
Discussion (271 Comments)
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
https://github.com/fingerprintjs/fingerprintjs
Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can't. Integrations aren't exactly hard to make, quality is hard yes, but making half assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on that requires their explicit malware in order to use, what is unique about their fingerprinting versus what fingerprintjs provides?
I'm using Apple's Private Relay VPN so it was hundreds of miles off. It's always interesting to see where websites or services think I'm located using their geolocation databases, but if I turn it off they can pinpoint me within a couple of miles. Thankfully almost nobody has ever blocked Apple's VPN, so I never have to turn it off.
> Since you can detect light mode, would it kill you to honor it?
Seriously, I'm in my mid-30s but some of these dark mode sites make me feel mid-80s. I can't see shit on this site.
> Since you can detect light mode, would it kill you to honor it?
It would probably still be low contrast garbage even if it did. :/
My guess is this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner can't make the changes without a sloperator.
Same, it claims Brussels, but I'm in Antwerp. It also got my screen resolution wrong.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, it's just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy it's probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
Are you like /severed/ or something? Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
* Your socks don't match anything in the room.
* The man you thought you killed in Tuscaloosa woke up and walked home an hour later and is now a chiropractor in Shreveport.
* Your daughter is pregnant by the kid who trims the hedges.
* Your dog is dreaming about the squirrel in the wood pile.
How does it know?
But I am the only person in this timezone in the world. It uniquely identified me!
My browser fingerprint was unique among the visitors in the past 45 days.
[0] https://coveryourtracks.eff.org/
Gotta love Firefox with ublock origin in advanced mode, even without JavaScript disabled so the site worked.
Did you enable firefox resist fingerprinting? Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
So if you use this information you still need to disclose it and process data in accordance with the law.
It is definitely not legal in Europe, when used to track individual users. The consent pop-ups are not only about cookies.
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in any way it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and I can choose to display the response in whatever way I want to). I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISPs upstream provider?
no data was cast to internet, it was all code executed with local user permissions to access the devices devices and logfiles displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation, it's not a joke, it's handgun serious.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that i'm expecting too much.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to popup an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
I'm not sure what the solution is here.
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
Some sites can have more than 1,000 partners - you can explore their intentions in cookies consent window.
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
Because doing so is creepy.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
It starts slow but it got interesting.
Still interesting, even if not surprising.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherent to the server-client nature of the web mean that abuse is more likely to flow in one direction than the other.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
So am I, come to think of it.
My disappointment is not with websites. It is with browsers. They have continuously prioritized dark pattern support. They have consistently removed user control.
I mean it's not the websites that default to recording every keystroke, default to tracker persistence, default to phoning home with daily telemetry, etc.
When I first started using HN, I ran four very different browser engines. Now there's no real choice.
The server knows my window's resolution? Well I think that's very useful information for the application to have for layouting.
You know what other application is recording my keystrokes right now? HackerNews. "recording keystrokes" is also known as "typing in a text box"
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
I've seen this exact UI style a dozen times now and it's always accompanied with tell-tale overly verbose, overly dramatic text.
Fugly.
https://coveryourtracks.eff.org/
https://amiunique.org/
Gave me a scare, thought I'm still somehow running an x86 build of Firefox.
https://www.ipleak.com/full-report/
Anyway, if you really want to know what your browser is sending:
https://browserleaks.com/
https://coveryourtracks.eff.org/
> San Pablo, California, United States
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my TED talk
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.
If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification).
The geolocation API requires prompting the user for permission before it can be used: https://developer.mozilla.org/en-US/docs/Web/API/Geolocation...
Also, though, of COURSE your address arrived first... how else are they going to send back the data you are requesting?
Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.
That checks out. I think what I have is similar to a graphics card but isn't quite.
The fact that it begins with my IP address reminds me of those dubious VPN ads.
City is wrong, I may speak English but it's not my native language.
As other people said, there are much better pages showing you your browser fingerprint.
It doesn't matter whether you actually speak English natively or not, nobody cares about the actual values. Web sites don't actually care whether you have a robust font package in some way to discern whether you are a font hipster or something, they are just collecting signals.
What matters is that your physical machine and web browser combo report these values about the same way every single time they are probed, and that is used to reliably track YOU, uniquely, with great accuracy, with EVERYTHING you do on the internet, every site you visit, every mouse movement, every purchase linked back to you.
Everything.
The actual values don't have to match "reality" in any way. It's just about generating bits of signal about your setup.
So don't you think presenting the info as it's a great uncovered secret and then getting it wrong will lead the layman to disbelieving everything?
Of course, the other extreme is the EFF site that says "Currently, we estimate that your browser has a fingerprint that conveys at least 18.33 bits of identifying information.".
There must be some middle ground to present this info.
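The two points made above, that the reported values only have to be stable and distinctive rather than true, and that the EFF page expresses the result as bits of identifying information, can be worked through on a small population. This is an added example, not code from the thread or from any of the sites mentioned; the visitor records and attribute names are constructed for illustration.

```javascript
// Added example: bits of identifying information carried by browser signals.
// VISITORS is constructed sample data; nothing here has to be *true* about
// the visitor, it only has to be reported the same way on every visit.
const VISITORS = [
  { timezone: "America/Los_Angeles", language: "en-US", screen: "390x844",   gpu: "Apple GPU" },
  { timezone: "America/Los_Angeles", language: "en-US", screen: "390x844",   gpu: "Apple GPU" },
  { timezone: "America/Los_Angeles", language: "en-US", screen: "1920x1080", gpu: "Mozilla, or similar" },
  { timezone: "Europe/Brussels",     language: "en-US", screen: "1920x1080", gpu: "Mozilla, or similar" },
  { timezone: "Europe/Brussels",     language: "nl-BE", screen: "1920x1080", gpu: "Apple GPU" },
  { timezone: "America/Los_Angeles", language: "en-US", screen: "1920x1080", gpu: "Apple GPU" },
  { timezone: "Europe/Brussels",     language: "nl-BE", screen: "390x844",   gpu: "Apple GPU" },
  { timezone: "America/Los_Angeles", language: "en-US", screen: "390x844",   gpu: "Apple GPU" },
];
const ATTRS = ["timezone", "language", "screen", "gpu"];

// Join the chosen attributes into one comparable key.
function fingerprintKey(visitor, attrs) {
  return attrs.map((a) => String(visitor[a])).join("|");
}

// Surprisal in bits: log2(population / number of visitors sharing the key).
function surprisalBits(visitors, target, attrs) {
  const key = fingerprintKey(target, attrs);
  const matches = visitors.filter((v) => fingerprintKey(v, attrs) === key).length;
  if (matches === 0) throw new Error("target is not part of the population");
  return Math.log2(visitors.length / matches);
}

// N bits of surprisal means "one browser in 2^N looks like this one".
function oneIn(bits) {
  return Math.pow(2, bits);
}

// Shannon entropy of a single attribute: how much it splits the population
// on average, regardless of which visitor is being looked at.
function attributeEntropy(visitors, attr) {
  const counts = new Map();
  for (const v of visitors) counts.set(v[attr], (counts.get(v[attr]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / visitors.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Attributes ordered from most to least distinguishing.
function rankAttributes(visitors, attrs) {
  return attrs
    .map((attr) => ({ attr, bits: attributeEntropy(visitors, attr) }))
    .sort((a, b) => b.bits - a.bits);
}

// Each signal alone is shared with other visitors; together they are unique.
const target = VISITORS[3];
for (const a of ATTRS) {
  console.log(a.padEnd(9), surprisalBits(VISITORS, target, [a]).toFixed(2), "bits");
}
console.log("combined ", surprisalBits(VISITORS, target, ATTRS).toFixed(2), "bits");
console.log("18.33 bits = one browser in", Math.round(oneIn(18.33)));
```

No single attribute of the fourth visitor is rare, yet the combination matches nobody else in the sample, which is why a wrong city or a masked GPU string does not reduce the identifying power as long as it is reported consistently.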
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
That was actually my only surprise, everything else I was expecting.
edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.
It seems odd that any site would require a user come from somewhere.
First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
Firefox on Android with ublock
guess mine isn't such a specific model as yours. so I don't have a real GPU, i have something similar to a GPU??? did I get a knock off Alibaba version?
The thing that bothered me is that browsers are still sending the Referer info. I thought that was not supposed to work under https?
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although it's annoying when I connected to a VPN to Steam it’ll often show my prices in Canadian dollars instead of USD.
Well, at least something positive from the shit I take for not sheepling my way through life using Chrome
Thanks op for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Let's hope you're here to stay and fight for our privacy alongside us.
It’s been a long time since my 2016 iPhone has been called recent or high-end but I’ll take the compliment, thank you.
https://addons.mozilla.org/en-US/firefox/addon/site-color-ch...
Also we should disable referrer field.
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, ublock origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla(Mullvad) VPN for uncontrolled WiFi access points for my unrootable android device and mostly signal for comms.
I'm getting too old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
Of course the browser knows my IP and language. Nothing on this page is really surprising
does the same or better, without AI regurgitation and a WordPress theme.
>The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...
Span this across all of your movements and activities across multiple aggregators and it's a trail of movement through a fog of data that is fuzzy, but enough to identify you, or a small cohort of similar users.
https://news.ycombinator.com/threads?id=mwheelz
Mods, is there something we should know? Is there maybe a reason to stay away from the linked website?
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
This phenomenon is much older than "browser fingerprinting"
https://web.archive.org/web/20260508131253if_/https://sincey...
> You left for 6.3 seconds. We noticed.
This is surely only partially true.
Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
Terrible company-at least you know you are testing what is being used.
Reality is that most do not care about privacy (look at the number of Google users, even developers themselves who are completely aware of it and continue to "embrace" the mass tracking). There is also the mass brainwashing which is an issue where people that use VPNs think that they are anonymous and this is terrifying to think (thank you NordVPN nonsense, which also use Google Analytics which then correlate entire traffic later on, what a joke).
Oh wait, no, I'm an e-addict. Drat! Curse this monkey!
Where are you was sent to another location due to the VPN, this was all it really impacted. When you arrived was wrong because of the Mullvad browser, even without the VPN enabled it reports that I'm in Reykjavik, which I'm not. What you brought with you, it got the resolution wrong, as the browser locks itself to various resolutions to prevent this kind of fingerprinting. GPU and Battery both say "kept back", I assume this means it couldn't get anything, because when I run in Safari it says Apple GPU.
Harder problem is getting the economic system that relies on this information swapped out. Have fun when 99% of web doesn't 'work'.
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
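Items 1, 2 and 4 in the list above are all cases where the browser hands back a placeholder instead of a real measurement, and the reader of the value has to recognise it. The sketch below is an added example, not the site's code: the function names and the shape of the raw inputs are assumptions, the "or similar" suffix is taken from item 1, and the battery tuple checked for is the set of default values the Battery Status API specifies when no battery information is available.

```javascript
// Added example (hypothetical helper names, constructed inputs): decide
// whether a raw browser value is a real reading or a privacy placeholder.

// Item 1: a renderer string ending in ", or similar" is a masked value.
// Report the family and flag it instead of parsing the suffix as data.
function interpretGpu(renderer) {
  if (typeof renderer !== "string" || renderer.trim() === "") {
    return { status: "withheld" };
  }
  const text = renderer.trim();
  const masked = /^(.+?),\s*or similar$/i.exec(text);
  if (masked) return { status: "masked", family: masked[1] };
  return { status: "reported", renderer: text };
}

// Item 2: charging=true, level=1, chargingTime=0, dischargingTime=Infinity
// are the API defaults when nothing is known. A plugged-in laptop at exactly
// 100% reports the same tuple, so the two cannot be told apart and both are
// treated as "withheld". A NaN or out-of-range level is withheld as well.
function interpretBattery(b) {
  if (!b || !Number.isFinite(b.level) || b.level < 0 || b.level > 1) {
    return { status: "withheld" };
  }
  const defaults =
    b.charging === true && b.level === 1 &&
    b.chargingTime === 0 && b.dischargingTime === Infinity;
  if (defaults) return { status: "withheld" };
  return { status: "reported", percent: Math.round(b.level * 100), charging: b.charging };
}

// Item 4: screen size identical to the viewport suggests the browser is
// returning the viewport in place of the real screen. Heuristic only: a
// window in full-screen mode produces the same match.
function interpretScreen(screen, viewport) {
  const same = screen.width === viewport.width && screen.height === viewport.height;
  return {
    status: same ? "viewport-substituted" : "reported",
    size: `${screen.width}x${screen.height}`,
  };
}

// Constructed sample: a hardened Firefox-like profile on a desktop machine.
const sample = {
  gpu: "Mozilla, or similar",
  battery: { charging: true, level: 1, chargingTime: 0, dischargingTime: Infinity },
  screen: { width: 1400, height: 900 },
  viewport: { width: 1400, height: 900 },
};
console.log(interpretGpu(sample.gpu));
console.log(interpretBattery(sample.battery));
console.log(interpretScreen(sample.screen, sample.viewport));
```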
- Reverse IP/geocode (while being cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
The server tells your browser to display a line of text in a specific font. If that font is available, your browser does so, and if not, it displays the text in your default font, or a backup font if the developer specified one. There's no need for the server to know if it's there or not.
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queryable with JS.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
The site does seem to be implying that disclosure and consent are the issues:
> We did not ask for your location.
> Nothing about this was requested. The information arrived on its own.
> Your device volunteered all of this in the first milliseconds of the connection. It will do this again on the next page you visit, and the one after that.
> No permission is required.
It's framing this as if browsers are maliciously volunteering information that ought to be protected, and that sites are maliciously hiding the information available to them.
It does seem to be clearly suggesting that even basic pieces of information ought to be available only upon request and that this must be disclosed to users.
You say this is "not a proposal to gate every header", but it's sure looking like something close to that to me.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
I get the point, but I think the EFF Panopticon page is a better representation of browser fingerprinting and how it works, because most of the things shared are really basic elements of data that aren't personally identifiable. You can absolutely fingerprint Firefox with a default config, so obviously this was vibe-coded and just doesn't do much. Cool, you did a GeoIP lookup, read the user-agent, the referrer header, and the accessibility data, exactly zero of that should be surprising to anyone that knows how you access a website.
Not quite, I'm on a 2016 iPhone SE
Uhm... how did I get to the bottom if I scrolled 0%?
My general location is also wrong.
This site's theme is barely visible.
And the entire idea for the site is at least a couple decades old.
Unoriginal slop.
I use Windows color filters (Grayscale inverted is my preferred, in the past I used plain inverted) for poor man's dark mode (or light mode in this case) for stuff that doesn't honor my color scheme and hurts my eyes. It also has a hotkey, so it is really handy sometimes, but you need to enable it in the settings.
Assistive technologies are great, not only because they benefit those who have no choice but to rely on them, but also they can benefit the luckier people.
> The prose
> Hand-written · Template-based, not generative
> Every sentence on this page was written by Matt. The code selects among prose templates based on what your browser returned. No language model writes or rewrites anything at runtime. If a condition is not covered by hand-written prose, the page stays quiet about it — we'd rather say less than say something false.
It looks like this is an ad by the way, check op's posting history
Are we supposed to care?
This is out of control, and y'all just comment these threads as if they're made by humans.
Oh wait
people's obsession with 100% privacy while operating in a public space is immature. if you're that risk averse don't connect to the internet.