231 pointsby joahnn_s3 hours ago21 comments
  • Aurornis3 hours ago
    > One tanh call on the right input is a per-OS signature. Claim macOS, return Linux math bits, and you have contradicted your own User-Agent.

    They (or rather the LLM that wrote this) missed that this is possibly fingerprintable to browser version range, which is slightly more interesting. Most users aren't spoofing their user agent headers to be a different operating system. Most fingerprinting solutions aren't trying to infer your operating system, they only care about semi-unique things that show up.

    It's an interesting finding. I wish they had taken some time to have a real person write it up. This is too heavily LLM written to ignore.

    • jeroenhd3 hours ago
      > Most users aren't spoofing their user agent headers to be a different operating system.

      The people behind the LLM behind this blog post are. They're trying to pretend their robots are people to sell other websites' data to their customer. It's easier to pass bot detection gates if you pretend to be a physical machine running Windows or macOS than if you honestly admit you're using Linux on a VM.

      • acters2 hours ago
        It's sometimes easier to lie than to tell the truth, and being on Linux telling the truth gets me more scrutiny than those pretending to be legit.
      • baby_souffle40 minutes ago
        Some scrape activity happens because I can't obtain the data any other way. I would be thrilled if certain retailers had price and availability data as an API so I could not bother with the bulk of scrape and process.
      • nradov35 minutes ago
        The HTTP User-Agent header was a mistake from the beginning. There is no legitimate need for the server to know what software the client is (or claims to be) running.
        • parasense15 minutes ago
          It certainly wasn't a mistake in the beginning, but it's certainly a mistake now.
        • esrauch17 minutes ago
          I feel like this is with 2026 view where browsers are so mutually compatible.

          In the bad old days there were so many differences between html, css and js behaviors that if you wanted your site to be nice you had to change it for the browser. The way css padding worked wasn't even the same. Feature detection was rarely viable for any of this.

          No user agent would probably have only entrenched IE6 dominance even more by blocking you from deliberately making a site that works at all on other browsers (including IE7 for that matter)

          • nradova few seconds ago
            I'm aware of that history and the User-Agent header was a mistake even back then. It took the pressure off of browser vendors and gave them an excuse to not fix their bugs.
      • reactordev2 hours ago
        The Internet is a cesspool of scams now
        • pocksuppet2 hours ago
          scraping, however, is not intrinsically a scam.
          • mplewis2 hours ago
            It is when you're doing it like the LLM companies are: at scale, to the degree that you're taking down my site, without my consent by masking your user-agent, for the purpose of stealing data I didn't authorize you to have.
            • Benderan hour ago
              I documented some crude methods that can stop most of that without a CDN. [1] There will be some false positives so I guess it depends on ones priorities which methods if any to implement or test on a throw-away test site. Not perfect, nothing is. I am watching hundreds of bots sending SYN's and the daemons are oblivious to them. The only method I have not played around with yet is #7 ssl fingerprinting.

              There are additional methods I chose not to document such as limiting access to logged in accounts that require double-opting-in to acceptable use policies and terms of use, not that most scrapers would give a toss. That it too much whack-a-mole for me personally. That method requires progressively adding friction to account creation and that comes with some pros and cons.

              [1] - https://nochan.net/b/Internet-Crap/20260606-How-To-Block-Som...

            • parasense11 minutes ago
              I think the key word was "intrinsically".

              It's like public photography, it's intrinsically legal, except when it's a Flock camera and then it's suddenly an invasion of privacy.

            • nradov31 minutes ago
              What data is being stolen? Are you referring to copyright violation or something else? If you don't want LLM companies to scrape a site then just restrict access to authorized users. Simple.
            • lsaferite2 hours ago
              Unfortunately the response to that right now is to nuke everything that isn't within a strict set of constraints. That helps with the bad bulk-scrapers, but hits everyone else as well as collateral damage.
            • VorpalWayan hour ago
              Something like Anubis in front of the server to protect it might be an option. It sucks that we have to resort to that yes, but it seems the least bad option currently (better than the entire internet going through Cloudflare at least).
            • userbinatoran hour ago
              The idiotic "stealing" argument again? At least use "piracy" if you want to be correct...

              The moment you openly publish information on the Internet, you have already given consent. There are other solutions to bandwidth usage.

              User-agent discrimination should be illegal. All it does is further the control that Big Tech has, and help authoritarian governments with their control too.

              • pdpian hour ago
                As with anything IP-related, the data is licensed under whatever terms you choose to impose. That’s the extent of the consent you’ve provided.
                • Asraelitean hour ago
                  Permission to access is not the same as permission to use.
          • dupedan hour ago
            No it's just intrinsically antisocial behavior
            • GaryBluto38 minutes ago
              Scraping has never "intrinsically" been anti-social behaviour, you just don't like it.
        • d1ss0nanz2 hours ago
          Always was.
        • Mistletoe32 minutes ago
          Has the internet made the average human’s life better? As someone that lived in both eras I have to say no. If you want to improve humanity greatly and prevent 6 billion people’s misery and counting, you build a time machine and prevent Tim Berners-Lee from inventing it in the first place. But it wouldn’t help because someone else would still invent this torture nexus of hyperconnected human minds.
    • joahnn_s2 hours ago
      You can only assert >148 at the moment, but there are better vectors to strictly assert the version by simply checking the addition of v8/blink on each chromium version (and since ~120 it's the case), so by checking if xxx is present and yyy is not present in js userland or css feature, the inference is 100% for the major version

      And for the LLM writing, yes, it's written in the article and blog, it's not hidden or pretending, otherwise I would never publish an article due to lack of time, and I stand by it

      • Arch-TKan hour ago
        It takes less time to write the prompt, you could just publish that?

        It's an important topic, and I am glad you wrote about it, but even half a page of notes would have been enough to convey this. It would save me literally skim reading headings just to get past all the fluff.

      • georgemcbayan hour ago
        > otherwise I would never publish an article due to lack of time, and I assume

        Didn't even have time to finish their HN reply.

    • comex2 hours ago
      This can be used to fingerprint version range, but so can a million other things. Browsers are constantly adding new features and fixing bugs, most of which can be detected from JavaScript.
    • userbinatoran hour ago
      The LLM has a good point. I personally don't care what or who wrote it if it's true.
  • jeroenhd3 hours ago
    Kind of a smart move by this company: write up an AI analysis of all fingerprinting techniques in hopes they get fixed after outrage so their scraping company can make more money. If it weren't for companies like this, fingerprinting wouldn't be so ubiquitous and the internet would be a better place in general.

    I prefer articles like this coming from the other side of the battle (fingerprint.js and friends) because at least their motives are clear.

    • codedokode2 hours ago
      I disagree, fingerprinting is necessary to track humans and it will be used regardless of scrapers being there or not.
      • coldbrewed2 hours ago
        I work at a CDN that provides bot detection services. I agree that there's baseline necessity in terms of fraud detection, and if not necessity then definitely financial motivation to fingerprint. But these days, abusive scraping is far and way the the main driver for fingerprinting.

        We don't fingerprint for ad purposes, and we destroy PII for humans as fast as we can because PII should be treated as radioactive. But we see customers that are constantly burned by abusive scrapers and the scrapers aren't slowing down.

        The current approach to scraping is strip mining the Internet and is having the corresponding pollution effects that you'd expect. I'm fine with individuals doing whatever weird automation they want, more power to you, but it's this industrial scale crawling and extraction that's degrading the Internet from all angles.

      • nradov29 minutes ago
        Why is it necessary to track humans? It might be more profitable for advertising but that's not the same as necessary.
        • zdragnar18 minutes ago
          Tracking humans isn't necessary. Fingerprinting is necessary to tracking humans.
  • sjrd3 hours ago
    I guess that's one more good reason to push for correctly rounded transcendental functions. I recently learned that they're basically solved now. [1]

    [1] https://arith2026.org/program.html (2nd keynote)

    • anematode40 minutes ago
      Agreed, correctly rounded libm functions are great, as long as they don't have miserable worse case behavior (as was famously the case with glibc's pow at one point).

      One thing I was thinking of doing is manually SLP-vectorizing the high-precision fallbacks that they use when they're close to a rounding boundary, so that you can get better worst-case behavior – but obviously it's good enough already for most purposes.

      I'm honestly surprised though that JS engines don't just keep using fdlibm though. The ECMAScript spec explicitly encourages it iirc. And if Math.tanh is on your hot path in JavaScript then you're doing something quite bizarre...

      • lifthrasiir27 minutes ago
        > as was famously the case with glibc's pow at one point

        Pow is famously hard anyway because it's bivariate and there is no currently known way to work around the table-maker's dilemma (TMD). CORE-MATH even crashes upon a new required precision record, because it intentionally avoids Ziv's rounding.

    • torginus2 hours ago
      I never understood why fixed precision, and integer math isn't more popular. In engineering, we used fixed point all the time, it ran on much simpler hardware and the error is mathematically easy to model. IEEE 754 floats are not only suspect when it comes to theory, but are often outperformed with integers smaller than the mantissa (so less than 24 bits of int can beat a 32 bit float), when it comes to things like loss of precision.
      • AlotOfReading2 hours ago
        I recommend pretty much everyone avoid fixed point and other float alternatives, barring exceptional cases after you've done your own numerical analysis, or you lack floating point hardware (rare these days).

        Yes, fixed point can use simpler hardware. That's also a completely irrelevant consideration for software. The vast majority of processors are optimized for floats now and some operations (e.g. division) are actually faster.

        The precision argument also falls apart. Any float with mantissa >= X+Y can get exactly the same results as a QX.Y fixed point. The float will actually perform better across the same range because you have to round it to perform like the fixed point. That means more precision, lower error, automatic normalization, better overflow behavior, a larger working range, etc. And it'll probably be just as fast, unless you're bottlenecked on memory bandwidth of inputs (unlikely). When you inevitably want an exp() or another special function, it's a heck of a lot easier to call libm than implement your own and it will perform better.

        Floats are also much easier to get right for your coworkers that aren't numerical analysts.

        • torginusan hour ago
          I didn't recommend fixed point for simpler HW - I recommended it for better precision (if you know what you are doing). First, a point I didn't make, is that if you have 32 bits of fixed, you get way more precision than with a 32 bit float. But I can think of a pretty common case where a 24 bit int would win against a 32bit float: convolution filters. If you have a filter whose inputs are supposed to sum up to 1 (which is the most common case), integer computations mean that, even with internal overflows, the end result will be correct. In contrast, with floats, you can lose precision. If you apply said operation 10000x recursively (say, you are 'stepping' a simulation), those errors can add up bigtime.

          > Floats are also much easier to get right for your coworkers that aren't numerical analysts.

          That one is true, however, when you have people, such as EEs who really care about precision, and know the theory behind it, then floats are often not the obvious choice. It has other advantages, like your calculation running the exact same regardless of CPU and/or compiler, which I'm sure a lot of analysts care about. Afaik finance people don't even use floats for things like account balances, because you can't represent something like 0.1$ exactly.

          Fixed point has basically no language support, and is very hard to get right, but sometimes you need to do that.

          Do you have any subject matter expertise in quantization errors? Like doing simulations or DSP work? Not trying to be antagonistic, just figure out where you're coming form.

          • AlotOfReading14 minutes ago

                First, a point I didn't make, is that if you have 32 bits of fixed, you get way more precision than with a 32 bit float.
            
            That's true, but I already responded to it. If you step up to the next size of float (e.g. f64), you have more precision than the fixed32. You can do exactly the same computation in f64 with equivalent inputs, and you'll get better precision than doing it in fixed32. Or you can round at every step like fixed does and get a bit-equivalent value if you don't want the precision. It's less memory efficient, but my point is that the remaining use cases for fixed point are situational and getting increasingly niche.

            Maybe using a bigger float type is cheating, but it's basically free because of the ubiquitous support for floats.

                In contrast, with floats, you can lose precision.
            
            This only happens with values outside the range of your fixed point type if you use larger floats as mentioned above. I consider that a different argument. You can alternatively view this as the float handling a situation more gracefully than fixed point would have.

                Afaik finance people don't even use floats for things like account balances, because you can't represent something like 0.1$ exactly.
            
            Finance types typically use decimal types from what I understand. This is really just the result of using a decimal syntax to initialize/output a binary representation. Fixed point has exactly the same problem. Decimals have an analogous issue with the value 1/3.

                It has other advantages, like your calculation running the exact same regardless of CPU and/or compiler, which I'm sure a lot of analysts care about.
            
            I wrote a library that makes floats more practically deterministic across platforms for very little cost (linked at [0] so you can see the limitations and numbers), and the underlying problem is [maybe] getting a standardized solution in C++29. You can get the same thing today just by changing compiler flags. If you need the special, non-reproducible float functions, your options are mainly to import a library or implement it yourself, same as fixed point.

                Not trying to be antagonistic, just figure out where you're coming form.
            
            I work in safety-critical automotive/robotics, used to do audio DSP, contributed a bit to the aforementioned standardization, etc. I also have a talk on this topic I've been working on for the last few weeks. It's a bit of a pet subject.

                Fixed point has basically no language support, and is very hard to get right, but sometimes you need to do that.
            
            There are absolutely situations for it, but that's exactly it: it's situational. And those situations are increasingly uncommon these days, now that hardware with good IEEE support is essentially ubiquitous and compilers/standard libraries are improving their implementations.

            [0] https://github.com/J-Montgomery/rfloat

        • Asraelitean hour ago
          > The vast majority of processors are optimized for floats now and some operations (e.g. division) are actually faster.

          This seems backwards. Hardware is optimized for floats because people use floats. If people used fixed point, hardware would become optimized for that instead.

          Given an equal number of transistors, I'm pretty sure fixed point would be a lot faster on equally optimized hardware for almost all operations.

        • hilariouslyan hour ago
          fixed-point provides uniform precision, exact integer-scaled arithmetic, is deterministic whereas floating point is more convenient but its not a panacea
          • AlotOfReadingan hour ago
            As I said, floats can provide results that are no worse than a specified fixed point type. So if you want uniform absolute precision, just round down to the required precision.

            Floating point is generally deterministic in practice with a fairly minor amount of effort, the major remaining issue being library rounding. I actually wrote a library that guarantees this for arbitrary code, with some small, obvious caveats like standard library precision. And the conference talks linked above note, the standard library issues are an increasingly solved problem for modern toolchains. The remaining cases are mostly things you won't do in fixed point. Let me know if you're aware of anyone computing erfc in fixed point for determinism though.

            I'm not saying there aren't any situations where other systems are justified, but you probably won't know if you fall into any of them without the kind of numerical analysis that most codebases will never receive.

          • mananaysiempre36 minutes ago
            Fixed-point arithmetic provides uniform absolute precision; floating-point arithmetic provides almost-uniform relative precision, as used by scientists and engineers for literally centuries (“significant digits” except the binary version is more uniform than the pencil-and-paper decimal one).

            Hardware floating point on CPUs (including SIMD units) is almost always IEEE 754 compliant these days (excepting only IBM’s weird fantasy land), and there the rules for the non-YOLO operations (+, -, *, /, sqrt, fma) are completely unambiguous and deterministic: treating the inputs as exact, compute the mathematically exact result, then either return it as is if it is exactly representable as a floating-point number, or if it’s not then round it to one that is according to the current rounding mode.

            Things that can mess this up:

            - GPUs just do whatever they feel like will make them look faster on benchmarks, don’t count on anything.

            - Transcendental functions (exp, sin, etc.) are really hard (multiple literal PhDs) to implement according to the rules I’ve just described (“correct rounding”), so you’ve only been able to get such implementations like this year, and I believe no stock libm has completely switched so bring your own if you need them.

            - Decimal-to-binary and binary-to-decimal conversions, by contrast, are not that hard to implement according to the rules in principle (it’s making them fast that’s difficult), yet Microsoft couldn’t get it right for literal decades, so if you need Windows then double-check CRT versions and bring in well-known open-source conversion code as necessary.

            - Denormal inputs or outputs are very slow in some implementations, leading to a hardware option to flush them to zero. Either make sure to not produce them or keep an eye on the option.

            - The precise bit pattern of the NaNs you get for invalid inputs may differ across platforms. Either make sure to not produce them (you really shouldn’t) or canonicalize upon de/serialization.

            - Sometimes compilers will try to HALP by performing e.g. single-precision math in double-precision accumulators and only rerounding upon store to memory; by fusing * followed by + (two roundings) to hardware fma (only one); by reassociating; etc. Take care to prohibit your compiler from doing these shenanigans (no -ffast-math or -funsafe-math-optimizations ever, in your code or in any dependencies, and God help you if you’re on MSVC).

            - Most shamefully, the 8087 (despite spawning the entire IEEE standard in the first place) tried to HALP by using 80-bit registers, so if you need x86-32 then be especially careful with compiler settings (I seem to remember the HALP mode might even be ABI-mandated on some 32-bit platforms so you’ll need to violate that).

            The concept of floating point is solid, the IEEE standard is stellar, but the superstructure around it is just—not, requiring an unnecessary amount of vigilance to just make it work as designed.

        • an hour ago
          undefined
    • Retr0id3 hours ago
      Tangential, but wow do they really register a new domain for each year and renew it in perpetuity?
      • yzydserd3 hours ago
        arith2027.org taken, arith2028.org available.
        • Retr0id3 hours ago
          Well, there's an arbitrage opportunity if I ever saw one
          • pclmulqdqan hour ago
            I go to the conference frequently and know the organizing committee. It depends on the year (2025 and 2026 did it, but not 2024). And if someone decides to register arith20xx.org, I doubt the conference would buy it.
          • voxl2 hours ago
            They would just choose a different domain name, it's not that important and the previous years tend to forward link anyway.
  • omoikanean hour ago
    I hope this eventually ends up in https://coveryourtracks.eff.org/ so I can see how unique my math functions are relative to a larger population.
    • twelve4031 minutes ago
      this is really something. They claim (no idea if true) to have patched 4,000+ signals in 550+ C++ files in Chromium. coveryourtracks.eff.org uses like what, 25 signals?
  • Retr0id3 hours ago
    Thanks for the writeup, claude
    • isiahl2 hours ago
      What I think is crazy are the links at the top to summarize the article with your preferred AI provider. The prompt asks it to summarize the article along with an advertisement for their product. This is the prompt I got when clicking the Claude link:

      > summarize+this+article+and+explain+how+scrapfly+helps+me+scrape+any+website+at+scale+and+bypass+anti-bot+systems+for+my+use+case:+https://scrapfly.dev/posts/browser-math-os-fingerprint/

    • _alternator_3 hours ago
      Yeah, interesting finding in the headline, the rest is just Claude.
      • userbinator2 hours ago
        Using AI to fight back against Big Browser is delightful.
    • ddtaylor2 hours ago
      I haven't been active on HN as much in the last few months. The community seems really fixated on calling content slop and detecting LLM usage in a paranoid way.
      • gdwatsonan hour ago
        I am not so paranoid, and I haven’t been working with AI, so my AI-dar is bad. But I keep reading technical writeups like this, then getting frustrated at the writing style or incomplete explanation – this one was more complete than most, though it was repetitive. Then I come read the HN comments, and I see that it was LLM-generated.

        (To be fair, this one says so up top. Even so my eyes skipped over it.)

        So I find the reaction helpful. I want to read posts in the best human style, but if the angry mob can’t motivate those, at least I can notice the pitchforks and torches, slap my forehead, and say, “Oh, that explains it.”

      • vlian208836 minutes ago
        Great observation! You've touched on something that's definitely worth exploring further. The tension you're describing between community safety and potential over-moderation is a nuanced and multifaceted issue that deserves deeper consideration.

        Key points to consider:

        1. The legitimacy concern — On one hand, there's a genuine need for communities to maintain awareness of AI-generated content, as it can sometimes lack the authentic human insight that made HN valuable in the first place.

        2. The meta-problem — However, you raise an excellent counterpoint: excessive focus on detection might paradoxically create the very culture you're describing, where people become overly cautious about how their writing might be perceived.

        3. Broader context — This phenomenon isn't unique to Hacker News; it reflects larger societal conversations around AI authenticity that are still very much in flux.

        Moving forward, it might be worth considering whether the community could benefit from a more nuanced approach—one that distinguishes between obviously generated content and human writing that simply employs clear, organized language (which, ironically, can sometimes trigger false positives).

        Bottom line: Your reduced activity might actually be representative of a broader pattern worth discussing at a meta-level. Have you considered posting this as a Show HN discussion? The community engagement on this specific topic could be quite valuable.

      • Retr0id2 hours ago
        And the other half of the community seems fixated on upvoting AI slop.
        • ddtayloran hour ago
          Sounds needlessly divisive.

          Why not criticize the content instead of the source or medium?

          • Retr0id26 minutes ago
            The medium is the message, which is especially true when it exists as content-marketing for their anti-anti-scraping product for AI companies to use to improve their ability to emulate blogs, among other things.
          • queenkjuulan hour ago
            "The content is AI slop and not worth reading"
            • ddtaylor17 minutes ago
              None of that is specific to the actual content. Might as well just say "I don't like it" which is also not objective analysis.

              This article was about math functions, chrome, etc. If the author got something wrong, mention that, or if you don't like the pacing or how the content was divided into pieces, etc.

            • fragmedean hour ago
              We all want signal and no noise, but complaining about whether or not it's noise is just more noise.
              • queenkjuul41 minutes ago
                It's a signal to those who haven't read it yet that it isn't worth reading
      • 37 minutes ago
        undefined
      • 39 minutes ago
        undefined
  • coppsilgold2 hours ago
    Even Tor Browser (/mullvad-browser) gave up trying to obscure the operating system though arguably they shouldn't have. There appear to be too many fingerprinting vectors.
    • chjj5 minutes ago
      I think they made the right call on that. It's unclear to me whether hiding the OS is even possible. There's just too much OS-specific behavior that happens inside (and outside) a web browser. It's hard to account for all of it.

      OS rendering differences can likely betray you even when canvas extraction is blocked/noised. At least one tor-browser dev has publicly confirmed that you can't even hide the difference between X11 and Wayland[1], nevermind two entirely different OSes.

      [1] https://forum.torproject.org/t/linux-is-it-alright-to-run-th...

    • ranger_dangeran hour ago
      Tor Browser straight up does not even modify navigator.platform at all, so it's incredibly easy to see when you're not using e.g. Windows.
      • coppsilgold28 minutes ago
        I believe they used to make the user-agent appear to belong to Windows but then they stopped doing it with the excuse that there are other ways to tell anyway.

        The OS doesn't really matter, the amount of entropy it contains is very low. As long as the anonymity set of browser-users is large it's all good. And I believe Tor Browser accomplishes this objective.

  • qurren2 hours ago
    just inject this with your favorite JS injection plugin

        let oldTanh = Math.tanh;
        Math.tanh = x => oldTanh(x) + Math.random()/10000000;
    • chjj2 hours ago
      it's elegant, but i prefer:

          Math.tanh = Math.random;
    • sanxiyn2 hours ago
      The article addresses this: search for "No noise".
      • an hour ago
        undefined
    • Klonoaran hour ago
      Multiple anti-bot vendors will detect that replacement and use it as part of their fingerprinting process.
    • gruez2 hours ago
      Great, now you'll be outed as "hides fingerprint", which is probably more identifying than if you returned a normal value.
  • fweimer2 hours ago
    Recent glibc uses the correctly rounded tanh from CORE-MATH, so it returns different values than what's quoted in the article. It's unclear today if it's possible to achieve reasonable performance for other transcendental functions with correct rounding, so other functions have their own unique fingerprints.
  • torginus2 hours ago
    What I don't get is that Chrome is hundreds of megabytes of just executable code, I assumed they statically linked half the userland. Also, I though tanh isn't a function, but an intrinsic emitted by the JS JIt that uses CPU instructions - which might be fingerprintable as well, but it's weird that for a math operation, you need to branch to a 'dlsym()' function.
    • pocksuppet2 hours ago
      The x87 FPU implemented transcendental functions in microcode. Most instruction sets don't implement them. Mmicrocode is actually slower than software, since it doesn't get the benefit of things like branch prediction.
    • mmis1000an hour ago
      Chrome is the only browser that preserve unused bit in value NaN through non JITed mode as far as I remember. And that bit become 0 when code get JITed.
  • jmward01an hour ago
    Is this even a fight that is possible to win here? Run enough functions and between timing comparisons (x takes 2.5 y) and rounding (things like this) and I suspect you can nail os/exact machine and possibly even other tasks running on that machine. I'm not sure there is a viable way to stop this. At best just make it a little harder? Society and legislation need to catch up here. It is like a lock on my door. Locks don't stop people. They just deter a few people and delay a couple more but a determined person can (likely very easily) break into my house. That is why we need society to call it out that it isn't right (people avoiding buying things they think are stolen, shunning those that do it, etc etc) and laws that step in (it is a crime to break into my house. real resource dedicated to tracking down and stopping people that do it, etc). A similar approach needs to happen here. It should be illegal to track a person like this and people that get hired at a place using the gains of it should shun those companies and society should shun those companies.
    • nradov22 minutes ago
      Sure, except that in cyberspace a lot of the people who are doing things that are — or should be — illegal are located in jurisdictions where no enforcement is possible. Places like Russia, Myanmar, and North Korea have no concept of the rule of law and criminals who scam foreigners are actively protected by local authorities. So analogies to door locks completely break down there.
  • joahnn_s3 hours ago
    We noticed Chromium Math.tanh since v148 returned a different result, so we dig it - it's now a fingerprintable surface to retrieve the OS Chromium run on
  • drnick13 hours ago
    This is interesting, but even without relying on JS, most users are already fingerprintable by the combination of IP + user agent.
  • andai2 hours ago
    I am not the NSA, but on an unrelated note, this delights me!
  • IvanK_netan hour ago
    I think the screen resolution is also fingerprintable. That is why a browser should resize your window to a random size each time you visit a website.
  • 2 hours ago
    undefined
  • a-dub3 hours ago
    how hardened are modern browsers with respect to detecting underlying os? seems like there would be loads of gaps?
    • majorchord41 minutes ago
      There are boatloads of gaps.
  • mrsssnake2 hours ago
    JavaScript was a mistake.
  • amelius3 hours ago
    Can't we make fingerprinting illegal, as in, jailtime illegal?

    Would not solve everything but still help a lot.

    • chaboud2 hours ago
      I'd rather penalize the application than the technique. Windows was rumored to long have "quirks" that would do better things for apps that had bugs that the OS ended up fixing instead of the app.

      Javascript systems have long had polyfills for varied browser feature comparability gaps.

      Whether you agree with these, making probing detection via fingerprinting illegal would take away this lever. Making surreptitious tracking via fingerprinting illegal? Even for state actors?

      Yeah, that's probably reasonable. If someone is going to wear a tracking collar in exchange for "free" services, a little disclosure makes sense.

      • Terr_2 hours ago
        Yeah, the problem is how the data is kept and abused afterwards.
    • bloody-crow2 hours ago
      I don't think it'd be possible to define fingerprinting narrowly enough to not also outlaw perfectly normal and legitimate usecases.
      • chjjan hour ago
        I'm not even sure I'd want to make it narrow. I'd start with:

        "Information gained via side-channel for the purpose of correlating individuals."

        But you'd have to add an enormous amount of legalese after that to make it ironclad. They'll start arguing "this isn't a side-channel", "we're targeting bots, not individuals", etc. You'd have to define every word in that sentence very carefully.

        I'd make it sweeping. "Individual" can mean "person", "bot", "suspected bot", "AI agent", "a piece of autonomous or non-autonomous software", basically anything. The "side-channel" definition might get trickier, but I'd rather legit use-cases get burned than privacy get burned.

        The OP was downvoted, but I agree. I think fingerprinting should be in the same criminal category as an illegal wiretap.

    • akersten2 hours ago
      Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat? Some vague sense of indignation?

      Yeah, tracking bad, I get it, but are whatever damages that kind of legislation would prevent (probably nothing measurable) really more important than fixing the easy, in our face social problems that politicians could instead be focusing on?

      • chjj32 minutes ago
        The analogy falls apart when "your store" is actually a handful of multi-billion dollar corporations that surveil a significant portion of the internet and covertly grant government agencies (and god knows who else) access to the data.

        It's passive surveillance on the order of billions of people. It's not a mom-and-pop shop.

      • thepasch2 hours ago
        > Why should it be illegal for me to recognize the way you walk into my store

        If you did it in just your store, that wouldn't be a problem. The correct analogy, however, is "why should it be illegal for me to attach a perfectly traceable and invisible air-tag to you when you enter my store, without your explicit consent, and subsequently follow and document your every movement no matter where you go, as long as that location has a business relationship with my store, and also my store is the most popular chain on the planet that has business relationships with basically any relevant business that exists." And I don't think the answer to this one shouldn't be particularly difficult to arrive at.

        • akersten2 hours ago
          Well it's not really an airtag, I don't "attach" anything to your browser when I check what its GPU can do.

          That's just a description of you that I share with my other stores. Casinos, Target, Burger King, etc all do this when you get 86'd, for example.

      • kaladin-jasnah2 hours ago
        Isn't fingerprinting used across many different websites? Then the analogy would be a number of stores colluding to recognize the same person across all stores?

        (I have no idea, I don't know too much about this)

        • charcircuit2 hours ago
          Which is famously done by casinos. But in practice many businesses big and small do share intelligence with each other about problematic customers who shoplift etc.
      • altcognito2 hours ago
        Because you don't have a right to know everything about me, follow me to my home, my purchasing preferences, and so on and so forth.
      • lorecore2 hours ago
        > Why should it be illegal for me to recognize the way you walk into my store, even though you're wearing a mask and a trenchcoat?

        If you have that right, the public should have the right to know you're doing this before they enter your store, so they can avoid it.

        Same with the websites, they should, legally, have to say they're about to fingerprint you so that you can close your browser tab and never come back.

    • codedokode2 hours ago
      Why don't you ask browser developers to stop adding features helping fingerprinting? Browsers even have some API for tracking ad clicks (attribution API or something) and user interests tracking API which nobody of the users needs.
  • dmitrygr3 hours ago
    Interesting reporting, marred by obvious llm-slop-sounding writing. "You are not building..., you are ..."
    • netsharc2 hours ago
      Why "slop-sounding"? It's definitely LLM slop.

      Man, why the fuck don't they just make a powerpoint with bullet points if all the sentences are like that.

  • WarOnPrivacy2 hours ago
    [dead]
  • rafeuddaraj3 hours ago
    [flagged]