[______-]

> End the arms race on fingerprinting

Google is known to fingerprint you on their sites[0] and this practice will continue unless some sort of political action is taken to make fingerprinting illegal. WebGL is not the only heuristic used to reliably determine it's a specific device accessing a site, but a whole slew of techniques can be used to reliably determine it is 'you' who is on a site (you can even detect if a browser is running in a virtual machine, among many other techniques to fingerprint).

To mitigate this, I do most of my browsing with JS disabled by default, and if I really need JS turned on (for a site I trust like my bank), then I temporarily turn it on for that specific site. Also you can just disable WebGL in Firefox in about:config but keep in mind, there are many other techniques Google and `ADTech` in general can use to fingerprint you.

[0] https://jonatron.github.io/webgl-fingerprinting/

[danShumway]

This is a complete sidenote, but I don't understand why Firefox's Canvas controls don't affect WebGL.

Firefox has per-site settings for whether the canvas should be accessible which are very useful, but they don't have per-site settings for WebGL, it's either on or off for the entire profile. Which kind of defeats the point of Canvas blocking since (at least last time I checked) WebGL fingerprinting is possible regardless of whether Canvas can be read from.

I'm sure there's some technical reason, but it really seems like turning Canvas reads off for a site should also turn off WebGL.

[cpeterso]

Here is a Firefox bug report suggesting a per-site permission for WebGL: https://bugzilla.mozilla.org/show_bug.cgi?id=1694456

There's been no Mozilla comments on the bug yet. Perhaps so many sites use WebGL that the user would be pestered with too many permission prompts?

[approxim8ion]

Google turn every result on their search result page into a tracking URL if you have JS disabled. The solution is to allow JavaScript and install the Google Search Link Fix add-on, until they break that too I guess. Or use another search engine.

[soared]

Fingerprinting on your own sites is pointless since only third party cookies are being removed. First party cookies still work like normal.

[tpxl]

It gives you the ground truth with which you then correlate fingerprints from non-first-party domains.

[tedivm]

The whole point of it is to correlate it to other data using the same fingerprinting method. Google is often a first party and a third party, so they need a way to line all that data up.

[SiebenHeaven]

Won't turning js off make you one of the few people in the world that do this and hence easier to fingerprint?

[1vuio0pswjnm7]

I have seen this type of reasoning before in HN comments but from a user's perspective it does not make sense. Imagine every user is sending a maximum amount of information, which we can see keeps increasing over time, via HTTP headers (including cookies), browser capabilities, hardware capabilities, etc. This "run with the herd" reasoning seems to suggest the best way to avoid fingerprinting is to send the maximum amount of information, "like everyone else". That only results in ever more information being sent to the online advertising industry. The probability they can distinguish one user fingerprint from another goes up as the amount of information sent increases. The objective of the online advertising services company is to gather as much information as possible from users.

The objective for the user should be to send as little information as possible. If a fingerprint shows the user is not running JS and is providing only a very minimal, generic set of information, how much value is there is trying to serve ads to that user. Users who want better privacy should be trying to reduce the amount of information they send. Maybe the first movers in that effort are "fingerprinted" as being privacy-conscious, tech-savvy, etc. That is probably going to result in less ads served to them, not more. Eventually, when most users, "the herd", is sending the minimal amount of information, the fingerprints all look similar.

Think it through. Advertisers do not care about users who will not indiscriminantly run JS. They go for the low-hanging fruit.

[hakfoo]

I'd posit that the biggest risk for advertisers is "plausible bullshit". Their ability to say "look at our huge tracking profiles" is dependent on both quantity and quality of data. If ad networks can't accurately sanitize their data, advertisers are going to balk at spending $6 per click for misprofiled audiences, when they can spray-and-pray "good enough" contextual ads for 30 cents a click.

Give me a VPN that regularly geolocates me at a Starbucks 30km out of town. Give me plugins that stuff my search history with a fixation on the Cincinnati Bengals and replacement parts for a 2013 Hyundai Accent. Yeah, they might see my actual traffic patterns, but the goal is to make it expensive and hard to filter the real use from the elaborate story.

[______-]

You're just added to a (very large pool) of people who browse with JS turned off. Turning JS off as a default is a common thing.

[leesalminen]

Amongst the top 1% of tech savvy users, maybe. In all my years of supporting 100,000s of “regular” users I’ve never encountered anyone with JS disabled.

[jffry]

Even the fact that WebGL is disabled contributes some entropy that can be used to identify you.

[______-]

You can't detect if WebGL's turned on/off if JS is turned off. You need JS turned on to detect WebGL's presence

[lima]

> Google is known to fingerprint you on their sites[0]

To my understanding, Google (and many other sites) use WebGL and other fingerprinting techniques to distinguish real users from bots.

This does not mean they use it to track individual users (if that were even legal in Europe under GDPR).

[Nextgrid]

Google's tracking consent flow is already in breach of the GDPR, so it's not a problem for them.

[hkai]

Why do you want to disable it? Isn't it nice to see ads that are interesting and useful to you rather than looking at some useless ads you're not interested in?

[Spivak]

The issue is buried in the premise of the question.

“If you’re going to see an ad regardless, would you rather it be relevant to you or not?”

The answer is and always has been “I don’t want to see an ad in the first place, I don’t want you collecting any information about me under any circumstances, and anything that makes ads spots worth less is a positive.”

You know the cheeky “you won’t see fewer ads, they’ll just be leas relevant” line? The only long term solution to actually see fewer ads is to drive their value down to nothing.

The fact that you can pay to remove ads on a lot of services kinda gives the game away that they’re a net negative. Why would you ever want them gone if they’re so useful and helpful?

AdTech is such a garbage industry — drunk on their own delusions of facilitating commerce and helping businesses reach customers while being so annoying and vile that the only way their products to function is to insert themselves into every facet of life because nobody would ever seek them out on their own. Bleh.

[doomslice]

There's two sides to the equation though (I work on Supply Side ad tech).

There's a huge amount of content that people are just not willing to pay for, but would gladly view ads. You may be willing to pay for Youtube Premium and Twitch Plus or whatever, but the vast majority of people do not.

Do I feel like I'm a horrible person because I help make websites more money so they can stay in business? Heck no. It's the only reason 90% of these sites are able to exist in the first place.

[zentiggr]

So what happens when the tracking / fingerprinting / data mining that your industry keeps doubling down on, provides enough data for

-- your next health insurance change to triple your premiums because of that previous bill you had such a hard time paying down

-- your mortgage / refi / loan application to be denied for factors completely separate from your actual credit report, but have made it into a reputation system

-- you get quietly, passively bypassed for that job application from the reputation hit from that one really poorly thought through social media post last century.

Data mining and data stores that affect people's lives and opportunities, that aren't just obfuscated, but actively secret are a blight.

[Spivak]

I feel like gladly is overstating it a bit but I take your point. Users will put up with ads with a lot less resistance than a paywall. But that logic still doesn't really follow unless you think that businesses making money by literally any means they can get away with is an end unto itself.

If you have a service like YouTube that provides so much value and is such an economic multuplier that we can't possibly imagine society existing without it then why don't we just pay for it? The fact that we have no system to fund public goods that aren't ads and taxes is a huge failing. You're basically just describing a tax system that is paid in consumerism which sucks because it's inherently regressive.

If you have a product which is genuinely useful to hundreds of millions of people but that the value only materializes when it's available for 'free' to everyone then we should have ways of getting you funded that isn't attention or convincing individuals to pay you a subscription fee.

You're hitting on an important economic function that ads are currently doing but then twisting it around and saying that there's possibility for anything but ads to perform that function.

[fauigerzigerk]

>You're basically just describing a tax system that is paid in consumerism which sucks because it's inherently regressive.

Why is it regressive? High earners pay more for ad-funded sites than low earners. That's not regressive. It's not progressive either, strictly speaking, but it's better than subscription fees which are regressive because everyone pays the same absolute price regardless of their disposable income.

[danShumway]

> High earners pay more for ad-funded sites than low earners.

I'm not certain this is true. And targeted advertising certainly makes it less true, not more. Advertisers are not excluding low-income users from advertising, instead they're targeting more products at them that those users are more likely to buy.

Untargeted ads for higher-cost luxury products might make the Internet cheaper for low-income users, but that's not what is happening in the ad industry right now. Ads exist to get you to spend money, and they are just as targeted at poor people as they are at rich people.

I wouldn't be that surprised if the effect is the opposite, since poor people have less access to research resources, comparison shops, and trials that would allow them to combat the psychological effects of advertising. They're also generally under a lot more stress and time-pressure when they shop than rich people are, which is likely to make them even more vulnerable to manipulation during a difficult purchase decision.

[fauigerzigerk]

>The only long term solution to actually see fewer ads is to drive their value down to nothing

You can only hope that whatever marketers would do instead to promote their stuff is less annoying or damaging. I have my doubts.

[hkai]

Interesting point of view. Have you ever sold a product? I assume not, otherwise I can't imagine how you would conclude that ads don't contribute to sales and don't bring value to customers.

[MomoXenosaga]

"Why would you ever want them gone if they’re so useful and helpful?"

Good point. Netflix replaced cable for a reason. People can stomach ads up to a point but I don't think anyone likes them.

[1vuio0pswjnm7]

Well said.

[chaosite]

Seeing ads isn't nice.

[danShumway]

No, I don't want that, for multiple reasons:

- I don't trust ad networks to give me more relevant ads, the data they currently have has not made my advertising experience better, so I don't see why giving them more data is going to fix the problem. I don't see strong evidence that advertisers know how to make useful ads regardless of how much data they have.

- I don't trust ad networks to target responsibly for my benefit. Ad networks are trying to manipulate me into buying products, they are trying to affect how I view the world. That's a hostile relationship, they don't have my best interest in mind, so "more effective" is not necessarily going to translate to my benefit. Ad networks are not trying to make ads more useful to me, they are trying to get me to buy stuff.

- I don't trust ad networks to only use tracking to improve relevance. I take it as a given that their tracking will be used for underhanded price changes, changes to UX to make it harder for me to complete certain actions, deal availability, geolocking, changing results when I comparison shop, and other anti-user practices.

- I want to have control over what data goes into my advertising profiles. Tracking me everywhere forces me to treat my advertising profile like I would treat a cat -- I don't want to do reinforcement training on my ads. With tracking, if I want to be advertised a certain product, I have to reinforce to the network that I care about it. If someone sends me a link, I have to think before clicking on it because I don't know what that will signal to advertisers. This is a really awful way to interact with computers in general, and it discourages people from freely browsing the web.

- Ad tracking creates an additional security risk for my data. I might get advertised an embarrassing product at the wrong time in front of the wrong person, that information might get leaked to other 3rd-parties that are somehow even less scrupulous than advertisers. There are multiple instances of ad networks effectively doxing people, outing their secrets. It's not safe to trust ad networks with that data.

- Even if none of the above was true, I don't take it as a given that even at a purely conceptual level targeted advertising is better than untargeted advertising. I disagree with the philosophical premise behind that kind of marketing, I think that marketing should be user controlled and based on signals that users consciously give about what they want to see. I think in most cases that users should start the search for a new product themselves and decide what they want advertised to them. Even if the advertising industry was ethical (which to be clear, it's not), I still don't want targeted ads.

- And even if I did want targeted ads, heck anyone who is tracking me for advertising purposes without my permission. If your product is so heckin great, then it shouldn't be a problem for you to get me to opt into tracking. The lack of affirmative consent is a problem, regardless of the outcome. You have to get people's permission before you do this stuff -- even if I'm happy with the result, that doesn't excuse you from asking my permission. And no, collecting the data anyway but just showing less relevant ads on the front end doesn't count. I don't want the tracking code on my computer at all unless I've invited it to be there.

---

Now, completely separately from everything above, I also don't want to see ads at all and I think everyone should block them and burn the entire industry to the ground regardless of the consequences. BUT that is not the primary reason why I'm against fingerprinting and user tracking. Even if I loved ads, I still wouldn't be OK with the kind of tracking that tech companies are doing, and I still wouldn't want them to fingerprint me.

[hermitdev]

I like to think of it this way: ads do not exist to serve value to me. Ads exist to extract value from me. They are an increasingly obtrusive and insecure means to convince me to spend money. They are, essentially, psychological warfare on my wallet.

And no, I am not being sarcastic, nor do I think I'm being overly hyperbolic in this.