Firefox expands fingerprint protections

(blog.mozilla.org)

200 points | by ptrhvns 5 hours ago

119 comments

  • y-c-o-m-b 4 hours ago

    I exclusively use private browsing, but I know that doesn't do much in preventing tracking, so it's nice to see this finally starting to roll out.

    The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleazy, shady, and predatory come to mind.

    I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.

    • recursive4 an hour ago

      Out of curiosity, how would you steelman the argument that fingerprinting is no different than a store owner, standing behind the counter, taking note of the faces of who enters his store, and maintaining a log?

      • godelski 38 minutes ago

        I'm fairly confident I could sue that store owner for stalking if they were logging every time I entered that store and left, along with all my activities.

        I'm absolutely positive I could if they were getting other store owners to help them track me.

        What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.

        Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why is it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?

        We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.

        • dpoloncsak 13 minutes ago

          Doesn't your (proverbial) Costco membership card track every time you enter and leave the store? Doesn't seem like anyone is suing them...

          Also, if they were logging you specifically, you may have grounds to stand on. But if they're logging every customer that comes in/out (like websites do), I think there is a lot less grounds for a restraining order or anything

          Edit: Found out I'm using 'proverbial' wrong but I think you get the idea either way.

          • ImPostingOnHN a few seconds ago

            > Doesn't your (proverbial) Costco membership card track every time you enter and leave the store

            No (you have to use it at the register for Costco to know you were there),

            and they don't track your every movement in store either,

            and there isn't a standard way to say "I don't want this" which they nonetheless choose to ignore.

      • sudobash1 an hour ago

        To make that analogy closer to the Internet reality, I would say that Internet tracking is more like a cabal of shop-keepers, librarians, neighbors, utility pole workers, and so on who are keeping track of all the faces, all their habits, what they look at, what they say, who they interact with, and share this information amongst themselves, recording it in perpetuity. They also share details with the police and anyone who cares to purchase them.

        When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.

      • AstralStorm an hour ago

        The store owner visibly responds to the customers differently. Fingerprinting is invisible. It's more like the store owner recording everyone on hidden camera.

        So no, you cannot steelman a broken analogy.

      • MichaelNolan an hour ago

        The difference is scale and intent. A mom and pop store owner “remembering” my face versus big tech tracking is like comparing a nosy neighbor to the CIA.

        One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.

      • glenstein an hour ago

        It's automated data processing at scale rather than a local mom and pop country general store. The profit seeking, decision making, management culture driving decisions is a fundamentally different relationship. Also I don't think store owners do that?

        Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.

    • tgv 3 hours ago

      You could try to use profiles instead of private browsing. It keeps things separated.

      • notafox 2 hours ago

        Also profiles can be configured and used with CLI, no need for UI (old or new).

            ./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-path/"
            ./firefox -profile "/home/user/.mozilla/firefox/profile-path/"
        
        And, you can run it directly, no need to launch default firefox profile:

        Given that /usr/bin/firefox is just a shell script, you can

            - create a copy of it, say, /usr/bin/firefox-hn
            - adjust the relevant line, adding the -profile argument
        
        If you use an icon to run firefox (say, /usr/share/applications/firefox.desktop), you'll need to do copy/adjust line for the icon.

        • chimeracoder 8 minutes ago

          > Also profiles can be configured and used with CLI, no need for UI (old or new).

          AFAIK, they can only be created at the command line, not configured. If you want to do things like change default settings or install extensions from the Firefox Add-On store, you can't really do that at the command line.

          You can do that by mucking around in the user.js file and manually adding .xpi files to the extensions/ subfolder, but that's probably stretching the definition of "done at the command-line" since most people aren't creating Puppet modules to manage Firefox profiles.

          Perhaps someone knows an easier way to do this, though.

        • unethical_ban 2 hours ago

          Instead of needing to know scripting for a core feature, it would be nice if I could tell the program to ask me every time I open a new window which profile that window used. Right click would have an option like their containers "opening new profile window".

          • panarky 2 hours ago

            Right-click on the Firefox icon and choose "Open Profile Manager".

            Or add "-p" to the startup command to do the same thing without right-clicking:

                firefox -p

          • skydhash 2 hours ago

            Better if they would allow some configuration like toggling js by domain. uBlock is great, but I would like first party support.

    • floxy 2 hours ago

      Tor? Although I wish there was a way to make a reddit account.

      • godelski an hour ago

        You might want to check out the Mullvad browser. They work with Tor and are based on Firefox. It won't connect you to the Tor network but still

    • mihaaly 34 minutes ago

      I am dreaming for righteous 'small' employees too, those who carry out the dishonourable practice of implementing privacy intrusion following instructions, for money. Corporates are built by thousands of ignorant grey workers.

  • xnx 4 hours ago

    This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.

    • port11 2 hours ago

      There was a commenter some time back showing that browser statistics were easy to skew. Safari and Firefox are less likely to show up in analytics, so website owners think they're less important than they really are. Conflating client-side with server-side analytics showed quite a gap.

      • kube-system an hour ago

        Most of the people who are just looking at browser statistics for the purpose of managing a website are using simple tools that just simply collect data from user agent strings. Determining browser from this isn't 100% straightforward, but it's enough to give website operators a rough idea of what browser to target. This data was more important in the days when everything wasn't Chrome/Android/iOS, and it actually mattered what version of IE your users were running.

        If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.

        But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.

    • firefax 3 hours ago

      >This is a good use of Firefox resources. Unfortunately Firefox is at a natural disadvantage for fingerprinting by virtue of being used by such a small number of users.

      I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]

      [1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...

    • NoboruWataya 4 hours ago

      I often think about this in connection with my user agent. I am sure it helps identify me. If I spoofed a Chrome/Windows UA that would probably be better from a privacy perspective. But if we all do that then web designers will never know that we exist. I want people to know there are Firefox and Linux users out there.

      • kube-system 4 hours ago

        Spoofed UAs are easily detected. And if you are spoofing your UA you are among a very small subset of users.

        • godelski an hour ago

          Easy to detect but companies are lazy. I remember when Netflix first worked for Linux on chrome but not Firefox. I changed my agent and was good to go. After some months I emailed them asking to lift the agent block. They assured me they weren't blocking by agent. I sent them screenshots. They doubled down. So I said ¯\_(ツ)_/¯ and just kept using the agent until they unblocked it

          • kube-system an hour ago

            Absolutely, but the parent was speaking about privacy. Access is a different story, because you can test different user agent strings, and immediately determine whether you get access. By contrast, you can't change a user agent string and readily determine whether or not you've broken someone's ability to track you.

            • godelski 29 minutes ago

              My example of access is just a clearer example of laziness. Maybe they were tracking but it seems unlikely, right? If they were, why not block? Laziness is a much better explanation.

              I can get feedback with access, I can't get feedback with tracking. That's why I mentioned access.

              • kube-system 18 minutes ago

                They probably weren't tracking you, that was probably a case of directing a user toward a supported browser for customer support purposes. I would imagine that was a requirement in somebody's Jira ticket, solved with a few lines of code.

                By contrast, tracking people on the web is a multibillion dollar industry, and there are out of the box commercial libraries that do very sophisticated tracking. None of these solutions rely on user agent string alone.

                The vast majority of websites by count are not doing anything sophisticated. But some are.

    • prism56 4 hours ago

      Interesting. So when you try to resist fingerprinting. If you don't go all the way you're at risk of making your differentiations smaller?

      • kube-system 4 hours ago

        As an oversimplified example:

        If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.

        https://xkcd.com/1105/

        • godelski an hour ago

          Firefox is low on browser count but it's still around 4%[0]. That's enough that there will be lots of collisions. Even a small percent of a very large number is a very large number

          [0] https://radar.cloudflare.com/reports/browser-market-share-20...

          • kube-system an hour ago

            Of course.

            However, if you're trying to search for somebody, and you're able to eliminate 96% of the data, you're in a much better position to accomplish your goal.

            Whether or not you should care about this depends on what kind of tracking threats you're trying to avoid.

            • godelski 31 minutes ago

              I mean yes and no. Raw numbers still matter. It's all about context. If you have a billion visitors and rule out 96% of them, sure, searching 4 million it's easier but it's still such a large number that that alone isn't enough. That's all I'm trying to say.

        • Phelinofist an hour ago

          But if another Firefox user comes they are indistinguishable from each other, while every Chrome user is uniquely identifiable, are they not?

          • kube-system an hour ago

            > if another Firefox user comes they are indistinguishable from each other,

            Even if every Firefox browser gave off the exact same fingerprint, that wouldn't make the network traffic indistinguishable between Firefox users. There is a lot of entropy that is provided by your network stack of your device, the networks you connect to in order to get to the end website, the behavior of your requests, etc.

            Now, most websites aren't doing this kind of analysis. But it isn't unheard of or impossible. There are major websites that are known to do TLS fingerprinting.

  • instagib 3 hours ago

    One thing I found that broke tracking algorithms was the ‘every tab is a new random profile’ extension. I can’t remember the name as I haven’t used it in a while and it broke a lot of logins.

    They could not build a profile on you and it would break their system of tracking user login per device.

  • jrochkind1 an hour ago

    This seems to be the actual list of things it's protecting?

    https://support.mozilla.org/en-US/kb/firefox-protection-agai...

    They are... surprising to me. And as a developer, some of them seem kind of horrible. Altering canvas data, really?

  • yborg 3 hours ago

    In my case the single largest contributor to my fingerprint is ... canvas size. I run full screen with a custom Firefox setup that basically makes my canvas size unique :/ The "protection" Firefox uses for this is to always open a new window at a default size, which does nothing in my case since my toolbar config still makes the canvas size unique.

    It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.

    • Liquix an hour ago

      to defeat canvas size fingerprinting in firefox:

      about:config -> set privacy.resistFingerprinting to true

      about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true

      this will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.

    • HackerThemAll an hour ago

      Now I understand why I'm getting paywall limits even in private browsing :) I use Tree Style Tab, so my canvas is also of unusual size and ratio. I guess I can try making it more narrow or wider to combat that :)

  • nicce 2 hours ago

    Unfortunately, Cloudflare and other protections will keep working even less than they used to. I have started to not use Cloudflare protected websites because they don’t work with Firefox. But that is a fight I am going to lose.

    • jrochkind1 an hour ago

      I'm sorry for whatever problem you've run into, but it's definitely not true that no cloudflare protected websites work with any Firefox. You've run into something more specific, I guess.

    • harshreality 2 hours ago

      Symptoms? Is it limited to when a site has Cloudflare's more aggressive protection turned on? I haven't noticed any problems I've attributed to Cloudflare, and I use Firefox exclusively.

      • CWuestefeld 44 minutes ago

        This matches my experience as well. As a FF user, I very occasionally encounter problems, but these don't seem to be correlated to their using CF protections. Much more often I find sites broken that rely on cloud domains with bad reputations, which my DNS filters block.

        I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.

  • pona-a 10 hours ago

    I wish them the best. When I last tested it on fingerprint.com, the hash remained stable even with resistFingerprinting and letterboxing from a VPN, only changing between profiles. When I daily-drove resistFingerprinting (not reduceFingerprinting that permits exceptions like dark mode) in 2021, my hash changed every restart.

    • Tmpod an hour ago

      Perhaps fingerprint.com has stepped up their detection game and have new heuristics to identify you, thwarting the resistFingerprinting measures.

      My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.

  • cluckindan 4 hours ago

    It’s a bit annoying that Firefox by default breaks all sites that use canvas imageData API. There is no permission for that, so no user-friendly way to ask for consent either.

  • someothherguyy an hour ago

    It would be nice to see Firefox implement a few features browsers like brave have, like being able to automatically clear cookies for a site when leaving it, and to make containers available when in private browsing, ah well.

    • godelski an hour ago

      This is pretty handy and I've been using it for years[0].

      I like the idea of Brave but we have a bigger fight that requires us to have no chromium. Chromium winning is Google winning, allowing them to control the Internet. I don't want that power in any single entity's hands. So I do ask that more people switch to Firefox or Safari as those are the best options to fight back and have decent market shares (even if small). If we lose the internet we'll lose our privacy too

      [0] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

  • tmtvl 20 hours ago

    I'm already using CanvasBlocker, Decentraleyes, and the NoScript Security Suite; but getting more protections will be nice. Even if it may take a while for them to land in Waterfox.

    • hku333 11 hours ago

      You are actually easier to track using these addons.

      By installing Canvasblocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird looking network requests to certain js libs and have JS disabled for some (/all) scripts combined with your general setup (window size, font size, and many other factors that do not even require JS).

      The Tor project explicitly suggests to not install an adblocker for example because of this.
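The anonymity-set arithmetic behind this comment, and behind the 99-Chrome/1-Firefox example earlier in the thread, as an added example that is not part of the original discussion. Both populations, the attribute names and all counts are constructed for illustration; only the 4% Firefox share comes from the thread.

```python
import math
from collections import Counter

# Attribute names are illustrative, not taken from any real fingerprinting library.
ATTRS = ["browser", "canvas", "third_party_js", "window"]


def visitor(browser, window, canvas="readable", third_party_js="loaded"):
    """One visitor as a site observes it."""
    return {"browser": browser, "window": window,
            "canvas": canvas, "third_party_js": third_party_js}


def anonymity_sets(visitors, attributes):
    """Count how many visitors share each combination of attribute values."""
    return Counter(tuple(v[a] for a in attributes) for v in visitors)


def set_size(visitors, attributes, target):
    """Number of visitors (target included) indistinguishable from target."""
    key = tuple(target[a] for a in attributes)
    size = anonymity_sets(visitors, attributes)[key]
    if size == 0:
        raise ValueError("target is not part of this population")
    return size


def surprisal_bits(visitors, attributes, target):
    """Identifying information in bits: log2(population / anonymity set)."""
    return math.log2(len(visitors) / set_size(visitors, attributes, target))


def cumulative_report(visitors, target, attribute_order=ATTRS):
    """Add one observable attribute at a time and record what it costs."""
    rows = []
    for n in range(1, len(attribute_order) + 1):
        attrs = attribute_order[:n]
        rows.append((attrs[-1],
                     set_size(visitors, attrs, target),
                     round(surprisal_bits(visitors, attrs, target), 2)))
    return rows


def small_site():
    """Constructed sample: 99 Chrome visitors and 1 Firefox visitor."""
    chrome = [visitor("Chrome", "1920x1080") for _ in range(99)]
    firefox = visitor("Firefox", "1920x1080")
    return chrome + [firefox], firefox


def large_site():
    """Constructed sample: 1000 visitors, 4% Firefox, a few of them hardened."""
    windows = ["1920x1080", "1536x864", "1366x768", "1440x900"]
    people = [visitor("Chrome", windows[i % 4]) for i in range(960)]
    people += [visitor("Firefox", windows[i % 4]) for i in range(36)]
    # Three Firefox users block canvas reads only.
    people += [visitor("Firefox", windows[i % 4], canvas="blocked")
               for i in range(3)]
    # One also blocks third-party scripts and has an unusual window size.
    target = visitor("Firefox", "1873x1042",
                     canvas="blocked", third_party_js="blocked")
    return people + [target], target


if __name__ == "__main__":
    site, ff = small_site()
    print("small site, browser only: set", set_size(site, ["browser"], ff),
          "/", round(surprisal_bits(site, ["browser"], ff), 2), "bits")
    site, hardened = large_site()
    for attr, size, bits in cumulative_report(site, hardened):
        print(f"+{attr:<15} anonymity set {size:>4}  {bits:>5} bits")
```

The last row of the report does not change because the constructed target is already alone in its set before the window size is considered.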

      • pmontra 2 hours ago

        I more or less use those addons (uMatrix instead of NoScript) plus uBlock Origin. uMatrix doesn't load a large number of JS files. An example from an ecommerce site I'm browsing right now: the site is functional (at least in browsing mode) without the scripts from

            bigcommerce.com
            classyschema.org
            doofinder.com
            elfsightcdn.com
            google.com
            grit.software
            gstatic.com
            hexgator.com
            klarna.com
            skeepers.io
            criteo.com
            googletagmanager.com
        
        It needs only the JS from the first party domain. So they can track me from there but all the other guys don't know about me, unless they buy data from the first party. At least they have to do more work.

        I also don't get advertising in any form, maybe because I don't have ecommerce apps on my phone and I block a lot of things with Blockada, but that's another story.

        • skydhash 2 hours ago

          I don’t really mind first party telemetry. I’m already interacting with the sites, so they can build a nice profile if they want to. But my pet peeves are loads of non functional JS and not having an html render for web content for a non app website.

      • someothherguyy an hour ago

        > (window size, font size, and many other factors that do not even require JS

        Yeah, they require CSS, which you can also block using noscript and other tools, if you want.

        Also, while you might be more "trackable" to those who fingerprint, if you are blocking those cross origin or same origin scripts from loading you are already stopping some of that. You can even blacklist some known hosts completely in your browser's policy settings and prevent those requests from ever reaching their destination.

      • tmtvl 3 hours ago

        Without an ad blocker and JavaScript blocker the average website would be 100GB in size and take several years to load. If I really cared about tracking protection I would just not use the regular internet and stick to Gemini. CanvasBlocker is just because the Tor browser itself has one implemented (source: <https://2019.www.torproject.org/projects/torbrowser/design/#...>) so I figured I might as well.

      • unethical_ban 2 hours ago

        There has to be a happy middle between "no protection" and "complete uniqueness"

        The web without ad blocking is revolting. Browsers building in these features makes them more popular.

        Aside: Fuck the Washington Post. They have a line in their privacy policy that acknowledges the existence of "Do Not Track" flags in browsers. Their acknowledgement: since there is no industry standard for responding to it, they ignore it.

        • kube-system an hour ago

          The actual industry standard for Do Not Track is to ignore it. It is deprecated. The browser we are talking about in this post, Firefox, removed support for Do Not Track in February of this year.

          https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

        • evertedsphere an hour ago

          wow lmao

          > Do Not Track. Some web browsers may transmit a “do-not-track” signal. Because there currently is no industry standard concerning how to treat such signals, the Services currently do not take action in response to do not track signals. We respond to legally recognized browser-based opt out signals such as the Global Privacy Control signal for California residents.

          https://www.washingtonpost.com/privacy-policy/

    • ravenstine 18 hours ago

      How is your browsing experience with that stuff? I used to go nuts with anti-tracking measures, but enough of my browsing experience kept breaking that it just didn't feel worth it.

      • pmontra 2 hours ago

        My experience with uMatrix: most sites work right away. Others require fiddling with the matrix of media, script, xhr, frames and the third parties serving them. After a while it's easy to remember which ones must be temporarily enabled and which ones don't. Sites with videos are a little more difficult. Sites with payments require care. I whitelist the minimum set of scripts that make the sites I use often work. There are usually many scripts that can be left out. If everything fails and it's a one shot site, I start Chrome.

      • tmtvl 7 hours ago

        It's fine. Sometimes I get annoyed by websites which require JavaScript to show static text (apparently HTML is too difficult?) or which block me with a 'please unblock challenges.cloudflare.com to proceed' (that second one seriously pisses me off when I see it on, for example, the website of the Belgian railways), but by and large I'm fine with just saying 'if it breaks I don't need it'. But I handle my e-mail with isync, mu, and mu4e; and as far as I understand e-mail tends to be a sticking point for those who care for their digital rights. I also don't have Xitter or Facebook or any of that nonsense.

        If there's one thing I don't like it's the fact that NoScript doesn't integrate with Multi-Account Containers. It would be neat if instead of having to temporarily allow GitHub JavaScript and re-disable it when I'm done; I could just allow GH JS in a GitHub or Microsoft container and it only being enabled in that container.

        • skydhash 2 hours ago

          Libraries documentation that requires javascript to load is the lowest of the bunch in my opinion.

      • MathMonkeyMan 16 hours ago

        I use LibreWolf at work, and I exempt most internal sites from aggressive anti-tracking stuff, but otherwise it works fine.

  • Bender 4 hours ago

    On the topic of Firefox fingerprinting, how does one edit the NetworkID in about:networking#networkid without creating new profiles or user accounts?

  • 1vuio0pswjnm7 2 hours ago

    The question that I have not seen answered in the many, many forum threads on "browser fingerprinting", is specifically why a user seeks to avoid it

    Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"

    If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes

    I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites

    For me, the "threat model" is (a) internet marketing

    I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.

    I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)

    On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.

    tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers

    FN1. Marketers always seem to require access to DNS

  • Dwedit 18 hours ago

    Adding noise to images sounds like a really bad idea. It will mess with any Javascript code which performs processing on images. Try writing a photo editor in Javascript and watch your browser corrupt your images.

    • zuhsetaqi 13 hours ago

      Like the article says those features can be disabled on a per site basis.

      • Dwedit 7 hours ago

        You are able to toggle these specific named categories:

        * Cookies

        * Tracking Content

        * Cryptominers

        * Known Fingerprinters

        * Suspected Fingerprinters

        But there is no separate toggle for the feature that adds noise to the image, or indication of which toggle would affect that.

  • dmix 4 hours ago

    I use FF and I paid for NYTimes. I was logged in, yet NYTimes constantly flagged my browser with a persistent captcha I couldn't bypass for months (across 2 different machines). It thought I was a bot because of the privacy features. So I cancelled my subscription using my phone.

    • deltoidmaximus 4 hours ago

      Is there a reason to force all these bot checks on logged in accounts that are paying you money other than insanity? Surely you could just have a max monthly bandwidth limit per account and just stop worrying about this?

      • kube-system 3 hours ago

        I don't think there is any value of [x] for the monthly bandwidth usage you could pick that malicious users cannot afford, but legitimate users could not hit.

        • bigbadfeline 3 hours ago

          That's what early warnings are for. It's an easy problem to solve... except by the NYT.

          • kube-system 3 hours ago

            How would a warning fix the problem?

            "Hi, I see you've read [x-y] amount of news of new this month, we're going to cut you off at [x]"

            What's the correct value of x?

            If [x] is greater than or equal to the total amount of news published, then scrapers need one account.

            If [x] is less than the total amount of news published, then you have now made it so legitimate subscribers cannot read all of the news.

            Also, you have made things easier for scrapers, because they can determine how many accounts they need by dividing the total amount by [x].

      • rpdillon 4 hours ago

        The New York Times is like a microcosm of the publishing industry. They seem to spend the majority of their effort on protecting their intellectual property. I'd rather they use those resources to improve their reporting, particularly about technical topics, but alas.

        • kvirani 3 hours ago

          We just don't know from the outside how much revenue they would lose by redirecting that effort though.

          • rpdillon 2 hours ago

            That's fair. I was a little bit sloppy with my previous comment; I was mentally conflating their lawsuits about intellectual property with their dark patterns that prevent people from unsubscribing. I'm not sure if it's still this way, but five years ago they were a nightmare to disentangle yourself from.

            https://news.ycombinator.com/item?id=23235341

            They actually published an op-ed criticizing Amazon for using dark patterns to prevent people from leaving Amazon Prime while they were using those exact same patterns themselves.

            https://www.nirandfar.com/cancel-new-york-times/

      • naIak 3 hours ago

        They probably don’t want you paying once and using that subscription to scrape the website. Which is reasonable.

        • gpvos 3 hours ago

          Again, they have your login cookie and are already tracking what you've seen. Just start captcha'ing after several dozen articles per day.

    • abawany 3 hours ago

      When I used to subscribe to the NYT, I had to block a few of their endpoints to kill the awful popups, etc. This, the further ads for paying subscribers, and a host of other issues led me to drop them as well though.

    • Esophagus4 4 hours ago

      Ha - I thought you were gonna say you switched browsers.

      • dmix 4 hours ago

        I just found a way to bypass the paywall on a web browser when I want to read an article. Which I figured was an easier solution than emailing customer service over a technical matter (never fun).

    • nutjob2 4 hours ago

      Just use Bypass Paywalls Clean. Paying for a subscription is up to you.

      • NoMoreNicksLeft 3 hours ago

        I just open dev tools and look at the file in the network tab. You can read it in the response sub-tab usually.

  • mixmastamyk 2 hours ago

    I'm still unhappy with the user-agent header. I tried removing information but it breaks a number of sites. Would like to leave Linux in there (if feasible so it gets counted) but remove/spoof everything else.

    • kube-system 34 minutes ago

      Breaking websites is about the only thing you're going to accomplish by messing with the UA string. It's a small amount of entropy and anyone who really wants to track you doesn't need it.

  • charcircuit 4 hours ago

    >Having a unique fingerprint means fingerprinters can continuously identify you invisibly

    This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.

    • cjkaminski 3 hours ago

      Agreed. And this technique becomes more effective as the number of people using it increases. It's easy to match up randomized fingerprints if only one person is doing it, but quite hard when thousands or millions are doing it.

      • rolph 3 hours ago

        Don't use randomized fingerprints, spoof actual fingerprints, randomly.

        • kube-system 33 minutes ago

          A good fingerprint algorithm incorporates features and functionality that can't be spoofed because it is necessary for the browser to work correctly.

          You can't just make your browser's APIs give erroneous outputs and still expect the browser's APIs to work.

  • nalekberov 4 hours ago

    Fingerprinting is nearly impossible to resist these days anyways, no matter which techniques Firefox uses to reduce it, and sometimes it actually makes the browser appear more unique.

    Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is to disable it at the source code level and build my own release.

    • vablings 3 hours ago

      I think this is a nihilistic view. The browser ultimately sends only what the webpage requests. If we gut the ability for websites to request large swathes of information such as every supported TLS Cipher suite and also better protections such as GDPR to make it illegal for browsers to track this information unless a user signs up and also not gating information behind said sign-ups

      • philipallstar 3 hours ago

        > and also not gating information behind said sign-ups

        "People should do work for free" isn't very workable.

        • wtallis 2 hours ago

          I don't think there's anything in GDPR or similar laws about disallowing paying for a subscription with money. It's merely about killing the practice of paying with your privacy for something otherwise labeled as "free".

          • philipallstar 2 hours ago

            The quote I gave was the context, not GDPR.

            • wtallis 2 hours ago

              "not gating information behind said sign-ups" was in the context of regulations like GDPR. You twisted that into "People should do work for free" which is not at all the meaning of what you replied to.

      • kube-system 3 hours ago

        >The browser ultimately sends only what the webpage requests.

        You've got 6 layers under your browser before that data is sent -- some of those are useful for fingerprinting. Also, browser behavior and feature sets are not and likely will never be 100% uniform.

        > GDPR to make it illegal for browsers to track this information

        Unfortunately the internet is global and people outside of the reach of those jurisdictions can just exist outside of the reach of those laws. Consider the existing landscape of malicious internet traffic and scams which are already illegal in almost every country -- they are still a widespread problem.

      • nalekberov 3 hours ago

        I couldn't quite catch what you meant, but

        > The browser ultimately sends only what the webpage requests.

        You should do research before making such claims.

  • Fokamul 3 hours ago

    I dev my private fork of browser fingerprinting bypass and I can tell, this is like 1% of what commercial tracking companies use for fingerprinting.

    Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.

    These companies will be actually happy after this change, because even users with uBlock and other plugins will think they're not tracked. Yeah, nope.

    And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.

  • shevy-java 4 hours ago

    I tested Firefox recently. It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible? But it probably requires some time and research; the thing is, I don't need or want this, it just takes away space.

    Then I remembered why I no longer use Firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it Firefox, or Google Chrome killing uBlock Origin. We need to fight back.

    • n4bz0r 3 hours ago

      > It had some AI summary button or something that was new. I instantly wanted to eliminate this from the UI but I don't know how to do that. I guess it is possible?

      Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.

    • glenstein 37 minutes ago

      I feel your pain with the AI stuff, but I think I had one sidebar open one time and I was able to disable it with one click.

    • dzikimarian 39 minutes ago

      You have to click that button and the option to hide is right there.

    • perihelions 4 hours ago

      I agree with your comment, but to resolve the question it's "browser.ml.chat.enabled". A common topic on HN,

      https://hn.algolia.com/?query=browser%20ml%20chat&type=all

    • cowpig 4 hours ago

      I use Firefox because it is better than Chrome, which is the only alternative I see.

      Do you use something else?

      • SoftTalker 3 hours ago

        Almost all "alternative" browsers are Chromium based or Gecko/Firefox based. If there are any that are truly scratch-built other than the text-based browsers such as lynx or w3m I'd be interested to hear about them. I'd guess they are extremely limited in features.

        • II2II 3 hours ago

          The graphical alternatives that I am aware of are extremely limited, such as NetSurf.

      • messe 4 hours ago

        Not the commenter you're replying to, but I've been using LibreWolf for the last few months.

        It's a bit more privacy focused, so may need some tweaking to your liking (by default it won't persist history, zoom levels, cookies, etc.)

      • rpdillon 4 hours ago

        LibreWolf, Iron Fox, and Brave are all worth a look, I think.