Fun fact about the example fingerprint in the article:
On almost any other distro you're just going to see "Linux" for the platform. The reason "Fedora" is in this particular one is that Fedora ships packages, installed by default, for both Firefox and Chrome that add it to the user-agent string for no reason.
I know this because, for a few glorious days, there was a bug in the Chrome plugin that meant another "Fedora; " was added for every redirect in a redirect chain (i.e. "Fedora; " became "Fedora; Fedora; " and so on), which broke a whole bunch of whitelists and fingerprinting/bot-detection scripts.
There's absolutely no reason for it and no benefit to having it there, but every time someone files a bug about it the maintainers don't see what the problem is and close it as WONTFIX. [1]
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1266569
I did a little bit of research on browser fingerprinting years ago and even tried to write my own library to do it and ever since, I've always questioned how useful it actually is.
Using the list of measurement points on https://amiunique.org as a guide, most of the things that are constant about my computer, like platform, browser, or requested language, are not really unique to me and are shared by a large percentage of the other users who have visited the site.
On the other hand, most of the data points that are unique to my machine change semi-frequently. User agent and version change on browser updates, timezone changes when I travel, screen size and resolution change when I plug into my external monitor, new fonts will slowly be installed over time, and even things like how the canvases are rendered can change slightly depending on how much strain my GPU is under at the time I get fingerprinted.
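To make that concrete, here's roughly the kind of collection I mean; this is a sketch against standard browser APIs, not what amiunique actually runs:

```typescript
// Sketch of the kinds of data points a fingerprinting page can read,
// using standard browser APIs. Illustration only, not amiunique's code.
function collectDataPoints(): Record<string, string> {
  // Canvas rendering differs slightly across GPUs, drivers, and font stacks.
  const canvas = document.createElement("canvas");
  const ctx = canvas.getContext("2d");
  let canvasSample = "unavailable";
  if (ctx) {
    ctx.textBaseline = "top";
    ctx.font = "14px Arial";
    ctx.fillText("fingerprint test", 2, 2);
    canvasSample = canvas.toDataURL().slice(-32); // stand-in for hashing the full image
  }
  return {
    userAgent: navigator.userAgent,
    platform: navigator.platform,
    language: navigator.language,
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    canvas: canvasSample,
  };
}
```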
Just plugging into my external monitor was enough to get amiunique to treat me as a different user. (If you want to try this, be sure to clear your local storage and cookies between visits; the site saves a UUID there and will serve you your previous results if it finds one.)
I'm sure there's some magic formula that gives different weights to different data points that can give a decent guess at who you are, but I doubt it can say with 100% accuracy that you are who it thinks you are.
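If I had to guess at the shape of that formula, it would be some kind of weighted attribute match, something like the sketch below. The attributes and weights are numbers I made up for illustration, not anything a real tracker uses:

```typescript
// Hypothetical weighted comparison of two fingerprints. The weights are
// invented; a real tracker would presumably tune them from observed entropy
// and from how often each attribute churns.
type Fingerprint = Record<string, string>;

const weights: Record<string, number> = {
  canvas: 5,     // high entropy, but drifts with drivers and GPU load
  fonts: 4,      // high entropy, but grows as software gets installed
  userAgent: 2,  // changes on every browser update
  screen: 2,     // changes when an external monitor is plugged in
  timezone: 1,   // changes when travelling
  language: 1,
  platform: 1,
};

function matchScore(a: Fingerprint, b: Fingerprint): number {
  let matched = 0;
  let total = 0;
  for (const [key, weight] of Object.entries(weights)) {
    total += weight;
    if (a[key] !== undefined && a[key] === b[key]) {
      matched += weight;
    }
  }
  return matched / total; // 1.0 = identical on every weighted attribute
}
```

Presumably anything above some threshold gets treated as "probably the same user", which is exactly why it can never be 100% sure.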
It seems to me all it would take to defeat fingerprinting is a browser extension that modifies the browser apis to randomly slightly alter the requested data (add a random font to the list, add some nonsense to the user agent, etc). Sure, the fingerprint would still be unique, but it would be unique on every visit which would defeat the ability to track a user across visits.
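A rough idea of what such an extension's content script could do (real anti-fingerprinting tools have to patch far more surfaces, like canvas, WebGL, audio, and font enumeration, so treat this as an illustration only):

```typescript
// Sketch of a content script that adds per-visit noise. Capturing the real
// values first avoids recursing into our own getters.
const realUserAgent = navigator.userAgent;
const noise = Math.floor(Math.random() * 1e6); // new nonsense token every page load
const fakeCores = 2 + 2 * Math.floor(Math.random() * 4); // 2, 4, 6, or 8

Object.defineProperty(navigator, "userAgent", {
  get: () => `${realUserAgent} Noise/${noise}`,
});

Object.defineProperty(navigator, "hardwareConcurrency", {
  get: () => fakeCores, // plausible-but-random core count, stable within one visit
});
```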
*I'm not an expert on this subject at all, so if I got something wrong, please correct me
Cookie + IP Address + Fingerprint + URL Referral + Social Media
It’s possible to be anonymous if you only log into websites with proper privacy policies, delete cookies & cache every day, and hide behind carrier NAT.
Adding a random font shouldn't stop fingerprinting; people install new applications all the time. You make a lot of points, but ad tech can get around it.
Ideally ad corporations would be forced to delete records on people after 30 days.
It is becoming increasingly difficult, though. Google CAPTCHAs everywhere. Authentication demanding a second factor because it thinks it's a new browser. The web is progressively becoming unusable unless you are loaded with cookies and tracked. And the culprits are the likes of Amazon, Cloudflare, Google, etc. Not easy to move them.
Cloudflare somehow got better lately; I'm curious to know how :) Google search works fine and I'm not using other Google services. I see surprisingly few captchas. Yeah, I'm on a VPN too; maybe they treat it differently.
A partial match can still be linked to a unique identity on the backend. Just think of how a fingerprint scanner works, or face- and song-matching algorithms: they just need a snippet of data.
I believe a partial match would only be useful if the partial match mapped to a unique record. My point was that the data points that seem to be the most unique to my computer seem to also be the easiest to change.
If I get a fingerprint that contains some super unique font and is requesting the site in Mongolian then yeah, that can probably be mapped to a single record.
If I get a fingerprint in which the only data points that match anything in my database are that the user is on a Mac using Chrome 76 and has cookies and local storage enabled, I don't see how that can be used to track a user.
My point was that the data points that seem most unique to a user also seem like the ones that change the most frequently. If you're only changing one at a time like they would during normal use, then yeah, it's probably still trackable, but if you wrote something to change all of them on every page load, I don't see how you would be able to connect one partial match to another.
I have been wondering for some time whether some kind of randomization of the fingerprinting parameters would be better than trying to be standard/anonymous. If the fingerprint changes often, wouldn't it become completely useless?
One case of possible fingerprinting I encountered in an ad recently surprised me by how many different obscure tests it seemed to perform. The entire script is 80kB minified, and it looks like it's just hundreds of tests that check for all kinds of properties of the environment.
Many of the tests seem to look for the presence of specific APIs, or to test various features of the JS environment. I'd expect that not to give much more information than the user agent, but of course it's not as easy to fake as the user agent is.
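I can't reconstruct that particular script, but the general pattern of those environment probes usually looks something like this (a generic sketch, not the actual ad code):

```typescript
// Generic example of environment probing. Each check yields a bit or two,
// and together they can contradict a spoofed user agent (e.g. a "Firefox"
// UA string on a browser that exposes Chrome-only APIs).
const probes: Record<string, boolean | string> = {
  hasChromeObject: typeof (window as any).chrome !== "undefined",           // Chrome/Chromium
  hasInstallTrigger: typeof (window as any).InstallTrigger !== "undefined", // classic Firefox-only global
  hasWebkitTemporaryStorage: "webkitTemporaryStorage" in navigator,         // Blink-specific
  hasBattery: "getBattery" in navigator,
  hasTouch: "ontouchstart" in window,
  hasWebGL2: typeof WebGL2RenderingContext !== "undefined",
  evalToStringLength: String(eval.toString().length), // differs between some JS engines
};
```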
I'm not sure this script is entirely about fingerprinting, but I really can't see any other reason for it. Though the minification of course makes it a bit harder to see exactly what it does.
While it's indeed used for "ad tracking", this snippet is actually closer to a white-hat tool. This is from Integral Ad Science https://integralads.com/, which attempts to detect ad fraud. If you hate ads, it won't matter, but in the fight to make ads less invasive, potentially more useful, and still viable as an economic model for those who want to participate in it, Integral and WhiteOps (https://www.whiteops.com/) both do some great data work to try to stop disruptive bots.
If one hates all ads and tracking, of course, then none of this will matter, but just thought I'd point out the "why" for the fingerprinting in this case.
Tor's anti-fingerprinting measures are available in Firefox. They're off by default, but you can enable them by going to the about:config page, searching for "privacy.resistFingerprinting", and setting it to "true".
With the option enabled, there is one other guy who produces the exact same fingerprint. I hope he is not a serial killer...
Currently using Chrome for HN, but that also creates a completely unique fingerprint. I highly doubt it will ever be a focus of this browser to change that. And everyone should buy more widescreen monitors; they are awesome.
I wonder if users of standard devices like iPhones fare much better. Not that I would want to use one...
Curiously, Firefox gives me WebGL Vendor = "not supported", which isn't true at all, while Chrome gives the full driver name, which in my case is very uncommon (I'm using an Intel NUC).
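For anyone curious, that driver string is usually read through the WEBGL_debug_renderer_info extension, roughly like this:

```typescript
// How a page typically reads the GPU vendor and renderer strings. Firefox
// with resistFingerprinting refuses or genericizes this, which is probably
// why it shows up as "not supported" there.
function getWebGLInfo(): { vendor: string; renderer: string } | null {
  const gl = document.createElement("canvas").getContext("webgl");
  if (!gl) return null;
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  if (!ext) return null;
  return {
    vendor: gl.getParameter(ext.UNMASKED_VENDOR_WEBGL),
    renderer: gl.getParameter(ext.UNMASKED_RENDERER_WEBGL), // e.g. the full driver string
  };
}
```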
It seems to me that the Navigator interface is a pretty rich source of info for fingerprinting. For instance, even if I spoof my user-agent in the HTTP request, Navigator gleefully exposes the real one anyway.
There's also other fingerprinting that you need to be aware of, like keeping the browser window at its default size rather than maximising it and giving away how big your screen is.
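Both of those are just property reads away from any script on the page; a quick sketch of the values involved:

```typescript
// The JS-visible values a script can compare against the HTTP headers and
// against each other. Spoofing only the User-Agent header leaves all of
// these untouched.
const leaks = {
  jsUserAgent: navigator.userAgent,                        // the real UA string
  screenSize: `${screen.width}x${screen.height}`,
  windowOuter: `${window.outerWidth}x${window.outerHeight}`,
  windowInner: `${window.innerWidth}x${window.innerHeight}`,
  looksMaximized: window.outerWidth === screen.availWidth, // rough "is it maximized" guess
};
```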
Currently you will need to outright disable Javascript to defeat fingerprinting, and it will stay that way unless browsers actually cooperate and standardize ways to present a unified API and default values.
I wasn't part of that battle. I fall into the camp of believing that clientside logic is often preferable to serverside logic, because users are more able to inspect, modify, and archive locally running code. So not only was I not a part of that battle, I was actively encouraging people to make your life worse.
But I am a part of this battle.
I don't want to start a fight about Javascript; that's a complicated issue. I just want to point out that the "we" you refer to in the privacy battle may be a fair amount larger and more diverse than the "we" was in the Javascript battle.
I get that they are different. It was an analogy. Either way, I don't think there's enough momentum to stop it this time either.
BTW, your argument about being able to inspect local code still seems moot in light of the fact that if you interact with the server, you still have to trust it. 90% of the code might be local, but you still have to worry about that 10% that is opaque to you. And there's no practical difference between 10% of code being opaque and 90% being opaque. The "bad stuff" could happen in that 10%.
> all Tor users should have the exact same fingerprint
Wouldn't it be better to impersonate a different, randomly chosen fingerprint for each page? Otherwise any browser with this fingerprint risks being blocked for being part of the Tor network.
The link to amiunique.org was pretty interesting. In particular, I enjoyed the WebGL render. Hardware/driver-dependent things such as that are... a conundrum for anonymity.
As long as browsers are heading in the direction of more and more functionality, APIs, and complexity, I get the feeling that being un-fingerprintable is going to be a lost battle. The best you can do is to be a unique device every single time and thereby defeat server-side profile building.
I have "resist fingerprinting" set on Firefox, but it doesn't seem to do much good. Any suggestions other than to entirely turn off JS, which to me seems akin to not using the majority of the web?
I accept that this reply is basically saying "turn it off", but look at uMatrix. You can block JS by default and then add certain hosts or domains to the allow list.
I browse with JS disabled, but when I hit a site which doesn't work properly (and which I want to use still), I can allow only the domains which it needs to work.
It's quite surprising how quickly many sites now load!
I was interested in hearing what they did to prevent fingerprinting with regards to things like window size, but it seems like they just discourage the user from changing it :( It looks like this isn't going to be improved anytime soon.
I would love a button or menu action to RESET my window to the standard size in regular Firefox but so far I can’t find any easy way to do it. You’d think an extension would do it but when I checked, all the extensions related to window size did different things.
As long as browsers are inherently insecure with regard to fingerprinting, the only viable defense is to create an extensive list of known JS fingerprinters.
Additionally one needs to disallow all third party javascript sources by default.
Both strategies are possible with a good content blocker.
These strategies protect against all known and almost all unknown fingerprinting scripts. The only scenario where they don't work is unknown first-party scripts, but even then cross-site tracking is impossible.