I think two things keep the status quo where the end-user is exploited and attacked constantly. The first is the VC / Startup model. Because VC is the true customer, and not the end-user. The second is the current marketing and advertising model. Can it keep working well enough to be worth the money? When it's not, the bottom falls out.

Old business model: solve a problem for your customer, add some value, take home a cut. Current business model: solve investment return for your investors, get the returns by addicting your end-user to something they don't need. Future business model: ?

If you visit my eg. physical clothing store I'm allowed to monitor your in-shop behavior to better optimize my store for your needs. Same for a restaurant etc. That's how _you_ get _much improved services_ and I get _happier customers_.

Ofc I'm not allowed to freaking resell that data. THIS is the problem in online: releseling and data-brokers. Just KILL these categories of businesses off completely and make _them_ criminal (like even give f prison sentences to them).

We should get back to our sanity in ONLINE. As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do, and should stop pretending I don't. As long as I'm not sharing this data with anyone else, I should be 100% allowed to use every drop of this data to improve my services to you and totally differentiate myself from the incompetent competition that can't properly do this.

Data privacy (from EU's GDPR to... everything else) only helps big corporations fend-off competition from small startups or boutique shops that could easily out-compete them by offering hyper-personalized hand tailored micro-optimized experiences for their smaller number of customers based on the loads of data they collect from them.

...we've all been brainwashed by this privacy psyop to sheepishly "fight for our privacy" in ways that are detrimental to us and only help our corporate oligarch overlords maintain an even tighter grip on power, while offering us worse and worse services. Wake the f up, DATA IS MEANT TO BE USED to IMPROVE goods and services, not remain uncollected or sit unused!

My hacker news icon has been stuck as the icon for a weather site that I sometimes check. It’s been stuck that way for close to a year now, and has survived an iOS update too.

It persists across profiles and into private browsing mode.

I have the same, the Youtube icon is the Hacker news icon, and the other way round. I have to assume this is some sort of race condition, data corruption, or something else, and it's quite widespread too given all these reports.

For me the iOS HN icon changes between the reddit and github, depending on which one I've been using the most on my phone recently. This happens on both iOS Safari and Kagi's Orion.

I thought that this was just a bug in iOS but based on the comments in this thread, it seems to be common not only across OSes but browser vendors too (I assume iOS Orion uses the same engine as Safari)

Safari has super long lived favicon caches too. The only way to force a rebuild is to set your system clock forward a few years.

I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.

I get the same bug in Firefox as well sometimes.

I get the wrong for HN in mobile Chrome

This was fixed after we reported it a few years ago while working on the paper.

Look at the Github repo:

- The last update was 2 years ago.

- It says that MS Edge 87 is affected. The current Version of Edge is 142.

This is no longer an issue, but it is interesting thinking about how long the NSA knew about this before the general population did.

Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again ans that put me in the same loop you're having.

make it 2021 actually. After these years, was this fixed?

Tried a similar approach but found that putting the browser in a VM has a tendency to expose a few data points that stand out as less trust worthy which means you end up getting a lot of captchas on some websites (like using swiftshader for renderer, not having some fonts installed, among other things), lying about these can typically be detected as well (like injecting noise into a canvas, modifying the advertised renderer). If you've found any solutions to these please share.

This sounds interesting, do you have this written up anywhere?

Thanks!

Supercookie: Browser Fingerprinting via Favicon - https://news.ycombinator.com/item?id=26051370 - Feb 2021 (81 comments)

Paper author here, here’s a valid link: https://www.cs.uic.edu/~polakis/papers/favicon.pdf

https://supercookie.me/workwise

I guess that you can do fingerprinting with any cached content, but the insane persistency of favicon's cache makes this much more concerning.

Seems like Firefox made changes to address this kind of tracking in version 85.

I got different IDs in regular browsing vs my first incognito window vs my second incognito window.

There is ad money at stake, and it is unfortunately one of the key revenue models in the modern web. I don't know if this particular research was sponsored by ad-tech or if it's preventive, but it shouldn't be generally surprising that this kind of things are heavily researched.

The "supercookie" phenomenon from a few years ago (when this was created) was that despite using private browsing or deleting cookies, the site id remains the same for the same browser.

It could track you between site visits, at a minimum.

If websites can detect that you've disabled favicons, then you are easy to track between all websites because you are very unusual.

Ad networks don’t care. It’s a data leak. Even a few extra bits can be valuable to tag you with a better uid.