This isn't exactly browser fingerprinting (though it may involve browser fingerprinting.) But the biggest open question I have right now is: what is Meta doing to get around Apple's iOS privacy protections?
A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates were successful. But if this is true, nobody has much written about it.
It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.
Also, WhatsApp refuses to be usable without giving it Contacts access. I had to use the app, login to the web client, and then I was finally able to type a phone number to start a new chat.
I ended up uninstalling it, but there's plenty of people AND business that nowadays mainly or even only use WhatsApp that it's painful to be on the privacy-first side.
That's nice for the careless user, but without any system request or notification it's impossible for the user to tell whether the app used a workaround or the system just cooperated.
On iOS this is an OS facility and works for all apps (also for email codes if using apple mail on the iPhone)
For WhatsApp, WhatsApp business lets you easily start conversations just by entering any phone number. But yeah it’s still WhatsApp and meta, I personally avoid it as much as I can.
I share your woes regarding WhatsApp; my family overseas uses it, so I have to use it when visiting them, and I also had to do the weird workaround of creating a Whatsapp URL with the destination phone number, and then opening it in the browser, and then having it redirect me to the app.
Whose interests corporations act in is not arbitrary, it’s tied to how they make money.
Meta and Google make their money primarily from advertisers, Apple makes money from consumers buying iPhones. One of the upsides to paying for something is that the company is incentivized to keep you paying or get you to pay more.
Something I remind people who buy cheaper Android phones and then complain about ads - the OS development is being subsidized by those ads. From Google’s perspective, securing their revenue stream is the justification for Chrome and Android’s existence. It’s not a purely altruistic move to fund their open source development.
Charts of the revenue stream for some major tech companies:
I get the impression that Apple would rather have lower hardware manufacturing costs than ensure fair working conditions, as an example of harming people in the pursuit of profit. [1]
Perhaps that's not "bad enough" but I think the general sentiment that corporations value profits over harms to people (especially since they often try to distance themselves by offshoring, etc) applies to Apple as well.
Not really. Meta is kind of the most corrupt towards users of the big tech companies imho. All companies want to make a profit but Meta has very few scruples.
"But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see."
My "rugged" browser for regular browsing has plug-ins that randomize all this data.
I can see this as an argument for avoiding unusual properties, but how can they identify you using random properties? Even if it is just one user doing this how can they match the fingerprints?
Also, its unusual enough that its unlikely they will bother trying.
The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.
All of this is overkill anyway unless you actually think you’re up against a determined actor targeting you personally. If you are, they will bother trying.
> The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.
How do they know they are randomised rather than actual properties?
And if the site loads 100 iframes, it can figure out the distribution of values that your browser returns, which doesn’t change, and is likely to be close to unique until many people are using the same setup as you.
(Or it can just use properties of the extension like monkey-patched function toString() outputs to identify its users, which, again, narrows it down to a very small group.)
Yeah, you get the exact same results in two separate incognito sessions in stock Chrome. They don't immediately add your fingerprint to their database. (And that site isn't using the state of the art in fingerprinting - check https://fingerprint.com/ for a slightly better indicator.)
Yes, fingerprint.com realizes that I am the same visitor. But ONLY IF I access it from the same IP address. This is impressive, but in the end not so much. They claim VPN does not matter for them. It does. Probably one of the last things that makes my browser identifiable.
On stock Mac OS Safari (no plugins, no hardened config), I did what they asked and visited their site in incognito mode via a VPN. It gave me a different id, with a message gleefully announcing that "your ID is the same when you're in incognito mode!" It even showed me some supposed visit from a minute ago.
Hi, I work at Fingerprint. Our demo accuracy is actually much lower than in production. You're welcome to try it yourself for free: https://dashboard.fingerprint.com/signup
Not all sites will work with it. For banking and plan ticket booking, I always recommend a separate, but major (e.g. Chrome) browser without any plug-ins.
Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting. All this does is get you banned/flagged by security vendors, on top of sticking out like a sore thumb.
>Canvas Blocker
>Font Fingerprint Defender
Also easy to easy to detect because randomized values will put you in the bucket of "uses privacy extension" users, which is probably a smaller bucket than whatever hardware profile you're on (eg. macbook pro m3 14").
>>Random User-Agent Switcher
>Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting.
JS is blocked by default on my browser.
>Canvas Blocker
>Font Fingerprint Defender
> Also easy to easy to detect because randomized values will put you in the bucket of "uses privacy extension"
Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.
The major browsers can still be differentiated via default headers and TLS fingerprints, none of which requires js. Moreover if they're inconsistent you'd get flagged with "spoofs user agent", which makes you more identifiable than something like "firefox on mac".
>Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.
Because a given canvas/font metrics value should return the same result given the same graphics hardware/font set. If you randomize the results it basically guarantees that your fingerprint has never been seen before. This might seem like a good thing (because you're randomized every time), but any competent fingerprinting implementation is just going to flag you as "spoofs canvas/font information". The point isn't necessarily to identify you as any particular user, it's to use the fact you're spoofing canvas/font/user-agent to fingerprint you further.
IP addresses are quite static. Most phones and laptops come "home" once a day and get attached to the home IP. Do it for long enough and you can household all the other IP v6s, MACs etc. that are untethered.
MAC addresses don't leave the local network, so it's not relevant to web tracking. Moreover it's randomized by default on ios/android so the tracking potential is limited.
>what is Meta doing to get around Apple's iOS privacy protections?
A strong relationship to Apple and cross-value marketing.
Surely these rules only apply to middle sized and smaller companies. We've seen Apple get caught bending the rules for big players, even if they don't admit it.
> what is Meta doing to get around Apple's iOS privacy protections?
Money always finds a way. Everyone thought the changes made a few years ago would hurt Meta but they make $70 billion net profit. At a minimum, they only need a good relationship with advertisers, and a (sort of measurable) increase from a campaign. Also ads are different now. One address may see the same five seconds of an ad hundreds of times. That is a much easier ecosystem to correlate targets through data enrichment.
Let’s pretend that the Apple restriction is 100% effective- how much impact would you expect to Meta’s bottom line? Sure, Meta would love to know every spicy detail of your life, but just following in app activity probably reveals more than enough to sway advertisers.
Meta hoovers up every detail because they can. Knowing that user #7227724 spends 23 minutes a day in Spotify might make the ad targeting 0.4% more accurate, but does not seem like the lynchpin for the entire business.
Not on iOS, as I understand it. If you "Ask app not to track" on iOS then the app cannot access your IDFA, which was the ID that previously was used to track a device across apps.
The consequences for lying about revenue as a public company are many orders of magnitude worse than lying about compliance with some private contract or TOS.
Good luck arguing "defrauding the entire investment market to the tune of potentially billions of dollars and submitting fraudulent 10K form(s) under penalty of perjury" is not on its face worse than violating a private company's terms of service.
There's a company, currently called Tie (meettie.com), formerly known as Revenue Roll, who promises to "de-anonymize your highest value web traffic", which in practice means that they give you an email address for retargeting, for a user who visited your site without ever explicitly providing any identifying info.
The old site had a blog post [0] where they explicitly said they were using fingerprinting, and even called it "privacy-compliant".
I'm sure they're not unique in the service they provide, but that was the first time I'd seen someone brag about browser fingerprinting.
It's pretty hilarious legalese and tells you nothing about what it even achieves. Maybe makes you a Very Important Marketing Target.
One thing that struck me was the 'Under penalty of perjury, I declare all the above information to be true and accurate'. Shame they seem to require validating request by email. It'd be fun to take a PII breach and throw all the emails you find at 'em.
Their opt-in doesn't work - go to a few of their customer sites (listed in their blog/success stories) and they make a lot of calls to revenueroll IPs without asking. Some of those call contain PII responses too. Trying to contact them, but they've been brushing me off
If you find the right API endpoint, you can spoof the `Forwarded` header to get different results. Big PII leak IMO but they seem to think it's intended behavior?
I'm considering it a good thing at this point that I'm getting captcha-walled with increasing frequency. It means that my setup and behavior looks more like the billions of anonymous bots flooding the web rather than a lucrative mark.
Same, but to access so many websites now, you have to turn on JS (i.e. turn on fingerprinting). Even for sites where this isn't on purpose, it's true because they're behind Cloudflare.
Firefox, VPN, UBlock Origin, Privacy Badger, and UMatrix plugin to block cookies and javascript by default. (You can easily whitelist first and/or third-party cookies and/or JS on sites of your choice.)
Actually, usually librewolf instead of firefox, but not a big difference I suspect.
When I test with Librewolf (anti-fingerprinting enabled) and uBlock Origin as only addon installed, it manages to retain my fingerprint across sessions. Perhaps it's my static IP.
It also might be (as it proved in my case) that your address block (including the whole neighborhood from an ISP perspective) includes a compromised device. I discovered one of my neighbors has a compromised device that's sending a couple million spam emails per month, and it tainted the reputation of the entire network address block.
Well it happens on both my laptop and my phone, both of which are firefox with a lot of the fingerprinting stuff like useragent knocked out, as well as adblock, etc.
Browser fingerprinting is one of those things that should be outright illegal - it is far more of a threat than tracking cookies ever were. But it hasn't permeated the public consciousness like cookies have, so regulators seem to ignore it.
This is a technical problem, not a legal one. The solution is for browsers to provide users with the ability to limit the information being sent. There's no need for the vast majority of websites to know my OS, number of CPUs, screen or window size, or most of the other fingerprinting metrics.
I think it's both. It wasn't a problem when browsers were simple content display engines, but now that they are full VMs for application software, they need some of that capability just to function. FWIW, I think this was a mistake, but the genie is out of the bottle.
I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.
I'm loathe to suggest it, but perhaps LLM's could help here? Once local LLMs are a couple orders of magnitude better and resource efficient, a user agent LLM could decide what features are actually needed for each page.
Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.
Not to mention the big players on the users’ team in the technical arms race (google, ms, apple) are also advertising companies.
By all means let’s solve it from the technical side - but also lets regulate privacy so everyone gets it not just people paranoid/technical enough to use the latest/best privacy respecting tools.
> Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.
“If done right” is doing a lot of work in that sentence.
The way hypothetical regulation is spoken of in abstract terms where it’s perfect, solves everything, and everyone complies perfectly is at odds with how regulation works in the real world.
I agree entirely, but I think that’s a problem because gov is captured by corporate interests / neoliberal ideas.
They try to balance keeping corporate donors happy with keeping people happy, and create regulations that are toothless empty gestures that only serve as employment opportunities for lawyers and consultants.
So yes, “if done right” is doing a lot of work. But i refuse to cede gov to the corps and retreat to anarcho-capitalist ideas like “this is a technical problem”. We attack on all fronts - regulation and technological solutions.
It can't be made entirely illegal so IMO a better way would be to remove or restrict the APIs that fingerprinting scripts abuse. Make browsers hypertext viewers again!
Why can't it be made illegal? And from the article, a very succinct explanation as to why browsers will never be fingerprint-resilient:
> Chromium (Chrome) is built by Google, an advertisement company which tracks its users for showing relevant ads. So naturally it doesn’t have any inbuilt protection against fingerprinting.
Even if they make it illegal, it won't stop bad actors especially from foreign countries to abuse stuff like this. It's better to build better systems that fix this issue instead of relying on government laws.
You could compare it to the concept of security by obscurity which is obviously bad.
It should be illegal, but we also need technical prevention of it, because the internet is global and goes through too many jurisdictions to really regulate.
Plus, fingerprinting tech would get developed for criminal organizations or intelligence agencies anyway.
there are some more or less legit causes for fingerprinting.
like bot protection or to identifying scammers that just create another account when previous is banned.
The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.
In fact, doing so will often times end up bringing donations from relevant industries directly to your opponent.
Now, this system of perverse incentive and legal bribery should be fixed at the constitutional level but thats a gigantic can of worms.
In the current system there are two methods that can circumvent the issue. The first is one deployed by the likes of Elizabeth Warren; run your campaign on a broad array of "fighting for your constituents" and don't get specific until you see already elected and drafting a bill.
The second path is underutilized and should be done more: lie out your ass to the moneyed interests. Take their money, make them promises, eat at their fancy dinners, befriend them, laugh at their awful jokes. Then just fucking dunk on them in the legislature, as quietly as possible. Make a big show of being forced to, keep the charade going as long as possible.
The inverse of this has been done a lot recently, with Sinema, with Fetterman. But the good version is quite rare, and a good opportunity to make our country a better place.
Key notes: tough to do in bigger positions because they're rarely the first public office seats people hold, so track records build. Tough to do in many districts because voters can be rubes who actively agree with the corporations stomping on their nards. Tough to do if you make too large of a profile(not really a concern).
> The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.
Proof of Domain Expertise: Name the famous presidential campaign which focused directly on combating "this system of perverse incentive and legal bribery" as its core campaign message.
Since fingerprinting is mostly client side, it should be detectable. If you serve a web page with a fingerprinting script, that should be an automatic big fine.
Sites would then avoid running purpose-built fingerprint scripts and collect fingerprint metrics as a side-effect of necessary activities. Lots of sites need to know window/screen size, DPI, installed fonts, timezone/locale, etc. as a matter of being able to function properly. It would be impossible to know whether a site is also using this information to fingerprint users.
The unsolvable problem is that modern websites are not simply documents but rather full-blown software with web browsers their runtime environments, and you simply cannot enable that amount of power without also enabling the power to fingerprint that runtime environment and thus fingerprint the user.
Which is a very intentional (and successful) marketing ploy by companies to get users to not care about them. It sounds like a boring technical thing instead of "we need your permission to let massive advertising networks track you around the internet" (consent isn't needed for site functionality; you can use cookies and never mention it if you don't use them for tracking).
Unfortunately this is a challenge with regulation; companies find a way to break the spirit of it as much as possible while following the letter. It's better that companies need consent to track us than not, but consent managers are dark patterns designed to deeply annoy us at the prospect of saying no.
Yes, almost certainly so. You did not consent, they have no legitimate interest to track you, and you were never informed about the what and why in plain language.
The GDPR isn’t the complex legislation monster people make it out to be, but for the most part common sense about handling sensitive data.
The Internet is a war zone: demanding made up rules for behavior online is as ineffectual as pleading for peace with the enemy during battle. Strap on a helmet if you're shell-shocked.
It's isn't the default because the countermeasures cause a lot of side-effects. If it were on by default, new users would probably think the browser is broken or buggy.
Here's what the settings do and what sort of side-effects you might experience:
- Timezone is set to UTC which means any web calendar input becomes confusing at best
- Canvases turn into random stripes, which leaves artefacts all over many websites
- Some websites outright block you as bots (twitch does this)
- Some web APIs break, which can be a pain if you're web apps that rely on them
You can add websites to a whitelist to avoid the downsides on some sites (privacy.resistFingerprinting.exemptedDomains) but it's a pain to do that for every website.
other downsides, cloudflare, PayPal and all kinds of finance related sites will assign high threat level for you and you will make your life miserable for causes ranging from captcha through rejecting your purchases to even blocking you access.
and the worst part is that this didn't changed the fingerprint generated by mentioned here site just increases suspect level to 9
I haven't encountered too many problems with Cloudflare yet. Having a dedicated (rather than CGNAT), non-rotating IPv4 address and IPv6 subnet to access the internet probably helps.
resistFingerprinting does seem to work against fingerprint.com in my experiments after clearing its website data and a browser restart.
In my case it stayed the same, but I tested it on android Firefox, maybe it works better on desktop, but I do not have access to it right now to verify
You probably need to quit/force close and reopen. At the very least it randomizes your canvas results and timezone, which should mess with most fingerprinting sites.
It's actually part of the privacy preferences in the normal settings, and they supply this warning
> This setting may cause some websites to not display content or work correctly. If a site seems broken, you may want to turn off tracking protection for that site to load all content.
Some sites use light fingerprinting to provide features
Some websites prefilled username to allow quicker re-login - this kind of features. Worst case scenario, you will get a first-time visit experience all over again
That one at least is easy to fix, since firefox shows a little icon in url bar if it is blocking canvas data, and the remote site asked for it. You just click on it to whitelist that site.
I've had more issues personally with resist fingerprinting making major sites completely unusable (drupal.com, walmart.com..)
So, one thing I don't quite get about fingerprinting:
> For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details
If, for example, I upgrade my web browser in two weeks (i.e. I get a new version number), doesn't that mean that the site has lost me?
Sites like https://coveryourtracks.eff.org seem to focus on how unique your fingerprint is, but doesn't it also matter how stable it is over time?
But how many features then remain? For example, I've seen people discuss font size, version numbers, viewport size, etc. Do the remaining features still make a unique identifier?
In most cases yes. If you upgrade your browser, the only thing that changes is the user agent data. The underlying device remains the same and it is this that leaks a lot of fingerprinting attributes (screen, gfx card, fonts, timezone, language, operating system, battery status, audio setup, bluetooth, installed video codecs, TCP data, IP address if static etc.).
It depends if they hash the data points or send them unprocessed. If they're unprocessed, they can associate two fingerprints where only the browser has changed.
Safari will assign you a random ip address on a per tab basis if private relay is on. With chrome there is zero plausible deniability as to who you are. You are who you are today, yesterday, and a year before, in every tab, window, incognito or not.
This comes with some downside because to protect privacy Safari blocks some useful APIs. For example, you can't tell if the user is running Apple silicon or Intel. That means you have to ask them whether they want the Intel or Apple silicon version of a download. This is a non-trivial question for a lot of Mac users. And, sure, you can always publish through the App store but that comes with its own drawbacks.
There are a whole lot of downsides to that approach. Most applications don't do it, although perhaps it does make sense for the general audience like mine. Fortunately, however, a lot of Macs are using Chrome or Firefox that expose this info.
It’s also worth noting that nobody’s going to be shipping Intel binaries in a short 2-5 years so this problem will just go away on its own.
The user base won’t even be there anymore.
This is not just because people will be retiring old Intel systems, it’s also because Apple’s marketshare exploded when the M1 chip came out, so a very large portion of the userbase never owned an Intel Mac.
A price I’ll gladly pay in favor of increased privacy, and I haven’t heard of too many people stumped by the question. In the worst case, you can just try it out.
The browser version will have some variance because releases are rolled out to clients over time, and users don't restart their browser immediately. I don't know all the signals FingerprintJS use but they obviously depend significantly on the user agent string (which has the precise version) seen by how the author could spoof it with Tor's UA randomizer.
BTW, the article is incorrect that Chrome doesn't allow for user agent modification or other fingerprint resistance; you can: https://developer.chrome.com/docs/devtools/device-mode/overr... and there are extensions for more convenience. The article is also incorrect about third party cookie leakage from ads but it was possible to sniff the session ID in some cases, back a decade ago before everything went cookieless and dropped session identifiers from the protocol entirely. However, it is possible for advertisers to parameterize their campaigns and analytics to such a detail that they can link demographics to their internal user IDs, though it's against policy it is easy to go unnoticed. And things like location exfiltration in too many Android apps, I'm not trying to give Google a complete pass on privacy but it's clear the author made some assumptions based on bias.
Back to your question, though, there are other things you can use as part of the fingerprint. The fonts that are installed are a proxy for which applications have been installed. The artifacts at the edge of text rendered onto a canvas can indicate which graphics chip and drivers are installed, sometimes with differences even within the same GPU model and driver version. Touch tracking can tell whether you swipe with your left hand or your right hand. Timing signals can indicate CPU specs and even hint at whether you're in a VM or behind a VPN, etc. There are more, accessible from JS in most cases, and really most of it is more reliable than what's in the user agent string.
It depends exactly what they do and what you're trying to prevent. If Brave shows you ads but does it without tracking you, then that might be better than them not showing ads and letting you be tracked. So the question is: Are they tracking you?
I just turn off all the news, ads, crypto wallet, etc. stuff in Brave and it honestly feels just like Chrome but with really good ad-blocking. I'm just a little disappointed to see that it isn't as good at blocking fingerprinting as they claim to be.
Tested with Brave on my phone using fingerprint.com. Visited the website, took note of the ID, closed the tab, cleared browsing data, and opened the website again. The ID remained the same.
This is on Android, so Brave is using their own browser engine, so I don't think things will be different on desktop.
Adding the other side; we use ja3/ja4 * for rate limiting and it works a treat, especially when we set our rate limits to much higher than normal traffic.
I've pushed back any attempts for any kind of tracking for business purposes (e.g. fancy charts).
* ja3 seems to be slightly better, ja4 sometimes groups too many "people".
I have just tried this with a fresh Firefox and `privacy.resistFingerprinting` set to True, still this site detects me, and coveryourtracks.eff.org tells me "Your browser has a unique fingerprint". Speak, I can not reproduce the results of this article. Can you?
Edit: Have also set all other `fingerprinting` bools to False. uBlock, uMatrix, Privacy Badger installed.
Under Settings → Privacy and security: Enhanced Tracking Protection = strict. Tell websites not to sell or share my data. Delete cookies and site data when Firefox is closed. Enable HTTPS-Only Mode in all windows. Enable DNS over HTTPS using: Max Protection – I still can be detected.
Edit 2: Just tried with Brave, strictest settings. No effect, I am detected.
Bigger question: why isn't Firefox and Tor Browser modifying the JavaScript reporting calls to lie?
All machines would have 16 cores and 32GB ram, running windows 10, and 1 point-touch or mouse. And the resolution would also be fixed as reporting, and only on client would change.
The user-agent should be acting on our behalf. So, why isn't it (Firefox, TBB) utterly lying and acting in our interest? We know why Chrome wouldn't.
Tor also gave up this web fingerprinting fight without even really trying. Editing the JavaScript calls to consistently lie the same way was "too hard". https://m.youtube.com/watch?v=3wlNemFwbwE
It's really "cool" when you get vendors like 6sense that combine browser fingerprinting with semi-licit data brokers to do full deanonymization of visitor traffic. Why bother doing marketing when you can just get a report of the name, email address, mailing address, and creditworthiness of every person who's visited your website?
I've seen people argue with a straight face that these tools and their reports don't run afoul of GDPR/CCPA because they don't involve information that a user gave you on purpose, so it's not protected. Ghouls, all of them.
People who are recommending Tor/torBrowser the last versions are enabling system spoofing which helps to fingerprints you. Also Javascript can just help to fingerprint you easily even if the browser doesn't
Yes. As a site owner who keep fighting with bots and malicious traffic, I wish web browsers provide me a way to identify real users from bot traffic. Otherwise I'll have to put everything behind account registration.
I turned on resistfingerprinting and started getting sites in light mode. The horror!
This doesn't look to be among the available toggles, and I hope that changes. I realize the light/dark setting is a data point for fingerprinting, but it's also something I have a genuine strong preference about.
Brave has built in fingerprinting protection (https://github.com/brave/brave-browser/wiki/Fingerprinting-P...), that's enabled by default. It seems like it's less aggressive than firefox's though (since firefox's fingerprint protection is disabled by default because it breaks things), and it doesn't seem to be able to block this companies fingerprinting tech. I got the same ID in a regular window and private browsing window.
The brave shields setting section also has an option for blocking scripts, which may work. It prevents the demo from being able to show an identifier for the user at all, but I'm not sure if it's preventing identification or just preventing the displaying of the identification.
I tried that site with Brave and it detected me. I was not able to escape fingerprinting with Brave, Firefox, Chrome, hardest settings. Only Tor works :-(
I cleared my cookies, went to private mode (on Edge) and fingerprint.com knew it was me. Now I wonder how much was a good guess from IP address and things that are other than browser-supplied information.
Those obnoxious "cookie" dialogs? Yes, they cover fingerprinting as well. E.g. some innocent company wants to keep your precise geolocation data for 12 years: https://x.com/dmitriid/status/1817122117093056541
Cookie banners were never about cookies or privacy. The industry designed them with some very explicit goals in mind: to force users to opt-in to pervasive tracking, and to blame "how unusable web has become" on GDPR
The law has been around for almost 10 years now. If browser vendors wanted, they could have come up with such a switch themselves.
Guess which company is coincidentally is the world's largest advertiser, largest ad broker, largest data tracker and owns world's most popular browser?
This falls into the same problem as the DNT header, while being a good technology it will be used by so few people that is might very well increase fingerprinting capabilities in some ways.
How would you ever find out/enforce this though? With cookies, you can examine the local cookie storage but with fingerprinting everything happens server-side (as I understand).
programmers really have a hard time understanding the law, how does any violation of the law ever get found out, or any law enforced? Generally someone says hey this company is doing X, and then the government gets a warrant to say let us look through your stuff to find out if you are doing X.
As a normal rule most companies work something like:
"excuse me, we have reports you are doing X"
"Not exactly, this is what we are doing - we call it X1, which is why we are totally ok under the rules governing X. Our legal dept. can totally explain"
Court case instantiates.
If the company is doing something that they will actually say "no we are doing nothing of the sort!" then it is likely someone in the company will at some time say "hey they are really doing X" and then the warrant thing I discussed first happens.
At any rate finding out enforcing things can happen without perfect technical access to everything, that's how justice systems have managed to work for centuries.
The fingerprint collection happens mostly using client-side JS (a bit of server side with HTTP headers, but the really high entropy stuff is client side).
Conceivably you could develop some sort of heuristic that detects when a script is simultaneously poking at a whole bunch of APIs associated with common fingerprinting techniques (canvas capabilities, WebGL, screen size, installed fonts, etc) and then kill it. But it is certainly much harder than blocking cookies.
sure but anyway the data collection is not that important, it is actually the data storage and data deletion parts that are going to make or break a GDPR case.
on edit: better clarify, I mean if you are fingerprinting, but not storing in such a way that you can actually identify someone (although not sure why you would use fingerprinting then) then I don't think there is a case.
This really saddens me. The fingerprinting even works when using Mullvad browser with VPN. I am so tired of this new internet, I hope someone is working on figuring out an alternative to this type of fingerprinting. I understand it is a cat and mouse game, but whatever, this is absolutely shitty.
I was wondering why can't browsers just fake the hardware (assuming that is what it is using to recognize)? I understand sometimes these javascripts run some type of algorithm to detect how fast it was processed to fingerprint, but even those could potentially be faked by the browser. Is anyone working on such stuff?
Every now and then, news like this pops up and sparks some discussion.
But in reality, I believe any internet-based business—every single app to some extent—tracks users in this way.
It’s just the nature of the internet.
Tor Browser is the only last remaining bastion for a semblance of privacy online, both through the network and hardened Firefox. Any other attempts, through VPN or otherwise, are frankly futile and only increase attack surface.
A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates were successful. But if this is true, nobody has much written about it.