
Online tracking: A 1-million-site measurement and analysis - itg
https://webtransparency.cs.princeton.edu/webcensus/index.html
======
randomwalker
Coauthor here. I lead the research team at Princeton working to uncover online
tracking. Happy to answer questions.

The tool we built to do this research is open-source:
[https://github.com/citp/OpenWPM/](https://github.com/citp/OpenWPM/). We'd love
to work with outside developers to improve it and do new things with it. We've
also released the raw data from our study.

~~~
projectramo
I am going to ask about a really basic question: what is fingerprinting?

I had to dig around, from the paper it sounds like a stateless form of
tracking.

The audio example made sense:

1. the mic comes on, and it identifies a particular background noise.

2. I browse to another site, or a different page without a cookie.

3. The mic comes on again, matches the ambient noise and realizes I am the
same person.

Is that what you mean? If this is the case, how can the "canvas
fingerprinting" work since I had to browse to a new page and all the old
pixels from the previous page are no longer there.

Anyway, if it is what I understand it to be, then it sounds very interesting.
I bet some science fiction author wishes they had thought to use it.

~~~
Fradow
I'm going to answer the basic question: fingerprinting is about trying to
identify your device as uniquely as possible using available APIs, in order to
track you cross-site, without cookies.

To do that, you first try to identify APIs that have different results
depending on the browser or the device, and then track their result. For
example, the User agent has some identifying information. It's not unique for
each person, but you can start having a bit of identifying information. Do
that with multiple APIs (available fonts, installed plugins ...), and you
start having enough identifying information to uniquely identify some
browsers, without having an actual ID provided by the browser.

To test your browser, you can visit
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

~~~
jordache
Which API reveals my system fonts to a website?

Edit: The fingerprint test at
[https://panopticlick.eff.org/](https://panopticlick.eff.org/) shows my System
Fonts

~~~
tangent128
I don't think you can enumerate them these days, but you can test for them by
trying to use them in CSS (which font is used would affect the width of a span
of text, use a wildly different fallback font and you can guess which is
installed) or <canvas> (where you can inspect the actual pixels rendered).

~~~
Freak_NL
Or use @font-face and detect calls to a remote URL — which happens when the
named local font is missing:

    @font-face {
      font-family: "Roboto";
      src: local("Roboto"), url("https://example.com/user-does-not-have-roboto") format("woff2");
    }

------
ultramancool
As soon as I saw these APIs being added I immediately dropped into
about:config and disabled them. How the hell do these people think this is a
good idea to do without asking any permissions?

Put these in your user prefs.js file on Firefox:

    user_pref("dom.battery.enabled", false);
    user_pref("device.sensors.enabled", false);
    user_pref("dom.vibrator.enabled", false);
    user_pref("dom.enable_performance", false);
    user_pref("dom.network.enabled", false);
    user_pref("toolkit.metrics.ping.enabled", false);
    user_pref("dom.gamepad.enabled", false);

Here's my full firefox config currently:

[https://up1.ca/#nUSA1WtY13ECfmYC5c825w](https://up1.ca/#nUSA1WtY13ECfmYC5c825w)

Privacy on the web keeps getting harder and harder. Of course this should only
be used in conjunction with maxed out ad blockers, anti-anti-adblockers,
privacy badger and disconnect.

We need browsers to start asking permission. When you install an app on
Android or iOS it says "here's what it's going to use, do you want this?". The
mere presence of the popup would annoy people and prevent them from using
these APIs.

~~~
Zooper
Thank you, user, for making your fingerprint hash more unique by disabling
certain default features, given your user-agent string, thus opting into cat-
facts.

~~~
shostack
Disabling them probably makes you significantly more unique than those that
don't just because the vast majority of people never will disable them.

------
brudgers
Google has a vested interest in information leakage. I have a suspicion that
the Chromium project expresses a strategic desire to shape the direction of
browser development away from stopping those leaks. The idea of signing into
the browser with an identity is a core feature and in Google's branded
version, Chrome, the big idea is that the user is signed into Google's
services.

Google only pitches the idea of multiple identities in the context of sharing
devices among several people:
[https://support.google.com/chrome/answer/2364824?hl=en](https://support.google.com/chrome/answer/2364824?hl=en)
and even then doesn't do much to surface the idea.
[https://www.google.com/search?hl=en&as_q=multiple+identities...](https://www.google.com/search?hl=en&as_q=multiple+identities+in+chrome&as_epq=&as_oq=&as_eq=&as_nlo=&as_nhi=&lr=&cr=&as_qdr=all&as_sitesearch=google.com&as_occt=any&safe=images&as_filetype=&as_rights=)

~~~
exelius
This is why Firefox is gaining momentum; they seem to be the only browser
interested in user privacy. Users are definitely interested.

~~~
DavideNL
Indeed. I even use FF despite its terrible terrible "pinch to zoom"
functionality - which works perfectly in other browsers (Safari, Chromium,
Chrome).

Zooming is such a basic thing... I don't understand why they implement it in
such a crappy way. Certainly doesn't attract users.

~~~
gruez
Can you elaborate what's so bad about Firefox's pinch to zoom?

~~~
DavideNL
Take a look at this movement:
[https://up1.ca/#q07x8mFjrGtXR6ju1r3EQw](https://up1.ca/#q07x8mFjrGtXR6ju1r3EQw)

In Safari, this is what it does:
[https://up1.ca/#Lu0r_cI_v0vXvzpa9nUmEg](https://up1.ca/#Lu0r_cI_v0vXvzpa9nUmEg)
So in Safari it lets me zoom all the way in and/or out with 1 smooth movement.

This is what the same movement does in Firefox:
[https://up1.ca/#SEKWNOm1BSQnkntxj_v53w](https://up1.ca/#SEKWNOm1BSQnkntxj_v53w)
In Firefox, if I want to zoom all the way in, I have to pinch in like 10 times
(very annoying) and then to zoom out pinch out another 10 times...

------
rdancer
This is the kind of nonconsensual surreptitious user tracking that the EU
privacy directive 2002/58/EC concerns itself with, not those redundant, stupid
cookie consent overlays.

~~~
nailer
So a regular site using, say, mixpanel doesn't need to show a warning?

~~~
kuschku
If the cookies are purely technical (say, login cookies), no.

If the cookies are used for tracking, like Google Analytics, then yes, it
needs to ask the user for consent.

And that’s not a warning, but actual "yes/no", and in the no case, it may not
set a tracking cookie, or have set a tracking cookie already.

Most sites (except for a few dozen German and Dutch ones) just redirect you
somewhere else, though, if you refuse to be tracked.

~~~
JohnTHaller
Something that is best left to the browser to handle... by allowing the user
to enable/disable 3rd party cookies. Which we already have. But no, the EU has
stupid notifications on basically every single website as a result since
everyone uses third party analytics. Why? If you want your analytics to be
believed by anyone who wants to advertise with you, invest in you, partner
with you, or buy you, they'd damn well better be third party analytics.

~~~
rdancer
The EU Commission and the regulatory agencies actually agree with you. The
stupidity is 100% with the web devs and customers.

~~~
carlesfe
What do you mean with "The stupidity is 100% with the web devs and customers"?

The law requires user consent, in form of a click on a banner or scrolling the
page, before setting any cookie.

~~~
rdancer
Which law? The 2002/58/EC doesn't.

~~~
carlesfe
Not that one.

[http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:320...](http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32009L0136)

Complete law:
[http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX...](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN)

Paragraph 66 talks about cookies.

A later exception was made by the EU for session cookies.

Guidelines for webmasters:

[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_4)

It has a sample banner which is similar to those which most users display.

Spanish official directives (with further protection because of a local law
called LSSI):
[https://www.agpd.es/portalwebAGPD/canaldocumentacion/publica...](https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/Guias/Guia_Cookies.pdf),
page 17. Also comes with a sample banner

Did you really think that everyone else was wrong or didn't read the law and
is programming these banners as some sort of fad?

------
f-
Although the emphasis on the actual abuse of newly-introduced APIs is much
needed, it is probably important to note that they are _not_ uniquely suited
for fingerprinting, and that the existence of these properties is not
necessarily a product of the ignorance of browser developers or standards
bodies. For most part, these design decisions were made simply because the
underlying features were badly needed to provide an attractive development
platform - and introducing them did not make the existing browser
fingerprinting potential substantially worse.

Conversely, going after that small set of APIs and ripping them out or
slapping permission prompts in front of them is unlikely to meaningfully
improve your privacy when visiting adversarial websites.

Few years back, we put together a less publicized paper that explored the
fingerprintable "attack surface" of modern browsers:

[https://www.chromium.org/Home/chromium-security/client-ident...](https://www.chromium.org/Home/chromium-security/client-identification-mechanisms)

Overall, the picture is incredibly nuanced, and purely technical solutions to
fingerprinting probably require breaking quite a few core properties of the
web.

------
pmlnr
So... what we need is a browser, which says it supports these things but
blocks or provides false data on request and looks as ordinary as possible for
"regular" browser fingerprinting.

Is anyone aware of the existence of one?

~~~
madeofpalk
The problem here is Canvas fingerprinting - that's what I found the most
surprising and interesting.

How do you prevent that, apart from working on 'fixing' browsers to create
pixel-perfect renders across different browsers/platforms/configurations.
Would that even be possible?

Edit:

> Tor Browser notifies the user for canvas read attempts and provides the
> option to return blank image data to prevent fingerprinting.

Huh. I guess that's one attempt, but being able to read pixel data out of a
canvas is completely reasonable.

~~~
Freak_NL
> […] but being able to read pixel data out of a canvas is completely
> reasonable.

Not for every website. Most websites don't need canvas at all. One option
would be to ask users to activate canvas support for a website that does need
it, so users can judge for themselves if the request is legitimate. This is
how the geo-location API works after all.

I am not convinced that this will work very well though.

~~~
madeofpalk
Seems like just another vector to fingerprint that browser by :)

~~~
Freak_NL
It is! But a disabled setting has a much lower entropy in terms of identifying
bits than the hash generated with an active canvas.
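
The trade-off argued in this subthread and in the replies to ultramancool further up, worked through as an added example (not code from the thread or the paper): per-attribute surprisal in bits and the resulting anonymity set for a browser with APIs disabled versus a stock one. The population, attribute names and all counts are constructed for illustration.

```javascript
// Constructed population of 1024 browsers; every value here is invented.
function buildPopulation(n = 1024) {
  const browsers = [];
  for (let i = 0; i < n; i++) {
    browsers.push({
      // four user-agent strings, equally common
      userAgent: "UA-" + (i % 4),
      // 64 browsers block canvas reads; all others render a distinct image
      canvas: i < 64 ? "blocked" : "hash-" + i,
      // only 8 browsers have switched the battery API off
      battery: i < 8 ? "disabled" : "enabled",
    });
  }
  return browsers;
}

// Surprisal of observing `value` for `attr`: log2(N / browsers showing it).
function surprisalBits(population, attr, value) {
  const matches = population.filter((b) => b[attr] === value).length;
  if (matches === 0) return Infinity;
  return Math.log2(population.length / matches);
}

// How many browsers share every attribute of `profile`.
function anonymitySet(population, profile) {
  const attrs = Object.keys(profile);
  return population.filter((b) => attrs.every((a) => b[a] === profile[a])).length;
}

// Per-attribute bits plus the bits revealed by the combination.
// Combined bits can be lower than the per-attribute sum when attributes
// are correlated (here: everyone who disabled battery also blocks canvas).
function report(population, profile) {
  const perAttribute = {};
  for (const attr of Object.keys(profile)) {
    perAttribute[attr] = surprisalBits(population, attr, profile[attr]);
  }
  const set = anonymitySet(population, profile);
  return {
    perAttribute,
    anonymitySet: set,
    combinedBits: Math.log2(population.length / set),
  };
}

const population = buildPopulation();
const hardened = population[0]; // canvas blocked, battery API disabled
const stock = population[100];  // default settings, canvas readable

console.log("hardened:", report(population, hardened));
console.log("stock:   ", report(population, stock));
```

In this constructed population the disabled battery API is a rare value and costs bits on its own, yet the stock browser is still the more identifiable one because its canvas hash is unique.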

------
anexprogrammer
Colour me unsurprised. Disappointed though.

I'm glad I disabled WebRTC when I first discovered it could be used to expose
local IP on a VPN.

These "extension" technologies should all be optional plugins. Preferably
install on demand, but a simple, obvious way to disable would be acceptable.
(ie more obvious than about:config)

Not a great deal can be done about font metrics other than my belief that
websites shouldn't be able to ferret around my fonts to see what I have. Not
like it's a critical need for any site.

~~~
moron4hire
What would anyone do with your internal network IP?

Having these features as optional plugins means they are basically impossible
to count on having in the basic web platform, meaning you're going to fight a
losing battle to gain adoption for any applications that need them.

And the open web platform is the only platform right now that is enabling
developers to create cross-platform applications outside of the restrictions
of walled-garden app stores.

~~~
anexprogrammer
Not just internal network IP, but also public IP. There were quite a few test
sites popped up when the issue came to light.

> Having these features as optional plugins means they are basically
> impossible to count on having

Funny. Didn't seem to prevent flash, acrobat or others becoming extensively
adopted. If I want browser video chat I can install WebRTC etc.

If the cost of having that universal platform is compromising everyone's
privacy, on any site that wants to check, it's not a fair or acceptable trade.

Seems to me we have this ass backwards.

~~~
moron4hire
You know every site you ever go to sees your public IP, right?

Seems to me you're just being paranoid.

~~~
anexprogrammer
Not when connected to a VPN, they should see the vpn public IP. The issue was
that WebRTC enabled snooping on ISP-provided IP whilst on a VPN.

See [https://github.com/diafygi/webrtc-ips](https://github.com/diafygi/webrtc-ips) or
[https://www.purevpn.com/blog/disable-webrtc-in-chrome-and-fi...](https://www.purevpn.com/blog/disable-webrtc-in-chrome-and-firefox-to-protect-anonymity/)

------
jimktrains2
NoScript is an all-or-nothing approach. Are there any JS-blockers that allow
API-level blocks?

~~~
phaer
If you use Firefox or Iceweasel, you can disable most of those apis in
about:config or user.js. For example, media.peerconnection.enabled = false, to
disable WebRTC. dom.battery.enabled = false for battery, etc.
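
A check for the user.js approach described above, as an added example rather than code from the thread: it parses `user_pref` lines and reports which of the prefs named in this thread are not set to false. The sample file content is constructed, the helper names are hypothetical, and whether each pref still exists in a current Firefox build is not checked.

```javascript
// Pref names quoted in this thread; the commenters set each one to false.
const THREAD_PREFS = [
  "dom.battery.enabled",
  "device.sensors.enabled",
  "dom.vibrator.enabled",
  "dom.enable_performance",
  "dom.network.enabled",
  "toolkit.metrics.ping.enabled",
  "dom.gamepad.enabled",
  "media.peerconnection.enabled",
];

// Constructed sample user.js content (not anyone's real profile).
const SAMPLE_USER_JS = `
// privacy overrides
user_pref("dom.battery.enabled", false);
user_pref("device.sensors.enabled", false);
// user_pref("dom.vibrator.enabled", false);
user_pref("media.peerconnection.enabled", false);
/* parked for now:
user_pref("dom.network.enabled", false);
*/
user_pref("media.peerconnection.enabled", true);
user_pref("dom.gamepad.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
`;

// Parse user_pref("name", value); lines into a Map of name -> value.
// Commented-out lines are ignored. This example treats a later line for
// the same pref as replacing an earlier one.
function parseUserPrefs(text) {
  const prefs = new Map();
  const withoutBlocks = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const prefLine =
    /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const raw of withoutBlocks.split(/\r?\n/)) {
    const m = prefLine.exec(raw);
    if (!m) continue; // blank, // comment, or not a pref line
    const literal = m[2];
    let value;
    if (literal === "true" || literal === "false") value = literal === "true";
    else if (literal.startsWith('"')) value = JSON.parse(literal);
    else value = Number(literal);
    prefs.set(m[1], value);
  }
  return prefs;
}

// Status per pref: "off" (set to false), "on" (set to anything else),
// or "unset" (no active line, so the browser default applies).
function auditPrefs(text, names = THREAD_PREFS) {
  const prefs = parseUserPrefs(text);
  return names.map((name) => {
    if (!prefs.has(name)) return { name, status: "unset" };
    return { name, status: prefs.get(name) === false ? "off" : "on" };
  });
}

// Names that still need attention.
function notDisabled(text, names = THREAD_PREFS) {
  return auditPrefs(text, names)
    .filter((r) => r.status !== "off")
    .map((r) => r.name);
}

for (const { name, status } of auditPrefs(SAMPLE_USER_JS)) {
  console.log(status.padEnd(6), name);
}
```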

~~~
cichli2
Or you could use the privacy settings addon, which adds a toolbar button to
enable/disable most of those settings.

~~~
cm3
While that works, it's reset whenever you clear your history and data
completely. Isn't there a way to whitelist this in user.js permanently?

------
cptskippy
All of this makes me wonder how some of these interfaces should be more
closely guarded by the user agent.

Perhaps instead of a site probing for capabilities, they should instead
publish a list of what the site/page can leverage and what it absolutely needs
to work. Maybe meta tags in the head or something like the robots.txt.
Browsers can then pull the list and present it to the end user for white-
listing.

You could have a series of tags similar to noscript to decorate broken
portions of sites if you wanted to advertise missing features to users and,
based on what features they chose to enable/disable for the site, the browser
would selectively render them.

~~~
maxerickson
Users don't want to do this though.

I mean, how many people are dealing with the hassle of noscript? That's
probably most of the users that are going to do anything other than tell the
browser to stop asking questions.

~~~
cptskippy
Users are familiar with managing permissions, they do it all of the time.
Users have to manage location services and the camera in browser. iOS and
Android also prompt for access to resources.

Why is it unrealistic to expect the same for other interfaces like audio,
video, WebRTC, and other potentially exploitable functionality?

~~~
recursive
Most permission management most users do is click the "accept" button when
installing an app without reading anything on the list. I don't see how that
helps.

------
kardos
So given this information, how can we poison the results that the trackers
get?

~~~
englehardt
There have been a couple plugins which try to address this question: Chameleon
([https://github.com/ghostwords/chameleon](https://github.com/ghostwords/chameleon)),
which is still in early stages, and FireGloves
([https://fingerprint.pet-portal.eu/?menu=6](https://fingerprint.pet-portal.eu/?menu=6)), which was
built by a research group (not sure it's still supported).

Also a great paper on this topic:
[http://research.microsoft.com/pubs/209989/tr1.pdf](http://research.microsoft.com/pubs/209989/tr1.pdf)

------
codedokode
Some methods of fingerprinting are probably used to distinguish between real
users and bots. Bots can use patched headless browsers that are masqueraded as
desktop browsers (for example as latest Firefox or Chrome running on Windows).
Subtle differences in font rendering or missing audio support can be useful to
detect underlying libraries and platform. Hashing is used to hide exact
matching algorithm from scammers.

There are a lot of people trying to earn on clicking ads with bots.

Edit: and by the way disabling JS is an effective method against most of the
fingerprinting techniques.

~~~
dsl
As someone who has written code to detect bots, exactly this. We don't care
about fingerprinting the user, we care about fingerprinting to verify the user
agent you claim to be.

------
wodenokoto
What annoys me the most is how many useless cycles these trackers use to track
me.

------
MichaelGG
WebRTC guys get around this by stating fingerprinting is game over, so don't
even bother. They ignore that they are going against the explicitly defined
networking (proxy) settings. Browsers are complicit in this. If the
application asks "should I use a proxy", then ignores it, silently, wherever
it wants, that's deceptive and broken.

There's still zero (0) use cases to have WebRTC data channels enabled in the
background with no indicator.

If all these APIs are added, the web will turn into a bigger mess than it is.
They can't prompt for permissions too much. So they'll skip that, like WebRTC
does.

------
ape4
Seems like browsers should ask the user's permission to use these html5
features. Then whitelist. For example, a site that does nothing with audio
should be denied access to the audio stack.

------
pjc50
I think it's time for HTML--, which would contain no active content at all and
simply be a reflowable document display format.

~~~
xg15
So basically AMP minus the Google-sourced JS...

~~~
manigandham
...which is just HTML then.

------
aub3bhat
There is an acceptable tradeoff between pseudo anonymous access through
browsers vs non-anonymous access through native apps.

To interpret this research as reason for crippling web or browsers would be a
giant mistake. Crippling browsers will only work against users, who will be
then forced into installing apps by companies.

Two popular shopping companies in India exactly did this, they completely
abandoned their websites and went native app only. This combined with large
set of permission requested by apps led to worse experience in terms of
privacy for consumers. As the announcement for Instant Apps at Google I/O
demonstrates, web as an open platform is in peril and its demise will be only
hastened by blindly adopting these types of recommendations.

Essentially web as open platform will be destroyed in the name of perfect
privacy. Only to be replaced by inescapable walled gardens. Rather consider
that web allows a motivated user to employ evasion tactics, while still
offering usability to those who are not interested in privacy. While with
native apps where Apple needs a credit card on file to install, offer no such
opportunity.

I am happy that Arvind (author of the paper) in another comment recommends a
similar approach:

""" Personally I think there are so many of these APIs that for the browser to
try to prevent the ability to fingerprint is putting the genie back in the
bottle. But there is one powerful step browsers can take: put stronger privacy
protections into private browsing mode, even at the expense of some
functionality. Firefox has taken steps in this direction
[https://blog.mozilla.org/blog/2015/11/03/firefox-now-offers-...](https://blog.mozilla.org/blog/2015/11/03/firefox-now-offers-..).
Traditionally all browsers viewed private browsing mode as protecting against
local adversaries and not trackers / network adversaries, and in my opinion
this was a mistake. """

[https://news.ycombinator.com/item?id=11730373](https://news.ycombinator.com/item?id=11730373)

~~~
crdb
> Two popular shopping companies in India exactly did this, they completely
> abandoned their websites and went native app only. This combined with large
> set of permission requested by apps lead to worse experience in terms of
> privacy for consumers.

I'm surprised nobody has commented on your comment yet. I was in a meeting
just this morning where my interlocutor assured me that over 70% of
advertising in 10 years will be native apps since everything else is getting
blocked or abandoned (and presenting it as an opportunity to do all the stuff
you "can't do anymore" on browser).

------
makecheck
Over 3,000 top sites using the font technique, and from the description this
sounds really wasteful (choosing and drawing in a variety of fonts for no
reason other than to sniff out the user).

Each font is probably associated with a non-trivial caching scheme and other
OS resources, not to mention the use of anti-aliasing in rendering, etc. So a
web page, doing something you don’t even want, is able to cause the OS to
devote maybe 100x more resources to fonts than it otherwise would?

A simple solution would be to set a hard limit, such as “4 fonts maximum”, for
any web site; and, to completely disallow linked domains from using more.

------
cdnsteve
After reading this it makes me want to disable JavaScript entirely, along with
cookies, and go back to text browsing. I've been using Ghostery on my phone,
it's been pretty good.

~~~
kowdermeister
I'd say that's pretty needless. I run ghostery and ABP simultaneously and they
do a great job catching these trackers.

The downside of having no JS compared to accidentally getting fingerprinted
is a no brainer for me. Modern web is pretty useless without JS for me.

------
wyldfire
Whoa, what's the use case for exposing battery information?

~~~
erlichmen
Some applications want access to the battery info as they might want to disable
some functionality in case your battery runs low. It would be smarter if
instead of giving exact battery level it will get a callback once the battery
runs low.

~~~
raarts
The Great Suspender is an example of this. Auto-sleeps browser tabs when on
battery.

[https://chrome.google.com/webstore/detail/the-great-suspende...](https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg?hl=en)

~~~
cpeterso
Sharing the battery information with a browser extension seems reasonable, but
are there any websites that actually use the battery information for
legitimate user benefit?

------
radicalbyte
Of course this is something you do. Throw it together with all of the other
information you can glean from a browser (referrer, ip) and you can get a
match with a very high confidence level.

Shops can do the same with baskets, you find that people are either identified
by one very rare feature which reoccurs often or their little graph of 4-5
items which correlate 99% to them.

------
buremba
All these things make the websites the new apps. Most probably we won't need
to use many desktop applications a few years later.

~~~
cptskippy
That's the line Apple took with iOS shortly before it introduced the App
store. Mozilla, Palm/HP, and even Microsoft with its Win 8 Metro Apps tried
to make websites the new apps. It has some shortcomings.

Web apps are definitely getting better, I haven't used an actual email client
in 10 years, but they have a long way to go before they can replace dedicated
clients entirely.

~~~
metasean
> Web apps are definitely getting better, ... but they have a long way to go
> before they can replace dedicated clients entirely.

And yet, just yesterday there was a great discussion on Virtual Desktop
Infrastructures, where entire operating systems are accessed and operated
virtually through just the browser [0].

The current top comment indicates that while there are some setup hoops to
jump through to use a specific OS, the performance itself "works very well"
[1]. Does this not qualify as a web app replacing a client entirely?

[0]
[https://news.ycombinator.com/item?id=11721466](https://news.ycombinator.com/item?id=11721466)
[1]
[https://news.ycombinator.com/item?id=11722141](https://news.ycombinator.com/item?id=11722141)

~~~
dceddia
That doesn't sound too far from Desktop Computing as a Service. It will be a
sad day when I have to pay $9/month to be able to log into my desktop.

~~~
metasean
I mostly agree.

Ideally I'd like to have a minimal OS and file set on my local machine (for
offline and poor connectivity scenarios), that automatically syncs with my
own, encrypted cloud system, such that I can (at my own discretion) update the
OS from controlled sources (e.g. git). But I don't think there is enough
interest from others for such a system, and I'm occupied with enough other
projects that I won't be able to set up such a system.

~~~
buremba
I think that it depends on your use-case. I use Google Photos to store my
media files, Github to store application configuration & source code of my
applications, Chrome to store bookmarks, passwords, Spotify to save & listen
music etc. Even if I lost my computer now, I would easily setup my desktop
environment again.

~~~
metasean
For me, I don't use Google Photos or Spotify, I have my own local copies and
maintain my own backups.

I do use Github for some projects, but I also maintain local copies and
maintain my own backups for all my projects.

If pinboard.in ever disappeared, it'd be like losing an appendage! It might
not be as bad as losing an entire arm or leg, but its loss would be
equivalent to at least a finger or two!

------
chatmasta
If you want to see a live demo of all the ways your browser can fingerprint
you, this is a great website:
[https://www.browserleaks.com/](https://www.browserleaks.com/)

------
youaretracked
Since the original web based ad campaigns were launched we have been tracked.
Serious web analytics companies know these tactics already.

So what exactly is the research contribution being made here? What's new and
interesting?

------
id122015
I think it's similar to how Absolute Computrace rootkit identifies Android and
Lenovo devices. Each hardware component has a unique ID, like your ethernet,
bluetooth, even microphones and batteries.

------
coygui
Would it be more secure to use tor than traditional browser? The only drawback
is the longer RTT.

------
jkot
Malware filtering is needed.

~~~
rickycook
that's why we have things like ublock and ghostery; it's essentially the same

------
tomkin
Ahhh. Remember when this was just a Flash problem, and getting rid of Flash
was going to rid the world of evil?

Spoiler: that didn't happen.

~~~
CyberDildonics
Things like this happened with flash but you had no control over them since
flash was all or nothing and closed source.

~~~
tomkin
I agree with that (technical person's) perspective, but that was not the
mainline argument. Steve Jobs got on stage and said it was a hunk of battery
wasting crap that invaded your privacy. I'm saying you can make that case
regardless of your platform du jour.

------
ysleepy
Well, who would have guessed. Surprise surprise.

The web is such a shit technology.

~~~
oblio
And how would Silverlight or Java applets or Flash or any other client side
technology be better in this regard?

You have to expose capabilities and those capabilities can be used to create
an unique fingerprint based on your device.

How would you design the stack so that this kind of thing is impossible? Feel
free to use your favorite tech stack as a base.

~~~
ysleepy
How about not developing applications in the browser? It's about linked
documents. Not angular-17 MVVM async session persistence in indexdb with
websql and asm.js rendering webgl for a spinning teapot.

~~~
andybak
OK. So you get your 'document only' internet. Where do we put all the other
stuff? I have a bunch of 'non-document' websites that are essential to me now.

What happens under your new regime? Someone reimplements them all as native
apps?

The point I'm making is just because your internet is document-only please
don't assume mine or other people's are.

~~~
ysleepy
Because it is so, it must be so.

Every web app is written in perl/php, therefore we will keep using perl/php. -
What will you do, rewrite the apps? </..

internet != web.

This kludge of in-browser tech everyone is pursuing already comes with so much
suffering for the developer. But the enthusiasm to embrace garbage like
religion is just unbelievable. (yeah js everything, spotify lol)

I think the current webapp tech stack is not doing our generation justice. Yes
google has very strong interests in maintaining status quo since it dominates
it and so do many other giants. But good, user friendly and maintainable
software looks different.

Why not break the completely misused model of documents for apps? There is no
document semantics in 1000x <div> elements riddled with js callbacks.

But don't let my cynicism annoy you, it's the resignation talking. Imagine what
cool tech we would have if something was started in the 90s (no, not java
applets) and was all grown up now.

But every big company is now a walled garden provider. Just think about UI
toolkits, would spotify be in Chromeframe otherwise?

