Same, I don't see any problem with my Facebook feed, it's all just friends and family postings and local events and some local news posts and things like that.
No political content or anything I would consider rage bait.
Most of the things you've listed here don't actually seem all that reasonable to me.
User agents as a concept are rather poorly thought out across the board and not all that useful but persist because that's just how technical cruft is.
Fonts should be provided by the website; if not provided the choice should take the form of a spec sent by the website including line height, serifs or not, monospace or not, etc. There's little to no excuse for the current font situation IMO beyond poor design decisions that became heavily entrenched.
Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis. The status quo here is completely inexcusable as is the continued failure to fix the problem.
Size of the physical screen should never be exposed under any circumstances. The current size of the browser window is reasonable on its face but now that fingerprinting is understood to be an issue should always be heavily letterboxed unless the user consents to sharing the exact value.
Video formats should be provided by the website as a list of offerings and the browser should respond with a choice; the user could optionally intervene. There's no reason to expose the full capabilities to a remote service.
Querying the current time should be gated behind an explicit permission. There's almost never a need for it. However from a fingerprinting perspective you also have to worry about correlating the rate of clock skew across clients. That can be solved by gating access to high resolution time counters behind an explicit permission as (once again) the vast majority of services have no legitimate use for such functionality.
I don’t ever use any font provided by the website. I don’t even let websites choose which fonts get used. Instead I choose a set of fonts (monospaced and proportional) that are readable and everything uses those.
If you want to see what that looks like, go into the Firefox settings, find the Fonts section, click Advanced, and then uncheck “Allow pages to choose their own fonts, instead of your selections above”. Be sure to adjust the “Minimum font size” while you’re here so that nobody uses text sizes that you cannot read.
Yeah, because I love it when every website I go to downloads 10 megs of fonts to my computer before it starts rendering the page. Fonts should be suggested by the website, and a bog-standard "every computer has this" font should be listed as the fallback.
> Timezone and other obviously private metadata should never be shared without the user explicitly granting permission on a case by case basis
100% agree.
> Size of the physical screen should never be exposed under any circumstances
I mostly agree, but with the understanding that this would cause issues with "modern" web pages having very difficult to format layouts. Responsive design requires a response, after all.
> Video formats should be provided by the website as a list of offerings and the browser should respond with a choice
You're still getting the same feedback with this, that the browser chose to use X format, so you're not increasing privacy with this, only difficulty.
> Querying the current time should be gated behind an explicit permission
100% agree. If there is no active local processing of information that the server relies on, in the format of a game or some other interactivity, then there is no reason why the server needs to know your local time.
That's why I said that a spec mechanism should also be provided. The issue is that sites can perform measurements regarding the layout that change based on the font used. So the browser should only ever provide a few fallbacks, nothing more, and anything else needs to come from the site itself.
> screen size
I think maybe you're confusing the physical screen with the current size of the browser window?
> video formats
The issue at present is that a site can programmatically test a long list of formats against your setup to see what happens. What I'm describing increases privacy because the site can no longer directly query for the entire list of supported formats and the user can optionally control the process. Obviously it's still possible to botch the implementation on the browser's end but the point is to make it possible to do the right thing.
That is a fair point but it would presumably still be a step in the right direction.
> video formats
True, a malicious streaming site could still work to fingerprint your client if you watched multiple different videos. However that would require active work on the part of the server and could be mitigated by the client which is already miles better than the status quo.
I suppose my proposed solution would also introduce a new constraint that a stream couldn't switch codecs from one chunk to the next but I doubt that would be much of an issue in practice.
I don't believe that's how it works now. At present the server would typically send code that queries for codec support prior to sending video chunks. These days there's the low level WebCodecs API; [0] previously you would have used MediaSource.isTypeSupported( ... ). [1] The issue is that at present the code sent by the server handles any queries and makes the selection. That leaves the door open to run arbitrary queries for the purpose of characterizing the underlying platform.
> If the type attribute is specified, the browser immediately compares it with the media types it can display. If the type is not supported, the browser skips querying the server and directly checks the next <source> element.
Huh. That's interesting but in practice it doesn't quite work. The major streaming platforms want to handle things programmatically in chunks and they need a way to establish what codec (among various other parameters) to use before they get started. So the requirement is a browser mechanism to make that information available to server provided code running on the client. And I'm further stipulating that this mechanism should facilitate optional intervention by the user.
We're talking about fingerprinting, not serving up content. They could leave the content being served up unchanged, then add those tags elsewhere on the page where the user wouldn't notice, pointing at a tiny 1-second empty video.
These are all relics from the innocent 90's Internet. We had our global village and everything was fine. A couple of bad actors spamming blue pills here and there and that was it.
Now we have actual criminal organizations and other real bad actors.
I'm sure we can come up with something better than advertise our whole local computing platform on every HTTP request.
The Tor project seeks to bypass this by keeping such things standardized across users, even down to reported screen size. And there is nothing stopping the browser from fibbing as most settings don't matter all that much (i.e. UK vs Canadian vs American English).
This is a bad idea though, because any newly discovered means to get even a single data point results in being able to ID every Tor user. It'd be better to have every Tor browser always generate a random fingerprint so that even if the unexpected happens people will never get anything but random results.
> to have every tor browser always generate a random fingerprint
Browsers do not "generate" fingerprints. They expose data that can be used to fingerprint users. You cannot "randomize" this; even if you were to return random values for, say, user screen size, with various visual side effects, it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
> it would just be another signal to fingerprint: "Oh, your browser is returning random values? Must be a Tor browser user".
That's perfectly fine! As long as they can't tell which tor user you are they can't track your browsing activity or associate it to any one tor user. That's the goal. Currently tor browser sticks out like a sore thumb by trying to appear identical no matter who uses it, which is fragile because any one data point unaccounted for unmasks everyone.
I fantasize having a browser that I can use only for viewing content.
No applications. No mail. No need for cookies.
I can use a "regular" browser for more enhanced stuff. But for simple content consumption, we can just have a "dumb" browser that can't do much.
> A user agent that says the browser's version? Reasonable enough.
No user agent. I'm guessing it will need it for JavaScript or HTML features, and dynamically update if using an old browser, but let's just not supply a user agent and let it be the reader's burden to have a reasonably decent browser.
> Being able to ask for fonts, if the system has them? Difficult to have font support without that.
What's the fallback if the system doesn't have them?
> Getting the user's timezone, language and keyboard layout? Reasonable.
Keyboard layout is irrelevant for viewing content. For timezone and language: Yeah, I can see the use cases, but these are in a small minority. Let there be a popup when requested, and the user can specify the timezone/language as requested.
> The size of the screen, and the size of the browser window? Difficult to lay things out without that.
Let's let this new browser return only from a (small) discrete set of sizes. It will pick the size closest to the actual browser window size and send that.
> Of course a video or audio player needs to know which video formats your browser supports - how else to provide the right video?
Same answer as user agent. Either let the user pick from a selection of video formats, or just hard code a reasonable one and put the onus on the user to have a browser that supports it.
> Obviously javascript can get the time, and it's trivial to figure out the system's clock error by comparing that to the time on a server.
This hypothetical browser could just not send the time :-) For 99% of content consumption, this function is not needed.
What I'm describing should be part of "Private mode". Or browsers should have an "Ultra-private" mode that is the above. If it's too complex/risky maintaining it all in one codebase ... fine. Just have a separate browser.
Right now, if I built such a browser, I'm sure a lot of sites meant for content would break. But in my fantasy world, using "Ultra-private" would be the default, and people who make sites will target them first.
I think much of the complexity in making a web browser is all the "other" stuff. Being able to run apps, cookie/privacy management, etc.
Unfortunately you've now made an incredibly niche browser, and the lack of those metrics is a good fingerprint by itself. How browsers render SVGs can be used for fingerprinting (even the underlying OS affects this, and I assume you'll want to see those), combine with ISP from IP address, and unless there's hundreds of users in every city you're now pretty easily trackable.
There's no problem with having a unique fingerprint. The problem is having a consistent one. Randomize the fingerprint every time and you're fine. The IP address problem applies to everyone, including anyone using tor browser. The only solution to that is not using your own IP address (VPN/proxy). If I were going to make a secure privacy focused browser it either wouldn't allow things like rendering SVGs (which have introduced vulnerabilities beyond tracking) and wouldn't allow much (if any) JS and only a sane subset of CSS.
> Unfortunately you've now made an incredibly niche browser, and the lack of those metrics is a good fingerprint by itself.
If 100 people are using that browser, how will they know which one is me?
> How browsers render SVGs can be used for fingerprinting (even the underlying OS affects this, and I assume you'll want to see those)
Can you provide details on this? And how will they know which OS I'm using (through SVG rendering...)? The UserAgent definitely should not send the OS.
> combine with ISP from IP address
That's already provided whether I use Private mode or not, correct? I can always use a VPN.
You're the only one out of 100 that visits HN, or whose use matches a particular timezone, or who has the use pattern that [anti-]correlates with your work pattern, or ...
So the HN operator sees someone using this browser, with this timezone. Then I go to some other site. Let's pretend that site's operator and HN's are identical. How will they know that I'm the same guy who went to HN? How does he know there aren't two people who use the browser in the same timezone (and the other one doesn't go to HN)?
I think the point is that it takes very few data points to effectively deanonymize someone. And the less common a data point is, the greater the information gain. "User is male" eliminates ~half of users. "User actively reads HackerNews" eliminates >99%. "User uses this niche browser that only 1000 people have ever been seen using" eliminates 99.999%.
This is how surveillance operates at scale. You don't need a stable identifier linking a specific person's identity, you just need a few data points to narrow it down to even a few thousand people. Then you apply more focus on those people, gathering data points that eliminate people until you're left with your target. And thanks to decades of global iteration on surveillance infrastructure, and AI to glue data sets together, it's all automated.
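The narrowing described in the two comments above is easy to put in numbers. The following is an added illustration, not code from the thread: it treats each data point as keeping some fraction of the remaining candidates, converts that fraction into bits of identifying information (the surprisal, -log2 of the fraction), and walks a constructed population of 5 billion users through the three example data points using the percentages the comment gives. The population figure and the assumption that the data points are independent are both simplifications made here.

```python
import math

# Constructed starting population; a round number standing in for "everyone online".
WORLD_POPULATION = 5_000_000_000

# Data points from the comment above, expressed as the fraction of candidates that survive each one.
# Independence between them is assumed here; in reality "reads HN" and "uses a niche browser" are correlated.
DATA_POINTS = [
    ("user is male", 0.5),                                   # eliminates ~half
    ("user actively reads HackerNews", 0.01),                # eliminates >99%
    ("user uses a niche browser (1000 users seen)", 0.00001),  # eliminates 99.999%
]


def surprisal_bits(fraction_remaining):
    """Bits of identifying information carried by a data point that keeps
    `fraction_remaining` of the current candidate set."""
    if not 0.0 < fraction_remaining <= 1.0:
        raise ValueError("fraction must be in (0, 1]")
    return -math.log2(fraction_remaining)


def bits_to_identify(population):
    """Bits needed to single out one individual from `population` people."""
    return math.log2(population)


def narrow(data_points, population=WORLD_POPULATION):
    """Apply the data points in order.

    Returns (rows, total_bits) where each row is
    (label, bits gained by this point, candidates still remaining after it)."""
    remaining = float(population)
    total_bits = 0.0
    rows = []
    for label, fraction in data_points:
        bits = surprisal_bits(fraction)
        remaining *= fraction
        total_bits += bits
        rows.append((label, bits, remaining))
    return rows, total_bits


def is_unique(data_points, population=WORLD_POPULATION):
    """True once the accumulated bits exceed what is needed to pick one person out of the population."""
    _, total = narrow(data_points, population)
    return total >= bits_to_identify(population)


if __name__ == "__main__":
    rows, total = narrow(DATA_POINTS)
    print(f"bits needed to identify one of {WORLD_POPULATION:,}: {bits_to_identify(WORLD_POPULATION):.1f}")
    for label, bits, remaining in rows:
        print(f"{label:48s} +{bits:5.1f} bits -> {remaining:>16,.0f} candidates left")
    print(f"total: {total:.1f} bits, unique: {is_unique(DATA_POINTS)}")
```

Run as written, the three data points together yield roughly 24 bits and leave a candidate set of about 250 people out of the 5 billion, short of the ~32 bits needed for uniqueness; that is the "few thousand people" stage the comment describes, after which a handful of further data points (timezone, work-hour pattern, ISP) each add a few more bits and finish the job.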
No support for forms. The browser is meant for content consumption. Not for interaction/creation.
One could argue that any JS capabilities to do network requests (including dynamically rendering content) would be disallowed.
Yes, I know, this is going pre-Web 2.0.
Yes, of course, most current sites won't work in that model. But I'll also say: Most current content sites don't need these capabilities. They have them because they know the browser supports them.
Again - a fantasy. I know only a few people will use it. I know that won't be enough to change web behavior. It would be nice, though, if sites carried a badge to indicate they conform to all of the above.
I've had the same thought for 20 years and unfortunately it's less likely than ever to happen now, given how many sites require JavaScript and have Cloudflare pages before even loading a site (I get several a day).
Thankfully I think traditional web surfing is probably going to die out in the next 10 years, and progressively decline a lot much sooner than that as people start to interact with AI rather than browsers (or any software for that matter).
My feed of HackerNews is going to be my AI agent giving it to me in plain text very soon, and soon after that I will probably never visit the internet again because it will be impossible to know what's real and fake.
As a millennial it will be interesting to experience the full cycle of being born when nothing was online, to everything being online, to then again being entirely offline by the time I'm older.
> my feed of hackernews is going to be my AI agent giving it to me in plain text very soon
Wait for the advent of local agents running on local models (for privacy) followed by techniques to fingerprint agents, followed by techniques to infer query parameters based on agent behavior. I wish I was joking but it seems all too plausible.
As the submission shows, Tor browser isn't enough. My hypothetical browser would never have an IndexedDB API. Why should it?
"Web applications use it for offline support, caching, session state, and other local storage needs"
This use case is completely orthogonal to what my browser is meant to do. My browser would not have a concept of local storage.
The premise of starting with a modern browser and stripping away features to get privacy is flawed - it's always vulnerable to these types of things. I'm going the opposite route: Only add features if they cannot be exploited for monitoring.
All of these could have a set of standard non identifiable answers (eg. firefox reports the same 20 fonts, couple video formats, one among a few standard window sizes etc.) and for anything more extensive/precise, it would require the user's authorization and the user should have the option of feeding fake info (eg. fake timezone)
Firefox's "Resist fingerprinting" does this. It sets the timezone to UTC, standardizes the fonts, standardizes a whole bunch of other fingerprinting data, etc. It also has a "letterboxing" option to round the screen size down to the nearest 100px and stuff too. Tor uses all of those settings by default, though they are also in standard Firefox in about:config.
When I use Resist Fingerprinting my main issue is the timezone being set to UTC. Most of the other stuff it does never causes issues. I guess sometimes sites need to read the canvas, but there's a permission box that allows that when needed. I wish there was a similar permission box for timezone.
The only other drawback to the "resist fingerprinting" option is you will encounter Cloudflare's captcha checkbox everywhere and all of the time :(
Ideally you'd have browsers randomizing what they send instead of reporting the same info every time. That way even a deviation from the "norm" can't be assumed to ID someone.
The most popular browser is made by an ad company. They also provide the majority of funding for their biggest competitor. Why would you expect anything different?
The funding for tor project is nowhere near what is needed to develop an entire browser. Mainly because the web has become such a bloatfest, not because of any wrongdoing by tor.
It's a fine line between making the web usable, fingerprinting, and peppering the user with dozens or hundreds of permissions.
And since browsers rival OSes for complexity (they are basically OSes in their own right already), any part of the system can be inadvertently exposed and exploited.
Most stock android phones don't either. You usually get to control precise location, notifications, some background activity, SMS, Calls, Mic, Camera, SD Card, etc.
But most ROMs don't allow controls for WiFi, Cell data, Phone ID, Phone number, User ID, local storage, etc...
Yes. A few apps have been caught doing nefarious stuff using advertising sdks, like meta, but on android most apps are well sandboxed and can only access what you approve.
For those things you can't control it doesn't ask. You can see those under "other permissions" (or similar).
But once you look there it's too late if you care about this data and forgot to turn on airplane mode.
And yet this sort of endless (fingerprintable) browser feature list is what people cite when they claim that mobile Safari is somehow way behind Chrome, and how it’s a travesty that Chrome can’t natively implement all these (again, highly fingerprintable) features on the iPhone.
I had a herniated disc and severe nerve pain. I took 16 ibuprofen a day, 4 200mg pills every 6 hours, it did nothing that I could tell. I also used a methylprednisolone dose pack, also didn't seem to help. I also tried prescribed opioid (tramadol), didn't seem to help much.
Acetaminophen worked far, far better than all these. It worked so well, but I wanted to be careful to limit myself to 3000mg a day, so I took 1 500mg pill every 4 hours for a few days while awaiting surgery. It's the only thing that got me through it. Even an epidural lumbar steroid injection didn't help...
I had severe nerve pain due to a herniated disc. While awaiting a surgery, I was prescribed an opioid (Tramadol) but it didn't seem to help much at all. Acetaminophen actually worked better than the opioid for me...
Yes, I had a herniated disc and had severe nerve pain. While waiting for a time when I could get surgery to fix it, acetaminophen reduced the pain even more than opioids! Ibuprofen and an oral steroid like methylprednisolone did nothing...
Acetaminophen is like a wonder drug for me while ibuprofen doesn't seem to ever do anything for me.
> For inflammatory pain (most headaches, most pain from injuries), ibuprofen absolutely works better.
Unfortunately, for me ibuprofen doesn't seem to help at all with any of these. Like I understand that my pain is often inflammatory based, and I try ibuprofen, but the pain doesn't dull at all even if I take 800mg etc...
I take 1000mg acetaminophen and boom my pain is vastly reduced...