The fact that I have to go to great lengths to browse anonymously - and companies desperately try to circumvent my genuine decision to opt out of their tracking - tells me everything I need to know about those companies. Words like sleezy, shady, and predatory come to mind.
I would love to see this taken one step further and have states/countries prevent companies from tracking me altogether if I reject their cookies, but I fear it's more likely those companies will lobby to prevent Firefox from protecting us.
I briefly discussed this extension and how to proceed after the passing of a maintainer with Mozilla staff in their Extensions and People teams at FOSDEM this year, but there was no real procedures in place at the time of our chat.
[0]: https://addons.mozilla.org/en-GB/firefox/addon/temporary-con...
[1]: https://github.com/stoically/temporary-containers/issues/634
./firefox -CreateProfile "profile-name /home/user/.mozilla/firefox/profile-path/"
./firefox -profile "/home/user/.mozilla/firefox/profile-path/"
Given that /usr/bin/firefox is just a shell script, you can
- create a copy of it, say, /usr/bin/firefox-hn
- adjust the relevant line, adding the -profile argument
You're in luck since EU's GDPR is about informing users of PII harvesting and consent in general (among other things). So the banner is not only about cookies. And I think nowadays there are similar regulations elsewhere.
When you talk about a "shopkeeper" it gives it a small community charm. The Internet is anything but that.
One of them might peer out their window, the other will infiltrate every aspect of your life. One of them is bored, the other has no qualms about doing significant harm to you if it serves their interests.
I'm absolutely positive I could if they were getting other store owners to help them track me.
What I don't understand is why this is unacceptable if they do it to a single person but perfectly normal if they do it to all their customers. IMO that should make things worse, not better.
Let's put it this way. You'd get a restraining order against someone if they followed you around all day, logging when you woke up, ate, who you talked with (even if they don't hear the conversation), where you went, and when you went to bed. That's clearly stalking, right? So why us it suddenly acceptable when it's being done by some guy named Mark who is stalking a billion people instead of just one?
We clearly differentiate this from being a regular customer at a store. If I'm a regular at Joe's Corner Market and get a sandwich every Wednesday for lunch then he remembers me because we're talking face to face and making conversation. It's personal. There's clear consent in what I'm sharing and there's a clear expectation that Joe isn't going to use that information to manipulate me or follow me around town. Our interaction is limited to the store and maybe bumping into each other on the street. It's clearly not stalking, we're just friendly. The same way your partner might know about when you wake up, go to sleep, eat for breakfast, and all that same stuff. Your partner isn't stalking you.
[Edit]: I want to encourage the above comments. Doesn't matter if recursive4 believes the other side or not, I want these conversations to be front and center. I like to see the other responses than mine as well and I think these help us refine our arguments and by being prominent they help others be convinced and join us. So while I know we don't usually talk about how to upvote/downvote, I'll just say "vote strategically rather than agreeability" :)
So no, you cannot steelman a broken analogy.
Rather than presupposing an analogy to something importantly different, I would propose that the steelman would be along the lines of noting that ads and hyperpersonalization are effective at meeting and predicting your needs, and steering you towards an interpretation of your own needs that finds their fulfillment in deepening a consumer relationship. And if you get steered into lock-in with one company's ecosystem, you get the convenience of a stack of vertically integrated services.
You can talk at a normal voice inside your own home at night, and even if the neighbor can hear you through the thin walls, they have no legal recourse. If you start blasting music, the police will (in principle) come and stop you.
Some things are okay in moderation and simply bad in excess.
If you're doing fingerprinting for tracking purposes, you're gonna be tracking a lot more in-depth data.
But in the end, there are pretty much three types of Internet user today: 1. The person who uses the default browser installed on their device. 2. The user who always downloads Chrome when they first get a new computer. and 3. Nerds who do something else.
I'd rather be trackable but secure -- the big draw for me is NoScript. Paired with uBlock, I'm safe from malvertising[1]
[1] https://en.wikipedia.org/wiki/Malvertising#Examples_of_malic...
Only things uBlock doesn’t replicate:
NoScript’s anti-XSS and anti-clickjacking heuristics (uBlock just blocks the sources, not sanitize payloads).
NoScript’s control over other active content types (e.g., WebGL, media codecs, etc).
If a website has 100 visitors, and 99 of them use Chrome, and 1 user uses Firefox, it doesn't matter how good their fingerprinting resistance is, they're always the one using Firefox.
They could not build a profile on you and it would break their system of tracking user login per device.
https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
https://addons.mozilla.org/en-GB/firefox/addon/auto-containe...
It would be really useful to have something that dithers the reported canvas size by 5 or 10 pixels in different containers to add noise there.
about:config -> set privacy.resistFingerprinting to true
about:config -> create new boolean key privacy.resistFingerprinting.letterboxing set to true
this will set your canvas to a common size which fits in the viewport and display a grey "letterbox" border in the surrounding space.
My experience lately has been that fingerprint.com is able to identify my main profile "in bursts", i.e. it will identify me consistently for some days, then it will forget and tell me it's never seen me. Maybe the service they provide on the landing page has a TTL policy? Either way, I've observed this behaviour on both my main profile and my "Firefox Focus"-like profile (a mix of no history + automatic temporary containers). On Mullvad Browser, however, it always seems to group me with random access across the globe.
I have more restrictive protections on. If you use just loose settings, it completes, but advanced fingerprint protection, for example, breaks captcha completion.
This is very known issue.
I was actually wondering if the stuff that Mozilla's talking about here will be used by bad bot people to try to circumvent CF's abuse protections. As I recall from when I was working with them, CF's service relies in part on being able to identify botnet attacks by doing its own fingerprinting.
https://support.mozilla.org/en-US/kb/firefox-protection-agai...
They are... surprising to me. And as a developer, some of them seem kind of horrible. Altering canvas data, really?
By installing Canvasblocker, Decentraleyes and NoScript you are providing more entropy to trackers and thus making it easier to track you. Imagine how many people worldwide block specifically Canvas, have weird looking network requests to certain js libs and have JS disabled for some (/all) scripts combined with your general setup (window size, font size, and many other factors that do not even require JS).
The Tor project explicitly suggests to not install an adblocker for example because of this.
bigcommerce.com
classyschema.org
doofinder.com
elfsightcdn.com
google.com
grit.software
gstatic.com
hexgator.com
klarna.com
skeepers.io
criteo.com
googletagmanager.com
I also don't get advertising in any form, maybe because I don't have ecommerce apps on my phone and I block a lot of things with Blockada, but that's another story.
Yeah, they require CSS, which you can also block using noscript and other tools, if you want.
Also, while you might be more "trackable" to those who fingerprint, if you are blocking those cross origin or same origin scripts from loading you are already stopping some of that. You can even blacklist some known hosts completely in your browser's policy settings and prevent those requests from ever reaching their destination.
The web without ad blocking is revolting. Browsers building in these features makes them more popular.
Aside: Fuck the Washington Post. They have a line in their privacy policy that acknowledges the existence of "Do Not Track" flags in browsers. Their acknowledgement: since there is no industry standard for responding to it, they ignore it.
If there's one thing I don't like its the fact that NoScript doesn't integrate with Multi-Account Containers. It would be neat if instead of having to temporarily allow GitHub JavaScript and re-disable it when I'm done; I could just allow GH JS in a GitHub or Microsoft container and it only being enabled in that container.
* Cookies
* Tracking Content
* Cryptominers
* Known Fingerprinters
* Suspected Fingerprinters
But there is no separate toggle for the feature that adds noise to the image, or indication of which toggle would affect that.
I like the idea of Brave but we have a bigger fight that requires us to have no chromium. Chromium winning is Google winning, allowing them to control the Internet. I don't want that power in any single entity's hands. So I do ask that more people switch to Firefox or Safari as those are the best options to fight back and have decent market shares (even if small). If we lose the internet we'll lose our privacy too
[0] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
Is it (a) to avoid internet marketing, (b) some other reason or (c) both. What is the "threat model"
If the answer is (c) then is there a belief that a fingerprint collected for marketing purposes may be used for other purposes
I do not use a browser to make HTTP requests, I only send two headers, Host and Connection, unless I need to send more, e.g., User Agent, Cookie, Accept, etc. The vast majority of websites I access work with only two headers. The list of ones that require more is short and the local forward proxy adds them automatically for those sites
For me, the "threat model" is (a) internet marketing
I do not see any ads because (1) the computers I use cannot access ad or tracking servers^FN1 and (2) I use a text-only browser to read HTML. There is no Javascript interpreter, no way to auto-load resources, no way to display images, no way to store cookies, etc.
I have no issue with this information that I'm a text-only web user being revealed to any internet marketer. (More likely I am mistaken for a "bot" as a result of crude heuristics)
On the other hand, if I were using a popular browser to make HTTP requests, one that sends a "common" fingerprint to internet marketers, then this would signal a more viable target for ads and tracking. Popular browsers have default settings that enable Javascript, cookies, images, auto-loading resources, etc.
tl;dr The reasons a computer user has for avoiding fingerprinting may be different. For example, one user might want to "blend in" and "hide", i.e., avoid being "identified", whereas another user might want to "be left alone", i.e., avoid being the target of internet marketers
FN1. Markerters always seem to require access to DNS
This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.
In contrast a randomized fingerprint mean when you visit A you have a fingerprint X' and on B you have a fingerprint Y' and no one else on the internet has X' or Y' but A and B can't correlate you.
The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.
If a fingerprint goes to extra effort of detecting a randomized fingerprint, and ignore (or remove) the randomization, they will get the X fingerprint which - hopefully - matches many more users.
Unless they tackle all the hidden things, all artifacts, canvas rendering and many more.
These companies will be actually happy after this change, because even users with ublock and other plugins, will think they're not tracked. Yeah, nope.
And it's not that hard to see how they fingerprint your browser, reverse any JS tracking script yourself and see.
Then I remembered why I no longer use firefox. I believe we, as users, need to take back the open web. The days of some random developers ruining the UI should really be over, be it firefox, or Google chrome killing ublock origin. We need to fight back.
Started a fresh profile, but couldn't find an AI button. The AI stuff in the context menu? You can remove the chat bot functionality right there. As for the buttons, if there is an undesirable button, it should be removable via context menu or toolbar customization.
Do you use something else?
It's a bit more privacy focused, so may need some tweaking to your liking (by default it won't persist history, zoom levels, cookies, etc.)
Last time I tried everything I could to prevent Firefox from calling home, it was still requesting Mozilla servers. Though I haven’t given up, my plan is disabling it at source code level and build my own release.
> The browser ultimately sends only what the webpage requests.
You should do research before making such claims.
"People should do work for free" isn't very workable.
You've got 6 layers under your browser before that data is sent -- some of those are useful for fingerprinting. Also, browser behavior and feature sets are not and likely will never be 100% uniform.
> GDPR to make it illegal for browsers to track this information
Unfortunately the internet is global and people outside of the reach of those jurisdictions can just exist outside of the reach of those laws. Consider the existing landscape of malicious internet traffic and scams which are already illegal in almost every country -- they are still a widespread problem.