Sanzig 2 days ago

Browser fingerprinting is one of those things that should be outright illegal - it is far more of a threat than tracking cookies ever were. But it hasn't permeated the public consciousness like cookies have, so regulators seem to ignore it.

patrickmay 2 days ago

This is a technical problem, not a legal one. The solution is for browsers to provide users with the ability to limit the information being sent. There's no need for the vast majority of websites to know my OS, number of CPUs, screen or window size, or most of the other fingerprinting metrics.

Sanzig 2 days ago

I think it's both. It wasn't a problem when browsers were simple content display engines, but now that they are full VMs for application software, they need some of that capability just to function. FWIW, I think this was a mistake, but the genie is out of the bottle.

I suppose one technical mitigation might be a permissions dialog when a script requests access to a high-risk API like canvas or WebGL. But that's unfortunately something that won't work for most users, who will just click through the dialog.

istjohn 2 days ago

I'm loath to suggest it, but perhaps LLMs could help here? Once local LLMs are a couple orders of magnitude better and resource efficient, a user agent LLM could decide what features are actually needed for each page.

codingminds 2 days ago

Until the LLM learned that Cloudflare and friends will bomb you with Captchas until you allow all features again.

kennywinker 2 days ago

Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.

Not to mention the big players on the users’ team in the technical arms race (Google, MS, Apple) are also advertising companies.

By all means let’s solve it from the technical side - but also let’s regulate privacy so everyone gets it, not just people paranoid/technical enough to use the latest/best privacy respecting tools.

Aurornis 2 days ago

> Making it a technical problem means it’s an arms race forever. Making it a regulation problem, if done right, can simply end the arms race.

“If done right” is doing a lot of work in that sentence.

The way hypothetical regulation is spoken of in abstract terms where it’s perfect, solves everything, and everyone complies perfectly is at odds with how regulation works in the real world.

kennywinker 2 days ago

I agree entirely, but I think that’s a problem because gov is captured by corporate interests / neoliberal ideas.

They try to balance keeping corporate donors happy with keeping people happy, and create regulations that are toothless empty gestures that only serve as employment opportunities for lawyers and consultants.

So yes, “if done right” is doing a lot of work. But I refuse to cede gov to the corps and retreat to anarcho-capitalist ideas like “this is a technical problem”. We attack on all fronts - regulation and technological solutions.

raxxorraxor a day ago

This information can be relevant for a site that needs to know your capabilities. No need to render some canvas if your client is a text browser.

It isn't trivial to craft legislation to separate these use cases, but it also is far from impossible if there were political will to do it.

I think the latter is far more interested in surveillance of users where tracking is one building block.

And of course legislation is needed to criminalize tracking without user consent. It would just be an internet stalking law being applied.

rsync 2 days ago

… which is why it is so frustrating (and damning) that Firefox does not make it simple to block all of these measurements.

To whatever degree this is, indeed, a technical problem. There’s a simple choke point that is being intentionally unutilized.

grishka 2 days ago

It can't be made entirely illegal so IMO a better way would be to remove or restrict the APIs that fingerprinting scripts abuse. Make browsers hypertext viewers again!

thrance 2 days ago

Why can't it be made illegal? And from the article, a very succinct explanation as to why browsers will never be fingerprint-resilient:

> Chromium (Chrome) is built by Google, an advertisement company which tracks its users for showing relevant ads. So naturally it doesn’t have any inbuilt protection against fingerprinting.

quantas 2 days ago

Even if they make it illegal, it won't stop bad actors, especially from foreign countries, from abusing stuff like this. It's better to build better systems that fix this issue instead of relying on government laws.

You could compare it to the concept of security by obscurity which is obviously bad.

fsflover 2 days ago

It's already illegal in Europe: https://news.ycombinator.com/item?id=44670345

bee_rider 2 days ago

It should be illegal, but we also need technical prevention of it, because the internet is global and goes through too many jurisdictions to really regulate.

Plus, fingerprinting tech would get developed for criminal organizations or intelligence agencies anyway.

Szpadel 2 days ago

There are some more or less legit causes for fingerprinting, like bot protection or identifying scammers that just create another account when the previous one is banned.

Whether this is justified is of course subjective.

ryandrake 2 days ago

Somewhat off topic, but I think calling something "more or less legit" is a form of justifying it.

amelius 2 days ago

We need regulators with more balls. And more brains. This privacy theater is becoming very painful to watch.

t0lo 2 days ago

People with ideas are a dying breed. The west doesn't have a fraction of the idealism of the 80s and 90s.

Yeul 2 days ago

Those people all sold out and now live in California mansions.

rimbo789 2 days ago

Good: that naive idealism led us down some very stupid paths

t0lo a day ago

You ready to see what a world without naive idealism has in store for us?

Lord-Jobo 2 days ago

The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.

In fact, doing so will oftentimes end up bringing donations from relevant industries directly to your opponent.

Now, this system of perverse incentive and legal bribery should be fixed at the constitutional level but that's a gigantic can of worms.

In the current system there are two methods that can circumvent the issue. The first is one deployed by the likes of Elizabeth Warren: run your campaign on a broad array of "fighting for your constituents" and don't get specific until you are already elected and drafting a bill.

The second path is underutilized and should be done more: lie out your ass to the moneyed interests. Take their money, make them promises, eat at their fancy dinners, befriend them, laugh at their awful jokes. Then just fucking dunk on them in the legislature, as quietly as possible. Make a big show of being forced to, keep the charade going as long as possible.

The inverse of this has been done a lot recently, with Sinema, with Fetterman. But the good version is quite rare, and a good opportunity to make our country a better place.

Key notes: tough to do in bigger positions because they're rarely the first public office seats people hold, so track records build. Tough to do in many districts because voters can be rubes who actively agree with the corporations stomping on their nards. Tough to do if you make too large of a profile (not really a concern).

jancsika 2 days ago

> The core issue is that politically you gain nearly no votes and definitely no money by running with regulation as a pillar of your campaign.

Proof of Domain Expertise: Name the famous presidential campaign which focused directly on combating "this system of perverse incentive and legal bribery" as its core campaign message.

Edit: Hint: primary, lots of votes, lots of money

MD5 of answer: 1c02462874398d776ff28aeed2d056b1

bugsMarathon88 2 days ago

The Internet is a war zone: demanding made up rules for behavior online is as ineffectual as pleading for peace with the enemy during battle. Strap on a helmet if you're shell-shocked.

chpatrick 2 days ago

Seems almost impossible to police though.

tonyedgecombe 2 days ago


Yes, it’s probably worse to have unenforced regulations than no regulations.

Sanzig 2 days ago

Since fingerprinting is mostly client side, it should be detectable. If you serve a web page with a fingerprinting script, that should be an automatic big fine.

MontyCarloHall 2 days ago

Sites would then avoid running purpose-built fingerprint scripts and collect fingerprint metrics as a side-effect of necessary activities. Lots of sites need to know window/screen size, DPI, installed fonts, timezone/locale, etc. as a matter of being able to function properly. It would be impossible to know whether a site is also using this information to fingerprint users.

The unsolvable problem is that modern websites are not simply documents but rather full-blown software with web browsers their runtime environments, and you simply cannot enable that amount of power without also enabling the power to fingerprint that runtime environment and thus fingerprint the user.
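
Added example, not part of any comment in this thread: a small read-audit that makes the detection argument above concrete. It instruments stand-in `navigator` and `screen` objects, records which attributes a script reads, and applies a hypothetical "four or more attributes" rule; the environment values, both scripts and the threshold are constructed assumptions.

```javascript
// Constructed stand-ins for the browser objects; values are sample data.
const SAMPLE_ENV = {
  navigator: { platform: 'Linux x86_64', hardwareConcurrency: 8, language: 'en-GB' },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
};

// Wrap one object so every property read is recorded as "object.property".
function watch(name, target, reads) {
  return new Proxy(target, {
    get(obj, prop, receiver) {
      if (typeof prop === 'string') reads.add(`${name}.${prop}`);
      return Reflect.get(obj, prop, receiver);
    },
  });
}

// Run a script (a function taking {navigator, screen}) against instrumented
// objects and return the sorted list of attributes it read.
function auditReads(script, env = SAMPLE_ENV) {
  const reads = new Set();
  const instrumented = {};
  for (const [name, obj] of Object.entries(env)) {
    instrumented[name] = watch(name, obj, reads);
  }
  script(instrumented);
  return [...reads].sort();
}

// Hypothetical policy: flag any script reading `threshold` or more attributes.
function looksLikeFingerprinting(script, threshold = 4) {
  return auditReads(script).length >= threshold;
}

// Constructed script A: ordinary site function (layout, locale formatting).
function responsiveLayout({ navigator, screen }) {
  const compact = screen.width < 768 || screen.height < 500;
  const lowPower = navigator.hardwareConcurrency <= 2;
  return { compact, lowPower, locale: navigator.language };
}

// Constructed script B: joins the same values into one identifier-like string.
function combineIntoId({ navigator, screen }) {
  return [screen.width, screen.height, navigator.hardwareConcurrency,
          navigator.language].join('|');
}
```

Both scripts produce the same read set and both trip the rule, so an audit of client-side reads alone cannot tell site function from identification; what differs is what happens to the values afterwards, which this audit does not see.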

troupo 2 days ago

Or... You could read GDPR and realize that "cookie dialogs" were never about cookies: https://news.ycombinator.com/item?id=44670345

Sanzig 2 days ago

TIL, thanks! The usual convention of calling them "cookie dialogues" sure obfuscates that.

dylnuge 2 days ago

Which is a very intentional (and successful) marketing ploy by companies to get users to not care about them. It sounds like a boring technical thing instead of "we need your permission to let massive advertising networks track you around the internet" (consent isn't needed for site functionality; you can use cookies and never mention it if you don't use them for tracking).

Unfortunately this is a challenge with regulation; companies find a way to break the spirit of it as much as possible while following the letter. It's better that companies need consent to track us than not, but consent managers are dark patterns designed to deeply annoy us at the prospect of saying no.

aniviacat 2 days ago

So does that mean that fingerprint.com, which records your fingerprint without asking for your consent, is operating illegally?

eagleal 2 days ago

Without permission yes, if it stores it (but that would probably just be client-side).

If it stores it and uses it for matters different than what was explicitly advertised when you consented to it, then yes it's even worse.

edit: just saw that's a service they resell. So yeah it is against GDPR.

troupo 2 days ago

Good question :)

I think if it's all client-side, not logged or retained, and is not transmitted to third parties, it should be fine.

IANAL

9dev 2 days ago

Yes, almost certainly so. You did not consent, they have no legitimate interest to track you, and you were never informed about the what and why in plain language.

The GDPR isn’t the complex legislation monster people make it out to be, but for the most part common sense about handling sensitive data.