K
Story
The privacy nightmare of browser fingerprinting
Some time ago I noticed that in Chrome, every time you click "Never translate $language", $language quietly gets added to the Accept-Language header that Chrome sends to every website!

My header ended up looking like a permuted version of this:

  en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6
I never manually configured any of those extra languages in the browser settings. All I had done was tell Chrome not to translate a few pages on some foreign news sites. Chrome then turned those one-off choices into persistent signals attached to every request.

I'd be surprised if anyone in my vicinity share my exact combination of languages in that exact order, so this seems like a pretty strong fingerprinting vector.

There was even a proposal to reduce this surface area, but it wasn't adopted:

https://github.com/explainers-by-googlers/reduce-accept-lang...

This is a problem, that the software will try to guess what you mean by such things like this (it is not specific to this feature, but other features of computer programs in general; this is one specific case of that). Just because you do not want it to translate such a language (or any other langage) automatically does not necessarily mean that you can read it or that you want to request documents written in that language. Fingerprinting is not the only issue with this.
Is Chrome trying to assume that, since you don’t want it to translate those pages/languages, that you can read them/want them in your header? Interesting
I'd read it more generously than that. I think Chrome trying to stop the server choosing the language for you. By sending an accepts-language header (which your browser does regardless of what you use; it's not a Chrome thing) the server should return the page in a language you've said you'll accept. By adding the language to what you've told Chrome not to translate, it's attempting to show you pages in languages you want.

I imagine Chrome is really adding the language to your browser preferences when you choose not to translate a page, and the HTTP client in the browser is generating request headers based on your preferred languages. A small (and largely unimportant) semantic point, but it's possible that the Google translate team weren't aware of how adding a preferred language might impact user privacy. That isn't to excuse the behaviour; they should have checked.

PSA Don't use chrome.
Translating pages is literally the only thing I use Chrome for. The built-in translation works way better than other browsers, even though they also use Google Translate.
Firefox does not use Google Translate and performs the translation locally, which works great for the most common languages out there. For the less common ones you still have to go to Google Translate, but IME it's definitely not worth changing the browser to Chrome over.
Yeah I really like the Firefox translate. A rare win for recent Firefox.
I don't really like firefox translate, despite having made the switch many years ago. For a long time it didnt have the (european) language of the country I live in. Now it does have it. Every time I want it to translate I have to manually find both languages in the insanely long dropdowns. It will not save it the way I want it, but impressively seems to manage to always save it in the other direction...
Ditching Chrome is something we need to teach everyone.

The DOJ is totally spineless and refuses to squash Google's absurd monopoly on the internet. We are literally the last line of defense, even though we really don't amount to much.

Perhaps we could start a grassroots movement.

You don’t need a grassroots movement when other movements doing this exact thing already exist. In fact it is likely counterproductive. Mozilla Foundation is the organization you want to support, or EFF.
> Mozilla Foundation is the organization you want to support

Mozilla Foundation is rudderless. I'm convinced the leadership are all Google plants who are keeping the "antitrust litigation sponge" from doing anything damaging to Chrome.

The new built-in translation in Firefox works pretty well! I never need to fallback to others, although forcing it to translate has weird UX.
There is an extension called twp or something like that for firefox. IME it is pretty good
I don’t think safari uses google translate
Sorry but you're using a Google browser and Google translation service, when excellent alternatives to both exist. What did you expect regarding privacy?

A clueless person might not know any better, but you clearly do, and also you seemingly care. So why do you use Google all the same?

PSA only use Mullvad or Tails which are set up to be as bland and uniform as possible
As uniform as possible is exactly the wrong way to go. It only takes one data point overlooked or newly discovered to make every person trying to look identical distinct. New fingerprinting techniques are being implemented all the time, so what's the point in taking chances when it's far easier to randomly change a browsers fingerprint for each site/connection making it much harder to track any one browser over time.
Except I don't want to be flagged as a bot when I'm just visiting some website in my browser. (I also don't want to be flagged as a bot when I'm scraping some website with a bot).
don't use the same browser regardless - the key is to compartmentalise.
That will just make you stand out more.
You can change the reported UA header independently of the UA you use.
If I was a fingerprinting company, I'd be cross-referencing signals between browsers for sure.

If the browser header says windows but the fonts available says linux, that's a very distinctive signal.

And if the UA says Chrome but some other signal says not-chrome, that's very distinctive as well.

Surely this is true, but if you’re a fingerprinting company aren’t you making so much money violating the privacy of the masses that it’s not worth your time going after the tiny set of Freedom Nerds trying to evade you?
They aren't specifically going after you... they just try to create a unique hash from everything they can and by doing weird things to your system you are making a truly unique hash easier
Yeah, and my passwords are so obvious and stupid, nobody's gonna guess them!

I think, you are falling for a technical fallacy. It's not costing them any more time.

You said it better than I did.
You can change the header, but browser developers are not that dumb and they added properties like "navigator.platform" which do not change and immediately give you away. Consider also writing a browser extension to patch these properties. Also, I think that DRM module (widewine), that is bundled with browsers, also can report the actual software version. Sadly it is undocumented so I don't know what information it can provide, but I notice warnings from Firefox about attempts to use DRM on various sites like Yandex Market.
The article also mentions this, and suggests the UA is not a silver bullet. That said, they didn’t go into specifics. I’m assuming there are other details that correlate to particular browsers that will betray a false UA. Plus, having a UA that says Chrome while including an extension that’s exclusive to Safari (tor example) will not only contradict the UA, but it will also be a highly distinctive datapoint for fingerprinting, in and of itself.
  • ·
  • 1 day ago
  • ·
  • [ - ]
Definitely a good STEP1, but it’s not like Firefox and Safari are finger printing secure.
Firefox does pretty damn well though, especially with privacy.resistFingerprinting set to true
Every time I manually touched the "fingerprinting" about:config settings, my entropy went up. I used the EFF site to test: https://coveryourtracks.eff.org/

AFAIK some of these options are there to be used by the Tor browser, which comes with strict configuration assumptions, and it doesn't translate well to normal Firefox usage. Especially if you change the window size on a non-standardized device. Mind you, the goal is not to block fingerprinting, but to not stand out. Safari on a macbook is probably harder to fingerprint than Firefox on your soldering iron.

However, judging by the fact that every data hungry website seemingly has a huge problem with VPN usage, I'd presume they are pretty effective and fingerprinting is not.

I've had good success with tracking tool tests and resistFingerprinting. Granted, I usually use it with uMatrix/NoScript most of the time which cuts down on the available data a lot and maybe makes it an unfair test. One issue, I expect, is simply not enough people using resist fingerprinting to add variation to the mix. Since it's off by default, and only a small % of users use Firefox and an even tinier percentage use resistFingerprinting, unlike your example of Tor where probably most people on the tor network use the tor browser, it's likely that simply blocking things is a fingerprint all on its own. The solution there would be to get more people using it :)

I will say one downside to using it is far more bot detection websites freaking out over generic information being returned to them, causing some sites to break (some of their settings breaking webgl games too due to low values). Using a different profile avoids this, or explicitly whitelisting certain sites in privacy.resistFingerprinting.exemptedDomains - obviously if a site is using a generic tracking service for bot detection, that kills a fair amount of the benefit of the flag, so a separate profile might be best. I wish firefox had a container option for this.

... and. not too sure what you mean by changing window size on a non-standardised device. They do try to ensure the window sizes are at standard intervals, as if they were fullscreened at typical widths to reduce fingerprinting, but surely that applies to using Tor too? I mean, people don't use Tor on dedicated monitors at standard sizes.

privacy.resistFingerprinting has potentially-unwanted side-effects, like wiping out most of your browser history (instead of the more sensible approach of just disabling purple links). I also recall something about it getting removed or nerfed, though I'm not sure whether that was a mere proposal.
It does not wipe your browser history. I can definitely attest to that since my generic JS active + resistFingerprinting profile has a history going back years. It does set your timezone to UTC in JS on websites. I've mostly encountered that when playing Wordle ;)
It also does (or at least used to) mess with dates, due to it attempting to hide what time zone you're in.
The browser should reasonably know what time zone you're in and what time zone you're reporting to the website and translate between them automatically.
what about duck duck go? We need a simple chart: 1. What browsers are good at resisting finger printing 2. tell for each browser, does it work on android ad ios and apple and windows and linux 3. what setting are needed to achieve this

for bonus points, is there no way to strip all headers on chrome on control it better?

This is my question also. I tend to not use apps, use DuckDuckGo browser.

I sometimes do use Safari which is a more convenient browser - it would be ironic if DDG browser is less private than Safari.

Modern Safari is pretty damned good at randomizing fingerprints with Intelligent Tracking Prevention. With IOS 26 and MacOS 26, it's enabled in both private and non private browser windows (used to be only in private mode).

All "fingerprint" tests I've run have returned good results.

Unfortunately, it's closed source and only available on Apple devices.
I haven’t tried 26, but I remember it didn’t used to be so great.
Tor Browser (based on Firefox) is.
I only use it when I want to be tracked.
How does it determine the order?

Clearly it thinks you prefer Chinese to German. Was that correlated with the frequency of your requests on Google Translate? With your browsing history? With your shopping history?

$lang_header = $lang_header + $the_lang_choice_that_was_just_made
Using Chrome and caring about privacy? I thought, after Google killed uBlock Origin, it had become beyond clear these two things were incompatible, https://news.ycombinator.com/item?id=41905368
Most people using chrome are also using Google's DNS servers too which hands them a list of every single domain you visit.
uBlock origin just got replaced with uBlock lite for most people
Which, by design, doesn't protect you from actual spying, https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
  • anthk
  • ·
  • 1 day ago
  • ·
  • [ - ]
There's a way to enforce loading UBo in Chromium but you need to download the extension by hand (git clone it from GitHub) and load it in "developer mode" in the extension settings. Also, you need to enable some legacy options related to extensions in about:flags.
Which really puts a massive spotlight on you.
  • ·
  • 1 day ago
  • ·
  • [ - ]
Hmmm...YouTube has been getting confused about the language and displaying random languages for the closed captions on videos. This was happening to me across smart TVs but I access YouTube randomly from various devices and browsers...but mostly Chrome when using a browser.
  • ·
  • 1 day ago
  • ·
  • [ - ]
> There was even a proposal to reduce this surface area, but it wasn't adopted:

>> Instead of sending a full list of the users' preferred languages from browsers and letting sites figure out which language to use, we propose a language negotiation process in the browser, which means in addition to the Content-Language header, the site also needs to respond with a header indicating all languages it supports

Who thought that made sense? Show me the website that (1) is available in multiple languages, and also (2) can't display a list of languages to the user for manual selection.

  • jm4
  • ·
  • 1 day ago
  • ·
  • [ - ]
What language do you put that list in? Would you still want to show it to every visitor when you know most of them speak a particular language?

I use to do some work in this area. The first question is difficult and the second is no. We had the best results when we used various methods to detect the preferred language and then put up a language selector with a welcome message in that language. After they made a selection, it would stick on return visits.

You can determine user's language from IP address location. Of course, there are users with VPNs, but they probably are used to seeing foreign content. For example, Youtube shows me advertisement in a language I don't understand despite my language header saying I only understand "en-US" and "en" languages. So this header is unnecessary, even Youtube ignores it.

Also, when using VPN, Google typically uses a language based on IP address, not my language header. I assume the header is only useful for fingerprinting today.

> You can determine user's language from IP address location.

I live in Hyderabad, Telangana, India. I do not yet speak enough Telugu or Hindi or Urdu to be useful, and cannot read Hindi or Urdu at all; but I’m a foreigner who grew up on English only, rather rare around here, so let’s consider native Indians instead. Many can speak these languages but not read them in their native scripts, only romanised (in which case they can probably speak English tolerably). And many (many) come from other parts of India (or even Nepal) and can’t speak Telugu. Or are Muslim and at least prefer to deal in Hindi, often not having very good Telugu. And so on. It’s messy.

Some IP geolocation doesn’t even get the city right—I’ve seen Noida suggested, which is up north in Hindi territory.

> What language do you put that list in? Would you still want to show it to every visitor when you know most of them speak a particular language?

Judging by... a large number of websites, you make the list available in a topbar, and each language is named in itself. You don't apply one language to the entire list.

Here's the first page that popped into my head as one that would probably offer multiple languages (and it does!):

https://www.dyson.com/en

They've got the list in a page footer instead of a header, but otherwise it's an absolutely standard language selector. It does technically identify countries rather than languages. The options range from Azərbaycan to Україна. They are -- of course -- displayed to every visitor.

Why would you want to force someone to consume your website in the wrong language?

And why would the list be in a single language, again?

  • jm4
  • ·
  • 1 day ago
  • ·
  • [ - ]
You’re looking at it with the perspective of someone who understands the language the site defaults to. Most non-native speakers have a hard time finding the link and they leave.
No, I'm looking at it from the perspective of someone who has needed to use that language selector in the past. Understanding the language the site defaults to wouldn't help, because the selector doesn't use that language anyway.

> Most non-native speakers have a hard time finding the link

You might notice the colorful flag right next to it.

More and more international audiences websites literally do this themselves, putting a language (sometimes even currency) select box option on top when they detect your settings don’t match best at first the page you are on.

Why not have this negotiation implemented at the browser level?

Because that prevents all of your users from selecting the language they want. It's a terrible idea with no upside and not-high-but-still-not-no downside.
It doesn't, because that's an optional negotiation. Try Apple.com in a different country/locale than yours, you'll see how it behaves.
It has a remarkably inconspicuous language selector, also using the names of countries rather than languages, located in the page footer. Compared to Dyson, Apple's list of country names is much more willing to use English in preference to whatever someone from that country would call it. This isn't consistent; many countries are rendered in their own language (日本 / Ελλάδα) and many aren't (Georgia / Kazakhstan).

The page defaults to the locale that you request in the URL. https://www.apple.com/ shows up in English, regardless of your country;† https://www.apple.com/bg/ shows up in Bulgarian. Switching your preferred location simply takes you to the page for that location. (Dyson does the same thing.) Some locations support more than one language; there's https://www.apple.com/lae/ for Latin America (English) and https://www.apple.com/la/ for Latin America (Spanish). If you're on the page for a location like this, a language selector (with language names) displays next to the location selector. In the case of Latin America, only two languages are supported, and the language selector automatically displays "Español" if you're on the English site and "English" if you're on the Spanish site, which makes sense but won't generalize.

Apple's selector is inconspicuous because it refuses to display flags, which I would guess is due to much higher political exposure than Dyson. So it's lower-quality in two ways, but fundamentally the same approach. The user asks for a language, and the site honors that.

Given that I presented Dyson as an example of doing language selection correctly, I'm confused about what you wanted me to see on apple.com. They're trying to do the right thing, but less effectively.

† I tested this by accessing the site(s) from Mongolia, Vietnam, and Morocco using ExpressVPN.

That was my point. Not comparing Apple/Dyson/whatever, but showing that website do have this need.

If this was designed and implemented as a standard at the browser level, we would get something better in the end, rather than re-implementations on each and every website.

  • tzury
  • ·
  • 19 hours ago
  • ·
  • [ - ]
The OP argues that fingerprinting is a "privacy nightmare," but we need to look at why it exists.

From a pragmatic perspective, we are forcing two very different networks to run on the same protocols:

The Business Internet: Banking, SaaS, and VC-funded content (Meta/Google).

The Fun Internet: Hobby blogs, Lego fan sites, and the "GeoCities" spirit.

You cannot have a functioning "Business Internet" without identity verification. If you try to perform a transaction (or even just use a subsidized "free" tool like Gmail) while hiding behind a generic, non-unique fingerprint, you look indistinguishable from a bot or a fraudster.

Fingerprinting is often just the immune system of the commercial web trying to verify you are human.

The friction arises because we expect the "Fun Internet" to play by different rules. A Lego fan site shouldn't need to know who I am. But because we access both the Lego site and our Bank using the same browser, the same IP, and the same free tools (Chrome/Search), the "Fun Internet" becomes collateral damage of the "Business Internet's" need for security and monetization.

We can't have it both ways. We accepted the SLA for the "Business Internet" in exchange for free, billion-dollar tools. If you want 100% anonymity, you are effectively asking to use the commercial web's infrastructure without providing the identity signal it runs on.

As the OP notes, mitigation is hard. But that’s not just because advertisers are "evil"—it's because on the modern web, anonymity looks exactly like a security threat.

> You cannot have a functioning "Business Internet" without identity verification.

Yes, you can. Just like you can have a functioning grocery store without checking the identity of each shopper that walks through the door.

What you cannot have is a free and democratic society or an efficient free market without robust protections for individual privacy. Privacy is the best shield the less powerful have from being abused and exploited by the more powerful.

> We accepted the SLA for the "Business Internet" in exchange for free, billion-dollar tools.

No, we did not accept. There was no informed consent. The full consequences of our use of these services was and is still is kept hidden from us. Tracking happens invisibly, without our knowledge or consent. This deprives us of the opportunity to express our true preference and opt out and choose an alternative. It's employing deception in order to subvert the consumer's ability to make a rational choice that represents their best interests.

> on the modern web, anonymity looks exactly like a security threat

An anonymous user who just uses the service normally and does not attempt to access sensitive information without authorization does not look like a security threat.

Then let's get rid of the business internet. Every single thing I dislike about the internet is from the business internet: tracking, cookies, fingerprinting, SPAs, excessive javascript, optimizing for engagement, data brokers, I could go on.

"But won't you miss XYZ?" Nope, don't care, want it gone. If you can't be bothered to go to the store and get it then it probably didn't matter very much.

To me, it would be enough if there existed a search engine which only lists sites which do nothing of the above. But that would require that sites are honestly answering the question "are you tracking?". They won't. Corps have the same thinking as the criminals they try to keep outside.

There would have to be laws which require site owners to answer that question honestly, so that users have a choice and such a search engine can be built. But states are interested in fingerprinting too, so I guess such will never happen.

Those are some rose tinted glasses. Not having to drive a check to the city utility office to pay the power bill is quite the improvement.
Based on your comment it sounds like you rarely travel (booking hotel / flights online), don’t have mobility issues (ordering groceries / household essentials online), don’t participate in online banking (do you write checks? carry cash with you all the time? go to an ATM weekly?), you don’t stream movies or tv shows, and you enjoy looking for apartments to rent in your local newspaper listing, and you enjoy using paper maps when traveling around the city and world. I could go on…

literally everything useful works on the business internet. Also how do you think local businesses near you operate? They don’t call each like the 1900s lol. They order stock from distributors, some local and some overseas. Often they are doing this on the business internet. Today’s global supply chain makes this a non-starter.

It’s OK if YOU personally prefer doing everything slowly and in person and don’t value the convenience of the business internet. No judgment. But don’t pretend this would be an easy transition at all. Or that most people would prefer to live that way.

IMO it would make _way_ more sense to introduce reasonable privacy regulations that are better thought out than GDPR and have proper enforcement.

Maybe a formal “community” version of the internet would be appropriate as well.

>you rarely travel (booking hotel / flights online)

Yes, and I really dislike traveling when I have to. I personally wish that air travel would become unaffordable for most people, including myself.

>don’t have mobility issues (ordering groceries / household essentials online)

No, but mobility issues existed before the modern internet.

>don’t participate in online banking (do you write checks? carry cash with you all the time? go to an ATM weekly?)

I do online banking, but I also write checks and use cash. I don't use Venmo or similar services. Once I can get ahead of my chores & projects I'm thinking about getting a local branch at a credit union and totally avoiding a banking app on my smart phone.

>you don’t stream movies or tv shows

Sometimes, but I'm getting away from it. Interestingly I'm getting a blank screen (but there's still audio) when attempting to stream on Linux. I haven't fully researched it, but some preliminary research suggests that it's anti-Linux blocking. (at least one user reported the problem went away -- in a repeatable fashion -- when switching their use agent to Windows) So although this is not confirmed, I'm preparing for a time when this is unavoidable and I won't stream movies or TV whatsoever at that point.

> and you enjoy looking for apartments to rent in your local newspaper listing

Don't see anything wrong with this. I would actually argue that you don't need authentication in the way discussed in this conversation for this, though -- all you need is the listing, which can be totally anonymous. The actual application for the apartment can happen in person, and that's when verification needs to occur.

>you enjoy using paper maps when traveling around the city and world.

I use an old-fashioned GPS in my car that I paid well over $100 for a number of years ago. There's no tracking whatsoever, unlike the GPS used in a smart phone.

>literally everything useful works on the business internet. >Also how do you think local businesses near you operate? They don’t call each like the 1900s lol. They order stock from distributors, some local and some overseas

Except we did fine for most of human history before all this. And I'm sure there were no such think as stock orders or warehouses or supply chains before the modern internet. They cropped up over night the moment the first tracking cookie existed. /s

Your opinions are totally reasonable IMO, i just hope you realize how outside the norm they are. :)
Note that one very simple mitigation for browser fingerprinting is to simply run different browsers for "the business Internet" and "the fun Internet". You may need to do this anyway, because so many business sites only work on Chrome, with Javascript enabled, no VPN, no adblocker, and pop-ups enabled. But then you might use Chrome (which tracks everything you do anyway) for all your banking, SaaS, government tasks, so they all work, and then say Brave or Opera in an incognito window for all your fun reading. You get the adblocker, you get a different cookie jar for each session, you get easy access to Tor to hide your IP, etc.

Also recommended to have a separate sandbox for "projects" - basically things that you do that each might require their own research, toolchain, files you create, etc. I'd highly recommend doing this in a virtual machine though - oftentimes you need to install apps to do your project work, and that presents its own attack vector. Plus if it's all in a VM you can just backup the VM and start fresh on new hardware without having to install all the dependencies, while if you're just saving random files and backing them up they probably won't work as software gets updated and dependencies get out-of-date.

I don't think separate browsers is a very effective mitigation. If both browsers are running on the same machine, from the same ip address, using the same email address for logins, the same phone number for 2FA, it will be pretty clear that both browsers represent the same person. Even cross-device identity tracking is a real thing.
No. Fingerprinting is a function of the ad network to identify ad-worth aspects of me.

That some aspects may be used to push bots away is a minor effect.

  • tzury
  • ·
  • 14 hours ago
  • ·
  • [ - ]
I am assuming you are not in the bot mitigation business.

An encrypted cookie from a company such as cloudflare encapsulates a multi dimensional datum such that, generating one in a legitimate browser, and letting a botnet using it will get detected and blocked.

  • pu_pe
  • ·
  • 18 hours ago
  • ·
  • [ - ]
I don't see why banks need browser fingerprinting at all. Every credit card I've had in the past 10 years required two-factor authentication. If your theory was correct, trying to do a purchase in a new browser wouldn't work.
This is an excellent insight.

I think there is still some hope that technical solutions could be developed so that only the "Business Internet" gets access to verified identity, with the user somehow understanding this, while the "Fun Internet" doesn't have such capabilities. This is what stood behind, e.g., Google's proposed WEI [1] that got such huge backlash, or Apple's Private Access Tokens [2] which are essentially the same thing but quietly slipped under the community radar.

Other proposals are Google's in-limbo Private State Tokens [3], or the various digital-wallet/age verification proposals (I think Apple and Google both have stuff in that space).

But even basic stuff, like IP protection, can really throw off the anti-fraud and anti-botnet mechanisms. Your Lego fan site wants to be behind a CDN for speed and protection from DDOS? Well, people using VPNs or in Incognito mode might end up inconvenienced, because the CDN thinks it's dealing with bots. Rough stuff.

[1]: https://en.wikipedia.org/wiki/Web_Environment_Integrity

[2]: https://developer.apple.com/news/?id=huqjyh7k

[3]: https://privacysandbox.google.com/protections/private-state-...

> Fingerprinting is often just the immune system of the commercial web trying to verify you are human.

I don't think so.

Yes, it is being used for such purposes, but the older reason for tracking users was the hunger of the ad networks to serve ads with higher impact, and I think 'personalization' is still the big driver here.

I find it a bit hard to relate to the "privacy nightmare". I've not worried about such things in ~27 years of using the web and are yet to notice ill effects from the stuff he worries about. I don't know if my ads are targeted because I have an ad blocker and don't see any. Maybe the answer to the nightmares in general is not to worry about stuff that doesn't affect you?

Re insurers knowing you've been browsing heart disease etc, I have sometimes had issues like that, more you get a cheap initial price from an insurer/airline/car hire and then they jack it up when you visit again. You can sometimes do better by having a go from a different browser. I regard that more as me trying a hack to get a discounted price than a privacy nightmare but whatever I guess.

  • baxuz
  • ·
  • 15 hours ago
  • ·
  • [ - ]
Not only that, but it's becoming increasingly difficult to get to legitimate data advanced web apps need in order to work properly, or to get legitimate analytics.

Everything is obfuscated. And this is not the situation on iOS and Android.

I am working on multiple products which use webassembly and cameras on mobile devices. It's impossible to reliably know how many workers to spin up, what's the safe memory limit and how much memory the device has, which compile-time optimized bundle to load, which camera to select for ideal focus lengths...

Especially on iOS.

And I often get customer complaints that the product is crashing. Eventually it ends up being a single (iPhone) that needs a restart to stop it from aggressively managing memory in Safari. Fingerprinting a device would solve SO MANY issues. And this is, again, possible on native apps.

Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy. By default, this config burns cookies on exit, standardizes the time zone to UTC, spoofs the canvas fingerprint, and does other helpful things. Basically, it makes Firefox expose the same information as the Tor browser.

In addition, I block most known advertizing/tracking domains at the DNS level (I run my own server, and use Hagezi's blacklists).

Finally, another suggestion would be to block all third party content by default using uBlock Origin and/or uMatrix. This will break a lot of websites, but automatically rules out most forms of tracking through things such as fonts hosted by Google, Adobe and others. I manually whitelist required third party domains (CDNs) for websites I frequently visit.

There's no point unless a critical mass of people use these tools. You will be the only one on your IP address using this configuration of masked fingerprinting, which is itself a fingerprint.

That's also why it's indeed useful when using Tor, because you're not identified by your base IP.

Unless we make this part of the culture, you have basically 0 recourse to browser fingerprinting except using Tor. Which can itself still be a useful fingerprint depending on the context.

EDIT: I'll add that using these tools outside of normal browsing use can be useful for obfuscating who's doing specific browsing, but it should be emphasized that using fingerprinting masking in isolation all the time is nearly as useful as not using them at all.

I have packed ff with arkenfox js into container and maybe a handful other people use it https://github.com/grzegorzk/ff_in_podman. Still, most likely the IP address alone is probably the strongest part of fingerprint vector Maybe instead it would be better to have very different vector each time?
> "There's no point unless a critical mass of people use these tools"

That's what Mullvad Browser attempts to solve i guess:

https://mullvad.net/en/browser

Basically the XKCD license plate comic: https://xkcd.com/1105/
Has anyone wrote software that automatically surfaces the relevant XKCD comic for every article this happens under?

I’d like a feature in my HN reader that sticks a red button at the bottom anytime XKCD has already made the points I’m reading.

Randal had a long career of good takes, until around 2016 when they stopped being objectively good.

I’m not kidding at all, that my guess is he was doing drugs and stopped.

Wow. Not liking their political views equals doing drugs.

Must be an interesting place, that originates these "arguments".

I think you misread. They said the opposite: that he was taking drugs and his takes were good, then he stopped taking drugs and now they’re bad.

I’m not saying I agree or that I even think his takes have gotten worse, just clarifying what the other poster said.

1357 (2014-04-18) is pretty bad.

(Bonus points for the alt-text argument being isomorphic to nothing-to-hide.)

He was effectively years early to the “if you don’t like how twitter is run, build your own <smug face>” interesting how that argument isn’t used anymore.
As far as "obligatory xkcd" is concerned: 3154, 3155, 3159, 3160, 3162, 3165 and 3167 are all relevant. (I've found myself citing 3155 a lot, in attempts to deradicalise cranks: it sometimes works, if I can convince them to quit ChatGPT cold-turkey.)

It's fine to like the comics before around 2016, and dislike the ones afterwards, but there's nothing objective about that. Various people have put forward various thresholds for when xkcd "stopped being good", but ultimately it boils down to a combination of what TV Tropes would call "Tone Shift" and "They Changed It, Now It Sucks!".

> Randal had a long career of good takes, until around 2016 when they stopped being objectively good.

Specifically it was at this point in 2016: https://xkcd.com/1756/

> I’m not kidding at all, that my guess is he was doing drugs and stopped.

I don’t know if he stopped or started, but something changed.

A person used their relatively large platform to tell people that they don't support a crazy lunatic millionaire running the world's most powerful country? How scandalous!

In the USA, 2016 and onwards wasn't "just an election". It was something between a mildly harmful establishment candidate or a useless new face on one side, and "holy fucking shit are we actually letting this deranged wannabe monarch run for office?!?" on the other.

Give the man a break, it was (the start of) a crazy time, I'm actually surprised more creators didn't do something like this. If anything, it was barely even a political statement, more of a "hey fellow dems, go vote!" type thing.

Couldn’t have said it better. But hey, they made their bed…
Coming our against a candidate that literally said the words "grab them by the pussy" is a bad thing?
We should go further and make an AI agent that creates counterfeit XKCD comics of dubious quality for literally every scenario.
You can and should be using a good VPN to make the masked fingerprint and IP address non-unique.
Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

> block all third party content

It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

Also imagine if browser didn't provide drawing API for canvas (if you would have to ship your own wasm rendering library). Canvas would become useless for fingerprinting and its usage would drop manyfold. And the browser would have less code and smaller attack surface.

> Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?

My GPU is reported as simply "Mozilla" by https://abrahamjuliot.github.io/creepjs/.

The number of cores is also set to 4 for everyone using this config and/or Tor.

> It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.

This may be true, but allowed third party content makes it trivially easy for Google and others to follow people around the Internet through fonts delivery systems among others.

I had forgotten I was running Ublock origin / Privacy Badger / Ghostry so I was a bit confused with the results from that site.

I think it is Ghostry that is faking the responses but I still have a pretty unique fingerprint according to https://coveryourtracks.eff.org/kcarter?aat=1

Isn't ghostry compromised? Having been bought out by an ad company?
As near as I can tell, it’s always been owned by Cliqz, who produced some privacy-focused browsers (named Dawn or Lumen) and a search engine (Tailcat) that was ultimately purchased by Brave. The whole thing is majority owned by a German media group, Hubert Burda Media, and while its missions towards increased privacy seem to be sincere, I don’t know if I’d trust them implicitly.

All that said, the main project looks to be open sourced under a GPL3 license, so distrust and verify: https://github.com/ghostery

Honestly I did not know.

I have had it installed so long I don't even remember when I did it.

Ill look more into it and perhaps re-evaluate

If I infiltrate someone else’s computer, secretly run code in order to to exfiltrate data I risk prison time because objectively it seems to satisfy criminal laws over where I live.

How do prosecutors in any modern country/state not charge this behavior when done by a website owner?

  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
The difference is that there's implied consent to run arbitrary (albeit sandboxed) code when you visit a website. Moreover it's not the website causing the code to be executed, it's your browser. Otherwise if the bar is "code is being run but the user doesn't know about it", it would lead to either any type of web pages with javascript being illegal (or maybe without javascript, given that CSS turing complete), or a cookie banner type situation where site asks for consent and everyone just blindly accepts.
> any type of web pages with javascript being illegal

Inshallah

  • mh-
  • ·
  • 1 day ago
  • ·
  • [ - ]
> if the bar is "code is being run but the user doesn't know about it",

.. would lead to all modern electronics being illegal, not just web pages with javascript.

I guess it’s fortunate that this quote only includes a portion of the assertion they’re making. What happens when you include the rest?
I suppose it depends on what you mean by "modern"

In Europe we have the GDPR which does exactly this

The GPDR is not criminal law. But ignoring that, regulators barely pursue GPDR violations.

Consider the swaths of dark patterns surrounding cookie terror banners. The GPDR language is extremely clear that none of them are legal, but virtually nobody is ever punished.

> The GPDR is not criminal law

While the GDPR does not directly prescribe prison sentences, it absolutely enables countries to establish criminal offences for severe data protection violations, and they will clearly extradite!

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs...

> But ignoring that,

No don't ignore that. When you're so completely wrong about the first thing you say, everything that follows is going to be even more wrong.

> Consider ... cookie ... banners. The GPDR language is extremely clear that none of them are legal

You are confusing the ePrivacy directive (2002/58/EC) with the GDPR (2016/679).

All javascript based anti-fingerprinting is detectable and is also a major source of uniqueness!
Sure but if you are always unique for every website then you can’t be tracked overtime.
They meant a signal of uniqueness for your setup that could still assist with tracking, not being unique for every site.
> Basically, it makes Firefox expose the same information as the Tor browser.

Is it based on the Tor browser?

Some solutions, like Tor browser or GrapheneOS, are engineered for the purpose.

Some free online tools are an aggregation of ideas from social media and someone's personal understanding. These solutions can have limited benefits or be worse than the problem. Many settings don't work as expected, there are unintended consequences (such as making the browser more unique and easier to fingerprint), unusual combinations of settings can have unintended consequences or break things (Mozilla can't test every combination of about:config settings).

Orion Browser (Kagi Product) prevents fingerprinters from running by default.

https://help.kagi.com/orion/privacy-and-security/preventing-...

Orion browser is also capable of running uBlock Origin (not Lite) on iOS.
How do they reliably detect fingerprinting? Did they solve the Halting Problem? Sounds fishy.
  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
>The only efficient protection against fingerprinting is what Orion is doing — preventing any fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking, built-in by default, making sure invasive fingerprinters never run on the page.

sounds like they block "known" fingerprinting scripts and call it a day.

This is also covered in the article. I appreciated the analogy they used: You can put on a ski mask when you go to the mall, and it will conceal your identity, but you will also be instantly suspicious to everyone around you, and will likely be asked to leave most of the stores you try to visit.
This is only because there are only 0.001% of people using anonymizers. If you are a minority with specific requirements, you are shown the door almost in any case, not only on the Internet.
  • jorvi
  • ·
  • 1 day ago
  • ·
  • [ - ]
> Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking

I love Kagi, but that is a laughable statement. Brave has been offering ad and fingerprint blocking for years now. The reason why they don't have full first party blocking ("aggressive" mode blocking) on by default is because it tends to break things.

  • 0xy
  • ·
  • 1 day ago
  • ·
  • [ - ]
This makes you inherently trackable, ironically. No trace is a massive trackable attribute, since almost nobody is untraceable.
Hey look it's that invisible guy again!
To ask the obvious question: Doesn't blocking fingerprinters itself fingerprint the browser.

(Also, what is a 'fingerprinter'? Isn't it something that runs server-side, out of reach of the browser, based on data collected?)

No it's usually a javascript script that does weird things like drawing strings on an invisible canvas and sends it back to the server. I'm wondering if a browser extension that intercepts those payloads and randomizes them with other people's payloads is what's called for here.
Firefox already provides this feature in about:config using resist fingerprint - https://support.mozilla.org/en-US/kb/resist-fingerprinting
unfamiliar with the Arkenfox user.js but are any of these things that are beyond what firefox enables out of the box if you turn on privacy.resistFingerprinting ? Because what you describe seems to be all stuff it does just by flipping flag.
Arkenfox does far more than that, just look at the user.js. Among others, it spoofs the time zone, number of cores, window size and many other attributes that assist fingerprinting. It basically mimics the settings of the Tor browser.
privacy.resistFingerprinting = true is basically activating most of the Tor browser features in baseline Firefox. That's why it is turned off by default. It does all the things you listed above only at a lower level than a user script. It's been in Firefox for over a decade.

https://www.ghacks.net/2018/03/01/a-history-of-fingerprintin...

The flag was in fact designed to control the activation of the Tor browser uplift features, and reduce maintenance issues. That way the Tor browser could pretty much just be Firefox with certain flags turned on.

  • 0xy
  • ·
  • 1 day ago
  • ·
  • [ - ]
As someone who utilizes these tools for anti-fraud purposes, Firefox is just as trackable if not more trackable than Chrome (especially because you stand out by using a niche browser in the first place).

Firefox exposes a massive amount of identifiable information via canvas, audio device and feature detection methods. There's also active methods to detect private windows, use of the developer console and more.

Of course. There's data where there isn't data.

-make client load something

-client doesn't load it

-add.fingerprint.point(client,'doesnltloadthings',1)

-detect if client does something only a certain browser does

-client does it

-add.fingerprint.point(client,'doesthisbrowsderthing',1)

-window was resized/moved, send a websocket snitch to the backend

- keep a consistent web socket open, or fetch a backend-api call for updates on X events - more calls are made, means user is probably scrolling, inject more things/different things.

I see some js obfuscators out there where I look at the js file and it's all mumbo jumbo.

It is indeed a privacy nightmare, where whatever we do feeds the algorithms to aide in making other people do things.

But it's also used in network security, organizations etc. Staff/employees will use the system a certain way, if something enters it without the behaviors, it's detectable. I assume that's what you mean in anti-fraud.

Sad part is we don't know what the data is ever used for, and it's often bought and sold and the cycle repeats.

In the end all this shit we have to deal with is probably 99% used for deciding which ads to show you, which we are gonna block anyway, and it's all a complete and utter waste of computing power and electricity. This is how big tech "makes the world a better place" apparently.
If you enable privacy.resistFingerprinting in about:config I believe instead of trying to prevent fingerprinting entirely, it's supposed to make things annoying for the fingerprinters by regularly changing the various spoofed factors.
There is also server side fingerprinting like JA4+ and others. Also, if you somehow evade fingeprinting, you have to prepare yourself to solve some very slow Google and Cloudflare captchas.
Privacy tax, sigh
"This will break a lot of websites, but automatically rules out most forms of tracking…"

Whether one breaks a lot of websites or not depends on the type of user one is. People who regularly use the Google ecosystem, Amazon and Social Media etc. cannot afford to break sites for obvious reasons, they too are those that websites are most interested in tracking and fingerprinting.

Those who use the web in the way advertisers and Big Tech intend users to use it are the most vulnerable, they're the ones who most need protection.

I break websites regularly but it doesn't worry me, I browse with the premise that there are more websites on the internet than I'll ever be able to visit and if I break sites or are blocked by paywalls then there are usually alternatives and workarounds.

But then I'm not a typical user, I block ads, I usually browse with JS off, kill cookies, use block lists, use multiple browsers (there are six on this deGoogled, rooted phone), browse from multiple machines—Windows, Linux and use multiple ISPs. Also, I've no Social media or Google accounts and rarely ever purchase stuff online. Internet access is via dynamic IP addresses and routers are rebooted often. There's more but you get the picture.

I assume browsing sans JS makes me a first-class target for fingerprinting and that websites know about me but it doesn't matter. Whatever I'm doing seems to work, over the years I've had very little trouble doing everything on the web that I want to do. Clearly I'm of little interest to advertisers and I never see ads let alone targeted ones. I used to use uBlock Origin but I don't bother now as browsing sans JS is just so effective at blocking ads.

I'm lucky in the fact that I use no service that would benefit from fingerprinting me. Whilst my web browsing is atypical of most users I reckon many could benefit by being more proactive—using multiple machines, browsers, ISPs etc.—to disrupt the outflow of personal data. For example, this is being written on a rooted Android using Privacy Browser from F-Droid sans JS and with block lists. If I really need to go to a site where JS is required, I can simply hit a toggle and turn on JS or alternatively use another browser.

>Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy.

No. It's LARP. You either don't care or go with Tor Browser and/or commercial antidetect browsers.

But you shouldn't care, this issue of fingerprinting is overblown. (really reminds me of AI)

Unfortunately, recently more and more sites fail to work with Tor Browser. Notably, I am informed by people who are not me, Anna's archive and libgen.
The sites block Tor, not fail to work with Tor browser itself. I know this is a meaningless distinction for end user.

In theory you could use Tor browser with Tor stripped (I heard this is what mullvad browser is?) or go tor-then-proxy (this is what I often do, because I sometimes use whonix at work). I don't know about libgen or Anna's archive, I don't use them.

  • kxrm
  • ·
  • 1 day ago
  • ·
  • [ - ]
So there seems to be some confusion around fingerprinting related to identifying characteristics and tracking. These are two different things. Setting your timezone to UTC, masks that one characteristic of your "identity". But there are better signals for location than timezone, like GeoIP. Same with hiding capabilities. All this does is make the web harder for you but it doesn't make your untrackable. Trackability comes from a combination of factors both within and out of your browser's control. If you share your IP with a family of 4, and you go changing your request headers you are only making yourself MORE trackable. The fact that one request comes across with UTC as a timezone and others come back with EST or other timezones, means I now can track a single user on this single IP. This is made worse if you and your family are using different browsers or different devices.

So what do we care about? If you care about being untrackable, then you have a couple of options, rotate VPNs, or cycle your public facing IP often. Additionally, every request you make MUST change up the request headers. You could cycle between 50 different sets of headers. Combine these two and you will likely be very hard to fingerprint.

If you only care about being identified, use Tor + the Tor browser which makes A LOT of traffic look identical.

I agree with the points in the article. Fingerprinting of any kind is a major risk for personal freedom. At the same time I want to make sure that content creators are compensated for their work. Ad firms that employ fingerprinting stand between me and the content creator. That said, I'm not going to pay $5/month for every blog that I occasionally read. The ad based model provides a more streamlined approach to compensation, but at the unacceptable price of privacy. I'm not quite sure what the answer is.
  • jwr
  • ·
  • 1 day ago
  • ·
  • [ - ]
> content creators are compensated for their work

I have a gut feeling that we've been tricked (by ad companies) into thinking that this is somehow realistic and that casual "content creators" can get meaningful money from us reading their articles.

Realistically, while professional content creators can make a living, writing a blog post every once in a while will not provide meaningful income. Instead of trying to "monetize" everything, we would be better off with free content like on the internet of old. There are other means of making money.

It seems that the current situation means that the "content creators" earn insignificant money, while ad companies earn huge money because of scale, and we all somehow keep believing that this is necessary for content to appear.

You mean I shouldn't make a comfortable living off my valuable HN comments? I was about to consider this comment a good days work. Maybe if I put this comment on my own webpage it would be more valuable?
About as valuable, as many content creators' work. But it all hinges on engagement, so consider this my part in helping you to the next million.
Best I can do is tree fiddy. Perhaps a little ragebait could give it that extra oomph it needs.
You mean tree fiddy per month, right?
> writing a blog post every once in a while will not provide meaningful income

Should people receive meaningful income for writing a blog post every once in a while?

I feel like that's the real question and not everyone agrees on the answer

> we would be better off with free content like on the internet of old

Well as someone who was there you used to need meaningful income to use the Internet of old. Nowadays everyone needs the Internet and it's a pretty big expense in most peoples' budget, and I think that's why so many people are willing to try something at it,

I figure if you just gave everyone meaningful income we could have that again

  • ·
  • 1 day ago
  • ·
  • [ - ]
> writing a blog post every once in a while will not provide meaningful income

Nor, generally, should it. Sitting down one or two Saturday afternoons a month to write a blog post shouldn't be generating the income of a FTE.

Allow me a second to play Devil’s Advocate.

What if it could? Or should (be able to produce FTE or close income)?

In that world, the amount of pointless shite - questing to “go viral” - would be reduced to near zero. That is, if the incentive were more quality, and less quantity, we’d be better off, yes?

  • sfink
  • ·
  • 1 day ago
  • ·
  • [ - ]
That's tempting, but I still don't think it should. There would still be the quest to go viral. "Quality" would still be determined in the aggregate, which means that your income depends on appealing to the widest audience possible, which means high quality niche bloggers still don't get paid much.

Metrics are hard. Just making sure they reward one particular desired outcome doesn't mean you'll escape the unintended consequences.

Also, note that we are past the point of being able to reasonably able to manage any of this. Today, you'd need to come up with a reward function that cannot be maximized by AI. (And lest you think you can fix that by using site visitors to evaluate, most of them will be bots too.)

  • jwr
  • ·
  • 19 hours ago
  • ·
  • [ - ]
Anything that can provide income inevitably leads to a flood of garbage from people trying to game the system. The current ad-driven web resulted in SEO garbage and near-uselessness of search engines.
So there's an element of truth to that. And there are those who can contribute enough value, have enough audience, etc., that they can "coast" on those 2 blog posts a month and make significant income...

... but that's also not, nor should it be the median. I'm not sure how the economy functions if, say 8h/mo effort generates a median living wage.

  • o11c
  • ·
  • 1 day ago
  • ·
  • [ - ]
Tbf in a post-scarcity society, that should be expected, if historical inertia doesn't prevent it.
In that world, a Culture-esque thing, then absolutely so.
  • ·
  • 1 day ago
  • ·
  • [ - ]
> I'm not quite sure what the answer is.

It's very simple, it's what they've been doing in print media for centuries: contextual advertising.

  • Vinnl
  • ·
  • 1 day ago
  • ·
  • [ - ]
Print media did also include e.g. coupons with discount codes with which advertisers could learn which lead led through a sale.
Without any transactions or user tracking it’s difficult to separate ‘legitimate’ content farms from those using bot farms to boost their page views.

Print media was also trying to guarantee their audience was an actual person by charging nominal fees, the difference was how much info required to do so.

  • Vinnl
  • ·
  • 16 hours ago
  • ·
  • [ - ]
Yep, exactly. So ideally, we'd have some technology that would be able to achieve those goals without needing all the info that is gathered nowadays. Though that is pretty unpopular here too.
  • gedy
  • ·
  • 1 day ago
  • ·
  • [ - ]
Yes seriously - I'm old enough to have enjoy reading magazines that had ads throughout them. They were fine.

I'd venture to say contextual advertising would be more effective than whatever we've been trying to squeeze out of fingerprinting etc. All this supposed "data" they are gathering feels like a scam perpetuated by ad companies about how important it is to the people who buy ads. It's not.

Even Facebook and Instagram, which pretty much should know you to a tee is completely ineffectual at advertising to me - like at all.

Same here. By the time I was old enough to have an income, reading comics had already made it possible for me to -not even see any- advertising. That carried over to newspapers, magazines... all those advertisers were wasting their money.

Later on in life I got pissed at cable-TV advertisers shoved into my favorite movies every 5-10 minutes ... ruining any ambience or artistic merit in them ... so I got rid of cable TV. By the time analog TV went away, I'd got rid of my television set. No return address on an envelope? junk mail, into the garbage unopened.

Now the pollution's ruined the 'net ... it's YouTube (re-routed) and some websites (blocked). So long, boing-boing and wired and your 'native ads'. Sites demand subscription? blocked. How much longer before advertisers realize how much they're getting ripped off?

  • sfink
  • ·
  • 1 day ago
  • ·
  • [ - ]
> Sites demand subscription? blocked.

Odd. In the midst of a (well-deserved) anti-ad rant, you throw in the primary non-ad alternative and discard it.

> How much longer before advertisers realize how much they're getting ripped off?

A while longer, if the same people who reject ads are also the people who reject alternatives to ads. The advertisers can safely ignore those people's opinions.

(I'm not saying subscriptions are the answer. I don't have an answer. I'm just saying that companies wanting subscription money is not part of the problem where companies want to shove ads in our faces 24/7.)

The main “problem” with contextualized advertising is that the people producing the content get a larger share of the ad spend.

Targeted ads concentrate control over the market into a few players, which can do things like acquire competitors or run them out of business with loss leaders.

With AI, the supply of ad real estate will go to infinity, so the only thing that will matter is the quality of the places the ads run.

This would be a good time to ban targeted advertising, or for the content producers to form a cartel that only purchases contextual ads.

That cartel will probably be even worse than what we have now, since it’s going to be 2-3 mega conglomerates like Disney, and they already have handed editorial control over to the White House.

Hopefully the invisible hand of capitalism will somehow fix this.

Do you see how the discourse has been shifted here? Some of us have nothing against ads per-se. We care about tracking.

How does tracking me and invading my privacy make ads perform better? In my case it does not. As the tracked ads are usually worse as they will keep advertising me things I don't need anymore. Context based ads worked fine in the past and I don't really see why they cannot.

Also why does every web store need to show me ads? Don't they make money out of selling things? If they really have to, do they have to invade privacy? This is like walking into a physical store and them doing facial recognition, then showing you tailored ads/inventory. That feels creepy to me.

> How does tracking me and invading my privacy make ads perform better?

If you don’t want to be tracked, you shouldn’t be, but how could it not? At a very simple level, an ad targeted towards a 50 year old woman isn’t going to be the same ad to show a 14 year old boy. Different people like different things and ads targeting you as an advertising profile are going to be better than ones that aren’t. You may not like the targeting and think it's invasive, because it is, but let's not pretend the tracking doesn't do something.

A 14-year-old is unlikely to read/look at the same content as a 50-year old woman. That's how contextual advertisement works.
contextual advertising isn't targeted advertising, yes.
Indeed. So no idea what your argument is about.

BTW, targeted ads need to be 100% to 700% more efficient than regular ads to be as profitable: https://www.sciencedirect.com/science/article/pii/S016781162...

> I'm not going to pay $5/month for every blog that I occasionally read

Would you pay per view? Most people (me included) would probably hesitate to say yes, because we’re used to not paying for that. But what if it meant that ad based model is gone and everything you buy is cheaper because the price does not include the cost of running ads?

> what if ... everything you buy is cheaper because the price does not include the cost of running ads?

Except in practice we see the opposite.

There's something interesting going on with companies when they want to get paid directly versus by ads: they demand 3x - 4x or more for subscriptions or pay per view versus what they make from ads.

Easiest place to see this is ad supported non-linear TV in the years you could get without ads, or with ads. You pay significantly more to not see the ads, than they make from the ads.

Perhaps this is justified because ad-free subscriptions reduce the audience size for ad buys, but when you look at the numbers watching with ads versus paying, it wouldn't seem like the "no ads" buyers make a dent in whatever pricing tier.

In the 90s when we were young and naive, we imagined a library card model, with a library fee and then you have fractions of a cent cost to read a post, and using (hand waving) technology to uncouple viewing history from payables to content creators. That, or the British TV license model, an Internet license of some kind.

It's curious to me the ad networks haven't gotten together to preemptively offer this. Arguably Brave tried, but from an adversarial (to the ad companies) stance. It would work better from the inside with a simple regulation: if you serve ads for ad-supported content, you have to participate in the library card system at CPM rates no greater than you receive for ads to skip the ads for card holders.

This is price discrimination. Everybody would love to charge more money to rich people and less money to poor people, since that increases the total profit.

The only companies that we directly allow to do this are schools, but having a premium version lets you approximate this.

Steam also does this. Most games are significantly cheaper in low-income countries like mine because otherwise they wouldn't make a dime here.
That's because you usually pay via credit card (or some other financial mean) which is cumbersome (and may be illegal) to spoof. But yeah, it can be hard to justify a subscription when it's the price of a full meal. Especially when other essential subscriptions (electricity, water, internet, cell services,...) is straining your monthly budget.
  • mh-
  • ·
  • 1 day ago
  • ·
  • [ - ]
Steam is not the one doing that. Publishers decide regional pricing.
If Steam only had one input field for the price tag, then the publishers would only decide one price.
The PPV model has been tried a bunch of times, and it always turns out that the rate people are willing to pay per view is not a rate that is high enough to be a viable revenue source for the content owners.

it takes a lot of $0.10-$0.25 views to make up for the loss of a $5/month recurring revenue stream that might last for years.

I wrote about this exact problem last year. To anyone who disagrees, would you pay me 5 cents to click on the following link?

https://sheep.horse/2024/11/on_micropayments.html

yeah 5cents is nothing and knowing it goes straight to the person who put the effort into writing is better than it going to an advertiser.
The fact that advertising is more profitable doesn't mean that the PPV model is not viable. It could certainly be so. Every site could set their own price, or specific tiers, which users can agree to, just like they do with subscription-based content today.

The problem is skewed incentives, of course. Advertising is acceptable to most users and easy to integrate, so why should website authors go out of their way to please a minority of their users who object to it?

>Every site could set their own price, or specific tiers, which users can agree to, just like they do with subscription-based content today.

you're describing the model of a product called blendle, a service which i loved but which totally failed. they failed to attract users, and they failed to attract publishers. this isn't some new idea that nobody had tried. it's been done. and it failed, not just for blendle. people have tried micropayments, they've tried subscriptions, if you can imagine a PPV model, it's probably been tried. readers and publishers both hate it.

I wasn't aware of Blendle, but I'm not surprised that it failed.

Advertising is ubiquitous on the web. Integrating it into web sites is simple, it works well for generating revenue at scale, and users have been conditioned from every other media industry to accessing content for "free". There is practically no friction for users, save for the degraded user experience, which most people have learned to live with or ignore.

So right off the bat, anyone trying to deploy alternative business models is going against the current of a trillion-dollar industry, and well established consumer expectations.

> readers and publishers both hate it.

Why do you think that is? Is it because the micropayment model is inherently bad, or because implementing it is difficult for website owners, it is annoying to use for users, and ultimately brings little revenue?

What if implementing it were as easy and convenient as advertising is today? What if users had an easy and convenient way to link their payment method into their browser, and from then on it required no maintenance? What if they understood that the web is not "free", but someone on the other end should be paid for their work if they find it valuable? What if this model actually generated significant revenue for publishers? What if all this was simply the way the web operated from the start?

Clearly this model hinges on a bunch of hypotheticals, but hopefully you get the point. There's nothing fundamentally wrong about users paying for consuming content. This is the way business transactions work in most respectable industries. You want something, you pay for it directly. You don't ask a third party to step in between you and the seller, to show you manipulative content that directly benefits them and their associates, while indirectly paying for the thing you actually want to buy. The fact we've accepted this corrupt business model as normal in many facets of life is absolutely insane. Never mind the fact that it's being used to manipulate us into thinking and acting in ways which corrupt democratic processes and cause sociopolitical instability, or that it's abusing our right to privacy and exploiting our data. To hell with all of that.

Do you think the fact that NO major content websites (NYT, substack, WSJ, ...) have settled on a PPV model is simply because they haven't thought of it? Or is it more likely that the numbers absolutely do not work?
No one uses the PPV model because there isn't sufficient payment infrastructure (402 payment required). The friction for entering your credit card information into a website is ridiculous, you might as well target the high end of the market with a monthly subscription.

The PPV model, like Ads, works well for websites that you're not well associated with. Random blogs and websites that you otherwise wouldn't be willing to share your credit card info with.

I think it might be because with ad model you can sell profiling data many times over to different parties. You can’t do the same with a single charge.
That's a false dichotomy.

I can't speak for all web sites, but I reckon a combination of factors could explain why such a solution hasn't been deployed:

1. Advertising is ubiquitous, easy to integrate, and provides a safe revenue stream.

2. There is little to no infrastructure for the PPV model. Whoever builds it would need to maintain their own version of it.

3. People expect the web to be "free". This is even true within technical crowds who understand that it's really not free. And a large part of that group doesn't mind advertising.

So, really, it would require a substantial amount of effort to implement, it would add additional friction to users, and ultimately only a minority would appreciate it.

Had this model been in place from the beginning of the web, things might be different today. Alas, if my grandma had wheels...

And people prefer unlimited subscriptions.
Have any of them actually tried it though? If they have and I missed it, then I apologize, but I can't recall the NYT letting me read an article for $1 with zero friction via Apple or Google Pay or Stripe link or something. It they tried it and the numbers didn't work, that's one thing, but I don't recall that happening.
Doing it via conventional card networks won't work, the fees would eat most/all of the payment.

A critical mass of publishers would need to team up and form a cooperative/etc where a user could register once, deposit some money, and then that money would be spent every time they view an article. But that requires cooperation between competitors, which is already hard enough, and the cancer that is the advertising industry wouldn't like this potential existential threat and would be more than happy to pour fuel onto the fire to ensure it never succeeds.

What's surprising is why the card networks themselves don't get in on it. They could do so in a completely backwards-compatible manner, introducing a new card number range that only works with transactions under a certain amount and have different fraud protection/chargeback rules.

WSJ was available on blendle (pay-per-view microtransactions). Washington Post was available on scroll (monthly subscription, divided up amongst the publishers you read each month). neither service still exists.

i don't believe NYT has ever tried a pay-per-view model.

I would. Or alternatively I'd also pay for a Spotify style model where my monthly amount get redistributed amongst the articles I read.
At the risk of pedantry, though it's still germane to this context, that's more the Tidal model than the Spotify model.

Spotify's model is more that your monthly amount gets disproportionately redistributed to the artists that bring more interest and listens to Spotify, regardless of whether you were one of those listeners. Smaller and niche artists suffer under Spotify's model.

Charge the provider per view. Charge the sender of that spam email per message delivered. The new internet. Would this work?
You're presupposing that these blogs are producing content worth paying for. The unfortunate truth is that the overwhelming majority of blogs (99.9%+) are not.
The PPV model can at least cover the cost of bandwidth. If you are loading the page, it must be at least some value to the user, say 1/10th of a cent.
Then why is everyone so nostalgic for the old days of the blogosphere to return? If blogs are all worthless, then we shouldn't care that they're disappearing and/or being put behind paywalls; we haven't lost anything.
I blog for my own satisfaction, and my blog has no ads on it, and I don't charge visitors. I'm happy to have a few dozen readers.

That's what people are bemoaning the loss of: the before times, when people did interesting stuff without regard for whether it could be monetized or not.

> Would you pay per view?

Yes, but only after viewing, of else I'd pay for "editorial" or AI generated slop which would be generated like link farms pointing to Amazon etc.

And that's the chicken-and-egg problem ...

In theory that could be resolved by registering for free at reputable sites and then paying per view with micropayments. Or by a scheme where one would register and only pay when I actually did read stuff, not with the currently en-vogue monthly fee for each and every site.

How do you track the views?
How do you track ad impressions?
Hard to say, there's no shortage of enticing looking medium articles that are superficial and worthless. I would not pay per view that trash even though there are good ones buried in the pile.
"If you thought click-bait was bad before..."
Brave Inc. gets a lot of flack, some warranted, but their Basic Attention Token allows for exactly this. Users can add credit to their wallet by either consuming privacy-friendly ads or topping it up manually, which then gets distributed to the sites they visit in the proportion they choose, transparently in the background while they browse.

It is a shame that this feature gets lumped together with claims of crypto scams, and similar nonsense. Yet this is precisely the right model that could work at scale to eliminate the advertising middleman, and make the web a safer and more enjoyable experience for everyone.

It's frustrating that humans are stoichastic parrots and the minute you mention crypto they go into conniptions because the rails are basically there. It's not user friendly, but it's possible to build a system where you transfer $0.05 cents of crypto to someone as you scroll down a web page using a special browser.
Brave strips out the ads that the creators put on their site, puts their own ads there, then gives the creators some of that money if and only if the creator realizes they have to sign up for Brave's cryptoshit. It's straightforwardly the kind of racket that would get your knees broken if you tried to do it to somebody in real life, but "it's ok because it's on computers". All the flak is deserved.
But then again, online ads are the physical equivalent of a crowd of paparazzi following you 24/7 including inside your home, which would also prompt physical violence in the real world.

From my perspective I couldn't care less if one bad guy is stealing from another bad guy.

  • EbNar
  • ·
  • 19 hours ago
  • ·
  • [ - ]
Nope, they don't "put ads on the site". That's not how it works.
This is exactly what I want. I don't really care to subscribe to most written media (I do in some cases) but once in awhile an article grabs my attention and I would shell out to read it.
> I'm not going to pay $5/month for every blog that I occasionally read

Why would you assume ads are worth $5 a month? Its more like paying 10cents to read the blog.

The Ad model is exactly the problem. If you had anonymous, cheap micropayments where you pay 1 cent per pageview it would not just solve the surveillance problem but it would solve the DDoS problem too (you set up a web server where the price increases with load and clients bid for bandwidth).
Sadly, I think you are wrong. Micropayments seem attractive but the idea falls apart quickly - there are just too many intractable non-technical problems. It has been tried more than once and each effort has failed.

I wrote a longer post on this[0] but to save you the click I will state the biggest problem from a privacy point of view - if you think privacy is bad now with ads imagine how much worse it would be with a payment processor knowing your every click.

Yes, I know about certain cryptocurrencies that maintain privacy, they are a non-starter for micropayments for different reasons.

Even if a magically technical solution to privacy were to emerge there is nothing more valuable than information about paying customers and sites would use browser fingerprinting anyway.

[0] https://sheep.horse/2024/11/on_micropayments.html

I think it is a technical problem. If you could integrate payment channels on top of private cryptocurrencies that would be enough. Even without the lightning network and just direct 1-to-1 payment channels, it would work.

The article you lists assumes a "conventional" credit card system with chargebacks, massive fees, etc. which makes micropayments ecosystem impractical in the first place. Proposals for micro-payment systems usually describe a way top enable low-fee payments.

The author doesn't take into account modern cryptocurrency tech like payment channels. I really doubt that payments have a natural fixed floor of 10s of cents - Payment providers charge these fees simply because they are in a natural monopoly position, thanks to lock-in and regulation. The need to control fraud is caused by regulatory requirements, which are in turn caused by monopolization.

Despite being technologically less efficient, even traditional cryptocurrency payments are cheaper than bank transfer fees due to competition and low regulation.

Secondly, you assume that no one wants to do micropayments. The infrastructure doesn't exist for it yet. If you don't build it, they will not come.

As for browser fingerprinting, it can be solved on the client side with enough effort. Look at tor browser. Just have a system where cookies, WebGL, etc. are opt in on a browser level in the same way that WebUSB is. Artificially limit the performance of javascript to prevent bench-marking. I think it is possible to solve this architecturally.

Check it out!

https://en.bitcoin.it/wiki/Payment_channels

https://lightning.network/lightning-network-paper.pdf

Also, there are GNU Taler/Chaumian cash type systems that inherit the efficiency of centralized systems with an added privacy benefit.

> If you could integrate payment channels on top of private cryptocurrencies that would be enough.

That “if” is doing a lot of heavy lifting there.

But my point is that even if a magical technical solution existed tomorrow then the same sites that collect data for ads would continue to do so for the much more valuable data on paying users.

People have been hacking on this "if" for a while, and I suspect we will break through to the other side eventually, probably by the end of the decade. The problem is really just that cryptocurrencies like monero want to minimize their use of scripting, because transactions with scripts are a heuristic that can be used to de-anonymize you. But payment channels require some sort of timelock, in bitcoin this is done with HTLC script.

There have been a number of proposals, I think the oldest is DLSAG: https://eprint.iacr.org/2019/595.pdf There are other ones based on time-lock puzzles, but those have always been kinda crappy.

It may be possible with some ZK magic I'm unfamiliar with. But the core of the problem is that we need to find a way to make a transaction valid but only after a certain block height, and make it so that validators can't learn any specific heuristics about the transaction (like what the block height is exactly).

>But my point is that even if a magical technical solution existed tomorrow then the same sites that collect data for ads would continue to do so for the much more valuable data on paying users.

Sure, but after the micropayments revolution there will also be a change in the types of sites people use, enabled by the new form of monetization. You could rely more on people posting things like videos to their personal blogs and interlinking them instead of having to shack up with one of the few sites large enough to support ad-funded monetization. The internet would have a basic spam-resistance function, so it would be less reliant on the existing players to gatekeep (for example, email, forum moderators, etc).

I think it would be more competitive. Let's say you have a site like twitter that says "now that there are micropayments, we will charge you 1 cent per pageview AND force you to login and collect your data", well then you will have a competitor like xcancel.com which can charge 2 cents per pageview and not require login. The market would decide what the best model is. Right now proxy sites like xcancel have to do it for free. Even if they wanted to run ads, the ad market isn't competitive in the same sense because it is more profitable for larger players.

I think you mention in your blogpost that no one would want to support micropayments because of piracy. I consider this a massive advantage of the micropayment system. It's pro-piracy by default. If you look at the origins of ad-funded sites like youtube, they started out as hubs of (light) piracy. The content of social media sites should be pirated and mirrored: they are just getting rich off of network effects in the first place. If you combine micropayments with some sort of bittorrent-like system, this could be very powerful. Imagine a decentralized archive site, where you take advantage of TLS to archive a verifiably timestamped version of a page, and anyone else can send you money that is conditional on you providing them a copy of that archive in return.

Micropayments don't fund the development of new intellectual work, but they let you recoup the cost of bandwidth. He who does not host, also does not earn. If you want to fund the development of new work, I think you need patronage. We are already seeing this with a lot of videographers from youtube depending mostly on sites like patreon and donations from dedicated fans. In a micropayments world, you wouldn't have sites like patreon taking a cut. Aside from just having ~0.1c micropayments-per-pageview, you could have very easy p2p "mini-payments" on the order of ~$1 in exchange for donation rewards.

With less money in the annoying ads economy, google and others would have less power to alter the web standards to their whim, and we could claw back features that enable fingerprinting. I don't know, that is just my dream.

  • yegle
  • ·
  • 1 day ago
  • ·
  • [ - ]
https://en.wikipedia.org/wiki/Google_Contributor was the ideal solution IMHO.
Ideal for what problem? Certainly not for reducing Google's data collection and improving privacy. It would only work with tons of small payment providers, but then you are back at square 1 that users need to subscribe with tons of services for just pennies.
Give each of them $0.25/mo, and you’ll probably 10x-100x what they’re currently getting from you watching ads.
Pay $5/month to buy credits that let you read content behind that network. Every blog you read gets $0.10. Top up with credits if you run out.

Sending emails costs $0.50.

  • ako
  • ·
  • 1 day ago
  • ·
  • [ - ]
I read from too many different sources through aggregators like hackernews. With a network you'd probably still have too many subscriptions.

Also wonder if it will really work out, i open too many articles that are pretty bad when you start reading them. So i quit after 1 or 2 paragraphs.

Now if you get the first 2 paragraphs for free, contents writers will start to optimize for good first 2 paragraphs, and afterwards quality will drop. Also, many blog posts or news articles don't have more than 2 paragraphs of good content.

Eh, that's too expensive unless the recipient can authorize refunds for non-spam emails.

But yes, I always thought some form of network syndication would emerge on the Web, where creators could register for their share of aggregated periodic payments made by users.

Still not sure why that's not a thing. I would pay $50/month to a syndicate in return for never having to deal with paywalls on any sites affiliated with them. But only as long as the vast majority of sites participated, and that is probably the showstopper, I guess. We'd end up paying 20 different 'syndicates' for absolutely no good reason, just as we now have to deal with 20 different streaming services.

  • tgv
  • ·
  • 1 day ago
  • ·
  • [ - ]
They don't get $5 per month from ads. So the true subscription price must be a lot lower.

One option: a fund where you buy tokens, that you can spend reading an article. That will, however, lead to more clickbait and AI slop and snowing under serious blogs with low volume.

This micro payments for content idea has been tried a few times, with slight variations. No-one has cracked the problem yet. But maybe one day
  • ericd
  • ·
  • 1 day ago
  • ·
  • [ - ]
I know HN doesn’t love crypto, but this kind of thing seems promising for finally cracking micropayments: https://www.x402.org/
Ads are annoying, but they are ok, what is not ok is collecting data and then selling it, so they can profile you without your consent across different platforms.
how about donating to the creator directly? not subscription, just occasional donations whenever people feel like it - content is more widely available, and people who really enjoy it or are well off can actually fund the development
Yes, but you need a scalable and low-friction donation solution. Patreon is the closest but it doesn’t pay the bills for most creators. Maybe some micro-tipping solution, but nobody has made that work yet.
No one has made a successful micro-tipping solution, because regulations and entrenched interests (banks, payment processors) have too much control and assess per-transaction fees that dwarf the amounts that such a system would be designed send.

Aggregation of tips and payouts would help, but that requires network effects (achievable only at scale) to be viable. I believe this approach has been tried in recent years, but I am not sure where those efforts went.

If someone puts a donate button beside their name or in the corner of their webpage, and that button leads to a payment page, I think that's good enough.

The point of paying creators is so that they can focus on creating content instead of making other things. Giving money to a creator is basically saying "you're so good at what you do, and it has so much cultural/intellectual value, I'd rather have you make content instead of stocking shelves or making food". But this should be reserved for people that publish good content because they can and are passionate about it, not just anyone putting out slop with the instrumental goal of paying their bills. If the friction of clicking a button and filling in payment details is enough to deter people from paying them, then maybe their content isn't worth paying for and they should find some other way to make a living instead.

I already pay my isp. Maybe they should work something out with them.
> I want to make sure that content creators are compensated for their work. Ad firms that employ fingerprinting stand between me and the content creator.

This is false: We're the ones who pay the creator, because:

> I'm not going to pay $5/month for every blog that I occasionally read

If that upsets you, please understand it upsets me to, because

> but at the unacceptable price of privacy

I want you to consider a different toothbrush brand, or maybe a hot location for a holiday, and the idea that I am "invading" your privacy in trying to do this is disconcerting.

I understand there are actors who want to use your private personalising data to harm you. I think that is bad, but I am telling you friend, that isn't me.

> I'm not quite sure what the answer is.

Listen, as an insider I am not quite sure what the answer is either, but I'm telling you that content creators need to eat because you have threatened them with capitalism which murders you if you don't participate, and I am the one feeding them and not you.

I think though, it probably takes the form of better laws that prevent people from using personalised data to harm you without public (judicial) review, and I think that is going to require people like you thinking of the outcome that you want, instead of foolishly trying the impossible to conserve your personal privacy.

Showing ads doesn't require invasive and pervasive 24/7 surveilance.
We could normalize paying content creators directly. So instead of paywalls or ads, we get "donate" buttons.
  • tetha
  • ·
  • 1 day ago
  • ·
  • [ - ]
It reminds me of a game we played with students of data classification algorithms like ID3: How many yes/no questions do we need to uniquely identify everyone in this room?

With like 12 students, that's 4 bits, and it often ends up with 2-3 questions. It starts off with the obvious ones - man/woman/diverse, but then a realization comes in: An answer usually contains more information than just that one bit. If you have long hair, you're most likely a woman and/or a metalhead for example. That part will get shaken out later on.

And those thoughts make these browser fingerprinting techniques all the more scary: They contain a lot of information and that quickly cuts the possible amount of people down. Like, I'm a Linux Firefox user with a screen on the left. I wouldn't be suprised if that put me in a 5-6 digit bucket of people already.

> An answer usually contains more information than just that one bit.

That means there is less information in the question "do they have long hair?", not more. Asking "long hair?" and then "woman?" is probably, in most groups, roughly the same as just the first or second question alone. So the second question added much less than one bit of information because the answer is probably "yes". "Long hair" and then "metalhead" is the same, except that the answer to the second question is probably "no".

Yes/no questions on average contain the most information each when they partition the remaining possibilities 50:50. Then each answer gives you exactly one more bit. The closet you get to either a 100:0 or 0:100 yes:no split, the smaller the fraction of a bit you encode in the answer.

"Metalhead?" usually gives you lots of bits of information (probably 4 in an "average" group of 16 containing at least one metalhead) if the answer is "yes", but on average that's outweighed by the very high chance that the answer will be "no". If there are no metalheads or only metalheads, it gives you zero information.

  • tetha
  • ·
  • 1 day ago
  • ·
  • [ - ]
Ah, I flipped it in my head. That happens after 10 years.

In this case, it was often an interesting exercise in bias as well. "Woman?" would usually single out 1-2 persons out of the 15, so it was a terrible question. It was CompSci after all. "Long hair?", lumping women and metal heads into one group would often split it into half and half. That was much better, and then spurred creative thoughts like travel distance, or bus stations.

>An answer usually contains more information than just that one bit.

Isn't the point to ask yes or no questions?

  • zie
  • ·
  • 1 day ago
  • ·
  • [ - ]
Yes, but you can make assumptions based on what you know about humans generally. Like their example that if you ask if you have long hair. If you answer yes the likelihood is you are probably female.

You can think of all sorts of questions and answers like this, and when you combine with the assumptions and answers from previous answers you can make even more assumptions. They won't always be correct, but you don't have to be "perfect", depending on your use-case. For example for advertising purposes assumptions(even if incorrect) can still go a long way.

There is a reason Target got sooo good at identifying pregnant women[0] before the women knew they were pregnant that they creeped out women, and had to pull back what they did with that information. This was like a decade or more ago. It's only gotten more accurate since then.

0: one example from 2012: https://techland.time.com/2012/02/17/how-target-knew-a-high-...

https://medium.com/@colin.fraser/target-didnt-figure-out-a-t...

https://www.predictiveanalyticsworld.com/machinelearningtime...

  • zie
  • ·
  • 1 day ago
  • ·
  • [ - ]
Even if that one particular instance is false, I seem to remember Target saying their model was too accurate and they were changing how they did things. i.e. Target admitted to predicting pregnancies very well.

Why would they do that, if they didn't think their system was that good?

Maybe to convince other companies to buy Target ads. Advertising companies uptalk how effective their advertisements are to persuade other companies to buy adspace.

Target isn’t going to do something that scares away consumers, like say “our ad tracking is TOO good”, unless there’s another benefit that makes it net positive for them.

> Target got sooo good at identifying pregnant women

That's why I pay with cash and do not have a loyalty card (other customers often offer theirs at cash register anyway). And of course I don't even go to Target.

I don't know if Target specifically use all of these, but I would bet they have data based on at least some of facial/gait/demographic recognition, wi-fi/Bluetooth beaconing, vehicle registrations, time and location tracking, statistical analysis of your purchases and clustering of people you have made purchases next to (e.g. you bought something at same time and till as your mother more then once). I'm sure they have other methods too. They can also combine datasets from brokers that do have a face:name link (say you used a card at another store that captured it and sold the data) and resolve you within their own data that way.
It's still a yes/no question, it's just that the question is "do you have long hair".

The goal of these decision trees is to have as few questions that divide the group in two balanced halves (and also recursively).

If you imagine a binary tree with questions in each internal node, and in each leaf there is a person. You want the height of the tree to be minimized.

  • tetha
  • ·
  • 1 day ago
  • ·
  • [ - ]
Yes, but multiple yes or no questions in combination can easily yield more information than they should in a real dataset. That's the real educational point.
You seem to be confused about the difference between "less" and "more". In general a yes-no question gives less than 1 bit of information if yes and no are not equally likely. There is no way it can be expected to give more.
> There is no way it can be expected to give more.

It is indeed not possible for it to give more, because it only has a single bit answer, which by the pigeonhole principle can't give you more than one bit.

The best yes/no questions are the ones which are independent of each other and bisect the group evenly. "Are you female" is typically good because it will be approximately half the population. Then you want independent questions that bisect the population again, like "does your first name have more than the median number of letters" which should be mostly independent of the first question. Another good one is conditional questions like "are you taller than the median for your sex" since a pure height question wouldn't be independent of sex but that one is.

Whereas bad questions would be ones with highly disproportionate responses, like "do you have pink hair with black and green highlights" which might be true for someone somewhere but is going to have >99% of people answering no, or "were you born on the planet Mercury" which will be 100% no and provide zero bits of information.

[flagged]
I think a plain reading of the post you’re replying to would be “obvious as a way of segmenting people”.
  • Vinnl
  • ·
  • 1 day ago
  • ·
  • [ - ]
It's obvious in the sense that most people will start out with that as their first question.
  • skaul
  • ·
  • 1 day ago
  • ·
  • [ - ]
Self-plug but if anyone is interested in learning more about how browser fingerprinting works and the different protections browser makers deploy against it, I wrote a longer post about this a few months ago: https://pitg.network/news/techdive/2025/08/15/browser-finger...
its consistent cross site, so you get all the same privacy problems as with 3rd party cookies
The article is missing links to one of the first fingerprint diagnostic tools, https://coveryourtracks.eff.org/ , formerly called something like panopticon.net.
or don't trust the EFF!
Beyond the notion that no org should be trusted implicitly, why would the EFF specifically be untrustworthy?
  • baxuz
  • ·
  • 15 hours ago
  • ·
  • [ - ]
Was just about to ask the same.
The core of the problem is that we've made this behavior of "run javascript that pulls more javascript and then run that too" the default. Stallman was right, as always.
The problem is not JS, the problem is useless techonolgies like WebRTC or WebGL that can run without permission and that, I think, are used in 99% cases for figerprinting. And people who designed them and did nothing to prevent fingerprinting.
WebGL and WebRTC are hardly useless, but they allow you to collect way too much fingerprinting data based on the way they've been designed.
Neither WebRTC or WebGL are remotely ‘useless’. Very fair though to say that you would prefer to have them disabled and/or whitelisted for certain sites.
The older I get the more I see that RMS was right about so many things.

When I was young I used to think of him as that eccentric pedantic mit guy but now I see him as a true warrior for freedom.

Oh yeah. He's been telling us for decades how technology will be used to oppress people. I guess he had the experience of how things turned out with UNIX, and knew first hand how hard he had to work to even have a chance at undermining them. What he did at a time was build something from scratch which was compatible with the UNIX interface. These days I would call that a lost battle.

Imagine if you said: I'm going to undermine facebook by building another social network which will be Free software, and will be compatible with facebook. I'll federate facebook whether they like it or not, and I'll do that by reverse engineering how facebook servers talk to each other. That wouldn't work because it takes you huge effort to pull off, and it takes facebook zero effort to change the interface in a tiny way that breaks everythign for you. (Ok the analogy isn't perfect, but hopefully you get the idea of diminishing something's value by forcefully opening it up)

But he hugely contributed to win a battle like this in the late 80s, then Linus Torvalds came in and finished the job in 1991 or so. RMS doesn't get the credit or even appreciation he deserves. I think he's one of the most tragic figures in the history of computers.

  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
>The core of the problem is that we've made this behavior of "run javascript that pulls more javascript and then run that too" the default. Stallman was right, as always.

It really isn't, because there's plenty of fingerprinting scripts that run on the same domain, especially fingerprinters from security providers like cloudflare or akamai.

A browser basically is like a really dumb trojan, pulling a whole herd of wooden horses into the city.
Does he have a strong stance of JS in the browser? In any case, I don't think many people would agree that the dubious extra privacy you gain from blocking that is really worth breaking half the web. Fingerprinting is not too hard even without JS.
> Does he have a strong stance of JS in the browser?

Lets see what he says on the subject.

https://www.gnu.org/philosophy/javascript-trap.html

Ok so his issue is even more obtuse - he doesn't care about fingerprinting; he cares that not all JS code is GPL.
Did you actually read the article? It doesn't mention GPL even once.

And neither does the page on LibreJS, which is the tool he created to attempt to address the problem[1]

[1] https://www.gnu.org/software/librejs/

Did you? The whole thing is about how JavaScript allows running nonfree (that means not GPL to him) software on your computer without realising it.
> https://news.ycombinator.com/user?id=IshKebab

> Did you? The whole thing is about how JavaScript allows running nonfree (that means not GPL to him) software on your computer without realising it.

No, Free is not the same as GPL you ignoramus.

I would re-frame "is it really worth breaking half the web" as those sites are not compliant to begin with. Nothing in the web standards stack mandates javascript, its an optional feature! Web developers of yore understood that a fundamental property of a properly written web site was to degrade gracefully if javascript wasn't available, but the groupthink of the past decade has chosen weaponized incompetence over doing their jobs and in the process has not only thrown a load of noncompliant insecure garbage out there, but broken a load of accessibility standards, and other things in the process.
Blocking most JavaScript is fine, it mostly just breaks the silly pointless over-designed sites anyway. Just like everything else, most of the internet is garbage; blocking over-designed JavaScript sites isn’t a perfect filter but it is an ok first heuristic.
His stance is pretty simple. The JS on most pages is proprietary, and he doesn't like proprietary software.
  • xp84
  • ·
  • 1 day ago
  • ·
  • [ - ]
On articles like this always I see a lot of people bragging about how they’ve pimped out their browser(s) to make themselves “untrackable” (or proposals to make new ways of tracking impossible) but nobody ever brags about how lack of “tracking” has positively impacted their lives.

I do block ads on the web with UBlock Origin because there’s no pay option to opt-out of it and ads ruin the experience. But I don’t give a fig about tracking. Change my mind. Why would the average person enjoy a better life if they became untrackable on the Web?

This tracking absolutely has impacted the average person. Have you noticed how addictive the social media algorithms are today? Pretty much everyone I know struggles to get off their recommended or "for you" tab at this point. It literally is rooted in tracking how long you spend on each piece of media, rewarding and delaying that reward based on what will hook you the most. If you start disabling tracking and anonymizing your browser, it suddenly all becomes really clear how unnecessary the content really is...
The average person probably won't notice or care otherwise this would be a much more publicized issue. The average person also doesn't care that their refrigerator and television phone home, their calls and data are slurped up by the NSA, and their location can be tracked through their cell phone and vehicle movements.

However, just because the average person doesn't notice and doesn't care, it doesn't mean that their life can't be ruined at some point because of these things. You never know when you're suddenly going to be targeted for something you may or may not have done.

People being untrackable in general ensures that folks who need to be untrackable are more easily able to achieve that goal --- the world is a much darker place if journalists are hindered in researching stories.
I think about this sometimes as I do a lot of things attempt to protect my privacy and keep control of what I’m paying attention to (ie not doom scrolling / shorts, carefully controlling notifications). So I make a lot of sacrifices including my time in order to maintain control over my technology.

I think it’s not possible for me to say if my life is really better, because it’s the whole road not taken thing. It’s not possible to know and so it’s not worth agonising over, but I’m choosing to live according to my values at least, and that seems valuable.

Whether or not they would enjoy a better life doesn’t matter if there’s no way to avoid your assumed preferences being tied to your devices, and for it to know the preferences of those you spend time with, those you work with, where you go, etc.

Though, from what I understand, overall the fingerprinting success rate is only about 30%.

One time fingerprinting, sure. But if you collate tracking info from a hundred sources or so, you pretty much have person, name, email, and location.
Is this before or after ICE became a $150B secret paramilitary beholden to a corrupt authoritarian with a large cohort of sycophantic tech billionaires?
  • xp84
  • ·
  • 1 day ago
  • ·
  • [ - ]
I’m not an illegal immigrant so I’m not worried about it
Neither are many of the people ICE has beaten and detained, didn't save them, won't save you.
That is short-sighted for many reasons that I don't need to mention.
> nobody ever brags about how lack of “tracking” has positively impacted their lives

This reminds me of the anti-vax logic a tad in that they lack the imagination on the seemingly obvious effects of their ideal world.

Being indifferent to companies and political parties (which becomes your Gov't when voted into power) indirectly states that you are indifferent to others attempts to influence you and/or foolhardy enough to believe that all of your beliefs consistently originates from objective personal experience.

I have one! Because of my anti-tracking measures, all social media platforms still don't seem to have a profile on me for content preferences, and so fail to show me the hyper-curated slop they do to everyone else. What I see instead is a classic feed of the best content generally trending across the world, pre-2010 style. That's one way it has impacted my life.

Another way is the security and peace of mind it gives me while living in a country that has a behemoth population of bad actors online. Everyone I know has fallen to at least one targeted cyber-scam or the other. I haven't.

Something missed in the continual tracking/privacy discussion is the primary motivations for doing so, with the assumption that it's about advertisers trying to sell you more stuff.

I'm 100% in the need for personal privacy camp, but mention this only because without addressing the underlying issues, it's hard to come up with larger solutions.

And the big issues really come down to fraud and cyber attacks:

- Years ago, the NYTimes was found to be doing some kind of homegrown fingerprinting with canvas. They have plenty of ways of doing analytics and tracking subscribers, they were trying to root out ad fraud.

- When Spotify has people every day putting up AI-generated streams and attempting to "listen" to them with bot networks, they start to look at things like fingerprinting.

- Massive credential stuffing attacks on sites are often thwarted at the technical level by fingerprinting.

- Bot traffic (and in particular AI indexing bots not respecting robots.txt) has shot up dramatically in the last year, and fingerprinting is one of the strongest ways of bot identification.

Again, want the personal privacy, but think we need to fix the professional problems to get there.

For a fingerprint to be useful it must not only be unique but also persistent. If I have a process that randomly installs and deletes wacky fonts, I'm unique at any given time, but the me of today can't be linked to the me of tomorrow, right?
Point still taken, however you can only really check if a given font is installed, not obtain a list of all fonts. Thus, installing a wacky font is pointless as the fingerprinter won’t bother to check that particular font. There is queryLocalFonts on chrome but this requires a permission popup.
Correct, however:

> By following users over time, as their fingerprints changed, they could guess when a fingerprint was an ‘upgraded’ version of a previously observed browser’s fingerprint, with 99.1% of guesses correct.

https://coveryourtracks.eff.org/static/browser-uniqueness.pd...

https://mullvad.net/en/browser/browser-fingerprinting

> If I have a process that randomly installs and deletes wacky fonts, I'm unique at any given time

Technically for fonts, there’s no API for listing installed fonts, so trackers have to check each font by name. Likely they won’t be checking super obscure font names.

That method might help for other signals though.

  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
>If I have a process that randomly installs and deletes wacky fonts, I'm unique at any given time, but the me of today can't be linked to the me of tomorrow, right?

See: https://xkcd.com/1105/

Services with a large enough fingerprinting database can filter out implausible values and flag you as faking your fingerprint, which is itself fingerprintable.

The problem we’re falling into under this (ostensibly accurate) point is when we start making this a game, where fingerprinting is either “100% effective and insidious”, or “can’t be 100% certain 100% of the time, so it’s ineffective and nobody will use it against me”.

The point is that a sufficiently motivated actor could use a very broad array of tactics, some automated and some manual, to identify, observe, track, and/or locate a target. Maybe they can’t pin you down with your browser fingerprints because you’ve been smart enough to use tools that obfuscate it, but that’s not happening in a vacuum. Correlating one otherwise useless datapoint that happens to persist long enough to tie things together at even low-ish confidence is still a hugely worthwhile sieve with which to filter people out of the possibility pool.

The problem isn’t that it doesn’t affect most average people, or that it it’s terribly imprecise. The problem is that it’s even a little effective, while being nearly impossible to completely avoid. It’s also a problem if that’s used by a malicious state actor against a journalist, to pick a rather obvious example. Because even in isolation, this kind of violation of civil liberties necessarily impacts all of society.

The public should be given more information and control, broadly speaking, for when they are asked to trade their rights for convenience, security, and/or commerce. In particular, I think the United States has allowed bad faith arguments against regulatory actions and basic consumer rights so corporate lobbyists can steamroll any chance of even baseline protections. It would behoove all of us to be more distrustful of companies and moneyed interests, while being more engaged with, and demanding of, our governments.

But they still wouldn't be able to confidently connect his different fingerprints to the same individual, just that he is one of a group of individuals who fake their fingerprints.
  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
It would depend on what your existing fingerprint is. If you're using some sort of rare browser/OS/hardware combination (eg. pale moon/gentoo linux/IBM thinkpad) it might be worth spoofing, but if your configuration is relatively "normie" (eg. firefox/windows/relatively recent intel or amd cpu/igpu)you're probably making yourself stick out more by faking your fingerprint.
The issue is that, especially on desktop, I doubt there are many fingerprints that more than 100 people have, given everything that they test. I would even suspect that most common desktop fingerprints are classified as bots.
It's likely that yes, you will end up with an alias that links you because of a cookie somewhere, or a finger print of the elliptic curve when do do a SSL handshake, or any number of other ways.

The ironic thing is that because of GDPR and CCPA, ad tech companies got really good at "anonymizing" your data. So even if you were to somehow not have an alias linking your various anonymous profiles, you will still end up quickly bucketed into a persona (and multiple audiences) that resemble you quite well. And it's not multiple days of data we're talking about (although it could be), it's minutes and in the case of contextual multi-armed bandits, your persona is likely updates "within" a single page load and you are targeted in ~5ms within the request/response lifecycle of that page load.

The good news is that most data platforms don't keep data around for more than 90 days because then they are automatically compliant with "right to be forgotten" without having to service requests for removal of personal data.

  • baq
  • ·
  • 1 day ago
  • ·
  • [ - ]
The real problem: if you can’t be identified, the system assumes you’re a bot, untrustworthy, or both and instead of reading content you get to select squares with buses and traffic lights ad infinitum.
Yes, and the conspicuous lack of signal is itself a signal.

"Get me all the individuals in this geo area that have atypical communication patterns..."

  • Terr_
  • ·
  • 1 day ago
  • ·
  • [ - ]
https://xkcd.com/1105/
We really need a browser (or several) that aren't effectively controlled by private interests (such as corporations).

Basically they are used as spy-tools. Many anti-features are pushed into them - a simple example is the disable-right-click functionality. I do understand that some of this have a useful functionality (for instance during an exam on-campus-site, to restrict what the students may do), but I always hate that I need e. g. a browser extension just to disable this antifeature. That's a super-simple example; there are many more severe examples such as fingerprint spy-sniffing here.

> a simple example is the disable-right-click functionality

This is a part of a W3C browser spec and every web browser has to implement it. But you're right that people writing the spec work for companies selling web browsers.

> Worst of all, perhaps, it can extract a canvas fingerprint. Canvas fingerprinting works by having the browser run code that draws text (perhaps invisibly), and then retrieving the individual pixel data that it drew. This pixel data will differ subtly from one system to another, even drawing the same text, because of subtle differences in the graphics hardware and the operating system.

I am concerned about the detail here: does this mean per hardware class (e.g. same model of GPU), or per each individual device?

Is the implication that there are certain graphical operations that - perhaps unintentionally - end up becoming akin to a physically unclonable function in hardware?

>I am concerned about the detail here: does this mean per hardware class (e.g. same model of GPU), or per each individual device?

per combination of hardware(GPU, resolution of display) and software(exact drivers)

  • sfink
  • ·
  • 1 day ago
  • ·
  • [ - ]
I have heard of such things. The signal is not persistent over time, since it's dependent on eg heat and concurrent operations. But it's there, to some degree, and can be correlated over time somewhat.

We've made our world a scary place.

Sandboxing in containers and manually exempting specific security tokens is arguably one of the better steps we can take in the immediate term, as are random agent strings and returning fake data for common prompts. Of course that only works in the immediate, because this, like advertising in general, is an arms race at the moment.

This feels like a regulatory question, not a technical one. We've repeatedly proven that with math and code alone, we can fingerprint and identify almost every unique person on the planet, given enough data points. The long-term solution seems like it should be severe consequences for data breaches (as in, corporation-destroying penalties for disclosure of PII, including fingerprint data) such that everyone only collects the data they need to provide the service in question and not a single bit more, deleting it as soon as it's no longer necessary. Right now there's no consequence if Google or Meta disclose huge swaths of user data, and thus no disincentive to collecting as much as they possibly can.

Punish the leaking of data, and suddenly you've raised it's cost to the point that casual players will nope out entirely. From there, it's the eternal back and forth of governments waffling between business and electorate interests.

  • gruez
  • ·
  • 1 day ago
  • ·
  • [ - ]
>We've repeatedly proven that with math and code alone, we can fingerprint and identify almost every unique person on the planet, given enough data points.

I'm very skeptical of this claim, especially in practice. Contrary to what many fingerprinting sites claim ("you're unique of everyone we fingerprinted!!"), browser fingerprinting can't possibly uniquely identify someone. Smartphones are pretty locked down and there's very few customization options that allow for fingerprinting. In the US Apple has around 50% market share in the US, and there are 30 iPhones models that are still in support. That means if you're an iPhone user in a city of 1 million, there are, on average, approximately 16.6k (500k / 30) other people with the same exact model of iPhone (and therefore fingerprint) as you. As long as you don't do anything to stick out (eg. living in the US but setting Denmark as your locale), you'll be reasonably anonymous.

  • dwg
  • ·
  • 1 day ago
  • ·
  • [ - ]
> ...severe consequences for data breaches...

Often had the same thought, if not shared same opinion. On the other hand, stiffer penalties have the trade off of incentivizing cover-ups, i.e. disincentivize honest disclosure.

And that’s where I’d need other SMEs in the room to help craft policy. Enough of us agree that the status quo is untenable, but we lack a clear vision to change it still. I know where I stand, but I don’t know what I don’t know.
You could test with this: https://github.com/abrahamjuliot/creepjs Does it store the data? Unknown.

The best browser for protection is https://mullvad.net/en/browser because it makes the connection uniform, to better blend in.

> best

I guess that really depends on how you classify "best"

Tor is pretty good for protection. Then there's always i2P as well…

Saying one browser can protect the best is pretty hard to prove.

Best among existing. Anti-fingerprinting field is still in it's early stages.

I wouldn't say Tor Browser is the best because it requires custom configuration to be usable conveniently, which will make the connection non-uniform (and the user will stand out).

>Tor is pretty good for protection. Then there's always i2P as well…

Tor and i2P does nothing for (anti)fingerprinting - the program which render the web pages does.

>Saying one browser can protect the best is pretty hard to prove.

Not a proof but things to consider: https://privacytests.org/

  • sfink
  • ·
  • 1 day ago
  • ·
  • [ - ]
I'd like a "Firefox + uBlock Origin" column on that page. (But then you'd have to consider filter lists enabled...)
Mullvad Browser is just Tor Browser without tor.

Among all the available browsers, mullvad/tor browser is the best we have in terms of fingerprinting resistance.

I don't agree the search for a technical solution. Fingerprinting is not useful for the small personal website, and when it's useful and abused, there's a 99% chance that there's a network behind. You can audit and control the networks using the law. Why not do that?

It's been obvious for a decade and a half that technical solutions won't be practical to implement.

I still haven't found a method that can fingerprint simple Firefox containers. I use automatic temporary containers as a rule, and rules for specific sites where I want to keep persistent sessions.

I don't understand how temporary containers are still not a built-in Firefox feature, it seems like such a no-brainer solution for privacy.

  • ·
  • 1 day ago
  • ·
  • [ - ]
Open question,

If you're on a VPN and using Firefox containers, is the only way to identify me to look at my mouse movement and correlate it?

Isn't the semi-recent per-site cookie jar most of this functionality?
  • arbol
  • ·
  • 19 hours ago
  • ·
  • [ - ]
Do you have a repo for this?
  • rob_c
  • ·
  • 1 day ago
  • ·
  • [ - ]
How to scream I'm behaving badly online...
How to scream, “I’m living a life of unalloyed privilege.”
Visiting a store does not give it the right for someone to stalk you. I don't see any reasons why (apart from the obvious $) this sort of business is not considered illegal. It wouldn't solve all the problems but would drastically reduce the incentives.

I know one particular online car store that shares user data with insurance companies and they use that in their models to compute a "willingness" to pay more for insurance as well as of establishing the user profile. Let's say you look a sports car but you end up buying a family van, they charge you more for that.

The very interesting part is that they create a "customer profile score" they is just a number and sell that number to other companies. So, by pipping your habits they aggregate data and technically do not violate some local laws.8

I want a spoofing tool. How would one go about sending all my browser's traffic through a proxy that swapped out fingerprintable aspects with those of selectable presets of the most common browser configurations? It'd help to be able to bypass certain details for a whitelist domains that actually needed granular exceptions. Most websites don't need this data for serving you.
there are a few more angles to this.

Firstly, on the counter argument side, when you visit a website, you are using their hardware, they have every right to make any requirements they want to use their hardware, they are not public spaces.

But more importantly, the fix is actually easy, use more than one browser, use private browsing sessions, use more than one device, only log in to services you dont mind tracking you, use ad blocking. everywhere. Dont use sites that dont behave. All things you should be doing anyway.

However, I also think the whole concept of browser fingerprinting is exaggerated. None of the things that can be used for fingerprinting are long lived, meaning any fingerprint probably has a shorter life span than the average cookie, and also far less reliable than say an IP address, which absolutely doesnt personally identify you.

meanwhile, it is quite rediculous to log in to all these services with 2FA, then expect any kind of technical or legal measure to prevent them from knowing exactly who you are with 100% accuracy.

Mostly thinking out loud, truly anonymous browsing is a tor node away, but a long time since I used that, there wasn't anything there I was interested in after intel exchange went down.

What I don't get, all this data is reported by your machine - why isn't there a tool/browser fork that allows spoofing a (fairly) complete realistic profile, with some sane presets like Edge/W11/Thinkpad or Safari/macOS/M4? Is it too complex, would it break too much, or am I just unaware?
  • arbol
  • ·
  • 15 hours ago
  • ·
  • [ - ]
There are browsers that people use for multi accounting that switch fingerprints for you. See octobrowser and other similar ones. They're generally paid products and need to work in conjunction with proxies
Most privacy-thumping browsers do this, to some degree, but it’s not a panacea. The article gets into it.
The article mentions some complications and browsers like LibreWolf that address some of them. But that's not really what I have in mind - I'm thinking more of a dashboard with editable fields for everything that might get queried, populated with what currently gets sent, and a drop-down that lets you select among preset/saved custom profiles.
I am planning to write my MSc thesis about the currently broad topic "Future of Open Web. Since I work at a contextual targeting company, I have also aggregated data about traffic to some news sites & contacts in the industry for interviews.

Any particularly interesting angles to this that you wished there was research on?

  • metek
  • ·
  • 20 hours ago
  • ·
  • [ - ]
I've recently started going full send and using Ad-Nauseaum instead of simply using an ad-blocker. I've even started seriously boning up on Javascript to see if I can come up with some horribly hacky :click:hover:focus smokescreen sideload.

I'm sick to death of companies thinking they have any right to keep tabs on me because they think it'll make them a buck.

You missed one of our best guarded secrets: ja3 hashes and their successors.

Basically, we can identify browsers based on the supported ciphers in TLS handshake (order matters too AFAIK). Then when your declared identity is not matching the ja3 hash, you're automatically suspicious, if not blocked right away. I think that's the reason for so many Capchas.

I built a nice tool to visualize that: https://tls.peet.ws. Its not that secret anymore though, more and more libraries are starting to allow spoofing for browser tls configs. There isnt really a cat/mouse game here - once you match the latest chrome, there is nothing to fingerprint
I do not think I understand that website. I see that JA3 always gets changed after refresh, but not sure what JA3 is. Why is it always different, and is it good or bad?
Modern browsers randomise parts of the handshake, which results in an unstable ja3. ja4 and others normalize the relevant details to make the fingerprint constant again.
How effective is it at "un-anonymizing" me? I value privacy. What do you think I can do about "any" of this?
It tends to identify your platform/browser version, with relatively low granularity. Unless you have an unusually rare OS/browser config, it won't deanon you on on its own. But it can be combined with other fingerprinting vectors.
JA3/JA4 are useless now.

At best they identify the family of browser, and spoofing it is table stakes for bad actors. https://github.com/lwthiker/curl-impersonate

Slight correction: Spoofing it is table stakes for ever so slightly capable actors.

These will still help against the masses of dumb actors flooding your stuff.

What’s ja3?
Here you go: https://developers.cloudflare.com/bots/additional-configurat...

It's a better explanation that I can provide.

Oh! Now I wonder, if crowdsec could issue bans based on that
  • zkmon
  • ·
  • 1 day ago
  • ·
  • [ - ]
I'm sure it's a privacy issue. But how does this browser fingerprinting harm the user? Maybe it can work like a session cookie used for correlating across different requests from the same user. What's the damage here?
  • ghxst
  • ·
  • 1 day ago
  • ·
  • [ - ]
Browser data points can make it easy to identify a browser or in some cases even a specific machine, but that doesn’t necessarily equate to identifying a user. What frustrates me is that it takes a service I trusted with my personal data to be the one that attaches an identifier to those metrics. The best practice for privacy is to always keep profiles and identities separated, rotate P.O. boxes, email addresses, phone numbers, and payment methods so that when someone identifies your browser or device, the accuracy of linking it to you stays low. Of course, this approach comes with its own problems...
Useful site to see what info your browser is giving out:

https://amiunique.org/

To extend the closing remarks from a SIGINT perspective, sure some fingerprints are non unique and short lived, have little data. But hang onto it long enough and sure enough some slower data from another band might eventually correlate it with something else.

The last time I looked at this seriously I was trying to find out how much fidelity (if it was possible at all) was necessary to identify someone by their mouse and keyboard input.

It's not just what you do but how you do it.

you're all running chrome signed into google with 47 extensions and complaining about privacy. the call is coming from inside the house
Stupid question but what happens to fingerprinting if you just disabled JavaScript? Sure it breaks websites, but that's what I do with ubo advanced, which I also use to block webrtc, etc. (I really miss umatrix for this purpose). Am I fingerprinted because a site can't run JavaScript? If I use a VPN too?
Yeah. You are fingerprinted if you disable JS and/or use a VPN. Read the article for more info.
I did but I don't think I understand how it's that bad, random IP address with JavaScript disabled is 2 data points that can't, as far as I can see, be really helpful in identifying me. Seems like you're fingerprinted anyway so the less you give the better...
Just having JS disabled narrows you down by a lot. Yeah, fingerprinters can't use a lot of their more sophisticated techniques, but they still have a lot to work with as I understand it. I'm no expert though.
yeahh. For me technically it does not make sense for "privacy friendly" web analytics to rely on fingerprinting techniques because the common sentiment seems to be that cookies are bad. At least cookies are easily controllable.

Now shameless adverting: of course I present the solution: https://counter.dev

Thanks for the browser recommendations.

I switched to the Mullvad browser. The other recommendation, LibreWolf, provides the following warning on install which scared me away: "Warning: librewolf has been deprecated because it does not pass the macOS Gatekeeper check! It will be disabled on 2026-09-01."

FYI I wouldn’t say that the Mullvad browser is any better at anti-fingerprinting than Librewolf. I always point people to http://fingerprint.com/ so they can see how difficult it is to beat even JS based tracking and this doesn’t even get into the server-side methods (i.e. just fetching a stylesheet) of tracking users.

That’s not to say you shouldn’t use a browser that blocks ads etc but I don’t think people should immediately think that they’re not fingerprintable because they’re running these. There definitely needs to be more discussion on the reality of how much these browsers can “protect” you.

tldr -- it's fine. MacOS Gatekeeper will create warnings about products that are not signed via the apple developer program, which is $99/year librewolf is an open source product, that is very strictly a "community" libre / FOSS project. naturally, having an individual take up notarization assumedly, you are using brew -- brew recently decided to stop supporting / deprecate all casks that does not pass gatekeeper checks, for some reason I cannot fully determine.
Why would I trust any software that doesn’t pass the gatekeeper test? Even if it claims to be “open source” with links to some code repo there is no guarantee the binary blob you are running was built using only that code and nothing else.

Sure even with the gatekeeper test you can’t be sure it’s built against only the claimed code but it does guarantee:

1) the binary hasn’t been modified since it was signed 2) the binary was signed by somebody in possession of the private key 3) there is some measure of identification via Apple on who or what signed the binary 4) somebody was willing to fork over $99 to sign the binary

It’s not perfect security by any means but it is something. Otherwise the binary you are running might as well have come from some sketchy email attachment. And fuck that. Why would I want that on my machine?

I get that the $99 might be a hurdle for “non-organized open source” (ie most open source… doesn’t have a non-profit entity to take up the expense and credential management, etc…)… and there are probably ways apple could make it easier for such “collectives”… but ultimately I’d argue that signed binaries are good for everybody. While imperfect, they provide some form of traceability and accountability.

obviously it’s not a 100% guarantee of being fuckery-free. The private key might have been compromised, the appleid might have been hijacked and the developer program might have been enrolled with stolen credit cards… but it’s still a hurdle to filter out a large swath of low effort nonsense.

You could always just build it yourself from source if you are concerned.
Sure but most people aren’t going to do that. It automatically limits the audience willing to use the software.

This isn’t an easy problem! I’d argue signed binaries are good for everybody… They are good for the end user because it provides some assurance the thing hasn’t been tampered with and provides at least some form of audit history. It’s good for the developers too! It ensures that users are running the binaries the dev intended them to run! It’s good for the platform maker as it reduces the attack surface…

The problem is… getting the keys to sign binaries requires getting a private key! And not just any key but one that been blessed somehow by something that all parties can trust. And trust isn’t a technical problem but a meatspace human some. Apple solves it by requiring the dev to cough up 100USD and probably some other personal information. I have no idea how Ubuntu does it or Microsoft…. But something, somewhere has to bless that signing key.

So for Linux, generally you are installing packages from your distro's repo so they are signed by the repo itself. I would have assumed that it would be the same on Mac with brew/macports/etc signing the code, but from what you are saying I guess not, I don't see why.

Edit: Apparently Brew doesn't sign stuff because they don't trust the code they are being asked to sign. Apparently you can just get brew to build the package locally with `brew install --build-from-source librewolf` though which is useful.

On windows you just need a certificate from a known authority. This will still probably cost you money but you have a lot more options at different price levels. Also that certificate is a widely useful thing rather than an apple dev account which is only useful in the apple walled garden.

  • Y_Y
  • ·
  • 1 day ago
  • ·
  • [ - ]
Sounds like you need to switch OS
The article rants about how turning off JavaScript is actually harmful because it makes you more fingerprintable, then in the same breath recommend switching to an obscure browser nobody else uses?

If you want to avoid being uniquely identifiable stick to Chrome, signed into a Google account, running on a PC from Best Buy.

  • neilv
  • ·
  • 1 day ago
  • ·
  • [ - ]
> Since almost every web browser in the world now supports JavaScript, turning it off as a measure to protect privacy is like going to the shopping mall wearing a ski mask.

I'm going to steal this nice analogy, for when I try to explain this point and some related points.

We’re working on a comprehensive solution here (and could use your help), the Ethical Computing Initiative.

https://aol.codeberg.page/eci/

I have a bit of a different take on browser fingerprinting: I don't want to uniquely identify you as a person so I can serve you ads, or whatever. I want to identify your traffic when you're scraping my content from 2,000 different IP's and 1,000 different user accounts, I can block you or rate limit you without hurting anyone else.

Given the scale of scrapers these days (AI companies with VC money have no problem spinning up thousands of VMs running Chrome), fingerprinting at the browser level is the only realistic option.

(obligatory: my personal opinion, not necessarily my employer's)

seeing projects like https://github.com/jonasstrehle/supercookie kind of fill me with a dread about just how many holes would need to be plugged in the web for "privacy" to be assured, and how that would degrade my experience as an end user
when PayPal tells you that they already know you and don't require you to log in: that's fingerprint.com behind the scenes.

There are pros/cons.

It should be obvious by now that using any free service of scale is being paid for by your interactions which are made more valuable through fingerprinting.

Trying to circumvent that just makes it more expensive for the rest of us.

  • slig
  • ·
  • 1 day ago
  • ·
  • [ - ]
>when PayPal tells you that they already know you and don't require you to log in: that's fingerprint.com behind the scenes.

Why use a third party service when cookies can do exactly that? They load their .js from the same domain they set up a cookie and there's no limitation to read that cookie, correct?

Paypal does what? I'm sometimes nervous I only need 2 factors of authentication. 0FA seems dangerous for financial anything.
We can start by getting rid of (freezing) the User-Agent header. No need to make it easy.
There is no good technical solution here. But the damage could be limited if browsers at least limited entropy somewhat. Stuff like reading back canvas contents should need user approval.

Just make sure it’s sufficiently illegal to keep this info. Find and make big visible examples of fining companies that trade in this info. If a company sells a product that fetches ads based on an ”identifier” their little js snippet computed then just pay them a visit. Fine both them and their customers to the max extent of the gdpr (or equivalent).

  • rcpt
  • ·
  • 1 day ago
  • ·
  • [ - ]
All this and I still need to click on the cookie pop ups like they'll bring the cargo planes to the island.
I’m curious if there is a product like cloudflare’s remote browser isolation that obfuscates it in that way.
How exactly do advertisers take fingerprints and translate that to targeted ads for each user?
A combo of your IP, browser fingerprint plus the fact that you logged in somewhere and that links to your actual name etc. Identify you in isolation is not very useful. It's connecting that identity to another place that's valuable.
  • xnx
  • ·
  • 1 day ago
  • ·
  • [ - ]
The browser history is collected across multiple sites to form a profile. If the user ever enters their email address or logs in, their entire history is deanonymized.
I don't mind advertisers knowing more about me. If they can display ads that are relevant to me, this is a better experience on both sides.

Unfortunately there is no way to tell advertisers, "No, I'm not interested in your product. I never will be. Don't waste your money."

The top offender is Hims. No, I don't have hair loss. I don't want hair loss supplements. I also don't have ED, and I object strongly to ads for that showing up unexpectedly when I'm showing a YouTube video to someone else.

The second top offender is whoever it is (they keep changing their name) who thinks that I need some kind of Christian motivational course to get control of "the P-word". (Their phrase, not mine.) No, I don't have a problem with pornography. I am very rarely interested in it. And when it comes up every few months, I don't feel any guilt about it afterwards. Furthermore I'm an atheist. A Christian motivational course isn't going to work well for me regardless.

Yes, Google does offer a report function, and a block function, for ads. The report function seems to have gotten rid of the unwanted ED ads. The block really doesn't work when the ads are all very similar AI slop that is rotated frequently. Block this ad, and then next unwanted ad from the same source will be coming along soon enough. (The reason why I particularly dislike Hims is that they are more aggressively rotating their ads.)

Relevant/personalised ads doesn't mean ads that benefit you. It's means ads that are better able to extract money from you.

It means that, when you need a new dishwasher, you will never see the actual best dishwasher for you, only dishwashers that are a bit more expensive than you actually need but you will end up buying one of them anyways.

It means that you are more likely to see products you would impulse buy just after you get your paycheck. Or slightly inflated prices on things you usually buy.

It means ads designed to take advantage of addictions to sugar, alcohol, gambling etc

Finding stuff you actually want to buy has never been easier, you can find hundreds of reviews and comparisons instantly. People who opt into personalised ads don't end up being more savvy online shoppers, they just end up buying more junk.

My preferences are based on my understanding of myself.

I do not have those problem addictions. Of course I am going to comparison shop for any large purchases. I am good enough about controlling spending that excess junk isn't one of my problems.

But what I do have a problem with is coming up with creative ideas for people in my life. So, for example, I would have never thought to look for https://www.zazzle.com/cup_equation_love-168099175298227864. But I'm very glad that someone out there knew enough about me to guess that this might be an item that I'd like. And my wife liked the cup a whole lot.

Does this happen often? No. But I'm perfectly happy to pay a premium for a product when an advertiser gets it right.

There are always situations where an advert is useful and we remember those. However, when an advert causes you to spend more than you would, you have no idea it has happened.

Maybe you truly are above the influence of advertising. However, almost no one believes that they are affected by advertising yet clearly almost all of those people are wrong.

I find it safer to assume I am part of the vast majority of people who would be influenced by personalised advertising. Given that online advertising is basically the biggest business in the world, I assume that it would find a way to get money from me.

You do you. If you believe that you are helpless in the face of the temptation of advertising, you should avoid advertising.

But it would be nice if you worked on your listening skills as well.

You gave a list of major evils that consuming advertising leads to. I don't suffer from those evils. Or at least if I do, then I must also in serious denial to be unaware of it.

You also seem to think that I said that I am unaffected by advertising, and it doesn't lead to me spending money. This is a bizarre conclusion given that I said that I am affected by advertising, and I gave an example of where it did lead to me spending money.

But the critical difference is this. You treat advertising as an assault on your mind. Whose job is to enable evil corporations to steal your money. I view advertising as a discovery method. The world is full of innovators coming up with things that they think others may want. They then use advertising as a way to let people know that there is a thing that they may want. I rarely want it. But I'm willing to waste a bit of time on the pitch.

And on the rare occasions that I do get something, I actually enjoy it regularly. That cup I mentioned? I just made tea for my wife, and served it to her in that cup.

We are different people. I have a very different relationship to advertising than you do. The fact that it is different, doesn't mean that I'm wrong to be me.

  • blfr
  • ·
  • 1 day ago
  • ·
  • [ - ]
If you don't mind them knowing but resent the ads, you can just block the ads. You can do dns ad blocking[1], in-browser plugins/extensions[2], finally, patch the apps[3]. Or deploy all of them.

[1] https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#...

[2] https://ublockorigin.com/

[3] https://revanced.app/patches?pkg=com.google.android.youtube

Perhaps you missed that I am willing to deal with ads in general? I am perfectly willing to put up with the annoyance, and like knowing that I am bringing money to the channel that I'm watching. I only want specific advertisers turned off.

A general "show me no ads" solution is not my preference.

  • canyp
  • ·
  • 1 day ago
  • ·
  • [ - ]
That is a loser's proposition. Targeted advertising should be objected to on the grounds that surveillance and manipulation are unethical, it doesn't matter how useful it may or may not be in your personal experience. Them suddenly being more useful wouldn't make them any more ethical.
10 years too late.
How about trying out legal solutions against browser fingerprinting? The European Data Protection Board -- i.e., the union of "GDPR Police" in each EU Member State -- made it clear the fingerprinting violates the ePrivacy Directive.
As someone who used to work on Chrome, I can confirm that browser fingerprinting is indeed a nightmare.

Back in the early days of Privacy Sandbox, before that crashed and burned against the UK CMA not even letting Google remove third-party cookie support [0], there was a lot of optimism about how we were going to completely solve cross-site tracking, even in the face of determined adversaries. This had several ingredients; the biggest ones I can remember are:

1. Remove third-party cookie support 2. Remove unpartitioned storage support 3. IP protection at scale 4. Solving fingerprinting

In the end, well... at least we got 2, which has some security benefits, even if Chrome gave up on 1, 3, and 4, and thus on privacy. Anyway, everyone could tell that 4 was going to be the hardest.

The closest I saw to an overarching plan was the "privacy budget" proposal [1], which would catalogue all the APIs that could be used for fingerprinting, and start breaking them (or hiding them behind a permission prompt, maybe?) if a site used too many of them in a row. I think most people were pretty skeptical of this, and the main person driving it moved off of Chrome in 2022. Mozilla has an analysis suggesting it's impractical at [2]. Some code seems to still exist! [3]

A key prerequisite of the privacy budget proposal was trying to remove passive fingerprinting surfaces in favor of active ones. That involved removing data that is sent to the server automatically, or freezing APIs like `navigator.userAgent` which are assumed infallible, and then trying to replace them with flows like client hints where the server needed to request data, or promise-based APIs which could more clearly fail or even generate a permissions prompt. This was quite an uphill battle, as web developers (both in ad tech and outside) would fight us every step of the way, because it made various APIs less convenient. Elsewhere people have cited one example, of reducing Accept-Language [4]. The other big one was the user agent client hints headers/API [5], which generated whole new genres of trolls on the W3C forums.

As Privacy Sandbox slumped more and more towards its current defeated state, people backed off from the original vision of a brilliant technical solution that worked even in the face of determined adversaries. Instead they retreated to stances like "if we just make it hard enough to fingerprint, it'll be obvious that fingerprinting scripts are doing something wrong, and we can block those scripts"; see e.g. [6]. Maybe that would have worked, I don't know, but it becomes much more of a cat-and-mouse game, e.g. needing to detect bundled or obfuscated scripts.

And now of course it's all over; the ad tech industry, backed by the UK CMA, has won and forced Google to keep third-party cookies forever, and with those in place, there's not really any point in funding the anti-fingerprinting work, so it's getting wound down [7]. The individual engineers and teams are probably still passionate about launching opt-in or Incognito-only privacy protections, but I doubt that align with product plans. I'm sure Google doesn't mind the end result all that much either, as having to migrate the world to privacy-preserving ad tech was going to be a big lift. Now all that eng power can instead focus on AI instead of privacy.

[0]: https://privacysandbox.com/news/privacy-sandbox-next-steps/

[1]: https://github.com/mikewest/privacy-budget

[2]: https://mozilla.github.io/ppa-docs/privacy-budget.pdf

[3]: https://chromium.googlesource.com/chromium/src/+/36dc3642bee...

[4]: https://github.com/explainers-by-googlers/reduce-accept-lang...

[5]: https://developer.mozilla.org/en-US/docs/Web/API/User-Agent_...

[6]: https://privacysandbox.google.com/protections/script-blockin...

[7]: https://privacysandbox.com/news/update-on-plans-for-privacy-...

JavaScript disabling helps a lot, regardless of what author says. It disables most of the tracking attempts, improves security and most of all pages load faster and hardly break if you're just browsing anyway.

The whole article never mentions the gold standard of anti-fingerprinting, Tor Browser. It just shows how shallow the article is when it mentions Mullvad Browser, a fork of TBB, instead of TBB itself! There's also no mention of using an upto-date DNS block list to thwart fingerprinting attempts even more

  • msm_
  • ·
  • 1 day ago
  • ·
  • [ - ]
Yeah, I don't get it. Tor browser alone, with no additional configuration and basic hygiene, is enough to stop any fingerprinting and tracking. The only problem is that it's too private, and tor traffic is often associated with crime, so it's sometimes blocked, notably by cloudflare.

I don't use it for daily browsing, but when I want to search for something I don't want associated with me (for example, health concerns) I just use tor browser and don't worry about tracking.

The Tor Browser won’t effectively stop fingerprinting, if anything it makes you more unique due to the low amount of people worldwide using it, and then you add points of data by using different DNS providers, extensions etc.

The Tor Browser as a privacy measure is likely no better than a normal browser with uBlock if you’re also using it like a “normal” browser, signing into the same accounts you always use etc. My opinion obviously but I dislike people recommending the Tor Browser as a lot of it’s primary benefits are lost if you’re just using it as a daily driver browser.

I always point people to https://fingerprint.com/ to see if their browser can defeat it. Most of the time you can’t without clearing cookies, changing device resolution, change VPN location etc. something the average person can’t/won’t do. Even JS aside there are a ton of different ways to track people based off even just getting server side data when a site’s stylesheet is fetched.

The ignorance and disinformation is off the charts. Do you see "browsing" in my response? It's only for that, you don't login to your real accounts with it. It's only discouraged to use ANY extensions with TBB

> Tor Browser as a privacy measure is likely no better than a normal browser with uBlock

Why tell the whole world how fucking dumb you are? Tor browser has been developing anti-fingerprinting techniques long before you even heard the word being thrown around. 2M+ userbase is enough to hide among and stop fucking complaining. It's a non-profit, people run relays voluntarily and that's the current best way to thwart fingerprinting attempts

  • kuon
  • ·
  • 1 day ago
  • ·
  • [ - ]
It is not really fingerprinting but I realized that ipinfo can place my IP on my house. I guess some stupid phone sent the GPS location. Isn't that supposedly under GDPR in Europe? Can I delete it somehow?
Don’t confuse privacy with anonymity. One is a right in the US, the other is not.
Not trying to be sarcastic; I may be unaware of some relevant legal framework for the US, could you please elaborate which one is a right and how is it enshrined and enforced?
Not American here, but I'm aware of both privacy in mixed forms (privacy act 1974, HIPAA, COPPA, and CCPA in California); as well as anonimity in First Amendment et al since there's case law (IANAL) demonstrating the requirement of anonimity to avoid persecution of free speech.

All of these have limitations and exceptions in a complex legal system. But to issue a blanket statement like the comment above is no really correct - just trying to make a point, I guess

Also not a lawyer but anonymity case law is a mixed bag to best, and more practically speaking very narrowly targeted compared to privacy.
Arguments for both are derived from, but not explicit in, the Bill of Rights. Privacy has broad points of support while anonymity is primarily attributed to the First Amendment, but only in narrow circumstances.
The only way to have privacy in a semi public location, like the Internet, is anonymity.

Ask any celebrity how much privacy they have. They can’t even buy Starbucks without people commenting on how fat their comfy clothes make them look. Because they have no anonymity.

  • uoaei
  • ·
  • 20 hours ago
  • ·
  • [ - ]
It's moderately inconvenient to
  • uoaei
  • ·
  • 42 minutes ago
  • ·
  • [ - ]
oops!
There was just a youtube video of a penetration tester showing a screencap of some hacker: they used something called "octo browser" to act like their target as they used stolen cookies to login as hacked targets.

Seems like we all need to come together and use the same technique to "we are borg, we are browsing your internet as one, tracking is futile"

On the pros of fingerprinting: it's practically the only consistent tool to prevent malicious use in certain usecases, such as app hosting and similar bot protection.

Email validation doesn't work. Ip blocking doesn't work. Captcha? Kind of. Fingerprinting? Very efficient.

  • kkfx
  • ·
  • 1 day ago
  • ·
  • [ - ]
Has anyone ever thought that RSS doesn't have a fingerprint?

Because the sites that still offer feeds, at least those for which a feed makes sense, well, you can read them comfortably via RSS.

Browser fingerprinting has been a thing since at least 2008. Kissmetrics was the first company I heard of that was doing this.
Isn't it forbidden on the EU anyways - thanks to GDPR?
The real problem here is not technical, it's political. None of this should be legal, let alone the basis of companies worth hundreds of billions. This is surveillance capitalism, and is incredibly harmful to society in a multitude of ways. And as long as the owning class is able to dictate what's legal, this injustice will continue.
I mean... I don't give a fuck about fonts, I don't give a fuck about drawing shit to some canvas. Can I not just opt out?

Yes, I know that's ski-mask bla bla bla, but I still don't want my browser to be doing this nonsense.

There's the gemini protocol and gopher.

When I think of all the tracking that goes on, these are becoming more lucrative.

Gemini and Gopher are better than the existing WWW, (although there are others as well, such as Spartan (uses the same file format as Gemini, but it is a different protocol without TLS), Scorpion (my own format, intended to be between Gemini and "WWW as it should be if it was designed better"), and others).

However, you might also want to access HTTP and HTML, and to do so without needing to load fonts, pictures, etc; you might use a web browser that omits many of these features. However, it also can result in some problems; there are a few ways to work around some of these, such as adding your own scripts to handle some services, adding proxy services for handling some services (although some of these can use other protocols such as Gemini), and/or using the HTML/CSS commands in other ways (e.g. using ARIA to decide the formatting rather than using CSS). However, there are other issues, e.g. if the web page you download includes more junk than the actual main text.

>And even though my personal safety and liberty probably aren’t at stake, I don’t want to give any support to the global advertising behemoth, by allowing advertisers access to better information about me.

Giving the surveillance economy access to your habits means making them slightly better informed about everyone. That won't directly endanger you; the SE will just become slightly better informed about how people like you function.

This will enable it to increase the amount of risk faced by some other person that you will never hear of (and vice versa) if any of you is even suspected of endangering the SE, in proportion to the risk to the SE which people like you may hypothetically pose, as quantified by the methods of nepotism-powered pseudoscience.

[dead]
[dead]
When an individual stalks a person without their consent, it is considered unlawful. Why is it ok for websites to do this?

Perhaps what is missing is a criminal law that forbids deliberate non-consensual tracking of a person's activity. Even in public.

Recording someone as you happen to be recording something in public (including CCTV) is not deliberate or targeted towards an individual. But even in public, if someone followed you around tracking what you're doing (even without recording you), that shouldn't be lawful. Public figures and law enforcement activity based on probable cause being the exceptions.

Can anyone think of any reasonable counter-arguments to this?

A counter argument is that stalking in itself, in the US at least, is not unlawful. It becomes unlawful once someone starts threatening another person. So the digital analog would be to allow tracking as long as the site doing the tracking doesn't threaten the people that are being tracked.
You're talking about the law today, and I concede. Why don't we change it so it becomes lawful. No one wants to be stalked, and notwithstanding the exceptions I mentioned, no one should have to endure the harassment. There is no scenario where one person would legitimately have a right or a need to stalk another person (unless financial gain is a legitimate reason).