Thursday, April 6, 2023

Web Fingerprinting Is Worse Than I Thought

Bitestring (via Hacker News):

But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see.

All of these values are combined to generate a unique ID. Surprisingly, each user’s device and browser specifications differ so much that they get a unique ID among millions.

I did not think web fingerprinting was serious until I came across a company which is actually selling fingerprinting as a service to other websites. I tried their demo and was shocked at how accurate it is. Many ecommerce websites use it because these fingerprinting companies sell it, saying it prevents credit card fraud and increases security of the websites.

Nick Heer:

My visitor ID was stable in Safari after visiting fingerprint.com only in private windows across two separate sessions. This, despite using Safari’s anti-tracking features, having iCloud Private Relay switched on, and using browser extensions which limit what kinds of scripts are able to run in my browser — and, again, accessing it only in private windows. On its homepage, FingerprintJS says the “VisitorID will remain the same for years, even as browsers are upgraded”. It can be, near as makes no difference, a permanent personal identifier.

Update (2023-04-07): Kuba Suder:

There are some tools that let you check how you’re fingerprinted and exactly what data provides how many bits of information / how much uniqueness, e.g.: amiunique.org and coveryourtracks.eff.org.
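The quotes above describe attribute values being combined into a unique ID, and tools that report how many bits of information each attribute contributes. The following added example (not code from the quoted articles or from any fingerprinting product) works that measurement through for a self-audit; the population, attribute names and function names are constructed for illustration.

```javascript
// Constructed sample population (not real visitor data): four attributes of
// the kind the quoted article lists as readable from browser JavaScript APIs.
const ATTRS = ["browser", "cores", "screen", "touch"];
const POPULATION = [
  { browser: "Safari 16",   cores: 8, screen: "1440x900",  touch: 0 },
  { browser: "Safari 16",   cores: 8, screen: "1920x1080", touch: 0 },
  { browser: "Chrome 111",  cores: 8, screen: "1440x900",  touch: 0 },
  { browser: "Chrome 111",  cores: 4, screen: "1920x1080", touch: 0 },
  { browser: "Chrome 111",  cores: 8, screen: "1920x1080", touch: 10 },
  { browser: "Firefox 111", cores: 4, screen: "1440x900",  touch: 0 },
  { browser: "Chrome 111",  cores: 4, screen: "1920x1080", touch: 0 },
  { browser: "Safari 16",   cores: 4, screen: "1440x900",  touch: 5 },
];

// Number of visitors sharing this visitor's value for every listed attribute.
// A size of 1 means those attributes alone single the visitor out.
function anonymitySetSize(population, visitor, attrs) {
  return population.filter(p => attrs.every(a => p[a] === visitor[a])).length;
}

// Identifying information, in bits, revealed by matching on attrs:
// log2(population size / anonymity set size).
function bitsRevealed(population, visitor, attrs) {
  const setSize = anonymitySetSize(population, visitor, attrs);
  return Math.log2(population.length / setSize);
}

// Per-attribute and combined breakdown for one visitor.
function report(population, visitor, attrs = ATTRS) {
  const perAttribute = {};
  for (const a of attrs) {
    perAttribute[a] = bitsRevealed(population, visitor, [a]);
  }
  const anonymitySet = anonymitySetSize(population, visitor, attrs);
  return {
    perAttribute,
    combinedBits: bitsRevealed(population, visitor, attrs),
    anonymitySet,
    unique: anonymitySet === 1,
  };
}

// No single attribute isolates the first visitor, but all four together do.
console.log(report(POPULATION, POPULATION[0]));
// With screen and cores withheld, the same visitor blends in with another.
console.log(anonymitySetSize(POPULATION, POPULATION[0], ["browser", "touch"]));
```

Passing a shorter attribute list models a browser that withholds or standardizes those values, which is how the anonymity set grows.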

6 Comments

A couple of weeks ago the FingerprintJS site was showing more than a dozen sessions for me, which were clearly not mine. Today, from another country, no past sessions were shown at all. Thus, I have serious doubts about the reliability of the service with browsers implementing fingerprinting protections.

Years from now, we'll have to ask ourselves: was the web improved or made worse by JavaScript?

Pierre Lebeaupin

And then people wonder why Safari doesn't just blindly implement whatever new web API Chrome has begun inflicting on the world… Not to say Safari is necessarily doing enough to prevent this yet (the demo shows they aren't), just to say that by carefully reviewing the proposed APIs, Safari has a fighting chance against such fingerprinting services. Chrome clearly doesn't, and neither would Safari if they got goaded into following Chrome.

Note that this includes rejecting the proposed API design if necessary: often APIs leak fingerprinting information not just by implementation, but by design, in that even a careful implementation of the API couldn't help but leak information by documented usage of the API.

@Pierre I feel like this is a straw man. I don’t see people wondering why Safari doesn’t blindly implement every API. They wonder why it takes so long for the ones that already have traction. For the main things that people care about, my impression is that Safari eventually implements them pretty much the same way, which shows that they weren’t delayed over privacy. And then we have results like this that show that the end result is that Safari is fingerprintable, too. And other browsers like Brave that are arguably better on privacy and yet more compatible. So I think the burden of proof is on those claiming that Safari delays are helping privacy. It’s the same thing with energy. People just assume that if there’s a feature Safari doesn’t implement it’s because of battery life—and then Safari does eventually implement it and there’s no evidence presented that the delay led to a much more efficient implementation.

[…] me so much that I was still thinking about it this morning waking up. I’m talking about a post on Michael Tsai’s blog, where he quotes Bitestring’s article: Fingerprinting is worse than I thought. Everything in this […]

Pierre Lebeaupin

I will readily concede that criticism of Safari runs the gamut from NPR's eminently reasonable, experience-backed feedback that Safari ought to correctly implement what it claims to implement at http://blog.apps.npr.org/2021/08/31/joy-generator.html , to completely insane demands.

But that does not mean "lack of platform integration API" criticism of Safari is fringe. For instance, every single instance of criticism of Safari that claims Apple is "crippling" its browser, especially on iOS, in order to prevent the web from competing with native apps implies Safari is lacking APIs to leverage platform features. Do I really need to point out specific examples of such criticism? And every time this criticism is made to specify what kind of API they would like access to, assuming they even bother to do that, it turns out the API (at least at the time) had not made much in the way of standardization, and often was objected to by Firefox too, typically on privacy grounds.

Apple ought to better communicate on their intents. And I too am wary of Apple's warped incentives, especially with regard to its iOS and Mac app stores and the revenue they collect from them, which is why I am looking at web apps as a way to circumvent Gatekeeper. But if the criticism that Apple cripples Safari as a way to prevent competition to the native APIs had any grounds, Safari wouldn't implement "downloading" synthesized files… yet it turns out it does. And I am just as much wary of Google introducing web features with little to no regard for the impact on end user privacy in general and avenues for fingerprinting in particular. Apple ought to better explain how what they are doing (and not doing) protects privacy, but we ought to demand from Google how their new APIs are not ruining our expectations of privacy: even if I am not using Chrome, my correspondents may for instance, and Google (and others…) could learn a lot about me from them.