the move at the citizenry's great expense.
As the techno elite, it’s actually our job to create the underlying reality everyone else participates in when using technology. So, it is our responsibility to care, if you care. It’s not theirs - they’re just here for the party. But that doesn’t mean they’re sheep for slaughter, because there are plenty of folks ready to slaughter them for money.
It’s our ability to understand the issues and to actually improve them that uniquely makes it important for us to care. But we can’t expect people to turn off the cat video for long enough to listen to us nerd at them, and we really can’t expect them to do something complex to avoid something they don’t understand or care about. What our challenge is is - how do we improve internet technologies sufficiently that everyone enjoys what we know is important but we don’t require them to care? That’s how you build a better emergent reality.
I’m glad to have had a hand in the Netscape and Mozilla’s launch and have watched Firefox for years with pride. They are the closest to a mainstream any man product that even remotely cares. WebKit safari is a close second. I hope we all find ways to develop the tech platforms that protect as well.
Yes, I'm absolutely sure. Do I really need to justify myself here on HN of all places? On a thread about the fingerprinting implements of the surveillance capitalism industry?
> that doesn’t mean they’re sheep for slaughter
Welp. If they don't want to be slaughtered like sheep, they better start caring then. I'm done with that.
At this point what I really care about is strengthening my own privacy by having more users in the anonymity set. The more indistinguishable users there are, the more effectively we are protected. I figure that if they're apathetic enough to allow corporations to exploit them with absolute impunity, they're also apathetic enough to join the anonymity set. Browsers just need to make that choice for them. It needs to be the new default.
> we can’t expect people to turn off the cat video for long enough to listen to us
I can and I do. What we're saying about this matter is important. People should listen, join the discussion even. When we reach out to people about matters we consider important, we do it with the best of intentions. We expect they'll at least put some thought into it. If not that, we expect they'll at least treat us with some respect, not like some schizophrenic off his meds. Can't expect anyone to continue caring after multiple instances of that.
> What our challenge is is - how do we improve internet technologies sufficiently that everyone enjoys what we know is important but we don’t require them to care?
Someone's gonna need to have the balls to make the choice for them. I don't have the resources to just make a better browser though. I do what I can by installing uBlock Origin on every single browser I come across. Everyone loves it and tells me that the web "feels" much better, though they can't quite explain why.
It shouldn't be confusing because its really fairly simple.
The gist is this... so long as determinism as a systems property holds true in a system, you can leak information by the absence of something when compared to another expected thing. This is how inference works in many respects, you have properties and you can deduce or infer from whether those are present additional information that is not necessarily given.
Most gifted problem solvers probably couldn't tell you that is what they are doing because its unconscious often a result of years of observation.
Computers fundamentally require certain system properties such as determinism to do work in the first place, and you can inject non-determinism into those processes in ways that won't break underlying subsystems as long as its within an expected range and that can make it indeterminate. An indeterminate fingerprint is useless.
In the case of outright blocking the code from running, you leak information that you are blocking it by preventing it from running since they expect a range of values back and a null (the response when nothing gets sent back) is itself a value (or state if you want to be technical).
The site then only has to test for this semi-unique case (i.e a null represents a single group of people who are blocking it) and then prevent the site from responding to you. They are the gatekeepers because they control their infrastructure.
Incidentally this is how almost all the Are you human tests work. It collects an intrusive fingerprint, and if its within a range that corresponds to a known user spectrum of values then it allows you to continue to the site.
This is a rough boiled down explanation, it can get quite a bit more abstract and technical when talking about whether determinism is present (i.e. how do you test for it).
Ultimately, if you can understand determinism, you fundamentally understand the limits of computation and how computers work at a barebones level. It also gives you the ability to find whether certain types of problems are impossible (and thus you don't waste your time on them, or unproductive avenues).
In principle you could build a browser that - to a good approximation, you will, for example, realistically not be able to prevent timing leaks - does not leak any information about the system it is running on, just isolate it from the host system. With more effort you could let details about the host system leak into the browser but not out into the network. Well, some information has to flow from the host system into the browser and out over the network, for example key strokes and mouse movements, otherwise you could not do much with this browser.
So you could still try to fingerprint users by their choice of words, typing patterns and things like that, maybe made a bit harder by filtering out high frequency timing information. But at least one could no longer simply fingerprint the host system. Which would again be a trade-off, your screen resolution is not only good for a few bits of a fingerprint but can also be legitimately used to serve content at a proper resolution.
As for the effectiveness of blocking what they are doing, you can block them by giving them bogus but plausible data. There's a range of accepted values for those interfaces. If its within that range, they can't tell the difference, but their entire assumption is its determinate, when it can never be determinate because a hash is a finite field.
Their assumption is based on applied probability which has validity issues in an adversarial environment.
Neither requires solving the halting problem.
No, I don’t care about the one time you downloaded a gentoo iso over tor.
So carriers (ISPs) still would need to do NAT, the RFC didn't seem (I skimmed) explicit?
Isn't the removal of processing traffic a large part of the sell for IPv6.
Also, surely the ISP can sell IP-to-user correlation lists as I assume they do now? They can presumably do it anonymously bit with some other party seeking the other part of the data that allows deobfuscation of users (eg to comply with GDRP)?
Only the router needs an IPv6-to-MAC-address map (it always needed that, this was no different with IPv4). The ISP just has a static route that sends all traffic matching the prefix to the router.
With this you can still easily recognize households by IPv6 prefix, but at least you cannot reliably distinguish devices within that household.
They can do subnet to customer correlation. The IPv6 is randomly generated by your device if you use SLAAC. But if your ISP is an adversary you have pretty much lost anyway. If they provide you with a router they can see all devices in your network (MAC and hostname) and they could also map certain devices to certain port ranges and sell that too.
AIUI ISPs provide a fixed prefix to customers. So I'd need to look how SLAAC would work if it uses a random IPv6 address; surely your ISP only has allowance to use a limited set of numbers that are allocated to them by IANA or whoever.
Unfortunately, much of that signal persists across sessions as well as websites and can therefore be aggregated into a hash that works as a "super cookie". The signal is based on the device, the connection, not so much the HTTP/HTML you're looking at.
The best approach to mitigate is therefore: adding noise: add random gibberish to User-Agent, tunnel IP though VPN/NAT, lie about codecs or screen resolution.
While that degrades user experience, it give no guarantees to actually preventing fingerprinting. So, the good news, if that fingerprinting is hard too, and doesn't work as well as is usually claimed!
Compare that to tracking users across multiple sites for proper signal without randomization.
Asking for users permission should and is slowly becoming the default on phones as well.
More importantly, was he charged and convicted with anything?
I am getting really tired of this public opinion tribunal, where mere accusation is enough to get a person out of their position. This is not how this is supposed to work at all.
The only questionable thing he did was try to rationalise pedophilia, which he has since changed his mind about. Given that he's clearly _not all there in the head_ (i.e neurodiverse) and assuming he hasn't tried to access child pornography or similar I couldn't care less. All of the other accusations against him are nonsense[0] and all center around unsubstantiated rumors of him being a "creep." People being anti-Stallman is insane to me considering how much he has contributed and advocates for not only free software but also gender equality.
[0] https://stallmansupport.org/debunking-false-accusations-agai...
The disingenuous nature of this all is why he's back in his foundations again.
No, I was referring only to my own legislators (in the US, and not specifically California). Many other places in the world are doing better.
Websites don't need cookie consent dialogs if they only use cookies to do things that don't need to be consented to, like providing the service they are offering. Look at Apple's website, they don't have any.
My other argument is, if you detect DNT, the cookie consent dialog shouldn't be shown at all.
It looks like it is using heavy obfuscation.
.... adGuardGerman:[u("LmJhbm5lcml0ZW13ZXJidW5nX2hlYWRfMQ==") ....
I see things hat look like font fingerprinting, CSS, Apple pay detection, ... , msPointerEnabled, ..., webkitResolveLocalFileSystemURL, ... cookie settings... ... used mathematical library (sinus, cosinus, ...) serviceworkers, ...RTCPeerConnection, hardwareConcurrency,
Maybe we could dissect it and analyze the full list?
At some other place, they documented e.g. you can get the light/dark theme information out of the CSS. Doesn't even need JS to do it.
Machine-ID in /etc being one, but there's various other items that can be used in the same way from d-bus activation, and something like 20 different other places, another large number in snap.
(2) The server gets send the password via the default communication channel, the browser, TLS hopefully, not via e-mail, possibly into an inbox, that is third-party controlled (say some google mail inbox for example).
(3) That does not make it right. Did they even ask the users for their consent? Did they learn anything from GDPR or in general discussions about consent? Or are they just a higher being, allowed to decide for their users, what data about them they track?
Many things can be done using technology. The question is always: Should we do them? That is a question about ethics, not technological possibility. We already have far too many businesses not caring about ethics at all, we do not need any additional ones.
(2) That is how it usually works.
(3) You can collect the information for security purposes just fine under the GDPR.
Providing a better user experience while maintaining a similar amount of security is a net positive
(2) Are you missing the point? "That is how it usually works." -- So why then send a password to an e-mail inbox, like I said a location often controlled by third party and often one with no good record of respecting privacy, if you can completely avoid that?
(3) OK, seems like we did not learn about consent. Why don't you ask your users, whether they are OK with it first, instead of assuming and basing on what is legally possible? Is ethics something too far out of reach?
Lastly a word about what you call security: Your so called security is observed often enough to result in inaccessible accounts. "Extra strict" usually means something along the lines of "oh, now I am going to require your phone number, to send you a message on a second channel to make sure" or "solve these captchas for this untrustworthy third party provider and I will trust their word about you having solved it correctly" (again being tracked of course ...) or similar things. Again circumventing consent, because now it becomes an extortion, extracting more personal data, so that the user can access their account. Your so called security makes for a real shitty user experience and punishes the user for ever switchting their browser.
So what does your "extra strict" mode entail? How are you going to be "extra strict", without any extortion? Are you implementing your own captachas by any chance? Or something similar?
Yes they get a /32 by default (at least in RIPE) larger allocations need justification. But there are 2^32 /64 subnets in a /32 so every ISP gets a complete IPv4 internet of /64 they can assign to their customers at will. Your devices assigns itself a random IP address from that /64 network your ISP gave you via prefix delegation.
Regardless it's still adding an extra bit of information leaked, so you may as well forge a common value rather than make something new up.
That, or the game against pervasive web tracking is lost.
It doesn’t matter if you are using a VPN or Private Browsing mode, they can accurately identify you.
Also note that VPNs does not help with fingerprinting. They only masks IP address.My point was that fingerprinting is much more practical and useful as a positive form of identity verification than it is as a tracking device, as long as it isn't (and hopefully never will be) mandatory to lock into browsers.
And as for this
> using a VPN plus a fresh VM running Ubuntu can mostly do the trick. In a pinch, just keep a few different versions of various browsers around when you plan to surf a site that you don't want associated with you. Or change your screen resolution or turn off your fonts
How do you plan to do all that on your mobile device for example? Fingerpirinting is a problem exactly like invasive tracking is a problem.
Cliche example/ I want to be able to buy a pregnancy test online but don’t want that information shared and re marketed to me. There is plenty of stuff like this. The impact of privacy violation is small and often boring but on aggregate corrosive to public discourse and individual wellbeing.
Browsers should ensure all <canvas> operations produce identical results across platforms and hardware, and anything in the spec that prevents this should be removed from the spec.
Now, I recognize some of that functionality is handy for certain apps. In that case do like Android and put it behind an opt-in API, so the user can deny.
Basically I think browsers need a "web app" mode and a "surf mode". Just using visiting my local news outlet shouldn't require all the fingerprinting stuff.
Agree. It will be hard to define a standard for "surf mode", but in addition to privacy benefits there would be security benefits for the browser container as well.
You would basically have to kill all hardware accelerated features and run everything in an interpreter. Also make sure that turbo button is set to slow, to get consistent behavior across all CPUs.
The only real way to prevent finger printing is to lock these features away by default and force websites to beg for every single one of them, not a "accept all" screen, make the process so painful that 90% of users would rather avoid those abusive sites entirely, basically the same dark pattern shit every site pulled with the cookie and GDPR accept popups, just in reverse.
The biggest reason is if course cost saving. Store and transfer smaller images. This could be done client side with a server side check on max size.
Another big reason is metadata stripping. Both to protect the user (can be done client side) and to avoid unintentional data channels being provided.
Another reason is to avoid triggering exploits. If a major browser has a JPEG rendering exploit Facebook doesn't want you to be able to pwn everyone who sees your post. By using a trusted encoded it is very likely that the produced image is more or less following the standards and not likely to trigger any exploits (as exploits usually require invalid files).
iPhone defaults to uploading a large image which can take ages to upload. We implemented a canvas based solution which sends a base64 string representing a compressed image and reduced the upload file size by about 90%. We don't need high quality original images in the backend.
I may have missed a trick, this has been in place for a few years now but at the time I couldn't find a better solution.
Neurodiverse people are "not all there in the head"?
gtfo.
It's exactly this eggshell stepping that people are expected to adhere to that has people treating him the way they are.
Fingerprinting is inherently opaque. That's why it's such a good third level security measure. It's a lot harder to spoof and, if someone tries, a lot easier to isolate the attempt.
Fingerprinting is by definition a lot more imprecise and vague. It's always going to be an issue if surveillance networks use it to pick out individual users. Whining about that is useless. It's also a valuable security tool and part of the landscape. Do with it what you can.
If they don't care about privacy, they don't deserve it.
Ask yourself how long have those consumer laws been in effect. Has this technology problem progressed during that time (increased or decreased). Have the fines against the large tech companies actually been collected and were they sufficient to curb that behavior or are they still being administrated or adjudicated (decades later)? Have the large tech companies provided all of the information they collect for review (including the intermediates they generate from processing for derivation internally, in a way that discloses all the ways they use it), or did they only provide a plausible alternative, or just the base information collected without explanation. Do you have a way to prove its the former and not the latter?
I'm sure consumer law has been effective at eliminating the provable abuses domestically. If they were effective internationally, why would the problem be progressing to ever more complicated ways of ubiquitous tracking (which are against that law), or even domestically for those multinationals.
Its business as usual and these people know centralized power structures suffer structurally from corruption and malign influence, and as a market force they exploit that.
There's enough money in people's futures that no fine will actually solve the issue because fraud gets baked into the process. Privacy, communication, and agency are what largely compose people's future.
Due process from corporate sovereignty guarantees they can draw it out as long as they need to while continuing to make money off their actions, both increasing costs to regulatory (as a resource drain), and increasing revenue.
The real cost is borne on either the individual or on the public, and corporations have incentive to lie in ways that are difficult or impossible to prove. A lie of omission, is a lie.
In my opinion, for certain critical societal protections, its necessary to have a guilty by default, for 'people' whose only possible motive is profit incentive. The corporations or the firm are considered people in most locales, but they only adjust behavior based on profit or future profit (through monopoly).
Placing the burden of proof on the company to prove they are complying, instead of compliant with good faith protections by default, would eliminate most benefits they might receive from deceit, or lying through omission.
Am I correct?
Granted, I didn't go directly to the regulatory site because who can sit down and analyze multiple legalese documents that have thousands of pages with crossreferencing requirements.
- living in the UK, I barely ever receive spam calls or messages. I can be reasonably sure that companies don't sell my contacts to third parties, I can withdraw my consent to marketing communications and spam will stop, I did it multiple times. My American friends seem to have way more problems with that, to the extent of buying burner phones to buy insurance. Considering that the tech is exactly the same across the pond, the difference is entirely in the legislation and consumer protection.
- cars became much cleaner and more efficient over the last three decades thanks to the ever ratcheting Euro standards. I only need an old car passing by to be reminded of that, you can just smell the difference.
- my broadband connection has a minimum average speed guaranteed by law, which protects me from the line being oversubscribed. This actually works, and a friend of mine got a sizeable compensation for a period when they didn't get the full speed.
So consumer laws work, and saying that enforcement can't be done is a bit of a post-hoc rationalisation. It is true that GDPR can and should be enforced harsher, but it's just one example in a long and successful history of consumer protections.
As for cars, how do we know that's true. There was Dieselgate, but from what I've heard they only got them because of whistleblowers.
Many VOCs which these laws are designed to reduce are odorless. The ones are visible are larger particle size and generally less of an issue from an environmental perspective from most accounts.
How did the EU cookie laws and GDPR solved this problem? It's as widespread as before, except that now you are annoyed by prompts too.
We need better regulation to temper capitalism.
You've misused that term.
We need limits to prevent capitalism from doing its worst.
It's only fair that we all live and work with the same limits.
This is the type of regulation that is necessary.
Parent explained that the base64 encoding held compressed data.
> Making the standard is easy, it is getting anyone to follow it that is difficult
That's my point, those two parts aren't disconnected. The standard isn't useful (or a standard really) until people follow it, and in this case that's most of the internet connected world. Both people building for the a new default subset, and users accepting a default subset with opt in "web app" bells and whistles.
Without removing JS, in my head it's along the lines of starting with a freeze of a current ECMA version, define the API's that are stripped out, force low fidelity timers, remove JIT, limit some cross origin options. Stop adding shiny new feature's every 8 weeks. Keep it there for 3-4 years. Or maybe a similar concept with a WASM container when it gains some browser usefulness. Then there's the html and css subset too. So, defining that stock subset navigator at the right level is what I see as the "hard" part.
I think the lack of buy in is because the people who would need to buy in are the ones pushing the tracking. Rather than a new standard something like a directory of sites that work well without javascript (and search engine just searching those sites) with enough people using it for it to be an advantage to be listed seems to me to be more likely to be effective.
Finally, you can see it numbers: https://www.asm-autos.co.uk/workspace/images/yearly-co2-emis...
There is no fundamental reason why all those changes had to happen, it wasn't the market driving them. It was the regulation.
With a technique which you described, you could probably abuse a phone with this SIM as a "free" hot spot with infinite data.
So it costs at least 83 cents per month. Still might be worth it compared to the insane mobile data charges here if you can get a usable bandwidth. I suspect in practice they will just ban you if you abuse it like that.
In the early 2000s I was working at an insurance company. They used some kind of blocker in their outgoing firewall that prevented access to certain sites. At one point the blocklist included sourceforge, which threw my team's work a wrench because at the time a lot of the packages we depended on were hosted there. It took a few days to get that removed from the blocklist.
This same insurance company shut down for multiple days when a virus, I think it was ILOVEYOU, infested their email system so bad that nobody could work, and everyone (except the poor IT folks) got a long weekend. And then a while later, it happened again, but with a different virus, possibly Nimda. The company was very bad about updating its systems, and even in 2003 most users were stuck on Win95.
I recall we had a crappy firewall that would collapse under the load of NAT for the 100ish employees and so executives got static IPs mapped to their machines. The late 90s and 00s were crazy.
In my Uni days, all our department's machines had public IPs; no NAT, no firewall(!)
So much simpler to able to telnet, FTP and/or remote desktop straight from home to the office :)
At least it taught me how to detect attempted hacks early because every machine had to be monitored for attacks.
I just looked and they still have a /16 (65k public addresses). This is for a school that has maybe 15k students, not all of them living on the campus. And I’m sure most of the computing takes place in the cloud now anyway.
I know there are a lot of places who were on the Net early besides the military that have excess address capacity.
I have been browsing with JavaScript disabled by default for the past 6 months. Based on my experience, no-JavaScript ads are rarer than four-leaf clover.
But if you never see ads how do you sell ads to them and how do you meaningfully discover enough about the person to feed them valuable ads?
then you are not safe by just turning off JS.
And of course its not enough, but the situation is even more hopeless with JS on.
That's adorable. I guess you're not old enough to remember when we used to track people with things like invisible pixels. Or todays equivalent: testing CSS parameters.
Neither require JavaScript, and there are a hundred other non-JavaScript methods.
In the era of CGNAT that means you now only know which city I'm from and whether I use Chrome or Firefox. People mostly use browsers in maximized and resolutions are relatively standardized nowadays.
Compared to the data you get from canvas and webgl, that's much less unique.
(Aside: this mobile navigation is, incidentally, the worst implementation I have ever encountered: instead of twiddling some classes or such, which would happen instantly, it makes an HTTP request that responds with the new navbar. For me, this means at least half a second’s latency on clicking the button, more if time has passed so that the HTTP connection is no longer open (1.5–2 seconds). It also fails the no-JS test, as the unintercepted form-submit just serves the page with the closed mobile navbar again, not switching out the navbar as I expected it might, and which would have been enough to avoid an unconditional “worst implementation” award. Sorry if you made this and it hurts your feelings, but… ugh, this is just a baffling misapplication of hx-post and naive Tailwind use, and just unconditionally a bad approach.)
Edit: better link which shows what I suppose you probably meant: https://once.getswytch.com/app
It’s mostly a tech demo, so the things it does are intentionally weird/strange.
Not true. Especially if you mean a default browser with Canvas/WebRTC APIs enabled.
It is much more difficult for fingerprinting companies to get a high entropy fingerprint from a no-JS user.
IMO the GDPR is good. But… it is poorly understood by many affected people . IMO if a law is poorly understood by the people it affects, then one should assume the law to be at fault, not the people. IMO it's good but I'm not happy.
4×IMO! Wow.
You are assuming that it has to be either of them who is at fault. In reality there are third-parties who have been spewing FUD in order to confuse people about the law.
