Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISPs upstream provider?
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that i'm expecting too much.
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
It starts slow but it got interesting.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherit to the server-client nature of the web means that abuse is more likely to flow in one direction than the other.
So am I, come to think of it.
Anyway, if you really want to know what your browser is sending:
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
https://github.com/fingerprintjs/fingerprintjs
Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can't. Integrations aren't exactly hard to make, quality is hard yes, but making half assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on that requires their explicit malware in order to use, what is unique about their finger printing versus what fingerprintjs provides?
> Since you can detect light mode, would it kill you to honor it?
It would probably still be low contrast garbage even if it did. :/
My guess this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner cant make the changes without a sloperator.
Same, it claims Brussels, but I'm in Antwerp. It also got my screen resolution wrong.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, its just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy its probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
Are you like /severed/ or something? Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
* Your socks don't match anything in the room.
* The man you thought you killed in Tuscaloosa woke up and walked home an hour later and is now a chiropractor in Shreveport.
* Your daughter is pregnant by the kid who trims the hedges.
* Your dog is dreaming about the squirrel in the wood pile.
How does it know?
But I am the only person in this timezone in the world. It uniquely identified me!
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
My browser fingerprint was unique among the visitors in the past 45 days.
Gotta love Firefox with ublock origin in advanced mode, even without JavaScript disabled so the site worked.
Did you enable firefox resist fingerprinting? Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
So if you use this information you still need to disclose it and process data in accordance with the law.
It is definitely not legal in Europe, when used to track individual users. The consent pop-ups are not only about cookies.
https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...
> San Pablo, California, United States > You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
I've seen this exact UI style a dozen times now and it's always accompanied with tell-tale overly verbose, overly dramatic text.
Fugly.
Gave me a scare, thought I'm still somehow running an x86 build of Firefox.
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.
If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification).
Also, though, of COURSE your address arrived first... how else are they going to send back the data you are requesting?
Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.
That checks out. I think what I have is similar to a graphics card but isn't quite.
More of you should be running current Firefox. It actually has serious engineering work going into protecting you from web tracking.
I work for a team entirely dependent on web tracking for Fraud prevention. The things Firefox does work to protect you and make our job harder. They genuinely make it harder for websites to track you.
Other things that genuinely help: Apple private relay. Some VPNs. Generated unique credit cards.
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
- Some of the numbers are off, eg - low contrast in dark mode makes text hard to readFirst paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
The fact that it begins with my IP address reminds me of those dubious VPN ads.
City is wrong, I may speak English but it's not my native language.
As other people said, there are much better pages showing you your browser fingerprint.
It doesn't matter whether you actually speak english natively or not, nobody cares about the actual values. Web sites don't actually care whether you have a robust font package in some way to discern whether you are a font hipster or something, they are just collecting signals.
What matters is that your physical machine and web browser combo report these values about the same way every single time they are probed, and that is used to reliably track YOU, uniquely, with great accuracy, with EVERYTHING you do on the internet, every site you visit, every mouse movement, every purchase linked back to you.
Everything.
The actual values don't have to match "reality" in any way. It's just about generating bits of signal about your setup.
Firefox on Android with ublock
guess mine isn't such a specific model as yours. so I don't have a real GPU, i have something similar to a GPU??? did I get a knock off Alibaba version?
The thing that bothered me is that browser are still sending the Referer info. I thought that was not supposed to work under https?
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although its annoying when I connected to a VPN to Steam it’ll often show my prices in Canadian dollars instead of USD.
Well, at least something positive from the shit I take for not sheepling my way through life using Chrome
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
It seems odd that any site would require a user come from somewhere.
That was actually my only surprise, everything else I was expecting.
edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.
It’s been a long time my 2016’ iPhone as been called recent or high-end but I’ll take the compliment, thank-you.
This is surely only partially true.
https://addons.mozilla.org/en-US/firefox/addon/site-color-ch...
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, ublock origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla(Mullvad) VPN for uncontrolled WiFi access points for my jnrootabke android device and mostly signal for comms.
I'm getting to old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
does the same or better, without AI regurgitation and a WordPress theme.
Span this across all of your movements and activities across multiple aggregators and it's a trail of movement through a fog of data that is fuzzy, but enough to identify you, or a small cohort of similar users.
>The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
This phenonemon is much older than "browser fingerprinting"
https://web.archive.org/web/20260508131253if_/https://sincey...
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
Terrible company-at least you know you are testing what is being used.
Reality is that most do not care about privacy (look at the number of Google users, even developers themselves who are completely aware of it and continue to "embrace" the mass tracking). There is also the mass brainwashing which is an issue where people that use VPNs think that they are anonymous and this is terrifying to think (thank you NordVPN non-sense, which also use Google Analytics which then correlate entire traffic later-on, what a joke).
We can see that big companies are able to do a great deal for privacy like Cloudflare and Apple (relatively speaking).
>Reality is that most do not care about privacy
Most people don't understand how much they are being tracked online, and even less know how to start preventing it. The vast majority of people care deeply about privacy. It is a natural human desire. Ask someone that says they have "nothing to hide" if they would be willing to let you install a camera pointed at their bed. Are they doing anything wrong in bed? Anything to hide? No. They still deserve privacy.
Saying you don't care about privacy because you have nothing to hide is like saying you don't care about free speech because you have nothing to say. [1]
Just because people don't care about the issue doesn't mean they shouldn't have the right by default. Privacy should be the default. It is bad for you to have less privacy because it gives governments, corporations, and other people significant power over you and allows them to harm you more easily. Also it is your right, just like the 1st amendment.
[1] Edward Snowden
Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
Where are you was sent to another location due to the VPN, this was all it really impacted. When you arrived was wrong because of the Mullvad browser, even without the VPN enabled it reports that I'm in Reykjavik, which I'm not. What you brought with you, it got the resolution wrong, as the browser locks itself to various resolutions to prevent this kind of fingerprinting. GPU and Battery both say "kept back", I assume this means it couldn't get anything, because when I run in Safari it says Apple GPU.
Harder problem is getting the economic system that relies on this information swapped out. Have fun when 99% of web doesn't 'work'.
Oh wait, no, I'm an e-addict. Drat! Curse this monkey!
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
- Reverse IP/geocode (while be cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
The server tells your browser to display a line of text in a specific font. If that font is available, your browser does so, and if not, it displays the text in your default font, or a backup font if the developer specified one. There's no need for the server to know if it's there or not.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
The site does seem to be implying that disclosure and consent are the issues:
> We did not ask for your location.
> Nothing about this was requested. The information arrived on its own.
> Your device volunteered all of this in the first milliseconds of the connection. It will do this again on the next page you visit, and the one after that.
> No permission is required.
It's framing this as if browsers are maliciously volunteering information that ought to be protected, and that sites are maliciously hiding the information available to them.
It does seem to be clearly suggesting that even basic pieces of information ought to be available only upon request and that this must be disclosed to users.
You say this is "not a proposal to gate every header", but it's sure looking like something close to that to me.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queriable with JS.
I use windows color filters (Grayscale inverted is my preferred, in the past I used plain inverted) for poor man's dark mode (or light mode in this case) for stuff that doesn't honor my color scheme and hurts my eyes. It also has a hotkey, so it is really handy sometimes, but you need to enable it in the settings.
Assistive technologies are great, not only because they benefit those who have no choice but to rely on them, but also they can benefit the luckier people.
> The prose
> Hand-written · Template-based, not generative
> Every sentence on this page was written by Matt. The code selects among prose templates based on what your browser returned. No language model writes or rewrites anything at runtime. If a condition is not covered by hand-written prose, the page stays quiet about it — we'd rather say less than say something false.
It looks like this is an ad by the way, check op's posting history
This is out of control, and y'all just comment these threads as if they're made by humans.
peoples obsession with 100% privacy while operating in a public space is immature. if you're that risk averse dont connect to the internet.