Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can. Integrations aren't exactly hard to make; quality is hard, yes, but making half-assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on, which require their explicit malware in order to use; what is unique about their fingerprinting versus what fingerprintjs provides?
The 100% charging readout is the desktop-with-no-battery phantom. I pushed a stricter filter for that earlier, you may be on a cached copy (try a hard refresh). On the light-mode call: the page detects your preference but doesn't honor it, intentionally. The irony being that the demo ignores the same signal it points out. I take the cost of the annoyance.
> It would probably still be low contrast garbage even if it did. :/
My guess is this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner can't make the changes without a sloperator.
yeah it told me I'm "in Los Angeles" but that's just the time zone I'm in. It also "thinks" that because I have two different languages as inputs that it has scored some kind of "gotcha", but I just happen to also frequently use a second language.
"English · Chinese
Your browser’s primary language is English. It also carries Chinese. This tells us not just what language you speak, but often where you were raised, where you have lived, or who you live with. This is transmitted in the header of every HTTP request. It has been doing this for as long as you have used this browser."
No, the fact that I have English and Chinese as input languages does not tell it "where I was raised, where I have lived, or who I have lived with." Might as well say "the fact that you're using a phone to look at the Internet reveals that you are someone who can access a phone to look at the Internet!". Yes, technologies interact with other technologies. That's how "technologies" work. Is it Orwellian? Yes. But is it more Orwellian than the surveillance states of Russia/China/North Korea, etc.? We also can now find our phones/cars/devices that can share location, locate criminals by way of their online activity, record incidents that "need" to be recorded (like when ppl are committing crimes or when police officers need to be held accountable for their behavior). Catastrophizing about the "overreach" of tech is a cognitive choice. That all being said, it is good to be aware of what info our technologies "know" about us.
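The "English · Chinese" readout quoted above is derived from the Accept-Language request header. The following is an added example, not code from the page or the site it discusses, showing how a server turns that header into an ordered list of languages: it honours RFC 7231 quality values (default q=1, q=0 meaning "not acceptable"), keeps header order as the tiebreak, and collapses region subtags such as en-US and zh-CN to their primary language. The language-name table and the sample header are constructed for the demo.

```javascript
// Added example (not code from the page or the site it discusses): parse an
// Accept-Language header into the ordered list of languages a visitor "carries",
// the way a server would before rendering a readout such as "English · Chinese".
// LANGUAGE_NAMES is a small constructed lookup table, not a full registry.
const LANGUAGE_NAMES = {
  en: "English", zh: "Chinese", de: "German", fr: "French", es: "Spanish", ja: "Japanese",
};

// Split the header into {tag, q, index} entries, honouring RFC 7231 quality
// values (default q=1, q=0 means "not acceptable") and keeping header order as
// the tiebreak so equal-q entries stay in the order the browser sent them.
function parseAcceptLanguage(header) {
  if (typeof header !== "string" || header.trim() === "") return [];
  return header
    .split(",")
    .map((part, index) => {
      const [tag, ...params] = part.split(";").map((s) => s.trim());
      let q = 1;
      for (const p of params) {
        const m = /^q=(\d(?:\.\d{0,3})?)$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: tag.toLowerCase(), q, index };
    })
    .filter((e) => e.tag !== "" && e.q > 0)
    .sort((a, b) => b.q - a.q || a.index - b.index);
}

// Collapse region subtags (en-US, en-GB, zh-CN) to their primary language and
// drop duplicates and the wildcard, preserving preference order.
function primaryLanguages(header) {
  const seen = new Set();
  const out = [];
  for (const { tag } of parseAcceptLanguage(header)) {
    const primary = tag.split("-")[0];
    if (primary === "*" || seen.has(primary)) continue;
    seen.add(primary);
    out.push(LANGUAGE_NAMES[primary] || primary);
  }
  return out;
}

// Render the readout. The header only says which languages the browser is
// configured to accept; any inference beyond that is the page's own.
function describeLanguages(header) {
  const langs = primaryLanguages(header);
  return langs.length === 0 ? "No language preference was sent." : langs.join(" · ");
}

// Constructed sample header: English primary, Chinese secondary.
console.log(describeLanguages("en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7"));
```

Two details matter for a readout like this: an entry with q=0 must be dropped rather than listed, and equal-q entries must keep header order, since a browser's own ordering is itself part of the signal the thread is discussing.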
I'm using Apple's Private Relay VPN so it was hundreds of miles off. It's always interesting to see where websites or services think I'm located using their geolocation databases, but if I turn it off they can pinpoint me within a couple of miles. Thankfully almost nobody has ever blocked Apple's VPN, so I never have to turn it off.
> Since you can detect light mode, would it kill you to honor it?
Seriously, I'm in my mid-30s but some of these dark mode sites make me feel mid-80s. I can't see shit on this site.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, it's just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy, it's probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
> Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
This is fascinating, please do tell more about it! How does it affect your mental health? How do you deal with times day and night are flipped? How does it affect your social life?
That it should in some way affect my mental health has never once occurred to me. If anything, i assume that living on one's body's own natural schedule would be optimal in terms of related effects on mental health.
> How do you deal with times day and night are flipped?
When there's not something pressing me into a schedule, e.g. a job, i kind of "circle around" to a conventional schedule every few weeks. All things considered, i prefer the "swapped" times because it's quieter at night. e.g. less traffic driving by, fewer neighbors making various noises, and no DHL/UPS/DPD deliveries for the neighbors being dropped off here because the neighbors aren't home (whereas i am almost always at home and both the neighbors and the local delivery folks know it).
i'm a retiree so, with the exception of shopping and rare appointments, the night/day or weekday/weekend[^1] are not generally distinctions which affect me, and it's never bothered me in the slightest to not have a fixed schedule. On the contrary, a fixed schedule somewhat bums me out long-term, presumably because it does not match my biological clock.
> How does it affect your social life?
My social life is (by preference and choice) comprised solely of (A) my FOSS work, and there's no clock associated with any of that, and (B) my wife. Both my and my wife's biological families are all on another continent, so we've no family obligations which require physical presence. When i'm not FOSS'ing, we play a lot of board games.
[^1]: stores are closed on Sundays and all public holidays in Germany. More than once i've gone to the store, only to discover it's closed due to a holiday i've overlooked (like, most recently, May 1st).
I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
That's what helped L figure out Kira was in Japan, and likely a student given the times of deaths, in Death Note. Ruled out 7.8 billion people in one step.
The claim was that a site could "infer when you sleep, when you work, and when you browse because you cannot sleep." Is that not true? I know that the timing of my HN comments tells a pretty clear story about my schedule having recently looked at a histogram.
Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.
My browser fingerprint was unique among the visitors in the past 45 days.
uMatrix + NoScript personally (yes, seems silly, but I find NoScript's UI more convenient for script toggling, while liking uMatrix's fine grained controls)
Did you enable firefox resist fingerprinting?
Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
It hasn't received updates in a good long while, but seems to work fine, for me anyway. Has some rough edges, logging blocks when there's a bunch of redirects is a bit of a pain, making it hard to fix whitelisting in complicated things (like the dozen domains microsoft uses for auth) but apart from that...
(and ofc there's a bunch of forks adding bugfixes, some even relatively recent in activity, but unfortunately none have become the blessed official maintainer)
Did you specifically re-enable JavaScript? uBlock Origin on medium mode blocks all the tracking JavaScript and I'd think advanced would follow the same basic starting point.
Visiting without JS: "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make follow-up requests that the site tells me to make, and I can choose to display the response in whatever way I want to). I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDoS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
> You appear to be in Denver, United States. Your internet provider is Netskope Inc. We know this because your IP address — 163.xxx.xxx.32 — was the first thing your device sent us. We know the rest of it. We chose not to display it. Most pages would not have made that choice. We did not ask for your location. Your address arrived before you did.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISPs upstream provider?
there was a prank way back, that used simple html, css and javascript, to instruct the browser to display IP address, public, and local, popup a stream from the webcam, and place them among a crafted document intended to trigger i.e. troll people.
no data was cast to the internet, it was all code executed with local user permissions to access the device's devices and logfiles, displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation; it's not a joke, it's handgun serious.
> Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
I don’t think it is as simple as saying browsers are working for the web developer and advertisers.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
I guess what I'm advocating for is that it should not be all-or-nothing, and it should not default-on:
Most web sites have no business knowing my time zone. Why are browsers offering it up? That should be gated on the user's permission.
Most web sites should not be able to determine what my screen resolution is, or what my operating system is. Browsers should also hold that back and only disclose it with the user's permission.
Most web sites should not by default have access to all the shit JS gives them access to. Battery Status, Web Audio, WebGL, Sensors, WebRTC, Geolocation, media devices (camera and mic), clipboard, local storage... All of these have uses, but should be behind individual, easy to access per-website preferences, and by default the site shouldn't even be able to query for their existence (which is enough to fingerprint), let alone call them. I shouldn't have to blanket turn off JavaScript to kill these things.
All a website needs to know about me, my browser, or my computing environment is I want to "GET /".
There are browsers that offer that level of control, but most people don't want to use them because they are confusing and don't offer the things most people actually care about.
> Most web sites have no business knowing my time zone.
That would work if websites only displayed dates in UTC. Which is not what most people expect. Browsers need to know your timezone so timestamps can be displayed with the right setting for you.
Ideally, the user would decide whether to display UTC or local time, based on their system or browser's preference, the web site would just send UTC or an opaque datetime object, and the browser would render it in the user's preferred date/time format.
They don't need to collect your accelerometer's information about your IRL movements or your device's automatic time zone stuff, I don't think. That basically gives away you're using a VPN and makes it easier to fingerprint you.
Maybe it's because I'm idealistic in addition to being old, but I think a lot of this functionality was in fact added for explicit purposes.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that I'm expecting too much.
I don’t understand why that would be an implicit agreement, though? Why would I expect that the website would not try to figure out who I am?
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
> Why would I expect that the website would not try to figure out who I am?
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
This is more like, I am not offended if my neighbor notices that I leave my house around the same time everyday and come home around the same time. I don’t expect my neighbor to look away when I step outside. If I put something in my yard visible from their house, I won’t get offended if they look at it.
Killing and stealing are completely different things than “paying attention to what I do when I am doing things they can see”
If we want to make the metaphor a little more faithful: the neighbor tracking what time everyone is home is selling it to door-to-door salesmen who use that information to harass you. Meanwhile, both the guy tracking it and the door-to-door salesmen are leaving copies of the information in the open. They aren't directly selling it to burglars[1], but they are making it extremely accessible to burglars, who then use that information to rob you. There is a data breach every other day, with companies and people routinely getting extorted and in some cases victims have killed themselves. This is a direct result of the unethical behaviour of hoovering up a permanent record of everyone's every last little action, far beyond what is necessary to provide any service.
[1] Although some data brokers do sell it directly to burglars too. All the burglar has to do is say "I'm a door-to-door salesman, will you sell me the information?". Your neighbor can't be bothered to do any kind of real verification of whether they're a salesman or a burglar.
Sure, but I think some of the stuff it sends isn't necessary. A website doesn't need to know the list of fonts on my machine, for example.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to pop up an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
The location it chose was laughably inaccurate (and since I'm the kind of person who posts here I know why). Censoring the IP address was a little cheesy, but down at the bottom it gets better.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
I think a lot of us old tech folks want to still believe in those techno-libertarian ideals of the old web. However, in order to do that we largely need to ignore the capitalistic and authoritarian ideals of the modern web.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherent to the server-client nature of the web mean that abuse is more likely to flow in one direction than the other.
I agree entirely. Those of us old enough to have experienced those dreams are naturally going to mourn the loss of the Internet as a place for wild experimentation because we know so much good came from it and there isn't any true replacement.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
One thing is using information about my connection like my IP and a different one is my browser exposing the angle that I'm holding my phone.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
No, that wouldn't be ok, but if my browser did that, I wouldn't be mad at the website for doing something with the data I sent them. I would be mad at my browser, not the web site.
I remember some users with phpBB signatures some 20 years ago that did the "I know where your IP address lives" trick. Yeah, a bit surprised this is still being done, only today not as some silly troll move in a forum but on some professionally designed website.
You don't need an angle for that. That is highly invasive and can be used to target unique individuals. Why not default to a pro-human oriented mindset rather than pro-corporation?
That seems more of an issue with the school, though, rather than the actual web request. In this case, there IS a prior agreement between the school and MS, so there can be additional expectations about how that works.
I didn't know the browser made an agreement between myself and it. Here I am thinking that I am forced to use monopolistic tech because I, a US citizen, have zero say in the direction of technology in the country; that's decided by undemocratic financiers gambling with pension funds in SF. Silly me.
> Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
My disappointment is not with websites. It is with browsers. They have continuously prioritized dark pattern support. They have consistently removed user control.
I mean it's not the websites that default to recording every keystroke, default to tracker persistence, default to phoning home with daily telemetry, etc.
When I first started using HN, I ran four very different browser engines. Now there's no real choice.
HN does not record your key strokes until and unless you click the reply link…and then only if recording your final edited comment counts as recording your keystrokes.
On the other hand, your browser might be recording each of your keystrokes just because it can and if your browser does, those keystrokes are not going to HN.
It's trivial for HN to record your keystrokes. Any application that can read your keys can record your keystrokes; it's fundamental to how software works. You wouldn't be able to write a game if you couldn't.
The distinction you are trying to make is a distinction without a difference. If you don't want sites to "record your keystrokes", then don't use a computer. Trying to paint this as nefarious is a losing battle and completely undermines any awareness you are trying to bring about.
There's a difference between HN getting the final text when you hit "reply" and a site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace or moved your mouse to switch to a different tab to look something up or if you made up some facts in the comment or if you used an extension like grammarly or anything else.
> site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace
You mean like a video game? Are video games now nefarious applications tracking you? Your browser is not "leaking" anything to websites. It's hard to understand what you are even complaining about. If you don't want grammarly to record your keystrokes, then don't install grammarly.
It's like ordering a beer and then complaining about alcohol.
Yes! By a user who's 21 days old, has never commented and isn't even following this thread, as he has absolutely never replied and never will. Having these kinds of submissions not flagged is killing Hacker News.
I disagree, the discussion is still interesting to me. The page might be low quality AI slop (though it claims it’s not), I did find the discussion about it informative to a degree.
The website is pretty & the overdramatic copy is fun, but there's much better fingerprinting demos out there.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
The overdramatic tone is pretty funny. "You are in [wrong city]. We could send a team of ninjas to kill you right now, but we chose not to. You are welcome."
Both linked in the Sources & Confessions modal at the bottom. Cover Your Tracks is the spiritual ancestor of this whole piece. amiunique is more rigorous; this is the editorial cousin.
Wow! Somebody with ChatGPT discovered the concept of browser headers, then for some odd reason made the verbiage really ... weird "We chose not to tell you"... okay...
Anyway, if you really want to know what your browser is sending:
> We did not ask for your location. Your address arrived before you did.
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.
If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification.
> Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
Yes, that would have tripped the prompt asking the user, which would have had explicit user acceptance or refusal. The point is you don't need consent to do a fuzzy match using other data in most jurisdictions.
> my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.
I love that the very first thing it showed was wrong
> San Pablo, California, United States
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my TED talk.
I am running Firefox. Firefox does not report your GPU according to the site, instead returning a generic "Mozilla" GPU.
More of you should be running current Firefox. It actually has serious engineering work going into protecting you from web tracking.
I work for a team entirely dependent on web tracking for Fraud prevention. The things Firefox does work to protect you and make our job harder. They genuinely make it harder for websites to track you.
Other things that genuinely help: Apple private relay. Some VPNs. Generated unique credit cards.
The 39 GB number is a bug. I was reading quota (browser allow-up-to ceiling) and calling it "allocated." Fixed; pushing now. Contrast is intentional, but I hear you. Not changing it, but noted, and a cleaner reading mode is on the to-do later.
And like most people discussing these things, you entirely miss the point.
It doesn't matter whether you actually speak English natively or not, nobody cares about the actual values. Web sites don't actually care whether you have a robust font package in some way to discern whether you are a font hipster or something, they are just collecting signals.
What matters is that your physical machine and web browser combo report these values about the same way every single time they are probed, and that is used to reliably track YOU, uniquely, with great accuracy, with EVERYTHING you do on the internet, every site you visit, every mouse movement, every purchase linked back to you.
Everything.
The actual values don't have to match "reality" in any way. It's just about generating bits of signal about your setup.
> It doesn't matter whether you actually speak english natively or not
So don't you think presenting the info as if it's a great uncovered secret and then getting it wrong will lead the layman to disbelieving everything?
Of course, the other extreme is the EFF site that says "Currently, we estimate that your browser has a fingerprint that conveys at least 18.33 bits of identifying information.".
There must be some middle ground to present this info.
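The "18.33 bits" figure quoted above is computed from a visitor population: the surprisal of a value is log2(visitors / visitors sharing that value), and the total for a full fingerprint is the same calculation over the whole tuple. The following is an added example, not code from the page, the EFF tool or the site under discussion, run over a constructed population of 16 visitors with three attributes. It also shows the caveat a practitioner wants: summing per-attribute bits assumes the attributes are independent, and on correlated data (time zone and language here) it overestimates the real joint figure.

```javascript
// Added example (not code from the page, the EFF tool or the site discussed):
// how a "your fingerprint conveys N bits" figure is computed from a visitor
// population. Surprisal of a value = log2(visitors / visitors sharing it);
// Shannon entropy is the population-wide average per attribute.
// The 16 visitors below are a constructed sample, not real measurements.
const VISITORS = [
  { tz: "America/Los_Angeles", lang: "en,zh", gpu: "RX 6900 XT" }, // the visitor we score
  { tz: "America/Los_Angeles", lang: "en,zh", gpu: "Mozilla" },
  { tz: "America/Los_Angeles", lang: "en,zh", gpu: "Mozilla" },
  { tz: "Europe/Berlin",       lang: "en,zh", gpu: "Mozilla" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "RX 6900 XT" },
  { tz: "America/Los_Angeles", lang: "en",    gpu: "Mozilla" },
  { tz: "America/Los_Angeles", lang: "en",    gpu: "Mozilla" },
  { tz: "America/Los_Angeles", lang: "en",    gpu: "Intel UHD" },
  { tz: "America/Los_Angeles", lang: "en",    gpu: "Intel UHD" },
  { tz: "America/Los_Angeles", lang: "en",    gpu: "Intel UHD" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "Mozilla" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "Mozilla" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "Intel UHD" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "Intel UHD" },
  { tz: "Europe/Berlin",       lang: "de",    gpu: "Intel UHD" },
  { tz: "Europe/Berlin",       lang: "de-AT", gpu: "Mozilla" },
];
const ATTRIBUTES = ["tz", "lang", "gpu"];

// Bits of identifying information one observed value carries, relative to
// this population: log2(N / number of visitors with the same value).
function surprisalBits(rows, key, value) {
  const matching = rows.filter((r) => key(r) === value).length;
  if (matching === 0) throw new Error("value not present in population");
  return Math.log2(rows.length / matching);
}

// Average bits an attribute yields over the whole population (Shannon entropy).
function entropyBits(rows, key) {
  const counts = new Map();
  for (const r of rows) counts.set(key(r), (counts.get(key(r)) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / rows.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Treat the whole attribute tuple as one value so correlations are respected.
const tupleKey = (r) => ATTRIBUTES.map((a) => r[a]).join("|");

function scoreVisitor(rows, visitor) {
  const perAttribute = {};
  let naiveSum = 0;
  for (const a of ATTRIBUTES) {
    perAttribute[a] = surprisalBits(rows, (r) => r[a], visitor[a]);
    naiveSum += perAttribute[a]; // only valid if attributes were independent
  }
  const joint = surprisalBits(rows, tupleKey, tupleKey(visitor));
  const sharedWith = rows.filter((r) => tupleKey(r) === tupleKey(visitor)).length;
  return { perAttribute, naiveSum, joint, unique: sharedWith === 1 };
}

const score = scoreVisitor(VISITORS, VISITORS[0]);
console.log(`per attribute: ${JSON.stringify(score.perAttribute)}`);
console.log(`naive sum ${score.naiveSum} bits vs joint ${score.joint} bits; unique: ${score.unique}`);
```

Two things to read off the output: the naive sum (6 bits) overstates the joint figure (4 bits) because time zone and language are correlated in this sample, and "unique among 16 visitors" is only 4 bits, which is why the EFF phrases its result as "at least N bits": the number is bounded by the size of the population the tool has seen, not by how identifiable you are against the whole web.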
The Referer header is the one that's hardest to opt out of cleanly, strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers but it's still origin-dictated, not visitor-dictated.
I strip/forge it with an old, probably outdated Firefox extension (Referer Control.) But you still got news.ycombinator.com. How? I thought the extension was broken, but it's not.
That was actually my only surprise, everything else I was expecting.
edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.
It's interesting that this breaks things. When trying to link to an internal password vault at work it would always break. People would have to click the link on my site, then reload it to get the page to load. This was an issue for years, across multiple versions and despite many people offering up ideas to help solve it. One day I thought maybe it was a referrer issue, so I had it open with noopener,noreferrer, and that fixed it.
It seems odd that any site would require a user come from somewhere.
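The Referrer-Policy discussion above (origin-dictated defaults, strict-origin-when-cross-origin, and the rel="noreferrer" fix on a link) is easier to reason about with the decision procedure written out. The following is an added example, not code from the page or any browser, implementing the policy algorithm as the Referrer Policy specification defines it: credentials and fragments are always stripped, "origin" variants keep only scheme://host[:port]/, and a null result means no Referer header at all. The link-level override order (rel="noreferrer", then the link's referrerpolicy attribute, then the document policy) is included so the noopener,noreferrer case from the thread can be checked too. The URLs used are constructed for the demo.

```javascript
// Added example (not from the page or from browser vendors' code): the
// Referrer-Policy decision as the Referrer Policy spec defines it. Returns the
// Referer header value that would be sent, or null for "no Referer header".
const DEFAULT_POLICY = "strict-origin-when-cross-origin"; // current browser default

// A referrer never carries userinfo or a fragment; origin-only variants keep
// just scheme://host[:port]/ .
function stripForReferrer(urlString, originOnly) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Only http(s) documents produce a referrer; file:, about:, data: sources never do.
  if (from.protocol !== "https:" && from.protocol !== "http:") return null;
  const full = stripForReferrer(fromUrl, false);
  const origin = stripForReferrer(fromUrl, true);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy || DEFAULT_POLICY) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "origin":
      return origin;
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin":
      return downgrade ? null : origin;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin-when-cross-origin":
      return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Per-link override: rel="noreferrer" wins, then the link's referrerpolicy
// attribute, then the document-level policy (Referrer-Policy header or meta).
function referrerForLink(link, documentPolicy, fromUrl, toUrl) {
  const rel = (link.rel || "").toLowerCase().split(/\s+/);
  if (rel.includes("noreferrer")) return null;
  return computeReferrer(link.referrerpolicy || documentPolicy, fromUrl, toUrl);
}

// Constructed demo navigation: an HN comment page linking out cross-origin.
const FROM = "https://news.ycombinator.com/item?id=1#c2";
for (const p of ["unsafe-url", "no-referrer-when-downgrade", "", "same-origin", "no-referrer"]) {
  console.log(`${p || DEFAULT_POLICY}: ${computeReferrer(p, FROM, "https://example.test/demo")}`);
}
```

Running the loop shows why the thread sees "news.ycombinator.com" even with a referrer-stripping extension: under the modern default a cross-origin link still sends the origin, and only no-referrer, same-origin, or a rel="noreferrer" on the link itself sends nothing. The site breaking when the header is absent, as the password-vault anecdote describes, is a server that gates on the presence of Referer; that is the origin-dictated half, and the visitor's only lever is the browser-side policy or per-link attribute shown here.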
> We know this because your IP address was the first thing your device sent us.
First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
I guess I shouldn't be surprised that it gives my exact GPU, but that was surprising to me. Just so everyone knows, it's an AMD Radeon RX 6900 XT and I paid way too much for it during the covid/crypto price explosion when they were sold out everywhere. Still a bit raw about that, but it is an excellent card on Linux (fedora)
"Your graphics processor identified itself as or similar"
guess mine isn't such a specific model as yours. so I don't have a real GPU, i have something similar to a GPU??? did I get a knock off Alibaba version?
Real bug. Firefox returns "Mozilla, or similar" for the renderer string and my parser was grabbing the second half. Fixed; pushing in a minute. Your GPU is fine. Your browser is doing the right thing.
Confirmed. Firefox's privacy hardening returns "Mozilla, or similar" or just "Mozilla" as the renderer string. Chrome doesn't (yet). My parser was treating the Firefox string as if it were ANGLE format and grabbing the wrong half. Fixed.
The GPU string really is the spicy one combined with screen + fonts it's enough to single you out across most of the open web. The card itself is a tank.
Yea that is a strong fingerprint. Especially if any of the other things were correct or someone has a way to model your behaviors. How long you scroll vs how often you type etc. and somehow that's still not enough for big tech and they need biometrics, photo IDs, etc.
Yeah, the bottom counter on the page is meant to make exactly that point. Mouse movements, scroll velocity, tab switches, reading pauses are all features in modern fraud / "trust" scoring systems alongside the static fingerprint. Biometrics is the next layer, and it's already happening on the back of "passive" liveness detection most people never see.
My battery is at NaN%, the site is cool but it should probably change the text if I’m not actually exposing that information.
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although it's annoying that when I connect to a VPN, Steam will often show my prices in Canadian dollars instead of USD.
Battery: kept back
Your browser kept your battery level back. Firefox removed this API entirely in 2016, after researchers proved it could be used to track a visitor across websites without cookies, without consent. The API still exists in the specification. It was simply hidden — from you, and from any page that might ask after it.
Well, at least something positive from the shit I take for not sheepling my way through life using Chrome
I got this message and I'm on Chrome, on a laptop. I tested in the console on that site and was able to get the battery level though, so I'm pretty sure their check is just broken.
It seems like they know I have an iPhone with dark mode enabled, that I speak English, and that I'm in the USA (but wrong city wrong state). I am kinda unimpressed, I'm pretty sure they can get a lot more info than that.
Would be nice if more people were focused on fixing these issues instead of just a bunch of "we already know", and making fun of the tone of the site.
Thanks OP for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Let's hope you're here to stay and fight for our privacy alongside us.
Thanks for that. The page isn't trying to tell anyone something they don't already know, it's trying to put it in front of the people who haven't been told. The bug reports today have been gold and the volume is meaningfully better for them.
Mine told me my graphics card was "or similar" so my stock Firefox is doing at least okay.
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, uBlock Origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla (Mullvad) VPN for uncontrolled WiFi access points for my unrootable Android device, and mostly Signal for comms.
I'm getting too old to be a privacy extreme enthusiast when all of my family side channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
Same for me, also the "screen" size is off (just shows window size), the location is off by hundreds of kilometres and other information is quite generic (battery level "kept back", small set of standard fonts available...).
Yet even with all this information most webpages still insist on showing me the language version of the country whose IP address I have rather than, you know, using the preferred language selection.
It's almost like web devs don't know the concept of traveling outside one's country.
> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
Aside from the fingerprinting methods, the graphics processor string seems to be the most immediately personal data given up (other than location, which was incorrect for me). I could see sites tailoring ads around an assumed class, income, and level of digital literacy based on this data point alone.
Access to the available font list might be useful for identifying devices likely issued by a particular organization. Unusual fonts that are part of an org's branding usually are installed as part of a standard device image. This allows employees to produce brand-compliant presentations, etc. I was an intern at GE in the mid-90's and we had a custom font with just one character defined - the "meatball" corporate logo.
Dunno what it is with the wording but my brain started reading it in a bit of a "Hello Clarice" Hannibal Lecter style lol
>The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
As far as this website reports, I'm indistinguishable from most other Mac users in Brooklyn, New York. Seems like it's not actually highlighting the frightening aspects of fingerprinting.
Yeah, your browser fingerprint might be a needle in a needlestack. You might not be able to distinguish one needle from another needle easily, but if you have enough needle samples you can start to identify what the needles are pointing at. Data aggregators collect enough pseudo-indistinguishable needles to be able to disambiguate and associate them with a known identity or cohort. For example, your mobile browser might be indistinguishable from most other Mac users in Brooklyn, but your mobile browser might be the only one running on a device from an IP address that regularly logs a meal in MyFitnessPal at that Starbucks wi-fi before making an Apple Pay/Google Wallet purchase, hits the next 8 stops on the train before connecting to the same cell tower in the narrow window as you enter your office (telling on myself a bit, tho I am in Vancouver, not Brooklyn).
Span this across all of your movements and activities across multiple aggregators and it's a trail of movement through a fog of data that is fuzzy, but enough to identify you, or a small cohort of similar users.
Opening this page in text-only browser, i.e., no Javascript, CSS, auto-loading resources, etc., it appears to contain zero information about the visitor. Not even an IP address
> You came here from news.ycombinator.com. Your browser told us the address of the page you were reading before this one. Every link you follow tells the destination where you were. The page you just left knows you left. This page knows where you came from. Neither was asked.
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
Fair point, and you're right. On iOS the stock font set is essentially uniform across devices in the same OS version, so the "nearly unique" claim doesn't hold there. Just pushed a hedge: prose now distinguishes between desktop (where fonts accumulate via apps and OS over time, and the bundle is genuinely identifying) and iOS/Android (where it isn't, on its own). Combined with screen + GPU + language + timezone the iOS version still narrows the field, but the prose shouldn't overclaim. Thanks.
So if they can figure out whether I have an expensive laptop/computer based on my graphics card, then they can adjust the prices I see on the page (e.g. higher prices for game devs/players and lower prices for plumbers). Not fair.
You can't guarantee any of this is fingerprintable without checking twice (i.e. give the user a unique URL, then ask them to restart the browser and visit it). In privacy browsers like LibreWolf or Mullvad Browser this is almost all spoofed, save for things like the IP which needs to be hidden/changed independently of the browser.
Correct on rigor. Proving a fingerprint requires the two-visit protocol you describe. The page doesn't actually compute a stable fingerprint or attempt to track returning visitors, it shows you the signals that go into one. The barcode at the bottom is deterministic from the data shown but isn't compared against anything stored. Sloppier than a real fingerprinting tool, by design.
Huh? The user mwheelz seems to have been [dead]'d in the time this post has been on the front page. If I look at their comments page, those posted more than 46 minutes ago (at the time of writing) are normally visible and the rest are [dead].
Most of this is pretty standard stuff but one thing I did learn is some of the fingerprinting techniques I wouldn't've thought of. Like Mozilla/Apple not sharing GPU or battery information being used to confirm which browser I use even if I fake the User Agent String.
"With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
It's mixing confidential info. For example, you know I'm connected from a location, but you do not know my precise location. I connected from a tower that is from Odido, but I am not paying Odido for a subscription.
Right, IP-to-geo is approximate and gets a lot of cases wrong (yours among them). Most ad networks use it as a region/DMA hint, and not precise positioning. The point of including it isn't precision. It's that any location is more than nothing, and the visitor never opted in.
Trying this in Lynx I'm surprised it didn't at least get some information from me in the request headers. You don't need JavaScript to pull things out of them.
Someone should do a demo where they take all the info from the browser and feed it to an LLM to describe the person as accurately as possible. I bet it would be 10x better than any horoscope.
Browsers are stuck between compatibility and privacy. Every bit of environment detail has some site that claims to need it, and every extra bit makes users easier to distinguish.
But anybody knows (in tech I mean) that a browser client leaks a lot of things and sustained tracking is easy even cross-browser (and cross-device too with more advanced techniques), including history (easy to know which websites were visited with timing analysis in loops and iteration). It falls on the responsibility of the user to achieve privacy, but it requires heavy sacrifices that frankly most users are not willing to make. fingerprint.com is really basic and doesn't go to great lengths at all actually to track users (fortunately).
Reality is that most do not care about privacy (look at the number of Google users, even developers themselves who are completely aware of it and continue to "embrace" the mass tracking). There is also the mass brainwashing which is an issue where people that use VPNs think that they are anonymous and this is terrifying to think (thank you NordVPN non-sense, which also use Google Analytics which then correlate entire traffic later-on, what a joke).
Similarly, just like how somebody would think that a company selling weapons that are expressly used to harm protestors is a terrible company, a company that tracks its users and invades their privacy is a terrible company.
We can see that big companies are able to do a great deal for privacy like Cloudflare and Apple (relatively speaking).
>Reality is that most do not care about privacy
Most people don't understand how much they are being tracked online, and even less know how to start preventing it. The vast majority of people care deeply about privacy. It is a natural human desire. Ask someone that says they have "nothing to hide" if they would be willing to let you install a camera pointed at their bed. Are they doing anything wrong in bed? Anything to hide? No. They still deserve privacy.
Saying you don't care about privacy because you have nothing to hide is like saying you don't care about free speech because you have nothing to say. [1]
Just because people don't care about the issue doesn't mean they shouldn't have the right by default. Privacy should be the default. It is bad for you to have less privacy because it gives governments, corporations, and other people significant power over you and allows them to harm you more easily. Also it is your right, just like the 1st amendment.
I would never use NordVPN–I think their marketing is deceptive and they don't accept private payments, among other issues, but there is a big difference between the VPN collecting data and just their website. Bitwarden has a privacy respecting pw manager, but their website uses analytics.
Absolutely, Nord is a sh*t company when it comes to privacy, they removed the anonymity claim as well recently and changed it to "Security", but anyway a VPN is far (very far) from being enough to reach a decent level of opsec. Anyway, VPNs that care can start using Enclave at the very minimum, but it's insufficient as traffic can easily be correlated if you disconnect peers one by one (gov can just sniff the DC firewall, then DDoS each IP connecting through it, check if the guy is still online... (ton of ways)). Mullvad is clearly more trustable regarding the steps taken to ensure more privacy, but it's not enough on its own and even they say so.
For Bitwarden, well, US government (and Google, and more) is aware of your usage of it through their analytics so I wouldn't say it's really privacy respecting but sure, there is a bigger effort yeah.
With javascript off it just stalls at "reading" forever. There are certainly some viewport properties and other things it does know even without JS execution, but the mitigation is significant. And the page itself (the JS application) cannot act on that data or communicate it. Instead it has to be processed by some other application on the backend or wherever. Not in my browser by my computer.
As an experiment, I made a small retail shop (< 30 products) that would use JS for modern style async/await calls, but would then use old school POSTs if JS was disabled, with full page reloads on every POST. It sucked to dev and as UX, but it was possible to do. Had the non-JS POST style updates been any less annoying, it might have been viable. Nobody likes full reloads. They suck. JS can do nice things for UX. It's just that we can't have nice things because people suck.
That's what frames are for. Only reload the frame with the important data in it (total cost, list of products in cart) and point the category links in the page to open in the same frame as the shopping cart. You can even style the frame contents with the main page's stylesheet so it only needs to load a `$41.29` total if that's all that's changed.
No, I did not defile myself that badly by using frames nor layout with tables either. <shudder> I did layout with CSS. It wasn't just an update to the total. It was a proper modern day UI look (if not so much feel) so that it had a collapsible shopping cart on the side so you could see the items and quantities and link back to the item's page.
I tried it with a VPN running and in the Mullvad browser and it got all the big stuff wrong.
"Where are you" was sent to another location due to the VPN; this was all it really impacted. "When you arrived" was wrong because of the Mullvad browser; even without the VPN enabled it reports that I'm in Reykjavik, which I'm not. "What you brought with you" got the resolution wrong, as the browser locks itself to various resolutions to prevent this kind of fingerprinting. GPU and Battery both say "kept back"; I assume this means it couldn't get anything, because when I run in Safari it says Apple GPU.
2/3 of the big browsers are open source, you could just change it this year! (Assuming your mobile device isn't from the former personal computer company turned status symbol manufacturer).
Harder problem is getting the economic system that relies on this information swapped out. Have fun when 99% of web doesn't 'work'.
Something attacked my computer.
I shut the page, and some old one popped up.
I shut it, and they popped up again
I shut my browser, and Notepad++ was filling with <cr><lf>
I closed Notepad++, closed every open app, and restarted.
Update: I pushed two rounds of fixes for things people caught.
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
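The two normalisations behind items 1 and 2 of the update above, written out as an added example (mine, not the site's code): Firefox's masked renderer string is recognised before any ANGLE-style splitting, and the Battery Status API's "no battery information" placeholder is recognised before it can read as a 100%-and-charging battery. The ANGLE tuple layout and the placeholder values are the standard browser behaviour; the sample strings are constructed, with the RX 6900 XT model name taken from the thread.

```javascript
// WebGL renderer string -> {status, model}. The ANGLE form is what Chromium
// reports on Windows; "Mozilla" / "Mozilla, or similar" is Firefox's masked value.
function describeGpu(rendererString) {
  const s = (rendererString || "").trim();
  if (s === "") return { status: "kept back", model: null };
  // Firefox privacy hardening: this is not a model name, so never split it.
  if (/^Mozilla(,\s*or similar)?$/i.test(s)) return { status: "kept back", model: null };
  // ANGLE tuple: "ANGLE (Vendor, Model Direct3D11 vs_5_0 ps_5_0, Backend)".
  // Older builds omit vendor and backend, leaving a single field.
  const angle = s.match(/^ANGLE \((.*)\)$/);
  if (angle) {
    const fields = angle[1].split(",").map((f) => f.trim());
    const model = fields.length >= 3 ? fields[1] : fields[0];
    return { status: "disclosed", model: model.replace(/\s+Direct3D.*$/, "") };
  }
  // Anything else (e.g. "Apple GPU") is taken as-is.
  return { status: "disclosed", model: s };
}

// The Battery Status API's placeholder when no battery information exists:
// level 1, charging true, chargingTime 0, dischargingTime Infinity. Chromium on
// a desktop without a battery returns exactly this, hence the phantom 100%.
const NO_BATTERY_PLACEHOLDER = { level: 1, charging: true, chargingTime: 0, dischargingTime: Infinity };

// BatteryManager-like object -> {status, percent, charging}.
function describeBattery(b) {
  if (!b || typeof b.level !== "number" || Number.isNaN(b.level)) {
    return { status: "kept back", percent: null, charging: null };
  }
  const isPlaceholder = Object.keys(NO_BATTERY_PLACEHOLDER)
    .every((k) => b[k] === NO_BATTERY_PLACEHOLDER[k]);
  if (isPlaceholder) return { status: "kept back", percent: null, charging: null };
  return { status: "disclosed", percent: Math.round(b.level * 100), charging: Boolean(b.charging) };
}

// Constructed sample inputs covering the cases discussed in the thread.
const SAMPLE_RENDERERS = [
  "Mozilla, or similar",                                                 // Firefox, masked
  "Mozilla",                                                             // Firefox, masked (short form)
  "ANGLE (AMD, AMD Radeon RX 6900 XT Direct3D11 vs_5_0 ps_5_0, D3D11)", // Chromium on Windows
  "Apple GPU",                                                           // Safari
];

function describeAllSamples() {
  return SAMPLE_RENDERERS.map(describeGpu);
}
```

The battery filter has a known cost: a laptop that is fully charged and plugged in reports the same four values as the placeholder, so it is also shown as "kept back". That is the trade the update makes by letting the stricter check fall through rather than risk inventing a battery that isn't there.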
It's somewhat interesting but over half of what it talked about is just silly.
- Reverse IP/geocode (while being cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
I'm with you on almost all of this, but since you (almost) asked, here's how I think fonts should work:
The server tells your browser to display a line of text in a specific font. If that font is available, your browser does so, and if not, it displays the text in your default font, or a backup font if the developer specified one. There's no need for the server to know if it's there or not.
That's essentially how things used to work, and the problem is that it too can be gamed using JavaScript. For example, a relatively naive approach might be:
1. Make an HTML <span> element that contains "The quick brown fox jumps over the lazy dog" written in the default font.
2. You can't query what font that was, but you can use the getComputedStyle() DOM function of that element to work out the width (for example) of the resulting element. Note this down.
3. Do the same for all the different fonts that you want to test.
4. If any element's width differs from the default's noted in step 2, then the corresponding font is guaranteed to be installed on your system.
As written, this won't detect the font that the user has selected to be the default font (because it won't detect the width as being different). However, you can work around this (and remove most false negatives to boot) by a simple addition:
5. Pick one of the fonts that you detected as being installed.
6. Create more elements (as in step 1) that correspond to all the fonts that were detected as being the same width as the default, but have the font you selected in step 5 as a fallback. (eg. 'font-family: Testing, Fallback;')
7. Any element with a width that differs from the font you selected in step 5 is installed on the system.
What you get will be a relatively complete list of what fonts are on the system out of the ones you tested. If you want more accuracy, you can do a similar thing with individual letters instead.
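The seven steps above as runnable code, added here as an example (not the commenter's or the site's code). The measurement step is passed in as a function so the same logic runs in a browser against real <span> widths, or offline against a constructed table of "installed" fonts; the font names, widths and the choice of "DejaVu Sans" as the default font in the offline table are all constructed for the demo.

```javascript
const SAMPLE_TEXT = "The quick brown fox jumps over the lazy dog";

// Browser measurer: renders SAMPLE_TEXT in a hidden <span> with the given
// font-family stack ("" = the browser default) and returns its rendered width.
function makeDomMeasurer(doc) {
  return function measureWidth(fontFamily) {
    const span = doc.createElement("span");
    span.textContent = SAMPLE_TEXT;
    span.style.cssText = "position:absolute;visibility:hidden;white-space:nowrap;font-size:72px";
    if (fontFamily) span.style.fontFamily = fontFamily;
    doc.body.appendChild(span);
    const width = span.getBoundingClientRect().width;
    span.remove();
    return width;
  };
}

// Offline measurer over a constructed table: the first font in the stack that
// is "installed" decides the width; if none is, the default font does.
function makeSimulatedMeasurer(widths, defaultFont) {
  return function measureWidth(fontFamily) {
    const stack = fontFamily
      ? fontFamily.split(",").map((s) => s.trim().replace(/^"|"$/g, ""))
      : [];
    const hit = stack.find((name) => name in widths);
    return widths[hit !== undefined ? hit : defaultFont];
  };
}

// Steps 1-7. Pass one compares each candidate against the default width; pass
// two re-tests the ones that matched, with a known-installed font as fallback,
// which is what recovers the user's actual default font.
function detectInstalledFonts(measureWidth, candidates) {
  const defaultWidth = measureWidth("");                                  // steps 1-2
  const installed = [];
  const sameAsDefault = [];
  for (const font of candidates) {                                         // step 3
    if (measureWidth(`"${font}"`) !== defaultWidth) installed.push(font);  // step 4
    else sameAsDefault.push(font);
  }
  if (installed.length === 0) return installed;   // nothing to use as a fallback
  const fallback = installed[0];                                           // step 5
  const fallbackWidth = measureWidth(`"${fallback}"`);
  for (const font of sameAsDefault) {                                      // step 6
    if (measureWidth(`"${font}", "${fallback}"`) !== fallbackWidth) {     // step 7
      installed.push(font);
    }
  }
  return installed;
}

// Constructed environment for the offline run: three installed fonts, with
// "DejaVu Sans" as the default, so probing it directly looks identical to the
// default and only the second pass catches it.
const SIMULATED_WIDTHS = { "DejaVu Sans": 1000, "Arial": 960, "Courier New": 1200 };
const SIMULATED_DEFAULT = "DejaVu Sans";
const DEMO_CANDIDATES = ["Arial", "DejaVu Sans", "Comic Sans MS", "Courier New"];

function runOffline() {
  const measure = makeSimulatedMeasurer(SIMULATED_WIDTHS, SIMULATED_DEFAULT);
  return detectInstalledFonts(measure, DEMO_CANDIDATES);
}
// In a browser: detectInstalledFonts(makeDomMeasurer(document), DEMO_CANDIDATES)
```

The offline run returns Arial and Courier New from the first pass and DejaVu Sans from the second; Comic Sans MS, which isn't installed in the table, is correctly absent. The same structure also shows why the defences mentioned elsewhere in the thread work: a browser that only exposes a fixed bundle of fonts, or reports identical widths for every stack, makes every candidate match the default and the list collapses to nothing useful.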
Fair pushback, and partially right. Most of these data points are individually defensible. Accept-Language helps with localization, Referer is just how links work, timezone is universally useful. The page's argument isn't that any single one is bad; it's that the bundle is identifying. Panopticlick / Cover Your Tracks measures combinatorial uniqueness, not any single point. The piece could be sharper about the distinction. Noted.
People discovering "just how the web works" have spawned myriad complaints, misguided laws, and general anger and confusion. I wish there was a test people had to take before they go online or something. Otherwise they'll still be mad that Chrome Incognito didn't prevent ads.google.com from registering them as a pageview statistic.
> This volume requires JavaScript. That is part of the point — your browser is what is being read.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queryable with JS.
This is just... silly. Everything it told me, while browsing on my iPhone, seems entirely reasonable.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
Right that most of these aren't surprises individually, and right that nobody wants a permission prompt for Accept-Language. The argument isn't that you should, it's that the combination is enough to identify you across sites without your awareness, and that the wider tracking ecosystem trades on that bundle. The piece is editorial about the thing existing, not a proposal to gate every header. Reasonable to push back if you find the bundle isn't the point.
Fingerprinting has existed for a long time. But this site is specifically saying "None of them told you".
The site does seem to be implying that disclosure and consent are the issues:
> We did not ask for your location.
> Nothing about this was requested. The information arrived on its own.
> Your device volunteered all of this in the first milliseconds of the connection. It will do this again on the next page you visit, and the one after that.
> No permission is required.
It's framing this as if browsers are maliciously volunteering information that ought to be protected, and that sites are maliciously hiding the information available to them.
It does seem to be clearly suggesting that even basic pieces of information ought to be available only upon request and that this must be disclosed to users.
You say this is "not a proposal to gate every header", but it's sure looking like something close to that to me.
> Your screen is 1512 by 982 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display. Your device volunteered all of this in the first milliseconds of the connection.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
Pedantic but right. The JS queries them; the browser returns them without prompting the user. "Volunteered" is the editorial verb for that round-trip but it does paper over a layer.
the breathless fearmongering but also condescending tone of this really makes it hard to take seriously. yeah, you can "digitally fingerprint" me when i browse the web. do you know when else you can get my fingerprints? literally any time i touch something in the real world, i leave my fingerprints behind. and nobody is making websites telling us all what a risk to privacy that is.
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
I use windows color filters (Grayscale inverted is my preferred, in the past I used plain inverted) for poor man's dark mode (or light mode in this case) for stuff that doesn't honor my color scheme and hurts my eyes. It also has a hotkey, so it is really handy sometimes, but you need to enable it in the settings.
Assistive technologies are great, not only because they benefit those who have no choice but to rely on them, but also they can benefit the luckier people.
According to the "Sources" popup, the creator can't even excuse the slop as AI slop:
> The prose
> Hand-written · Template-based, not generative
> Every sentence on this page was written by Matt. The code selects among prose templates based on what your browser returned. No language model writes or rewrites anything at runtime. If a condition is not covered by hand-written prose, the page stays quiet about it — we'd rather say less than say something false.
All these submissions come from bots, and users with accounts younger than a month with one single submission (in this case three times the same submission).
Maybe the system should block anyone with lower than xyz points and 20 comments to post any link?
I dunno, I guess it's hard but this shit is really affecting the community.
It's really bad, it's not using proper fingerprinting techniques, no network stack fingerprinting, no browser history via DNS poisoning, no narrowing down exact country with timing and so on. I mean this is even inferior from basic tools like amiunique, what's the point?
None of the information identified for me was surprising using an up-to-date Firefox on Mac w/ a mostly default configuration. I had to unblock Javascript in NoScript for the page to work.
I get the point, but I think the EFF Panopticon page is a better representation of browser fingerprinting and how it works, because most of the things shared are really basic elements of data that aren't personally identifiable. You can absolutely fingerprint Firefox with a default config, so obviously this was vibe-coded and just doesn't do much. Cool, you did a GeoIP lookup, read the user-agent, the referrer header, and the accessibility data, exactly zero of that should be surprising to anyone that knows how you access a website.
This is a great exercise; it's generally accurate on location, but it's hard to express how granular they can be identifying users through browser information. Fonts? Display size? Processor? How unique is that really in layman's terms?
* I'm not in that city.
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
The amount of fingerprinting this page reveals pales in comparison to what actually happens in the wild
Its ease is also vastly inflated. If it was as simple as this site makes it out to be, companies like fingerprint.com wouldn't exist.
Don't know about easy but their JS lib doing this is quite good:
https://github.com/fingerprintjs/fingerprintjs
Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can't. Integrations aren't exactly hard to make, quality is hard yes, but making half assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on that requires their explicit malware in order to use, what is unique about their finger printing versus what fingerprintjs provides?
I knew about this library but is it legal in the EU? Because that library works very well
* That's the wrong battery percentage and the wrong charging status.
> Since you can detect light mode, would it kill you to honor it?
It would probably still be low contrast garbage even if it did. :/
The 100% charging readout is the desktop-with-no-battery phantom. I pushed a stricter filter for that earlier, you may be on a cached copy (try a hard refresh). On the light-mode call: the page detects your preference but doesn't honor it, intentionally. The irony being that the demo ignores the same signal it points out. I take the cost of the annoyance.
Okay but it's really hard to read for those of us with old people eyes.
I'm 36 and I struggled to read it.
... Wait, 36 isn't old is it??
> It would probably still be low contrast garbage even if it did. :/
My guess this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner cant make the changes without a sloperator.
yeah it told me I'm "in Los Angeles" but that's just the time zone I'm in. It also "thinks" that because I have two different languages as inputs that it has scored some kind of "gotcha", but I just happen to also frequently use a second language .
"English · Chinese Your browser’s primary language is English. It also carries Chinese. This tells us not just what language you speak, but often where you were raised, where you have lived, or who you live with. This is transmitted in the header of every HTTP request. It has been doing this for as long as you have used this browser."
No, the fact that I have English and Chinese as input languages does not tell it "where I was raised, where I have lived, or who I have lived with." Might as well say "the fact that you're using a phone to look at the Internet reveals that you are someone who can access a phone to look at the Internet!" Yes, technologies interact with other technologies. That's how "technologies" work. Is it Orwellian? Yes. But is it more Orwellian than the surveillance states of Russia/China/North Korea, etc.? We also can now find our phones/cars/devices that can share location, locate criminals by way of their online activity, record incidents that "need" to be recorded (like when ppl are committing crimes or when police officers need to be held accountable for their behavior). Catastrophizing about the "overreach" of tech is a cognitive choice. That all being said, it is good to be aware of what info our technologies "know" about us.
> I'm not in that city.
I'm using Apple's Private Relay VPN so it was hundreds of miles off. It's always interesting to see where websites or services think I'm located using their geolocation databases, but if I turn it off they can pinpoint me within a couple of miles. Thankfully almost nobody has ever blocked Apple's VPN, so I never have to turn it off.
> Since you can detect light mode, would it kill you to honor it?
Seriously, I'm in my mid-30s but some of these dark mode sites make me feel mid-80s. I can't see shit on this site.
> I'm not in that city.
Same, it claims Brussels, but I'm in Antwerp. It also got my screen resolution wrong.
> I'm not in that city.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, it's just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy, it's probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
> Nobody can infer when I work and when I sleep. That includes me.
Are you like /severed/ or something? Surely you can infer when you work and sleep from your experience living your life as you.
> Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
This is fascinating, please do tell more about it! How does it affect your mental health? How do you deal with times day and night are flipped? How does it affect your social life?
> How does it affect your mental health?
That it should in some way affect my mental health has never once occurred to me. If anything, i assume that living on one's body's own natural schedule would be optimal in terms of related effects on mental health.
> How do you deal with times day and night are flipped?
When there's not something pressing me into a schedule, e.g. a job, i kind of "circle around" to a conventional schedule every few weeks. All things considered, i prefer the "swapped" times because it's quieter at night. e.g. less traffic driving by, fewer neighbors making various noises, and no DHL/UPS/DPD deliveries for the neighbors being dropped off here because the neighbors aren't home (whereas i am almost always at home and both the neighbors and the local delivery folks know it).
i'm a retiree so, with the exception of shopping and rare appointments, the night/day or weekday/weekend[^1] are not generally distinctions which affect me, and it's never bothered me in the slightest to not have a fixed schedule. On the contrary, a fixed schedule somewhat bums me out long-term, presumably because it does not match my biological clock.
> How does it affect your social life?
My social life is (by preference and choice) comprised solely of (A) my FOSS work, and there's no clock associated with any of that, and (B) my wife. Both my and my wife's biological families are all on another continent, so we've no family obligations which require physical presence. When i'm not FOSS'ing, we play a lot of board games.
[^1]: stores are closed on Sundays and all public holidays in Germany. More than once i've gone to the store, only to discover it's closed due to a holiday i've overlooked (like, most recently, May 1st).
Supposedly we naturally gravitate to a 26-hour cycle (experiments done with people living underground and with no clocks).
It was much better for me.
* Your socks don't match anything in the room.
* The man you thought you killed in Tuscaloosa woke up and walked home an hour later and is now a chiropractor in Shreveport.
* Your daughter is pregnant by the kid who trims the hedges.
* Your dog is dreaming about the squirrel in the wood pile.
How does it know?
This is all common knowledge, unfortunately.
I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
> You prefer dark interfaces — your operating system told us.
oOoOohh my settings worked as intended, spooky!
Agree, sending my language, if I use dark mode or time zones is all data that can be used to give me a better experience so I don’t mind.
It's the usual terse LLM voice that makes everything sound dramatic. Nails on a chalkboard
That's what helped L figure out Kira was in Japan, and likely a student given the times of deaths, in Death Note. Ruled out 7.8 billion people in one step
> Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
But I am the only person in this timezone in the world. It uniquely identified me!
The claim was that a site could "infer when you sleep, when you work, and when you browse because you cannot sleep." Is that not true? I know that the timing of my HN comments tells a pretty clear story about my schedule having recently looked at a histogram.
Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.
My browser fingerprint was unique among the visitors in the past 45 days.
[0] https://coveryourtracks.eff.org/
> Our tests indicate that you have strong protection against Web tracking.
Gotta love Firefox with ublock origin in advanced mode, even without JavaScript disabled so the site worked.
I got the same in my iPhone using Safari with Firefox Focus installed.
uMatrix + NoScript personally (yes, seems silly, but I find NoScript's UI more convenient for script toggling, while liking uMatrix's fine grained controls)
Did you enable firefox resist fingerprinting? Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
I used to use umatrix, preferred it to ublock origin advanced mode. However, isn't umatrix unsupported?
It hasn't received updates in a good long while, but seems to work fine, for me anyway. Has some rough edges, logging blocks when there's a bunch of redirects is a bit of a pain, making it hard to fix whitelisting in complicated things (like the dozen domains microsoft uses for auth) but apart from that...
(and ofc there's a bunch of forks adding bugfixes, some even relatively recent in activity, but unfortunately none have become the blessed official maintainer)
Did you specifically re-enable javascript? Ublock origin on medium mode blocks all the tracking javascript and I'd think advanced would follow the same basic starting point.
Yeah, didn't work without it.
If i run that (or similar sites) multiple times, shouldn't I like.. not be unique each time?
At least in Europe the GDPR still counts, even when you don't use cookies but fingerprinting.
So if you use this information you still need to disclose it and process data in accordance with the law.
In my case, the site reports "The technique is called browser fingerprinting. It is legal everywhere."
It is definitely not legal in Europe, when used to track individual users. The consent pop-ups are not only about cookies.
"It doesn't matter that the FUD isn't accurate" Hmm.
I'd still prefer the information be inaccurate. Since sites are rude enough to try and track me, the least I can do is feed them unique garbage.
Visiting without JS: "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and I can choose to display the response in whatever way I want to). I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
> You appear to be in Denver, United States. Your internet provider is Netskope Inc. We know this because your IP address — 163.xxx.xxx.32 — was the first thing your device sent us. We know the rest of it. We chose not to display it. Most pages would not have made that choice. We did not ask for your location. Your address arrived before you did.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISPs upstream provider?
there was a prank way back, that used simple html, css and javascript, to instruct the browser to display IP address, public, and local, popup a stream from the webcam, and place them among a crafted document intended to trigger i.e. troll people.
no data was cast to internet, it was all code executed with local user permissions to access the devices and logfiles displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation, it's not a joke, it's handgun serious.
> Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
I don’t think it is as simple as saying browsers are working for the web developer and advertisers.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
I guess what I'm advocating for is that it should not be all-or-nothing, and it should not default-on:
Most web sites have no business knowing my time zone. Why are browsers offering it up? That should be gated on the user's permission.
Most web sites should not be able to determine what my screen resolution is, or what my operating system is. Browsers should also hold that back and only disclose it with the user's permission.
Most web sites should not by default have access to all the shit JS gives them access to. Battery Status, Web Audio, WebGL, Sensors, WebRTC, Geolocation, media devices (camera and mic), clipboard, local storage... All of these have uses, but should be behind individual, easy to access per-website preferences, and by default the site shouldn't even be able to query for their existence (which is enough to fingerprint), let alone call them. I shouldn't have to blanket turn off JavaScript to kill these things.
All a website needs to know about me, my browser, or my computing environment is I want to "GET /".
There are browsers that offer that level of control, but most people don't want to use them because they are confusing and don't offer the things most people actually care about.
> Most web sites have no business knowing my time zone.
That would work if websites only displayed dates in UTC. Which is not what most people expect. Browsers need to know your timezone so timestamps can be displayed with the right setting for you.
Ideally, the user would decide whether to display UTC or local time, based on their system or browser's preference, the web site would just send UTC or an opaque datetime object, and the browser would render it in the user's preferred date/time format.
They don't need to collect your accelerometer's information of your IRL movements or your devices' automatic time zone stuff, I don't think. That basically gives away you're using a VPN and makes it easier to fingerprint you.
Maybe it's because I'm idealistic in addition to being old, but I think a lot of this functionality was in fact added for explicit purposes.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that I'm expecting too much.
I don’t understand why that would be an implicit agreement, though? Why would I expect that the website would not try to figure out who I am?
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
> Why would I expect that the website would not try to figure out who I am?
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
“Kill me and steal my shit” is a lot different.
This is more like, I am not offended if my neighbor notices that I leave my house around the same time everyday and come home around the same time. I don’t expect my neighbor to look away when I step outside. If I put something in my yard visible from their house, I won’t get offended if they look at it.
Killing and stealing are completely different things than “paying attention to what I do when I am doing things they can see”
Are you offended if your neighbor publishes a register of what time everyone around him goes to work, and charges $50 for any burglar to get a copy?
What are the 'burglars' in this metaphor? Are you saying ad companies are burglars? Or hackers? Or who?
If we want to make the metaphor a little more faithful: the neighbor tracking what time everyone is home is selling it to door-to-door salesmen who use that information to harass you. Meanwhile, both the guy tracking it and the door-to-door salesmen are leaving copies of the information in the open. They aren't directly selling it to burglars[1], but they are making it extremely accessible to burglars, who then use that information to rob you. There is a data breach every other day, with companies and people routinely getting extorted and in some cases victims have killed themselves. This is a direct result of the unethical behaviour of hoovering up a permanent record of everyone's every last little action, far beyond what is necessary to provide any service.
[1] Although some data brokers do sell it directly to burglars too. All the burglar has to do is say "I'm a door-to-door salesman, will you sell me the information?". Your neighbor can't be bothered to do any kind of real verification of whether they're a salesman or a burglar.
Website is a good dog. But its owners don’t have to be good as they can re-sell data about you to someone else.
Some sites can have more than 1,000 partners - you can explore their intentions in cookies consent window.
> Why would I expect that the website would not try to figure out who I am?
Because doing so is creepy.
What makes it creepy?
Sure, but I think some of the stuff it sends isn't necessary. A website doesn't need to know the list of fonts on my machine, for example.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to popup an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
I'm not sure what the solution is here.
> A website doesn't need to know the list of fonts on my machine
Unless you disallow websites from choosing their fonts, that information is really hard to hide. Most likely impossible.
What you can do is standardize the list.
> most websites do not need to know my time zone
Almost anything with a form needs this.
Every information on that page is necessary for something common and desirable. It's not using any advanced fingerprinting that can be blocked.
The location it chose was laughably inaccurate (and since I'm the kind of person who posts here I know why). Censoring the IP address was a little cheesy, but down at the bottom it gets better.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
It starts slow but it got interesting.
I learned that either my phone's gyroscope is broken or my browser obfuscates it.
Still interesting, even if not surprising.
I think a lot of us old tech folks want to still believe in those techno-libertarian ideals of the old web. However, in order to do that we largely need to ignore the capitalistic and authoritarian ideals of the modern web.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherent to the server-client nature of the web mean that abuse is more likely to flow in one direction than the other.
I agree entirely. Those of us old enough to have experienced those dreams are naturally going to mourn the loss of the Internet as a place for wild experimentation because we know so much good came from it and there isn't any true replacement.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
One thing is using information about my connection like my IP and a different one is my browser exposing the angle that I'm holding my phone.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
No, that wouldn't be ok, but if my browser did that, I wouldn't be mad at the website for doing something with the data I sent them. I would be mad at my browser, not the web site.
I remember some users with phpBB signatures some 20 years ago that did the "I know where your IP address lives" trick. Yeah, a bit surprised this is still being done, only today not as some silly troll move in a forum but on some professionally designed website.
Yeah I totally remember people embedding an "image" which was in fact dynamically generated with PHP, showing the reader's IP or geolocation.
I remember late 90s - we made a website that greeted incoming readers with message “Hey, you come from {ip address}.”
Today, it seems that websites track and collect much data as they have partnerships with 1,000 partners (see cookies consent window).
Browser volunteering an angle at which I'm holding my phone is a bit surprising.
Why? Some web apps might want to present a different interface if you’re in landscape.
You don't need an angle for that. That is highly invasive and can be used to target unique individuals. Why not default to a pro-human oriented mindset rather than pro-corporation?
It's for games that rely on the tilt.
That's much more reliably conveyed by looking at the viewport dimensions.
My students are essentially forced to use MS services. So... there is that.
So am I, come to think of it.
That seems more of an issue with the school, though, rather than the actual web request. In this case, there IS a prior agreement between the school and MS, so there can be additional expectations about how that works.
I didn't know the browser made an agreement between myself and it. Here I am thinking that I am forced to use monopolistic tech because I, a US citizen, have zero say in the direction of technology in the country; that's decided by undemocratic financiers gambling with pension funds in SF. Silly me.
Missing the deforestation for the tree-trimmers? If it was only one or two websites blocking people it wouldn't be a problem.
> Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
My disappointment is not with websites. It is with browsers. They have continuously prioritized dark pattern support. They have consistently removed user control.
I mean it's not the websites that default to recording every keystroke, default to tracker persistence, default to phoning home with daily telemetry, etc.
When I first started using HN, I ran four very different browser engines. Now there's no real choice.
None of the information on the website I would argue is a dark pattern. The remote server knows my IP address? Yes that's how the web works.
The server knows my window's resolution? Well I think thats very useful information for the application to have for layouting.
You know what other application is recording my keystrokes right now? HackerNews. "recording keystrokes" is also known as "typing in a text box"
HN does not record your key strokes until and unless you click the reply link…and then only if recording your final edited comment counts as recording your keystrokes.
On the other hand, your browser might be recording each of your keystrokes just because it can and if your browser does, those keystrokes are not going to HN.
It's trivial for HN to record your keystrokes. Any application that can read your keys can record your keystrokes - its fundamental to how software works. You wouldn't be able to write a game if you couldn't.
The distinction you are trying to make is a distinction without a difference. If you don't want sites to "record your keystrokes", then don't use a computer. Trying to paint this as nefarious is a losing battle and completely undermines any awareness you are trying to bring about.
There's a difference between HN getting the final text when you hit "reply" and a site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace or moved your mouse to switch to a different tab to look something up or if you made up some facts in the comment or if you used an extension like grammarly or anything else.
>site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace
You mean like a video game? Are video games now nefarious applications tracking you? Your browser is not "leaking" anything to websites. It's hard to understand what you are even complaining about. If you don't want grammarly to record your keystrokes, then don't install grammarly.
It's like ordering a beer and then complaining about alcohol.
Why isn't there choice anymore? Aren't all the major browsers open source?
A vibe-coded EFF Cover Your Tracks. The fact this made it to front-page is spookier than its contents
exactly, it even looks like a page created by someone asked to "replicate this, non-obviously, add fancy landing page theme".
Fugly.
Yes! By a user who's 21 days old, has never commented and is not even following this thread, as he has absolutely never replied and never will. Having these kinds of submissions not flagged is killing Hacker News.
I think at least they're following the thread: https://news.ycombinator.com/item?id=48064959
I disagree, the discussion is still interesting to me. The page might be low quality AI slop (though it claims it’s not), I did find the discussion about it informative to a degree.
The website is pretty & the overdramatic copy is fun, but there's much better fingerprinting demos out there.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
The overdramatic tone is pretty funny. "You are in [wrong city]. We could send a team of ninjas to kill you right now, but we chose not to. You are welcome."
In short, another AI-generated slop project.
I've seen this exact UI style a dozen times now and it's always accompanied with tell-tale overly verbose, overly dramatic text.
There's really a lot more you can look at here. Lots of prior art on super-cookies and fingerprinting:
https://coveryourtracks.eff.org/
https://amiunique.org/
Hmm interesting. I tried the EFF site and among other things it told me I'm on "MacIntel".
Gave me a scare, thought I'm still somehow running an x86 build of Firefox.
Both linked in the Sources & Confessions modal at the bottom. Cover Your Tracks is the spiritual ancestor of this whole piece. amiunique is more rigorous; this is the editorial cousin.
Brutally dark site doesn't seem to show much to my eyes. No modal appearing at the bottom.
Another info leakage feedback tool:
https://www.ipleak.com/full-report/
Wow! Somebody with ChatGPT discovered the concept of browser headers, then for some odd reason made the verbiage really ... weird "We chose not to tell you"... okay...
Anyway, if you really want to know what your browser is sending:
https://browserleaks.com/
https://coveryourtracks.eff.org/
> We did not ask for your location. Your address arrived before you did.
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.
If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification).
> Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
The geolocation API requires prompting the user for permission before it can be used: https://developer.mozilla.org/en-US/docs/Web/API/Geolocation...
Yes, that would have tripped the prompt asking the user, which would have had explicit user acceptance or refusal. The point is you don't need consent to do a fuzzy match using other data in most jurisdictions.
Ah I see what you're saying. I think the website's wording is just confusing, which made me think you, in turn, were saying something you weren't.
I think you are misreading this. It isn't saying they didn't ask ANYONE, they are saying they never asked YOU as a user for it.
Also, though, of COURSE your address arrived first... how else are they going to send back the data you are requesting?
> my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.
It has... shall we say, tradeoffs... in terms of latency mostly, but I suspect bandwidth is likely affected too.
I love that the very first thing it showed was wrong
> San Pablo, California, United States
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk
> Your graphics processor identified itself as or similar.
That checks out. I think what I have is similar to a graphics card but isn't quite.
My GPU identification is off by about a decade but it did get the brand right
Seriously. My laptop was manufactured last year, and the site identified it as a Radeon R9 200 series. That was a top-of-the-line GPU...back in 2014.
Same ID for mine. Are you running Firefox? Maybe that's a lie it tells to fingerprinters.
I am running Firefox. Firefox does not report your GPU, according to the site, instead returning a generic "Mozilla" GPU.
More of you should be running current Firefox. It actually has serious engineering work going into protecting you from web tracking.
I work for a team entirely dependent on web tracking for Fraud prevention. The things Firefox does work to protect you and make our job harder. They genuinely make it harder for websites to track you.
Other things that genuinely help: Apple private relay. Some VPNs. Generated unique credit cards.
I appreciate the intent here, so this is constructive feedback:
"Your browser allocated 39322 MB of storage to this page alone"The 39 GB number is a bug. I was reading quota (browser allow-up-to ceiling) and calling it "allocated." Fixed; pushing now. Contrast is intentional but I hear you. not changing it but noted, and a cleaner reading mode is on the to-do later.
Contrast is a violation of accessibility guidelines.
This site is already violating your privacy. Do you think they care about your accessibility needs?
The site isn't violating your privacy.
An instant loading page without animations and more contrast would have been more fun.
The fact that it begins with my IP address reminds me of those dubious VPN ads.
City is wrong, I may speak English but it's not my native language.
As other people said, there are much better pages showing you your browser fingerprint.
And like most people discussing these things, you entirely miss the point.
It doesn't matter whether you actually speak english natively or not, nobody cares about the actual values. Web sites don't actually care whether you have a robust font package in some way to discern whether you are a font hipster or something, they are just collecting signals.
What matters is that your physical machine and web browser combo report these values about the same way every single time they are probed, and that is used to reliably track YOU, uniquely, with great accuracy, with EVERYTHING you do on the internet, every site you visit, every mouse movement, every purchase linked back to you.
Everything.
The actual values don't have to match "reality" in any way. It's just about generating bits of signal about your setup.
> It doesn't matter whether you actually speak english natively or not
So don't you think presenting the info as if it's a great uncovered secret and then getting it wrong will lead the layman to disbelieving everything?
Of course, the other extreme is the EFF site that says "Currently, we estimate that your browser has a fingerprint that conveys at least 18.33 bits of identifying information.".
There must be some middle ground to present this info.
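Since "bits of identifying information" is the number this thread keeps circling back to, here is an added example (not from the page or the EFF tool) of how that figure is derived from signal frequencies, and why adding up per-attribute bits overstates the joint figure when attributes are correlated (a Firefox visitor and a "Mozilla" renderer string are the same fact twice). The population of 16 visitors is constructed, and `report`, `bundleBits` and friends are names chosen here.

```javascript
// Added example: "bits of identifying information" from signal frequencies.
// The population below is constructed, not real measurement data.

// Surprisal of a value seen `count` times among `total` visitors.
function bitsOf(count, total) {
  return Math.log2(total / count);
}

// Bits contributed by one attribute value, e.g. how rare Europe/Berlin is here.
function attributeBits(population, key, value) {
  const count = population.filter((p) => p[key] === value).length;
  return count === 0 ? Infinity : bitsOf(count, population.length);
}

// Bits of the whole bundle: how many visitors share every listed attribute.
function bundleBits(population, visitor, keys) {
  const count = population.filter((p) => keys.every((k) => p[k] === visitor[k])).length;
  return count === 0 ? Infinity : bitsOf(count, population.length);
}

// Naive total: add each attribute's bits as if the attributes were independent.
function naiveSumBits(population, visitor, keys) {
  return keys.reduce((sum, k) => sum + attributeBits(population, k, visitor[k]), 0);
}

// Constructed population of 16 visitors: browser, timezone, WebGL renderer string.
function repeat(n, v) { return Array.from({ length: n }, () => ({ ...v })); }
const POPULATION = [
  ...repeat(6, { browser: "Chrome",  tz: "America/New_York",    gpu: "ANGLE (Intel)" }),
  ...repeat(4, { browser: "Chrome",  tz: "America/Los_Angeles", gpu: "ANGLE (Intel)" }),
  ...repeat(3, { browser: "Firefox", tz: "America/New_York",    gpu: "Mozilla" }),
  ...repeat(2, { browser: "Firefox", tz: "Europe/Berlin",       gpu: "Mozilla" }),
  ...repeat(1, { browser: "Chrome",  tz: "Europe/Berlin",       gpu: "ANGLE (AMD)" }),
];
const KEYS = ["browser", "tz", "gpu"];

// Per-attribute bits, the naive sum, and the honest joint figure for one visitor.
function report(visitor) {
  return {
    perAttribute: Object.fromEntries(KEYS.map((k) => [k, attributeBits(POPULATION, k, visitor[k])])),
    naiveSum: naiveSumBits(POPULATION, visitor, KEYS),
    bundle: bundleBits(POPULATION, visitor, KEYS),
  };
}
```

For the Firefox/Berlin visitor the bundle is shared by 2 of 16, so it is worth exactly 3 bits, while the per-attribute sum comes to about 5.8 bits because the renderer string just restates the browser choice. The lone Chrome/Berlin/AMD visitor is unique in this population (4 bits, the maximum 16 visitors can yield), which is the "bundle is identifying" point even though none of that visitor's individual values is rare on its own.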
> Where you were before
> news.ycombinator.com
This has always bothered me the most. I disabled the 'Referer' header once, but it breaks many websites.
I just found a new(?) setting in Firefox, to spoof the Referer header, instead of omitting it. Will try that for a while and see how it works.
The Referer header is the one that's hardest to opt out of cleanly, strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers but it's still origin-dictated, not visitor-dictated.
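To make the policy names above concrete, here is an added example (not the demo site's code) that computes the Referer value a browser emits for a navigation under each Referrer-Policy value, following the spec's rules: credentials and fragment are always dropped, `https` to `http` counts as a downgrade, and origin-only variants keep just scheme, host and port. The URLs are constructed and `referrerFor`, `stripForReferrer` and `demo` are names chosen here.

```javascript
// Added example: what the Referer header carries under each Referrer-Policy value.
// Pure function over WHATWG URL objects, so it runs in Node or in a browser.

// Strip credentials and fragment (always), and path/query when only the origin is sent.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// A "downgrade" is a navigation from a TLS-protected page to a plaintext one.
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === "https:" && new URL(toUrl).protocol === "http:";
}

function isSameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Returns the Referer value to send, or null when the header is omitted.
// The default is the policy modern browsers apply when the origin sets none.
function referrerFor(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const full = stripForReferrer(fromUrl, false);
  const originOnly = stripForReferrer(fromUrl, true);
  const downgrade = isDowngrade(fromUrl, toUrl);
  const same = isSameOrigin(fromUrl, toUrl);
  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin":                return same ? full : null;
    case "origin":                     return originOnly;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "origin-when-cross-origin":   return same ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (same) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Constructed sample: a reader follows a link from an HN thread to some demo page.
const FROM = "https://news.ycombinator.com/item?id=0000000"; // constructed item id
const TO = "https://example.com/";

function demo() {
  return {
    current: referrerFor(FROM, TO),                                  // origin only
    legacyDefault: referrerFor(FROM, TO, "no-referrer-when-downgrade"), // full URL
    toPlaintext: referrerFor(FROM, "http://example.com/"),           // omitted
  };
}
```

Under today's default a cross-site click from HN sends only `https://news.ycombinator.com/`, which is precisely the "news.ycombinator.com" the page displays; the full item URL with its query string only leaves under the older `no-referrer-when-downgrade` default or `unsafe-url`. The visitor-side controls that do exist are coarser than this table: a `rel="noreferrer"` on the link or a `<meta name="referrer" content="no-referrer">` on the linking page suppresses the header at the source, and an extension or browser preference can strip it regardless of policy, at the cost of the breakage described in the thread.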
I strip/forge it with an old, probably outdated Firefox extension (Referer Control). But you still got news.ycombinator.com. How? I thought the extension was broken, but it's not.
That was actually my only surprise, everything else I was expecting.
edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.
It's interesting that this breaks things. When trying to link to an internal password vault at work it would always break. People would have to click the link on my site, then reload it to get the page to load. This was an issue for years, across multiple versions and despite many people offering up ideas to help solve it. One day I thought maybe it was a referrer issue, so I had it open with noopener,noreferrer, and that fixed it.
It seems odd that any site would require a user come from somewhere.
Hah I remember the picture of the scrotum.
Aren't LLMs smart enough to choose better color contrast by now?
Not when they've been trained on low contrast garbage.
> We know this because your IP address was the first thing your device sent us.
First paragraph, and I don't like this wording already. It's as if "my device" has any choice in the matter.
And actually, it's the reverse! Often enough your own device does not know your _actual_ public IP address without asking some kind of public service to snitch on your internet connection.
Happy to say that my browser didn't tell anything that I didn't expect it to. It even identified my IP from a location 1000km away from me.
Firefox on Android with ublock
I guess I shouldn't be surprised that it gives my exact GPU, but that was surprising to me. Just so everyone knows, it's an AMD Radeon RX 6900 XT and I paid way too much for it during the covid/crypto price explosion when they were sold out everywhere. Still a bit raw about that, but it is an excellent card on Linux (Fedora).
"Your graphics processor identified itself as or similar"
guess mine isn't such a specific model as yours. so I don't have a real GPU, i have something similar to a GPU??? did I get a knock off Alibaba version?
Real bug. Firefox returns "Mozilla, or similar" for the renderer string and my parser was grabbing the second half. Fixed; pushing in a minute. Your GPU is fine. Your browser is doing the right thing.
I got "or similar" from Firefox and exact make and model from chrome. Probably a browser issue and not a hardware issue.
Confirmed. Firefox's privacy hardening returns "Mozilla, or similar" or just "Mozilla" as the renderer string. Chrome doesn't (yet). My parser was treating the Firefox string as if it were ANGLE format and grabbing the wrong half. Fixed.
not regretting choice of browser at all
The GPU string really is the spicy one combined with screen + fonts it's enough to single you out across most of the open web. The card itself is a tank.
Yea that is a strong fingerprint. Especially if any of the other things were correct or someone has a way to model your behaviors. How long you scroll vs how often you type etc. and somehow that's still not enough for big tech and they need biometrics, photo IDs, etc.
Yeah, the bottom counter on the page is meant to make exactly that point. Mouse movements, scroll velocity, tab switches, reading pauses are all features in modern fraud / "trust" scoring systems alongside the static fingerprint. Biometrics is the next layer, and it's already happening on the back of "passive" liveness detection most people never see.
Yeah the exact kind shouldn't matter - just the WebGL capabilities.
It got mine quite wrong (Firefox).
The thing that bothered me is that browsers are still sending the Referer info. I thought that was not supposed to work under https?
you are using a Radeon RX 6900 XT on Fedora Linux. we know this because you admitted it in the previous comment.
My battery is at NaN%, the site is cool but it should probably change the text if I’m not actually exposing that information.
It got the city wrong but close to where I live. This stuff would be wildly wrong if I fired up my VPN. Although it's annoying when I'm connected to a VPN to Steam: it'll often show my prices in Canadian dollars instead of USD.
Heh, my battery (which I don't have cause this is a desktop) is at 100% apparently
Battery: kept back Your browser kept your battery level back. Firefox removed this API entirely in 2016, after researchers proved it could be used to track a visitor across websites without cookies, without consent. The API still exists in the specification. It was simply hidden — from you, and from any page that might ask after it.
Well, at least something positive from the shit I take for not sheepling my way through life using Chrome
I got this message and I'm on Chrome, on a laptop. I tested in the console on that site and was able to get the battery level though, so I'm pretty sure their check is just broken.
Might be bugged or you might have some setting that doesn't allow websites to use it. Try https://googlechrome.github.io/samples/battery-status/
It seems like they know I have an iPhone with dark mode enabled, that I speak English, and that I'm in the USA (but wrong city wrong state). I am kinda unimpressed, I'm pretty sure they can get a lot more info than that.
> Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display.
It's been a long time since my 2016 iPhone has been called recent or high-end, but I'll take the compliment, thank you.
Ya, I'm not running my Pinephone's display at 2x because it's a high-end display on a $200 phone.....
The text is so dim it's really hard to read.
If you're on FF, this could be helpful for these kinds of sites (I use it all the time):
https://addons.mozilla.org/en-US/firefox/addon/site-color-ch...
Would be nice if more people were focused on fixing these issues instead of just a bunch of "we already know", and making fun of the tone of the site.
Thanks OP for reminding us of the privacy issues with our browsers. The EFF and others already told us, but the issues remain. Let's hope you're here to stay and fight for our privacy alongside us.
Thanks for that. The page isn't trying to tell anyone something they don't already know, it's trying to put it in front of the people who haven't been told. The bug reports today have been gold and the volume is meaningfully better for them.
Mine told me my graphics card was "or similar" so my stock Firefox is doing at least okay.
While I still follow the general privacy first tenets, I have ended up backing off on some tools (noscript and librewolf) at the extremes of privacy because if every site is going to track everything by my IP or by my ASN or browser fingerprint, I do have a happy medium of being private enough while not being utterly broken in my browsing.
Roughly that looks like email aliases on demand via sieve rules, uBlock Origin with liberal use of filter lists, different handles and a password manager, frozen credit ratings, and Tailscale exit nodes or Mozilla (Mullvad) VPN for uncontrolled WiFi access points for my unrootable Android device, and mostly Signal for comms.
I'm getting too old to be a privacy extreme enthusiast when all of my family side-channels everything straight to Facebook, so this is the impure level of privacy I can sustain.
Same for me, also the "screen" size is off (just shows window size), the location is off by hundreds of kilometres and other information is quite generic (battery level "kept back", small set of standard fonts available...).
Yet even with all this information most webpages still insist on showing me the language version of the country whose IP address I have rather than, you know, using the preferred language selection.
It's almost like web devs don't know the concept of traveling outside one's country.
> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
The set of fonts available in stock iOS is hardly going to be unique now is it?
That it is even possible to install fonts onto iOS would be news to most users.
Aside from the fingerprinting methods, the graphics processor string seems to be the most immediately personal data given up (other than location, which was incorrect for me). I could see sites tailoring ads around an assumed class, income, and level of digital literacy based on this data point alone.
The gyroscope and battery should not be getting exposed without permission. That seems unexpectedly invasive, and I'm in tech.
Also we should disable referrer field.
Access to the available font list might be useful for identifying devices likely issued by a particular organization. Unusual fonts that are part of an org's branding usually are installed as part of a standard device image. This allows employees to produce brand-compliant presentations, etc. I was an intern at GE in the mid-90's and we had a custom font with just one character defined - the "meatball" corporate logo.
https://coveryourtracks.eff.org/
does the same or better, without AI regurgitation and a WordPress theme.
Dunno what it is with the wording but my brain started reading it in a bit of a "Hello Clarice" Hannibal Lecter style lol
> The specific combination of fonts on your device is nearly unique — like a fingerprint made of letters
Is this one true? I've not made any changes to fonts on my phone that I know of, wouldn't it just be bog standard iPhone fonts?
Curiosity not challenge
Would be cool if you actually did track just to prove the point like "you've opened this page 6 times now, 2 of those were via VPN and one time was using the Firefox Focus browser. Have you found any flaws in the data yet?"
As far as this website reports, I'm indistinguishable from most other Mac users in Brooklyn, New York. Seems like it's not actually highlighting the frightening aspects of fingerprinting.
Yeah, your browser fingerprint might be a needle in a needlestack. You might not be able to distinguish one needle from another needle easily, but if you have enough needle samples you can start to identify what the needles are pointing at. Data aggregators collect enough pseudo-indistinguishable needles to be able to disambiguate and associate them with a known identity or cohort. For example, your mobile browser might be indistinguishable from most other Mac users in Brooklyn, but your mobile browser might be the only one running on a device from an IP address that regularly logs a meal in MyFitnessPal at that Starbucks wi-fi before making an Apple Pay/Google Wallet purchase, hits the next 8 stops on the train before connecting to the same cell tower in the narrow window as you enter your office (telling on myself a bit, tho I am in Vancouver, not Brooklyn).
Span this across all of your movements and activities across multiple aggregators and it's a trail of movement through a fog of data that is fuzzy, but enough to identify you, or a small cohort of similar users.
AI really has a problem picking proper fonts, this is barely readable...
Perhaps this illustrates the ridiculous level to which website operators make assumptions about website visitors
This phenomenon is much older than "browser fingerprinting"
Opening this page in text-only browser, i.e., no Javascript, CSS, auto-loading resources, etc., it appears to contain zero information about the visitor. Not even an IP address
https://web.archive.org/web/20260508131253if_/https://sincey...
> You came here from news.ycombinator.com. Your browser told us the address of the page you were reading before this one. Every link you follow tells the destination where you were. The page you just left knows you left. This page knows where you came from. Neither was asked.
I thought this didn't work anymore and browsers left out the referer in the case of https, is that not so then?
I believe you only lose the referer header when switching between http and https.
They forgot to add timing attack on images load time which can be used to tell if you visited X website.
https://www.ieee-security.org/TC/SP2011/PAPERS/2011/paper010...
Not since browsers started partitioning caches in 2020: https://developer.chrome.com/blog/http-cache-partitioning/
I don't think this protects from sidechannel/timing attacks applied to images load time completely.
Edit: Reading more thoroughly, probably it does to a great extent after all.
I doubt the fonts on my iPhone identify me. As far as I know, they would be the fonts it came with. Or can apps install fonts?
> Your device carries these typefaces, of the seventeen commonly probed by fingerprinting checks. The specific combination of fonts on your device is nearly unique
Is this actually true? Because I don’t even know if I have any control over this on iOS, and if I do then I’d guess almost nobody diverges from the default?
Fair point, and you're right. On iOS the stock font set is essentially uniform across devices in the same OS version, so the "nearly unique" claim doesn't hold there. Just pushed a hedge: prose now distinguishes between desktop (where fonts accumulate via apps and OS over time, and the bundle is genuinely identifying) and iOS/Android (where it isn't, on its own). Combined with screen + GPU + language + timezone the iOS version still narrows the field, but the prose shouldn't overclaim. Thanks.
So if they can figure out whether I have an expensive laptop/computer based on my graphics card, then they can adjust the prices I see on the page (e.g. higher prices for game devs/players and lower prices for plumbers). Not fair.
You can't guarantee any of this is fingerprintable without checking twice (i.e. give the user a unique URL, then ask them to restart the browser and visit it). In privacy browsers like LibreWolf or Mullvad Browser this is almost all spoofed, save for things like the IP which needs to be hidden/changed independently of the browser.
Correct on rigor. Proving a fingerprint requires the two-visit protocol you describe. The page doesn't actually compute a stable fingerprint or attempt to track returning visitors, it shows you the signals that go into one. The barcode at the bottom is deterministic from the data shown but isn't compared against anything stored. Sloppier than a real fingerprinting tool, by design.
Huh? The user mwheelz seems to have been [dead]'d in the time this post has been on the front page. If I look at their comments page, those posted more than 46 minutes ago (at the time of writing) are normally visible and the rest are [dead].
https://news.ycombinator.com/threads?id=mwheelz
Mods, is there something we should know? Is there maybe a reason to stay away from the linked website?
How did you prompt Claude to be so paranoid but also bad at fingerprinting?
Of course the browser knows my IP and language. Nothing on this page is really surprising
It seems to have a little trouble with lynx... https://en.wikipedia.org/wiki/Lynx_(web_browser)
Most of this is pretty standard stuff but one thing I did learn is some of the fingerprinting techniques I wouldn't've thought of. Like Mozilla/Apple not sharing GPU or battery information being used to confirm which browser I use even if I fake the User Agent String.
"With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
This is surely only partially true.
I thought the referer was not available under https anymore
It's mixing confidential info. For example, you know I'm connected from a location, but you do not know my precise location. I connected from a tower that is from Odido, but I am not paying Odido for a subscription.
Right, IP-to-geo is approximate and gets a lot of cases wrong (yours among them). Most ad networks use it as a region/DMA hint, and not precise positioning. The point of including it isn't precision. It's that any location is more than nothing, and the visitor never opted in.
DuckDuckGo browser helped mask some stuff, but definitely a fair amount still goes through.
Annoyingly the web is becoming a bit more annoying to browse as a DuckDuckGo (mobile) and Brave (desktop) user. With a VPN on top it gets even worse.
Cute detail: if you switch to another tab and then back again it shows a banner at the top:
> You left for 6.3 seconds. We noticed.
Trying this in Lynx I'm surprised it didn't at least get some information from me in the request headers. You don't need JavaScript to pull things out of them.
Someone should do a demo where they take all the info from the browser and feed it to an LLM to describe the person as accurately as possible. I bet it would be 10x better than any horoscope.
Browsers are stuck between compatibility and privacy. Every bit of environment detail has some site that claims to need it, and every extra bit makes users easier to distinguish.
I prefer https://fingerprint.com/demo
Terrible company, at least you know you are testing what is being used.
What's terrible about them?
They track us around the web.
But anybody (in tech, I mean) knows that a browser client leaks a lot of things and sustained tracking is easy even cross-browser (and cross-device too with more advanced techniques), including history (easy to know which websites were visited with timing analysis in loops and iteration). It falls on the user to achieve privacy, but it requires heavy sacrifices that frankly most users are not willing to make; fingerprint.com is really basic and doesn't go to great lengths at all to track users (fortunately).
Reality is that most do not care about privacy (look at the number of Google users, even developers themselves who are completely aware of it and continue to "embrace" the mass tracking). There is also the mass brainwashing, which is an issue where people that use VPNs think that they are anonymous, and this is terrifying to think (thank you NordVPN nonsense, which also uses Google Analytics, which then correlates entire traffic later on, what a joke).
Similarly, just like how somebody would think that a company selling weapons that are expressly used to harm protestors is a terrible company, a company that tracks its users and invades their privacy is a terrible company.
We can see that big companies are able to do a great deal for privacy like Cloudflare and Apple (relatively speaking).
>Reality is that most do not care about privacy
Most people don't understand how much they are being tracked online, and even less know how to start preventing it. The vast majority of people care deeply about privacy. It is a natural human desire. Ask someone that says they have "nothing to hide" if they would be willing to let you install a camera pointed at their bed. Are they doing anything wrong in bed? Anything to hide? No. They still deserve privacy.
Saying you don't care about privacy because you have nothing to hide is like saying you don't care about free speech because you have nothing to say. [1]
Just because people don't care about the issue doesn't mean they shouldn't have the right by default. Privacy should be the default. It is bad for you to have less privacy because it gives governments, corporations, and other people significant power over you and allows them to harm you more easily. Also it is your right, just like the 1st amendment.
[1] Edward Snowden
I would never use NordVPN–I think their marketing is deceptive and they don't accept private payments, among other issues, but there is a big difference between the VPN collecting data and just their website. Bitwarden has a privacy respecting pw manager, but their website uses analytics.
Absolutely, Nord is a sh*t company when it comes to privacy; they removed the anonymity claim as well recently and changed it to "Security", but anyway a VPN is far (very far) from being enough to reach a decent level of opsec. Anyway, VPNs that care can start using Enclave at the very minimum, but it's insufficient as traffic can easily be correlated if you disconnect peers one by one (gov can just sniff the DC firewall, then DDoS each IP connecting through it, check if the guy is still online... (ton of ways)). Mullvad is clearly more trustworthy regarding the steps taken to ensure more privacy, but it's not enough on its own and even they say so.
For Bitwarden, well, US government (and Google, and more) is aware of your usage of it through their analytics so I wouldn't say it's really privacy respecting but sure, there is a bigger effort yeah.
pretty interesting but why's this website so dramatic, like it thinks it's making me uneasy and paranoid or something
Because it's AI slop. It's the same tone every time
Yes, I'm on a MacBook Air in Eastern Time and I speak English. I'd have told the website that myself if they had asked it.
Eastern Time, USA, or closer to Bangladesh?
The text legibility of the gray on black is a serious problem. My eyes aren't that bad but I can barely read this.
My eyes aren't great and I had to pinch-zoom to read parts of this page.
You could have used show hn since you made it
Tell me what kind of smell my last fart had. Now this will be scary.
With javascript off it just stalls at "reading" forever. There are certainly some viewport properties and other things it does know even without JS execution, but the mitigation is significant. And the page itself (the JS application) cannot act on that data or communicate it. Instead it has to be processed by some other application on the backend or wherever. Not in my browser by my computer.
I can't help feeling that if you're turning JS off, you might as well turn off your computer to protect your data.
As an experiment, I made a small retail shop (< 30 products) that would use JS for modern style async/await calls, but would then use old school POSTs if JS was disabled with full page reloads on every POST. it sucked to dev and as UX, but it was possible to do. Had the non-JS POST style updates been any less annoying, it might have been viable. Nobody likes full reloads. They suck. JS can do nice things for UX. It's just that we can't have nice things because people suck
That's what frames are for. Only reload the frame with the important data in it (total cost, list of products in cart) and point the category links in the page to open in the same frame as the shopping cart. You can even style the frame contents with the main page's stylesheet so it only needs to load a `$41.29` total if that's all that's changed.
No, I did not defile myself that badly by using frames nor layout with tables either. <shudder> I did layout with CSS. It wasn't just an update to the total. It was a proper modern day UI look (if not so much feel) so that it had a collapsible shopping cart on the side so you could see the items and quantities and link back to the item's page.
Nah, HTTP logs still leak my circadian rhythm.
This site actually works just fine without JS.
That's actually a fantastic idea!
Oh wait, no, I'm an e-addict. Drat! Curse this monkey!
If the color scheme weren’t so atrocious, it would almost be possible to read what it says.
How do we get our browser to stop sending all this information? It's really maddening.
I tried it with a VPN running and in the Mullvad browser and it got all the big stuff wrong.
"Where are you" was sent to another location due to the VPN; this was all it really impacted. "When you arrived" was wrong because of the Mullvad browser; even without the VPN enabled it reports that I'm in Reykjavik, which I'm not. "What you brought with you": it got the resolution wrong, as the browser locks itself to various resolutions to prevent this kind of fingerprinting. GPU and Battery both say "kept back"; I assume this means it couldn't get anything, because when I run in Safari it says Apple GPU.
2/3 of the big browsers are open source, you could just change it this year! (Assuming your mobile device isn't from the former personal computer company turned status symbol manufacturer).
Harder problem is getting the economic system that relies on this information swapped out. Have fun when 99% of web doesn't 'work'.
Something attacked my computer. I shut the page, and some old one popped up. I shut it, and they popped up again. I shut my browser, and Notepad++ was filling with <cr><lf>. I closed Notepad++, closed every open app, and restarted.
I'm not worried about my privacy. No one can read the dark text on that page anyhow.
Update: I pushed two rounds of fixes for things people caught.
1. GPU "or similar" stranded prose. Firefox returns "Mozilla, or similar" as the masked renderer string and my parser was grabbing the second half. Masked-GPU case now gets its own observation.
2. Desktop battery showing NaN/100%. Chromium reports a phantom 100%-charging battery on machines without one; my filter was too narrow. Stricter check, falls through to "kept back."
3. Storage quota of 39+ GB reading as implausible. Now expressed in GB, and the prose was reworded ("would let this page write up to" rather than "allocated to").
4. Screen size matching window size (Firefox letterboxing / Brave farbling). Page now names it: "your browser appears to be returning the viewport in place of the real screen — anti-fingerprinting at work."
5. "Recent, high-end display" being claimed on old retina devices (iPhone 5-class). Tightened the heuristic.
6. No-JS hangs at "reading." <noscript> block added.
Worth saying directly since it came up. The prose is hand-written. Each observation has a small set of templated registers and the code selects among them based on what the data returns. There is no LLM in the runtime path. AI helped me iterate on the spec like it does for most projects now. The sentences on the page are mine. If that's not the kind of work you're in the mood for, fair, but the slop charge is wrong.
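An added example of the two checks items 1 and 2 describe (the masked-renderer case and the phantom desktop battery), written as pure functions. This is not the site's code; the renderer and battery values below are constructed for illustration, the ANGLE parsing handles commas inside the renderer part (Mesa strings have them), and `describeRenderer` / `describeBattery` are names chosen here.

```javascript
// Added example: masked-GPU and phantom-battery checks as pure functions.
// Not the site's code; inputs in the usage are constructed.

// Interpret a WEBGL_debug_renderer_info UNMASKED_RENDERER_GL string.
// Chromium wraps the GPU as "ANGLE (Vendor, Renderer, Backend)"; the Renderer part
// may itself contain commas, so split on the first and last ", " rather than all.
// Firefox's anti-fingerprinting returns "Mozilla" or "Mozilla, or similar".
function describeRenderer(raw) {
  if (typeof raw !== "string" || raw.trim() === "") return { masked: true, model: null };
  const s = raw.trim();
  if (/^Mozilla(,\s*or similar)?$/i.test(s)) return { masked: true, model: null };
  const angle = s.match(/^ANGLE \((.*)\)$/);
  if (!angle) return { masked: false, model: s }; // e.g. Safari's "Apple GPU"
  const inner = angle[1];
  const first = inner.indexOf(", ");
  const last = inner.lastIndexOf(", ");
  let model;
  if (first === -1) model = inner;                          // "ANGLE (Renderer)"
  else if (first === last) model = inner.slice(first + 2);  // "ANGLE (Vendor, Renderer)"
  else model = inner.slice(first + 2, last);                // "ANGLE (Vendor, Renderer, Backend)"
  return { masked: false, model };
}

// Interpret a BatteryManager-like object. The spec's "no battery present" values are
// level 1.0, charging true, chargingTime 0, dischargingTime Infinity; Chromium reports
// exactly that on desktops without a battery, so treat it as undisclosed, not "100%".
function describeBattery(b) {
  if (!b || typeof b.level !== "number" || Number.isNaN(b.level)) return { status: "kept back" };
  const phantom = b.level === 1 && b.charging === true &&
                  b.chargingTime === 0 && b.dischargingTime === Infinity;
  if (phantom) return { status: "kept back" };
  return { status: "disclosed", percent: Math.round(b.level * 100), charging: b.charging === true };
}

// Constructed inputs: a Chromium-on-Mesa string, Firefox's mask, Safari, a phantom
// desktop battery and a real laptop reading.
function demo() {
  return {
    chromium: describeRenderer("ANGLE (AMD, AMD Radeon RX 6900 XT (navi21, LLVM 15.0.7), OpenGL 4.6)"),
    firefox: describeRenderer("Mozilla, or similar"),
    safari: describeRenderer("Apple GPU"),
    desktop: describeBattery({ level: 1, charging: true, chargingTime: 0, dischargingTime: Infinity }),
    laptop: describeBattery({ level: 0.42, charging: false, chargingTime: Infinity, dischargingTime: 5400 }),
  };
}
```

One caveat worth knowing before copying the battery filter: a laptop that is plugged in and sitting at 100% reports the same four values as a desktop with no battery, so the stricter check also hides that genuine reading. The ambiguity is in the API itself; Firefox sidesteps it by not exposing `navigator.getBattery` to web content at all.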
But why don't you show real tracking capabilities? Not what's accessible via the browser directly and legally :/
It's somewhat interesting but over half of what it talked about is just silly.
- Reverse IP/geocode (while being cute about "we won't show your IP", oh no, not my IP!)
- Timezone - Ok, yeah, lots of websites need/make use of that for completely legit tasks
- Browser/OS/Screen size - boring, again mostly needed or historical
- GPU - Again, not super interesting IMHO
- Battery - Ok, this is the first one I think should be behind a permission dialog
- Language - Come off it, that's just table stakes
- Fonts - Again, not sure how else this should work in a "perfect" world
- Cookies/dark mode/DnT/etc - Ehh, again aside from fingerprinting (which ruins everything) these are all QoL improvements IMHO
- Referrer - Again, this is just how the web works
I think the websites that take all of that and show you a fingerprint or show the data in a more data-oriented way are way more compelling.
This, almost certainly vibe-coded, website doesn't do anything novel and hits on a huge pet peeve of mine: using low-quality arguments for a legit issue (fingerprinting). By mixing in stuff like your IP/Language on the same level as Battery/GPU/other-fingerprinty-things it makes the whole argument less compelling.
I'm with you on almost all of this, but since you (almost) asked, here's how I think fonts should work:
The server tells your browser to display a line of text in a specific font. If that font is available, your browser does so, and if not, it displays the text in your default font, or a backup font if the developer specified one. There's no need for the server to know if it's there or not.
That's essentially how things used to work, and the problem is that it too can be gamed using JavaScript. For example, a relatively naive approach might be:
1. Make an HTML <span> element that contains "The quick brown fox jumps over the lazy dog" written in the default font.
2. You can't query what font that was, but you can use the getComputedStyle() DOM function of that element to work out the width (for example) of the resulting element. Note this down.
3. Do the same for all the different fonts that you want to test.
4. If any element's width differs from the default's noted in step 2, then the corresponding font is guaranteed to be installed on your system.
As written, this won't detect the font that the user has selected to be the default font (because it won't detect the width as being different). However, you can work around this (and remove most false negatives to boot) by a simple addition:
5. Pick one of the fonts that you detected as being installed.
6. Create more elements (as in step 1) that correspond to all the fonts that were detected as being the same width as the default, but have the font you selected in step 5 as a fallback. (e.g. 'font-family: Testing, Fallback;')
7. Any element with a width that differs from the font you selected in step 5 is installed on the system.
What you get will be a relatively complete list of what fonts are on the system out of the ones you tested. If you want more accuracy, you can do a similar thing with individual letters instead.
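The seven steps above, as an added example that is not the commenter's own code: a JavaScript implementation of the width-comparison probe with the comparison logic kept separate from the DOM, so the same function can run against a simulated browser offline (the constructed font-width table below) or against a real one through a hidden span. The `measure` callback, the `makeDomMeasurer`/`makeFakeMeasurer` helpers, the sample font names and their widths are all assumptions made for this example, not anything from the page.

```javascript
// Added example, not code from the page or its author: the width-comparison
// font probe described above, written so the comparison logic is separate
// from the DOM and can be run against a simulated browser or a real one.

const PANGRAM = "The quick brown fox jumps over the lazy dog";

// Steps 1-4: measure the pangram in the default font, then in each candidate
// font; a width that differs from the default means the candidate rendered,
// so it is installed. Steps 5-7: candidates whose width matched the default
// are retested with a known-installed font as CSS fallback; if the width now
// differs from that fallback's width, the candidate (not the fallback)
// rendered. `measure(fontFamilyCss)` returns the rendered width for a
// font-family value; "" means "no font-family set", i.e. the default font.
function detectInstalledFonts(candidates, measure) {
  const quote = (f) => `"${f}"`;
  const defaultWidth = measure("");
  const installed = [];
  const undecided = [];
  for (const font of candidates) {
    if (measure(quote(font)) !== defaultWidth) installed.push(font);
    else undecided.push(font);
  }
  if (installed.length === 0) return installed; // no anchor font for the second pass
  const fallback = installed[0];
  const fallbackWidth = measure(quote(fallback));
  for (const font of undecided) {
    if (measure(`${quote(font)}, ${quote(fallback)}`) !== fallbackWidth) {
      installed.push(font);
    }
  }
  return installed;
}

// Browser measurer (assumes a DOM): one hidden span whose font-family is
// swapped per call. getBoundingClientRect() is used for the width instead of
// the getComputedStyle() the comment mentions; both report the rendered box.
function makeDomMeasurer(doc) {
  const span = doc.createElement("span");
  span.textContent = PANGRAM;
  Object.assign(span.style, {
    position: "absolute", visibility: "hidden", whiteSpace: "nowrap", fontSize: "48px",
  });
  doc.body.appendChild(span);
  return (fontFamily) => {
    span.style.fontFamily = fontFamily;
    return span.getBoundingClientRect().width;
  };
}

// Simulated browser for offline runs: a constructed table of pangram widths
// for the fonts "installed" on the fake system plus its default font name.
// Resolves a font-family list the way CSS does: first installed entry wins.
function makeFakeMeasurer(widths, defaultFont) {
  return (fontFamily) => {
    const families = fontFamily
      .split(",")
      .map((f) => f.trim().replace(/^"|"$/g, ""))
      .filter(Boolean);
    const chosen = families.find((f) => f in widths) ?? defaultFont;
    return widths[chosen];
  };
}

// Constructed sample. Arial is the default font, so after steps 1-4 both Arial
// (installed) and "Nonexistent Sans" (absent) match the default width; the
// fallback pass in steps 5-7 is what separates them.
const SAMPLE_WIDTHS = { Arial: 1000, Verdana: 1150, "Courier New": 1200 };
const SAMPLE_CANDIDATES = ["Arial", "Verdana", "Nonexistent Sans", "Courier New"];

function runSample() {
  return detectInstalledFonts(SAMPLE_CANDIDATES, makeFakeMeasurer(SAMPLE_WIDTHS, "Arial"));
}

if (typeof document === "undefined") {
  console.log("simulated browser:", runSample()); // ["Verdana", "Courier New", "Arial"]
} else {
  console.log("this browser:", detectInstalledFonts(SAMPLE_CANDIDATES, makeDomMeasurer(document)));
}
```

In a page, pass `makeDomMeasurer(document)` and a list of candidate font names; running the same list in a normal profile and in one with font-fingerprinting protection enabled (Firefox's privacy.resistFingerprinting, for example) shows how much of the list a browser can withhold. The simulated measurer also makes the false-negative case easy to see: give two installed fonts the same width and the one that matches the fallback's width is missed, which is why the comment suggests per-letter measurements for more accuracy.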
Fair pushback, and partially right. Most of these data points are individually defensible. Accept-Language helps with localization, Referer is just how links work, timezone is universally useful. The page's argument isn't that any single one is bad; it's that the bundle is identifying. Panopticlick / Cover Your Tracks measures combinatorial uniqueness, not any single point. The piece could be sharper about the distinction. Noted.
People discovering "just how the web works" have spawned myriad complaints, misguided laws, and general anger and confusion. I wish there was a test people had to take before they go online or something. Otherwise they'll still be mad that Chrome Incognito didn't prevent ads.google.com from registering them as a pageview statistic.
good stuff but useful for non tech ppl. We already knew those things are exposed by the browser. probably worth putting in x/reddit
> This volume requires JavaScript. That is part of the point — your browser is what is being read.
> With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops.
What? When I enable JS it shows me a lot of stuff that is only queryable with JS.
This is just... silly. Everything it told me, while browsing on my iPhone, seems entirely reasonable.
> Every page you have ever visited knows at least this much. Most of them know more. None of them told you.
So? Why would I want the news site I'm visiting to "tell me" it knows my preferred language, that I'm using light mode, or the estimated location of my IP address...?
It's not surprising that a browser which renders text can be used to identify which fonts are available. It's not surprising that a browser which allows calculation with your GPU will identify your type of GPU.
The "without asking" framing is just silly. I expect to be asked for consent to use my webcam or microphone or exact precise location. But the last thing I want is to be asked for permission around detecting my local time zone or preferred language or my screen resolution or 20 other totally reasonable things for a website to be able to know.
Right that most of these aren't surprises individually, and right that nobody wants a permission prompt for Accept-Language. The argument isn't that you should, it's that the combination is enough to identify you across sites without your awareness, and that the wider tracking ecosystem trades on that bundle. The piece is editorial about the thing existing, not a proposal to gate every header. Reasonable to push back if you find the bundle isn't the point.
Fingerprinting has existed for a long time. But this site is specifically saying "None of them told you".
The site does seem to be implying that disclosure and consent are the issues:
> We did not ask for your location.
> Nothing about this was requested. The information arrived on its own.
> Your device volunteered all of this in the first milliseconds of the connection. It will do this again on the next page you visit, and the one after that.
> No permission is required.
It's framing this as if browsers are maliciously volunteering information that ought to be protected, and that sites are maliciously hiding the information available to them.
It does seem to be clearly suggesting that even basic pieces of information ought to be available only upon request and that this must be disclosed to users.
You say this is "not a proposal to gate every header", but it's sure looking like something close to that to me.
> Your screen is 1512 by 982 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display. Your device volunteered all of this in the first milliseconds of the connection.
No it didn't. It was queried by the JS running on the page. It's a fun demo but it could really do without the slop prose.
Pedantic but right. The JS queries them; the browser returns them without prompting the user. "Volunteered" is the editorial verb for that round-trip but it does paper over a layer.
It's relevant because connection-level fingerprinting is directly visible to intermediaries like cloudflare.
Yeah, no need for JS to track resolution or even mouse movements with timing; pure HTML/CSS can do it.
the breathless fearmongering but also condescending tone of this really makes it hard to take seriously. yeah, you can "digitally fingerprint" me when i browse the web. do you know when else you can get my fingerprints? literally any time i touch something in the real world, i leave my fingerprints behind. and nobody is making websites telling us all what a risk to privacy that is.
if you want to make me afraid of browser fingerprinting, try explaining how that information can be used to harm me. i'm aware that it's possible, i just don't care because it doesn't seem like it's that big of a deal.
dark gray on black text was a terrible choice, virtually unreadable contrast
It's Claude that chose this and it doesn't really have eyes, so that's the reason
what a terrible reason lol. i should mention i use light mode and it got that wrong to boot
Man, what an awful looking site. I shouldn't have to crank my brightness to max to kind of read the words.
I agree, this site is an eyesore.
I use windows color filters (Grayscale inverted is my preferred, in the past I used plain inverted) for poor man's dark mode (or light mode in this case) for stuff that doesn't honor my color scheme and hurts my eyes. It also has a hotkey, so it is really handy sometimes, but you need to enable it in the settings.
Assistive technologies are great, not only because they benefit those who have no choice but to rely on them, but also they can benefit the luckier people.
Vibecoded slop with LLM-written copy. When will it stop
According to the "Sources" popup, the creator can't even excuse the slop as AI slop:
> The prose
> Hand-written · Template-based, not generative
> Every sentence on this page was written by Matt. The code selects among prose templates based on what your browser returned. No language model writes or rewrites anything at runtime. If a condition is not covered by hand-written prose, the page stays quiet about it — we'd rather say less than say something false.
We desperately need some tagging system/convention here. Maybe just putting [AI] into the title. This bullshit is getting really tiring.
It looks like this is an ad by the way, check op's posting history
All these submissions come from bots, and users with accounts younger than a month with one single submission (in this case three times the same submission). Maybe the system should block anyone with lower than xyz points and 20 comments to post any link? I dunno, I guess it's hard but this shit is really affecting the community.
Unreadable and useless vibe coded shit. Submissions like this are why I've all but stopped using HN
I didn’t find it unreadable. It was pretty neat in my opinion.
45% grey text on a 10% grey background set in a light serif font.
The stats are wrong - on Android my finger has not moved triple digit times, and I haven't tapped double digit times. In 4 seconds.
My general location is also wrong.
This site's theme is barely visible.
And the entire idea for the site is at least a couple of decades old.
Unoriginal slop.
It's pretty scary when you see it like this.
It's really bad, it's not using proper fingerprinting techniques, no network stack fingerprinting, no browser history via DNS poisoning, no narrowing down exact country with timing and so on. I mean this is even inferior to basic tools like amiunique, what's the point?
It's a piece of AI slop that this user, with an account created 21 days ago, has been spamming here for the third time.
None of the information identified for me was surprising using an up-to-date Firefox on Mac w/ a mostly default configuration. I had to unblock Javascript in NoScript for the page to work.
I get the point, but I think the EFF Panopticon page is a better representation of browser fingerprinting and how it works, because most of the things shared are really basic elements of data that aren't personally identifiable. You can absolutely fingerprint Firefox with a default config, so obviously this was vibe-coded and just doesn't do much. Cool, you did a GeoIP lookup, read the user-agent, the referrer header, and the accessibility data, exactly zero of that should be surprising to anyone that knows how you access a website.
"Your screen is 320 by 568 pixels, rendered at 2x density — which means it is almost certainly a recent, high-end display."
Not quite, I'm on a 2016 iPhone SE
I wish it knew that I absolutely hate dark modes with such low contrast.
I can’t even read this on my phone, the text is too small and the contrast is terrible
> You have been on this page for 92 seconds. You scrolled 0% of the way down. You never left this tab.
Uhm... how did I get to the bottom if I scrolled 0%?
Another vibe-sloped false-integrity derivative. Cmon, OP..
Wow! A significant amount of that information is wrong. I guess my corporate security is doing their job pretty well.
Jokes on them, they got the wrong IP address, dummies!!! My IP address is 127.0.0.1!
This is a great exercise, it's generally accurate on location but it's hard to express how granular they can be identifying users through browser information. Fonts? Display size? Processor? How unique is that really in layman's terms?
Your browser discloses a lot more fingerprinting data than this
hrm. We need a modified browser that just randomly switches the fingerprints for LinkedIn.
Another unreadable piece of slop with Claude fonts and style that this user has already spammed three times here with an account created 21 days ago.
This is out of control, and y'all just comment these threads as if they're made by humans.
Ok…
Are we supposed to care?
At least it doesn't know my age
Oh wait
Netscape user. Always a giveaway.
We've seen tens of pages like this, all done better. Now the vibe coders got into it and completely fuck up the idea.
Lol, the description text is so dramatic.
it got both my city and browser wrong i am not too concerned lol
>OH MY GOD WE KNOW STUFF ABOUT YOU
people's obsession with 100% privacy while operating in a public space is immature. if you're that risk averse don't connect to the internet.