matthewdgreen 2 days ago

This isn't exactly browser fingerprinting (though it may involve browser fingerprinting). But the biggest open question I have right now is: what is Meta doing to get around Apple's iOS privacy protections?

A couple of years ago, Apple launched App Tracking Transparency as a way to reduce tracking across their iOS app ecosystem. People predicted that this would be devastating for companies like Meta and Snap, and it was -- briefly, for Meta. But Meta seems to have rebounded very quickly, maybe Snap not so quickly. The rumor I've heard is that Meta threw every brain they had against the problem of finding new ways to track app users, which presumably involves some similar type of fingerprinting. The revenue success strongly indicates they were successful. But if this is true, nobody has written much about it.

gherkinnn 2 days ago | parent | next [-]

https://news.ycombinator.com/item?id=44169115

They found sneaky ways on Android. There is no way they aren't trying to do so on iOS. One must always assume malice with anything Meta.

dietr1ch 2 days ago | parent | next [-]

It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.

Also, WhatsApp refuses to be usable without giving it Contacts access. I had to use the app, login to the web client, and then I was finally able to type a phone number to start a new chat.

I ended up uninstalling it, but there are plenty of people AND businesses that nowadays mainly or even only use WhatsApp, so it's painful to be on the privacy-first side.

homebrewer 2 days ago | parent | next [-]

If you're on Android, it's an Android API feature, it has nothing to do with WhatsApp and is used by lots of other applications.

https://developers.google.com/identity/sms-retriever/overvie...

dietr1ch 2 days ago | parent [-]

That's nice for the careless user, but without any system request or notification it's impossible for the user to tell whether the app used a workaround or the system just cooperated.

ornornor 2 days ago | parent | prev | next [-]

On iOS this is an OS facility and works for all apps (also for email codes if using Apple Mail on the iPhone).

For WhatsApp, WhatsApp business lets you easily start conversations just by entering any phone number. But yeah it’s still WhatsApp and meta, I personally avoid it as much as I can.

1vuio0pswjnm7 a day ago | parent | prev | next [-]

In testing I did, it is possible to run WhatsApp on Android without access to "Contacts".

For example,

1. Export contacts from the Contact app to a file if it is not a new phone

2. Disable Contacts app

3. Install a different contact database such as OpenContacts from F-Droid or Github

4. Import contacts from the file into OpenContacts

WhatsApp will not import the contacts in the OpenContacts database

Further, no other app will import these contacts either

This solves the "access to contacts" issue

1vuio0pswjnm7 a day ago | parent | next [-]

Never had these software-developer-created issues with landlines.

Xelbair a day ago | parent | prev [-]

The issue is that it shouldn't NEED to be solved by the user in the first place.

pavel_lishin 2 days ago | parent | prev | next [-]

I share your woes regarding WhatsApp; my family overseas uses it, so I have to use it when visiting them, and I also had to do the weird workaround of creating a WhatsApp URL with the destination phone number, then opening it in the browser, and then having it redirect me to the app.

dietr1ch a day ago | parent [-]

Oh, I forgot about this, yeah, you can use the links that webpages post to work around it. Quite annoying though, I think I only used it once.

Here's an example link,

https://api.whatsapp.com/send?phone=5551112233

Klonoar a day ago | parent | prev [-]

> It always freaked me out that WhatsApp found the SMS code sent to verify the phone number without requiring any action from me.

I don't fault you for not trusting Meta - I feel the same.

That said, what you're talking about here is an OS feature nowadays.

metalliqaz 2 days ago | parent | prev [-]

I find it is useful to do so for all corporations.

spease 2 days ago | parent | next [-]

Whose interests corporations act in is not arbitrary, it’s tied to how they make money.

Meta and Google make their money primarily from advertisers, Apple makes money from consumers buying iPhones. One of the upsides to paying for something is that the company is incentivized to keep you paying or get you to pay more.

Something I remind people who buy cheaper Android phones and then complain about ads - the OS development is being subsidized by those ads. From Google’s perspective, securing their revenue stream is the justification for Chrome and Android’s existence. It’s not a purely altruistic move to fund their open source development.

Charts of the revenue stream for some major tech companies:

https://www.visualcapitalist.com/charted-how-does-meta-make-...

https://www.visualcapitalist.com/alphabets-revenue-breakdown...

https://www.visualcapitalist.com/charted-how-apple-makes-its...

https://www.visualcapitalist.com/how-amazon-makes-its-billio...

https://www.visualcapitalist.com/how-microsoft-makes-its-bil...

Older aggregate chart:

https://www.visualcapitalist.com/how-big-tech-makes-their-bi...

kstrauser 2 days ago | parent | prev | next [-]

Sure, but most aren’t able to execute on their evil so effectively.

amelius 2 days ago | parent | prev | next [-]

Apple included?

metalliqaz 2 days ago | parent | next [-]

Yes. Apple is a huge corporation and I feel confident that such an entity would happily harm any person or group of persons in the pursuit of profit.

amelius 2 days ago | parent [-]

Are there any examples?

antiframe 2 days ago | parent | next [-]

I get the impression that Apple would rather have lower hardware manufacturing costs than ensure fair working conditions, as an example of harming people in the pursuit of profit. [1]

Perhaps that's not "bad enough" but I think the general sentiment that corporations value profits over harms to people (especially since they often try to distance themselves by offshoring, etc) applies to Apple as well.

[1]: https://www.bbc.com/news/business-30532463

thenthenthen a day ago | parent | prev | next [-]

They host the data for Chinese customers in a mainland datacenter. Chinese iPhones cannot use eSIMs. Foxconn has nets…

fsflover 2 days ago | parent | prev [-]

https://news.ycombinator.com/item?id=25607386

https://news.ycombinator.com/item?id=43852145

https://news.ycombinator.com/item?id=26644216

https://news.ycombinator.com/item?id=42014588

https://news.ycombinator.com/item?id=41712728

https://news.ycombinator.com/item?id=34299433

https://news.ycombinator.com/item?id=44529061

stronglikedan 2 days ago | parent | prev [-]

Absolutely, if in nothing else but their pricing!

AdamN 2 days ago | parent | prev [-]

Not really. Meta is kind of the most corrupt towards users of the big tech companies imho. All companies want to make a profit but Meta has very few scruples.

Beijinger 2 days ago | parent | prev | next [-]

"But companies found another way to uniquely identify you across different sessions and websites without using cookies or other persistent storage. It’s called web fingerprinting. Fingerprinting is a more sophisticated approach to identify a user among millions of others. It works by studying your web browser and hardware configuration. Many websites use a fingerprinting library to generate a unique ID. This library collects data from multiple JavaScript APIs offered by your web browser. For example, websites can see web browser version, number of CPUs on your device, screen size, number of touchpoints, video/audio codecs, operating system and many other details that you would not want a typical news website to see."

My "rugged" browser for regular browsing has plug-ins that randomize all this data.

rafram 2 days ago | parent | next [-]

This most likely makes you more identifiable, not less, until a critical mass of people are using a browser with the exact same randomness properties.

graemep 2 days ago | parent | next [-]

I can see this as an argument for avoiding unusual properties, but how can they identify you using random properties? Even if it is just one user doing this how can they match the fingerprints?

Also, it's unusual enough that it's unlikely they will bother trying.

rafram 2 days ago | parent [-]

The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.

All of this is overkill anyway unless you actually think you’re up against a determined actor targeting you personally. If you are, they will bother trying.

graemep 2 days ago | parent | next [-]

> The fact that the properties are randomized (and which properties are randomized) identifies the extension that you’re using, and if that extension has like 10 users, that uniquely identifies you across sites.

How do they know they are randomised rather than actual properties?

bigbuppo 2 days ago | parent | prev [-]

Go hang out with people that actually work in marketing and advertising and see if that changes your views.

Beijinger 2 days ago | parent | prev [-]

Yes. It makes me unique. Every visit. If I visit the site 10 times, you have 10 unique IDs.

rafram 2 days ago | parent [-]

And if the site loads 100 iframes, it can figure out the distribution of values that your browser returns, which doesn’t change, and is likely to be close to unique until many people are using the same setup as you.

(Or it can just use properties of the extension like monkey-patched function toString() outputs to identify its users, which, again, narrows it down to a very small group.)

Beijinger 2 days ago | parent [-]

Yes! You are unique among the 4162412 fingerprints in our entire dataset.

Yes! You are unique among the 4162649 fingerprints in our entire dataset.

Two visits...

https://amiunique.org/

rafram 2 days ago | parent [-]

Yeah, you get the exact same results in two separate incognito sessions in stock Chrome. They don't immediately add your fingerprint to their database. (And that site isn't using the state of the art in fingerprinting - check https://fingerprint.com/ for a slightly better indicator.)

Beijinger 2 days ago | parent [-]

https://fingerprint.com/demo/

Yes, fingerprint.com realizes that I am the same visitor. But ONLY IF I access it from the same IP address. This is impressive, but in the end not so much. They claim VPN does not matter for them. It does. Probably one of the last things that makes my browser identifiable.

rafram 2 days ago | parent | next [-]

> Yes, fingerprint.com realizes that I am the same visitor.

QED...

Beijinger 2 days ago | parent [-]

Yes, based on IP address. Great achievement. I change my IP, I am unique again. And they want money for this? Nice try.

miki123211 2 days ago | parent | prev [-]

Haha, that failed spectacularly.

On stock Mac OS Safari (no plugins, no hardened config), I did what they asked and visited their site in incognito mode via a VPN. It gave me a different id, with a message gleefully announcing that "your ID is the same when you're in incognito mode!" It even showed me some supposed visit from a minute ago.

Jesus what a scam.

agoodwinfp 2 days ago | parent [-]

Hi, I work at Fingerprint. Our demo accuracy is actually much lower than in production. You're welcome to try it yourself for free: https://dashboard.fingerprint.com/signup

raxxorraxor a day ago | parent [-]

Please do something constructive with your life, that is also quite free in some instances.

RiverCrochet 2 days ago | parent | prev [-]

what plugins do you use/recommend?

Beijinger 2 days ago | parent [-]

You could try these:

Browser Plugs Fingerprint Privacy Randomizer

Clear URLs

[I don't care about cookies]

Privacy Badger

Random User-Agent Switcher

Temporary Containers

uBlock Origin

Canvas Blocker

NoScript

Font Fingerprint Defender

Not all sites will work with it. For banking and plane ticket booking, I always recommend a separate, but major (e.g. Chrome) browser without any plug-ins.

gruez 2 days ago | parent | next [-]

>Random User-Agent Switcher

Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting. All this does is get you banned/flagged by security vendors, on top of sticking out like a sore thumb.

>Canvas Blocker

>Font Fingerprint Defender

Also easy to detect because randomized values will put you in the bucket of "uses privacy extension" users, which is probably a smaller bucket than whatever hardware profile you're on (e.g. MacBook Pro M3 14").

Beijinger 2 days ago | parent [-]

Maybe.

>>Random User-Agent Switcher

>Don't bother. User agent spoofing is easily detectable and it's trivial to figure out your real user-agent based on js implementation differences or TLS fingerprinting.

JS is blocked by default on my browser.

>Canvas Blocker

>Font Fingerprint Defender

> Also easy to detect because randomized values will put you in the bucket of "uses privacy extension"

Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.

gruez 2 days ago | parent [-]

>JS is blocked by default on my browser.

The major browsers can still be differentiated via default headers and TLS fingerprints, none of which requires js. Moreover if they're inconsistent you'd get flagged with "spoofs user agent", which makes you more identifiable than something like "firefox on mac".

>Hm. How are they going to detect it is randomized? They would have to identify me first again as the same user and then conclude I randomize these values.

Because a given canvas/font metrics value should return the same result given the same graphics hardware/font set. If you randomize the results it basically guarantees that your fingerprint has never been seen before. This might seem like a good thing (because you're randomized every time), but any competent fingerprinting implementation is just going to flag you as "spoofs canvas/font information". The point isn't necessarily to identify you as any particular user, it's to use the fact you're spoofing canvas/font/user-agent to fingerprint you further.
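
Added example (not code from this thread, nor from any extension or fingerprinting vendor): a Node-runnable illustration of the two consistency checks discussed above, the repeated-sampling idea and the monkey-patched `toString()` tell, so that users of randomizing extensions can judge for themselves whether the randomization is a visible signal. Browser APIs such as canvas and font metrics are stood in for by constructed sample data.

```javascript
// Self-check for users of fingerprint-randomizing extensions (constructed
// example; no real browser APIs are touched, so it runs under plain Node).

// Check 1: does a function still look like the browser's own built-in?
// A monkey-patched toDataURL/getContext/measureText stringifies to its JS
// source, whereas a native one stringifies to "function name() { [native code] }".
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  // Call the original Function.prototype.toString directly so that a patched
  // fn.toString cannot answer on the function's behalf.
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Check 2: is an attribute that should be deterministic actually stable?
// The "load 100 iframes" observation amounts to reading the same attribute
// many times: real hardware yields one value, a per-read randomizer yields
// (nearly) all-distinct values, and the gap between the two is the signal.
function classifyAttribute(samples) {
  if (samples.length < 2) return "insufficient";
  const distinct = new Set(samples).size;
  if (distinct === 1) return "stable";
  return distinct > samples.length / 2 ? "randomized" : "noisy";
}

// Constructed stand-ins for what a page would see in a browser.
const realBuiltin = Math.random; // any genuine built-in
const patchedToDataURL = function toDataURL() {
  // Hypothetical extension hook: re-rolls the canvas hash on every call.
  return "data:image/png;base64,RANDOM-" + Math.random();
};

function demo() {
  // Constructed samples: 100 reads of a randomized canvas hash versus
  // 100 reads of a font-metric width that real hardware keeps constant.
  const canvasReads = Array.from({ length: 100 }, () => patchedToDataURL());
  const fontReads = Array.from({ length: 100 }, () => "width=413.27px");
  return {
    builtinLooksNative: isNativeFunction(realBuiltin),      // true
    patchedLooksNative: isNativeFunction(patchedToDataURL), // false: hook is visible
    canvas: classifyAttribute(canvasReads),                 // "randomized"
    font: classifyAttribute(fontReads),                     // "stable"
  };
}

console.log(demo());
```

Note that a bound wrapper (`fn.bind(...)`) also stringifies as native code, so check 1 alone is not conclusive; the thread's point is that the two checks together place the browser in the small "spoofs canvas/font" bucket.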

RiverCrochet 2 days ago | parent | prev [-]

Thanks! IMHO the portable versions of Chrome or Firefox are great when you want a completely separate browser instance.

prasadjoglekar 2 days ago | parent | prev | next [-]

IP addresses are quite static. Most phones and laptops come "home" once a day and get attached to the home IP. Do it for long enough and you can household all the other IPv6s, MACs etc. that are untethered.

gruez 2 days ago | parent | next [-]

>MACs etc. that are untethered.

MAC addresses don't leave the local network, so it's not relevant to web tracking. Moreover it's randomized by default on ios/android so the tracking potential is limited.

eli 2 days ago | parent | prev | next [-]

Apple's iCloud Private Relay seems like it should solve this for iOS.

kytazo 2 days ago | parent | prev [-]

My impression would be the opposite. IPv6s get constantly rotated by most ISPs.

MACs are always randomized, even when connecting to the same network. At least as far as modern devices go.

Am I wrong?

aorloff 2 days ago | parent | next [-]

IPv6 isn't the boogeyman for tracking in general, because so much still relies on IPv4

SpaghettiCthulu 2 days ago | parent | prev | next [-]

Last I heard, the default on Android was to randomize MAC address across networks but keep them static for each network.

homebrewer 2 days ago | parent [-]

It's actually well documented. What you're describing is the default (mostly), but it's more complicated than that.

Proper randomization can be enabled through the developer settings.

https://source.android.com/docs/core/connect/wifi-mac-random...

vel0city 2 days ago | parent | prev [-]

> IPv6s get constantly rotated by most ISPs

I've had the same prefix for five years now.

And yeah, sure, my device cycles through ephemeral IPv6 addresses often, but always within the same prefix.

Group IPs somewhere between /64s and /56 and you'll essentially get a household identity, at least for a few days to a few years.

kstrauser 2 days ago | parent [-]

Yep. The addresses in an IPv6 /56 or so are about the same as an IPv4 address as far as identifying a single location.

Hilift 2 days ago | parent | prev | next [-]

> what is Meta doing to get around Apple's iOS privacy protections?

Money always finds a way. Everyone thought the changes made a few years ago would hurt Meta but they make $70 billion net profit. At a minimum, they only need a good relationship with advertisers, and a (sort of measurable) increase from a campaign. Also ads are different now. One address may see the same five seconds of an ad hundreds of times. That is a much easier ecosystem to correlate targets through data enrichment.

0cf8612b2e1e 2 days ago | parent [-]

Let’s pretend that the Apple restriction is 100% effective: how much impact would you expect to Meta’s bottom line? Sure, Meta would love to know every spicy detail of your life, but just following in-app activity probably reveals more than enough to sway advertisers.

Meta hoovers up every detail because they can. Knowing that user #7227724 spends 23 minutes a day in Spotify might make the ad targeting 0.4% more accurate, but does not seem like the lynchpin for the entire business.

dec0dedab0de 2 days ago | parent | prev | next [-]

probably just ignored them. Aren't those privacy protections basically you saying "pretty please don't track me?"

tagraves 2 days ago | parent | next [-]

Not on iOS, as I understand it. If you "Ask app not to track" on iOS then the app cannot access your IDFA, which was the ID that previously was used to track a device across apps.

willis936 2 days ago | parent | prev | next [-]

If we're exploring the space of "they're lying", wouldn't a simpler explanation be that they're lying about their revenue?

pc86 2 days ago | parent | next [-]

The consequences for lying about revenue as a public company are many orders of magnitude worse than lying about compliance with some private contract or TOS.

PenguinCoder 2 days ago | parent [-]

Mess with someone's personal privacy, non-issue. Mess with investors' money, instant problem. Money is more important than people, to these groups.

cr125rider 2 days ago | parent | prev [-]

No. The SEC gets very grumpy with public companies if they do that.

rafram 2 days ago | parent | prev [-]

You're confusing IDFA with Do Not Track.

resource_waste 2 days ago | parent | prev [-]

>what is Meta doing to get around Apple's iOS privacy protections?

A strong relationship to Apple and cross-value marketing.

Surely these rules only apply to middle sized and smaller companies. We've seen Apple get caught bending the rules for big players, even if they don't admit it.