Digital Fingerprinting: Google launched a new era of tracking worse than cookie banners | Tuta (tuta.com)
from misk@sopuli.xyz to technology@lemmy.world on 18 Feb 18:15
https://sopuli.xyz/post/22809401

#technology

mighty_orbot@retro.pizza on 18 Feb 18:25 next collapse

@misk I think your federation software is broken. In Mastodon, the urls in your posts just lead back to themselves every time, not out to an external article.

misk@sopuli.xyz on 18 Feb 18:28 next collapse

Sir, this is a Lemmy’s.

shifty@leminal.space on 18 Feb 19:24 next collapse

I loled

FrostyPolicy@suppo.fi on 18 Feb 19:56 collapse

It’s all Fediverse. You can follow things on lemmy on mastodon and vice versa and so on.

misk@sopuli.xyz on 18 Feb 20:05 collapse

I’m aware but the degree of compatibility differs. Lemmy to Mastodon is pretty smooth but subOP is using some different microblogging platform it seems.

sunzu2@thebrainbin.org on 18 Feb 19:14 next collapse

Mbin will now load pictures within the comment?!

OpenStars@discuss.online on 18 Feb 19:20 next collapse

I’m not sure if you’ll get this reply @mighty_orbot@retro.pizza, but here’s the link visible from Lemmy itself: tuta.com/…/digital-fingerprinting-worse-than-cook….

Your method of accessing this Lemmy community seems not to be working on your side somehow. You might try a different app - I’ve never used Mastodon so I don’t know what might work.

mighty_orbot@retro.pizza on 18 Feb 19:23 collapse

@OpenStars That was my point. I can open the post on its own server and see it as intended. But the federation part of the Lemmy software is clearly not generating the right data. It should embed the Tuta.com link instead of linking back to the post itself.

OpenStars@discuss.online on 18 Feb 19:29 next collapse

@mighty_orbot@retro.pizza

What I mean is, the link in a Lemmy community when viewed from a Lemmy instance works just fine. So it’s not broken at that level.

I can’t speak to how it comes across to Mastodon, or your particular method of access to that, as you showed in your screenshot. In general, instances running the Mbin software seem to work better to access both Lemmy and Mastodon, but overall communication between Mastodon and Lemmy seems not perfect, as you said.

sem@lemmy.blahaj.zone on 20 Feb 06:34 collapse

What is it like, reading Lemmy on Mastodon? Is it like one post with many replies? Or do they nest like in Lemmy?

dsilverz@friendica.world on 18 Feb 20:03 collapse

@mighty_orbot @misk I'm using Friendica. From here, the links are normal. As it's also not Lemmy, I guess it's a Mastodon-specific (or even instance-specific) problem.

Zarxrax@lemmy.world on 18 Feb 18:29 next collapse

Would it be possible for a browser or extension to just provide false metadata in order to subvert this type of fingerprinting?

JackAttack@lemmy.dbzer0.com on 18 Feb 18:40 next collapse

So from what I understand, there’s 2 common ways that browsers combat this. Someone add to or correct me if I’m wrong.

  1. Browsers such as Mull combat this by looking the same as every other browser. If you all look the same, it’s hard to tell you apart. I believe this is why people recommend using default window size when using Tor.

Ex: Everyone wearing black pants and hoodies with the facemasks. Extremely hard to tell who is who.

  2. Browsers such as Brave randomize metadata that fingerprinting collects so that it’s more difficult to piece it all together and build a trend/profile on someone.

Ex: look like a dog in one place, a cat in another place. They get data for a dog but that doesn’t help build anything if the rest of the data is a cat, hamster, whatever. No way to piece it together to be useful.

In both my examples, there are caveats. Just because everyone dressed the same doesn’t mean someone isn’t taller or shorter, or skinnier or fatter. There can still be tells to help narrow down. Or a cat that barks like a dog suddenly is more linkable to a dog if that makes sense lol.

In other words it still depends on user behavior that can contribute to the effectiveness of these tools.

EDIT: got distracted. To answer your question I don’t think so. I think it’s more about user behavior blending in or being randomized. I think the only thing an extension would be able to do is possibly randomize the data but I’m unsure of such an extension yet. These aren’t the only options, these are just ones I’ve read about recently. Online behavior, browser window size, and I’m sure so much more also goes into it. But every little bit helps and is better than nothing.

EDIT2: Added examples for each for clarity.

mathemachristian@lemm.ee on 18 Feb 19:09 next collapse

Mull is discontinued unfortunately, although I think it got forked?

sunzu2@thebrainbin.org on 18 Feb 19:13 next collapse

Fennec is similar and is maintained

There is a fork of mull too

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:12 collapse

I went back to Fennec. We’ll see if a fork survives long term.

I just want Firefox on F-Droid, and Fennec has been that for years. I only switched because I got a new phone and figured I’d try Mull.

JackAttack@lemmy.dbzer0.com on 18 Feb 19:19 next collapse

Yeah maybe Tor Browser was the better example. Just trying to get the point out lol.

masterofn001@lemmy.ca on 18 Feb 20:44 next collapse

For mobile, yes, development stopped.

However, Mullvad (from the actual VPN folk) for desktop still exists.

mullvad.net/en/browser

Ulrich@feddit.org on 18 Feb 21:46 collapse

Mullvad browser and Mull were not affiliated.

masterofn001@lemmy.ca on 18 Feb 21:54 collapse

That’s why I said (from the actual vpn folk)

The two were often conflated because “mull” in the name. They also used many of the same resources for the prefs.js and other tweaks. (Arkenfox, tor uplift, etc)

yoshisaur@lemm.ee on 19 Feb 04:58 collapse

Yep. Its fork is called ironfox

drmoose@lemmy.world on 19 Feb 04:16 collapse

The first point is flawed and even TOR doesn’t execute javascript because it’s impossible to catch everything when you give the server full code running capabilities.

The second point is more plausible but there’s an incredible amount of work to do to fix this. Like, needing to rework browser engines from ground up and removing all of the legacy cruft. Brave is not capable of this and never will be no matter what they advertise because it doesn’t have its own engine.

That being said, these tools will get you quite far against commercial fingerprint products especially ones used for Ads but that will also ruin your browser experience as now you’re just solving captchas everywhere 🫠

JackAttack@lemmy.dbzer0.com on 19 Feb 16:56 collapse

Thanks for adding! Could you clarify a bit on the points so I can better understand where I was wrong at?

Ulrich@feddit.org on 18 Feb 21:45 next collapse

Yes but that metadata is also used to serve you the webpage, so if you spoof it, the page may not load properly.

kipo@lemm.ee on 18 Feb 23:49 next collapse

Yes. There is a firefox extension called Chameleon that does this.

fmstrat@lemmy.nowsci.com on 19 Feb 00:50 next collapse

Others have mentioned what Firefox/etc do, but another option is a PiHole. If you can’t look up the IP for an advertiser URL, you don’t load the JavaScript to begin with.

drmoose@lemmy.world on 19 Feb 04:10 collapse

No. Anything that executes Javascript will be fingerprinted.

That being said it depends who you are fighting. For common commercial tools like Cloudflare fingerprinter it might work to some extent but if you want to safeguard against more sophisticated fingerprinting then TOR and no JS is the only way to combat this.

The issue is that browsers are so incredibly complex that it’s impossible to patch everything and you’ll just end up getting infinite captchas and break your browsing experience.

SnotFlickerman@lemmy.blahaj.zone on 18 Feb 18:28 next collapse

Just in time for their prophet, Curtis Yarvin, to be pushing a full-scale surveillance state!

Googlers aren’t on our side. They want to rule. They think being a fucking admin on a server makes them cut out to run society.

They want to tear down democracy and basically replace it with administrator rules and access control lists.

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:15 collapse

Googlers aren’t on our side

They never were, our interests just aligned while they were growing market share. They have that now, so there’s no more reason to stay aligned.

Corporations aren’t your friend, but they can be momentary allies. People should’ve bailed once IE was dethroned, but here we are…

sunzu2@thebrainbin.org on 18 Feb 18:32 next collapse

And yet the normie still has nothing to hide...

Adult People accepting these material conditions disgust me.

But as society we got what we deserve, get fucked by daddy and asking for seconds because convenience and you can't expect a peasant to have any agency

Quadhammer@lemmy.world on 19 Feb 21:19 collapse

Not sure why you’re being downvoted, you’re not wrong. The peasants need to sack up and help dismantle this shit

sunzu2@thebrainbin.org on 19 Feb 21:32 collapse

These statements appear to be insulting to them?

However, clearly politely explaining shit to them doesn't work so I am just shit posting until I am dead or we hit critical mass of freedom enjoyers, whichever one comes first.

JackAttack@lemmy.dbzer0.com on 18 Feb 18:44 next collapse

Great read from Tuta on this topic. It’s been an issue for a while but Google going full force publicly on it causes this issue to grow greater.

I left a comment replying to someone further down about how this can be at least a little combatted and how it is with browsers. (At least to my minimal knowledge of it)

NuXCOM_90Percent@lemmy.zip on 18 Feb 19:04 collapse

I just wish Tuta put more effort into their product than their marketing.

I noped out because of them not letting me have any control over my emails outside of asking them for a dump. But reading the support reddit is just brutal.

JackAttack@lemmy.dbzer0.com on 18 Feb 19:08 next collapse

I personally have never used them. I use Proton myself (despite some news) and haven’t had any issues. I’ve heard Tuta is also great but I think one of the cons of privacy mail is that they’re not going to be nearly as polished as the big players like Gmail or outlook.

Snowstorm@lemmy.ca on 18 Feb 20:38 collapse

Do you have a link for those reviews of Tuta email?

Balinares@pawb.social on 18 Feb 18:56 next collapse

You’d THINK the article would link to a source about the fingerprinting in question instead of 90% filler slop and ads for their own service… Anyone got a link?

treadful@lemmy.zip on 18 Feb 21:36 collapse

What is it you’re looking for? Do you want to know what kinds of information is used for fingerprinting?

If so, check out coveryourtracks.eff.org and amiunique.org.

Balinares@pawb.social on 19 Feb 00:18 collapse

I’m aware of fingerprinting techniques, thank you. The article is claiming that Google will start using some of those and I’m looking for the source for that claim, hopefully with specifics about which techniques are involved. Confusingly, the article does not appear to provide such a source.

balder1991@lemmy.world on 19 Feb 02:22 collapse

I think the true source is this one?

Some reactions to it.

Balinares@pawb.social on 19 Feb 03:38 collapse

Thanks – that’s an announcement about policy updates. I already read it and it says nothing about fingerprinting. The only change to underlying technologies it mentions is the use of e.g. trusted execution environments (the doc for which, per a further link, is in fact on github). Those seem to claim that they let announcers run ad campaigns through Google ads while keeping their campaign data provably locked away from Google. So, basically, all these links are about purported “privacy-enhancing” techs, and you’d be forgiven for taking that with an enormous grain of salt, but either way, nothing in there about fingerprinting.

The Guardian article basically paraphrases the Tuta one – or it’s the other way around, maybe – but does also not provide actual sources.

I just want a source on what fingerprinting Tuta is claiming Google will start using. I feel like the details of the purported fingerprinting techniques should be front and center to this discussion and I’m frustrated that the article entirely fails to provide that info.

balder1991@lemmy.world on 19 Feb 03:50 collapse

Yeah I also looked into it and there seems no concrete information on that, just speculation about the policy change, like this one:

“While Google doesn’t explicitly state that IP addresses and other fingerprint methods are now allowed, the Privacy Disclosure section of Google’s February 16th Platforms Program Policies now explicitly mentions ‘cookies, web beacons, IP addresses, or other identifiers.’”

When you dive into it, it does look more like companies that sell encryption and VPNs using some potential danger to get more subscribers.

Balinares@pawb.social on 19 Feb 16:17 collapse

Ah, that Techlicious link is a great find, thanks. It does lay out clearly what the theoretical concern is. That’s still a far cry from the “Google will start fingerprinting you” scenario that seems to have people up in arms.

Thanks for digging out this link, I really appreciate it.

9point6@lemmy.world on 18 Feb 19:02 next collapse

Further evidence that a Republican government in the USA results in private organisations pushing the bar as far as they can.

In Reagan’s time it was Wall Street. Now it’s Silicon Valley.

You want private organisations working for your benefit and not that of their shareholders? You need a government that actually has the gumption to challenge them. The current US government is 4 years of a surrender flag flying on the white house.

Or we could bin off this fucking failed neoliberal experiment, but that’s apparently a bit controversial for far too many people

One_Blue_Shoe@lemmynsfw.com on 19 Feb 04:26 next collapse

Having the gall to suggest we not allow less than 3000 people to own all of the world’s supply lines, media platforms, institutional wealth, construction companies, dissemination platforms, politicians, private equity firms and the single largest interconnected (private or otherwise) espionage and social engineering plot known to mankind?

You fucking tanky you! Go back to Russia!!!

sugar_in_your_tea@sh.itjust.works on 19 Feb 17:05 collapse

Republicans aren’t the problem here, they’re a natural result of a two party system. If you have a coin, half the time you’ll get the “good” side, and half the time you’ll get the “bad.”

And this isn’t to say either side is consistently “good” or “bad,” parties rarely stick to anything. The deregulation you’re complaining about started under Jimmy Carter, affectionately called “the great deregulator.” In fact, many (most?) of Carter’s changes took effect during Reagan’s term, and it was incredibly successful.

However, for some reason Democrats are now against deregulation, probably because Republicans took the credit and Democrats needed to rebrand.

That doesn’t imply that Trump’s deregulation is “good,” it just means deregulation isn’t inherently “bad.”

RejZoR@lemmy.ml on 18 Feb 19:10 next collapse

Good thing I erased Google out of my life a decade ago meaning I can much easier block even more of their everywhere present garbage and not have issues.

sunzu2@thebrainbin.org on 18 Feb 19:12 next collapse

Dropped your 👑, king

P1nkman@lemmy.world on 18 Feb 20:59 collapse

Beware, the current administration might send you to Gitmo if you don’t kneel to King Trump!

TheFeatureCreature@lemmy.ca on 18 Feb 19:56 collapse

Ditching gmail remains one of the best choices I’ve made in years.

zinge@lemmy.world on 18 Feb 20:49 next collapse

What did you switch to?

TheFeatureCreature@lemmy.ca on 18 Feb 21:07 collapse

Squizzy@lemmy.world on 18 Feb 21:46 collapse

Our work is switching from them and god damn they are so good at things though. I always disliked labels but the layout is top tier.

But yeah they are awful people

homesweethomeMrL@lemmy.world on 18 Feb 19:20 next collapse

Digital fingerprinting is a method of data collection – one that in the past has been refused by Google itself because it “subverts user choice and is wrong.” But, we all remember that Google removed “Don’t be evil” from its Code of Conduct in 2018. Now, the Silicon Valley tech giant has taken the next step by introducing digital fingerprinting.

Oh, forgot to mention - we’re evil now. Ha! Okay, into the chutes.

eRac@lemmings.world on 18 Feb 21:17 collapse

Google removed “Don’t be evil”

Still parading that lie around? It’s easily verified as false. Their code of conduct ends with:

And remember… don’t be evil, and if you see something that you think isn’t right – speak up!

Ulrich@feddit.org on 18 Feb 21:47 collapse

Still parading that lie around? It was removed and then added back later.

balder1991@lemmy.world on 19 Feb 02:02 collapse

It was removed and then added back later

Really? Because the articles that noticed it back then said it was retained at the end of the document, it was only removed from the preface:

www.searchenginejournal.com/…/254019/

gizmodo.com/google-removes-nearly-all-mentions-of…

ZeroGravitas@lemm.ee on 18 Feb 19:34 next collapse

PiHole

AdAway

Burn the ads down.

original_reader@lemm.ee on 18 Feb 19:52 collapse

Sadly, neither will truly protect you from fingerprinting.

Ulrich@feddit.org on 18 Feb 21:48 next collapse

They can block domains known to collect fingerprinting data but yes, they don’t block fingerprinting itself.

When you go to The Verge and there’s a full-screen pop-up about “our 872 partners store and access personal data, like browsing data or unique identifiers” those are all databrokers, and it’s not just them, it’s a fucking epidemic on the internet of sites that sell user data. The web has a cancer and it’s called advertising.

[deleted] on 19 Feb 02:45 next collapse

.

FosterMolasses@leminal.space on 19 Feb 17:48 collapse

PopUpOff gets rid of the box on most sites without having to give your consent. Can’t remember the last time an annoying cookie disclaimer blocked me from web content.

Ulrich@feddit.org on 19 Feb 17:50 collapse

I wasn’t complaining about annoying cookie banners, I was complaining about data collection.

You can get rid of cookie banners with a normal ad blocker like uBO

balder1991@lemmy.world on 19 Feb 02:40 next collapse

Like, why not? The article says:

“And this is exactly why Google wants to use digital fingerprinting: It is way more powerful than cookie-based tracking, and it can’t be blocked for instance by switching to a privacy-first browser.”

If I use Firefox and Firefox doesn’t send any fingerprint to the website, then how is it identifying me?

I get that if you use Android (which is normally tied to Google), you’re still subject to see it on Google websites, but how will it work otherwise?

original_reader@lemm.ee on 19 Feb 07:49 collapse

This website explains it: pixelprivacy.com/…/browser-fingerprinting/

Basically you send your user agent, browser and OS configuration like screen resolution, your primary system language, timezone, installed plugins and so forth as you browse the internet. Not so easy to block. In fact, avoiding fingerprinting 100% is almost impossible, because there are so many configurations. It is hard not to be somewhat unique. Still there are ways to minimize the identifying information. Using Firefox, this is what you might want to read: support.mozilla.org/…/resist-fingerprinting. Note, though, that even there it says that such techniques can “help prevent websites from uniquely identifying you”, not prevent it entirely.

ZeroGravitas@lemm.ee on 21 Feb 08:59 collapse

Sure, but look at it this way. Fingerprints are benefiting the advertisers, and their purpose is to better target ads. Well I say fingerprint the hell out of everything, but I’ll make sure no ads get through. If we all do that, what’s the added value of fingerprinting then?

original_reader@lemm.ee on 21 Feb 10:55 collapse

Sure. You can still be profiled, though. That can open doors for discrimination or other unsavory agendas. One also loses a measure of anonymity. Users don’t clearly see how and know that they are tracked, meaning there’s a loss of transparency.

It’s not just about ads.

ZeroGravitas@lemm.ee on 21 Feb 22:46 collapse

No argument from me. But we’re talking about a byproduct of a commercial endeavour, without financial gain there would be less reason to do it in the first place.

If nothing else, at least they make less money and I have a better experience online.

Bogasse@lemmy.ml on 18 Feb 19:57 next collapse

So I guess for Firefox users it’s time to enable the resist fingerprinting option? support.mozilla.org/…/resist-fingerprinting

ookiiBoy@lemmy.blahaj.zone on 18 Feb 20:16 next collapse

It annoys me that this is not on by default…

perfectly_boiled_pizza@lemmy.world on 18 Feb 22:36 collapse

It’s a nice feature for those that actively enable it and know that it’s enabled, but not for the average user. Most people never change the default settings. Firefox breaking stuff by default would only decrease their market share even further. And this breaks so much stuff. Weird stuff. The average user wants a browser that “just works” and would simply just switch back to Chrome if their favourite website didn’t work as expected after installing Firefox. Chrome can be used by people who don’t even know what a browser is.

ZiemekZ@lemmy.world on 18 Feb 20:37 next collapse

Privacy Badger anyone?

Bogasse@lemmy.ml on 18 Feb 21:06 collapse

But does Privacy Badger also act on the canvas APIs & co.?

masterofn001@lemmy.ca on 18 Feb 21:04 next collapse

You can also use canvas blocker add-on.

Use their containers (firefox multi-account container add-on) feature and make a google container so that all google domains go to that container.

If you want to get crazy, either set in about:config or make yourself a user.js file in your Firefox profile directory and eliminate all communication with google. And some other privacy tweaks below.

google shit and some extra privacy/security settings

// Google domains and services (these turn off Safe Browsing, including its malware, phishing and download checks):
user_pref("browser.safebrowsing.allowOverride", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google.advisoryName", "");
user_pref("browser.safebrowsing.provider.google.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.lists", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.advisoryName", "");
user_pref("browser.safebrowsing.provider.google4.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.lists", "");
user_pref("browser.safebrowsing.provider.google4.pver", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
// Privacy and security stuff:
user_pref("dom.push.enabled", false);
user_pref("dom.push.connection.enabled", false);
user_pref("layout.css.visited_links_enabled", false);
user_pref("media.navigator.enabled", false);
user_pref("network.proxy.allow_bypass", false);
user_pref("network.proxy.failover_direct", false);
user_pref("network.http.referer.spoofSource", true);
user_pref("security.ssl.disable_session_identifiers", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
user_pref("security.tls.enable_0rtt_data", false);
user_pref("privacy.partition.network_state.connection_with_proxy", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("privacy.resistFingerprinting.randomization.daily_reset.enabled", true);
user_pref("privacy.resistFingerprinting.randomization.enabled", true);
user_pref("screenshots.browser.component.enabled", false);
user_pref("privacy.spoof_english", 2);
user_pref("webgl.enable-debug-renderer-info", false);
user_pref("webgl.enable-renderer-query", false);

Bluefruit@lemmy.world on 18 Feb 21:59 next collapse

This is why I like Lemmy, never knew canvas blocker was a thing. Thank you.

Krik@lemmy.dbzer0.com on 19 Feb 02:52 collapse

Or you just switch to LibreWolf where all these settings are already set. It even comes with uBlock preinstalled.

refurbishedrefurbisher@lemmy.sdf.org on 19 Feb 05:26 collapse

Or Mullvad Browser, which is just the Tor Browser without Tor.

There’s also IronFox on Android which is more similar to LibreWolf than MV Browser.

Chulk@lemmy.ml on 19 Feb 03:27 next collapse

I’m still trying to wrap my head around fingerprinting, so excuse my ignorance. Doesn’t an installed plugin such as Canvas Blocker make you more uniquely identifiable? My reasoning is that very few people have this plugin relatively speaking.

happydoors@lemm.ee on 19 Feb 05:07 next collapse

Maybe if they can connect you to your other usage but it’s probably more of their resources and such a small % of the population that it isn’t worth the time to subvert? Idk just guessing here

RecallMadness@lemmy.nz on 19 Feb 18:53 collapse

Iirc, Websites can’t query addons unless those addons manipulate the DOM in a way that exposes themselves.

They can query extensions.

Addons are things installed inside the browser. Like uBlock, HTTPS Everywhere, Firefox Containers, etc.

Extensions are installed outside the browser. Such as Flashplayer, the Gnome extensions installer, etc.

RecallMadness@lemmy.nz on 19 Feb 18:57 collapse

Further: the Canvas API doesn’t have any requirements on rendering accuracy.

By deferring to the GPU, font library, etc, tracking code can generate an image that is in most cases unique to your machine.

So blocking the Canvas API would return a 0. Which is less unique than what it would be normally.

oaklandnative@lemmy.world on 19 Feb 09:37 collapse

I use (and love) Firefox containers, and I keep all Google domains in one container. However, I never know what to do about other websites that use Google sign in.

If I’m signing into XYZ website and it uses my Google account to sign in, should I put that website in the Google container? That’s what I’ve been doing, but I don’t know the right answer.

ayyy@sh.itjust.works on 19 Feb 15:57 collapse

Yes, that’s right. Also seriously consider ditching Single StalkSign On entirely.

oaklandnative@lemmy.world on 19 Feb 22:03 collapse

Thank you. I agree re ditching it and have been working on that.

pHr34kY@lemmy.world on 18 Feb 21:22 next collapse

I’ve used this. The only annoyance is that all the on-screen timestamps remain in UTC because JS has no idea what timezone you’re in.

I get that TZ provides a piece of the fingerprint puzzle, but damn it feels excessive.

treadful@lemmy.zip on 18 Feb 21:31 next collapse

And automatic darkmode isn’t respected, and a lot of other little annoyances. That’s why this is so difficult. These are all incredibly useful features we would have to sacrifice for privacy.

unwarlikeExtortion@lemmy.ml on 19 Feb 14:13 collapse

Dark mode can be recreated using extensions, although the colors most likely won’t be as legible as “native support”.

I don’t see why a similar extension couldn’t change the timezones of clocks.

Additionally, I don’t see why the server should bother with either (pragmatically) - Dark mode is just a CSS switch and timezones could be flagged to be “localized” by the browser. No need for extra bandwidth or computing power on the server end, and the overhead would be very low (a few more lines of CSS sent).

Of course, I know why they bother - Ad networks do a lot more than “just” show ads, and most websites also like to gobble any data they can.

Slax@sh.itjust.works on 19 Feb 03:09 collapse

Wait is that why my Firefox giving me errors when I try to log into websites with 2FA?

Ulrich@feddit.org on 18 Feb 21:41 next collapse

I mean it doesn’t hurt but as far as I can tell, it doesn’t actually block fingerprinting, it blocks domains known to collect and track your activity. The entire web is run on Google domains so that would be nearly impossible to block.

The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.

Schadrach@lemmy.sdf.org on 19 Feb 12:45 collapse

The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.

So, essentially the best way to actually resist fingerprinting would be to spoof the results to look more common - for example when I checked amiunique.org one of the most unique elements was my font list. But for 99% of sites you could spoof a font list that has the most common fonts (which you have) and no others and that would make you “blend in” without harming functionality. Barring a handful of specific sites that rely on having a special font, that might need to be set as exceptions.

Ulrich@feddit.org on 19 Feb 15:10 collapse

No, the best way is to randomly vary fingerprinting data, which is exactly what some browsers do.

Font list is just one of a hundred different identifying data points so just changing that alone won’t do much.

Schadrach@lemmy.sdf.org on 19 Feb 15:43 collapse

I wasn’t suggesting it as “font list and you’re done”. I was using it as an example because it’s one where I’m apparently really unusual.

I would think you’d basically want to spoof all known fingerprinting metrics to be whatever is the most common and doesn’t break compatibility with the actual setup too much. Randomizing them seems way more likely to break a ton of sites, but inconsistently, which seems like a bad solution.

I mean hypothetically you could also set up exceptions for specific sites that need different answers for specific fields, essentially telling the site whatever it wants to hear to work but that’s going to be a lot of ongoing work.

Ulrich@feddit.org on 19 Feb 15:54 collapse

It’s a combination of both.
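
Added example, not part of any comment in this thread: a small JavaScript simulation of the defenses argued over above (blend in, randomize, block), using the kinds of attributes original_reader lists further up (user agent, screen, language, timezone, fonts, canvas). The six profiles, the `defenses` table and all function names are constructed for illustration; it models what a tracker can conclude from the values it is handed, not how any browser implements these protections.

```javascript
// Constructed sample data: six browsers as a tracking script might see them.
const ATTRS = ["userAgent", "screen", "language", "timezone", "fonts", "canvas"];
const P = (id, userAgent, screen, language, timezone, fonts, canvas) =>
  ({ id, userAgent, screen, language, timezone, fonts, canvas });
const population = [
  P("u1", "Chrome/Windows", "1920x1080", "en-US", "UTC-5", "base", "gpuA"),
  P("u2", "Chrome/Windows", "1920x1080", "en-US", "UTC-5", "base", "gpuA"),
  P("u3", "Chrome/Windows", "1920x1080", "en-US", "UTC-5", "base", "gpuB"),
  P("u4", "Firefox/Linux", "2560x1440", "de-DE", "UTC+1", "base+extra", "gpuC"),
  P("u5", "Firefox/Windows", "1366x768", "en-GB", "UTC+0", "base", "gpuD"),
  P("u6", "Safari/macOS", "1440x900", "fr-FR", "UTC+1", "base", "gpuE"),
];

// A fingerprint is the observed attribute values joined together.
// `attrs` lets us model a tracker that ignores fields it considers noisy.
function fingerprint(profile, attrs = ATTRS) {
  return attrs.map((a) => `${a}=${profile[a]}`).join("|");
}

// Each defense maps (true profile, session number) -> what the site sees.
const defenses = {
  none: (p) => p,
  // "Blend in": every adopter reports the same fixed values.
  normalize: (p) => ({
    ...p, userAgent: "Firefox/Windows", screen: "1400x900", language: "en-US",
    timezone: "UTC+0", fonts: "base", canvas: "blank",
  }),
  // "Randomize": the canvas readout changes every session. The id+session
  // string is a deterministic stand-in for random noise (reproducible output).
  randomize: (p, session) => ({ ...p, canvas: `noise-${p.id}-${session}` }),
  // "Block": refuse the canvas readout, leave everything else untouched.
  block: (p) => ({ ...p, canvas: "blocked" }),
};

// What the tracker records for every user in one session.
function observe(pop, adopters, defense, session, attrs = ATTRS) {
  const seen = new Map();
  for (const p of pop) {
    const shown = adopters.includes(p.id) ? defenses[defense](p, session) : p;
    seen.set(p.id, fingerprint(shown, attrs));
  }
  return seen;
}

// Compare two sessions: is the target's fingerprint stable, and how many
// users share it? Stable + unique means the two visits can be linked.
function assess(pop, targetId, adopters, defense, attrs = ATTRS) {
  const s1 = observe(pop, adopters, defense, 1, attrs);
  const s2 = observe(pop, adopters, defense, 2, attrs);
  const mine = s2.get(targetId);
  const anonymitySet = [...s2.values()].filter((f) => f === mine).length;
  const stable = s1.get(targetId) === mine;
  return {
    anonymitySet,
    surprisalBits: Math.log2(pop.length / anonymitySet), // identifying bits
    stable,
    linkable: stable && anonymitySet === 1,
  };
}

const residual = ATTRS.filter((a) => a !== "canvas"); // tracker drops canvas

function scenarios() {
  return {
    // u4 has an unusual setup and no protection.
    noDefense: assess(population, "u4", [], "none"),
    // u4 is the only one blending in: still a set of one.
    normalizeAlone: assess(population, "u4", ["u4"], "normalize"),
    // Three users blend in: they become indistinguishable from each other.
    normalizeWithOthers: assess(population, "u4", ["u4", "u5", "u6"], "normalize"),
    // Randomized canvas: the full fingerprint no longer matches across visits...
    randomizeFull: assess(population, "u4", ["u4"], "randomize"),
    // ...but the untouched attributes alone still single u4 out.
    randomizeResidual: assess(population, "u4", ["u4"], "randomize", residual),
    // u1 shared a fingerprint with u2 until u1 alone started blocking canvas.
    blockAlone: assess(population, "u1", ["u1"], "block"),
    // If all three similar users block, "blocked" merges them into one set.
    blockCommon: assess(population, "u1", ["u1", "u2", "u3"], "block"),
  };
}

console.log(scenarios());
```

In this constructed population, blending in only helps once other users report the same values, and randomizing one field breaks linking only while the tracker keeps that field in the fingerprint.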

roscoe@lemmy.dbzer0.com on 19 Feb 00:32 next collapse

Does ublock do this?

sem@lemmy.blahaj.zone on 19 Feb 03:13 next collapse

Why does it do this?

  • Math operations in JavaScript may report slightly different values than regular.

PS grateful for this option!

grinde@programming.dev on 19 Feb 03:45 collapse

Some math functions have slightly different results depending on architecture and OS, so they fuzz the results a little. Here’s a tor issue discussing the problem: gitlab.torproject.org/legacy/trac/-/issues/13018

Bogasse@lemmy.ml on 19 Feb 06:27 collapse

But one question I’ve been asking myself is: then, wouldn’t I be fingerprinted as one of the few nerds who activated the resist fingerprinting option?

JohnEdwa@sopuli.xyz on 19 Feb 10:41 next collapse

Yes. But it’s better than being identified as a unique user which is much more likely without it. You can test it yourself on amiunique.org/fingerprint

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:08 collapse

Just use Tor browser if you want to blend in. Some sites will probably not work, and I don’t suggest accessing banks with it, but it works well for regular browsing.

fossphi@lemm.ee on 19 Feb 21:58 collapse

Please don’t enable this blindly. A lot of modern websites depend on a bunch of features which will simply not work with that flag enabled. Only do it, if you’re willing to compromise and debug things a bit

Snowstorm@lemmy.ca on 18 Feb 20:34 next collapse

I know nothing, but aren’t some pieces of Google software to be found on many sites that aren’t Google or YouTube?

Ulrich@feddit.org on 18 Feb 21:43 next collapse

what?

SomethingBurger@jlai.lu on 18 Feb 22:39 next collapse

Yes, mainly Analytics, sometimes Maps.

semperverus@lemmy.world on 18 Feb 23:31 collapse

Yes, a lot of websites embed Google Analytics, or more nefariously Google Fonts.

oldfart@lemm.ee on 19 Feb 06:11 collapse

And recaptcha. And Google-hosted Javascript libraries. And youtube embeds.

werefreeatlast@lemmy.world on 18 Feb 20:56 next collapse

I go to pornhub every morning to check out the articles. Lately I’ve noticed that they have exactly the kind of articles I’m interested in always at the top two rows and then a bunch of stuff I’m not really into elsewhere. They are definitely testing stuff.

Ulrich@feddit.org on 18 Feb 21:36 next collapse

I too go to pornhub for the articles.

fogetaboutit@programming.dev on 18 Feb 23:38 collapse

I thought people go to pornhub for the lack of articles

med@sh.itjust.works on 19 Feb 02:45 next collapse

I go to pornhub for the definite article

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:10 collapse

Idk, I see a lot of “a”, “an”, and “the” there.

pHr34kY@lemmy.world on 18 Feb 21:20 next collapse

So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.

Ulrich@feddit.org on 18 Feb 21:36 next collapse

It was never about privacy, it was supposedly about security, which there is some evidence for. There were a lot of malicious extensions. The sensible thing to do would be to crack down on malicious extensions but I guess that costs too much money and this method also conveniently partially breaks adblockers.

Cethin@lemmy.zip on 19 Feb 05:28 collapse

The fewer of your competitors who have the data the more valuable that data is.

drmoose@lemmy.world on 19 Feb 03:54 next collapse

This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long lost battle and browsers are beyond the point of saving without a major resolution taking place.

The only way to resist effective fingerprint is to disable Javascript in its entirety and use a shared connection pool like wireguard VPN or TOR. Period. Nothing else works.

spicehoarder@lemm.ee on 19 Feb 04:54 next collapse

Hello grease monkey and no script, my old friends

markko@lemmy.world on 19 Feb 05:38 next collapse

What are some good scripts for grease monkey?

bestboyfriendintheworld@sh.itjust.works on 19 Feb 12:46 collapse

Wouldn’t selective disabling of JavaScript make fingerprinting easier? Your block and white list are likely to be unique.

spicehoarder@lemm.ee on 19 Feb 13:10 collapse

Tracking scripts are usually separate from the scripts that do stuff. But also giving them less info is always just better.

Lifter@discuss.tchncs.de on 19 Feb 06:23 next collapse

How can you live with yourself?

drmoose@lemmy.world on 19 Feb 10:59 next collapse

I do it as a security measure for private institutions and everyone involved has signed contracts. It’s not on the public web.

victorz@lemmy.world on 19 Feb 10:59 collapse

I know right. I was offered a job at a betting site and online casino with those addictive games and shit. Gave that a hard pass, said no thanks, don’t think that’s the right business area for me. I would feel so dirty going to and coming from work every damn day.

hansolo@lemm.ee on 19 Feb 07:26 next collapse

This is what I’ve been saying for months in the reddit privacy sub and to people IRL. Some people seem perfectly happy to just block ads so they don’t see the tracking. Literal ignorance is bliss. Most simply don’t have time or wherewithal to do the minimal work it takes to enjoy relative “privacy” online.

FWIW, any VPN where you can switch locations should do the job since the exit node IPs ought to get re-used. My practice is to give BigG a vanilla treat because my spouse hasn’t DeGoogled, and leave anything attached to our real names with location A. Then a whole second non-IRL-name set of accounts usually with location B with NoScript and Chameleon. Then anything else locations C, D, E, etc.

Ugh… This all sucks.

geography082@lemm.ee on 19 Feb 09:42 next collapse

What are you people trying to hide ??? /s

bestboyfriendintheworld@sh.itjust.works on 19 Feb 12:45 next collapse

Disabling JavaScript entirely is another data point for fingerprinting. Only a tiny fraction of users do it.

Besides, without JavaScript most websites are not functional anymore. Those that are are likely not tracking you much in the first place.

drmoose@lemmy.world on 19 Feb 15:11 next collapse

Yeah unfortunately disabling JS is not a viable option tho onion websites are perfectly functional without JS and it just shows how unnecessarily JS had been expanded without regard for safety but there’s no stopping the web.

unemployedclaquer@sopuli.xyz on 19 Feb 16:57 collapse

I disable JS with noscript.net and it really is an enormous pain. It has some security advantages, like I don’t get ambushed so easily by an unfamiliar site and pop ups. I often will just skip a site if it seems too needy

gcheliotis@lemmy.world on 19 Feb 19:30 collapse

So… how effective is it? The fingerprinting. I’m guessing there are studies? Also don’t know whether there’s been legal precedent, ie whether fingerprinting has been recognized as valid means of user identification in a court case.

drmoose@lemmy.world on 20 Feb 01:23 collapse

It’s super effective but there are very few real use cases for it outside of security and ad tracking. For example you can’t replace cookies with it because while good fingerprint is unique it can still be fragile (browser update etc.) which would cause data loss and require reauth.

Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in the background these days tho mostly for security and ad tracking.

As for court cases and things like GDPR - the officials are still sleeping on this and obviously nobody wants to talk about it because it’s super complex and really effective and affects so many systems that are not ad tech.

gcheliotis@lemmy.world on 20 Feb 13:18 collapse

Usually fingerprint plays a supporting role for example when you do those “click here” captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in the background these days tho mostly for security and ad tracking.

I’ve been wondering about those “click here” captchas and their purpose 🤔

drmoose@lemmy.world on 20 Feb 13:43 collapse

Yes, and even before js fingerprint happens the connection is fingerprinted through HTTP and TLS protocol fingerprints as each system is slightly different like supporting different encryption ciphers, different http engine and how requests are performed etc.

So even before you see the page itself the server has a pretty good understanding of your client which determines whether you see this captcha box at all. That’s why on public wifi and rare operating systems (like linux) and web browsers you almost always get these captcha verifications.

The more complex the web becomes the easier it is to gather this data and currently the web is very complex with no sight of stopping.

gcheliotis@lemmy.world on 20 Feb 16:36 collapse

Huh had no idea. I still wonder how accurate this is though, like whether it can be used forensically as the word “fingerprint” suggests to identify a specific person/private machine. It’s kind of fascinating as a topic. I would think that given that most people use similar setups, similar hardware and software, similar routers and settings, it would be impossible, but perhaps with enough details of a particular setup, a specific machine and user can be identified with decent accuracy.

RangerJosey@lemmy.ml on 19 Feb 04:18 next collapse

uBlock Origin, Ghostery, and what else? Scriptmonkey maybe?

They’ll stop it.

umami_wasbi@lemmy.ml on 19 Feb 05:23 next collapse

Nope. Try Creep.js. It is real creepy.

hansolo@lemm.ee on 19 Feb 06:55 collapse

Ooooh, no they won’t stop this. It’s the workaround for tracking with all the things you just mentioned.

You have to either mask the fingerprint like how Brave does, or spoof the headers and block JS to make the fingerprint useless.

RangerJosey@lemmy.ml on 19 Feb 16:24 collapse

If that’s what it takes. It’s worth it.

mle86@feddit.org on 19 Feb 04:46 next collapse

So I thought this is never going to fly under GDPR. Then the article goes on to say:

Many privacy laws, including the EU’s GDPR and California’s CCPA, require user consent for tracking. However, because fingerprinting works without explicit storage of user data on a device, companies may argue that existing laws do not apply which creates a legal gray area that benefits advertisers over consumers.

Oh come on Google, seriously? I remember a time when Google were the good guys, can’t believe how they’ve changed…

spicehoarder@lemm.ee on 19 Feb 04:57 next collapse

That time was like 20 years ago, dude

victorz@lemmy.world on 19 Feb 10:57 next collapse

It’s still sad to see the development. We’re allowed to mourn things that happened long ago, you know.

mle86@feddit.org on 19 Feb 14:26 collapse

Oh absolutely. At this point I’m not surprised anymore that they turned to shit, it’s more like I think they’ve hit rock bottom already but they manage to surprise me with new ways to dig their hole even deeper.

pulsewidth@lemmy.world on 19 Feb 05:21 collapse

Google were maybe seen as the good guys back in the days of Yahoo search, and perhaps the very early days of Android.

But those times are so long passed. Google has been a tax-avoiding, anti-consumer rights, search-rigging, anti-privacy behemoth for decades now, and they only get worse with each passing year.

Schadrach@lemmy.sdf.org on 19 Feb 12:32 next collapse

In other words, they went public and must now maximize gains for shareholders.

lonerangers1@lemmy.world on 19 Feb 17:07 collapse

boards of directors have a fiduciary duty to the shareholders. If they did something they knew wasn’t going to result in the max short term profits they can be found in violation. Just a race to the bottom.

buddascrayon@lemmy.world on 19 Feb 16:32 collapse

for decades now

You should drop that S. The company has only existed for a little over 2 decades and Android hasn’t been around for much more than 1. Yes they’ve become an evil fucking corporation but let’s not exaggerate for how long.

pulsewidth@lemmy.world on 19 Feb 17:34 collapse

I’ve been using Google since 1998, and everyone loved them because their search indexed sites quicker than others and the search results were more useful than the competition at the time like Yahoo and Altavista and AskJeeves. They started turning nasty as soon as they gained steam & commercial success with AdWords… around 2003-2004. So no, while they get worse each year they haven’t been ‘the good guys’ for decades.

buddascrayon@lemmy.world on 20 Feb 11:34 collapse

You’re mad cause they started putting ads into your search results? Like that was always going to happen. Having ads doesn’t make them evil. The shit they’re doing right now, and have been doing for the last half a dozen years or so, that makes them evil.

pulsewidth@lemmy.world on 20 Feb 16:47 collapse

What? Maybe you should just stop trying to guess what people think or tell them what they know.

You’re welcome to your opinion that it’s only been a dozen years of bad behaviour but I do not share it and nor do many, many others. Feel free to have a browse, much of this goes back to 2001, many lawsuits filed in the early 2010s had evidence going back a decade. en.m.wikipedia.org/wiki/Criticism_of_Google

I’m not responding any further.

Ledericas@lemm.ee on 19 Feb 06:10 next collapse

It’s captcha v3, it’s the same thing reddit uses to catch bots and ban evaders, apparently it’s expensive for reddit so they only mostly use it for ban waves.

LeTak@lemm.ee on 19 Feb 06:41 next collapse

Using Mullvad Browser + Mullvad VPN could mitigate this a little bit. Because if you use it as intended (don’t modify Mullvad browser after installation) , all Mullvad users would have the same browser fingerprint and IPs from the same pool.

AHemlocksLie@lemmy.zip on 19 Feb 09:28 next collapse

And now Mullvad has all the data

Eyedust@lemmy.dbzer0.com on 19 Feb 09:57 next collapse

Mullvad, (the vpn, I have not tried the browser) uses a single account number as both name and password, no emails. It allows for multiple anonymous payment methods and it’s open source.

Sliiiiightly more trustworthy than Google imo.

Deway@lemmy.world on 19 Feb 13:24 collapse

The random dude on the corner is more trustworthy than Google, it’s not that hard to be sadly.

Eyedust@lemmy.dbzer0.com on 19 Feb 14:37 collapse

Big corp facts.

TomasEkeli@programming.dev on 19 Feb 10:38 next collapse

If you don’t trust anyone the internet (or any net you don’t fully control yourself) is not something you will use.

Practical security is a matter of threat-modeling and calculated risks.

Mullvad has a good track record, but if you know of better alternatives that don’t require building it yourself, please share!

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:05 collapse

Tor browser. It’s probably more popular, and they lead the charge in standardizing everything so you know it’ll be top tier.

pound_heap@lemm.ee on 19 Feb 13:00 collapse

And Mullvad is not in business of selling user profiles to advertisers, at least as far as we know

hansolo@lemm.ee on 19 Feb 11:06 collapse

The problem is it’s all or nothing. You must foil IP address, fingerprint, and cookies - all three at once.

Mullvad browser might make your fingerprint look similar to other users, but it’s not common is the problem. Test it with the EFF Cover your tracks site.

potentiallynotfelix@lemmy.fish on 19 Feb 06:45 next collapse

We’re all gonna need to use whonix for basic shit now

Ronno@feddit.nl on 19 Feb 07:06 next collapse

Which is why I had hoped the EU would ban all forms of fingerprinting and non-essential data tracking. But they somehow got lobbied into selecting cookies as the only possible mechanism that can be used, leaving ample room to track using other methods.

bestboyfriendintheworld@sh.itjust.works on 19 Feb 10:25 collapse

How would that even be enforced?

TomasEkeli@programming.dev on 19 Feb 10:33 collapse

same way other regulations are enforced: fines

bestboyfriendintheworld@sh.itjust.works on 19 Feb 12:39 next collapse

How do you prove they’re doing it?

AnUnusualRelic@lemmy.world on 19 Feb 14:23 next collapse

They’re making money aren’t they? They have to be doing something weird.

TomasEkeli@programming.dev on 19 Feb 19:42 next collapse

Investigation, witnesses, gather evidence, build a case and present the evidence. Same as any other thing.

I don’t get why this would be harder to prove than other things?

ricecake@sh.itjust.works on 19 Feb 20:29 collapse

If you have reason to believe they are, you explain that reasoning to a court and if the reasoning is sufficiently persuasive the company can be compelled to provide internal information that could show whatever is going on.
Hiding this information or destroying it typically carries personal penalties for the individuals involved in its destruction, as well as itself being evidence against the organization. “If your company didn’t collect this information, why are four IT administrators and their manager serving 10 years in prison for intentionally deleting relevant business records?”

The courts are allowed to go through your stuff.

AoxoMoxoA@lemmy.world on 19 Feb 13:40 collapse

That might work if the fine was say $1.5 B

Jakule17@lemmy.world on 19 Feb 19:10 collapse

The European Commission has fined Apple over €1.8 billion for abusing its dominant position on the market for the distribution of music streaming apps to iPhone and iPad users (‘iOS users’) through its App Store

EU knows how to get it done

AoxoMoxoA@lemmy.world on 19 Feb 20:32 collapse

God bless those European MF’rs

pyre@lemmy.world on 19 Feb 08:01 next collapse

new? isn’t this at least like a decade old method of tracking?

Kcap@lemmy.world on 19 Feb 10:46 next collapse

We need Richard Hendricks and his new internet asap

victorz@lemmy.world on 19 Feb 10:54 collapse

What’s this about? Fill me in? 🙏

MothmanDelorian@lemmy.world on 19 Feb 10:59 collapse

He was the main character on Silicon Valley

victorz@lemmy.world on 19 Feb 11:07 collapse

Oh okay. I should pick that show up again, finish what I started.

Thanks!

lonerangers1@lemmy.world on 19 Feb 17:04 collapse

It’s more Mike Judge prophecy stuff. So much of what’s going on now was covered in that show.

Waldschrat@lemmy.world on 19 Feb 12:26 next collapse

But why would any browser accept access to those metadata so freely? I get that programming languages can find out about the environment they are operating in, but why would a browser agree to something like reading installed fonts or extensions without asking the user first? I understand why Chrome does this, but all of the major ones and even Firefox?

jenesaisquoi@feddit.org on 19 Feb 12:39 next collapse

Firefox has built-in tracking protection.

Waldschrat@lemmy.world on 19 Feb 12:48 collapse

I know that it has that in theory, but my Firefox just reached a lower score on coveryourtracks.eff.org (which was posted in this thread, thanks!) than a Safari. Firefox has good tracking protection but has an absolute unique fingerprint, was 100% identifiable as the first on the site, as to Safari, which scored a bit less in tracking but had a not unique fingerprint.

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:03 collapse

Probably because Safari is default macOS and most people leave it at default settings. I doubt Apple is doing anything special here.

ILikeBoobies@lemmy.ca on 19 Feb 15:20 collapse

Apple is doing good on the privacy browser front because it makes the data they collect more valuable

pound_heap@lemm.ee on 19 Feb 12:59 collapse

Because the data used in browser fingerprinting is also used to render pages. Example: a site needs to know the size of browser window to properly fit all design elements.

Potatar@lemmy.world on 19 Feb 17:14 next collapse

I fucking hate this. Let me zoom, stop reacting and centering omfg.

ricecake@sh.itjust.works on 19 Feb 20:12 collapse

Just for an example that isn’t visible to the user: the server needs to know how it can communicate responses to the browser.
So it’s not just “what fonts do you have”, it also needs to know “what type of image can you render? What type of data compression do you speak? Can I hold this connection open for a few seconds to avoid having to spend a bunch of time establishing a new connection? We all agree that basic text can be represented using 7-bit ASCII, but can you parse something from this millennium?”.

Beyond that there’s all the parameters of the actual connection that lives beneath http. What tls ciphers do you support? What extensions?

The exposure of the basic information needed to make a request reveals information which may be sufficient to significantly track a user.

Waldschrat@lemmy.world on 19 Feb 12:42 next collapse

It would be nice to hammer a manually created fingerprint into the browser and share that fingerprint around. When everyone has the same fingerprint, no one can be uniquely identified. Could we make such a thing possible?

Canuck@sh.itjust.works on 19 Feb 13:04 next collapse

This is called Tor

OhNoMoreLemmy@lemmy.ml on 19 Feb 13:34 next collapse

No it isn’t.

And this is really important. If you go on Google tracked websites without tor, Google will still know it’s you when you use tor, even if you’ve cleared all your cookies.

Tor means people don’t know your IP address. It doesn’t protect against other channels of privacy attack.

Canuck@sh.itjust.works on 19 Feb 13:50 collapse

Yes, it is… Tor prevents against fingerprinting as well. It isn’t just relay plumbing to protect your IP… This can easily be tested on any fingerprinting site with default config of Tor demonstrating a low entropy blog.torproject.org/browser-fingerprinting-introd…

brygphilomena@lemmy.dbzer0.com on 19 Feb 13:58 next collapse

It’s been a long while since I looked, but I remember it being a thing in tails to specifically not resize your browser window or only have it full screen to match a ton of other fingerprints.

Plus since it was a live distro that reset on every reboot it would only have the same fonts and other data as other people using tails. Honestly, I hate that all that info is even available to browsers and web sites at all.

Forbo@lemmy.ml on 19 Feb 20:10 collapse

Letterboxing has significantly reduced threat presented by window sizing. support.torproject.org/glossary/letterboxing/

sem@lemmy.blahaj.zone on 20 Feb 05:29 collapse

I don’t quite understand – does this feature let you resize the window again to the size you want, and you are still sharing the same fingerprint with everyone else? Or do you still have to keep the browser window the default size to minimize your unique fingerprint?

Forbo@lemmy.ml on 20 Feb 21:46 collapse

It rounds the browser window to the nearest 100x100 window size. Using the default will likely be the biggest dataset to hide yourself in, but maximizing the window will still have some amount of obfuscation.
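The bucketing described in the comment above, as an added sketch that is not part of the thread and not Tor Browser's code. It assumes a fixed 100-pixel step and rounding down (the margins can only shrink the reported area); real browsers may use other step sizes, and the window sizes are constructed sample data.

```javascript
// Constructed sample of content-window sizes (width, height in CSS pixels).
const SAMPLE_WINDOWS = [
  [1280, 720], [1263, 741], [1237, 788], [1299, 703],
  [1440, 837], [1412, 860], [1488, 899], [1401, 811],
];

// Snap a window size down to the letterbox grid. The step is an assumption
// taken from the comment above (100 x 100).
function letterbox([w, h], step = 100) {
  const snap = (n) => Math.max(step, Math.floor(n / step) * step);
  return [snap(w), snap(h)];
}

// Shannon entropy (in bits) of a list of observed values: how much
// identifying information this one attribute carries in the sample.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Compare what a site learns from the raw sizes with what it learns once
// every visitor reports the letterboxed size instead.
function compare(windows, step = 100) {
  const raw = windows.map(([w, h]) => `${w}x${h}`);
  const boxed = windows.map((size) => letterbox(size, step).join("x"));
  return {
    rawBits: entropyBits(raw),
    boxedBits: entropyBits(boxed),
    buckets: [...new Set(boxed)].sort(),
  };
}

console.log(compare(SAMPLE_WINDOWS));
```

In this sample eight distinct window sizes (3 bits) collapse into two buckets of four visitors each (1 bit), which is why a resized window still keeps some cover.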

OhNoMoreLemmy@lemmy.ml on 19 Feb 19:03 collapse

Tor browser is not Tor.

This is Tor en.m.wikipedia.org/wiki/Tor_(network)

Tor browser is an additional piece of software built on top of it. Using the network(what everyone else means when they say tor) is unfortunately not enough to prevent fingerprinting.

Canuck@sh.itjust.works on 19 Feb 20:08 collapse

Good point, that difference does matter. I guess other browsers like Brave use the Tor Network, and it would be misleading to suggest Brave has good anti-fingerprinting.

What kind of fingerprint avoidance are you suggesting then that the Tor browser cannot do that makes a difference?

sugar_in_your_tea@sh.itjust.works on 20 Feb 03:18 collapse

If you enable JavaScript, you open Pandora’s box to fingerprinting (e.g. tracking mouse movements, certain hardware details, etc). If you don’t, half (or more) of the internet is unusable.

sugar_in_your_tea@sh.itjust.works on 19 Feb 15:00 collapse

*Tor browser

Leave everything default and you’ll look like every other Tor browser user.

ChairmanMeow@programming.dev on 19 Feb 13:08 next collapse

Not really. The “fingerprint” is not one thing, it’s many, e.g. what fonts are installed, what extensions are used, screen size, results of drawing on a canvas, etc… Most of this stuff is also in some way related to the regular operation of a website, so many of these can’t be blocked.

You could maybe spoof all these things, but some websites may stop behaving correctly.

Waldschrat@lemmy.world on 19 Feb 13:56 collapse

I get that some things like screen resolution and basic stuff is needed, however most websites don’t need to know how much RAM I have, or which CPU I use and so on. I would wish for an opt-in on these topics: So only make the bare minimum available and ask the user, when more is needed. For example playing games in the browser, for that case it could be useful to know how much ram is available, however for most other things it is not.

ChairmanMeow@programming.dev on 19 Feb 14:08 collapse

Unfortunately the bare minimum is in most cases already enough to uniquely fingerprint you.

Wildly_Utilize@infosec.pub on 19 Feb 19:50 collapse

Tor browser

And Mullvad browser

AnimalsDream@slrpnk.net on 19 Feb 13:53 next collapse

Time for meshnet?

lost_screwdriver@thelemmy.club on 19 Feb 14:29 next collapse

Time for a user agent switcher. Like “Yeah, I swear, I’m a PS5, that has only monospaced comic sans installed”

shortrounddev@lemmy.world on 19 Feb 15:14 next collapse

Fingerprinting unfortunately uses more than useragent strings. It takes hashes of data in your browser from a javascript context that is not easily masked or removed. For example, it might render a gradient of colors projected onto a curved 3d plane. The specific result of this will create a unique hash for your GPU. They can also approximate your geolocation by abusing the time-to-live information within a TCP packet, which is something you can’t control on the clientside at all. If you TRULY want to avoid tracking by google, you need to block google domains in your hosts file and maybe consider disabling javascript on all sites by default until you trust them. Also don’t use google.

JackFrostNCola@lemmy.world on 21 Feb 10:15 collapse

How must it feel being clever enough to come up with these ideas and then implement them for companies invading everyones privacy for advertisement revenue and malicious information serving or stealing.
I guess they sleep soundly on a fat bank account.

towelie@lemm.ee on 19 Feb 16:34 collapse

Jokes aside, keep in mind that the idea of fingerprinting is that your computer’s configuration is as unique as a fingerprint (e.g., your monitor is x resolution, you are on this operating system, you are using these following extensions in this browser, you have these fonts on your system).

Setting your user agent to something super unique is basically shining a spotlight on yourself.

I recommend this user agent switcher extension (firefox)

Huschke@lemmy.world on 19 Feb 17:07 collapse

It’s way worse than that.

Even if you somehow magically have the same settings as everyone else, your mouse movement will still be unique.

You can even render something on a canvas out of view and depending on your GPU, your graphics driver, etc the text will look different…

There is no real way to escape fingerprinting.

towelie@lemm.ee on 19 Feb 17:14 collapse

I have a novice coding question using the mouse tracking as an example: Is it possible to intercept and replace mouse tracking data with generic inputs? For example, could you implement an overlay that blocks mouse interactions, and instead of physically clicking on elements, send a direct packet to the application to simulate selecting those elements?

BradleyUffner@lemmy.world on 19 Feb 17:30 collapse

Yes, it’s possible. That’s the way a lot of automated web UI testing tools work. The problem with doing it during normal browser use is that your intentional actions with the real mouse wouldn’t work right, or the page would start acting like you clicked on things you didn’t click on.

phoenixz@lemmy.ca on 19 Feb 15:14 next collapse

Yeah, I have an anti fingerprint extension installed in Firefox, and immediately no Google site will work anymore, all google sessions break with it while most other sites just continue to work.

I’m working to rid myself completely from Google, my target being that I will completely DNS block all google (and Microsoft and Facebook) domains within a year or so. Wish I could do it faster but I only have a few hours per weekend for this

Gorillazrule@lemmy.dbzer0.com on 19 Feb 16:09 next collapse

Mind sharing what extension you use?

towelie@lemm.ee on 19 Feb 16:46 collapse

Hi, here are the extensions I use in FireFox/Librewolf (all will work in Chromium too, but I don’t recommend Chromium browsers):

Privacy and Security-focused

uBlock Origin: A lightweight and efficient wide-spectrum content blocker.

Decentraleyes: Protects you from tracking through free, centralized content delivery. (not recommended alongside uBlock Origin; see the reply below)

CanvasBlocker: Protects your privacy by preventing websites from fingerprinting you using the Canvas API.

Ghostery Tracker & Ad Blocker - Privacy AdBlock: Blocks trackers and ads to protect your privacy and speed up browsing. Also has a handy feature that automatically rejects cookies for you. (not recommended alongside uBlock Origin; see the reply below. You can disable the ad blocking functionality and keep the cookie rejection function).

KeePassXC-Browser: Integrates KeePassXC password manager with your browser.

NoScript: Blocks JavaScript, Flash, and other executable content to protect against XSS and other web-based attacks (note: you will be required to manually activate javascript on each web page that you visit, but this is a good practice that you should get used to).

Privacy Badger: Automatically learns to block trackers based on their behavior. (not recommended alongside uBlock Origin; see the reply below)

User-Agent Switcher and Manager: Allows you to spoof your browser’s user-agent string (avoid creating a unique configuration; opt for something common, such as Chrome on Windows 10).

Violentmonkey: A user script manager for running custom scripts on websites (allows you to execute your own JavaScript code, usually to modify how a website behaves or block behavior that you don’t like. VERY useful. Check out greasyfork for UserScripts).

Other useful extensions (non-privacy/security)

Firefox Translations: Provides on-demand translation of web pages directly within Firefox.

Flagfox: Displays a flag depicting the location of the current website’s server.

xBrowserSync: Syncs your browser data (bookmarks, passwords, etc.) across devices with end-to-end encryption.

Plasma Integration: Integrates Firefox with the KDE Plasma desktop environment (for linux users).

helloyanis@jlai.lu on 19 Feb 17:29 next collapse

Thanks for the list! Although most of the time it’s advised to not use multiple adblocker in tandem, because they might conflict with each other and get detected by the website. For example, uBlock origin has, in its settings, an option to disable JavaScript and in the filter list, an option to block cookie banners “Cookie notices”. But if all of these work for you that’s great!

aceshigh@lemmy.world on 19 Feb 19:27 next collapse

How do these extensions work with ubo?

On a different note. Your name used to be my nickname lol thanks for that memory.

towelie@lemm.ee on 19 Feb 19:53 collapse

They work well on desktop and mobile (firefox). As the other replier stated, you may want to avoid using multiple ad blockers (decentraleyes, privacy badger, and ghostery) alongside UBlock; and NoScript’s functionality can be achieved with UBlock.

Lol the name came from an ironscape clan member from my osrs days. I don’t suppose that’s you?

aceshigh@lemmy.world on 20 Feb 19:58 collapse

Nope. Just a fan of South Park.

Muffi@programming.dev on 20 Feb 11:45 next collapse

“Decentraleyes” is such a good name, damn!

kalpol@lemmy.world on 20 Feb 12:29 next collapse

Port Authority is a good one too, I think. Need to check that it is still maintained.

JimRaynor@lemm.ee on 20 Feb 19:34 collapse

Thanks for this list! Just got off chrome and this helped speed things along!

XiELEd@lemmy.world on 20 Feb 14:00 next collapse

What search engine do you use?

Ramblingman@lemmy.world on 20 Feb 17:00 collapse

I want to do this but really the only thing holding me back is my phone.

brucethemoose@lemmy.world on 19 Feb 19:11 next collapse

Daily plug for Cromite, which is explicitly built for anti-fingerprinting (through not just blocking, but spoofing and stripping systems out) and de-Googling:

github.com/uazo/cromite

_cryptagion@lemmy.dbzer0.com on 19 Feb 19:25

Google can’t fingerprint you very well if you block all scripts from Google.

howrar@lemmy.ca on 19 Feb 20:15

Considering how few people block all scripts, this could also make it trivial for them to fingerprint you.

_cryptagion@lemmy.dbzer0.com on 19 Feb 20:34

Anyone who uses uBlock blocks Google scripts.

CafecitoHippo@lemm.ee on 19 Feb 21:46

uBlock Origin + PiHole FTW.

Smokeless7048@lemmy.world on 19 Feb 22:29

plus Random User Agent.

btaf45@lemmy.world on 20 Feb 16:54

Random User Agent.

I love this.

kalpol@lemmy.world on 20 Feb 12:35

I’ve checked, it’s true. Linux plus Firefox already puts you in the 2 percent category.

kalpol@lemmy.world on 20 Feb 12:31

This breaks all kinds of stuff though. A ton of sites use Google for captchas.

_cryptagion@lemmy.dbzer0.com on 20 Feb 16:50

I just don’t use any sites like that. If a site is using something other than Turnstile from Cloudflare, then I refuse to use it. I haven’t really experienced any inconvenience myself with this policy, but obviously I don’t depend on any sites that require recaptcha.

But you can allow/block any elements per site, or globally, which makes it trivial to block all unwanted scripts except on specific sites. So there is nothing preventing you from only exposing yourself to Google on the few sites you use that need those scripts.

ricecake@sh.itjust.works on 19 Feb 20:44

blog.lukaszolejnik.com/biggest-privacy-erosion-in…

This article actually shares what changed, as opposed to just asserting that there was a change.

WorldsDumbestMan@lemmy.today on 19 Feb 21:37

I don’t bother. I know they know everything about me already, and that I’m not an important person. As such, I wonder why it matters.

caden@lemmy.sdf.org on 19 Feb 21:43

Username checks out.

gens@programming.dev on 19 Feb 22:08

The only thing that matters in government politics is public opinion.

floquant@lemmy.dbzer0.com on 19 Feb 22:18

Behaviour is tracked in order to be influenced.

Ugurcan@lemmy.world on 20 Feb 16:24

I wonder how safe the Apple ecosystem is from this.

skaffi@infosec.pub on 20 Feb 17:04

Lol