matthewdgreen · a month ago
This isn't exactly browser fingerprinting (though it may involve browser fingerprinting.) But the biggest open question I have right now is: what is Meta doing to get around Apple's iOS privacy protections?

A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates they were successful. But if this is true, nobody has written much about it.

gherkinnn · a month ago
https://news.ycombinator.com/item?id=44169115

They found sneaky ways on Android. There is no way they aren't trying to do so on iOS. One must always assume malice with anything Meta.

dietr1ch · a month ago
It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.

Also, WhatsApp refuses to be usable without giving it Contacts access. I had to use the app, login to the web client, and then I was finally able to type a phone number to start a new chat.

I ended up uninstalling it, but there's plenty of people AND businesses that nowadays mainly or even only use WhatsApp that it's painful to be on the privacy-first side.

metalliqaz · a month ago
I find it is useful to do so for all corporations.
Beijinger · a month ago
"But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see."

My "rugged" browser for regular browsing has plug-ins that randomize all this data.

rafram · a month ago
This most likely makes you more identifiable, not less, until a critical mass of people are using a browser with the exact same randomness properties.
RiverCrochet · a month ago
what plugins do you use/recommend?
prasadjoglekar · a month ago
IP addresses are quite static. Most phones and laptops come "home" once a day and get attached to the home IP. Do it for long enough and you can household all the other IP v6s, MACs etc. that are untethered.
gruez · a month ago
>MACs etc. that are untethered.

MAC addresses don't leave the local network, so it's not relevant to web tracking. Moreover it's randomized by default on iOS/Android so the tracking potential is limited.

eli · a month ago
Apple's iCloud Private Relay seems like it should solve this for iOS.
kytazo · a month ago
My impression would be the opposite. IPv6s get constantly rotated by most ISPs.

MACs are always randomized, even when connecting to the same network. At least as far as modern devices go.

Am I wrong?

resource_waste · a month ago
>what is Meta doing to get around Apple's iOS privacy protections?

A strong relationship to Apple and cross-value marketing.

Surely these rules only apply to middle sized and smaller companies. We've seen Apple get caught bending the rules for big players, even if they don't admit it.

Hilift · a month ago
> what is Meta doing to get around Apple's iOS privacy protections?

Money always finds a way. Everyone thought the changes made a few years ago would hurt Meta but they make $70 billion net profit. At a minimum, they only need a good relationship with advertisers, and a (sort of measurable) increase from a campaign. Also ads are different now. One address may see the same five seconds of an ad hundreds of times. That is a much easier ecosystem to correlate targets through data enrichment.

0cf8612b2e1e · a month ago
Let’s pretend that the Apple restriction is 100% effective- how much impact would you expect to Meta’s bottom line? Sure, Meta would love to know every spicy detail of your life, but just following in app activity probably reveals more than enough to sway advertisers.

Meta hoovers up every detail because they can. Knowing that user #7227724 spends 23 minutes a day in Spotify might make the ad targeting 0.4% more accurate, but does not seem like the lynchpin for the entire business.

dec0dedab0de · a month ago
probably just ignored them. Aren't those privacy protections basically you saying "pretty please don't track me?"
tagraves · a month ago
Not on iOS, as I understand it. If you "Ask app not to track" on iOS then the app cannot access your IDFA, which was the ID that previously was used to track a device across apps.
willis936 · a month ago
If we're exploring the space of "they're lying", wouldn't a simpler explanation be that they're lying about their revenue?
rafram · a month ago
You're confusing IDFA with Do Not Track.
kyle-rb · a month ago
There's a company, currently called Tie (meettie.com), formerly known as Revenue Roll, who promises to "de-anonymize your highest value web traffic", which in practice means that they give you an email address for retargeting, for a user who visited your site without ever explicitly providing any identifying info.

The old site had a blog post [0] where they explicitly said they were using fingerprinting, and even called it "privacy-compliant".

I'm sure they're not unique in the service they provide, but that was the first time I'd seen someone brag about browser fingerprinting.

[0] https://web.archive.org/web/20240527125312/https://www.reven...

gausswho · a month ago
I notice they have an Opt-Out form here: https://app.termly.io/dsar/ee5088c4-5eb2-475c-a9ea-9376f1b70...

It's pretty hilarious legalese and tells you nothing about what it even achieves. Maybe makes you a Very Important Marketing Target.

One thing that struck me was the 'Under penalty of perjury, I declare all the above information to be true and accurate'. Shame they seem to require validating request by email. It'd be fun to take a PII breach and throw all the emails you find at 'em.

kurtoid · a month ago
tried the form for shits and giggles - 6 days ago and no response yet
kurtoid · a month ago
Their opt-in doesn't work - go to a few of their customer sites (listed in their blog/success stories) and they make a lot of calls to revenueroll IPs without asking. Some of those calls contain PII responses too. Trying to contact them, but they've been brushing me off
kurtoid · a month ago
If you find the right API endpoint, you can spoof the `Forwarded` header to get different results. Big PII leak IMO but they seem to think it's intended behavior?
712021142 · a month ago
Funny stuff here for Revenue Roll/Tie: https://www.youtube.com/shorts/Du1W8k6Y_kc

amelius · a month ago
Why aren't privacy orgs trying these services?
jordanb · a month ago
I'm considering it a good thing at this point that I'm getting captcha-walled with increasing frequency. It means that my setup and behavior looks more like the billions of anonymous bots flooding the web rather than a lucrative mark.
bo1024 · a month ago
Same, but to access so many websites now, you have to turn on JS (i.e. turn on fingerprinting). Even for sites where this isn't on purpose, it's true because they're behind Cloudflare.
fsflover · a month ago
Did you have a look at this test? https://www.eff.org/pages/cover-your-tracks
daneel_w · a month ago
You should share details on your setup.
bo1024 · a month ago
(Different commenter, same experience)

Firefox, VPN, UBlock Origin, Privacy Badger, and UMatrix plugin to block cookies and javascript by default. (You can easily whitelist first and/or third-party cookies and/or JS on sites of your choice.)

Actually, usually librewolf instead of firefox, but not a big difference I suspect.

jordanb · a month ago
Nothing special just Firefox and the normal privacy plugins.
firefax · a month ago
I use noscript, ublock origin, and container tabs to isolate my personal email and banking, and often get accused of being a robot. (I'm a real boy!)
Sanzig · a month ago
Browser fingerprinting is one of those things that should be outright illegal - it is far more of a threat than tracking cookies ever were. But it hasn't permeated the public consciousness like cookies have, so regulators seem to ignore it.
patrickmay · a month ago
This is a technical problem, not a legal one. The solution is for browsers to provide users with the ability to limit the information being sent. There's no need for the vast majority of websites to know my OS, number of CPUs, screen or window size, or most of the other fingerprinting metrics.
Sanzig · a month ago
I think it's both. It wasn't a problem when browsers were simple content display engines, but now that they are full VMs for application software, they need some of that capability just to function. FWIW, I think this was a mistake, but the genie is out of the bottle.

I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.

kennywinker · a month ago
Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.

Not to mention the big players on the users’ team in the technical arms race (google, ms, apple) are also advertising companies.

By all means let’s solve it from the technical side - but also let’s regulate privacy so everyone gets it, not just people paranoid/technical enough to use the latest/best privacy respecting tools.

rsync · a month ago
… which is why it is so frustrating (and damning) that Firefox does not make it simple to block all of these measurements.

To whatever degree this is, indeed, a technical problem. There’s a simple choke point that is being intentionally unutilized.

raxxorraxor · a month ago
This information can be relevant for a site that needs to know your capabilities. No need to render some canvas if your client is a text browser.

It isn't trivial to craft legislation to separate these use cases, but it also is far from impossible if there would be political will to do it.

I think the latter is far more interested in surveillance of users where tracking is one building block.

And of course legislation is needed to criminalize tracking without user consent. It would just be an internet stalking law being applied.

grishka · a month ago
It can't be made entirely illegal so IMO a better way would be to remove or restrict the APIs that fingerprinting scripts abuse. Make browsers hypertext viewers again!
thrance · a month ago
Why can't it be made illegal? And from the article, a very succinct explanation as to why browsers will never be fingerprint-resilient:

> Chromium (Chrome) is built by Google, an advertisement company which tracks its users for showing relevant ads. So naturally it doesn’t have any inbuilt protection against fingerprinting.

bee_rider · a month ago
It should be illegal, but we also need technical prevention of it, because the internet is global and goes through too many jurisdictions to really regulate.

Plus, fingerprinting tech would get developed for criminal organizations or intelligence agencies anyway.

Szpadel · a month ago
There are some more or less legit causes for fingerprinting, like bot protection or identifying scammers that just create another account when the previous one is banned.

whether this is justified is of course subjective

amelius · a month ago
We need regulators with more balls. And more brains. This privacy theater is becoming very painful to watch.
t0lo · a month ago
People with ideas are a dying breed. The west doesn't have a fraction of the idealism of the 80s and 90s
Lord-Jobo · a month ago
The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.

In fact, doing so will often times end up bringing donations from relevant industries directly to your opponent.

Now, this system of perverse incentive and legal bribery should be fixed at the constitutional level but that's a gigantic can of worms.

In the current system there are two methods that can circumvent the issue. The first is one deployed by the likes of Elizabeth Warren; run your campaign on a broad array of "fighting for your constituents" and don't get specific until you are already elected and drafting a bill.

The second path is underutilized and should be done more: lie out your ass to the moneyed interests. Take their money, make them promises, eat at their fancy dinners, befriend them, laugh at their awful jokes. Then just fucking dunk on them in the legislature, as quietly as possible. Make a big show of being forced to, keep the charade going as long as possible.

The inverse of this has been done a lot recently, with Sinema, with Fetterman. But the good version is quite rare, and a good opportunity to make our country a better place.

Key notes: tough to do in bigger positions because they're rarely the first public office seats people hold, so track records build. Tough to do in many districts because voters can be rubes who actively agree with the corporations stomping on their nards. Tough to do if you make too large of a profile (not really a concern).

chpatrick · a month ago
Seems almost impossible to police though.

tonyedgecombe · a month ago
Yes, it’s probably worse to have unenforced regulations than no regulations.
Sanzig · a month ago
Since fingerprinting is mostly client side, it should be detectable. If you serve a web page with a fingerprinting script, that should be an automatic big fine.
troupo · a month ago
Or... You could read GDPR and realize that "cookie dialogs" were never about cookies: https://news.ycombinator.com/item?id=44670345
Sanzig · a month ago
TIL, thanks! The usual convention of calling them "cookie dialogues" sure obfuscates that.
aniviacat · a month ago
So does that mean that fingerprint.com, which records your fingerprint without asking for your consent, is operating illegally?
bugsMarathon88 · a month ago
The Internet is a war zone: demanding made up rules for behavior online is as ineffectual as pleading for peace with the enemy during battle. Strap on a helmet if you're shell-shocked.
u8_ · a month ago
From my experience, fingerprint.com isn't really the best at fingerprinting. The scariest one to me is creepjs

https://abrahamjuliot.github.io/creepjs/

anthk · a month ago
Dillo and Links are perfect against that crap.
yodon · a month ago
There's a company offering a service to explicitly unmask and name the formerly anonymous visitors to your website, posted on HN today.

[0] https://news.ycombinator.com/item?id=44670308

mysterypie · a month ago
> go to about:config and setting privacy.resistFingerprinting = true in your Firefox browser

Two questions jump to mind:

Why isn't this the default in Firefox?

What is the downside? I.e., what can break by enabling this parameter?

JohnFen · a month ago
It isn't the default because the countermeasures cause a lot of side-effects. If it were on by default, new users would probably think the browser is broken or buggy.

Here's what the settings do and what sort of side-effects you might experience:

https://support.mozilla.org/en-US/kb/resist-fingerprinting

Yeul · a month ago
Yeah I have it on but I use a second browser for banking and government business.
jeroenhd · a month ago
> What is the downside

Just off the top of my head:

- Timezone is set to UTC which means any web calendar input becomes confusing at best

- Canvases turn into random stripes, which leaves artefacts all over many websites

- Some websites outright block you as bots (twitch does this)

- Some web APIs break, which can be a pain if you're using web apps that rely on them

You can add websites to a whitelist to avoid the downsides on some sites (privacy.resistFingerprinting.exemptedDomains) but it's a pain to do that for every website.

Szpadel · a month ago
Other downsides: Cloudflare, PayPal and all kinds of finance-related sites will assign a high threat level to you and will make your life miserable, for causes ranging from captchas through rejecting your purchases to even blocking your access.

And the worst part is that this didn't change the fingerprint generated by the site mentioned here; it just increases the suspect level to 9.

keyringlight · a month ago
The biggest one I've noticed which I think is linked to that preference is sites using Cloudflare sending you into an endless loop of a bot check.
micromacrofoot · a month ago
It's actually part of the privacy preferences in the normal settings, and they supply this warning

> This setting may cause some websites to not display content or work correctly. If a site seems broken, you may want to turn off tracking protection for that site to load all content.

Some sites use light fingerprinting to provide features

jeroenhd · a month ago
resistFingerprinting is stricter (and has worse side effects) than the standard "strict" privacy protection.
rinz · a month ago
Some websites prefill the username to allow quicker re-login - this kind of feature. Worst case scenario, you will get a first-time visit experience all over again
Cyykratahk · a month ago
The most obvious downside for me was remote terminal windows (e.g. using ttyd) being unusable because canvas rendering was "broken".
capitainenemo · a month ago
That one at least is easy to fix, since firefox shows a little icon in url bar if it is blocking canvas data, and the remote site asked for it. You just click on it to whitelist that site.

I've had more issues personally with resist fingerprinting making major sites completely unusable (drupal.com, walmart.com..)

Vinnl · a month ago
So, one thing I don't quite get about fingerprinting:

> For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details

If, for example, I upgrade my web browser in two weeks (i.e. I get a new version number), doesn't that mean that the site has lost me?

Sites like https://coveryourtracks.eff.org seem to focus on how unique your fingerprint is, but doesn't it also matter how stable it is over time?

rinz · a month ago
That is why they probably don't put features that can be easily changed into the final fingerprint hash.
Vinnl · a month ago
But how many features then remain? For example, I've seen people discuss font size, version numbers, viewport size, etc. Do the remaining features still make a unique identifier?
dehrmann · a month ago
It depends if they hash the data points or send them unprocessed. If they're unprocessed, they can associate two fingerprints where only the browser has changed.
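
The stability question in this last exchange, worked through as an added example (not part of the thread and not any vendor's code): a hash over every attribute breaks on a browser upgrade, a hash over a stable subset survives it, and raw attributes allow fuzzy matching. The attribute values, the FNV-1a hash and the 0.8 threshold are assumptions chosen for illustration.

```javascript
// Constructed sample attributes; names follow the list quoted in the thread.
const before = {
  browserVersion: "140.0",
  os: "Linux x86_64",
  cpuCount: 8,
  screen: "2560x1440",
  touchPoints: 0,
  timezone: "Europe/Amsterdam",
  codecs: "av1,h264,opus,vp9",
};
// Same device two weeks later: only the browser version changed.
const after = { ...before, browserVersion: "141.0" };
// A different visitor (constructed) on the same OS and browser version.
const stranger = { ...before, cpuCount: 4, screen: "1920x1080",
                   touchPoints: 5, timezone: "America/Chicago" };

// FNV-1a (32-bit): an assumed stand-in for whatever hash a script would use.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hash a chosen subset of attributes, serialized in a fixed key order.
function hashFingerprint(attrs, keys = Object.keys(attrs)) {
  return fnv1a([...keys].sort().map((k) => `${k}=${attrs[k]}`).join("|"));
}

// Fraction of attributes with identical values; needs the raw data.
function similarity(a, b) {
  const keys = Object.keys(a);
  return keys.filter((k) => a[k] === b[k]).length / keys.length;
}

// Treat two observations as one device when enough raw attributes agree.
function sameDevice(a, b, threshold = 0.8) {
  return similarity(a, b) >= threshold;
}

// Attributes assumed to change rarely (the "stable subset" idea).
const stableKeys = ["os", "cpuCount", "screen", "touchPoints", "timezone"];

console.log("full hash survives upgrade:",
  hashFingerprint(before) === hashFingerprint(after));
console.log("stable-subset hash survives upgrade:",
  hashFingerprint(before, stableKeys) === hashFingerprint(after, stableKeys));
console.log("raw similarity after upgrade:", similarity(before, after).toFixed(2));
console.log("raw data links the stranger:", sameDevice(before, stranger));
```

For a user, the takeaway is that changing one attribute does not break linkage when the other values stay constant and the tracker keeps raw values or hashes only the stable ones.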