One thing I'm interested are the EFF demo sites which try to identify if you're "uniquely fingerprint-able." What I've seen a lot in the discourse is people attempting to increase the privacy of their browser (via add-ons, configurations, etc) only to see their browser become _more_ unique. They then conclude that you cannot get away from fingerprinting.
I think there are a few potential problems with this approach.
- A lot of browser-based mitigations (such as Firefox's "resist fingerprinting" settings) send dummy data to websites. So yes, you may have a unique fingerprint according to the EFF site. But, when you visit it later, you could in principle have a different unique fingerprint. I haven't seen much discourse which discusses whether this is a viable point of not. Yes, my Linux Firefox with a bunch of weird settings clearly stands out. But maybe I have a different fingerprint across visits?
- Additionally, this strategy seems to say "don't be unique, blend in with the crowd. Look like Windows 10 and Chrome." I think there must be some validity to this. But clearly, advertiser fingerprinting is _most_ interested in the vast middle of the bell curve, ie that huge mass of users with Windows 10-11 & Chrome & Edge. If looking just like everyone else were somehow an effective mitigation, then the advertisers' tracking technology would not actually be effective for the vast majority of cases; the ones they care about the most.
- I also wonder what the difference is between what security researches at EFF and other places can do in principle vs. what various websites are actually doing in practice. It's important to remember that advertising is now like a warrant; if an advertiser thinks you're a different person and serves you the wrong ad, no one will ever notice or care. They have no way to verify it, and whatever error exists won't ever show up in their promotional materials. Even if the fingerprinting technology is quite strong, I sincerely doubt the statistics we hear from advertisers (ie, "we can identify 90% of users") can be very accurate.
I don't mean to suggest that my points are strictly correct -- however I also don't think the usual discourse around the realities of advertising and tracking really gets to the bottom of things in a very accurate or useful way.
I think there are a few potential problems with this approach.
- A lot of browser-based mitigations (such as Firefox's "resist fingerprinting" settings) send dummy data to websites. So yes, you may have a unique fingerprint according to the EFF site. But, when you visit it later, you could in principle have a different unique fingerprint. I haven't seen much discourse which discusses whether this is a viable point of not. Yes, my Linux Firefox with a bunch of weird settings clearly stands out. But maybe I have a different fingerprint across visits?
- Additionally, this strategy seems to say "don't be unique, blend in with the crowd. Look like Windows 10 and Chrome." I think there must be some validity to this. But clearly, advertiser fingerprinting is _most_ interested in the vast middle of the bell curve, ie that huge mass of users with Windows 10-11 & Chrome & Edge. If looking just like everyone else were somehow an effective mitigation, then the advertisers' tracking technology would not actually be effective for the vast majority of cases; the ones they care about the most.
- I also wonder what the difference is between what security researches at EFF and other places can do in principle vs. what various websites are actually doing in practice. It's important to remember that advertising is now like a warrant; if an advertiser thinks you're a different person and serves you the wrong ad, no one will ever notice or care. They have no way to verify it, and whatever error exists won't ever show up in their promotional materials. Even if the fingerprinting technology is quite strong, I sincerely doubt the statistics we hear from advertisers (ie, "we can identify 90% of users") can be very accurate.
I don't mean to suggest that my points are strictly correct -- however I also don't think the usual discourse around the realities of advertising and tracking really gets to the bottom of things in a very accurate or useful way.