As the title says. Im trying to migrate towards privacy based choices all around. A VPN has been tough, I cant access some websites and i dont think i could convince my wife to adopt using it. I still use it anyway.
As the title says. Im trying to migrate towards privacy based choices all around. A VPN has been tough, I cant access some websites and i dont think i could convince my wife to adopt using it. I still use it anyway.
So we need a new internet then?
Yes, or atthe very least laws that forbid fingerprinting outright.
A “new internet” wouldn’t really fix this.
For example, if a site wants to display a page, it NEEDS to know how wide your screen is, otherwise the page will just look fucked up because everything will either be so wide it’s past your screen’s width, or so short it’s a narrow bar in the middle.
Same goes for if a site wants to display certain rendered content. It can’t do that without using some form of rendering engine like WebGL (and a “new internet” would still need some kind of engine to have that kind of rendered elements, even if it wasn’t WebGL specifically). Your exact, specific hardware, current program utilization, and minute differences in power usage will ALWAYS produce some form of unique fingerprint. You can use extensions like CanvasBlocker to help with this, but it’s not a guarantee and will break some rendering functionality. Then, the fact your browser blocks these functions is another data point that could track you. The lack of something is just as identifiable as having something as a data point.
Essentially, you can’t have the features of the web without also making it known to a site that your browser supports (or actively doesn’t support) those features. Even a “new internet” or entirely different set of browser and web frameworks wouldn’t remove fingerprinting, it would just mean fingerprinting is done by whatever new methods now exist.
Even if you as a person simply type a given way, you can be identified by your typing styles. For example, I tend to use both “simply” and “for example” a lot more than other people, as you literally just saw. If you tend to use the internet around a given time, your time zone can be inferred. Unless you want technology that fully rewrites everything you say in a standard, robotic tone 100% of the time, and also delays some of your web requests by 12 hours to throw off time fingerprinting, you can’t avoid that.
Try https://coveryourtracks.eff.org/ and it’ll give you a good sense of how many different things could fingerprint you. If you want to block ads, a site can know you block them. If you want to stay logged into ANY website after you close a tab, it’ll know you save cookies, etc.
As someone else mentioned, legal protections are best here, as the largest actors that use these fingerprinting techniques are usually corporate, legally registered entities that run ad networks, and if fingerprinting as a concept can’t be “blocked”, then people’s legal right to do so is your next best option.
Make the site send everything and the device determine what to use.
It’s a little more complicated than that.
Should every request you make to a site require EVERY single language the site is translated in to be sent? That’s many times more bandwidth, and would make your page load speeds tens of times slower by default. If that’s not possible, then they know your language and likely general region.
Want to stay signed in to a website, or have a site remember your settings? You can’t do that without some form of persistent authentication mechanism like a cookie, which can also be used to fingerprint you. If you don’t want that, you’ll have to sign back in to every single website every single time you open a tab for that site.
A site might send all its contents and let your browser format it without revealing its screen size… but what about if the content necessarily has to be different for different screens? A desktop layout for a site won’t work well on mobile, after all.
What about the times you browse? Unless you want some of your page loads to randomly take extra hours to happen just to obscure your time zone, that’s a data point too.
Oh, also no interactive code that sends data back to a server can run because it could be used to fingerprint your device’s general model, OS, and GPU/CPU hardware. Say goodbye to basically all web-based games, file converters, image editors, video players, etc.
Now add in your mouse and keyboard movements, topics of interest, and any data you voluntarily reveal about yourself on any website.
This is why I say this is more a legal problem for prevention than a technical one. Preventing most of this fingerprinting also necessarily means destroying the functionality of the web.
Of course they will be problems if you expect the exact same experience as now. Why can’t a website send everything? Bandwidth really isn’t so much of an issue and neither is latency these days. If that means a website needs to be built leaner and with less stuff, so be it. I don’t see anything you mention as a real blocker.
I think you underestimate how much bandwidth would be required for every single site and piece of web content to be sent in every single language, for every single request. (keep in mind this would also include ALL images with text in them, ALL captions and audio tracks for videos, and entire copies of video content if the contents itself has to be modified, such as on-screen images)
Sites could be slimmer, sure, but that doesn’t change the fact it would be a problem very quickly.
For example, a big problem is that if EVERYONE is using many times more bandwidth, the supply gets constrained for EVERYONE given there’s still a physical limit to how much data can flow through a cable (or internet exchange).
And again, there’s still way more data that could be collected on you that would negate this fingerprinting prevention, even if it was feasible. If you choose to read a particular news site even once, boom, there’s your country or even state/city.
Do we 100X bandwidth usage across the board, spend billions of dollars more every year in perpetuity to handle redundant bandwidth, pay more in server hosting costs to accommodate the extra usage, all just to eliminate ONE data point, or do we just pass some laws against using that data to fingerprint someone?
Then the services reduce what a website does. Neither of us know what that internet looks like but it solves the problem of privacy and I’d want to see what it its like and what innovations emerge to solve the problems you’re mentioning. A new internet is a massive undertaking, why wouldn’t it have lost a of problems needing to be solved? The significance of your criticism is proportional to the significance of the change.
I just think that such a massive undertaking would cost so much, require so much sacrifice, and not even necessarily prevent fingerprinting.
If you don’t want fingerprinting, then you genuinely cannot interact on the internet as yourself. Everything would have to be passed through a filter that makes everyone the same, including their interests, what they talk about, when they use it, and what they choose to consume.
At that point, it’s no different than a network of robots talking to one another while humans play pretend like they’re controlling them.
You cannot eliminate all fingerprinting via technical means alone. Even if you spend the billions and billions of dollars on drastically increased bandwidth and processing power, redesign every web framework from the ground up and brick every internet connected device on earth, bring functionality of all websites to the bare minimum and eliminate some types of sites/content entirely… some of it is just behavior based, which can’t be removed without removing the humans from the equation altogether.
This is why I believe a legal framework is best for fingerprinting protections, and technical measures only when it’s more of a simple data point to eliminate (e.g. if every browser, or most browsers enabled the Do Not Track header, nobody could realistically be identified by if they do or don’t have it on), because the alternative is fundamentally demolishing the ability of anyone to do anything online at a cost that’s even higher than what we spend now for more functionality.