
How Browsers’ Explanations Impact Misconceptions About Private Browsing [pdf] - nailer
https://www.blaseur.com/papers/www18privatebrowsing.pdf
======
turblety
There's a site [1][2] that shows just how bad fingerprinting can get. You
enter your name in private mode, close your browser then visit the site again
and it has remembered you.

It would be great to know exactly what percentage of visitors had your same
fingerprint. It uses clientjs [3] which I guess lets the "tracker" choose how
strict to be.

While it uses a different library, this site [4] can show just how unique you
are amongst other visitors. Again that fingerprint will not change even if you
close your browser, wipe your history, restart your computer, etc.

1. [https://www.nothingprivate.ml/](https://www.nothingprivate.ml/)

2. [https://github.com/gautamkrishnar/nothing-private](https://github.com/gautamkrishnar/nothing-private)

3. [https://github.com/jackspirou/clientjs](https://github.com/jackspirou/clientjs)

4. [https://amiunique.org/fp](https://amiunique.org/fp)

~~~
craftyguy
Since I roll with JS disabled everywhere except a few sites I trust, I get an
eternal "Loading... please wait...". Fingerprinting defeated, or just defeated
fingerprinting 'test'?

~~~
code_duck
Of course they need to use JavaScript to fingerprint you to test JavaScript
fingerprinting. As far as whether they keep the information for themselves,
since it’s client side, you could potentially audit that.

~~~
craftyguy
I was under the impression that browsers could be fingerprinted in other ways
that didn't require JS.

------
nailer
From 4.5.1

> A surprising 56.3% of participants believed that even while a user was
> logged into a Google account, their search queries would not be saved while
> in private mode. The large majority of participants (144) believed this to
> be the case because private mode does not save search histories, conflating
> the browser’s local history with Google’s.

~~~
dfee
I first read your comment as: Google associates your browsing history with
your Google account when you're not logged in and using private browsing.

They can definitely tell it’s the same user who just opened a new private tab,
but they’re not saving that, right?

~~~
dspillett
_> but they’re not saving that, right?_

If you are logged into your Google account in the "private" session, your
private session will carry session-level data (i.e. Google's cookies) that will
persist until the last private window is closed and that data can _and will_
be associated with your account.

So if you are logged in to Google, even in a private window, they will be
tracking you through any and all of their properties. If you don't want to be
tracked as you in private windows, don't log in as you in private windows.

This part isn't the doing of Google (or anyone else in their position), it is
by browser design. Browsers do what they can to make it difficult to detect the
difference between normal and "private" windows, so all Google can reliably
detect is that at the start of the private session you have no Google cookies,
which is the same behaviour as if you had moved to using a fresh new browser
(in private mode or not). It _is_ currently possible to work out that you are
in private mode in many browsers using various tricks (some browsers/versions
disable cookies in private mode in a manner detectable via
navigator.cookieEnabled, some disable all local storage options in a way that
can be detected by exceptions firing when you try to use them, some disable
service workers, ...) but none of these tricks are 100% reliable (even, I
suspect, if you try to use them all) and may all become 100% unreliable at a
later date. _If they can't reliably detect you are in a private window, then
they can't reliably turn off tracking of your logged-in activity in private
windows._

 _> They can definitely tell it’s the same user who just opened a new private
tab_

This is a slightly different matter. Here the link may contain information
that can be used to pollute the private island. So they know opening that
advert link in a private window was done by you because the URL contains a
code that was only given out to you (in a non-private window). But again, if
they can't reliably detect the privacy settings they can't be expected to do
anything about them.

 _> Google associates your browsing history with your Google account when you're
not logged in and using private browsing._

This could partly be the case, though not in a practically avoidable manner.
This is the problem because people will assume that Google and their ilk
_can't_ continue to track you, not that it is difficult to know they should
stop tracking you, when you do something like right-click-open-in-private-tab.
The trick is to never log into your account in a private window and never
follow links from non-private windows in private ones (without verifying they
don't carry personal/session data first), but try explaining that to the
average user who barely knows what a cookie is.

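The private-window detection tricks listed in the comment above (cookies reported off, storage that throws on write, service workers absent), written out as an added example. This is not code from the thread or from any browser vendor; the probe functions, signal names and the two-signal threshold are my own choices, and the sample environments at the bottom are constructed stand-ins so the code runs outside a browser. The point it makes is the one in the comment: any single signal has innocent explanations, so a site cannot reliably decide to stop tracking on this basis.

```javascript
// Added example (not from the thread or any browser vendor): the
// private-window heuristics the comment lists, as probes over an
// injected `env` object. Pass `window` in a browser; the constructed
// stand-ins below let it run offline in Node. None of these signals
// is reliable on its own, and all may stop working in future versions.

function probeCookies(env) {
  // Some browsers/versions report cookies as off inside private windows.
  const nav = env.navigator || {};
  return nav.cookieEnabled === false ? "cookies-disabled" : null;
}

function probeLocalStorage(env) {
  // Some browsers make localStorage missing, or throw on write, in private mode.
  try {
    const ls = env.localStorage;
    if (!ls) return "localstorage-missing";
    const key = "__pm_probe__";
    ls.setItem(key, "1");
    ls.removeItem(key);
    return null;
  } catch (e) {
    return "localstorage-throws";
  }
}

function probeServiceWorker(env) {
  // Some private modes expose no navigator.serviceWorker at all.
  const nav = env.navigator || {};
  return "serviceWorker" in nav ? null : "serviceworker-missing";
}

// Run every probe and keep the signals that fired.
function privateModeSignals(env) {
  return [probeCookies, probeLocalStorage, probeServiceWorker]
    .map((probe) => probe(env))
    .filter((signal) => signal !== null);
}

// Turn signals into a guess. A single signal has innocent explanations
// (a user who switched cookies off, an old browser without service
// workers), so this demands two, and it is still only a guess: a site
// that flipped tracking off on this basis would get it wrong both ways.
function guessPrivateMode(env) {
  const signals = privateModeSignals(env);
  return { signals, likelyPrivate: signals.length >= 2 };
}

// Constructed stand-ins for running without a browser.
function workingStorage() {
  const store = new Map();
  return {
    setItem: (k, v) => store.set(k, String(v)),
    removeItem: (k) => store.delete(k),
  };
}
function throwingStorage() {
  return {
    setItem() { throw new Error("QuotaExceededError"); },
    removeItem() {},
  };
}

const NORMAL_ENV = {
  navigator: { cookieEnabled: true, serviceWorker: {} },
  localStorage: workingStorage(),
};
// Behaves like an older private window: cookies off, storage throws, no SW.
const OLD_PRIVATE_ENV = {
  navigator: { cookieEnabled: false },
  localStorage: throwingStorage(),
};
// A normal window whose user simply disabled cookies: one signal, no verdict.
const COOKIES_OFF_ENV = {
  navigator: { cookieEnabled: false, serviceWorker: {} },
  localStorage: workingStorage(),
};

// In a real page: guessPrivateMode(window)
```

The COOKIES_OFF_ENV case is the reason the verdict is weak: it produces the same "cookies-disabled" signal as a private window, and a site that used it to switch tracking off would be guessing, exactly as the comment says.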
~~~
tialaramex
"so they know opening that advert link in a private window was done by you
because the URL contains a code that was only given out to you (in a non-
private window)"

Nope. See, people are idiots and in this case that helps us. They absolutely
will paste that URL (with the code in it) into an email to grandma, or their
Slack channel, or Hacker News.

Now, Google _could_ try to figure out what happened here, and guess if it's
still you to fill out the profile - but that would always be somewhat
inaccurate, and it's also evil, so between those two factors it's not a huge
surprise that they don't do this.

One thing Mozilla has done more recently in Firefox is make available a
"Facebook container" extension, which isolates Facebook inside its own
session. So whenever you follow a Facebook bookmark, or tab-complete it in the
URL bar, or whatever, you get a tab that's inside this special session where
it's logged into Facebook, but your other tabs aren't. So Facebook can't
correlate your non-Facebook activity to Facebook activity. None of this works
if you use the "Login with Facebook" feature on other websites, but too bad,
might as well have labelled that "I hate privacy" when it was invented anyway.

~~~
dspillett
_> people ... will paste that URL (with the code in it) into an email to
grandma, or their Slack channel, or Hacker News. Now, Google _could_ try to
figure out what happened here,_

In all those other cases there is likely to be a significantly larger delay
between the link being generated and it being followed. So while it isn't 100%
reliable they could correctly guess if it is you, or someone else you have
passed the link to, significantly more often than not. Especially because, of
the potentially many signals they get from a given link, the person it was
initially generated for is likely to be the first to follow it.

------
lhuser123
I’m curious about Brave browser’s fingerprinting protection. Does that really
work? Let’s say I combine that with a VPN, private browsing, tracking
protection, and other protections provided by the browser except disabling
scripts, would Google still be able to track me?

------
badrabbit
A quote I read a while ago: "Good UI is like a joke, if you have to explain it
then it's bad"

I've always felt browser security and privacy UI should be more obvious and
verbose with the ability to view increased verbosity as needed. Ideally an
average user should be able to view messages pertaining to privacy and
security-related events on the page in plain English with increasing verbosity
and this format would be a cross-browser standard.

------
wjdp
It doesn't handle screen rotation, so I have two identities? Mr Portrait and
Mr Landscape
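
An added example covering two points from the thread: turblety's observation that an attribute fingerprint survives closing the browser, wiping history and restarting (nothing is stored on the client, it is recomputed from navigator/screen each visit), and wjdp's "Mr Portrait and Mr Landscape" problem, where a naive fingerprint that includes raw screen.width and screen.height splits one phone into two visitors. This is not code from the thread, from clientjs or from amiunique; the attribute set, the FNV-1a hash (chosen only for brevity), the `orientationInvariant` option and the sample devices are all my own constructions.

```javascript
// Added example, not code from the thread or from clientjs/amiunique:
// a minimal attribute fingerprint, plus the orientation normalisation
// that stops one phone from appearing as two visitors.

// FNV-1a 32-bit, chosen for brevity; the particular hash is irrelevant.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Attributes read from navigator/screen. None of them live in cookies,
// history or storage, which is why clearing those changes nothing.
function collectAttributes(env, opts = {}) {
  const { navigator: nav, screen: scr } = env;
  // Rotating a phone swaps screen.width and screen.height. Sorting the
  // pair keeps the same "short x long" value in both orientations.
  const dims = [scr.width, scr.height];
  if (opts.orientationInvariant !== false) dims.sort((a, b) => a - b);
  return {
    userAgent: nav.userAgent,
    language: nav.language,
    platform: nav.platform,
    cores: String(nav.hardwareConcurrency),
    screen: dims.join("x"),
    colorDepth: String(scr.colorDepth),
    tzOffset: String(env.timezoneOffset),
  };
}

// Hash the attribute list into one short identifier.
function fingerprint(env, opts) {
  const attrs = collectAttributes(env, opts);
  const material = Object.keys(attrs).map((k) => `${k}=${attrs[k]}`).join("|");
  return fnv1a32(material);
}

// Which attributes differ between two environments: this is how you
// diagnose why the same device got two identities.
function differingAttributes(envA, envB, opts) {
  const a = collectAttributes(envA, opts);
  const b = collectAttributes(envB, opts);
  return Object.keys(a).filter((k) => a[k] !== b[k]);
}

// For a real page: fingerprint(envFromWindow(window)).
function envFromWindow(w) {
  return {
    navigator: w.navigator,
    screen: w.screen,
    timezoneOffset: new Date().getTimezoneOffset(),
  };
}

// Constructed sample devices (not real captures).
const PHONE_PORTRAIT = {
  navigator: {
    userAgent: "Mozilla/5.0 (constructed phone UA)",
    language: "en-GB",
    platform: "Linux armv8l",
    hardwareConcurrency: 8,
  },
  screen: { width: 412, height: 915, colorDepth: 24 },
  timezoneOffset: 0,
};
// Same phone, rotated: only width/height are swapped.
const PHONE_LANDSCAPE = {
  ...PHONE_PORTRAIT,
  screen: { width: 915, height: 412, colorDepth: 24 },
};
// A different user with an otherwise identical device.
const OTHER_PHONE = {
  ...PHONE_PORTRAIT,
  navigator: { ...PHONE_PORTRAIT.navigator, language: "de-DE" },
};
```

With `orientationInvariant: false` the portrait and landscape samples hash to different values and `differingAttributes` reports only `screen`; with the default normalisation they collapse to one identity, while OTHER_PHONE still differs on `language`. The same idea applies to any attribute that legitimately flips on one device: either normalise it or leave it out, at the cost of a slightly less unique fingerprint.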

