Posted by mwheelz 23 hours ago
https://institut-fdh.de/?2026-aya
There's also this well known page which does the exact same thing in a more ordered way:
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?
https://github.com/fingerprintjs/fingerprintjs
Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can't. Integrations aren't exactly hard to make, quality is hard yes, but making half-assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on that requires their explicit malware in order to use, what is unique about their fingerprinting versus what fingerprintjs provides?
TBH, it's never anything super exotic (though it helps) but simple stupid basic things like cookies that do 70% of the work here. Also, your IP address at home is _really_stable_.
If I can give you a sticky cookie (cookies, IndexedDB, localStorage), a half-assed fingerprint, and tie it to your IP-address, and know you're not on a cell-tower; this is probably good enough for most purposes.
Use Safari on private relay in private mode.
> Since you can detect light mode, would it kill you to honor it?
It would probably still be low contrast garbage even if it did. :/
... Wait, 36 isn't old is it??
My guess is this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner can't make the changes without a sloperator.
"English · Chinese Your browser’s primary language is English. It also carries Chinese. This tells us not just what language you speak, but often where you were raised, where you have lived, or who you live with. This is transmitted in the header of every HTTP request. It has been doing this for as long as you have used this browser."
No, the fact that I have English and Chinese as input languages does not tell it "where I was raised, where I have lived, or who I have lived with." Might as well say "the fact that you're using a phone to look at the Internet reveals that you are someone who can access a phone to look at the Internet!". Yes, technologies interact with other technologies. That's how "technologies" work. Is it Orwellian? Yes. But is it more Orwellian than the surveillance states of Russia/China/North Korea, etc.? We also can now find our phones/cars/devices that can share location, locate criminals by way of their online activity, record incidents that "need" to be recorded (like when ppl are committing crimes or when police officers need to be held accountable for their behavior). Catastrophizing about the "overreach" of tech is a cognitive choice. That all being said, it is good to be aware of what info our technologies "know" about us.
I'm using Apple's Private Relay VPN so it was hundreds of miles off. It's always interesting to see where websites or services think I'm located using their geolocation databases, but if I turn it off they can pinpoint me within a couple of miles. Thankfully almost nobody has ever blocked Apple's VPN, so I never have to turn it off.
> Since you can detect light mode, would it kill you to honor it?
Seriously, I'm in my mid-30s but some of these dark mode sites make me feel mid-80s. I can't see shit on this site.
Same, it claims Brussels, but I'm in Antwerp. It also got my screen resolution wrong.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, it's just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy it's probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
Are you like /severed/ or something? Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
That it should in some way affect my mental health has never once occurred to me. If anything, i assume that living on one's body's own natural schedule would be optimal in terms of related effects on mental health.
> How do you deal with times day and night are flipped?
When there's not something pressing me into a schedule, e.g. a job, i kind of "circle around" to a conventional schedule every few weeks. All things considered, i prefer the "swapped" times because it's quieter at night. e.g. less traffic driving by, fewer neighbors making various noises, and no DHL/UPS/DPD deliveries for the neighbors being dropped off here because the neighbors aren't home (whereas i am almost always at home and both the neighbors and the local delivery folks know it).
i'm a retiree so, with the exception of shopping and rare appointments, the night/day or weekday/weekend[^1] are not generally distinctions which affect me, and it's never bothered me in the slightest to not have a fixed schedule. On the contrary, a fixed schedule somewhat bums me out long-term, presumably because it does not match my biological clock.
> How does it affect your social life?
My social life is (by preference and choice) comprised solely of (A) my FOSS work, and there's no clock associated with any of that, and (B) my wife. Both my and my wife's biological families are all on another continent, so we've no family obligations which require physical presence. When i'm not FOSS'ing, we play a lot of board games.
[^1]: stores are closed on Sundays and all public holidays in Germany. More than once i've gone to the store, only to discover it's closed due to a holiday i've overlooked (like, most recently, May 1st).
* Your socks don't match anything in the room.
* The man you thought you killed in Tuscaloosa woke up and walked home an hour later and is now a chiropractor in Shreveport.
* Your daughter is pregnant by the kid who trims the hedges.
* Your dog is dreaming about the squirrel in the wood pile.
How does it know?
oOoOohh my settings worked as intended, spooky!
But I am the only person in this timezone in the world. It uniquely identified me!
My browser fingerprint was unique among the visitors in the past 45 days.
Exactly. A few weeks ago, there was an article about the age limit for social media. And everyone was full of criticism on how it affects privacy. But when there is a post about how browser profile serves de facto as a user identifier, then people are "Of course, what's the problem? We all know that, that's the way it has to be".
Gotta love Firefox with uBlock Origin in advanced mode, even without JavaScript disabled so the site worked.
Did you enable Firefox resist fingerprinting? Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
So if you use this information you still need to disclose it and process data in accordance with the law.
It is definitely not legal in Europe, when used to track individual users. The consent pop-ups are not only about cookies.
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in any way it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to). I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISP's upstream provider?
no data was cast to internet, it was all code executed with local user permissions to access the devices devices and logfiles displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation, it's not a joke, it's handgun serious.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
Most web sites have no business knowing my time zone. Why are browsers offering it up? That should be gated on the user's permission.
Most web sites should not be able to determine what my screen resolution is, or what my operating system is. Browsers should also hold that back and only disclose it with the user's permission.
Most web sites should not by default have access to all the shit JS gives them access to. Battery Status, Web Audio, WebGL, Sensors, WebRTC, Geolocation, media devices (camera and mic), clipboard, local storage... All of these have uses, but should be behind individual, easy to access per-website preferences, and by default the site shouldn't even be able to query for their existence (which is enough to fingerprint), let alone call them. I shouldn't have to blanket turn off JavaScript to kill these things.
All a website needs to know about me, my browser, or my computing environment is I want to "GET /".
That would work if websites only displayed dates in UTC. Which is not what most people expect. Browsers need to know your timezone so timestamps can be displayed with the right setting for you.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that i'm expecting too much.
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
This is more like, I am not offended if my neighbor notices that I leave my house around the same time everyday and come home around the same time. I don’t expect my neighbor to look away when I step outside. If I put something in my yard visible from their house, I won’t get offended if they look at it.
Killing and stealing are completely different things than “paying attention to what I do when I am doing things they can see”
[1] Although some data brokers do sell it directly to burglars too. All the burglar has to do is say "I'm a door-to-door salesman, will you sell me the information?". Your neighbor can't be bothered to do any kind of real verification of whether they're a salesman or a burglar.
Some sites can have more than 1,000 partners - you can explore their intentions in cookies consent window.
Because doing so is creepy.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to popup an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
I'm not sure what the solution is here.
Unless you disallow websites from choosing their fonts, that information is really hard to hide. Most likely impossible.
What you can do is standardize the list.
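Added example, not part of the thread or any commenter's code: it measures how many visitors are unique by fingerprint before and after the kind of standardization discussed above (a fixed font list, a rounded window size, a fixed time zone). The visitor records, the `STANDARD_FONTS` list and the bucket sizes are constructed assumptions, not any browser's actual rules.

```javascript
// Constructed sample visitors (not real data): attributes a page can read.
const VISITORS = [
  { tz: "Europe/Berlin",       langs: ["en-US", "de"],    screen: [1920, 1080], fonts: ["Arial", "Helvetica", "Fira Code"] },
  { tz: "Europe/Brussels",     langs: ["en-GB", "nl"],    screen: [1912, 1050], fonts: ["Arial", "Helvetica"] },
  { tz: "America/Los_Angeles", langs: ["en-US", "zh-CN"], screen: [1366, 768],  fonts: ["Arial", "Helvetica", "Noto Sans CJK"] },
  { tz: "America/Los_Angeles", langs: ["en-US"],          screen: [1360, 760],  fonts: ["Arial", "Helvetica", "Comic Neue"] },
  { tz: "Asia/Tokyo",          langs: ["ja", "en"],       screen: [2560, 1440], fonts: ["Arial", "Meiryo"] },
];

// Assumed standardized font list: only these are ever reported.
const STANDARD_FONTS = ["Arial", "Helvetica"];

// Fingerprint key built from the raw values a site would see today.
function rawKey(v) {
  return JSON.stringify([v.tz, v.langs, v.screen, [...v.fonts].sort()]);
}

// Fingerprint key after standardization (illustrative rules):
// fixed time zone, primary language only, window size rounded down
// to 200x100 steps, fonts limited to the standard list.
function normalizedKey(v) {
  const lang = v.langs[0].split("-")[0];
  const screen = [
    Math.floor(v.screen[0] / 200) * 200,
    Math.floor(v.screen[1] / 100) * 100,
  ];
  const fonts = v.fonts.filter((f) => STANDARD_FONTS.includes(f)).sort();
  return JSON.stringify(["UTC", lang, screen, fonts]);
}

// Group visitors by key; the value is the size of each anonymity set.
function anonymitySets(visitors, keyFn) {
  const sets = new Map();
  for (const v of visitors) {
    const k = keyFn(v);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  return sets;
}

// A visitor is uniquely identifiable when their set has size 1.
function uniqueVisitors(visitors, keyFn) {
  return [...anonymitySets(visitors, keyFn).values()].filter((n) => n === 1).length;
}

console.log("unique, raw:", uniqueVisitors(VISITORS, rawKey));
console.log("unique, standardized:", uniqueVisitors(VISITORS, normalizedKey));
```

The one visitor who stays unique after standardization is the only one whose primary language differs, which shows that a single unstandardized attribute is enough to single someone out in a small population.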
> most websites do not need to know my time zone
Almost anything with a form needs this.
Every information on that page is necessary for something common and desirable. It's not using any advanced fingerprinting that can be blocked.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
It starts slow but it got interesting.
Still interesting, even if not surprising.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherent to the server-client nature of the web mean that abuse is more likely to flow in one direction than the other.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
Today, it seems that websites track and collect much data as they have partnerships with 1,000 partners (see cookies consent window).
So am I, come to think of it.
My disappointment is not with websites. It is with browsers. They have continuously prioritized dark pattern support. They have consistently removed user control.
I mean it's not the websites that default to recording every keystroke, default to tracker persistence, default to phoning home with daily telemetry, etc.
When I first started using HN, I ran four very different browser engines. Now there's no real choice.
The server knows my window's resolution? Well I think that's very useful information for the application to have for layouting.
You know what other application is recording my keystrokes right now? HackerNews. "recording keystrokes" is also known as "typing in a text box"
On the other hand, your browser might be recording each of your keystrokes just because it can and if your browser does, those keystrokes are not going to HN.
The distinction you are trying to make is a distinction without a difference. If you don't want sites to "record your keystrokes", then don't use a computer. Trying to paint this as nefarious is a losing battle and completely undermines any awareness you are trying to bring about.
You mean like a video game? Are video games now nefarious applications tracking you? Your browser is not "leaking" anything to websites. It's hard to understand what you are even complaining about. If you don't want grammarly to record your keystrokes, then don't install grammarly.
It's like ordering a beer and then complaining about alcohol.
Fugly.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
I've seen this exact UI style a dozen times now and it's always accompanied with tell-tale overly verbose, overly dramatic text.
Gave me a scare, thought I'm still somehow running an x86 build of Firefox.
Anyway, if you really want to know what your browser is sending: