Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update!: Browser fingerprinting overview #2119

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

jonaharagon
Copy link
Member

Changes proposed in this PR:

  • Add fingerprinting overview page

Please do not add any suggestions or reviews correcting grammar or wording until this PR is undrafted, it will only waste time. This draft PR is only open to accept suggestions about what information needs to be incorporated on this page.

  • I have disclosed any relevant conflicts of interest in my post.
  • I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
  • I am the sole author of this work.
  • I agree to the Community Code of Conduct.

@jonaharagon jonaharagon added c:browsers browsers, add-ons, and related topics c:guides full-length guides and content labels Apr 8, 2023
@jonaharagon jonaharagon force-pushed the jonaharagon/fingerprinting branch from 1a3e9cb to 285f9bb Compare April 8, 2023 18:33
@netlify

This comment was marked as duplicate.

@netlify

This comment was marked as outdated.

@ghost

This comment was marked as off-topic.

@jermanuts

This comment was marked as off-topic.

@privacyguides privacyguides locked as off-topic and limited conversation to collaborators Apr 12, 2023
@jonaharagon

This comment was marked as resolved.

@jonaharagon jonaharagon force-pushed the main branch 9 times, most recently from 0a94f3f to d80af39 Compare April 11, 2024 17:36
@jonaharagon jonaharagon self-assigned this May 22, 2024
@jonaharagon jonaharagon force-pushed the jonaharagon/fingerprinting branch from 70077b7 to a9ab3b3 Compare May 24, 2024 06:51
@privacyguides privacyguides unlocked this conversation May 24, 2024
Copy link

github-actions bot commented May 24, 2024

Your preview is ready!

Name Link
🔨 Latest commit e81b8ac
😎 Preview https://2119--glowing-salamander-8d7127.netlify.app/

@jonaharagon
Copy link
Member Author

I originally wanted to write more about this topic, but I think adding this basic overview now will be good, and it can maybe be expanded on later.

@jonaharagon jonaharagon marked this pull request as ready for review May 24, 2024 07:23
@jonaharagon jonaharagon requested a review from dngray May 24, 2024 07:23
Copy link
Member

@redoomed1 redoomed1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two grammar suggestions.

Otherwise, this is an excellent overview! Linking to the Arkenfox wiki for further reading is a wise choice too. I also found their GitHub issues tracker to be a useful resource.


Many non-experts will claim that using Firefox or enabling its fingerprinting resistance preferences will make you *more* unique, give you *less* privacy, and make you "stand out in the crowd." However, if you instead do nothing at all then your browser will *already* be uniquely identifiable. Thus, the "crowd" of Google Chrome or Safari users these people will claim exists in fact does not, because you can't blend in to a crowd filled with completely unique browsers. A [study](https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/cross-browser-fingerprinting-os-and-hardware-level-features/) published in 2017 demonstrated an approach that could uniquely identify 99.24% of users, without even taking into account their IP address.

==When you are already completely unique, becoming "more unique" is impossible.== In reality, these fingerprint resistance features are generally not meant to make your browser unidentifiable at all, they merely block tracker scripts from collecting certain metrics, which in turn *can* make your browser unidentifiable to certain—but not all—tracking scripts which rely on those metrics.
Copy link
Member

@redoomed1 redoomed1 May 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
==When you are already completely unique, becoming "more unique" is impossible.== In reality, these fingerprint resistance features are generally not meant to make your browser unidentifiable at all, they merely block tracker scripts from collecting certain metrics, which in turn *can* make your browser unidentifiable to certain—but not all—tracking scripts which rely on those metrics.
==When you are already completely unique, becoming "more unique" is impossible.== In reality, these fingerprint resistance features are generally not meant to make your browser unidentifiable at all. They merely block tracker scripts from collecting certain metrics, which in turn *can* make your browser unidentifiable to certain—but not all—tracking scripts which rely on those metrics.

- How fast your computer is[^2]
- And much more...

Some of these metrics are stronger or weaker than others, your browser window size is a weak tracking metric because it is easily changed, while your fonts or timezone are a stronger identifier because they are relatively static, for example. Combined with—or even without—the tracking factors people typically think of, such as your IP address, tracking cookies, and user agent; metrics like these can easily pinpoint particular browsers across the web.
Copy link
Member

@redoomed1 redoomed1 May 24, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Some of these metrics are stronger or weaker than others, your browser window size is a weak tracking metric because it is easily changed, while your fonts or timezone are a stronger identifier because they are relatively static, for example. Combined with—or even without—the tracking factors people typically think of, such as your IP address, tracking cookies, and user agent; metrics like these can easily pinpoint particular browsers across the web.
Some of these metrics are stronger or weaker than others: your browser window size is a weak tracking metric because it is easily changed, while your fonts or timezone are a stronger identifier because they are relatively static, for example. Combined with—or even without—the tracking factors people typically think of, such as your IP address, tracking cookies, and user agent; metrics like these can easily pinpoint particular browsers across the web.


</div>

Many people think their browser fingerprint is a single thing, like your actual fingerprints, a string of characters like `XP2urbkhQIaHyMQYXYv4` that uniquely identifies their browser, and if they can get theirs to match everyone else's they are safe. However, browser fingerprinting actually refers to the broad collection of all the different metrics which websites can use to track you.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might just be me, but the first sentence of this paragraph feels a little awkward to read


Many people think their browser fingerprint is a single thing, like your actual fingerprints, a string of characters like `XP2urbkhQIaHyMQYXYv4` that uniquely identifies their browser, and if they can get theirs to match everyone else's they are safe. However, browser fingerprinting actually refers to the broad collection of all the different metrics which websites can use to track you.

While many websites or fingerprinting scripts do take all those metrics and hash them into a single identifying string with a fingerprinting algorithm, the algorithms and the metrics they use to create that fingerprint varies between different trackers. In other words, just because one fingerprinting test says your browser's fingerprint is non-unique, or randomized, or any certain thing; doesn't necessarily mean that it will be for every other fingerprinting test or tracker out there, because every method of fingerprinting your browser is different.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
While many websites or fingerprinting scripts do take all those metrics and hash them into a single identifying string with a fingerprinting algorithm, the algorithms and the metrics they use to create that fingerprint varies between different trackers. In other words, just because one fingerprinting test says your browser's fingerprint is non-unique, or randomized, or any certain thing; doesn't necessarily mean that it will be for every other fingerprinting test or tracker out there, because every method of fingerprinting your browser is different.
While many websites or fingerprinting scripts do take all those metrics and hash them into a single identifying string with a fingerprinting algorithm, the algorithms and the metrics they use to create that fingerprint vary between different trackers. In other words, just because one fingerprinting test says your browser's fingerprint is non-unique, or randomized, or any certain thing; doesn't necessarily mean that it will be for every other fingerprinting test or tracker out there, because every method of fingerprinting your browser is different.


There are advantages and disadvantages to each of these approaches, and generally they cover distinct threat models, but all approaches ultimately try to make it more difficult for websites to track you across the internet.

[Firefox](../desktop-browsers.md#firefox) out of the box takes the first approach, which is to simply block third-party requests to "companies that are known to participate in fingerprinting." This is the *safest* approach, because it results in almost no website breakage, but it also provides the least protection, because it relies on identifying trackers in advance. It also does little to block first-party tracking. You can generally achieve similar results in any browser with an extension that blocks known trackers, like [uBlock Origin](../browser-extensions.md#ublock-origin).
Copy link
Member

@redoomed1 redoomed1 Jul 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Embedding the link to the blog post from which this excerpt originated

Suggested change
[Firefox](../desktop-browsers.md#firefox) out of the box takes the first approach, which is to simply block third-party requests to "companies that are known to participate in fingerprinting." This is the *safest* approach, because it results in almost no website breakage, but it also provides the least protection, because it relies on identifying trackers in advance. It also does little to block first-party tracking. You can generally achieve similar results in any browser with an extension that blocks known trackers, like [uBlock Origin](../browser-extensions.md#ublock-origin).
[Firefox](../desktop-browsers.md#firefox) out of the box takes the first approach, which is to simply block third-party requests to "companies that are [known](https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting) to participate in fingerprinting." This is the *safest* approach, because it results in almost no website breakage, but it also provides the least protection, because it relies on identifying trackers in advance. It also does little to block first-party tracking. You can generally achieve similar results in any browser with an extension that blocks known trackers, like [uBlock Origin](../browser-extensions.md#ublock-origin).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should probably be a footnote instead.

@jonaharagon jonaharagon changed the title Browser fingerprinting overview update!: Browser fingerprinting overview Aug 2, 2024
@jonaharagon jonaharagon marked this pull request as draft August 2, 2024 03:15
@redoomed1 redoomed1 dismissed their stale review August 29, 2024 16:14

never meant to be a blocker

@privacyguides-bot
Copy link
Collaborator

This pull request has been mentioned on Privacy Guides Community. There might be relevant details there:

https://discuss.privacyguides.net/t/mullvad-browser-fingerprint/22931/17

@privacyguides-bot
Copy link
Collaborator

This pull request has been mentioned on Privacy Guides Community. There might be relevant details there:

https://discuss.privacyguides.net/t/browser-fingerprinting-tracking-overview/12250/10

@privacyguides-bot
Copy link
Collaborator

This pull request has been mentioned on Privacy Guides Community. There might be relevant details there:

https://discuss.privacyguides.net/t/extensions-and-fingerprinting/23394/3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c:browsers browsers, add-ons, and related topics c:guides full-length guides and content
Projects
Status: In progress
Status: Needs Changes
Development

Successfully merging this pull request may close these issues.

4 participants