[mike_d]

> Or is this one of those privacy battles we just have to accept as unwinnable?

It depends on what you want to win. There are two types of fingerprinting:

- Browser fingerprinting (what you see here): Make sure that your Chrome on Windows behaves like every other Chrome on Windows and it isn't really a bot pretending to be Chrome. This results in you being treated like a real user and getting less CAPTCHAs.

- User specific fingerprinting: Determining that your browser is unique among all the browsers the website has seen so that you can be tracked without cookies.

The latter is obviously bad. Some people would argue the prior is bad, but it is a LOT of work to make every browser behave like every other browser across operating systems for little privacy benefit.

[TechDebtDevin]

Is it bad if I use fingerprinting to track anonymous users so that I can provide them with a great UX without requiring them to give me all their personal details? Or should I only use cookies, that the user might delete? I don't see an issue with either for this purpose.

[swatcoder]

Imagine you sat one of you users down, and explained the details of how your fingerpriting system worked.

You explain that their browser has all kinds of little, subtle leaks of information about what software they're using, what operating system they're using, whether it's up to date, what hardware they're running, whether they're in a public space or an office or a home, which city they're in, what ISP they use, how they've configured their monitor and screen, what settings they set in their browser, what language they use at home, etc etc

You explain that you can collect all this information without them knowing you were doing it, without them really being able to stop you if they wanted to, and that you can collate it into an identifier that lets you know every time they visit your site even if they don't tell you themselves in some way, and with no way to ask you to stop.

And you explain that you do this for them, to make their experience of your site better for them, and harder for them to accidentally break.

How do you think they'd respond?

To be clear, I'm not asking this as some rhetorical trick. There absolutely are users who wouldn't care in the least, and who might even see you as really clever for doing it.

But that's how you can know if it's bad or not. If you think your users would be creeped out or otherwise troubled by it, or might feel like you've invaded their privacy or their right to control their own experience in their own browser, then you already know it's bad. If you think they wouldn't mind, then -- and only then -- maybe it's not.

[pests]

Your example sounds like what people do in person all the time.

My local barber knows me when I walk in. He knows what I look like, what I wear, what I usually order.

He uses this to make my experience better. He saves me from having to tell him what I want, he knows what seat I like to sit in, and so on.

I don't have to tell him I'm coming in. He can figure it out by looking at me walking in the door.

[DeathArrow]

You can even tell who you speak with by recognizing the caller's voice, without seeing him.

You can recognize a writer by his style.

What GP is trying to say it's ok for people to use pattern matching but it's immoral if they use machines to do pattern matching.

[pests]

But why?

[tightbookkeeper]

> by looking at me

Your presented person is very different from an amalgamation of clues which are not meant to disclose public information and are not you.

But this is easy to solve. Instead of rationalizing call up a customer and try it.

[TechDebtDevin]

I think that's a solid model to use, however, I would argue that its safe to assume that: ** There absolutely are users who wouldn't care in the least, and who might even see you as really clever for doing it.** Makes up >= 95% of recurrent anonymous users by default.

[DeathArrow]

How is this different from using cookies?

[olliej]

You should be using a cookie for this purpose, you could in fact just store the ui settings directly in the cookie.

It becomes tracking once you say “I have an ID in a cookie, and I’m going to look up the settings for that ID in my own giant DB”.

What you’re suggesting - using fingerprinting - is the worst. It’s not reliable nor robust, it implicitly requires tracking (you have to record the fingerprint<=>setting db and look it up), and user cannot opt out of it nor trivially change state at will, etc.

There is fundamentally no legitimate reason to ever use fingerprinting over the actual explicit mechanisms for persistent storage.

[DeathArrow]

Facebook, Apple and Google use people faces to track them. Governments use public cameras to track people. Google and Facebook also use other kind of tracking people.

But somehow it's immoral for average Joe to track not people but browsers.

[olliej]

Um, as far as I know apple does not use faces to track people.

I'm not sure about google, but my experience with the folk working their make me suspect that even they would not start correlating faces across accounts/users (though I suspect they aren't as careful as apple to avoid that information being visible to them).

But more to the point you're saying "if entity X tracks people it's immoral for anyone else to not track people" rather than "it's immoral for entity X to track people", which is some kind of gross mental gymnastics, and applies to pretty much anything: "if person X gets away with assault, then I should also get away with assault", etc

[HeatrayEnjoyer]

Well for one you need explicit and freely given consent.

[DeathArrow]

>- User specific fingerprinting: Determining that your browser is unique among all the browsers the website has seen so that you can be tracked without cookies.

I worked briefly for an ad company that not only did their own fingerprinting but bought a lot of fingerprinting data, along some other type of info: country, age cathegory, sex, income cathegory.

[bostik]

Funny anecdote: back in 2004-2006 when I held the Infosec 101 course at the university, I raised an obvious point in the privacy section. If an individual harvests data on other people and then uses that to track their movements, actions and behaviours - we'd call it stalking. When a company does that, we call it data mining.

The lecture used to shock the students from the economics department.