Everyone talks about how evil browser fingerprinting is, and it is, but I don’t get why people are only blaming the companies doing it and not putting equal blame on browsers for letting it happen.
Go to Am I Unique and look at the kind of data browsers let JavaScript access unconditionally with no user prompting. Here’s a selection of ridiculous ones that pretty much no website needs:
- Your operating system (Isn’t the whole damn point of the internet that it’s platform independent?)
- Your CPU architecture (JS runs on the most virtual of virtual environments why the hell does it need to know what processor you have?)
- Your JS interpreter’s version and build ID
- List of plugins you have installed
- List of extensions you have installed
- Your accelerometer and gyroscope (so any website can figure out what you’re doing by analyzing how you move your phone, i.e. running vs walking vs driving vs standing still)
- Your magnetic field sensor AKA the phone’s compass (so websites can figure out which direction you’re facing)
- Your proximity sensor
- Your keyboard layout
- How your mouse moves every moment it’s in the webpage window, including how far you scroll, what bit of text you hovered on or selected, both left and right clicks, etc.
- Everything you type on your keyboard when the window is active. You don’t need to be typing into a text box or anything, you can set a general event listener for keystrokes like you can for the mouse.
If you’re wondering how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways for each device, but websites could just as easily straight up record those sensors without you knowing. It’s not a lot of data all things considered so you likely wouldn’t notice.
Also, canvas and webGL rendering differences are each more than enough to 100% identify your browser instance. Not a bit of effort put into making their results more consistent I guess.
All of these are accessible to any website by default. Actually, there’s not even a way to turn most of these off. WHY?! All of these are niche features that only a tiny fraction of websites need. Browser companies know that fingerprinting is a problem and have done nothing about it. Not even Firefox.
Why is the web, where you’re by far the most likely to execute malicious code, not built on zero trust policies? Let me allow the functionality I need on a per site basis.
Fuck everything about modern websites.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 124 users / day
- 1.05K users / week
- 1.3K users / month
- 4.58K users / 6 months
- 1 subscriber
- 3.85K Posts
- 97.3K Comments
- Modlog
Just tried it. Am I Unique says yes.
Tor still reports your operating system and processor architecture which is dumb as hell. If you’re on Linux for example, that’s probably one of the biggest things making you unique. Why not just make everyone “Windows x64” since that’s the most common?
It also still reports extensions. Apparently it’s definitely possible to tell vanilla Tor and Tails users apart because Tails has uBlock Origin installed by default, and the generally accepted advice is to never install extensions on Tor, one reason being it could make you unique.
Also, apparently the default window size Tor chooses in an attempt to prevent the window size from being used in fingerprinting isn’t all that common, I got 1% and 5% on screen width and height respectively.
Tor doesn’t seem to have WebGL enabled by default so it can’t be used to fingerprint (though having it disabled is unique in itself).
Tor’s canvas data is unique but I’ve heard that it generates a new canvas fingerprint each time you restart it. I don’t know if that’s true or how well it works though.
Tor, like every other browser, also has something called “audio data” that’s a weird graph of numbers without units. No browser I’ve seen has ever not been unique for that category and Tor is no different. I didn’t mention it in the post because I don’t know what it is or if it has a genuine purpose or not.
I didn’t try Tor on my phone but I would hope it would block sensor access?
I suppose it also still has noscript enabled by default (preventing the execution of javascript).
Awesome, thanks for sharing.