
Browser Fingerprinting: A Survey - Anon84
https://arxiv.org/abs/1905.01051
======
paulus_magnus2
[https://en.wikipedia.org/wiki/Stalking](https://en.wikipedia.org/wiki/Stalking)

Stalking is unwanted and/or repeated surveillance by an individual or group
towards another person.[1] Stalking behaviors are interrelated to harassment
and intimidation and may include following the victim in person or monitoring
them. The term stalking is used with some differing definitions in psychiatry
and psychology, as well as in some legal jurisdictions as a term for a
criminal offense.

This should also apply in the digital world. Doesn't it?

~~~
closeparen
Noticing and remembering people's faces, clothes, tics, etc. when they walk up
to you and interact is not stalking.

~~~
Panino
That is a fair point, for sure. But I don't think it's the whole story.

What about this: Noticing and remembering people's faces, clothes, tics, etc.
when they walk up to you. Also you have blanketed the planet in cameras that
all feed back to a giant database that builds a detailed dossier on almost
everyone, based on faces, clothes, tics, etc.

The way you put it sounds almost accidental, like no effort was made, with no
real goal in mind. That's not a faithful analogy of the pervasiveness of
Google Analytics, Facebook buttons, etc.

~~~
dwild
Stalking is toward another person; that person is specific, and it's
voluntarily directed towards that person.

------
wongarsu
According to the paper the most useful attributes for browser fingerprinting
are:

- User agent

- List of Plugins

- Screen resolution and color depth

- Canvas

- WebGL Renderer (~GPU Model)

Maybe Canvas can be fixed to a degree, but the others feel like things that
will inherently be different. Firefox with the privacy.resistfingerprinting
setting solves all of these at least partially (and more), but not without
some usability tradeoffs.

~~~
Jonnax
Browser plugins really need to go away. If it's not implementable normally
then it shouldn't be on the web. In my opinion at least.

GPU models also should not be given, browsers need to abstract features and
performance into something else. Like if I'm writing a WebGL app, I should
just be able to test a few baselines configs.

User agent is a tricky one, Chrome on Android gives too much info because it's
built by an advertising company.

~~~
Ajedi32
Is there any reason why we couldn't have all browsers on all platforms use the
same user agent header? I realize some sites use the user agent as a crude
form of feature detection, but it's my understanding that that's generally
considered to be bad practice.

~~~
dumbmatter
Sometimes there are browser bugs that are impossible to do feature detection
for, in which case you have no better option than looking at the user agent.

For instance, several versions of Firefox had a serious bug in shared workers,
which appeared intermittently when users opened your site in multiple tabs
[https://stackoverflow.com/questions/51092596/feature-detection-for-firefox-57-shared-worker-bug](https://stackoverflow.com/questions/51092596/feature-detection-for-firefox-57-shared-worker-bug)
- I had to use the user agent to work around this.

~~~
EastSmith
Sure, this is a fair use case. But then can't the browser tell the end user
that someone wants to read this browser data so the user has a chance to say
"no"?

~~~
dredmorbius
Changing user-agent is virtually always possible, though a vanishingly small
fraction of users will do so.

Bundling into adblockers or browsers directly would help.

------
titzer
I've given up on technological solutions to this. We need a "do not track" bit
for browsers and it needs to carry the weight of law behind it. Violators need
to be named, shamed, and fined.

~~~
gregw134
Ironically, the do not track setting itself can be used in browser
fingerprinting.

~~~
55555
In fact, it is _primarily_ used as a point of entropy for tracking, and does
almost nothing to prevent tracking, so all-in-all it's a huge net negative.
And because it's mostly turned off, turning it on to be tracked less actually
causes you to be tracked more.
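
To make the entropy argument concrete, here is an added example (not from the thread or the surveyed paper) that measures, over a small constructed sample of fingerprints, how much each attribute from wongarsu's list narrows the anonymity set, and why a rarely enabled Do Not Track flag makes its holder stand out rather than blend in. All attribute values and the sample itself are constructed for illustration, not real measurements.

```python
from collections import Counter
from math import log2

# Constructed sample of browser fingerprints (not real measurements). Keys mirror
# attributes discussed above: user agent, plugin list, screen geometry, DNT flag.
SAMPLE = [
    {"ua": "Firefox/66 Linux", "plugins": (), "screen": "1920x1080x24", "dnt": 0},
    {"ua": "Firefox/66 Linux", "plugins": (), "screen": "1920x1080x24", "dnt": 0},
    {"ua": "Firefox/66 Linux", "plugins": (), "screen": "1920x1080x24", "dnt": 0},
    {"ua": "Firefox/66 Linux", "plugins": (), "screen": "1920x1080x24", "dnt": 1},
    {"ua": "Chrome/74 Windows", "plugins": ("PDF",), "screen": "1920x1080x24", "dnt": 0},
    {"ua": "Chrome/74 Windows", "plugins": ("PDF",), "screen": "1366x768x24", "dnt": 0},
    {"ua": "Chrome/74 Windows", "plugins": ("PDF", "Flash"), "screen": "1366x768x24", "dnt": 0},
    {"ua": "Chrome/74 Windows", "plugins": ("PDF",), "screen": "1920x1080x24", "dnt": 0},
    {"ua": "Safari/12 macOS", "plugins": (), "screen": "2560x1440x24", "dnt": 0},
    {"ua": "Safari/12 macOS", "plugins": (), "screen": "2560x1440x24", "dnt": 0},
]

def attribute_entropy(records, key):
    """Shannon entropy (bits) of one attribute across the sample: how much a
    tracker learns on average from reading that attribute alone."""
    n = len(records)
    counts = Counter(r[key] for r in records)
    return -sum(c / n * log2(c / n) for c in counts.values())

def rank_attributes(records):
    """Attributes ordered from most to least identifying."""
    return sorted(((k, attribute_entropy(records, k)) for k in records[0]),
                  key=lambda kv: kv[1], reverse=True)

def anonymity_set(records, keys, target):
    """Number of sampled browsers indistinguishable from `target` when a
    tracker combines the given attributes (1 means uniquely identified)."""
    return sum(1 for r in records if all(r[k] == target[k] for k in keys))

def unique_fraction(records, keys):
    """Share of browsers that are unique on the combined attributes."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return sum(1 for c in groups.values() if c == 1) / len(records)

if __name__ == "__main__":
    base = ("ua", "plugins", "screen")
    dnt_user = SAMPLE[3]  # the one Firefox user who switched DNT on
    for k, h in rank_attributes(SAMPLE):
        print(f"{k:8s} {h:.2f} bits")
    print("anonymity set without DNT:", anonymity_set(SAMPLE, base, dnt_user))
    print("anonymity set with DNT:   ", anonymity_set(SAMPLE, base + ("dnt",), dnt_user))
```

In this sample the DNT flag carries under half a bit on its own, yet because only one browser sets it, that browser drops from an anonymity set of four to being uniquely identified.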

~~~
titzer
Exactly, this is why it needs the force of law behind it.

------
Santosh83
Can the major browser vendors not get together and implement a set of standard
values and defaults that can be activated to reduce one's fingerprint, at
least enough to make it non-unique? Something like what Tor Browser does but
expanded to include all the major browsers. The way is open, the question is
if there is will.

~~~
wongarsu
You can have what Tor browser does by using Firefox and setting
privacy.resistfingerprinting in about:config. But be prepared to solve a lot
of recaptchas, and don't hold your breath on Google implementing something
similar in Chrome. Google is still an adtech company. They didn't spend
millions (if not billions) on making and promoting Chrome only to support
fingerprint resistance.

~~~
muxator
Maybe a minor nuisance (probably major for some): with
privacy.resistfingerprinting, WhatsApp web does not even allow authentication.

------
overcast
Out of curiosity, how are you guys handling anonymous user actions without
fingerprinting? For example if you want to setup a user poll, without
requiring a user account? Storing it in a cookie can just be deleted, which
the agent can just clear and resubmit.

~~~
TheAceOfHearts
Fingerprinting is not an effective deterrent either, as you can just open a
different browser. The user could also have multiple devices with internet
access.

You could use IP address, although that only works if the user isn't on a
public / shared network. It's also easily bypassed by spinning up a VM on a
cloud service provider and using an SSH tunnel.

Since you used polls as an example: StrawPoll.me [0] is an online poll site
which lets you select different duplication checks based on your requirements.
The choices are: IP, browser cookie, none, or require user sign in. They also
give you an option to add a CAPTCHA.

[0] [https://www.strawpoll.me/](https://www.strawpoll.me/)

~~~
OrgNet
I can change my semi-static IP address whenever I want by spoofing my router's
MAC address (Comcast).

------
bfirsh
If you’re on a phone, here’s a web version: [https://www.arxiv-vanity.com/papers/1905.01051/](https://www.arxiv-vanity.com/papers/1905.01051/) (now with linked citations!)

------
user17843
It looks like the prevalence is low and it can easily be blocked with blocking
the scripts in question.

Nevertheless, what needs to happen is that all major browser makers come
together and simply create a set of standard API values that do not harm daily
browsing and make it possible for users to blend in with the masses, if they
opt-in to activate

It would be sufficient to create a couple of uniform user agents, list of
fonts, list of plugins, canvas hash, platform and webgl data to bring the
uniqueness down.

~~~
viseztrance
There are SaaS companies that have their entire business model around creating
databases of fingerprints - for example determining bots. These scripts track
you over multiple websites and are very well concealed, so you won't find them
on any ad blocker blacklist.

Also, living in the EU won't protect you from getting fingerprinted.

~~~
user17843
Why do the studies referenced in the above study only show a very low <1%
prevalence? Do they omit the "good fingerprinters"?

~~~
viseztrance
I don't think so. A good fingerprinter will use a honeypot - an easy to detect
fingerprinting script in addition to the real one.

------
FabHK
Is anyone aware of fingerprinting mitigation (extensions?) for Safari on
macOS? I'd rather not abandon Safari.

------
harryking
Well, a nice initiative I would say.

------
badrabbit
Can anyone with a legal background explain to me why I can't file a
restraining order that prevents companies from stalking me online?

Primarily for companies that develop shadow profiles of users but also
companies like google and cloudflare where their tracking is a result of an
opt-in by the site operator.

Would it be difficult to prove I am in fear (rational) as a result of their
stalking?

~~~
Erik816
I don't believe you can get a restraining order against a company (just an
actual person). You would ask for injunctive relief, which is basically the
court telling the company not to do something, in this case, tracking you
online.

I'm not aware of the law in this area. I'm a lawyer, and I could at least see
a plausible argument, but the only way to know for sure would be to try to sue
them, or find other cases where someone has successfully done so.

------
amelius
Can't we give penalties to companies that use fingerprinting scripts (or
include them by third parties)?

I'd like to see an organization that checks for this, and gives fines, and
perhaps even withdraws the right to use a domain name. And I'd like to see
more responsibility with site owners for using third party code.

By the way, I think a withdrawal of the right to use a name (brand) is a very
appropriate way to penalize serious privacy violations. Brands are all about
customer trust, and if that trust is violated, then it seems to me only fair
that the right to use a name is taken away.

~~~
user17843
One of the referenced studies (1-million study with OpenWPM, the most recent
from 2016) notes that the usual fingerprinting scripts have basically
disappeared since a public outcry and media attention following a lawsuit.

Prevalence:

- 1.4% for canvas fingerprinting

- 0.325% for canvas font probing

- 0.0715% for WebRTC

- 0.0067% for AudioContext

The above were found only on the most shady of all websites, and good content
blockers block all those scripts.

My bet is GDPR was the death blow for this kind of script. For small
companies without a room full of lawyers, data has become a liability.

So fingerprinting is now basically in the hands of google, amazon, etc.

~~~
mobjack
Browser fingerprinting has been overhyped and is not a reliable method of
tracking.

If it was useful, it would be much more prevalent but too many people have the
same fingerprint.

IP address is a better method of tracking for comparison.

~~~
user17843
It is not in use because it's basically illegal, and due to reliance on
JavaScript, a simple script blocker can take down your entire business.

The industry used fingerprinters, but for one it didn't really help them make
more money (because you want to track users, not systems), and there was a big
backlash.

