by fjni 41 days ago
Maybe it's because I'm idealistic in addition to being old, but I think a lot of this functionality was in fact added for explicit purposes.

A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.

The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.

(edit) but you're probably right that I'm expecting too much.


I don’t understand why that would be an implicit agreement, though? Why would I expect that the website would not try to figure out who I am?

They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.

> Why would I expect that the website would not try to figure out who I am?

For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".

“Kill me and steal my shit” is a lot different.

This is more like, I am not offended if my neighbor notices that I leave my house around the same time every day and come home around the same time. I don’t expect my neighbor to look away when I step outside. If I put something in my yard visible from their house, I won’t get offended if they look at it.

Killing and stealing are completely different things than “paying attention to what I do when I am doing things they can see.”

Are you offended if your neighbor publishes a register of what time everyone around him goes to work, and charges $50 for any burglar to get a copy?

What are the 'burglars' in this metaphor? Are you saying ad companies are burglars? Or hackers? Or who?

If we want to make the metaphor a little more faithful: the neighbor tracking what time everyone is home is selling it to door-to-door salesmen who use that information to harass you. Meanwhile, both the guy tracking it and the door-to-door salesmen are leaving copies of the information in the open. They aren't directly selling it to burglars[1], but they are making it extremely accessible to burglars, who then use that information to rob you. There is a data breach every other day, with companies and people routinely getting extorted and in some cases victims have killed themselves. This is a direct result of the unethical behaviour of hoovering up a permanent record of everyone's every last little action, far beyond what is necessary to provide any service.

[1] Although some data brokers do sell it directly to burglars too. All the burglar has to do is say "I'm a door-to-door salesman, will you sell me the information?". Your neighbor can't be bothered to do any kind of real verification of whether they're a salesman or a burglar.

A website is a good dog. But its owners don’t have to be good, as they can re-sell data about you to someone else.

Some sites can have more than 1,000 partners - you can explore their intentions in the cookie consent window.

> Why would I expect that the website would not try to figure out who I am?

Because doing so is creepy.

What makes it creepy?

Sure, but I think some of the stuff it sends isn't necessary. A website doesn't need to know the list of fonts on my machine, for example.

Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to pop up an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.

I'm not sure what the solution is here.

> A website doesn't need to know the list of fonts on my machine

Unless you disallow websites from choosing their fonts, that information is really hard to hide. Most likely impossible.

What you can do is standardize the list.

> most websites do not need to know my time zone

Almost anything with a form needs this.

Every piece of information on that page is necessary for something common and desirable. It's not using any advanced fingerprinting that can be blocked.