- cross-posted to:
- privacy@lemmy.world
So I thought this is never going to fly under GDPR. Then the article goes on to say:
Many privacy laws, including the EU’s GDPR and California’s CCPA, require user consent for tracking. However, because fingerprinting works without explicit storage of user data on a device, companies may argue that existing laws do not apply which creates a legal gray area that benefits advertisers over consumers.
Oh come on Google, seriously? I remember a time when Google were the good guys, can’t believe how they’ve changed…
That time was like 20 years ago, dude
Oh absolutely. At this point I’m not surprised anymore that they turned to shit, it’s more like I think they’ve hit rock bottom already but they manage to surprise me with new ways to dig their hole even deeper.
It’s still sad to see the development. We’re allowed to mourn things that happened long ago, you know.
Google were maybe seen as the good guys back in the days of Yahoo search, and perhaps the very early days of Android.
But those times are so long passed. Google has been a tax-avoiding, anti-consumer rights, search-rigging, anti-privacy behemoth for decades now, and they only get worse with each passing year.
for decades now
You should drop that S. The company has only existed for a little over 2 decades and Android hasn’t been around for much more than 1. Yes they’ve become an evil fucking corporation but let’s not exaggerate for how long.
I’ve been using Google since 1998, and everyone loved them because their search indexed sites quicker than others and the search results were more useful than the competition at the time like Yahoo and Altavista and AskJeeves. They started turning nasty as soon as they gained steam & commercial success with AdWords… around 2003-2004. So no, while they get worse each year they haven’t been ‘the good guys’ for decades.
You’re mad cause they started putting ads into your search results? Like that was always going to happen. Having ads doesn’t make them evil. The shit they’re doing right now, and have been doing for the last half a dozen years or so, that makes them evil.
In other words, they went public and must now maximize gains for shareholders.
Would it be possible for a browser or extension to just provide false metadata in order to subvert this type of fingerprinting?
No. Anything that executes Javascript will be fingerprinted.
That being said, it depends who you are fighting. For common commercial tools like Cloudflare fingerprinter it might work to some extent but if you want to safeguard against more sophisticated fingerprinting then TOR and no JS is the only way to combat this.
The issue is that browsers are so incredibly complex that it’s impossible to patch everything and you’ll just end up getting infinite captchas and break your browsing experience.
So from what I understand, there’s 2 common ways that browsers combat this. Someone add to or correct me if I’m wrong.
- Browsers such as Mull combat this by looking the same as every other browser. If you all look the same, it’s hard to tell you apart.
- Browsers such as Brave randomize metadata that fingerprinting collects so that it’s more difficult to piece it all together and build a trend/profile on someone.
EDIT: got distracted. To answer your question I don’t think so. I think it’s more about user behavior blending in or being randomized. I think the only thing an extension would be able to do is possibly randomize the data but I’m unsure of such an extension yet. These aren’t the only options, these are just ones I’ve read about recently. Online behavior, browser window size, and I’m sure so much more also goes into it. But every little bit helps and is better than nothing.
Mull is discontinued unfortunately, although I think it got forked?
For mobile, yes, development stopped.
However, Mullvad (from the actual VPN folk) for desktop still exists.
Mullvad browser and Mull were not affiliated.
That’s why I said (from the actual vpn folk)
The two were often conflated because “mull” in the name. They also used many of the same resources for the prefs.js and other tweaks. (Arkenfox, tor uplift, etc)
Fennec is similar and is maintained
There is a fork of mull too
I went back to Fennec. We’ll see if a fork survives long term.
I just want Firefox on F-Droid, and Fennec has been that for years. I only switched because I got a new phone and figured I’d try Mull.
Yeah maybe Tor Browser was the better example. Just trying to get the point out lol.
Yep. Its fork is called ironfox
The first point is flawed and even TOR doesn’t execute javascript because it’s impossible to catch everything when you give the server full code running capabilities.
The second point is more plausible but there’s an incredible amount of work to do to fix this. Like, needing to rework browser engines from ground up and removing all of the legacy cruft. Brave is not capable of this and never will be no matter what they advertise because it doesn’t have its own engine.
That being said, these tools will get you quite far against commercial fingerprint products especially ones used for Ads but that will also ruin your browser experience as now you’re just solving captchas everywhere 🫠
- Yes but that metadata is also used to serve you the webpage, so if you spoof it, the page may not load properly.
Yes. There is a firefox extension called Chameleon that does this.
Others have mentioned what Firefox/etc do, but another option is a PiHole. If you can’t look up the IP for an advertiser URL, you don’t load the JavaScript to begin with.
Just in time for their prophet, Curtis Yarvin, to be pushing a full-scale surveillance state!
Googlers aren’t on our side. They want to rule. They think being a fucking admin on a server makes them cut out to run society.
They want to tear down democracy and basically replace it with administrator rules and access control lists.
Googlers aren’t on our side
They never were, our interests just aligned while they were growing market share. They have that now, so there’s no more reason to stay aligned.
Corporations aren’t your friend, but they can be momentary allies. People should’ve bailed once IE was dethroned, but here we are…
I wonder how safe is Apple ecosystem from this.
Lol
I don’t bother. I know they know everything about me already, and that I’m not an important person. As such, I wonder why it matters.
Username checks out.
Behaviour is tracked in order to be influenced.
The only thing that matters in government politics is public opinion.
This article actually shares what changed, as opposed to just asserting that there was a change.
We need Richard Hendricks and his new internet asap
What’s this about? Fill me in? 🙏
He was the main character on Silicon Valley
Google can’t fingerprint you very well if you block all scripts from Google.
This breaks all kinds of stuff though. A ton of sites use Google for captchas.
I just don’t use any sites like that. If a site is using something other than Turnstile from Cloudflare, then I refuse to use it. I haven’t really experienced any inconvenience myself with this policy, but obviously I don’t depend on any sites that require recaptcha.
But you can allow/block any elements per site, or globally, which makes it trivial to block all unwanted scripts except on specific sites. So there is nothing preventing you from only exposing yourself to Google on the few sites you use that need those scripts.
Considering how few people block all scripts, this could also make it trivial for them to fingerprint you.
plus Random User Agent.
Random User Agent.
I love this.
I’ve checked, it’s true. Linux plus Firefox already puts you in the 2 percent category.
Anyone who uses uBlock blocks Google scripts.
uBlock Origin + PiHole FTW.
@misk I think your federation software is broken. In Mastodon, the urls in your posts just lead back to themselves every time, not out to an external article.
Sir, this is a Lemmy’s.
It’s all Fediverse. You can follow things on lemmy on mastodon and vice versa and so on.
I’m aware but the degree of compatibility differs. Lemmy to Mastodon is pretty smooth but subOP is using some different microblogging platform it seems.
I loled
@mighty_orbot @misk I’m using Friendica. From here, the links are normal. As it’s also not Lemmy, I guess it’s a Mastodon-specific (or even instance-specific) problem.
I’m not sure if you’ll get this reply @mighty_orbot@retro.pizza, but here’s the link visible from Lemmy itself: https://tuta.com/blog/digital-fingerprinting-worse-than-cookies.
Your method of accessing this Lemmy community seems not to be working on your side somehow. You might try a different app - I’ve never used Mastodon so I don’t know what might work.
@OpenStars That was my point. I can open the post on its own server and see it as intended. But the federation part of the Lemmy (?) software is clearly not generating the right data.
@mighty_orbot@retro.pizza
What I mean is, the link in a Lemmy community when viewed from a Lemmy instance works just fine. So it’s not broken at that level.
I can’t speak to how it comes across to Mastodon, or your particular method of access to that, as you showed in your screenshot. In general, instances running the Mbin software seem to work better to access both Lemmy and Mastodon, but overall communication between Mastodon and Lemmy seems not perfect, as you said.
@mighty_orbot@retro.pizza @misk@sopuli.xyz same thing happens for me, i use sharkey on my instance (misskey fork) and i have to go to that linked post and click the link there to access it
So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.
The fewer of your competitors who have the data the more valuable that data is.
It was never about privacy, it was supposedly about security, which there is some evidence for. There were a lot of malicious extensions. The sensible thing to do would be to crack down on malicious extensions but I guess that costs too much money and this method also conveniently partially breaks adblockers.
It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?
This is called Tor
No it isn’t.
And this is really important. If you go on Google tracked websites without tor, Google will still know it’s you when you use tor, even if you’ve cleared all your cookies.
Tor means people don’t know your IP address. It doesn’t protect against other channels of privacy attack.
Yes, it is… Tor prevents against fingerprinting as well. It isn’t just relay plumbing to protect your IP… This can easily be tested on any fingerprinting site with default config of Tor demonstrating a low entropy https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/
No, it is not. Tor Browser != Tor. Get your shit right or be pwned.
It’s been a long while since I looked, but I remember it being a thing in tails to specifically not resize your browser window or only have it full screen to match a ton of other fingerprints.
Plus since it was a live distro that reset on every reboot it would only have the same fonts and other data as other people using tails. Honestly, I hate that all that info is even available to browsers and web sites at all.
Letterboxing has significantly reduced threat presented by window sizing. https://support.torproject.org/glossary/letterboxing/
I don’t quite understand – does this feature let you resize the window again to the size you want, and you are still sharing the same fingerprint with everyone else? Or do you still have to keep the browser window the default size to minimize your unique fingerprint?
It rounds the browser window to the nearest 100x100 window size. Using the default will likely be the biggest dataset to hide yourself in, but maximizing the window will still have some amount of obfuscation.
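The bucketing described in the comment above, as an added example that is not part of the thread and not Tor Browser's own code. It assumes a simplified model in which each dimension of the content area is rounded down to a multiple of 100 px (real browsers use size-dependent steps); the function names and the window sizes are constructed for illustration.

```javascript
// Simplified letterboxing model (assumption): the page is told a content size
// rounded DOWN to a multiple of STEP; the remainder becomes blank margin.
const STEP = 100; // bucket size taken from the comment above

function letterbox(width, height, step = STEP) {
  // Windows smaller than one step are reported as-is in this model.
  const round = (v) => (v < step ? v : Math.floor(v / step) * step);
  const w = round(width);
  const h = round(height);
  return { width: w, height: h, marginX: width - w, marginY: height - h };
}

// What a page sees without letterboxing: the exact inner size.
function rawSize(width, height) {
  return { width, height, marginX: 0, marginY: 0 };
}

// Shannon entropy (bits) of the reported size across a population of users.
// Fewer buckets and lower entropy mean a larger crowd to hide in.
function sizeEntropy(sizes, report) {
  const counts = new Map();
  for (const [w, h] of sizes) {
    const r = report(w, h);
    const key = `${r.width}x${r.height}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / sizes.length;
    bits -= p * Math.log2(p);
  }
  return { buckets: counts.size, bits };
}

// Constructed sample: eight users who resized their windows by hand.
const SAMPLE_WINDOWS = [
  [1280, 720], [1283, 724], [1291, 755], [1366, 768],
  [1350, 741], [1399, 700], [1920, 1080], [1907, 1003],
];

const before = sizeEntropy(SAMPLE_WINDOWS, rawSize);
const after = sizeEntropy(SAMPLE_WINDOWS, letterbox);
console.log(`raw:         ${before.buckets} buckets, ${before.bits.toFixed(2)} bits`);
console.log(`letterboxed: ${after.buckets} buckets, ${after.bits.toFixed(2)} bits`);
```

In this sample every raw window size is unique, while the letterboxed sizes collapse into three shared buckets, so the window size alone no longer singles out any of the eight users.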
Tor browser is not Tor.
This is Tor https://en.m.wikipedia.org/wiki/Tor_(network)
Tor browser is an additional piece of software built on top of it. Using the network (what everyone else means when they say tor) is unfortunately not enough to prevent fingerprinting.
Good point, that difference does matter. I guess other browsers like Brave use the Tor Network, and it would be misleading to suggest Brave has good anti-fingerprinting.
What kind of fingerprint avoidance are you suggesting then that the Tor browser cannot do that makes a difference?
If you enable JavaScript, you open Pandora’s box to fingerprinting (e.g. tracking mouse movements, certain hardware details, etc). If you don’t, half (or more) of the internet is unusable.
Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.
You could maybe spoof all these things, but some websites may stop behaving correctly.
I get that some things like screen resolution and basic stuff are needed, however most websites don’t need to know how much RAM I have, or which CPU I use and so on. I would wish for an opt-in on these topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much RAM is available, however for most other things it is not.
Unfortunately the bare minimum is in most cases already enough to uniquely fingerprint you.
Tor browser
And Mullvad browser
Daily plug for Cromite, which is explicitly built for anti-fingerprinting (through not just blocking, but spoofing and stripping systems out) and de-Googling:
And yet the normie still has nothing to hide…
Adult People accepting these material conditions disgust me.
But as society we got what we deserve, get fucked by daddy and asking for seconds because convenience and you can’t expect a peasant to have any agency
Not sure why you’re being downvoted, you’re not wrong. The peasants need to sack up and help dismantle this shit
These statements appear to be insulting to them?
However, clearly politely explaining shit to them doesn’t work so I am just shit posting until I am dead or we hit critical mass of freedom enjoyers which one comes first.
Time for a user agent switcher. Like “Yeah, I swear, I’m a PS5, that has only monospaced comic sans installed”
Fingerprinting unfortunately uses more than useragent strings. It takes hashes of data in your browser from a javascript context that is not easily masked or removed. For example, it might render a gradient of colors projected onto a curved 3d plane. The specific result of this will create a unique hash for your GPU. They can also approximate your geolocation by abusing the time-to-live information within a TCP packet, which is something you can’t control on the clientside at all. If you TRULY want to avoid tracking by google, you need to block google domains in your hosts file and maybe consider disabling javascript on all sites by default until you trust them. Also don’t use google.
How must it feel being clever enough to come up with these ideas and then implement them for companies invading everyones privacy for advertisement revenue and malicious information serving or stealing.
I guess they sleep soundly on a fat bank account.
Jokes aside, keep in mind that the idea of fingerprinting is that your computer’s configuration is as unique as a fingerprint (e.g., your monitor is x resolution, you are on this operating system, you are using these following extensions in this browser, you have these fonts on your system).
Setting your user agent to something super unique is basically shining a spotlight on yourself.
It’s way worse than that.
Even if you somehow magically have the same settings as everyone else, your mouse movement will still be unique.
You can even render something on a canvas out of view and depending on your GPU, your graphics driver, etc the text will look different…
There is no real way to escape fingerprinting.
I have a novice coding question using the mouse tracking as an example: Is it possible to intercept and replace mouse tracking data with generic inputs? For example, could you implement an overlay that blocks mouse interactions, and instead of physically clicking on elements, send a direct packet to the application to simulate selecting those elements?
Yes, it’s possible. That’s the way a lot of automated web UI testing tools work. The problem with doing it during normal browser use is that your intentional actions with the real mouse wouldn’t work right, or the page would start acting like you clicked on things you didn’t click on.
Great read from Tuta on this topic. It’s been an issue for a while but Google going full force publicly on it causes this issue to grow greater.
I left a comment replying to someone further down about how this can be at least a little combatted and how it is with browsers. (At least to my minimal knowledge of it)
I just wish Tuta put more effort into their product than their marketing.
I noped out because of them not letting me have any control over my emails outside of asking them for a dump. But reading the support reddit is just brutal.
Do you have a link for those reviews of Tuta email?
I personally have never used them. I use Proton myself (despite some news) and haven’t had any issues. I’ve heard Tuta is also great but I think one of the cons of privacy mail is that they’re not going to be nearly as polished as the big players like Gmail or outlook.