Fingerprinting is an exploit, an attack on the person and machine. It is tracking using mechanisms that were not meant for tracking.
It is without consent and it is without user control (you can clear cookies, you can't clear the fingerprint you've left on thousands of websites you browse every week).
Cookies, Local Storage (and IP) should be the only legally authorised means of tracking.
Ad slots are often sold and resold through various exchanges, platforms and marketplaces. If each entity in this chain is liable if fingerprinting happens, then fingerprinting will quickly be just as toxic as other kinds of exploits and mostly disappear from the ecosystem.
For a site to be completely out of reach of the US/EU, all of the involved companies (site operator, fingerprinting provider, company paying for the advertising, ad network provider + the other middlemen involved in serving that ad) would have to have zero connection to the US/EU.
No, but as a community we have limited resources, and it makes more sense to focus on the technical solution than the legislative, which is usually a long slow process and never gets done what you want after all the lobbyists get their hands in it.
Yes and no; it's still a cat and mouse game. You prevent one way, fingerprinters will find another way. And sometimes, the cure may be worse than the disease.
What also makes this a little different is that there's not many nefarious actors that truly benefit from fingerprinting random people. Fingerprinting is very useful in large scale operations, and it's hard to maintain a large scale web presence as an outlaw.
I fully agree that fingerprinting should be outlawed by privacy directives. But writing such a law correctly is really tough.
Yeah I'm all for better privacy laws. Highly in favor actually. But this seems like the type of problem where you can't tackle from a single direction. I have to imagine there is a way to combat many of these tactics (at least enough to make them difficult) but I don't have the faintest clue of how to combat something like canvas fingerprinting which essentially is exploiting the silicon lottery.
I do not think laws go far enough because we live in a global society and laws don't exactly apply globally.
It's really hard to make it impossible for people to kill each other. That's why we put some protections in place where they make sense, but otherwise rely on making it illegal and punishing people who do it anyways.
Making fingerprinting illegal will solve nothing. GDPR and the cookie law rarely get applied in real life (and when they do the punishment is laughable). The only real solution is a technical one - a browser that respects your privacy.
The only way that I think a law could assist with this would be if the governments would force all websites of legal businesses to work without JavaScript as well as via Tor, but even then it will go unenforced.
That being said, I do not think that fingerprinting is an exploit as browsers come built-in with technologies that are meant for fingerprinting (see the ping attribute for example).
> It is without consent and it is without user control
How is that true? If you don't visit X site then X site can't fingerprint you. I'd say technically it's the user's fault if they run random code on their computer and use a browser that sends this information back to the fingerprinting party.
I'd say most of the best sites of the internet could be read just fine w/o JavaScript or even with just wget.
If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?
Getting browser-fingerprinted is technically the user’s fault in the same way it’s technically my fault if I die in a car crash because of some mechanical defect that I could have detected if I’d just made a habit of regularly dismantling my car to inspect every part of it, applying expert engineering knowledge to identify and fix any dangerous problem(s) (including design defects).
Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever is something we should avoid if our goal is to build a society for the common good. The whole point is to watch each other’s backs, not to create a web of obscure threats where only the truly paranoid can remain safe and avoid being exploited.
> Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever
Indeed, a lot of companies are paying a lot of people a lot of money to spend a lot of their working hours figuring out newer and more-resilient ways of doing this stuff. How long has it been since persistent Flash cookies? Looks like sometime around 2009:
I think there's a project out there for an enterprising public-interest researcher to graph how many of these attempts and techniques were developed and popularized after Facebook started allowing people outside of universities to register for an account.
> If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?
“If someone gave me the key to their front door so I could drop off amazon packages but I actually used it to come in and destroy all their valuables would it really be MY fault?”
The action of destroying the valuables is the crime. Writing down instructions on how to destroy them is just speech. If the owner (or someone else) executes those instructions then they are the actor and the responsible party.
Sure, but that's an issue with those websites, not the law. The law doesn't mandate to have a fullscreen modal that says "We value your privacy" with a big button that allows all cookies and myriad tiny buttons to disallow them individually.
If websites choose to sacrifice usability to be able to fingerprint users, that's on them.
The problem with laws is they never get them right in the first place, and that goes double with anything technology, and then once they are law it is almost impossible to get them changed.