this post was submitted on 18 Feb 2025
968 points (99.3% liked)

Technology

63010 readers
3458 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
968
Digital Fingerprinting: Google launched a new era of tracking worse than cookie banners | Tuta (tuta.com)
submitted 3 days ago by misk@sopuli.xyz to c/technology@lemmy.world
235 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Bogasse@lemmy.ml 165 points 3 days ago (8 children)

So I guess for Firefox users it's time to enable the resist fingerprinting option ? https://support.mozilla.org/en-US/kb/resist-fingerprinting

[–] masterofn001@lemmy.ca 85 points 3 days ago* (last edited 3 days ago) (3 children)

You can also use canvas blocker add-on.

Use their containers (firefox multi-account container add-on) feature and make a google container so that all google domains go to that container.

If you want to get crazy, in either set in about:config or make yourself a user.is file in your Firefox profile directory and eliminate all communication with google. And some other privacy tweaks below.

google shit and some extra privacy/security settings

Google domains and services:

user_pref("browser.safebrowsing.allowOverride", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false):
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google.advisoryName", "");
user_pref("browser.safebrowsing.provider.google.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.lists", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.advisoryName", "");
user_pref("browser.safebrowsing.provider.google4.advisoryURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.lists", "");
user_pref("browser.safebrowsing.provider.google4.pver", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");

Privacy and security stuff:

user_pref("dom.push.enabled", false);
user_pref("dom.push.connection.enabled", false);

user_pref("layout.css.visited_links_enabled", false);
user_pref("media.navigator.enabled", false);

user_pref("network.proxy.allow_bypass", false);
user_pref("network.proxy.failover_direct", false);
user_pref("network.http.referer.spoofSource", true);

user_pref("security.ssl.disable_session_identifiers", true);
user_pref("security.ssl.enable_false_start", false);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
user_pref("security.tls.enable_0rtt_data", false);

user_pref("privacy.partition.network_state.connection_with_proxy", true);

user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("privacy.resistFingerprinting.letterboxing", true);
user_pref("privacy.resistFingerprinting.randomization.daily_reset.enabled", true);
user_pref("privacy.resistFingerprinting.randomization.enabled", true);

user_pref("screenshots.browser.component.enabled", false);

user_pref("privacy.spoof_english", 2);

user_pref("webgl.enable-debug-renderer-info", false); user_pref("webgl.enable-renderer-query", false);

[–] Bluefruit@lemmy.world 31 points 3 days ago (1 children)

This is why I like Lemmy, never knew canvas blocker was a thing. Thank you.

[–] Krik@lemmy.dbzer0.com 23 points 3 days ago (1 children)

Or you just switch to LibreWolf where all these settings are already set. It even comes with uBlock preinstalled.

[–] refurbishedrefurbisher@lemmy.sdf.org 7 points 3 days ago

Or Mullvad Browser, which is just the Tor Browser without Tor.

There's also IronFox on Android which is more similar to LibreWolf than MV Browser.

[–] Chulk@lemmy.ml 9 points 3 days ago (2 children)

I'm still trying to wrap my head around fingerprinting, so excuse my ignorance. Doesn't an installed plugin such as Canvas Blocker make you more uniquely identifiable? My reasoning is that very few people have this plugin relatively speaking.

[–] RecallMadness 2 points 2 days ago (1 children)

Iirc, Websites can’t query addons unless those addons manipulate the DOM in a way that exposes themselves.

They can query extensions.

Addons are things installed inside the browser. Like uBlock, HTTPS Everywhere, Firefox Containerr, etc.

Extensions are installed outside the browser. Such as Flashplayer, the Gnome extensions installer, etc.

[–] RecallMadness 1 points 2 days ago

Further: the Canvas API doesn’t have any requirements on rendering accuracy.

By deferring to the GPU, font library, etc, tracking code can generate an image that is in most cases unique to your machine.

So blocking the Canvas API would return a 0. Which is less unique than what it would be normally.

[–] happydoors@lemm.ee 2 points 3 days ago

Maybe if they can connect you to your other usage but it’s probably more of their resources and such a small % of the population that it isn’t worth the time to subvert? Idk just guessing here

[–] oaklandnative@lemmy.world 1 points 2 days ago (1 children)

I use (and love) Firefox containers, and I keep all Google domains in one container. However, I never know what to do about other websites that use Google sign in.

If I'm signing into XYZ website and it uses my Google account to sign in, should I put that website in the Google container? That's what I've been doing, but I don't know the right answer.

[–] ayyy@sh.itjust.works 5 points 2 days ago (1 children)

Yes, that’s right. Also seriously consider ditching Single ~~Stalk~~Sign On entirely.

[–] oaklandnative@lemmy.world 1 points 2 days ago

Thank you. I agree re ditching it and have been working on that.

[–] sem@lemmy.blahaj.zone 18 points 3 days ago (1 children)

Why does it do this?

  • Math operations in JavaScript may report slightly different values than regular.

PS grateful for this option!

[–] grinde@programming.dev 21 points 3 days ago (1 children)

Some math functions have slightly different results depending on architecture and OS, so they fuzz the results a little. Here's a tor issue discussing the problem: https://gitlab.torproject.org/legacy/trac/-/issues/13018

[–] Bogasse@lemmy.ml 6 points 3 days ago (2 children)

But one question I've been asking myself is : then, wouldn't I be fingerprinted as one of the few nerds who activated the resist fingerprinting option?

[–] JohnEdwa@sopuli.xyz 6 points 2 days ago* (last edited 2 days ago)

Yes. But it's better than being identified as a unique user which is much more likely without it. You can test it yourself on https://amiunique.org/fingerprint

[–] sugar_in_your_tea@sh.itjust.works -1 points 2 days ago

Just use Tor browser if you want to blend in. Some sites will probably not work, and I don't suggest accessing banks with it, but it works well for regular browsing.

[–] pHr34kY@lemmy.world 15 points 3 days ago (2 children)

I've used this. The only annoyance is that all the on-screen timestamps remain in UTC because JS has no idea what timesone you're in.

I get that TZ provides a piece of the fingerprint puzzle, but damn it feels excessive.

[–] treadful@lemmy.zip 13 points 3 days ago (1 children)

And automatic darkmode isn't respected, and a lot of other little annoyances. That's why this is so difficult. These are all incredibly useful features we would have to sacrifice for privacy.

[–] unwarlikeExtortion@lemmy.ml 1 points 2 days ago

Dark mode can be recreated using extensions, although the colors most likely won't be as legible as "native support".

I don't see why a similar extrnsion couldn't change the timezones of clocks.

Additionally, I don't see why the server should bother with either (pragmatically) - Dark mode is just a CSS switch and timezones could be flagged to be "localized" by the browser. No need for extra bandwidth or computing power on the server end, and the overhead would be very low (a few more lines of CSS sent).

Of course, I know why they bother - Ad networks do a lot more than "just" show ads, and most websites also like to gobble any data they can.

[–] Slax@sh.itjust.works 3 points 3 days ago

Wait is that why my Firefox giving me errors when I try to log into websites with 2FA?

[–] Ulrich@feddit.org 13 points 3 days ago* (last edited 3 days ago) (1 children)

I mean it doesn't hurt but as far as I can tell, it doesn't actually block fingerprinting, it blocks domains known to collect and track your activity. The entire web is run on Google domains so that would be nearly impossible to block.

The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That's why the main strategy is to "blend in".

[–] Schadrach@lemmy.sdf.org 4 points 2 days ago (1 children)

The crazy part about fingerprinting is that if you block the fingerprint data, they use that block to fingerprint you. That’s why the main strategy is to “blend in”.

So, essentially the best way to actually resist fingerprinting would be to spoof the results to look more common - for example when I checked amiunique.org one of the most unique elements was my font list. But for 99% of sites you could spoof a font list that has the most common fonts (which you have) and no others and that would make you "blend in" without harming functionality. Barring a handful of specific sites that rely on having a special font, that might need to be set as exceptions.

[–] Ulrich@feddit.org 1 points 2 days ago (1 children)

No, the best way is to randomly vary fingerprinting data, which is exactly what some browsers do.

Font list is just one of a hundred different identifying data points so just changing that alone won't do much.

[–] Schadrach@lemmy.sdf.org 2 points 2 days ago (1 children)

I wasn't suggesting it as "font list and you're done". I was using it as an example because it's one where I'm apparently really unusual.

I would think you'd basically want to spoof all known fingerprinting metrics to be whatever is the most common and doesn't break compatibility with the actual setup too much. Randomizing them seems way more likely to break a ton of sites, but inconsistently, which seems like a bad solution.

I mean hypothetically you could also set up exceptions for specific sites that need different answers for specific fields, essentially telling the site whatever it wants to hear to work but that's going to be a lot of ongoing work.

[–] Ulrich@feddit.org 1 points 2 days ago

It's a combination of both.

[–] ZiemekZ@lemmy.world 8 points 3 days ago (1 children)

Privacy Badger anyone?

[–] Bogasse@lemmy.ml 7 points 3 days ago

But does privacy badger also act on the canvas APIs & cie. ?

[–] roscoe@lemmy.dbzer0.com 6 points 3 days ago

Does ublock do this?

[–] ookiiBoy@lemmy.blahaj.zone 7 points 3 days ago (1 children)

It annoys me that this is not on by default...

[–] perfectly_boiled_pizza@lemmy.world 13 points 3 days ago

It's a nice feature for those that actively enable it and know that it's enabled, but not for the average user. Most people never change the default settings. Firefox breaking stuff by default would only decrease their market share even further. And this breaks so much stuff. Weird stuff. The average user wants a browser that "just works" and would simply just switch back to Chrome if their favourite website didn't work as expected after installing Firefox. Chrome can be used by people who don't even know what a browser is.

[–] fossphi@lemm.ee 1 points 2 days ago

Please don't enable this blindly. A lot of modern websites depend on a bunch of features which will simply not work with that flag enabled. Only do it, if you're willing to compromise and debug things a bit