> But seriously, what is the point of thinking about these things. Who is going to go to such lengths to try to "identify" me.
Nobody's going to very much trouble at all. They're just dumping every characteristic they can gather about you into an AI system, like a Bayesian classifier or a Convolution Neural Net. It doesn't require very much work to take into account clearly discrete data like the set of headers you submit, or the delay between switching pages, or parts of your IP address.
You hear a lot of stuff on HN about how inaccurate AI is, and much of it is true. But for figuring out when the set of HTTP headers correlates with your shopping habits, it should actually do a pretty good job, because it's basically just a matter of finding ways to correlate data together. No need to recognize when it's missing some form of outside context, because it doesn't "fail" or "succeed", it just does "worse" or "better." As long as it does better than a coin flip, it's worth it.
Right now, it's pretty effective to block ads by just not loading them, but there's no universal law that says it will always be that way. That already doesn't work on YouTube, which serves the ads from the same domain as the content, meaning that most ad blockers don't work on it. If ad blocking keeps becoming more popular, tactics like that will become more common. Once the ad serving becomes strictly first-party, relying on JavaScript looks like an increasingly terrible idea, not because of the minuscule number of people blocking JavaScript, but because you can't trust the potentially-malicious client to defend against click fraud.
These replies about "uniqueness" are in response to me disclosing I use a text-only browser or some non-graphical client to access websites. Why should "uniqueness" matter to me. As I said, I am just trying to avoid the annoyances of graphical web browsers. I am successful in doing that.
The majority of web use for me is not shopping. Why should I use the same browser for shopping that I use for recreational web use.
As for YouTube, this has been brought up many times. I cannot speak for other users, but I see zero ads when using YouTube. I search and download videos from the command line. With very few exceptions I never need to use youtube-dl because the signature values are already in the web page. There is no need for a "Javascript video player" to submit HTTP requests. The Javascript-enabled behavioural tracking on the YouTube website is insane. I use tiny shell scripts to search and download. I am aware of "SponsorBlock" which suggests some videos have ads embedded in them however I have never seen such a video. Most videos I watch are non-commercial.
"Click-fraud" is IMO secondary to fraud on the part of Big Tech and Big Tech wannabes who induce advertisers to purchase online advertising knowing, but not adequately disclosing, that it suffers from such inherent technical flaws.
> These replies about "uniqueness" are in response to me disclosing I use a text-only browser or some non-graphical client to access websites.
And your disclosure was in response to a CSS-based fingerprinting demo. If being fingerprinted doesn’t even matter to you, and you use a text-only browser just because you prefer the UX, then why bring it up on this article in the first place?
Because when there is a thread about a demo, and for some users the demo does not work, it is common to see comments that the demo did not work.
Being fingerprinted does matter to me. It is one more reason why the large, complex, graphical browsers supported directly or indirectly by online advertising annoy me. It is nigh impossible for users to control those programs.
As it happens, using a text-only browser, the TCP clients and the use of a proxy to remove headers all make fingerprinting less useful. The fingerprinting techniques used by "tech" companies tend to rely on the features of the large, complex, graphical browsers supported directly or indirectly by online advertising. For example, CSS fingerprinting does not work with a text-only browser doing its own formatting and ignoring CSS. Although this is not the primary reason I use a text-only browser, TCP clients and a proxy, any attempted fingerprint of that setup would indicate a user who cannot see ads. What would be the use of the fingerprint then.
Nobody's going to very much trouble at all. They're just dumping every characteristic they can gather about you into an AI system, like a Bayesian classifier or a Convolution Neural Net. It doesn't require very much work to take into account clearly discrete data like the set of headers you submit, or the delay between switching pages, or parts of your IP address.
You hear a lot of stuff on HN about how inaccurate AI is, and much of it is true. But for figuring out when the set of HTTP headers correlates with your shopping habits, it should actually do a pretty good job, because it's basically just a matter of finding ways to correlate data together. No need to recognize when it's missing some form of outside context, because it doesn't "fail" or "succeed", it just does "worse" or "better." As long as it does better than a coin flip, it's worth it.
Right now, it's pretty effective to block ads by just not loading them, but there's no universal law that says it will always be that way. That already doesn't work on YouTube, which serves the ads from the same domain as the content, meaning that most ad blockers don't work on it. If ad blocking keeps becoming more popular, tactics like that will become more common. Once the ad serving becomes strictly first-party, relying on JavaScript looks like an increasingly terrible idea, not because of the minuscule number of people blocking JavaScript, but because you can't trust the potentially-malicious client to defend against click fraud.