Web fingerprinting or how surveillance advertising should be illegal

I read something that worried me so much that I was still thinking about it when I woke up. I’m talking about a post on Michael Tsai’s blog, where he quotes Bitestring’s article “Fingerprinting is worse than I thought.” Everything in this article is fascinating and, to be honest, quite frightening to me, who was — as I discovered — rather clueless about the scale and depth of web fingerprinting.

To be honest, I didn’t know much about web or JavaScript “fingerprinting” in the first place. I naively thought that by using a strong content blocker, Apple’s iCloud Private Relay, and Safari with most of its privacy-protection features activated, I’d be safe. How wrong I was. Then I read this quote from Nick Heer, talking about Fingerprint Pro and their live demo, which demonstrates how your visitor ID remains the same despite everything:

My visitor ID was stable in Safari after visiting fingerprint.com only in private windows across two separate sessions. This, despite using Safari’s anti-tracking features, having iCloud Private Relay switched on, and using browser extensions which limit what kinds of scripts are able to run in my browser — and, again, accessing it only in private windows. On its homepage, FingerprintJS says the “VisitorID will remain the same for years, even as browsers are upgraded”. It can be, near as makes no difference, a permanent personal identifier.

My first reaction reading all this was: what is the point of using ad blockers then?

Sure, you’ll still block ads, but if your privacy is not more protected than without using one, if ad companies manage to track you as effortlessly, then what is the point? If someone follows me everywhere I go around town and watches me sleep at night, I don’t really care for a service that is just hiding them from my sight and not preventing them from following me and tracking me in the first place.

This is all very concerning to be honest. How is any of this legal? Maybe the European Union should start banning web fingerprinting altogether instead of just adding it to the GDPR:

How should this work in practice? User consent means an informed, unambiguous action (such as change of settings from “no” to “yes”). In order to be able to rely on this legal ground, companies that use fingerprinting would have to, in the first place, reveal the fingerprinting before it is executed and, then, wait for a user to give their freely-given informed consent. Since the very purpose of fingerprinting is to escape user’s control, it is hardly surprising that trackers refuse to apply this standard.

Maybe I should start using JavaSnipt again: I noticed on Fingerprint Pro’s website that if I disable JavaScript, it doesn’t register my visit (it also breaks the live demo tool, so I can’t be 100% sure about the ID generated with JavaScript turned off, but I think it breaks at least some of the fingerprinting process.)1

Like I commented on Tsai’s blog, it makes you wonder: has JavaScript improved or made our web experience worse?

Until Apple does something about this — and I think they eventually will and should, considering their focus and claims on privacy — I might consider using Firefox, which seems to be able to block fingerprinting.2 On Bitestring’s blog:

Fingerprinting has become a popular method of user tracking due to its ability to connect multiple different browsing sessions even if the user clears browsing history and data. Given there are companies selling fingerprinting as a service, if you want to really protect yourself from fingerprinting, you should use Tor Browser or Firefox with resistFingerprinting=true. If you need to use Chromium, then Brave browser is a good choice. It also randomizes the fingerprint for each session, making it harder to link your browsing sessions. However, I do not recommend Brave because it is based on Google’s Chromium engine, thus only encourages Google’s monopoly.

Looking at the available Safari extensions when searching for “fingerprinting,” the only one I see claiming to protect users from it is made by Norton, famous for its anti-virus software. You know that surveillance advertising is bad when an anti-virus company is the one trying to protect you from it; imagine having to hire a shady bodyguard to prevent salespeople from following you around everywhere.

That’s the web we have today: a privacy-invasive, ad-filled, garbage-full junkyard where it’s impossible to navigate without being followed and exposed to all sorts of disgusting, unwanted, threatening objects, with only a few gems hidden in it. Sigh.

  1. Maybe private browsing or incognito mode should be renamed as “history-off mode” or “logged-off session”? I think it would be more accurate.↩︎

  2. Even if it doesn’t do much regarding web fingerprinting, what I’ll do for now is use both Wipr and JavaSnipt and figure out an efficient way to make them work together, along with StopTheMadness and the brand new StopTheFonts. Can’t be too careful nowadays.↩︎