OT but anyone else find it ironic that we had multiple articles telling us how Forbes publishes AI generated articles way outside their expertise and still we're seeing Forbes articles regularly on HN?
Like, I know that apparently this one is a personal blog, but why does anyone even set up a blog at Forbes. Sometimes I wonder about this.
And actually, even when knowing it's a personal blog and me being serious, I cannot really take it seriously anymore when seeing the Forbes URL. I am more inclined to skip chapters, to look for AI slop, and to not take the views of the author as independent. Not consciously, but subconsciously.
I don't even bother clicking on Forbes links anymore. Opinion pieces are fine but it seems like Forbes is entirely being used for the legacy of its name to make random blogs sound authoritative and respectable.
>“also giving people the privacy protections they expect.”
My expectation is you don't fucking store any data about me to be used for advertisements/AI/etc and everything is opt-in, period. Where is that option?
I'm so done with the advertising industry. They will keep trying to follow us. Not even because it works, but because it's Google's and the other companies' moat. Only with their pervasive tracking networks can they sell tracked ads.
If there was no tracking, anonymous content sensitive ads would be more popular and thus valuable.
Unfortunately even Mozilla is now trying to appease advertisers with their PPA initiative. I don't want purchases to be attributed.
I will continue blocking all ads forever and circumventing them in other ways possible (like pirating content and using paywall blockers). I'm done trying to fix the system.
The site you're talking to can still read your data, but most third party sites can be cut off. Privacy Badger will let you block Google Tag Manager, and while it warns you that some sites will break, few do.
I don't think there's a universal answer there, it would depend on how accurately they can fingerprint you without GTM. Blocking it does remove an identifier that would make it easier, but blocking it is also a piece of data that could feed into the fingerprinting algorithm.
It would be interesting to purposely feed a bogus GTM cookie though. It might actually throw their tracking and fingerprinting off if somehow you were able to send random GTM tags on every request.
It's not clear to me how much this will help; but based on how tags work, it seems like it should help at least somewhat. I use Privacy Badger on both Firefox on PC and Android and haven't run into any sites that break, other than maybe something like Ticketmaster? I'm sure it makes less of a difference on an Android device, where Google has other hooks to track me, but any little bit helps.
- nowadays (iirc) you can serve/proxy those scripts via your own domain (to circumvent ad blocker blocklists)
- there are limitations re the number of blocking rules in Manifest V3
It’s cat and mouse at this stage, we’re getting to the point where blocking ads will be as hard/annoying as, say, installing 3rd party apps on your iPhone. Too much of a hassle even for fairly techie users
> there are limitations re the number of blocking rules in Manifest V3
Use Firefox. uBlock Origin on Firefox also gets around CNAME cloaking, which makes advertiser domains appear to be first party; Chrome does not give extensions sufficient access to do that.
It doesn't get around actually serving these endpoints mixed directly in with first party endpoints, but these are a hard sell on the advertising side too, from the technical effort for the publisher to implement it to the advertisers' reluctance to trust the stats when the publisher gets to be the man in the middle.
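The "CNAME cloaking" the comment above refers to is a tracker endpoint such as metrics.example.com whose DNS CNAME points at a third-party tracking host, so that to a cookie- or hostname-based blocker it looks first party. The following is an added example, not uBlock Origin's code: it reimplements only the decision uBlock Origin makes once the browser has resolved the CNAME chain (is the final target's registrable domain different from the page's, and is it a known tracker?), on constructed CNAME records so that it runs offline. The registrable-domain helper uses a tiny hand-written suffix set in place of the Public Suffix List, which is an assumption for the demo.

```python
"""Detect CNAME-cloaked third-party requests from a resolved CNAME chain.

Added example (not uBlock Origin's implementation). The DNS data and tracker
list below are constructed for the demo.
"""
from typing import Dict, List, Set

# Assumption: a minimal stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed CNAME records, as a stub resolver would return them.
CNAME_RECORDS: Dict[str, str] = {
    "www.example.co.uk": "example.co.uk",
    "metrics.example.co.uk": "example.tracker-vendor.net",   # cloaked tracker
    "cdn.example.co.uk": "example-co-uk.cdn-provider.com",   # ordinary CDN
}

# Constructed tracker list (stands in for a filter list's CNAME-uncloaking rules).
TRACKER_DOMAINS: Set[str] = {"tracker-vendor.net"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname using the toy suffix set above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def resolve_cname_chain(host: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs like a resolver does; stop on a loop or after max_hops."""
    chain = [host.lower().rstrip(".")]
    seen = set(chain)
    while chain[-1] in records and len(chain) <= max_hops:
        nxt = records[chain[-1]].lower().rstrip(".")
        if nxt in seen:
            break  # CNAME loop; refuse to spin
        chain.append(nxt)
        seen.add(nxt)
    return chain


def classify_request(page_host: str, request_host: str,
                     records: Dict[str, str], trackers: Set[str]) -> dict:
    """Label a request as first-party, plain third-party, or CNAME-cloaked.

    A cloaked request looks first party by hostname but its CNAME chain ends
    in another registrable domain. Whether to block it is a second decision:
    CDNs produce the same pattern, so blocklist membership is reported too.
    """
    page_rd = registrable_domain(page_host)
    chain = resolve_cname_chain(request_host, records)
    final_rd = registrable_domain(chain[-1])
    if registrable_domain(request_host) != page_rd:
        party = "third-party"
    elif final_rd != page_rd:
        party = "cname-cloaked"
    else:
        party = "first-party"
    return {"party": party, "chain": chain, "known_tracker": final_rd in trackers}


if __name__ == "__main__":
    for req in ("www.example.co.uk", "metrics.example.co.uk",
                "cdn.example.co.uk", "ads.tracker-vendor.net"):
        print(req, classify_request("www.example.co.uk", req, CNAME_RECORDS, TRACKER_DOMAINS))
```

The cdn.example.co.uk case is why a blocker keys on a tracker list rather than blocking every uncloaked chain: a legitimate CDN is indistinguishable from a tracker by DNS shape alone, so the list membership, not the chain, decides.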
Manifest V3 can even work with unlimited blocking rules and in-page content blocking. Firefox' implementation of it does that. So yeah the fact that Google doesn't makes it very deliberate.
I wonder if at this point an AI-based ad blocker that would actually look at the DOM, or maybe even the image, would be viable.
Obviously, this requires significantly more resources. But it feels like a more productive use of the hardware power that we already have, compared to the most recent Electron monstrosity.
(And yes, this is all kinda silly in a sense that it's an insane amount of effort and resources to spend on, basically, blocking unwanted shouting. Obviously the long-term sustainable option is to just kill ads altogether.)
Which is, depending on your perspective, either terrifying or just stupid.
Right now anti-fingerprinting security is not very high on anyone's minds, but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
It's sort of like the wholesale elimination of privacy as a concept, you might say.
But hence the stupidity! It's too bold a move not to elicit a reaction from developers and users (who have the power to discover just how many bits of information they are leaking about themselves using tools like https://pbtest.org/).
So on one hand I can have websites that offer richer functionality by being aware of my time zone and locally installed fonts, or on the other hand I can have privacy. Hmm, which is worth more?
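The "bits of information" mentioned a few comments up is the Panopticlick-style measure that sites like pbtest.org report: a value shared by a fraction p of visitors reveals -log2(p) bits, and an attribute's entropy is the average of that over its values. The block below is an added example, not code from the thread or from pbtest.org, computing those numbers over a constructed population of eight fake visitors. It also shows two points raised above: that a visible blocker (here a boolean "GTM blocked" attribute, as in the Privacy Badger discussion) is itself an attribute that can add bits, and that normalizing an attribute to one value for everyone, the Tor Browser approach, drives its entropy to zero. The independence assumption in visitor_surprisal is an upper bound, since real attributes correlate.

```python
"""Measure how many identifying bits browser attributes leak (toy population).

Added example; the eight visitor records are constructed, not measurements.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence

# Constructed sample: one dict per visitor, attributes as a site could observe them.
SAMPLE: List[Dict] = [
    {"tz": "Europe/Brussels", "lang": "nl", "fonts": 212, "gtm_blocked": False},
    {"tz": "Europe/Brussels", "lang": "nl", "fonts": 212, "gtm_blocked": False},
    {"tz": "Europe/Brussels", "lang": "fr", "fonts": 212, "gtm_blocked": False},
    {"tz": "Europe/Brussels", "lang": "fr", "fonts": 198, "gtm_blocked": False},
    {"tz": "Europe/Paris",    "lang": "fr", "fonts": 198, "gtm_blocked": False},
    {"tz": "Europe/Paris",    "lang": "fr", "fonts": 198, "gtm_blocked": False},
    {"tz": "Europe/Paris",    "lang": "en", "fonts": 305, "gtm_blocked": True},
    {"tz": "Europe/Berlin",   "lang": "en", "fonts": 305, "gtm_blocked": False},
]


def surprisal_bits(p: float) -> float:
    """Information revealed by observing a value shared by fraction p of visitors."""
    return -math.log2(p)


def attribute_entropy(records: Sequence[Dict], attr: str) -> float:
    """Expected surprisal of one attribute over the population (Shannon entropy)."""
    n = len(records)
    counts = Counter(r[attr] for r in records)
    return sum((c / n) * surprisal_bits(c / n) for c in counts.values())


def visitor_surprisal(records: Sequence[Dict], attrs: Sequence[str], visitor: Dict) -> float:
    """Bits this visitor reveals, summing per-attribute surprisal.

    Treats attributes as independent, so this is an upper bound.
    """
    n = len(records)
    total = 0.0
    for a in attrs:
        p = sum(1 for r in records if r[a] == visitor[a]) / n
        total += surprisal_bits(p)
    return total


def unique_fraction(records: Sequence[Dict], attrs: Sequence[str]) -> float:
    """Share of visitors whose combined attribute tuple is unique in the sample."""
    key = lambda r: tuple(r[a] for a in attrs)
    tuples = Counter(key(r) for r in records)
    return sum(1 for r in records if tuples[key(r)] == 1) / len(records)


def normalized(records: Sequence[Dict], attr: str, value) -> List[Dict]:
    """Model the Tor Browser mitigation: every visitor reports the same value."""
    return [{**r, attr: value} for r in records]


if __name__ == "__main__":
    attrs = ["tz", "lang", "fonts"]
    print("tz entropy (bits):", round(attribute_entropy(SAMPLE, "tz"), 3))
    print("visitor 6 without blocker attr:", round(visitor_surprisal(SAMPLE, attrs, SAMPLE[6]), 3))
    print("visitor 6 with blocker attr:",
          round(visitor_surprisal(SAMPLE, attrs + ["gtm_blocked"], SAMPLE[6]), 3))
    print("unique share, all attrs:", unique_fraction(SAMPLE, attrs + ["gtm_blocked"]))
    print("tz entropy after normalizing:", attribute_entropy(normalized(SAMPLE, "tz", "UTC"), "tz"))
```

In this toy population the lone visitor who blocks GTM gains 3 bits from that fact alone (1 in 8 is log2(8)), which is the trade-off the Privacy Badger discussion hints at: a blocker removes a tracker's identifier but, if rare, becomes a signal itself. The mitigation that scales is the last line, making everyone look alike.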
> but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
I'm honestly curious, if you don't mind clarifying a bit more. How do your digital fingerprints follow you everywhere without your being able to erase them? This thread goes into device fingerprinting, but if one rigorously changes devices and certain use/account practices, how can they still be tracked so totally?
> if one rigorously changes devices and certain use/account practices
Your account practices will need to include only using an account on one device. Every time you use an account that identifies you on a device, that device can be associated to you; at that point its fingerprint is your fingerprint. Rotating devices faster just adds more devices to your identity.
TIL about Web Audio, an API that allows any web page to find out about the user's sound setup (e.g. channel count and some kind of transfer function of the audio subsystem?) despite there being no legitimate purpose for that.
> Your browser fingerprint appears to be unique among the 183,020 tested in the past 45 days.
Damn how is this possible when I'm using a stock iPhone? I look at the characteristics and apart from timezone and language, how can they tell the same model iPhone apart?
Tor browser asks you if you want to allow fingerprinting or not when a site attempts to query your HW info. Not sure why other browsers can't do the same.
This isn't new. Most advertising companies have had some sort of "Cross device targeting" or "household targeting" solution for going on almost a decade now. It's also why the suggestion of "repeal GDPR, just use cookie blockers" is so misguided.
Google's philosophy seems to be that intrusive tracking and behavioral advertising are OK as long as they only happen on the user's device.
The result is a worst-of-both-worlds: To an end user, it will still feel as if you're being tracked, with ads following you around, etc, but no worries, your privacy is safe because the advertiser doesn't have access to the data...
We have kernel level anti cheat systems for games. So how about kernel level anti tracking?
Browsers use system calls to provide the information used for fingerprinting the device, so why not intercept these calls and lie. Have all users present an identical fingerprint and we're back to pre-Google times. Yes, we lose some important functionality, but maybe it's a price worth paying?
Never mind the other elephants in the room that do worse than track your browsing habits...
This page only works on digitally signed supported operating systems. Please consider migrating to a supported system by Microsoft, Apple or an Android device officially supported by Google.
It's more complicated than that. You can use subtle differences in hardware and GPU rendering so that syscalls aren't even relevant. And you can never really prevent timing attacks, because you can just use a network request to get the current time from the server.
I've been wondering how hard it would be to make a completely fingerprint-proof browser.
One idea would be to run it in a deterministic emulator. All machine code instructions would be guaranteed to take exactly the same amount of time to execute on every machine, as far as is observable to the browser, and threads would be scheduled in the same order every time. Zero access to the host system through fonts, WebGL etc.
This would mean a massive performance penalty, but modern computers are fast enough that it might be usable for many sites. You could have a small number of discrete speed tiers, where you use the fastest tier that your computer is capable of.
I first read it as a joke, but come to think of it...this would be actually quite awesome for malware isolation and sandboxing. Giving software/apps different fake profiles that look like different identities on the filesystem would be quite the feature.
You would have to have some kind of launcher where you can select the isolated chroot/sandbox you want to run that specific program in.
Implementation-wise this could actually be done with eBPF, as most if not all syscalls can be intercepted and "farbled" (Brave's terminology) there. Features-wise this would probably be a separate filesystem for each program context, plus the things that firejail implements in userspace. Shared libraries would have to be loaded separately into memory, and glibc would have to be changed to not use any environment variables or debugging related function calls.
This is what the Tor Browser is designed to do, and it does it very well (all in userspace no less). The main drawback is that some sites don't render as nicely and occasionally a site simply doesn't work.
The most important anti-tracking feature Tor has other than IP masking is disabling JavaScript by default. That's a complete non-starter for the modern web.
The outcome will be that many sites simply refuse to work on any browser that does this. Users will blame the browser for not working and switch to one that is supported. Most people are happy to trade their privacy for convenience - especially since most people don't even realize they are doing it.
So, if I use a device that doesn’t support tracking, and they track it anyway, how do they get it to present the “do not sell my personal information” button?
Also, are there any decent plugins that block all of google instead of just the ads? I imagine they’d need to MITM static font assets, etc.
I also wonder if / when this means Google will start fingerprinting and tracking tenants’ customers on GCP.
What I think is one thing that would be helpful is the ability to define unencrypted proxies for encrypted connections (which is especially useful if the proxy is on the same computer), where the browser does not encrypt the request being sent to the proxy and does not expect an encrypted response; so that the encryption with the server will be handled by the proxy instead. This will save power, as well as allow blocking without needing to encrypt and decrypt the data twice.
Presumably you set your router to intercept all UDP/53 traffic, but remember the whole point of DoH is to prevent that and ensure nothing gets between the advertising surface and the advert source.
This works until you start living with someone who gets frustrated by things like sponsored results not working (completely fair, because they are often highly relevant).
I came back home to my parents' house this Christmas and my parents and my brother complained to me that the Google sponsored links don't work anymore (because I've set their DNS to an adblock DNS).
I couldn't believe what they were saying. Their words didn't make sense to me. I ended up removing all adblock- and privacy-related settings in our router - it felt like a defeat.
You can set blocking per-device. I have strict blocking for my own devices, super-heavy blocking for IoT and other untrusted devices, and a lighter blocking as default. If they complain, I can disable blocking for them, or even set up a guest VLAN.
I believe Mozilla's funding comes from the search team at Google, not the browser team. (It's nominally compensation for including Google as the default search engine.) If anything, I'd be more concerned about Chrome, since it might be difficult for Google Search to fund Google Chrome to its current levels without raising arm's-length concerns (i.e. "is this a bona fide payment for services rendered?").
Good, as long as Chrome has such an overwhelming marketshare, reducing its funding sounds like a good idea. The companies that build on Chrome can contribute to the funding to keep Chrome alive.
So Google's value proposition is to be the central tracking authority that knows who you are and enforces compliance on the advertising industry by keeping your name secret but letting advertisers know that: person x did this and then did that?
I have a script which runs a random browser in incognito mode with a random user agent and a random search website every time I click a shortcut. Then another script changes the DOH dns setting for my connection every hour. Next up I will set a socks proxy setting on each browser via command line params to a ssh connection located in Europe. Oh and I also change my computer name on every logon and have random hw address enabled.
https://archive.ph/6TmKa
A few weeks ago, I was using my mother's PC. Google was erroneously in French, and no language chooser available. So I checked. Firefox sent an HTTP header with a Dutch preference. She was logged in with her Google account, which had a Dutch language preference. Some geolocation providers put her in Dutch speaking cities of Belgium. Still, the Google Algorithm had decided she would speak French. Plenty of other sites make similar errors, especially the biggest ones.
So I wonder: Why are we sending out all this info? Fingerprinting is the only actual use. The number of sites using it as it should is minimal. Let's just stop giving it. They don't need a list of audio or video devices. They don't need my installed fonts. They don't believe my language settings when I whack them over the head with it. Let's just fill in defaults everywhere. Maybe provide a whitelist for legitimate sites.
Sites preferring geolocation over Accept-Language as a means of picking the language is one of my pet peeves. Preferring geolocation over a logged in user's stored setting is beyond absurd.
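For reference, the precedence the comment above argues for is easy to implement server side. The following is an added example, not code from the thread or from any of the sites discussed: it parses an Accept-Language header by the RFC 9110 "tag;q=weight" syntax, then picks a UI language in the order stored account setting, Accept-Language, IP-geolocation guess, site default. The supported-language lists and sample headers in it are constructed; the scenario in the demo is the Dutch/French one from the opening comment.

```python
"""Language negotiation that honours explicit user signals before geolocation.

Added example (not from the thread). Parsing follows RFC 9110 section 12.5.4;
a malformed item is skipped rather than turned into a wrong language.
"""
import re
from typing import Iterable, List, Optional, Tuple

# One Accept-Language item: a language tag (or "*") with an optional ;q=weight.
_LANG_ITEM = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)"
    r"\s*(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?\s*$"
)


def parse_accept_language(header: Optional[str]) -> List[Tuple[str, float]]:
    """Return (tag, q) pairs, highest q first, header order for ties.

    Items that do not parse are dropped, as are q=0 items ("not acceptable").
    """
    if not header:
        return []
    items = []
    for pos, raw in enumerate(header.split(",")):
        m = _LANG_ITEM.match(raw)
        if not m:
            continue
        tag, q = m.group(1).lower(), m.group(2)
        weight = float(q) if q is not None else 1.0
        if weight > 0:
            items.append((tag, weight, pos))
    items.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, weight) for tag, weight, _ in items]


def _match(tag: str, supported: Iterable[str]) -> Optional[str]:
    """Exact match first, then primary-subtag match (fr-CA -> fr), else None."""
    supported_l = [s.lower() for s in supported]
    if tag in supported_l:
        return tag
    primary = tag.split("-")[0]
    for s in supported_l:
        if s.split("-")[0] == primary:
            return s
    return None


def negotiate_language(supported, stored_pref=None, accept_language=None, geo_default=None):
    """Choose a UI language, most explicit signal first.

    1. the logged-in user's stored setting,
    2. the browser's Accept-Language header,
    3. an IP-geolocation guess, and only then
    4. the site's first supported language.
    """
    if stored_pref:
        hit = _match(stored_pref.lower(), supported)
        if hit:
            return hit
    for tag, _q in parse_accept_language(accept_language):
        if tag == "*":
            break  # "anything" carries no preference; fall through to the geo guess
        hit = _match(tag, supported)
        if hit:
            return hit
    if geo_default:
        hit = _match(geo_default.lower(), supported)
        if hit:
            return hit
    return list(supported)[0].lower()


if __name__ == "__main__":
    # The opening comment's situation: Dutch account setting, Dutch
    # Accept-Language, geolocation guessing French. Constructed inputs.
    print(negotiate_language(["nl", "fr", "en"], stored_pref="nl",
                             accept_language="nl,en;q=0.8", geo_default="fr"))
```

Geolocation is consulted only when the user has said nothing usable, which is also the only case in which it adds information rather than overriding it.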
There's a trend in commercial software where folks keep adding epicycles on epicycles, often based on barely stat-sig wins in A/B tests, to the point of systems becoming completely impenetrable. I bet this was a result of that.
With weirdly sticky behavior too once you’ve left that area. My Google sign in prompt was in Italian for over a decade after logging in there once on a family vacation. Only with the latest login revamp did that setting finally get purged. Everything else was always English, profile set to English etc.
I’ve just had an issue where my google searches were stuck defaulting to Sydney, Australia after being there for one week.
This was so annoying when visiting Poland recently. I don't speak Polish.
Even after setting my preferred language on my Google account, Google Search was still speaking Polish to me.
Ha, I even started to receive spam mail in Polish (kind of "we got your webcam, give us money"). They're clearly using the collected data and are subject to the same problems.
Wait, how would that work for scammers?
Scammers can also buy aggregate information, just like advertisers
Prime video is amazing for this; in Germany but only dubs available? Admit defeat that the orig audio is somehow not available but not even English subtitles?!
Same in Spain. Often only the Spanish dubbed audio is available making the content useless to me.
With the increase in ads on streaming platforms I've just reverted back to piracy. The enshittification has gone too far.
With video I think that it’s sometimes a licensing thing. As in, the streaming service licenses subtitles from a third party and the rights are limited to specific countries.
That's a weird one. It's common for people to prefer the original audio, and most Germans understand English.
Germany has a very strong culture of dubbing essentially everything. Just finding any showing of a film in its original language at a cinema is very difficult outside of major cities for example.
Same in the Netherlands. It gave me everything in Dutch, even after I logged in.
And geolocation is often wrong. Half of IP locators locate my VPS in one country, a quarter in another country, 1000 miles away, and another quarter in a third country, 1000 miles away from the first two.
Yeah I live in Spain but don't speak the language so well. It's super frustrating when I get redirected to Spanish versions of sites. Sometimes they even redirect me back to Spanish after I deliberately choose English.
Agreed. I live in Finland, but my preferred language is English. Many many sites send me Finnish by default, although Google directions will always be in Swedish.
I seem to have to "change results to English" on Google searches at least once a week when it forgets which language I've set up and used for the past ten years!
If you set the language to something that isn't the default anywhere, and isn't standard for your country (so for you, English followed by Danish would do) Google seems to respect the preference.
But you add a lot of entropy to the privacy violators.
Now that google is offering translated Reddit posts my flow on my iPhone when I google something is
Google -> Reddit -> open translated post in app -> share in app with browser again -> click on show original.
I’ve never ever let any involved websites actually use my native language. Neither Google nor Reddit.
When you think that 90% of browsing devices are phones or laptops… beyond any possible comprehension
One time, I set a self-checkout machine to French to immerse myself in French training in Canada. This happened to set the payment terminal to French as well, which must have set a bit in the on-card chip.
Now, all my pay-at-the-pump interactions at gas stations are all in French. A website I was purchasing from flipped to French when I entered my card info. There were a few surprise interactions where my language preference was clearly derived from my bank card setting.
I’m just hoping that being classed as bilingual is doing wonders for my “social” score at some clandestine data clearinghouse.
A while ago a LinkedIn request from a Chinese person hit my inbox. I reluctantly pressed Accept Connection (in the email) only to find out that my LinkedIn language setting had changed to Chinese.
Now, I don't speak or read Chinese and couldn't immediately find a way to change the setting back to English. Could probably find it on the internet but .. Oh well, I don't really use LinkedIn so it's just stayed that way now.
Funny, my friend in Wallonia complains about the opposite, he wants Google in French and gets it in Dutch.
Yes. The browser innocently gives away tons of information for surveillance capitalism corporations to leech.
It is as if the web and browser developers lived in an innocent world.
The largest browser is owned by a surveillance firm
Why anyone would use Chrome blows my mind a bit. Brave is a superior browser in every single aspect of a browser and as of rn - you do not see ads on the Internet.
It's such a no brainer, I can't comprehend it.
Brave is still Chrome, you’re just kidding yourself.
Are you OK with Brave using Chromium as their base?
I still see stuff in Spanish on my phone and have not yet figured out how to reset it. Talking about Google updates like calendar, weather
> Why are we sending out all this info.
You are generalizing. Google and big providers do that, usually (US) services that need to cater to the whole world. But a huge part of the normal web still uses and _needs_ preferred language. No one wants to be forced to use geolocation.
Just one very common example are info pages for sightseeing, they are usually available in all languages that people commonly visit from and just work if you browse to them. Not to mention that geolocation would be useless anyway in that case.
It would be nice if Google actually used the preferred language. They don't give a shit. I'm still getting maps and other stuff in local language based on IP.
This is one of the main reasons why I use (and pay) for another search engine than Google. It just keeps translating everything it can to the country I’m connecting from. Even results from Reddit go to an automatically translated page.
Google is really bad at handling multilingual users, or even just users that don’t want to use the language of the place they connect from. Now by default Youtube even translates the audio automatically, it’s unbearable.
And I have declared the languages I speak in my Google profile. It doesn’t seem to matter.
This article doesn’t explain what change Google is supposed to be making and they don’t link to anything that explains it either. (There is a link to what seems to be to a policy change for the ads platform.) Does anyone know what they’re talking about?
Read it more carefully (it is easy to miss). They’re going to start using and allowing third party device fingerprinting throughout their ad ecosystem.
This is obviously illegal in Europe, the UK and California (no consent), and an unnamed regulator warns that it intends to take action.
Since it’s a policy that Google’s advertisers have to agree to, it seems like it’s silent on whatever Google might do themselves?
(Yes, that’s contrary to the headline. That’s why I find it confusing.)
Current "Platforms program policies": https://support.google.com/platformspolicy/answer/3013851
> You must not use device fingerprints...
Compare to the update: https://support.google.com/platformspolicy/answer/15738904
[no mention of device fingerprints]
> The changes... [are] less prescriptive with partners in how they target and measure ads.
Combined with another news story [0] it sure feels like Google is switching from trying to comply with regulation & instead doing what they want with a "Well what are you going to do about it?" attitude.
Regulators really need to cut them down to size. Was bad enough during anti-trust era in the US...now we're dealing with multinational entities the size of countries. Can't let that get out of hand or we'll end up living under corporations not governments.
[0] https://news.ycombinator.com/item?id=42482509
> it sure feels like google is switching from trying to comply with regulation & instead doing what they want with a "Well what are you going to do about it?" attitude.
I got one link for ya buddy.
https://x.com/sundarpichai/status/1854207788290850888
Congress creates, empowers and funds regulatory bodies based on the demands of the people (voters, lobbyists). You either grant licenses to operate within a framework or you have to follow people around scooping up shit and work through the legal system as enforcement mechanisms.
Big tech or big business very much prefers the scoop shit and fight it out in court method as it gives them a huge advantage.
Every browser information leak that can contribute to fingerprinting needs to be plainly considered a security vulnerability in need of fixing/mitigation, period. This class of vulnerabilities has continued to get a huge pass, only being taken seriously by projects like TOR browser and then still only the convenient fixes getting backported.
I do realize this is a tall ask, as many of these vulnerabilities arise from standards promulgated by the surveillance industry itself (chiefly Google, of course), and so are not easily mitigated. For example font lists and ask-to-use-microphone are straightforward to fix for general web browsing, whereas the fix for browser viewport size requires some kind of thoughtful design that subsumes the old model.
In general I'd say that browsers (or at least their operating modes) need to start differentiating into different things for the open [season] web versus app runtimes, so that vulnerability mitigations can be stronger for the open [season] web and sidestep complaints that it disrupts legitimate apps. Of course the two modes need to be indistinguishable by websites, lest every two-bit xitter-summarizing "news" site insists that it's some special snowflake needing app functionality to run its surveillance code.
Also since I'm apparently writing my Christmas list, we desperately need widespread privacy laws in the US. If you want a "value add" feature of your product to be shoving ads in people's faces, fine - people at least get immediate and actionable feedback from that. But persistent tracking supported by pervasive surveillance is completely at odds with individual liberty. And taking away the largest consumer surveillance market would mean much less being invested in new ways to attack users.
OT but anyone else finds it ironic that we had multiple articles telling us how Forbes publishes AI generated articles way outside their expertise and still we're seeing Forbes articles regularly on HN?
Like, I know that apparently this one is a personal blog, but why does anyone even set up a blog at Forbes. Sometimes I wonder about this.
And actually, even when knowing it's a personal blog and me a serious, I cannot really take it seriously anymore when seeing the Forbes URL. I am more inclined to skip chapters, to look for AI slop, and to not take the views of the author as independent. Not consciously, but subconsciously.
I don't even bother clicking on Forbes links anymore. Opinion pieces are fine but it seems like Forbes is entirely being used for the legacy of its name to make random blogs sound authoritative and respectable.
>“also giving people the privacy protections they expect.”
My expectation is you don't fucking store any data about me to be used for advertisements/AI/etc and everything is opt-in, period. Where is that option?
"We will tell you what to expect, and you will like it."
I'm so done with the advertising industry. They will keep trying to follow us. Not even because it works, but because it's Google's and the other companies' moat. Only with their pervasive tracking networks can they sell tracked ads.
If there was no tracking, anonymous content-sensitive ads would be more popular and thus valuable.
Unfortunately even Mozilla is now trying to appease advertisers with their PPA initiative. I don't want purchases to be attributed.
I will continue blocking all ads forever and circumventing them in other ways possible (like pirating content and using paywall blockers). I'm done trying to fix the system.
https://archive.ph/6TmKa
I wish HN would support creating snapshots on some sites by default
I'm tired of the constant attacks on our privacy and sovereignty. Be it technical or political
Does blocking Google Tag Manager help?
The site you're talking to can still read your data, but most third party sites can be cut off. Privacy Badger will let you block Google Tag Manager, and while it warns you that some sites will break, few do.
I don't think there's a universal answer there, it would depend on how accurately they can fingerprint you without GTM. Blocking it does remove an identifier that would make it easier, but blocking it is also a piece of data that could feed into the fingerprinting algorithm.
It would be interesting to purposely feed a bogus GTM cookie though. It might actually throw their tracking and fingerprinting off if somehow you were able to send random GTM tags on every request.
It's not clear to me how much this will help; but based on how tags work, it seems like it should help at least somewhat. I use Privacy Badger on both Firefox on PC and Android and haven't run into any sites that break, other than maybe something like Ticketmaster? I'm sure it makes less of a difference on an Android device, where Google has other hooks to track me, but any little bit helps.
Adblocking google's ad ecosystem so the third-party scripts don't load in the first place should still fix this, if I read it right?
This is getting trickier:
- nowadays (iirc) you can serve/proxy those scripts via your own domain (to circumvent ad blocker blocklists)
- there are limitations re the number of blocking rules in Manifest V3
It’s cat and mouse at this stage, we’re getting to the point where blocking ads will be as hard/annoying as, say, installing 3rd party apps on your iPhone. Too much of a hassle even for fairly techie users
> there are limitations re the number of blocking rules in Manifest V3
Use Firefox. uBlock Origin on Firefox also gets around CNAME cloaking to make advertiser domains appear as first party, which Chrome does not give sufficient access to do.
It doesn't get around actually serving these endpoints mixed directly in with first party endpoints, but these are a hard sell on the advertising side too, from the technical effort from the publisher to implement it to the advertisers reluctance to trust the stats when the publisher gets to be the man in the middle.
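The CNAME-cloaking check described in the comment above, as an added illustration (not uBlock Origin's own code): a request to what looks like a first-party subdomain is followed through its CNAME chain before the blocklist is consulted. The DNS records, hostnames and blocklist entries here are constructed for the example; a real implementation would query a resolver instead of a lookup table.

```python
from typing import Dict, List, Tuple

# Constructed CNAME records standing in for resolver answers (hypothetical
# names; a real check would query DNS instead of this table).
CONSTRUCTED_CNAME_RECORDS: Dict[str, str] = {
    "metrics.example-publisher.test": "pub-example.tracker-cdn.test",
    "pub-example.tracker-cdn.test": "edge.tracker-cdn.test",
    "static.example-publisher.test": "cdn.example-publisher.test",
}

# Constructed blocklist of tracker apex domains.
TRACKER_DOMAINS = {"tracker-cdn.test"}


def is_same_site(page_host: str, request_host: str) -> bool:
    """What a naive first-party check sees: the request host is the page
    host or one of its subdomains."""
    return request_host == page_host or request_host.endswith("." + page_host)


def resolve_cname_chain(name: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs starting at `name`; returns the whole chain, `name` first.
    Stops on a loop or after `max_hops` aliases."""
    chain = [name]
    seen = {name}
    current = name
    while current in records and len(chain) <= max_hops:
        nxt = records[current]
        if nxt in seen:  # CNAME loop: stop rather than spin forever
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


def in_blocklist(hostname: str, blocklist) -> bool:
    """Match the hostname itself or any parent domain against the blocklist."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify_request(page_host: str, request_host: str,
                     records: Dict[str, str], blocklist) -> Tuple[str, str]:
    """Decide whether a request is blocked, uncloaking CNAMEs before the
    first-party/third-party question is even asked."""
    for hop in resolve_cname_chain(request_host, records):
        if in_blocklist(hop, blocklist):
            if hop == request_host:
                return ("block", "hostname is on the blocklist")
            return ("block", f"cname-cloaked: {request_host} -> {hop}")
    if is_same_site(page_host, request_host):
        return ("allow", "first-party, no tracker in CNAME chain")
    return ("allow", "third-party but not on the blocklist")


if __name__ == "__main__":
    for host in ("metrics.example-publisher.test", "static.example-publisher.test"):
        print(host, classify_request("example-publisher.test", host,
                                     CONSTRUCTED_CNAME_RECORDS, TRACKER_DOMAINS))
```

The point of the `is_same_site` helper is to show where a blocker without CNAME access goes wrong: `metrics.example-publisher.test` passes that test, and only the resolved chain reveals the tracker behind it.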
> limitations re the number of blocking rules in Manifest V3
Which of course was the whole purpose of Google pushing for this v3: to benefit ads and hurt users.
Manifest V3 can even work with unlimited blocking rules and in-page content blocking. Firefox's implementation of it does that. So yeah, the fact that Google's doesn't makes it very deliberate.
I wonder if at this point an AI-based ad blocker that would actually look at the DOM, or maybe even the image, would be viable.
Obviously, this requires significantly more resources. But it feels like a more productive use of the hardware power that we already have, compared to the most recent Electron monstrosity.
An AI ad blocker could mute embedded ads and cover them with interest information you want to learn.
Hehe, so I made a (semi) serious project in a similar vein some time ago actually:
https://butter.sonnet.io
(Because you deserve butter.)
Very nice.
(And yes, this is all kinda silly in a sense that it's an insane amount of effort and resources to spend on, basically, blocking unwanted shouting. Obviously the long-term sustainable option is to just kill ads altogether.)
> Google Starts Tracking All Your Devices in 8 Weeks
Those "journalists" were living in a bubble? Google (and Facebook, and Apple, and Microsoft) have been tracking our devices for years.
The article is about Google's new focus on tracking users via device fingerprint, instead of (primarily) via cookies.
Which is, depending on your perspective, either terrifying or just stupid.
Right now anti-fingerprinting security is not very high on anyone's minds, but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
It's sort of like the wholesale elimination of privacy as a concept, you might say.
But hence the stupidity! It's too bold a move not to elicit a reaction from developers and users (who have the power to discover just how many bits of information they are leaking about themselves using tools like https://pbtest.org/).
So on one hand I can have websites that offer richer functionality by being aware of my time zone and locally installed fonts, or on the other hand I can have privacy. Hmm, which is worth more?
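What "how many bits of information they are leaking" means in practice, as an added example (not code from pbtest.org or any tool the thread links): each attribute's surprisal is -log2 of the fraction of visitors sharing its value, and the full combination is measured directly rather than by summing per-attribute bits, since attributes such as timezone and language are correlated. The eight visitors below are constructed sample data, not measurements from any real service.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of eight visitors' fingerprint attributes (made-up values).
CONSTRUCTED_VISITORS: List[Dict[str, str]] = [
    {"timezone": "Europe/Brussels", "language": "nl-BE", "screen": "1920x1080"},
    {"timezone": "Europe/Brussels", "language": "fr-BE", "screen": "1920x1080"},
    {"timezone": "Europe/Brussels", "language": "nl-BE", "screen": "1366x768"},
    {"timezone": "Europe/Brussels", "language": "fr-BE", "screen": "1366x768"},
    {"timezone": "Europe/Paris",    "language": "fr-FR", "screen": "1920x1080"},
    {"timezone": "Europe/Paris",    "language": "fr-FR", "screen": "1366x768"},
    {"timezone": "Europe/Berlin",   "language": "de-DE", "screen": "1920x1080"},
    {"timezone": "Europe/Berlin",   "language": "de-DE", "screen": "2560x1440"},
]


def attribute_bits(visitors: List[Dict[str, str]], attr: str, value: str) -> float:
    """Surprisal in bits of seeing `value` for one attribute: -log2(fraction of
    visitors sharing it). A value nobody in the sample has is treated as rarer
    than any seen one (one in n+1) so the estimate stays finite."""
    counts = Counter(v[attr] for v in visitors)
    n = len(visitors)
    p = counts[value] / n if counts[value] else 1 / (n + 1)
    return -math.log2(p)


def combined_bits(visitors: List[Dict[str, str]], fingerprint: Dict[str, str]) -> Tuple[float, int]:
    """Bits carried by the whole attribute combination, measured on the sample
    rather than by summing per-attribute surprisals. Returns (bits, matches)."""
    matches = sum(1 for v in visitors
                  if all(v.get(k) == val for k, val in fingerprint.items()))
    n = len(visitors)
    p = matches / n if matches else 1 / (n + 1)
    return -math.log2(p), matches


def bits_to_single_out(population: int) -> float:
    """Bits needed to pick one visitor out of `population`: log2(population)."""
    return math.log2(population)


if __name__ == "__main__":
    me = {"timezone": "Europe/Brussels", "language": "nl-BE", "screen": "1920x1080"}
    for attr, value in me.items():
        print(f"{attr}={value}: {attribute_bits(CONSTRUCTED_VISITORS, attr, value):.2f} bits")
    bits, matches = combined_bits(CONSTRUCTED_VISITORS, me)
    print(f"combination: {bits:.2f} bits, shared by {matches} visitor(s)")
```

On this sample the per-attribute surprisals add up to 4 bits while the combination is worth 3 (exactly one visitor matches), which is the correlation effect; in a population the size quoted further down the thread (183,020 visitors), about 17.5 bits are enough to single someone out.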
> but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
I'm honestly curious, if you don't mind clarifying a bit more. How do your digital fingerprints follow you everywhere without your being able to erase them? This thread goes into device fingerprinting, but if one rigorously changes devices and certain use/account practices, how can they still be tracked so totally?
> if one rigorously changes devices and certain use/account practices
Your account practices will need to include only using an account on one device. Every time you use an account that identifies you on a device, that device can be associated to you; at that point its fingerprint is your fingerprint. Rotating devices faster just adds more devices to your identity.
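The linking described in the comment above, as an added example (not any tracker's or advertiser's code): every login event joins an account and a device fingerprint, and a union-find over those pairs shows how a second account, or a rotated device, ends up in the same cluster. The login events and names are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

# Constructed login events (account, device fingerprint); all names fictional.
CONSTRUCTED_LOGINS: List[Tuple[str, str]] = [
    ("alice@example.test",     "fp-laptop-1"),
    ("alice@example.test",     "fp-phone-1"),
    ("alice-alt@example.test", "fp-phone-1"),    # second account used on the same phone
    ("alice-alt@example.test", "fp-tablet-1"),   # a "fresh" device, but logged in with alt
    ("bob@example.test",       "fp-desktop-9"),
    ("carol@example.test",     "fp-carol-only"), # one account, one device: stays isolated
]


class UnionFind:
    """Minimal disjoint-set structure over string node ids."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_clusters(logins: List[Tuple[str, str]]) -> List[Set[str]]:
    """Each login joins an account node and a device node; the connected
    components are the identities a tracker can infer."""
    uf = UnionFind()
    for account, device in logins:
        uf.union("acct:" + account, "dev:" + device)
    groups: Dict[str, Set[str]] = {}
    for node in list(uf.parent):
        groups.setdefault(uf.find(node), set()).add(node)
    return list(groups.values())


def devices_linked_to(logins: List[Tuple[str, str]], account: str) -> Set[str]:
    """All device fingerprints reachable from an account, including through
    other accounts that shared a device with it."""
    target = "acct:" + account
    for cluster in build_clusters(logins):
        if target in cluster:
            return {n[len("dev:"):] for n in cluster if n.startswith("dev:")}
    return set()


def accounts_linked_to(logins: List[Tuple[str, str]], device: str) -> Set[str]:
    """All accounts reachable from a device fingerprint."""
    target = "dev:" + device
    for cluster in build_clusters(logins):
        if target in cluster:
            return {n[len("acct:"):] for n in cluster if n.startswith("acct:")}
    return set()


if __name__ == "__main__":
    print("alice's devices:", sorted(devices_linked_to(CONSTRUCTED_LOGINS, "alice@example.test")))
    print("accounts on tablet:", sorted(accounts_linked_to(CONSTRUCTED_LOGINS, "fp-tablet-1")))
```

The tablet was never used with the primary account, yet it lands in the same cluster through the alt account's shared phone; only carol, who keeps exactly one account on one device, stays in a component of her own.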
It's unfortunate that the pbtest.org tool links out to a service with an expired cert.
Alternative:
https://coveryourtracks.eff.org/
TIL about Web Audio, an API that allows any web page to find out about the user's sound setup (e.g. channel count and some kind of transfer function of the audio subsystem?) despite there being no legitimate purpose for that.
Is it really a surprise it gets implemented when all browser development outside of Webkit is financed by Google Ads revenue?
> Your browser fingerprint appears to be unique among the 183,020 tested in the past 45 days.
Damn how is this possible when I'm using a stock iPhone? I look at the characteristics and apart from timezone and language, how can they tell the same model iPhone apart?
Have you looked at the detailed breakdown that they give you?
It tells me it's unique despite my visiting two weeks ago.
certs are not necessary, they are a tradeoff
Tor browser asks you if you want to allow fingerprinting or not when a site attempts to query your HW info. Not sure why other browsers can't do the same.
The problem with Tor browser: You’re that guy with the Tor browser.
https://xkcd.com/1105/
This isn't new. Most advertising companies have had some sort of "Cross device targeting" or "household targeting" solution for going on almost a decade now. It's also why the suggestion of "repeal GDPR, just use cookie blockers" is so misguided.
Google's philosophy seems to be that intrusive tracking and behavioral advertising are OK as long as they only happen on the user's device.
The result is a worst-of-both-worlds: To an end user, it will still feel as if you're being tracked, with ads following you around, etc, but no worries, your privacy is safe because the advertiser doesn't have access to the data...
To be clear, Google has the data, and despite acting like they allow opting out from tracking, they do not.
Yes, Google is positioning themselves to be the regulator.
We have kernel level anti cheat systems for games. So how about kernel level anti tracking?
Browsers use system calls to provide the information used for fingerprinting the device, so why not intercept these calls and lie? Have all users present identical fingerprints and we're back to pre-Google times. Yes, we lose some important functionality, but maybe it's a price worth paying?
Never mind the other elephants in the room that do worse than track your browsing habits...
I see this going in the opposite direction first - TPM-backed kernel level fingerprinting. Surely you have nothing to hide…
This page only works on digitally signed supported operating systems. Please consider migrating to a supported system by Microsoft, Apple or an Android device officially supported by Google.
Fingerprinting or attestation?
This is my conspiracy theory as to why Win11 made TPMs mandatory hardware.
It's more complicated than that. You can use subtle differences in hardware and GPU rendering so that syscalls aren't even relevant. And you can never really prevent timing attacks, because you can just use a network request to get the current time from the server.
I've been wondering how hard it would be to make a completely fingerprint-proof browser.
One idea would be to run it in a deterministic emulator. All machine code instructions would be guaranteed to take exactly the same amount of time to execute on every machine, as far as is observable to the browser, and threads would be scheduled in the same order every time. Zero access to the host system through fonts, WebGL etc.
This would mean a massive performance penalty, but modern computers are fast enough that it might be usable for many sites. You could have a small number of discrete speed tiers, where you use the fastest tier that your computer is capable of.
I first read it as a joke, but come to think of it...this would be actually quite awesome for malware isolation and sandboxing. Giving software/apps different fake profiles that look like different identities on the filesystem would be quite the feature.
You would have to have some kind of launcher where you can select the isolated chroot/sandbox you want to run that specific program in.
Implementation-wise this could actually be done with eBPF, as most if not all syscalls can be intercepted and "farbled" (Brave's terminology) there. Features-wise this would probably be a separate filesystem for each program context, plus the things that firejail implements in userspace. Shared libraries would have to be loaded separately into memory, and glibc would have to be changed to not use any environment variables or debugging related function calls.
Welp, maybe docker+xorg is easier.
This is what the Tor Browser is designed to do, and it does it very well (all in userspace no less). The main drawback is that some sites don't render as nicely and occasionally a site simply doesn't work.
The most important anti-tracking feature Tor has other than IP masking is disabling JavaScript by default. That's a complete non-starter for the modern web.
The outcome will be that many sites simply refuse to work on any browser that does this. Users will blame the browser for not working and switch to one that is supported. Most people are happy to trade their privacy for convenience - especially since most people don't even realize they are doing it.
How would they know? The point of returning “standard” values, is that you are indistinguishable from any number of legitimate users.
They start blocking any fingerprint that looks like you're hiding it. Similar to sites blocking known Tor exit nodes and proxies.
It doesn't have to be blocking fingerprint, just whatever garbage data that works and the cat/mouse game will continue as usual.
So, if I use a device that doesn’t support tracking, and they track it anyway, how do they get it to present the “do not sell my personal information” button?
Also, are there any decent plugins that block all of google instead of just the ads? I imagine they’d need to MITM static font assets, etc.
I also wonder if / when this means Google will start fingerprinting and tracking tenants’ customers on GCP.
What I think is one thing that would be helpful is the ability to define unencrypted proxies for encrypted connections (which is especially useful if the proxy is on the same computer), where the browser does not encrypt the request being sent to the proxy and does not expect an encrypted response; so that the encryption with the server will be handled by the proxy instead. This will save power, as well as allow blocking without needing to encrypt and decrypt the data twice.
Personally, I went the nuclear route with a Pihole. My devices can’t talk to Google.
What if they use IPs instead of domain names?
Presumably you set your router to intercept all UDP/53 traffic, but remember the whole point of DoH is to prevent that and ensure nothing gets between the advertising surface and the advert source.
This works until you start living with someone who gets frustrated by things like sponsored results not working (completely fair, because they are often highly relevant).
I came back home to my parents' house this Christmas and my parents and my brother complained to me about why the Google sponsored links don't work anymore (because I've set their DNS to an adblock DNS).
I couldn't believe what they were saying. Their words didn't make sense to me. I ended up removing all adblock- and privacy-related settings in our router; it felt like a defeat.
To be fair to your family, Google have spent billions making the Google sponsored links look like organic search results.
You can set blocking per-device. I have strict blocking for my own devices, super-heavy blocking for IoT and other untrusted devices, and a lighter blocking as default. If they complain, I can disable blocking for them, or even set up a guest VLAN.
Source: https://web.archive.org/web/20241220192229/https://support.g...
Time to break them up.
Breaking up Chrome would be a blunder though; because of their massive funding to Mozilla, it could kill FF.
I believe Mozilla's funding comes from the search team at Google, not the browser team. (It's nominally compensation for including Google as the default search engine.) If anything, I'd be more concerned about Chrome, since it might be difficult for Google Search to fund Google Chrome to its current levels without raising arm's-length concerns (i.e. "is this a bona fide payment for services rendered?").
Good, as long as Chrome has such an overwhelming market share, reducing its funding sounds like a good idea. The companies that build on Chrome can contribute to the funding to keep Chrome alive.
it could most certainly kill Mozilla, but it will surely not kill Firefox
A good result.
Now that Mozilla is trying to appease the ad industry? Yeah for sure.
Oh no!
So Google's value proposition is to be the central tracking authority that knows who you are and enforces compliance on the advertising industry by keeping your name secret but letting advertisers know that: person x did this and then did that?
How convenient.
So what to do? Buy a Huawei device? Does Firefox's anti-fingerprinting help?
We are cattle at the farm for Google. Not humans. Sources of a profitable product they can broker: attention and purchasing power.
just google? :)
They weren’t before?
I hope they catch terrorists and criminals with this
lollllllllllllllll here's $2.49 off a thing you're maybe likely to buy tho
How do we disable?
I have a script which runs a random browser in incognito mode with a random user agent and a random search website every time I click a shortcut. Then another script changes the DOH dns setting for my connection every hour. Next up I will set a socks proxy setting on each browser via command line params to a ssh connection located in Europe. Oh and I also change my computer name on every logon and have random hw address enabled.
And I use Firefox with uBlock Origin and really nothing else. I suspect everybody’s threat models and risk tolerance is a little different.