So, manifest v3 was all about preventing Google’s competitors from tracking you so that Google could forge ahead.
Digital Fingerprinting: Google launched a new era of tracking worse than cookie banners | Tuta
Submitted 2 months ago by misk@sopuli.xyz to technology@lemmy.world
https://tuta.com/blog/digital-fingerprinting-worse-than-cookies
Comments
pHr34kY@lemmy.world 2 months ago
Ulrich@feddit.org 2 months ago
It was never about privacy, it was supposedly about security, which there is some evidence for. There were a lot of malicious extensions.
Zarxrax@lemmy.world 2 months ago
Would it be possible for a browser or extension to just provide false metadata in order to subvert this type of fingerprinting?
JackAttack@lemmy.dbzer0.com 2 months ago
So from what I understand, theres 2 common ways that browsers combat this. Someone add to or correct me if I’m wrong.
-
Browsers such as Mull combat this by looking the same as every other browser. If you all look the same, it’s hard to tell you apart.
-
Browsers such as Brave randomize metadata that fingerprinting collects so that it’s more difficult to piece it all together and build a trend/profile on someone.
These aren’t the only options, these are just ones I’ve read about recently. Online behavior, browswr window size, and I’m sure so much more also goes into it. But every little bit helps and is better than nothing.
mathemachristian@lemm.ee 2 months ago
Mull is discontinued unfortunately, although I think it got forked?
drmoose@lemmy.world 2 months ago
The first point is flawed and even TOR doesn’t execute javascript because it’s impossible to catch everything when you give the server full code running capabilities.
The second point is more plausible but there’s an incredible amount of work to do to fix this. Like, needing to rework browser engines from ground up and removing all of the legacy cruft. Brave is not capable of this and never will be no matter what they advertise because it doesn’t have it’s own engine.
That being said, these tools will get you quite far against commercial fingerprint products especially ones used for Ads but that will also ruin your browser experience as now you’re just solving captchas everywhere 🫠
-
kipo@lemm.ee 2 months ago
Yes. There is a firefox extension called Chameleon that does this.
drmoose@lemmy.world 2 months ago
No. Anything that executes Javascript will be fingerprinted.
That being said it depends who are you fighting. For common commercial tools like Cloudflare fingerprinter it might work to some extent but if you want to safeguard against more sophisticated fingerprinting then TOR and no JS is the only way to combat this.
The issue is that browsers are so incredibly complex that it’s impossible to patch everything and you’ll just end up getting infinite captchas and break your browsing experience.
Ulrich@feddit.org 2 months ago
Yes but that metadata is also used to serve you the webpage, so if you spoof it, the page may not load properly.
fmstrat@lemmy.nowsci.com 2 months ago
Others have mentioned what Firefox/etc do, but another option is a PiHole. If you can’t look up the IP for an advertiser URL, you don’t load the JavaScript to begin with.
phoenixz@lemmy.ca 2 months ago
Yeah, I have an anti fingerprint extension installed in Firefox, and immediately no Google site will work anymore, all google sessions break with it while most other sites just continue to work.
I’m working to rid myself completely from Google, my target being that I will completely DNS block all google (and Microsoft and Facebook) domains within a year or so. Wish I could do it faster but I only have a few hours per weekend for this
Gorillazrule@lemmy.dbzer0.com 2 months ago
Mind sharing what extension you use?
towelie@lemm.ee 2 months ago
Hi, here are the extensions I use in FireFox/Librewolf (all will work in Chromium too, but I don’t recommend Chromium browsers):
Privacy and Security-focused
uBlock Origin: A lightweight and efficient wide-spectrum content blocker.
CanvasBlocker: Protects your privacy by preventing websites from fingerprinting you using the Canvas API.
Ghostery Tracker & Ad Blocker - Privacy AdBlock: Blocks trackers and ads to protect your privacy and speed up browsing. Also has a handy feature that automatically rejects cookies for you.
KeePassXC-Browser: Integrates KeePassXC password manager with your browser.
NoScript: Blocks JavaScript, Flash, and other executable content to protect against XSS and other web-based attacks &**(note: you will be required to manually activate javascript on each web page that you visit, but this is a good practice that you should get used to).
Privacy Badger: Automatically learns to block trackers based on their behavior.
User-Agent Switcher and Manager: Allows you to spoof your browser’s user-agent string.
Violentmonkey: A user script manager for running custom scripts on websites (allows you to execute your own JavaScript code, usually to modify how a website behaves or block behavior that you don’t like. VERY useful. Check out greasyfork for UserScripts).
Other useful extensions (non-privacy/security)
Firefox Translations: Provides on-demand translation of web pages directly within Firefox.
Flagfox: Displays a flag depicting the location of the current website’s server.
xBrowserSync: Syncs your browser data (bookmarks, passwords, etc.) across devices with end-to-end encryption.
Plasma Integration: Integrates Firefox with the KDE Plasma desktop environment (for linux users).
XiELEd@lemmy.world 2 months ago
What search engine do you use?
Ramblingman@lemmy.world 2 months ago
I want to do this but really the only thing holding me back is my phone.
SnotFlickerman@lemmy.blahaj.zone 2 months ago
Just in time for their prophet, Curtis Yarvin, to be pushing a full-scale surveillance state!
Googlers aren’t on our side. They want to rule. They think being a fucking admin on a server makes them cut out to run society.
sugar_in_your_tea@sh.itjust.works 2 months ago
Googlers aren’t on our side
They never were, out interests just aligned while they were growing market share. They have that now, so there’s no more reason to stay aligned.
Corporations aren’t your friend, but that can be momentary allies.
9point6@lemmy.world 2 months ago
Further evidence that a Republican government in the USA results in private organisations pushing the bar as far as they can.
In Reagan’s time it was Wall Street. Now it’s Silicon Valley.
You want private organisations working for your benefit and not that of their shareholders? You need a government that actually has the gumption to challenge them. The current US government is 4 years of a surrender flag flying on the white house.
Or we could bin off this fucking failed neoliberal experiment, but that’s apparently a bit controversial for far too many people
One_Blue_Shoe@lemmynsfw.com 2 months ago
Having the gall to suggest we not allow less than 3000 people to own all of the worlds supply lines, media platforms, institutional wealth, construction companies, dissemination platforms, politicians, private equity firms and the single largest interconnected (private or otherwise) espionage and social engineering plot known to mankind?
You fucking tanky you! Go back to Russia!!!
sugar_in_your_tea@sh.itjust.works 2 months ago
Republicans aren’t the problem here, they’re a natural result of a two party system. If you have a coin, half the time you’ll get the “good” side, and half the time you’ll get the “bad.”
And this isn’t to say either side is consistently “good” or “bad,” parties rarely stick anything. The deregulation you’re complaining about started under Jimmy Carter, affectionately called “the great deregulator.” In fact, many (most?) of Carter’s changes took effect during Reagan’s term, and it was incredibly successful.
However, for some reason Democrats are now against deregulation, probably because Republicans took the credit and Democrats needed to rebrand.
That doesn’t imply that Trump’s deregulation is “good,” it just means deregulation isn’t inherently “bad.”
RejZoR@lemmy.ml 2 months ago
Good thing I erased Google out of my life a decade ago meaning I can much easier block even more of their everywhere present garbage and not have issues.
TheFeatureCreature@lemmy.ca 2 months ago
Ditching gmail remains one of the best choices I’ve made in years.
Squizzy@lemmy.world 2 months ago
Our work is switching from them and god damn they are so good at things though. I always disliked labels but the layout is top tier.
But yeah they are awful people
ricecake@sh.itjust.works 2 months ago
blog.lukaszolejnik.com/biggest-privacy-erosion-in…
This article actually shares what changed, as opposed to just asserting that there was a change.
drmoose@lemmy.world 2 months ago
This has been the case for years. I develop fingerprinting services so AMA but it’s basically a long lost battle and browser are beyond the point of saving without a major resolution taking place.
Lifter@discuss.tchncs.de 2 months ago
How can you live with yourself?
gcheliotis@lemmy.world 2 months ago
So… how effective is it? The fingerprinting. I’m guessing there are studies? Also don’t know whether there’s been legal precedent, ie whether fingerprinting has been recognized as valid means of user identification in a court case.
drmoose@lemmy.world 2 months ago
It’s super effective but there are very few real use cases for it outside of security and ad tracking. For example you can’t replace cookies with it because while good fingerprint is unique it can still be fragile (browser update etc.) which would cause data loss and require reauth.
Usually fingerprint plays a supporting role for example when tou do thos click here captchas that’s actually just giving the browser time to fingerprint you and evaluate your trust to decide whether to give you a full captcha or let you through. So fingerprint is always there in tbe background these days tho mostly for security and ad tracking.
As for court cases and things l like GDPR the officials are still sleeping on this and obviously nobody wants to talk about it because it’s super complex and really effective and effects soo many systems that are not ad tech.
werefreeatlast@lemmy.world 2 months ago
I go to pornhub every morning to check out the articles. Lately I’ve noticed that they have exactly the kind of articles I’m interested in always at the top two rows and then a bunch of stuff I’m not really into elsewhere. They are definitely testing stuff.
Ulrich@feddit.org 2 months ago
I too go to pornhub for the articles.
fogetaboutit@programming.dev 2 months ago
I thought people go to pornhub for the lack of articles
med@sh.itjust.works 2 months ago
I go to pornhub for the definite article
sugar_in_your_tea@sh.itjust.works 2 months ago
Idk, I see a lot of “a”, “an”, and “the” there.
mle86@feddit.org 2 months ago
So I thought this is never going to fly under GDPR. Then the article goes on to say:
Many privacy laws, including the EU’s GDPR and California’s CCPA, require user consent for tracking. However, because fingerprinting works without explicit storage of user data on a device, companies may argue that existing laws do not apply which creates a legal gray area that benefits advertisers over consumers.
Oh come on Google, seriously? I remember a time when Google were the good guys, can’t believe how they’ve changed…
_cryptagion@lemmy.dbzer0.com 2 months ago
Google can’t fingerprint you very well if you block all scripts from Google.
howrar@lemmy.ca 2 months ago
Considering how few people block all scripts, this could also make it trivial for them to fingerprint you.
_cryptagion@lemmy.dbzer0.com 2 months ago
Anyone who uses uBlock blocks Google scripts.
kalpol@lemmy.world 2 months ago
I’ve checked, its true. Linux plus Firefox already puts you in the 2 percent category.
kalpol@lemmy.world 2 months ago
This breaks all kinds of stuff though. A ton of sites use Google for captchas.
_cryptagion@lemmy.dbzer0.com 2 months ago
I just don’t use any sites like that. If a site is using something other than Turnstile from Cloudflare, then I refuse to use it. I haven’t really experienced any inconvenience myself with this policy, but obviously I don’t depend on any sites that require recaptcha.
But you can allow/block any elements per site, or globally, which makes it trivial to block all unwanted scripts except on specific sites. So there is nothing preventing you from only exposing yourself to Google on the few sites you use that need those scripts.
homesweethomeMrL@lemmy.world 2 months ago
Digital fingerprinting is a method of data collection – one that in the past has been refused by Google itself because it “subverts user choice and is wrong.” But, we all remember that Google removed “Don’t be evil” from its Code of Conduct in 2018. Now, the Silicon Valley tech giant has taken the next step by introducing digital fingerprinting.
eRac@lemmings.world 2 months ago
Google removed “Don’t be evil”
Still parading that lie around? It’s easily verified as false. Their code of conduct ends with:
And remember… don’t be evil, and if you see something that you think isn’t right – speak up!
Ulrich@feddit.org 2 months ago
Still parading that lie around? It was removed and then added back later.
Balinares@pawb.social 2 months ago
You’d THINK the article would link to a source about the fingerprinting in question instead of 90% filler slop and ads for their own service… Anyone got a link?
treadful@lemmy.zip 2 months ago
What is it you’re looking for? Do you want to know what kinds of information is used for fingerprinting?
If so, check out coveryourtracks.eff.org and amiunique.org.
Balinares@pawb.social 2 months ago
I’m aware of fingerprinting techniques, thank you. The article is claiming that Google will start using some of those and I’m looking for the source for that claim, hopefully with specifics about which techniques are involved. Confusingly, the article does not appear to provide such a source.
Snowstorm@lemmy.ca 2 months ago
[deleted]semperverus@lemmy.world 2 months ago
Yes, a lot of websites embed Google Analytics, or more nefariously Google Fonts.
oldfart@lemm.ee 2 months ago
And recaptcha. And Google-hosted Javascript libraries. And youtube embeds.
SomethingBurger@jlai.lu 2 months ago
Yes, mainly Analytics, sometimes Maps.
JackAttack@lemmy.dbzer0.com 2 months ago
Great read from Tuta on thia topic. It’s been an issue for a while but Google going full force publicly on it causes this issue to grow greater.
I left a comment replying to someone further down about how this can be at least a little combatted and how it is with browsers. (At least to my minimal knowledge of it)
ZeroGravitas@lemm.ee 2 months ago
PiHole
AdAway
Burn the ads down.
WorldsDumbestMan@lemmy.today 2 months ago
I don’t bother. I know they know everything about me already, and that I’m not an important person. As such, I wonder why it matters.
brucethemoose@lemmy.world 2 months ago
Daily plug for Cromite, which is explicity built for anti-fingerprinting and de-Googling:
Ugurcan@lemmy.world 2 months ago
I wonder how safe is Apple ecosystem from this.
RangerJosey@lemmy.ml 2 months ago
Unlock Origin, Ghostery, and what else? Scriptmonkey maybe?
They’ll stop it.
Ledericas@lemm.ee 2 months ago
its captcha v3, its the same thing reddit uses to catch bots and ban evaders, apparently its expensive for reddit so they only mostly use it for ban waves.
Bogasse@lemmy.ml 2 months ago
So I guess for Firefox users it’s time to enable the resist fingerprinting option ? support.mozilla.org/…/resist-fingerprinting
masterofn001@lemmy.ca 2 months ago
You can also use canvas blocker add-on.
Use their containers feature and make a google container so that all google domains go to that container.
If you want to get crazy, in either set in about:config or make yourself a user.is file in your Firefox profile directory and eliminate all communication with google.
:::spoiler google shit user_pref(“browser.safebrowsing.allowOverride”, false); user_pref(“browser.safebrowsing.blockedURIs.enabled”, false); user_pref(“browser.safebrowsing.downloads.enabled”, false); user_pref(“browser.safebrowsing.downloads.remote.block_dangerous”, false); user_pref(“browser.safebrowsing.downloads.remote.block_dangerous_host”, false); user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, > user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false); user_pref(“browser.safebrowsing.downloads.remote.enabled”, false); user_pref(“browser.safebrowsing.downloads.remote.url”, “”); user_pref(“browser.safebrowsing.malware.enabled”, false); user_pref(“browser.safebrowsing.phishing.enabled”, false); user_pref(“browser.safebrowsing.provider.google.advisoryName”, “”); user_pref(“browser.safebrowsing.provider.google.advisoryURL”, “”); user_pref(“browser.safebrowsing.provider.google.gethashURL”, “”); user_pref(“browser.safebrowsing.provider.google.lists”, “”); user_pref(“browser.safebrowsing.provider.google.reportURL”, “”); user_pref(“browser.safebrowsing.provider.google.updateURL”, “”); user_pref(“browser.safebrowsing.provider.google4.advisoryName”, “”); user_pref(“browser.safebrowsing.provider.google4.advisoryURL”, “”); user_pref(“browser.safebrowsing.provider.google4.dataSharingURL”, “”); user_pref(“browser.safebrowsing.provider.google4.gethashURL”, “”); user_pref(“browser.safebrowsing.provider.google4.lists”, “”); user_pref(“browser.safebrowsing.provider.google4.pver”, “”); user_pref(“browser.safebrowsing.provider.google4.reportURL”, “”); user_pref(“browser.safebrowsing.provider.google4.updateURL”, “”); :::
Bluefruit@lemmy.world 2 months ago
This is why I like Lemmy, never knew canvas blocker was a thing. Thank you.
Chulk@lemmy.ml 2 months ago
I’m still trying to wrap my head around fingerprinting, so excuse my ignorance. Doesn’t an installed plugin such as Canvas Blocker make you more uniquely identifiable? My reasoning is that very few people have this plugin relatively speaking.
pHr34kY@lemmy.world 2 months ago
I’ve used this. The only annoyance is that all the on-screen timestamps remain in UTC because JS has no idea what timesone you’re in.
I get that TZ provides a piece of the fingerprint puzzle, but damn it feels excessive.
treadful@lemmy.zip 2 months ago
And automatic darkmode isn’t respected, and a lot of other little annoyances. That’s why this is so difficult. These are all incredibly useful features we would have to sacrifice for privacy.
Slax@sh.itjust.works 2 months ago
Wait is that why my Firefox giving me errors when I try to log into websites with 2FA?
sem@lemmy.blahaj.zone 2 months ago
Why does it do this?
PS grateful for this option!
grinde@programming.dev 2 months ago
Some math functions have slightly different results depending on architecture and OS, so they fuzz the results a little. Here’s a tor issue discussing the problem: gitlab.torproject.org/legacy/trac/-/issues/13018
Ulrich@feddit.org 2 months ago
I mean it doesn’t hurt but as far as I can tell, it doesn’t actually block fingerprinting, it blocks domains known to collect and track your activity. The entire web is run on Google domains so that would be nearly impossible to block.
ZiemekZ@lemmy.world 2 months ago
Privacy Badger anyone?
Bogasse@lemmy.ml 2 months ago
But does privacy badger also act on the canvas APIs & cie. ?
ookiiBoy@lemmy.blahaj.zone 2 months ago
It annoys me that this is not on by default…
perfectly_boiled_pizza@lemmy.world 2 months ago
It’s a nice feature for those that actively enable it and know that it’s enabled, but not for the average user. Most people never change the default settings. Firefox breaking stuff by default would only decrease their market share even further. And this breaks so much stuff. Weird stuff. The average user wants a browser that “just works” and would simply just switch back to Chrome if their favourite website didn’t work as expected after installing Firefox. Chrome can be used by people who don’t even know what a browser is.
roscoe@lemmy.dbzer0.com 2 months ago
Does ublock do this?
perfectly_boiled_pizza@lemmy.world 2 months ago
No
fossphi@lemm.ee 2 months ago
Please don’t enable this blindly. A lot of modern websites depend on a bunch of features which will simply not work with that flag enabled. Only do it, if you’re willing to compromise and debug things a bit