Few people seem to try to reconcile this, since neither side cares about the other.

I personally think that discussion about fingerprinting as raw tech, without mentioning the size of the company collecting the date or the purpose is meaningless, and only leads to a few tech savy users having less data collected on them.

Most people want to use Javascript, use the default setting and not be afraid of clicking on links. I can't really see a good solution without a coordination of regulation and tech standards, so I'm hopeful at least for decent solutions.

Mouse movement data is a fairly potent fingerprinting vector. Bucketing the average spouse speed and acceleration rates could provide provide useful information. This may imply specific OS speed settings, or physical mouse DPI. A machine learning system would likely be able to distinguish traditional mouse, vs trackpoint, vs touchpad, vs trackball. Etc.

Also it is not just bots that have non-human like mouse movement. Many assistive technologies would have no mouse movement, or would auto snap the mouse to relevant spot. That is actually a quite powerful for fingerprinting, since assistive technology users are a pretty small subset of internet users, so only a relatively small amount of additional data is needed to uniquely fingerprint that user/machine.

Edit: The required FaaS implementation is trivial too. I could launch an endpoint that performs exactly this function in 30-60 minutes.

Totally agree that this is perfectly within the government's purview, and they should be doing something about it. But, as with anything else in the US, until a Fortune 100, some few 1%-ers, or the deep state MIC wants it, we're not going to be getting it.

I thought having an ad campaign that targeted subgroups very specifically and boldly might be enough drum up public interest. Something like: “Hello $name from $city. How did $recent_embarrasing_purchase work out? I hope you enjoy your birthday in $birth_month.” And then a link to the proposed policy.

Unfortunately, marketers have neither scruples nor the ability to control themselves and have captured an asymmetric advantage. Technologists do what they do, preoccupied with whether or not they could, not stopping to think if they should. It seems like legislation may be the only remaining option.

[1] https://signal.org/blog/the-instagram-ads-you-will-never-see...

Techie people are convinced non-techie people don't know they're being tracked. They do! Ask your smart non-techie friends what they think about online privacy. I guarantee you they'll say something like "yeah, I know it's probably tracking me, but whachya gonna do".

Thanks to this disconnect, we have so many privacy campaigns with a message like "Did you know you can be uniquely identified on the web?", but so few (none?) that actually proceed to explain why that's bad, and what someone could do with that information. That's the missing piece. Give average people an actual reason to dislike or fear tracking, not just the mere curio that it exists.

edit: It is still impressive. Even with the firefox settings on, the website was able to identify me. I am not entirely certain how I want to approach this.

None of these should be available to websites by default. The first two come from simpler times when people were not as concerned with privacy implications. The third has been and continues to be pushed by advertising companies (Google, Apple, Microsoft).

So quick update since I am mildly obsessive.

I was sure it was either GPU, CPU or addons that were giving me away ( I do have a mildly unique setup ).

I ran few tests in VM and the moment I dropped GPU passthrough ( left CPU passthrough ), I was no longer ( based on that website anyway ) tracked across sessions.

In other words, cat and mouse game continues.

Some people want to do those things and for very specific websites. Most people don't even know what MIDI or serial ports are.

I know what to think about this… I fucking hate it.

• https://apps.apple.com/nl/app/snowhaze/id1121026941?l=en

• https://github.com/snowhaze/SnowHaze-iOS

  Settings > Safari > Advanced > Experimental Features

FTFY: People already know; nothing will change.

Many of the things that are happening (at least in the US) are deeply, deeply unpopular, but are not changing, and show no signs that they are even susceptible to change. Fortune-sized companies, the 1%, and the deep state are calling the shots, despite how much can be seen in real time, through things like Twitter and TikTok. I've actually had to pull back from Twitter because of all the things that are obviously beyond the pale, yet will never change. (Snowden, Assange, et. al.)

This has been tried by a guy who placed Facebook ads like these. FB blocked his account in a few hours.

So good in theory, wont work in practice

People are such dumb fucking cattle that they'll lash out at you rather than the data brokers or the software vendors who ratted them out though

Not only that, but they might have a legal case against you. I've been slowly working through Seek and Hide: The Tangled History of the Right to Privacy, and my main takeaways have been:

(1) The constitutional right to free speech and a free press is not as broad as most people probably think.

(2) Truth is not necessarily an air-tight defense in a case of libel, as courts at various times and places have decided against publishers for true but embarrassing things intended to humiliate or harm.

I have five different browsers on my smartphone and three on the PC all sans JS and none of them are Chrome. Also, normal operation is to automatically delete all cookies at session's end.

My smartphone and PCs are de-googleized and firewalled and I never see ads in my browsers nor in apps. The apps are mainly from F-Droid and sans ads and the few Playstore ones I use are via Aurora Store and are firewalled from the internet when in use. Honestly, I cannot remember when I last saw an app display an ad, it has to be years back.

In the past I used to go to more extensive measures to stop the spying but I found it was unnecessary as the spy leakage was essentially negligible with much less stringent efforts.

It's pretty easy to render one's online personal data essentially wothlesss if one wants to. On the other hand if you insist on using JS, Gmail, Google search, Facebook etc. then you're fair game and you only have yourself to blame if your personal data is stolen.

They describe their approach[1]. They use HTTP headers and conditional request triggered by CSS conditional media queries to gather data. Something like @media(...) {background: url(/tracking/$clientid)}. But in principle, they could also try and fingerprint the TCP/IP stack or the TLS implementation. I'm not sure it would get them more data than OS+Browser, though.

[0] https://noscriptfingerprint.com/

[1] https://fingerprint.com/blog/disabling-javascript-wont-stop-...

I didn't detail every protection I've put in place or the post would have been too long. However, I'd suggest that spreading my browsing over at least eight browsers (and I actually use more than two machines and do so at different locations and with different ISPs) effectively reduces my profile across the net.

I also use randomized browser user agents and clean links, occasionally I'll even cut-and-paste links between multiple browsers in a single session. I often do this on HN not to hide from HN but for convenience when multitasking. (Having worked in surveillance professionally, this modus operandi just comes naturally, it's now second nature for me to work this way.)

Working with multiple browsers and multiple machines also solves the problem when on rare occasions I have to use JS. That said, I never watch YouTube with a JS-enabled browser, instead I'll use NewPipe or similar. There are other measures I could list but you get the idea. Oh, and I never use the internet on a smartphone with a SIM enabled, instead the SIM resides in a separate portable router and my 'real' phone is a dumb feature phone, it's only capable of making phone calls.

I really don't care if some stuff leaks but I've satisfied myself it's pretty trivial, as frankly, I've not had one indication over the past 20 or so years that I've been targeted as a result of fingerprinting. It's not necessary to make things completely watertight, I'm not trying to hide from the NSA or GCHQ, etc. (and it'd be unsuccessful and a complete waste of time to bother trying).

Moreover, even if something were to leak, I'm simply not a revenue-making target—that means I never respond to any targeted marketing because I simply never receive any.

I also notice that the no-JS hash changes when I move the window to a different monitor.

For example: I have set up the systems of family members for whom i am some sort of digital janitor with a nice collection of firefox plugins to get rid of the worst offenders.

If you continue to willingly use socials like FB, TikTok, et al, your complaints about stolen personal data fall on deaf ears. Show me that you don't have those apps installed or do not visit their websites, then we can talk about being serious on deserving to not have data stolen.

Right, it probably is. But the issue of stolen personal data has been around for so long that nontechnical people have had years to develop political lobbying and to swing elections to put a stop to it.

The fact is that most people don't give a damn about such matters, if most did then the problems would be behind us by now.

Thus, unfortunately, with the internet it's every man and woman for him or herself. QED!

At this point I'm 100% OK with us being the only ones able to protect ourselves. We warned them and they didn't care. Allow them to remain uncaring. We don't have to help everyone. People must want to be helped.

When people don't understand the implications or full ramifications then governments and lawmakers have to step in as they have a duty of care to protect citizens. It's one of the principal reasons for having government.

There are any number of examples, regulating the use of poisons, putting protection fences around cliff top lookouts, specifying the breaking strain of elevator cables, aircraft compliance design, removing lead from petroleum, and so on.

Unfortunately, governments have failed to act despite many warnings about these privacy matters.

Incidentally, there's an uncanny parallel between this example of governments failing to act even when in presence of the facts and my last example. In 1923 when Thomas Midgley and cohorts—engine makers and petroleum companies—sought permission to put tetraethyllead in fuel governments already knew the dangers of lead poisoning. Not only did they ignore all scientific warnings about the dangers of using the additive but also they embraced Big Business and approved the move at the citizenry's great expense.

As the techno elite, it’s actually our job to create the underlying reality everyone else participates in when using technology. So, it is our responsibility to care, if you care. It’s not theirs - they’re just here for the party. But that doesn’t mean they’re sheep for slaughter, because there are plenty of folks ready to slaughter them for money.

It’s our ability to understand the issues and to actually improve them that uniquely makes it important for us to care. But we can’t expect people to turn off the cat video for long enough to listen to us nerd at them, and we really can’t expect them to do something complex to avoid something they don’t understand or care about. What our challenge is is - how do we improve internet technologies sufficiently that everyone enjoys what we know is important but we don’t require them to care? That’s how you build a better emergent reality.

I’m glad to have had a hand in the Netscape and Mozilla’s launch and have watched Firefox for years with pride. They are the closest to a mainstream any man product that even remotely cares. WebKit safari is a close second. I hope we all find ways to develop the tech platforms that protect as well.

Yes, I'm absolutely sure. Do I really need to justify myself here on HN of all places? On a thread about the fingerprinting implements of the surveillance capitalism industry?

> that doesn’t mean they’re sheep for slaughter

Welp. If they don't want to be slaughtered like sheep, they better start caring then. I'm done with that.

At this point what I really care about is strengthening my own privacy by having more users in the anonymity set. The more indistinguishable users there are, the more effectively we are protected. I figure that if they're apathetic enough to allow corporations to exploit them with absolute impunity, they're also apathetic enough to join the anonymity set. Browsers just need to make that choice for them. It needs to be the new default.

> we can’t expect people to turn off the cat video for long enough to listen to us

I can and I do. What we're saying about this matter is important. People should listen, join the discussion even. When we reach out to people about matters we consider important, we do it with the best of intentions. We expect they'll at least put some thought into it. If not that, we expect they'll at least treat us with some respect, not like some schizophrenic off his meds. Can't expect anyone to continue caring after multiple instances of that.

> What our challenge is is - how do we improve internet technologies sufficiently that everyone enjoys what we know is important but we don’t require them to care?

Someone's gonna need to have the balls to make the choice for them. I don't have the resources to just make a better browser though. I do what I can by installing uBlock Origin on every single browser I come across. Everyone loves it and tells me that the web "feels" much better, though they can't quite explain why.

Nobody said that. "My defenses work" != "my defenses should be necessary".

I have been browsing with JavaScript disabled by default for the past 6 months. Based on my experience, no-JavaScript ads are rarer than four-leaf clover.

https://amiunique.org/fpnojs

But if you never see ads how do you sell ads to them and how do you meaningfully discover enough about the person to feed them valuable ads?

then you are not safe by just turning off JS.

And of course its not enough, but the situation is even more hopeless with JS on.

That's adorable. I guess you're not old enough to remember when we used to track people with things like invisible pixels. Or todays equivalent: testing CSS parameters.

Neither require JavaScript, and there are a hundred other non-JavaScript methods.

In the era of CGNAT that means you now only know which city I'm from and whether I use Chrome or Firefox. People mostly use browsers in maximized and resolutions are relatively standardized nowadays.

Compared to the data you get from canvas and webgl, that's much less unique.

(Aside: this mobile navigation is, incidentally, the worst implementation I have ever encountered: instead of twiddling some classes or such, which would happen instantly, it makes an HTTP request that responds with the new navbar. For me, this means at least half a second’s latency on clicking the button, more if time has passed so that the HTTP connection is no longer open (1.5–2 seconds). It also fails the no-JS test, as the unintercepted form-submit just serves the page with the closed mobile navbar again, not switching out the navbar as I expected it might, and which would have been enough to avoid an unconditional “worst implementation” award. Sorry if you made this and it hurts your feelings, but… ugh, this is just a baffling misapplication of hx-post and naive Tailwind use, and just unconditionally a bad approach.)

Edit: better link which shows what I suppose you probably meant: https://once.getswytch.com/app

It’s mostly a tech demo, so the things it does are intentionally weird/strange.

Not true. Especially if you mean a default browser with Canvas/WebRTC APIs enabled.

It is much more difficult for fingerprinting companies to get a high entropy fingerprint from a no-JS user.

Examples include the back button, uploading photos on some websites uploads random data instead of the photo, etc.

Surely there could be valid reasons for doing so?

I imagine for example that:

1. It ensures the selected file is a valid image before uploading it

2. It strips meta data like GPS position from the image before uploading it

3. It could reduce the size of the image, by either scaling it down, or compressing it more, or both, before uploading it

Browsers should ensure all <canvas> operations produce identical results across platforms and hardware, and anything in the spec that prevents this should be removed from the spec.

Now, I recognize some of that functionality is handy for certain apps. In that case do like Android and put it behind an opt-in API, so the user can deny.

Basically I think browsers need a "web app" mode and a "surf mode". Just using visiting my local news outlet shouldn't require all the fingerprinting stuff.

Agree. It will be hard to define a standard for "surf mode", but in addition to privacy benefits there would be security benefits for the browser container as well.

> Making the standard is easy, it is getting anyone to follow it that is difficult

That's my point, those two parts aren't disconnected. The standard isn't useful (or a standard really) until people follow it, and in this case that's most of the internet connected world. Both people building for the a new default subset, and users accepting a default subset with opt in "web app" bells and whistles.

Without removing JS, in my head it's along the lines of starting with a freeze of a current ECMA version, define the API's that are stripped out, force low fidelity timers, remove JIT, limit some cross origin options. Stop adding shiny new feature's every 8 weeks. Keep it there for 3-4 years. Or maybe a similar concept with a WASM container when it gains some browser usefulness. Then there's the html and css subset too. So, defining that stock subset navigator at the right level is what I see as the "hard" part.

I think the lack of buy in is because the people who would need to buy in are the ones pushing the tracking. Rather than a new standard something like a directory of sites that work well without javascript (and search engine just searching those sites) with enough people using it for it to be an advantage to be listed seems to me to be more likely to be effective.

You would basically have to kill all hardware accelerated features and run everything in an interpreter. Also make sure that turbo button is set to slow, to get consistent behavior across all CPUs.

The only real way to prevent finger printing is to lock these features away by default and force websites to beg for every single one of them, not a "accept all" screen, make the process so painful that 90% of users would rather avoid those abusive sites entirely, basically the same dark pattern shit every site pulled with the cookie and GDPR accept popups, just in reverse.

The biggest reason is if course cost saving. Store and transfer smaller images. This could be done client side with a server side check on max size.

Another big reason is metadata stripping. Both to protect the user (can be done client side) and to avoid unintentional data channels being provided.

Another reason is to avoid triggering exploits. If a major browser has a JPEG rendering exploit Facebook doesn't want you to be able to pwn everyone who sees your post. By using a trusted encoded it is very likely that the produced image is more or less following the standards and not likely to trigger any exploits (as exploits usually require invalid files).

iPhone defaults to uploading a large image which can take ages to upload. We implemented a canvas based solution which sends a base64 string representing a compressed image and reduced the upload file size by about 90%. We don't need high quality original images in the backend.

I may have missed a trick, this has been in place for a few years now but at the time I couldn't find a better solution.

Parent explained that the base64 encoding held compressed data.

Or it might not be strictly necessary, but Instagram does it anyway.

No, this is how most pre-upload image editors work. Why upload a 5MB avatar photo that's you're going to have the user crop and scale on the client-side to a few hundred KB first?

Using canvas for this is much more friendly to their bandwidth, no nefarious intent needed.

(I'm guessing it was too much implementation work to separate out this feature: to preserve normal, expected UI behavior client-side, while presenting a fake pagezoom value to scripts. That would degrade only a handful of (poorly-designed, script-layout) websites, rather than the whole accessible browser experience).

I really like the idea behind this feature, but it seems the Web API might have become too complex to counteract bad actors like this. It's particularly scary that it can correlate your activity in private mode with your identity in normal mode.

Maybe this is the case with some very complicated SPA type sites, but personally, I've never seen this.

_______________________

0. https://www.bleepingcomputer.com/news/security/researchers-u...

> For personal reasons, I do not browse the web from my computer. (I also have not net connection much of the time.) To look at page I send mail to a demon which runs wget and mails the page back to me. It is very efficient use of my time, but it is slow in real time.

It was in the early 2000, and smartphones weren't a thing. It also was a time where companies were paranoid into letting employees access the internet, but at the same time had abysmal security. By that I mean viruses ran free on shared folders, undetected because their antivirus software was years outdated. Very different times...

With a technique which you described, you could probably abuse a phone with this SIM as a "free" hot spot with infinite data.

[1] https://www.whatsappsim.de/

So it costs at least 83 cents per month. Still might be worth it compared to the insane mobile data charges here if you can get a usable bandwidth. I suspect in practice they will just ban you if you abuse it like that.

In the early 2000s I was working at an insurance company. They used some kind of blocker in their outgoing firewall that prevented access to certain sites. At one point the blocklist included sourceforge, which threw my team's work a wrench because at the time a lot of the packages we depended on were hosted there. It took a few days to get that removed from the blocklist.

This same insurance company shut down for multiple days when a virus, I think it was ILOVEYOU, infested their email system so bad that nobody could work, and everyone (except the poor IT folks) got a long weekend. And then a while later, it happened again, but with a different virus, possibly Nimda. The company was very bad about updating its systems, and even in 2003 most users were stuck on Win95.

I recall we had a crappy firewall that would collapse under the load of NAT for the 100ish employees and so executives got static IPs mapped to their machines. The late 90s and 00s were crazy.

In my Uni days, all our department's machines had public IPs; no NAT, no firewall(!)

So much simpler to able to telnet, FTP and/or remote desktop straight from home to the office :)

At least it taught me how to detect attempted hacks early because every machine had to be monitored for attacks.

I just looked and they still have a /16 (65k public addresses). This is for a school that has maybe 15k students, not all of them living on the campus. And I’m sure most of the computing takes place in the cloud now anyway.

I know there are a lot of places who were on the Net early besides the military that have excess address capacity.

More importantly, was he charged and convicted with anything?

I am getting really tired of this public opinion tribunal, where mere accusation is enough to get a person out of their position. This is not how this is supposed to work at all.

The only questionable thing he did was try to rationalise pedophilia, which he has since changed his mind about. Given that he's clearly _not all there in the head_ (i.e neurodiverse) and assuming he hasn't tried to access child pornography or similar I couldn't care less. All of the other accusations against him are nonsense[0] and all center around unsubstantiated rumors of him being a "creep." People being anti-Stallman is insane to me considering how much he has contributed and advocates for not only free software but also gender equality.

[0] https://stallmansupport.org/debunking-false-accusations-agai...

It's exactly this eggshell stepping that people are expected to adhere to that has people treating him the way they are.

https://www.youtube.com/watch?v=I25UeVXrEHQ&t=110s

The disingenuous nature of this all is why he's back in his foundations again.

[1] https://github.com/lwthiker/curl-impersonate

    wget --user-agent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" ...

I am continously baffled by how most people just accept media companies controlling the video player you are allowed to use and thereby the UX. Don't let them.

"Mail for you, sir!"

EDIT: Note that you can do BOTH - but one without the other is just a game of whack-a-mole.

Granted, the enforcement should be stepped up.

No, I was referring only to my own legislators (in the US, and not specifically California). Many other places in the world are doing better.

Websites don't need cookie consent dialogs if they only use cookies to do things that don't need to be consented to, like providing the service they are offering. Look at Apple's website, they don't have any.

My other argument is, if you detect DNT, the cookie consent dialog shouldn't be shown at all.

Example please

IMO the GDPR is good. But… it is poorly understood by many affected people . IMO if a law is poorly understood by the people it affects, then one should assume the law to be at fault, not the people. IMO it's good but I'm not happy.

4×IMO! Wow.

You are assuming that it has to be either of them who is at fault. In reality there are third-parties who have been spewing FUD in order to confuse people about the law.

The burden of proof is on the claimant, and with proper information control you can't ever meet that burden of proof. It becomes an ant versus a gorilla instead of David vs. Goliath.

Tell me, how do you differentiate a simple random alpha-numeric string from another random string that may have been generated as a fingerprint.

Mathematically do you think there's any way to actually prove one way or the other? If not, how would that bias the system if the person is adversarial and lies.

The only way to prevent this is to make sure the information is nonsensical.

Preventing collection would identify you in a way that they can prevent access. Even though websites are public, you see this happening with any captcha service.

Might be my European outlook, but consumer law has been stupidly effective at curbing abuses from companies here and was much more effective than playing the technology race USA is trying to fight. There's always a next side-step, the next abuse a company can invent - and you keep trying to push the responsibility of avoiding it to users (by adding more and more onerous technology) instead of punishing the abusers.

Ask yourself how long have those consumer laws been in effect. Has this technology problem progressed during that time (increased or decreased). Have the fines against the large tech companies actually been collected and were they sufficient to curb that behavior or are they still being administrated or adjudicated (decades later)? Have the large tech companies provided all of the information they collect for review (including the intermediates they generate from processing for derivation internally, in a way that discloses all the ways they use it), or did they only provide a plausible alternative, or just the base information collected without explanation. Do you have a way to prove its the former and not the latter?

I'm sure consumer law has been effective at eliminating the provable abuses domestically. If they were effective internationally, why would the problem be progressing to ever more complicated ways of ubiquitous tracking (which are against that law), or even domestically for those multinationals.

Its business as usual and these people know centralized power structures suffer structurally from corruption and malign influence, and as a market force they exploit that.

There's enough money in people's futures that no fine will actually solve the issue because fraud gets baked into the process. Privacy, communication, and agency are what largely compose people's future.

Due process from corporate sovereignty guarantees they can draw it out as long as they need to while continuing to make money off their actions, both increasing costs to regulatory (as a resource drain), and increasing revenue.

The real cost is borne on either the individual or on the public, and corporations have incentive to lie in ways that are difficult or impossible to prove. A lie of omission, is a lie.

In my opinion, for certain critical societal protections, its necessary to have a guilty by default, for 'people' whose only possible motive is profit incentive. The corporations or the firm are considered people in most locales, but they only adjust behavior based on profit or future profit (through monopoly).

Placing the burden of proof on the company to prove they are complying, instead of compliant with good faith protections by default, would eliminate most benefits they might receive from deceit, or lying through omission.

Am I correct?

Granted, I didn't go directly to the regulatory site because who can sit down and analyze multiple legalese documents that have thousands of pages with crossreferencing requirements.

- living in the UK, I barely ever receive spam calls or messages. I can be reasonably sure that companies don't sell my contacts to third parties, I can withdraw my consent to marketing communications and spam will stop, I did it multiple times. My American friends seem to have way more problems with that, to the extent of buying burner phones to buy insurance. Considering that the tech is exactly the same across the pond, the difference is entirely in the legislation and consumer protection.

- cars became much cleaner and more efficient over the last three decades thanks to the ever ratcheting Euro standards. I only need an old car passing by to be reminded of that, you can just smell the difference.

- my broadband connection has a minimum average speed guaranteed by law, which protects me from the line being oversubscribed. This actually works, and a friend of mine got a sizeable compensation for a period when they didn't get the full speed.

So consumer laws work, and saying that enforcement can't be done is a bit of a post-hoc rationalisation. It is true that GDPR can and should be enforced harsher, but it's just one example in a long and successful history of consumer protections.

As for cars, how do we know that's true. There was Dieselgate, but from what I've heard they only got them because of whistleblowers.

Many VOCs which these laws are designed to reduce are odorless. The ones are visible are larger particle size and generally less of an issue from an environmental perspective from most accounts.

Finally, you can see it numbers: https://www.asm-autos.co.uk/workspace/images/yearly-co2-emis...

There is no fundamental reason why all those changes had to happen, it wasn't the market driving them. It was the regulation.

How did the EU cookie laws and GDPR solved this problem? It's as widespread as before, except that now you are annoyed by prompts too.

We need better regulation to temper capitalism.

We need limits to prevent capitalism from doing its worst.

It's only fair that we all live and work with the same limits.

This is the type of regulation that is necessary.

FTFY?

The solution would be dedicated laws that hold the company at the top directly accountable for the actions of all sub-contractor layers, but these laws are rare and often hotly contested (e.g. with a German law mandating responsibility of the top-layer company for wage theft and other labor law violations [1]).

[1] https://www.ihk.de/regensburg/fachthemen/recht/arbeitsrecht/...

I use fingerprinting actively in enterprise apps as a form of silent 3FA. It's a useful backstop. If I have a user who forgot their password but retrieves it via email, I'll usually let them pass if their fingerprint matches one of their priors; otherwise my software shoots off an email to their immediate superior to make that manager validate that the machine the employee is using is one they can vouch for.

I've always viewed browser fingerprinting as something that can be leveraged as a security feature. It's far more useful for that than for some sort of distributed tracking. I'd never want to live in a world (ahem ... China) where submitting to such fingerprinting actively was mandatory, or politically punishable if you didn't. No society should be run like an employer/employee organization with that sort of lack of trust. No sane free person would allow their own browser to transmit a fingerprint. But for employer/employee systems management? It's a great tool in the box.

[edit] also, the less trivial it is, the better for corporate security.

     It doesn’t matter if you are using a VPN or Private Browsing mode, they can accurately identify you.


    Also note that VPNs does not help with fingerprinting. They only masks IP address.

My point was that fingerprinting is much more practical and useful as a positive form of identity verification than it is as a tracking device, as long as it isn't (and hopefully never will be) mandatory to lock into browsers.

And as for this

> using a VPN plus a fresh VM running Ubuntu can mostly do the trick. In a pinch, just keep a few different versions of various browsers around when you plan to surf a site that you don't want associated with you. Or change your screen resolution or turn off your fonts

How do you plan to do all that on your mobile device for example? Fingerpirinting is a problem exactly like invasive tracking is a problem.

Fingerprinting is inherently opaque. That's why it's such a good third level security measure. It's a lot harder to spoof and, if someone tries, a lot easier to isolate the attempt.

Cliche example/ I want to be able to buy a pregnancy test online but don’t want that information shared and re marketed to me. There is plenty of stuff like this. The impact of privacy violation is small and often boring but on aggregate corrosive to public discourse and individual wellbeing.

Fingerprinting is by definition a lot more imprecise and vague. It's always going to be an issue if surveillance networks use it to pick out individual users. Whining about that is useless. It's also a valuable security tool and part of the landscape. Do with it what you can.

That said, fingerprinting is only useful as a third security measure because most people don't understand its mechanics. The mechanics of avoiding being tracked are pretty basic. If our country required browsers or computers to transmit their fingerprint, people would find ways around it and it would stop being useful as a security metric.

Put another way, the moment this becomes a feature of an oppressive regime, it's one of the easiest things to work around. The obscurity is what makes it remain somewhat useful.

(2) The server gets sent your password every time you log in. You shouldn't rely on a server operator not knowing your password.

(3) You can tune how sensative the system is in response to changes in the fingerprint. Even if their in a failure to match that just means authentication will be extra strict.

(2) The server gets send the password via the default communication channel, the browser, TLS hopefully, not via e-mail, possibly into an inbox, that is third-party controlled (say some google mail inbox for example).

(3) That does not make it right. Did they even ask the users for their consent? Did they learn anything from GDPR or in general discussions about consent? Or are they just a higher being, allowed to decide for their users, what data about them they track?

Many things can be done using technology. The question is always: Should we do them? That is a question about ethics, not technological possibility. We already have far too many businesses not caring about ethics at all, we do not need any additional ones.

(2) That is how it usually works.

(3) You can collect the information for security purposes just fine under the GDPR.

Providing a better user experience while maintaining a similar amount of security is a net positive

(2) Are you missing the point? "That is how it usually works." -- So why then send a password to an e-mail inbox, like I said a location often controlled by third party and often one with no good record of respecting privacy, if you can completely avoid that?

(3) OK, seems like we did not learn about consent. Why don't you ask your users, whether they are OK with it first, instead of assuming and basing on what is legally possible? Is ethics something too far out of reach?

Lastly a word about what you call security: Your so called security is observed often enough to result in inaccessible accounts. "Extra strict" usually means something along the lines of "oh, now I am going to require your phone number, to send you a message on a second channel to make sure" or "solve these captchas for this untrustworthy third party provider and I will trust their word about you having solved it correctly" (again being tracked of course ...) or similar things. Again circumventing consent, because now it becomes an extortion, extracting more personal data, so that the user can access their account. Your so called security makes for a real shitty user experience and punishes the user for ever switchting their browser.

So what does your "extra strict" mode entail? How are you going to be "extra strict", without any extortion? Are you implementing your own captachas by any chance? Or something similar?

But I probably interpret too far here and it seems that in some industries e.g. secret agencies need to use unconventional methods.

Brave browser, no VPN, they recorded one visit, one IP.

Brave browser, no VPN, incognito, they recorded two visits, one IP.

Brave browser, with VPN, incognito, recorded three visits, two IPs.

I'm pretty impressed / surprised. A fresh incognito session, through a VPN, still matched the same fingerprint. Especially surprising since TFA indicates Brave randomizes the fingerprint. I even changed my fingerprint block setting to "strict, may break sites" and it's still recording the same visitor ID from Brave, even with incognito.

Based on this test I'm surprised Brave's fingerprint resister did not work for you. But on firefox the enhanced privacy protection (strict) and the resistfingerprinting option are two different knobs.

* https://addons.mozilla.org/de/firefox/addon/canvasblocker/

which prevents fingerprinting via Canvas elements, additionally warns you if a site does it. There are more sites out there than you would assume. Some stupid blogs even.

* https://addons.mozilla.org/en-US/firefox/addon/multi-account...

This splits your tabs into different categories, each with their own cookie storage.

The fingerprinting website in the article didn't manage to correlate me visiting the website concurrently from two distinct container tabs.

But that's merely because of the canvasblocker (or something else you have), because just separate containers doesn't cut it?