I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.
The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleazy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
The "Temporary Containers" extension is great here, allowing pretty easy compromise between different buckets of sites. I'll have some personal ones that I log into, others go specifically into a snoop container, and the rest get temporary ones that evaporate when closed. https://addons.mozilla.org/en-CA/firefox/addon/temporary-con...
stoically, the maintainer and creator of this extension unfortunately passed in early 2023. There's a new fork available[0], linked from github[1].
I briefly discussed this extension and how to proceed after the passing of a maintainer with Mozilla staff in their Extensions and People teams at FOSDEM this year, but there were no real procedures in place at the time of our chat.
I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.
> I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.
The last thing I want to see is more banners that don't actually do anything for your privacy. Let's be real, websites/companies will do whatever they want with your data, the banner is just for show.
Out of curiosity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?
To make that analogy closer to the Internet reality, I would say that Internet tracking is more like a cabal of shop-keepers, librarians, neighbors, utility pole workers, and so on who are keeping track of all the faces, all their habits, what they look at, what they say, who they interact with, and share this information amongst themselves, recording it in perpetuity. They also share details with the police and anyone who cares to purchase them.
When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.
The difference is scale and intent. A mom and pop store owner “remembering” my face versus big tech tracking is like comparing a nosy neighbor to the CIA.
One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.
I'm fairly confident I could sue that store owner for stalking if they were logging every time I entered that store and left, along with all my activities.
I'm absolutely positive I could if they were getting other store owners to help them track me.
What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.
Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why is it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?
We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.
[Edit]: I want to encourage the above comments. Doesn't matter if recursive4 believes the other side or not, I want these conversations to be front and center. I like to see the other responses than mine as well and I think these help us refine our arguments and by being prominent they help others be convinced and join us. So while I know we don't usually talk about how to upvote/downvote, I'll just say "vote strategically rather than agreeability" :)
The store owner visibly responds to the customers differently.
Fingerprinting is invisible. It's more like the store owner recording everyone on hidden camera.
It's automated data processing at scale rather than a local mom and pop country general store. The profit seeking, decision making, management culture driving decisions is a fundamentally different relationship. Also I don't think store owners do that?
Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.
Lots of moral values/legal rules are based on magnitudes and scale.
You can talk at a normal voice inside your own home at night, and even if the neighbor can hear you through the thin walls, they have no legal recourse. If you start blasting music, the police will (in principle) come and stop you.
Some things are okay in moderation and simply bad in excess.
This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.
Most of the people who are just looking at browser statistics for the purpose of managing a website are using simple tools that just simply collect data from user agent strings. Determining browser from this isn't 100% straightforward, but it's enough to give website operators a rough idea of what browser to target. This data was more important in the days when everything wasn't Chrome/Android/iOS, and it actually mattered what version of IE your users were running.
If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.
But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.
>This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
You're more trackable by using NoScript and there's no good reason to use it if you know how to properly use uBlock: https://github.com/arkenfox/user.js/wiki/4.1-Extensions#-don...
uBlock is a content blocker so it can do everything NoScript can if you learn its advanced UI usage. Using additional extensions makes you more trackable.
I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.
If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.
One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.
They could not build a profile on you and it would break their system of tracking user login per device.
I've recently switched from Containerise + Temporary Containers to Auto Containers. Brand new addon, but the dev is responsive and IMO it works much better for creating new containers on the fly as you browse.
In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
Doesn't seem to work... reported canvas size is still some odd value (2200x1283x24). I think it uses a fixed size for the letterbox, which is useless. Right general idea though.
Now I understand why I'm getting paywall limits even in private browsing :) I use Tree Style Tab, so my canvas is also of unusual size and ratio. I guess I can try making it more narrow or wider to combat that :)
I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.
Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.
Symptoms? Is it limited to when a site has Cloudflare's more aggressive protection turned on? I haven't noticed any problems I've attributed to Cloudflare, and I use Firefox exclusively.
I have more restrictive protections on. If you use just loose settings, it completes, but advanced fingerprint protection, for example, breaks captcha completion.
This matches my experience as well. As a FF user, I very occasionally encounter problems, but these don't seem to be correlated to their using CF protections. Much more often I find sites broken that rely on cloud domains with bad reputations, which my DNS filters block.
I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.
I'm sorry whatever problem you've run into, but it's definitely not true that no cloudflare protected websites work with any Firefox. You've run into something more specific, I guess.
It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.
[0]: https://addons.mozilla.org/en-GB/firefox/addon/temporary-con...
[1]: https://github.com/stoically/temporary-containers/issues/634
Given that /usr/bin/firefox is just a shell script, you can
If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to do copy/adjust line for the icon.
So no, you cannot steelman a broken analogy.
[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...
Only things uBlock doesn’t replicate:
NoScript’s anti-XSS and anti-clickjacking heuristics (uBlock just blocks the sources, it does not sanitize payloads).
NoScript’s control over other active content types (e.g., WebGL, media codecs, etc).
https://xkcd.com/1105/
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
https://addons.mozilla.org/en-GB/firefox/addon/auto-containe...
https://github.com/Shajirr/FF-Auto-Containers
about:config -> set privacy.resistFingerprinting to true
about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true
this will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.
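Added example, not written by anyone in this thread: a small anonymity-set calculation showing why a rare browser or an unusual canvas size singles a visitor out, and what rounding the reported size changes. The visitor table is constructed, and the 100-pixel rounding step is an assumed simplification, not Firefox's actual letterboxing bucket sizes.

```javascript
// Constructed sample population (not real traffic). Visitor "h" uses the
// canvas size quoted in the thread (2200x1283); everything else is made up.
const visitors = [
  { id: "a", browser: "Chrome",  w: 1920, h: 969 },
  { id: "b", browser: "Chrome",  w: 1920, h: 969 },
  { id: "c", browser: "Chrome",  w: 1903, h: 947 },  // custom toolbar layout
  { id: "d", browser: "Chrome",  w: 1912, h: 955 },  // sidebar open
  { id: "e", browser: "Chrome",  w: 1536, h: 730 },
  { id: "f", browser: "Chrome",  w: 1528, h: 714 },
  { id: "g", browser: "Chrome",  w: 1920, h: 969 },
  { id: "h", browser: "Firefox", w: 2200, h: 1283 },
  { id: "i", browser: "Chrome",  w: 2240, h: 1290 },
];

// Round a dimension down to a multiple of `step` (assumed stand-in for
// letterboxing; the real bucket sizes are not stated on the page).
function bucket(value, step) {
  return Math.floor(value / step) * step;
}

// Each function maps a visitor to the value a tracker would observe.
const observe = {
  browser: (v) => v.browser,
  rawSize: (v) => `${v.w}x${v.h}`,
  bucketedSize: (v) => `${bucket(v.w, 100)}x${bucket(v.h, 100)}`,
  browserAndBucketedSize: (v) =>
    `${v.browser}|${bucket(v.w, 100)}x${bucket(v.h, 100)}`,
};

// Group visitors by observed value; each group is one anonymity set.
function anonymitySets(population, keyFn) {
  const sets = new Map();
  for (const v of population) {
    const key = keyFn(v);
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(v.id);
  }
  return sets;
}

// Visitors whose anonymity set has size 1, i.e. uniquely identifiable.
function uniqueVisitors(population, keyFn) {
  return [...anonymitySets(population, keyFn).values()]
    .filter((ids) => ids.length === 1)
    .map((ids) => ids[0])
    .sort();
}

// Surprisal in bits of one visitor's observed value: -log2(setSize / N).
function surprisalBits(population, keyFn, id) {
  const sets = anonymitySets(population, keyFn);
  const me = population.find((v) => v.id === id);
  return -Math.log2(sets.get(keyFn(me)).length / population.length);
}

for (const [name, fn] of Object.entries(observe)) {
  console.log(name, "unique:", uniqueVisitors(visitors, fn).join(",") || "none");
}
```

Rounding alone puts every constructed visitor in a shared bucket, but once the browser is observed as well, the lone Firefox user is unique again, which is the point made earlier in the thread about 1 visitor in 100.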
This is a very known issue.
https://news.ycombinator.com/item?id=35742606
https://support.mozilla.org/en-US/kb/firefox-protection-agai...
They are... surprising to me. And as a developer, some of them seem kind of horrible. Altering canvas data, really?