Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
t_mann 2 days ago

Isn't fingerprinting covered by GDPR in a similar way to how cookies are? So in theory you should be able to opt out, at least as an EU user.

bryanrasmussen 2 days ago | parent | next [-]

sure, if they ask you can we track you and you say no they should not fingerprint.

apples_oranges 2 days ago | parent | next [-]

EU (or whoever) could mandate a switch in the browser, when turned on, all identifying apis are disabled. But the IP is still the same, so..

afiori 2 days ago | parent | next [-]

This falls into the same problem as the DNT header, while being a good technology it will be used by so few people that is might very well increase fingerprinting capabilities in some ways.

kennywinker 2 days ago | parent | prev | next [-]

Non-hostile websites use identifying apis for functionality.

Disabling them globally means a broken browsing experience.

troupo 2 days ago | parent | prev [-]

The law has been around for almost 10 years now. If browser vendors wanted, they could have come up with such a switch themselves.

Guess which company is coincidentally is the world's largest advertiser, largest ad broker, largest data tracker and owns world's most popular browser?

AlexandrB 2 days ago | parent | prev [-]

How would you ever find out/enforce this though? With cookies, you can examine the local cookie storage but with fingerprinting everything happens server-side (as I understand).

bryanrasmussen 2 days ago | parent | next [-]

>How would you ever find out/enforce this though?

programmers really have a hard time understanding the law, how does any violation of the law ever get found out, or any law enforced? Generally someone says hey this company is doing X, and then the government gets a warrant to say let us look through your stuff to find out if you are doing X.

As a normal rule most companies work something like:

"excuse me, we have reports you are doing X"

"Not exactly, this is what we are doing - we call it X1, which is why we are totally ok under the rules governing X. Our legal dept. can totally explain"

Court case instantiates.

If the company is doing something that they will actually say "no we are doing nothing of the sort!" then it is likely someone in the company will at some time say "hey they are really doing X" and then the warrant thing I discussed first happens.

At any rate finding out enforcing things can happen without perfect technical access to everything, that's how justice systems have managed to work for centuries.

Sanzig 2 days ago | parent | prev | next [-]

The fingerprint collection happens mostly using client-side JS (a bit of server side with HTTP headers, but the really high entropy stuff is client side).

Conceivably you could develop some sort of heuristic that detects when a script is simultaneously poking at a whole bunch of APIs associated with common fingerprinting techniques (canvas capabilities, WebGL, screen size, installed fonts, etc) and then kill it. But it is certainly much harder than blocking cookies.

mhitza 2 days ago | parent | prev [-]

> with fingerprinting everything happens server-side (as I understand).

It happens client-side. Browser headers sent through for requests aren't enough for fingerprinting.

bryanrasmussen 2 days ago | parent [-]

sure but anyway the data collection is not that important, it is actually the data storage and data deletion parts that are going to make or break a GDPR case.

on edit: better clarify, I mean if you are fingerprinting, but not storing in such a way that you can actually identify someone (although not sure why you would use fingerprinting then) then I don't think there is a case.

troupo 2 days ago | parent | prev [-]

Those obnoxious "cookie" dialogs? Yes, they cover fingerprinting as well. E.g. some innocent company wants to keep your precise geolocation data for 12 years: https://x.com/dmitriid/status/1817122117093056541

Cookie banners were never about cookies or privacy. The industry designed them with some very explicit goals in mind: to force users to opt-in to pervasive tracking, and to blame "how unusable web has become" on GDPR

dmix 2 days ago | parent [-]

Cookie banners were a result of an EU ePrivacy "cookie law" from 2002, 16yrs prior to GDPR and before fingerprinting.

troupo 2 days ago | parent [-]

The current breed of cookie banners is the industry's response to GDPR