My header ended up looking like a permuted version of this:
en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6
I never manually configured any of those extra languages in the browser settings. All I had done was tell Chrome not to translate a few pages on some foreign news sites. Chrome then turned those one-off choices into persistent signals attached to every request. I'd be surprised if anyone in my vicinity shares my exact combination of languages in that exact order, so this seems like a pretty strong fingerprinting vector.
There was even a proposal to reduce this surface area, but it wasn't adopted:
https://github.com/explainers-by-googlers/reduce-accept-lang...
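As an added illustration, not part of the comment above, the Node.js script below parses an Accept-Language header the way a fingerprinting script would, canonicalises it by q-value so that equivalent spellings collapse together while different weights or orderings stay distinct, and estimates how many bits of identifying information the header carries against a population of header counts. The population figures are invented for the example, not measured data.

```javascript
// Added example: canonicalise Accept-Language and estimate its identifying bits.
// The population counts below are constructed for illustration, not measured.

// Parse "en-US,en;q=0.9,zh-CN;q=0.8" into [{range, q}, ...] per RFC 9110:
// ranges are case-insensitive, q defaults to 1, q=0 means "not acceptable".
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const [range, ...params] = part.split(";").map((s) => s.trim());
      let q = 1;
      for (const p of params) {
        const m = /^q=(\d(?:\.\d{0,3})?)$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { range: range.toLowerCase(), q };
    })
    .filter((e) => e.q > 0);
}

// Canonical identity string: sorted by q (stable sort, so ties keep header
// order) with an explicit q on every entry. Two headers that differ only in
// case or in how a q=1 entry is written map to the same string; different
// weights or a different preference order do not.
function canonicalAcceptLanguage(header) {
  const entries = parseAcceptLanguage(header);
  entries.sort((a, b) => b.q - a.q);
  return entries.map((e) => `${e.range};q=${e.q}`).join(",");
}

// Aggregate a population of [header, count] pairs by canonical form.
function populationByIdentity(population) {
  const counts = new Map();
  let total = 0;
  for (const [header, n] of population) {
    const id = canonicalAcceptLanguage(header);
    counts.set(id, (counts.get(id) || 0) + n);
    total += n;
  }
  return { counts, total };
}

// Surprisal of a header in the population, in bits: -log2(p). A header that
// nobody else in the sample sends is reported as Infinity (unique here).
function surprisalBits(header, population) {
  const { counts, total } = populationByIdentity(population);
  const n = counts.get(canonicalAcceptLanguage(header)) || 0;
  return n === 0 ? Infinity : Math.log2(total / n);
}

// Constructed sample (invented counts). The first two rows are the same
// identity once canonicalised and are merged by populationByIdentity.
const SAMPLE_POPULATION = [
  ["en-US,en;q=0.9", 5500],
  ["en-us;q=1.0,en;q=0.9", 500],
  ["en-US,en;q=0.5", 1500],
  ["en-GB,en;q=0.9", 1200],
  ["de-DE,de;q=0.9,en;q=0.8", 800],
  ["en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6", 1],
];

const RARE_HEADER = "en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6";
console.log("canonical:", canonicalAcceptLanguage(RARE_HEADER));
console.log(surprisalBits("en-US,en;q=0.9", SAMPLE_POPULATION).toFixed(2), "bits for the common header");
console.log(surprisalBits(RARE_HEADER, SAMPLE_POPULATION).toFixed(2), "bits for the rare header");
```

In this made-up sample the plain "en-US,en;q=0.9" header is worth well under one bit, while the five-language header is alone in its bucket and is worth about 13 bits, roughly the same as the whole sample size; a real fingerprinting script would combine that with the other attributes rather than rely on it alone.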
From a pragmatic perspective, we are forcing two very different networks to run on the same protocols:
The Business Internet: Banking, SaaS, and VC-funded content (Meta/Google).
The Fun Internet: Hobby blogs, Lego fan sites, and the "GeoCities" spirit.
You cannot have a functioning "Business Internet" without identity verification. If you try to perform a transaction (or even just use a subsidized "free" tool like Gmail) while hiding behind a generic, non-unique fingerprint, you look indistinguishable from a bot or a fraudster.
Fingerprinting is often just the immune system of the commercial web trying to verify you are human.
The friction arises because we expect the "Fun Internet" to play by different rules. A Lego fan site shouldn't need to know who I am. But because we access both the Lego site and our Bank using the same browser, the same IP, and the same free tools (Chrome/Search), the "Fun Internet" becomes collateral damage of the "Business Internet's" need for security and monetization.
We can't have it both ways. We accepted the SLA for the "Business Internet" in exchange for free, billion-dollar tools. If you want 100% anonymity, you are effectively asking to use the commercial web's infrastructure without providing the identity signal it runs on.
As the OP notes, mitigation is hard. But that’s not just because advertisers are "evil"—it's because on the modern web, anonymity looks exactly like a security threat.
In addition, I block most known advertising/tracking domains at the DNS level (I run my own server, and use Hagezi's blacklists).
Finally, another suggestion would be to block all third party content by default using uBlock Origin and/or uMatrix. This will break a lot of websites, but automatically rules out most forms of tracking through things such as fonts hosted by Google, Adobe and others. I manually whitelist required third party domains (CDNs) for websites I frequently visit.
So what do we care about? If you care about being untrackable, then you have a couple of options, rotate VPNs, or cycle your public facing IP often. Additionally, every request you make MUST change up the request headers. You could cycle between 50 different sets of headers. Combine these two and you will likely be very hard to fingerprint.
If you only care about being identified, use Tor + the Tor browser which makes A LOT of traffic look identical.
With like 12 students, that's 4 bits, and it often ends up with 2-3 questions. It starts off with the obvious ones - man/woman/diverse, but then a realization comes in: An answer usually contains more information than just that one bit. If you have long hair, you're most likely a woman and/or a metalhead for example. That part will get shaken out later on.
And those thoughts make these browser fingerprinting techniques all the more scary: They contain a lot of information and that quickly cuts the possible amount of people down. Like, I'm a Linux Firefox user with a screen on the left. I wouldn't be surprised if that put me in a 5-6 digit bucket of people already.
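As an added example, not part of the comment above and using an invented population, this Node.js snippet makes the "how many bits does each answer give away" intuition concrete: it computes the entropy of each attribute, the entropy of the combination, and the mutual information between them (how much one attribute already tells you about the other, the long-hair case from the comment), and it sizes the bucket a given combination of attributes lands in.

```javascript
// Added example: bits of identifying information per attribute and for
// combinations, over a constructed population (the counts are invented).

// Shannon entropy in bits of a list of counts.
function entropyBits(counts) {
  const total = counts.reduce((a, b) => a + b, 0);
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Group weighted records (each carrying a count n) by the values of the given keys.
function tally(records, keys) {
  const counts = new Map();
  for (const r of records) {
    const k = keys.map((key) => r[key]).join("|");
    counts.set(k, (counts.get(k) || 0) + r.n);
  }
  return counts;
}

// Entropy of one attribute (keys = [a]) or of a combination (keys = [a, b, ...]).
function attributeEntropy(records, keys) {
  return entropyBits([...tally(records, keys).values()]);
}

// I(A;B) = H(A) + H(B) - H(A,B): zero when the attributes are independent,
// positive when knowing one narrows the other. The combination then yields
// fewer bits than the sum of the individual answers.
function mutualInformation(records, a, b) {
  return (
    attributeEntropy(records, [a]) +
    attributeEntropy(records, [b]) -
    attributeEntropy(records, [a, b])
  );
}

// How many people share a given combination, and the surprisal of landing there.
function bucket(records, probe) {
  const keys = Object.keys(probe);
  const total = records.reduce((s, r) => s + r.n, 0);
  const count = records
    .filter((r) => keys.every((k) => r[k] === probe[k]))
    .reduce((s, r) => s + r.n, 0);
  return { count, bits: count === 0 ? Infinity : Math.log2(total / count) };
}

// Constructed population of 10,000 visitors. OS and browser are deliberately
// correlated (Linux users mostly run Firefox here) to show the effect.
const VISITORS = [
  { os: "windows", browser: "chrome", n: 6000 },
  { os: "windows", browser: "firefox", n: 600 },
  { os: "macos", browser: "safari", n: 2000 },
  { os: "macos", browser: "chrome", n: 1000 },
  { os: "linux", browser: "firefox", n: 300 },
  { os: "linux", browser: "chrome", n: 100 },
];

console.log("H(os)        =", attributeEntropy(VISITORS, ["os"]).toFixed(3), "bits");
console.log("H(browser)   =", attributeEntropy(VISITORS, ["browser"]).toFixed(3), "bits");
console.log("H(os,browser)=", attributeEntropy(VISITORS, ["os", "browser"]).toFixed(3), "bits");
console.log("I(os;browser)=", mutualInformation(VISITORS, "os", "browser").toFixed(3), "bits");
console.log("linux+firefox bucket:", bucket(VISITORS, { os: "linux", browser: "firefox" }));
```

With these invented numbers each attribute is worth a little over one bit on its own, but the pair is worth about 1.7 bits rather than 2.2, because the two answers overlap; the Linux-plus-Firefox bucket still shrinks to 300 of 10,000 visitors (about five bits), and every further attribute multiplies the effect.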
I'm 100% in the need for personal privacy camp, but mention this only because without addressing the underlying issues, it's hard to come up with larger solutions.
And the big issues really come down to fraud and cyber attacks:
- Years ago, the NYTimes was found to be doing some kind of homegrown fingerprinting with canvas. They have plenty of ways of doing analytics and tracking subscribers, they were trying to root out ad fraud.
- When Spotify has people every day putting up AI-generated streams and attempting to "listen" to them with bot networks, they start to look at things like fingerprinting.
- Massive credential stuffing attacks on sites are often thwarted at the technical level by fingerprinting.
- Bot traffic (and in particular AI indexing bots not respecting robots.txt) has shot up dramatically in the last year, and fingerprinting is one of the strongest ways of bot identification.
Again, want the personal privacy, but think we need to fix the professional problems to get there.
I do block ads on the web with UBlock Origin because there’s no pay option to opt-out of it and ads ruin the experience. But I don’t give a fig about tracking. Change my mind. Why would the average person enjoy a better life if they became untrackable on the Web?
Basically they are used as spy-tools. Many anti-features are pushed into them - a simple example is the disable-right-click functionality. I do understand that some of these have a useful function (for instance during an exam at an on-campus site, to restrict what the students may do), but I always hate that I need e.g. a browser extension just to disable this antifeature. That's a super-simple example; there are many more severe examples such as fingerprint spy-sniffing here.
I am concerned about the detail here: does this mean per hardware class (e.g. same model of GPU), or per each individual device?
Is the implication that there are certain graphical operations that - perhaps unintentionally - end up becoming akin to a physically unclonable function in hardware?
It's been obvious for a decade and a half that technical solutions won't be practical to implement.
This feels like a regulatory question, not a technical one. We've repeatedly proven that with math and code alone, we can fingerprint and identify almost every unique person on the planet, given enough data points. The long-term solution seems like it should be severe consequences for data breaches (as in, corporation-destroying penalties for disclosure of PII, including fingerprint data) such that everyone only collects the data they need to provide the service in question and not a single bit more, deleting it as soon as it's no longer necessary. Right now there's no consequence if Google or Meta disclose huge swaths of user data, and thus no disincentive to collecting as much as they possibly can.
Punish the leaking of data, and suddenly you've raised its cost to the point that casual players will nope out entirely. From there, it's the eternal back and forth of governments waffling between business and electorate interests.
The best browser for protection is https://mullvad.net/en/browser because it makes the connection uniform, to better blend in.
I don't understand how temporary containers are still not a built-in Firefox feature, it seems like such a no-brainer solution for privacy.
I know one particular online car store that shares user data with insurance companies and they use that in their models to compute a "willingness" to pay more for insurance as well as to establish the user profile. Let's say you look at a sports car but you end up buying a family van; they charge you more for that.
The very interesting part is that they create a "customer profile score" that is just a number and sell that number to other companies. So, by pipping your habits they aggregate data and technically do not violate some local laws.
Firstly, on the counter argument side, when you visit a website, you are using their hardware, they have every right to make any requirements they want to use their hardware, they are not public spaces.
But more importantly, the fix is actually easy: use more than one browser, use private browsing sessions, use more than one device, only log in to services you don't mind tracking you, use ad blocking everywhere. Don't use sites that don't behave. All things you should be doing anyway.
However, I also think the whole concept of browser fingerprinting is exaggerated. None of the things that can be used for fingerprinting are long lived, meaning any fingerprint probably has a shorter life span than the average cookie, and is also far less reliable than say an IP address, which absolutely doesn't personally identify you.
Meanwhile, it is quite ridiculous to log in to all these services with 2FA, then expect any kind of technical or legal measure to prevent them from knowing exactly who you are with 100% accuracy.
Mostly thinking out loud, truly anonymous browsing is a tor node away, but a long time since I used that, there wasn't anything there I was interested in after intel exchange went down.
Any particularly interesting angles to this that you wished there was research on?
I'm sick to death of companies thinking they have any right to keep tabs on me because they think it'll make them a buck.
Basically, we can identify browsers based on the supported ciphers in the TLS handshake (order matters too AFAIK). Then when your declared identity is not matching the ja3 hash, you're automatically suspicious, if not blocked right away. I think that's the reason for so many Captchas.
The last time I looked at this seriously I was trying to find out how much fidelity (if it was possible at all) was necessary to identify someone by their mouse and keyboard input.
It's not just what you do but how you do it.
Now shameless advertising: of course I present the solution: https://counter.dev
Given the scale of scrapers these days (AI companies with VC money have no problem spinning up thousands of VMs running Chrome), fingerprinting at the browser level is the only realistic option.
(obligatory: my personal opinion, not necessarily my employer's)
I switched to the Mullvad browser. The other recommendation, LibreWolf, provides the following warning on install which scared me away: "Warning: librewolf has been deprecated because it does not pass the macOS Gatekeeper check! It will be disabled on 2026-09-01."
I'm going to steal this nice analogy, for when I try to explain this point and some related points.
There are pros/cons.
It should be obvious by now that using any free service of scale is being paid for by your interactions which are made more valuable through fingerprinting.
Trying to circumvent that just makes it more expensive for the rest of us.
Just make sure it's sufficiently illegal to keep this info. Find and make big visible examples of fining companies that trade in this info. If a company sells a product that fetches ads based on an "identifier" their little js snippet computed, then just pay them a visit. Fine both them and their customers to the max extent of the GDPR (or equivalent).
Unfortunately there is no way to tell advertisers, "No, I'm not interested in your product. I never will be. Don't waste your money."
The top offender is Hims. No, I don't have hair loss. I don't want hair loss supplements. I also don't have ED, and I object strongly to ads for that showing up unexpectedly when I'm showing a YouTube video to someone else.
The second top offender is whoever it is (they keep changing their name) who thinks that I need some kind of Christian motivational course to get control of "the P-word". (Their phrase, not mine.) No, I don't have a problem with pornography. I am very rarely interested in it. And when it comes up every few months, I don't feel any guilt about it afterwards. Furthermore I'm an atheist. A Christian motivational course isn't going to work well for me regardless.
Yes, Google does offer a report function, and a block function, for ads. The report function seems to have gotten rid of the unwanted ED ads. The block really doesn't work when the ads are all very similar AI slop that is rotated frequently. Block this ad, and then next unwanted ad from the same source will be coming along soon enough. (The reason why I particularly dislike Hims is that they are more aggressively rotating their ads.)
Back in the early days of Privacy Sandbox, before that crashed and burned against the UK CMA not even letting Google remove third-party cookie support [0], there was a lot of optimism about how we were going to completely solve cross-site tracking, even in the face of determined adversaries. This had several ingredients; the biggest ones I can remember are:
1. Remove third-party cookie support
2. Remove unpartitioned storage support
3. IP protection at scale
4. Solving fingerprinting
In the end, well... at least we got 2, which has some security benefits, even if Chrome gave up on 1, 3, and 4, and thus on privacy. Anyway, everyone could tell that 4 was going to be the hardest.
The closest I saw to an overarching plan was the "privacy budget" proposal [1], which would catalogue all the APIs that could be used for fingerprinting, and start breaking them (or hiding them behind a permission prompt, maybe?) if a site used too many of them in a row. I think most people were pretty skeptical of this, and the main person driving it moved off of Chrome in 2022. Mozilla has an analysis suggesting it's impractical at [2]. Some code seems to still exist! [3]
A key prerequisite of the privacy budget proposal was trying to remove passive fingerprinting surfaces in favor of active ones. That involved removing data that is sent to the server automatically, or freezing APIs like `navigator.userAgent` which are assumed infallible, and then trying to replace them with flows like client hints where the server needed to request data, or promise-based APIs which could more clearly fail or even generate a permissions prompt. This was quite an uphill battle, as web developers (both in ad tech and outside) would fight us every step of the way, because it made various APIs less convenient. Elsewhere people have cited one example, of reducing Accept-Language [4]. The other big one was the user agent client hints headers/API [5], which generated whole new genres of trolls on the W3C forums.
As Privacy Sandbox slumped more and more towards its current defeated state, people backed off from the original vision of a brilliant technical solution that worked even in the face of determined adversaries. Instead they retreated to stances like "if we just make it hard enough to fingerprint, it'll be obvious that fingerprinting scripts are doing something wrong, and we can block those scripts"; see e.g. [6]. Maybe that would have worked, I don't know, but it becomes much more of a cat-and-mouse game, e.g. needing to detect bundled or obfuscated scripts.
And now of course it's all over; the ad tech industry, backed by the UK CMA, has won and forced Google to keep third-party cookies forever, and with those in place, there's not really any point in funding the anti-fingerprinting work, so it's getting wound down [7]. The individual engineers and teams are probably still passionate about launching opt-in or Incognito-only privacy protections, but I doubt that aligns with product plans. I'm sure Google doesn't mind the end result all that much either, as having to migrate the world to privacy-preserving ad tech was going to be a big lift. Now all that eng power can focus on AI instead of privacy.
[0]: https://privacysandbox.com/news/privacy-sandbox-next-steps/
[1]: https://github.com/mikewest/privacy-budget
[2]: https://mozilla.github.io/ppa-docs/privacy-budget.pdf
[3]: https://chromium.googlesource.com/chromium/src/+/36dc3642bee...
[4]: https://github.com/explainers-by-googlers/reduce-accept-lang...
[5]: https://developer.mozilla.org/en-US/docs/Web/API/User-Agent_...
[6]: https://privacysandbox.google.com/protections/script-blockin...
[7]: https://privacysandbox.com/news/update-on-plans-for-privacy-...
The whole article never mentions the gold standard of anti-fingerprinting, Tor Browser. It just shows how shallow the article is when it mentions Mullvad Browser, a fork of TBB, instead of TBB itself! There's also no mention of using an up-to-date DNS block list to thwart fingerprinting attempts even more.
Seems like we all need to come together and use the same technique to "we are borg, we are browsing your internet as one, tracking is futile"
Email validation doesn't work. IP blocking doesn't work. Captcha? Kind of. Fingerprinting? Very efficient.
Because the sites that still offer feeds, at least those for which a feed makes sense, well, you can read them comfortably via RSS.
Yes, I know that's ski-mask bla bla bla, but I still don't want my browser to be doing this nonsense.
Giving the surveillance economy access to your habits means making them slightly better informed about everyone. That won't directly endanger you; the SE will just become slightly better informed about how people like you function.
This will enable it to increase the amount of risk faced by some other person that you will never hear of (and vice versa) if any of you is even suspected of endangering the SE, in proportion to the risk to the SE which people like you may hypothetically pose, as quantified by the methods of nepotism-powered pseudoscience.
Perhaps what is missing is a criminal law that forbids deliberate non-consensual tracking of a person's activity. Even in public.
Recording someone as you happen to be recording something in public (including CCTV) is not deliberate or targeted towards an individual. But even in public, if someone followed you around tracking what you're doing (even without recording you), that shouldn't be lawful. Public figures and law enforcement activity based on probable cause being the exceptions.
Can anyone think of any reasonable counter-arguments to this?