A few weeks ago, I was using my mothers PC. Google was erroneously in French, and no language chooser available. So I checked. Firefox sent a HTTP header with a Dutch preference. She was logged in with her Google account, which had a Dutch language preference. Some geolocation providers put her in Dutch speaking cities of Belgium. Still, the Google Algorithm had decided she would speak French. Plenty of other sites make similar errors, especially the biggest ones
So I wonder: Why are we sending out all this info. Fingerprinting is the only actual use. The number of sites using it as it should is minimal. Lets just stop giving it. They don't need a list of audio or video devices. They don't need my installed fonts. They don't believe my language settings when I whack them over the head with it. Let's just fill in defaults everywhere. Maybe provide a whitelist for legitimate sites.
Sites preferring geolocation over Accept-Language as a means of picking the language is one of my pet peeves. Preferring geolocation over a logged in user's stored setting is beyond absurd.
With weirdly sticky behavior too once you’ve left that area. My google sign in prompt was in Italian for over a decade after logging in there once on a family vacation. Only with the latest login revamp did that setting finally get purged. Everything else was always english, profile set to english etc.
There's a trend in commercial software where folks keep adding epicycles on epicycles, often based on barely stat-sig wins in A/B tests, to the point of systems becoming completely impenetrable. I bet this was a result of that.
Ha, I even started to receive spam mail in Polish (kind of "we got your webcam, give us money").
They're clearly using the collected data and are subject to the same problems.
Prime video is amazing for this; in Germany but only dubs available? Admit defeat that the orig audio is somehow not available but not even English subtitles?!
With video I think that it’s sometimes a licensing thing. As in, the streaming service licenses subtitles from a third party and the rights are limited to specific countries.
Germany has a very strong culture of dubbing essentially everything. Just finding any showing of a film in its original language at a cinema is very difficult outside of major cities for example.
Agreed. I live in Finland, but my preferred language is English. Many many sites send me Finnish by default, although Google directions will always be in Swedish.
I seem to have to "change results to English" on google searches at least once a week when it forgets which language I've setup and used for the past ten years!
If you set the language to something that isn't the default anywhere, and isn't standard for your country (so for you, English followed by Danish would do) Google seems to respect the preference.
But you add a lot of entropy to the privacy violators.
And geolocation is often wrong. Half of IP locators locate my VPS in one country, a quarter in another country, 1000 miles away, and another quarter in a third country, 1000 miles away from the first two.
Selecting a locale based solely on geolocation is absurd, and the reverse is equally true. Just because you prefer a specific locale doesn't mean you're physically in that country. Unfortunately, I encounter this anti-pattern far too often.
Yeah I live in Spain but don't speak the language so well. It's super frustrating when I get redirected to Spanish versions of sites. Sometimes they even redirect me back to Spanish after I deliberately choose English.
Netflix used to offer Audio and Subtitles in several languages. Now even subtitles the only option I get is Spanish (Latin America)... Like come on, sometimes I want to learn another language, understand the real word behind the sounds.
I may understand Audio, because of Edge location storage costs, but Subtitles... that’s blasphemy.
One time, I set a self-checkout machine to French to immerse myself in French training in Canada. This happened to set the payment terminal to French as well, which must have set a bit in the on-card chip.
Now, all my pay-at-the-pump interactions at gas stations are all in French. A website I was purchasing from flipped to French when I entered my card info. There were a few surprise interactions where my language preference was clearly derived from my bank card setting.
I’m just hoping that being classed as bilingual is doing wonders for my “social” score at some clandestine data clearinghouse.
A while ago a LinkedIn request from a Chinese person hit my inbox. I reluctantly pressed Accept Connection (in the email) only to find out that my LinkedIn language setting had changed to Chinese.
Now, I don't speak or read Chinese and couldn't immediately find a way to change the setting back to English. Could probably find it on the internet but .. Oh well, I don't really use LinkedIn so it's just stayed that way now.
I can understand it if someone's sending out something like a Google Doc collaboration invite, especially to a non-GMail address, the email will be in the Google Docs UI language of the sender. But LinkedIn has your profile with all your preferences!
What next, a colleague shares the link to a location, you open it in your car, and your car UI turns into Chinese?
Why anyone would use Chrome blows my mind a bit. Brave is a superior browser in every single aspect of a browser and as of rn - you do not see ads on the Internet.
Because Brave is just trying to build their own ad-network under the guise of being "privacy" oriented. It is a conflict of interest trying to get profitable selling user data while also claiming to block it. When first installed the their own ad and crypto stuff is enabled-by-default. Then throw in a few nefarious incidents, such as the affiliate link-hijacks a few years ago, and it is hard to trust them.
No browser is safe from capitalistic rot at this point.
Ads in and of themselves don't mean a browser isn't privacy-focused. In fact the most privacy focused one I can think of, Duckduckgo, is monetized by ads. All of Duckduckgo is. They're just not personalized.
I use Ungoogled Chromium (download from Github) that has all the tracking code removed. Only downside is updates are not automatic but otherwise runs flawlessly.
I want everything, everywhere be always in english by default unless I explicitly set another language or there is no english version at all. Even if it's my native language and I'm in my home country
This is one of the main reasons why I use (and pay) for another search engine than Google. It just keeps translating everything it can to the country I’m connecting from. Even results from Reddit go to an automatically translated page.
Google is really bad at handling multilingual users, or even just users that don’t want to use the language of the place they connect from. Now by default Youtube even translates the audio automatically, it’s unbearable.
And I have declared the languages I speak in my Google profile. It doesn’t seem to matter.
You do realize that the fact of paying for any service makes your usage perfectly attributable to real identity, don't you. Something that Google needed to work hard to infer with some level of certainty you actually pay for. And I'd only have so much trust in promises of respecting your privacy given by any business. Everything that can be sold is for sale, event if this meant that it could not longer claim to "do no evil".
Paying for a search engine means that I am the customer, not the product. While you are correct that my data is an asset for Kagi, it is a one shot asset, vs my subscription, which is recurring revenue.
I can look at the privacy policy for Kagi (https://kagi.com/privacy), and see that I am not at risk of having my searches logged or data shared. I trust them because violating that privacy policy puts them at risk of being sued by me, and by any investors in the company.
As you yourself stated: either company is capable of building a profile. One has promised not to do that contractually, and google, more or less, has promised to do exactly that regardless.
You are generalizing. Google and big providers do that, usually (US)services that need to cater to the whole world.
But a huge part of the normal web still uses and _needs_ preferred language. No one wants to be forced to use geolocation.
Just one very common example are info pages for sightseeing, they are usually available in all languages that people commonly visit from and just work if you browse to them. Not to mention that geolocation would be useless anyway in that case.
It would be nice if Google actually used the preferred language. They don't give a shit. I'm still getting maps and other stuff in local language based on IP.
I logged in on deployment in the Middle East, and still have Google randomly swap over to Arabic in search and on YouTube. It has been over a decade and a half (since I was there), and I've never once tried to do any browsing in anything but English. To even drive this incompetence further, I was Navy so I have under two weeks time total of be logged in.
Frankly for a company that's a Spyware company, they sure are incompetent.
So true. It's funny how the article mentioned "privacy enhancing technologies" - how about instead, we get rid of the disgustingly huge quantity of technology devoted to removing our privacy?!
Every browser information leak that can contribute to fingerprinting needs to be plainly considered a security vulnerability in need of fixing/mitigation, period. This class of vulnerabilities has continued to get a huge pass, only being taken seriously by projects like TOR browser and then still only the convenient fixes getting backported.
I do realize this is a tall ask, as many of these vulnerabilities arise from standards promulgated by the surveillance industry itself (chiefly Google, of course), and so are not easily mitigated. For example font lists and ask-to-use-microphone are straightforward to fix for general web browsing, whereas the fix for browser viewport size requires some kind of thoughtful design that subsumes the old model.
In general I'd say that browsers (or at least their operating modes) need to start differentiating into different things for the open [season] web versus app runtimes, so that vulnerability mitigations can be stronger for the open [season] web and sidestep complaints that it disrupts legitimate apps. Of course the two modes need to be indistinguishable by websites, lest every two-bit xitter-summarizing "news" site insists that it's some special snowflake needing app functionality to run its surveillance code.
Also since I'm apparently writing my Christmas list, we desperately need widespread privacy laws in the US. If you want a "value add" feature of your product to be shoving ads in people's faces, fine - people at least get immediate and actionable feedback from that. But persistent tracking supported by pervasive surveillance is completely at odds with individual liberty. And taking away the largest consumer surveillance market would mean much less being invested in new ways to attack users.
I certainly did not mean to imply that every browser fingerprinting vulnerability is due to Google née Doubleclick. What did I say to make you think so?
And from a technical perspective, Accept-language doesn't seem terribly hard to mitigate - exactly one language at a time, and UI that allows a user to easily change to another, as if it's part of the logical URL. It's all the javascript APIs, especially the graphics ones with their loads of weakly-defined behavior, that are especially pernicious.
On mobile, the one I use has a share button that lets you open the comment in a browser and not have to login to the apo, though you miss some customizations like notification on comment replies.
This article doesn’t explain what change Google is supposed to be making and they don’t link to anything that explains it either. (There is a link to what seems to be to a policy change for the ads platform.) Does anyone know what they’re talking about?
Read it more carefully (it is easy to miss). They’re going to start using and allowing third party device fingerprinting throughout their ad ecosystem.
This is obviously illegal in Europe, the UK and California (no consent), and an unnnamed regulator warns that it intends to take action.
>“also giving people the privacy protections they expect.”
My expectation is you don't fucking store any data about me to be used for advertisements/AI/etc and everything is opt-in, period. Where is that option?
OT but anyone else finds it ironic that we had multiple articles telling us how Forbes publishes AI generated articles way outside their expertise and still we're seeing Forbes articles regularly on HN?
Like, I know that apparently this one is a personal blog, but why does anyone even set up a blog at Forbes. Sometimes I wonder about this.
And actually, even when knowing it's a personal blog and me a serious, I cannot really take it serious anymore when seeing the Forbes URL. I am more inclined to skip chapters, to look for AI slop, and to not take the views of the author as independent. Not consciously, but subconsciously.
I don't even bother clicking on Forbes links anymore. Opinion pieces are fine but it seems like Forbes is entirely being used for the legacy of its name to make random blogs sound authoritative and respectable.
Combined with other news story [0] it sure feels like google is switching from trying to comply with regulation & instead doing what they want with a "Well what are you going to do about it?" attitude.
Regulators really need to cut them down to size. Was bad enough during anti-trust era in the US...now we're dealing with multinational entities the size of countries. Can't let that get out of hand or we'll end up living under corporations not governments.
Congress creates, empowers and funds regulatory bodies based on the demands of the people (voters, lobbyists). You either grant licenses to operate within a framework or you have to follow people around scooping up shit and work through the legal system as enforcement mechanisms.
Big tech or big business very much prefers the scoop shit and fight it out in court method as it gives them a huge advantage.
> it sure feels like google is switching from trying to comply with regulation & instead doing what they want with a "Well what are you going to do about it?" attitude.
Which is, depending on your perspective, either terrifying or just stupid.
Right now anti-fingerprinting security is not very high on anyone's minds, but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
It's sort of like the wholesale elimination of privacy as a concept, you might say.
But hence the stupidity! It's too bold a move not to elicit a reaction from developers and users (who have the power to discover just how many bits of information they are leaking about themselves using tools like https://pbtest.org/).
So on one hand I can have websites that offer richer functionality by being aware of my time zone and locally installed fonts, or on the other hand I can have privacy. Hmm, which is worth more?
TIL about Web Audio, an API that allows any web page to find out about the user's sound setup (e.g. channel count and some kind of transfer function of the audio subsystem?) despite there being no legitimate purpose for that.
> Your browser fingerprint appears to be unique among the 183,020 tested in the past 45 days.
Damn how is this possible when I'm using a stock iPhone? I look at the characteristics and apart from timezone and language, how can they tell the same model iPhone apart?
> but remember that your digital fingerprints follow you EVERYWHERE. You can't turn them off or disable them on your side like cookies.
I'm honestly curious, if you don't mind clarifying a bit more. How do your digital fingerprints follow you everywhere without your being able to erase them? This thread goes into device fingerprinting, but if one rigorously changes devices and certain use/account practices, how can they still be tracked so totally?
> if one rigorously changes devices and certain use/account practices
Your account practices will need to include only using an account on one device. Every time you use an account that identifies you on a device, that device can be associated to you; at that point its fingerprint is your fingerprint. Rotating devices faster just adds more devices to your identity.
Tor browser asks you if you want to allow fingerprinting or not when a site attempts to query your HW info. Not sure why other browsers can't do the same.
This isn't new. Most advertising companies have had some sort of "Cross device targeting" or "household targeting" solution for going on almost a decade now. It's also why the suggestion of "repeal GDPR, just use cookie blockers" is so misguided.
Google's philosophy seems to be that intrusive tracking and behavioral advertising are OK as long as they only happen on the user's device.
The result is a worst-of-both-worlds: To an end user, it will still feel as if you're being tracked, with ads following you around, etc, but no worries, your privacy is safe because the advertiser doesn't have access to the data...
The site you're talking to can still read your data, but most third party sites can be cut off. Privacy Badger will let you block Google Tag Manager, and while it warns you that some sites will break, few do.
I don't think there's a universal answer there, it would depend on how accurately they can fingerprint you without GTM. Blocking it does remove an identifier that would make it easier, but blocking it is also a piece of data that could feed into the fingerprinting algorithm.
It would be interesting to purposely feed a bogus GTM cookie though. It might actually throw their tracking and fingerprinting off if somehow you were able to send random GTM tags on every request.
Its not clear to me how much this will help; but based on how tags work, it seems like it should help at least somewhat. I use Privacy Badger on both Firefox on PC and Android and haven't run into any sites that break, other than maybe something like Ticketmaster? I'm sure it makes less of a difference on an Android device, where Google has other hooks to track me, but any little bit helps.
- nowadays (iirc) you can serve/proxy those scripts via your own domain (to circumvent ad blocker blocklists)
- there are limitations re the number of blocking rules in Manifest V3
It’s cat and mouse at this stage, we’re getting to the point where blocking ads will be as hard/annoying as, say, installing 3rd party apps on your iPhone. Too much of a hassle even for fairly techie users
> there are limitations re the number of blocking rules in Manifest V3
Use Firefox. uBlock Origin on Firefox also gets around CNAME cloaking to make advertiser domains appear as first party, which Chrome does not give sufficient access to do that.
It doesn't get around actually serving these endpoints mixed directly in with first party endpoints, but these are a hard sell on the advertising side too, from the technical effort from the publisher to implement it to the advertisers reluctance to trust the stats when the publisher gets to be the man in the middle.
Manifest V3 can even work with unlimited blocking rules and in-page content blocking. Firefox' implementation of it does that. So yeah the fact that Google doesn't makes it very deliberate.
I wonder if at this point an AI-based ad blocker that would actually look at the DOM, or maybe even the image, would be viable.
Obviously, this requires significantly more resources. But it feels like a more productive use of the hardware power that we already have, compared to the most recent Electron monstrosity.
(And yes, this is all kinda silly in a sense that it's an insane amount of effort and resources to spend on, basically, blocking unwanted shouting. Obviously the long-term sustainable option is to just kill ads altogether.)
So, if I use a device that doesn’t support tracking, and they track it anyway, how do they get it to present the “do not sell my personal information” button?
Also, are there any decent plugins that block all of google instead of just the ads? I imagine they’d need to MITM static font assets, etc.
I also wonder if / when this means Google will start fingerprinting and tracking tenants’ customers on GCP.
This works until you start living with someone who gets frustrated by things like sponsored results not working (completely fair, because they are often highly relevant).
I came back home to my parents house this christmas and my parents and my brother complained to my why the Google sponsored links don't work anymore (because I've set their DNS to an adblock DNS).
I couldn't believe what they were saying. Their words didn't make sense to me. I ended up in removing all adblock- and privacy-related settings in our router - it felt like a defeat.
You can set blocking per-device. I have strict blocking for my own devices, super-heavy blocking for IoT and other untrusted devices, and a lighter blocking as default. If they complain, I can disable blocking for them, or even set up a guest VLAN.
Presumably you set your router to intercept all UDP/53 traffic, but remember the whole point of DoH is to prevent that and ensure nothing gets between the advertising surface and the advert source.
That’s why I also block all known DoH IPs. It’s a pretty long list, like 130 IPs. I have an allowlist for devices I don’t want to mess with, like my Pihole or guest devices.
It’s definitely not perfect, but it does de job for now.
What I think is one thing that would be helpful is the ability to define unencrypted proxies for encrypted connections (which is especially useful if the proxy is on the same computer), where the browser does not encrypt the request being sent to the proxy and does not expect an encrypted response; so that the encryption with the server will be handled by the proxy instead. This will save power, as well as allow blocking without needing to encrypt and decrypt the data twice.
We have kernel level anti cheat systems for games. So how about kernel level anti tracking?
Browsers use system calls to provide the information used for fingerprinting the device, so why not intercept these calls and lie. Have all users present an identical fingerprints and we're back to pre google times. Yes, we lose some important functionality, but maybe it's a price worth paying?
Never mind the other elephants in the room that do worse than track your browsing habits...
This page only works on digitally signed supported operating systems. Please consider migrating to a supported system by Microsoft, Apple or an Android device officially supported by Google.
If you're running your workload on someone else's hardware (eg in the cloud) being able to attest it's not being modified is critical. From a companies perspective, when they run their software in the context of a customers hardware, it makes sense that they may similarly wish to ensure the software is running unmodified. This is how games are able to ensure there is no cheating occuring and banks can ensure malware is not tampering with the bank software unbeknownst to their customer. There are obviously ways for this to be use this for more distasteful mechanisms like fingerprinting, but that's not necessarily enough reason to abandon the technology. There are ways to achieve attestation without compromising privacy, but it does require widespread rollout of the attestation mechanism.
The outcome will be that many sites simply refuse to work on any browser that does this. Users will blame the browser for not working and switch to one that is supported. Most people are happy to trade their privacy for convenience - especially since most people don't even realize they are doing it.
The point is that the fingerprint looks like “the generic fingerprint”, blocking that would be pointless, because it’d block a massive number of completely valid users.
It's more complicated than that. You can use subtle differences in hardware and GPU rendering so that syscalls aren't even relevant. And you can never really prevent timing attacks, because you can just use a network request to get the current time from the server.
I've been wondering how hard it would be to make a completely fingerprint-proof browser.
One idea would be to run it in a deterministic emulator. All machine code instructions would be guaranteed to take exactly the same amount of time to execute on every machine, as far as is observable to the browser, and threads would be scheduled in the same order every time. Zero access to the host system through fonts, WebGL etc.
This would mean a massive performance penalty, but modern computers are fast enough that it might be usable for many sites. You could have a small number of discrete speed tiers, where you use the fastest tier that your computer is capable of.
I first read it as a joke, but come to think of it...this would be actually quite awesome for malware isolation and sandboxing. Giving software/apps different fake profiles that look like different identities on the filesystem would be quite the feature.
You would have to have some kind of launcher where you can select the isolated chroot/sandbox you want to run that specific program in.
Implementation-wise this could actually be done with eBPF, as most if not all syscalls can be intercepted and "farbled" (Brave's terminology) there. Features-wise this would probably be a separate filesystem for each program context, plus the things that firejail implements in userspace. Shared libraries would have to be loaded separately into memory, and glibc would have to be changed to not use any environment variables or debugging related function calls.
This is what the Tor Browser is designed to do, and it does it very well (all in userspace no less). The main drawback is that some sites don't render as nicely and occasionally a site simply doesn't work.
The most important anti-tracking feature Tor has other than IP masking is disabling JavaScript by default. That's a complete non-starter for the modern web.
I'm so done with the advertising industry. They will keep trying to follow us. Not even because it works, but because it's Google's the other companies' moat. Only with their pervasive tracking networks can they sell tracked ads.
If there was no tracking, anonymous content sensitive ads would be more popular and thus valuable.
Unfortunately even Mozilla is now trying to appease advertisers with their PPA initiative. I don't want purchases to be attributed.
I will continue blocking all ads forever and circumventing them in other ways possible (like pirating content and using paywall blockers). I'm done trying to fix the system.
And when shit really hits the fan, non- and "wrong"-usage of this stuff will make you a suspect. The Uighurs are a testing ground for total surveillance on- and offline already. Bad times...
I believe Mozilla's funding comes from the search team at Google, not the browser team. (It's nominally compensation for including Google as the default search engine.) If anything, I'd be more concerned about Chrome, since it might be difficult for Google Search to fund Google Chrome to its current levels without raising arm's-length concerns (i.e. "is this a bona fide payment for services rendered?").
good, as long as chrome has such an overwhelming marketshare, reducing its funding sounds like a good idea. the companies that build on chrome can contribute to the funding to keep chrome alive.
So Google's value proposition is to be the central tracking authority that knows who you are and enforces compliance on the advertising industry by keeping your name secret but letting advertisers know that: person x did this and then did that?
I have a script which runs a random browser in incognito mode with a random user agent and a random search website every time I click a shortcut. Then another script changes the DOH dns setting for my connection every hour. Next up I will set a socks proxy setting on each browser via command line params to a ssh connection located in Europe. Oh and I also change my computer name on every logon and have random hw address enabled.