Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by [RTINGS.com] this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.
As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.
In the study multiple VPN services were used, each of which resulted in exactly the same fingerprint hash. This is based on properties retrieved from the browser, via JavaScript and other capabilities exposed by the browser, including WebGL and HTML5 Canvas.
Next in the experiment the set of properties used was restricted to those that are more deterministic, removing items such as state of battery charge, and creating a set of 28 properties. This still left all 83 work laptops at the [RTINGS.com] office with a unique fingerprint, which is somewhat amazing for a single Canadian office environment since they should all use roughly the same OS and browser configuration.
As for ways to reduce your uniqueness, browsers like Brave try to mix up some of these parameters used for fingerprinting, but with Brave being fairly rare the use of this browser by itself makes for a pretty unique identifier. Ultimately being truly anonymous on the internet is pretty hard, and thus VPNs are mostly helpful for getting around region blocks for streaming services, not for obtaining more privacy.
Being fingerprinted is not the same as being identified.
Exactly. Even if they could identify the computer, they can only go “look, it’s that computer again”. They have no clue where that computer is, who it belongs to, and so on.
haha tell yourself what you need to hear in order to sleep at night
but privacy is obsolete. come on in, the water’s warm
Of course as usual you have no actual evidence to back up your claim. Its supposed to just be accepted at face value. Browser finger printing is like most other attacks on cyber privacy. It depends on sloppy practices by the individuals being targeted to identify more than just the browser by anyone who matters. The fact that the encryption you ecrypt a file with is, in and of itself, secure and unbreakable does you no good if you write the passphrase on the zip drive.
Thats where exploiting human error in the use of the technology comes in. To make the finger prints useful for actual identification you need to match them to finger prints collected by other sites where the individual has left the same browser finger print and provided actual identifying information.
The problem arises when companies like Palantir and Fog aggregate all that info and join it with traffic to your socials or bank.
My phone isn’t me, but it’s pretty easy to link it to me.
Exactly.
Sure. They are fingerpriting for kicks. This whole effort, and the teams and budgets involved, do it for the sake of it, not because they can correlate the fingerprint with the user at several key points around the web — such as when you log into any platform. Sure.
If you use the same configuration when browsing both anonymized and non anonymized they can correlate your anonymized activities to your actual identity if the organizations you intentionally identify yourself to share the browser finger print information with other entities that aggregate it or if they themselves aggregate it and the sites you don’t identify yourself too share the browser finger prints with them. Google for example has its fingers in most of the pies out there. Ideally you should use a completely different machine for anonymous and non anonymous connection sessions.
Being able to identify a computer or browser profile on a computer and distinguish it from other computers or briwser profiles which visit the same website doesn’t identify the actual user or the computers ip address. To do that you would have to match the browser finger print of the anonymized user to the browser finger print from a website where the user has provided identifying information or their true ip address. If the user uses a different local account and browser profile or better yet a different machine or virtual machine for their anonymous and non anonymous browsing that won’t work even with access to the fingerprints from a website where the user identified themselves or their true ip.
Now the actually interesting bit is that apparently blocking Java script and cookies and as much stuff as possible makes you “unique”. Now that is something I find weird and really worrying. Not for me being identifiable, but rather for folks just not caring about their own security (and bandwidth, telling the browser to avoid java script as much as possible makes sites load faster and more reactive).
That had me shook too — my tinfoil-hattedness was what made me unique. Its a plot point in Doctorow’s Little Brothers, but it never really hit home.
The bottom line is still that you should ideally use separate machines entirely for anonymized and intentionally deanonymized activities like, for most people anyway, online banking, your personal social media, ebay, Amazon, or whatever you choose to give identifying information to. Browser finger printing is far from the only reason to do that.
For a previous employer (this was in 2008), I once scraped some airline booking sites (for a consumer organisation who wanted to file a claim against them for unfair pricing). I did this on my work laptop, but working from home. We were quickly blocked, tried a few obfuscation and VPN methods, but kept being blocked again and again.
For over a year, it was practically impossible for me to book a flight, even with a different computer on a different network. This showed me the (scary) power of browser fingerprinting.
Why would the different computer be running the same browser? After all, it’s the browser that is identified.
Browser finger printing alone did not block an entirely different machine. You gave something else away.
Probably they can block my browser fingerprint and my IP, then also block other browsers or devices that make use of that IP by their fingerprint.
Being scraped is extremely unprofitable for flight sites: when you click on a certain flight, a reservation is held for you for usually 30 minutes, and that reservation costs the booking site money. More than recouped for by the normal sales fee, but if one makes thousands of reservations and no bookings multiple times per week, this starts to add up.
I’m not a fan of ads. What I allow on my computer should be put through.
I try my best to block them, as I really have no interest in anything advertised.
Besides, if I want something, I’m sure I can figure out how to get it myself.
I like to watch live trains. I’ve found reloading the page rapidly 4 or 5 times tends to stop the ads.
Or just use uBlock Origins. I see no ads on Youtube – at all. Never. None. Nada. Keine.
It is so rare for me to see an ad that it usually surprises me when one gets by.
Youtube messes with adblockers in some regions by delaying the video loading, not starting playback until you press pause and then play, or loading it up with no sound. They basically find new ways of breaking the player every few months, then the adblockers get around that, rinse and repeat.
They’ve also kept turning the maximum volume down on videos, so they can play the ads louder as the users have to crank their volume up to hear.
Used to be illegal to mess with volume for ads. When did that go away?
Oh yeah… I forgot Google and probably lot’s of other wonderful businesses and agencies that are there to simply look after us and have nothing but the best intentions for everyone. :-)
SYSTEM PROTECTION FAULT
ILLEGAL INSTRUCTION at CS:IP 0x847fb73ca SARCASM OUT OF BOUNDS.
HALT.
Identifying a specific machine or its approximate location using fingerprinting is scary enough. But it gets even scarier.
Let’s way your machine is “fingerprint proof” to some extend. It tries to hide it’s uniqueness. And not in such a way that it’s unique in the way it hides it uniqueness. You can even mask some user behavior such as mouse movement, click timing and key stroke timing, by adding some randomness.
But even if you have a machine that is “fingerprint proof” to some extend there are also ways to identify the user itself.
Examples of identifying users:
-Pattern-of-life analysis. Uses timestamps of events to identify a user. (detectives use this, like “L” in “Death Note”, but also IRL by authorities)
-Stylometric analysis. Identifies writing style. Combined with machine learning you can narrow down the list of potential authors. Articles: https://arxiv.org/abs/2211.07467 and https://academic.oup.com/dsh/article/35/4/812/5606771
Yep, I got ” Yes! You are unique among the 4552552 fingerprints in our entire dataset. ”
The ones that really narrowed it down were – (in order of most narrowing)
– fonts
– navigator properties
– canvas
– firefox,
– permissions
– screen size
I suspect I might have just been unique on those alone (it reckoned 0.00% have the same fonts installed as me, for a start).. I would have thought more than 1.18% were running a big hi res screen (my 6th smallest number), but obviously not the people who use the web site..
It is certainly a relevant thing to be concerned about – as all you have to do is log into one web site somewhere, and they know who you are and your ‘fingerprint’ . They can then sell that to others, who can tell if you vist their site even via vpn or with no cookies….
Indeed HaD should be filling in the box below with my username and email…
But now, if you used a reliable VPN, public wifi, or, whatever to mask your ip, to identify you or your actual isp connection that fingerprint has to be matched to one from a site where you somehow identified yourself or your connection. Whether or not that can be done probably depends on your browsing habits
VPNs aren’t about hiding from nation states. They are about protecting your first hop. You are slightly more trusting someone who is incentivized to maintain your privacy over an ISP who is probably your only option and who would love to make money selling your personal information. They have the information to link your computer to a person, that is the real danger. A VPN can add one extra hop there. As far as fingerprinting goes, I have had really good luck with Brave and an extension to spoof the latest chrome user-agent.
93.38% flash not detected.
On the one hand, reassuring that flash is dead. On the other hand, what’s wrong with the remaining 6.62% of browsers that they’re still installing flash??
Browser attestation is why VPNs will not keep you anonymous.
https://en.wikipedia.org/wiki/Web_Environment_Integrity
Considering the current climate, I’d expect this to be resurrected in some digital-ID form.
Curious why no mention of Mullvad Browser?