card_zero
cush
The amount of fingerprinting this page reveals pales in comparison to what actually happens in the wild
jwally
Its ease is also vastly inflated. If it was as simple as this site makes it out to be, companies like fingerprint.com wouldn't exist.
shimman
Don't know about easy but their JS lib doing this is quite good:
https://github.com/fingerprintjs/fingerprintjs
Honestly surprised to see it licensed as MIT now too. It was something less permissive before. They aren't doing anything too crazy, more like being the first ones to be open about it.
I couldn't imagine what else companies like Google or Meta or TikTok can extract out of it that no one else can't. Integrations aren't exactly hard to make, quality is hard yes, but making half assed plumbing is sufficient too.
Those advertisers benefit from monopolistic markets with zero regulation while owning the platforms they sell advertising on that requires their explicit malware in order to use, what is unique about their fingerprinting versus what fingerprintjs provides?
BugsJustFindMe
* That's the wrong battery percentage and the wrong charging status.
> Since you can detect light mode, would it kill you to honor it?
It would probably still be low contrast garbage even if it did. :/
mwheelz
The 100% charging readout is the desktop-with-no-battery phantom. I pushed a stricter filter for that earlier, you may be on a cached copy (try a hard refresh). On the light-mode call: the page detects your preference but doesn't honor it, intentionally. The irony being that the demo ignores the same signal it points out. I take the cost of the annoyance.
fragmede
Okay but it's really hard to read for those of us with old people eyes.
mystraline
> It would probably still be low contrast garbage even if it did. :/
My guess is this is LLM slop website generation. And they forgot to prompt to include high contrast text... And the site owner can't make the changes without a sloperator.
EchoReflection
yeah it told me I'm "in Los Angeles" but that's just the time zone I'm in. It also "thinks" that because I have two different languages as inputs that it has scored some kind of "gotcha", but I just happen to also frequently use a second language.
"English · Chinese Your browser’s primary language is English. It also carries Chinese. This tells us not just what language you speak, but often where you were raised, where you have lived, or who you live with. This is transmitted in the header of every HTTP request. It has been doing this for as long as you have used this browser."
No, the fact that I have English and Chinese as input languages does not tell it "where I was raised, where I have lived, or who I have lived with." Might as well say "the fact that you're using a phone to look at the Internet reveals that you are someone who can access a phone to look at the Internet!" Yes, technologies interact with other technologies. That's how "technologies" work. Is it Orwellian? Yes. But is it more Orwellian than the surveillance states of Russia/China/North Korea, etc.? We also can now find our phones/cars/devices that can share location, locate criminals by way of their online activity, record incidents that "need" to be recorded (like when ppl are committing crimes or when police officers need to be held accountable for their behavior). Catastrophizing about the "overreach" of tech is a cognitive choice. That all being said, it is good to be aware of what info our technologies "know" about us.
nozzlegear
> I'm not in that city.
I'm using Apple's Private Relay VPN so it was hundreds of miles off. It's always interesting to see where websites or services think I'm located using their geolocation databases, but if I turn it off they can pinpoint me within a couple of miles. Thankfully almost nobody has ever blocked Apple's VPN, so I never have to turn it off.
> Since you can detect light mode, would it kill you to honor it?
Seriously, I'm in my mid-30s but some of these dark mode sites make me feel mid-80s. I can't see shit on this site.
cobbaut
> I'm not in that city.
Same, it claims Brussels, but I'm in Antwerp. It also got my screen resolution wrong.
georgemcbay
> I'm not in that city.
Same, it said Riverside but I'm in San Diego (about 100 miles away from Riverside).
Of course, it's just using a geolocation database for the IP address and thus reporting the location of some switching center Verizon runs and not my actual location.
If you're trying to prove a point about privacy it's probably best not to lead off with information that can be off by hundreds of miles while presenting the fact that it "knows" this information as being darkly ominous.
Presenting this information while being wrong probably does the opposite of the site's intent and gives some people a false sense of security because what real websites and apps track about you using digital fingerprinting is a lot more detailed, personalized and (usually) correct than what this website presents.
mwheelz
[dead]
quietsegfault
> Nobody can infer when I work and when I sleep. That includes me.
Are you like /severed/ or something? Surely you can infer when you work and sleep from your experience living your life as you.
sgbeal
> Surely you can infer when you work and sleep from your experience living your life as you.
Not everybody has a schedule. Mine is essentially "eat when hungry, sleep when tired", and my sleep patterns more closely follow a 26-hour day than a 24-hour day.
yard2010
This is fascinating, please do tell more about it! How does it affect your mental health? How do you deal with times day and night are flipped? How does it affect your social life?
delichon
It was much better for me.
* Your socks don't match anything in the room.
* The man you thought you killed in Tuscaloosa woke up and walked home an hour later and is now a chiropractor in Shreveport.
* Your daughter is pregnant by the kid who trims the hedges.
* Your dog is dreaming about the squirrel in the wood pile.
How does it know?
vitorfblima
This is all common knowledge, unfortunately.
flux3125
[flagged]
noelsusman
I am once again asking privacy advocates to try sounding normal for once. Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
Unai
> You prefer dark interfaces — your operating system told us.
oOoOohh my settings worked as intended, spooky!
aucisson_masque
Agree, sending my language, if I use dark mode or time zones is all data that can be used to give me a better experience so I don’t mind.
mpalmer
It's the usual terse LLM voice that makes everything sound dramatic. Nails on a chalkboard
downrightmike
That's what helped L figure out Kira was in Japan, and likely a student given the times of deaths, in Death Note. Ruled out 7.8 billion people in one step
warkdarrior
> Trying to make a browser accessing your timezone sound nefarious isn't going to convince anyone of anything.
But I am the only person in this timezone in the world. It uniquely identified me!
AlecSchueler
The claim was that a site could "infer when you sleep, when you work, and when you browse because you cannot sleep." Is that not true? I know that the timing of my HN comments tells a pretty clear story about my schedule having recently looked at a histogram.
karmakaze
Whether or not the information is accurate isn't really the point. It's that it serves as a way to identify you even without cookies. I looked for better websites, the EFF one[0] is informative.
My browser fingerprint was unique among the visitors in the past 45 days.
ifh-hn
> Our tests indicate that you have strong protection against Web tracking.
Gotta love Firefox with ublock origin in advanced mode, even without JavaScript disabled so the site worked.
therealdrag0
I got the same in my iPhone using Safari with Firefox Focus installed.
capitainenemo
uMatrix + NoScript personally (yes, seems silly, but I find NoScript's UI more convenient for script toggling, while liking uMatrix's fine grained controls)
Did you enable firefox resist fingerprinting? Also maybe letterboxing, which I think is not enabled by that flag by default, and also helps with CSS fingerprinting.
ifh-hn
I used to use umatrix, preferred it to ublock origin advanced mode. However, isn't umatrix unsupported?
eikenberry
Did you specifically re-enable javascript? Ublock origin on medium mode blocks all the tracking javascript and I'd think advanced would follow the same basic starting point.
ifh-hn
Yeah, didn't work without it.
m4ck_
If i run that (or similar sites) multiple times, shouldn't I like.. not be unique each time?
tossandthrow
At least in Europe the gdpr still counts, even when you don't use cookies but fingerprinting.
So if you use this information you still need to disclose it and process data in accordance with the law.
internet2000
"It doesn't matter that the FUD isn't accurate" Hmm.
globalnode
i'd still prefer the information be inaccurate. since sites are rude enough to try and track me, the least i can do is feed them unique garbage.
kykat
Visiting without JS: "With JavaScript off, the page cannot tell you what your browser disclosed. The data is still there. The disclosure still happened. Only the telling of it stops."
I find this hyper dramatic LLM language extremely off putting, but appreciate the signal that allows me to completely disregard it.
cortesoft
Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in any way it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
1-more
> You appear to be in Denver, United States. Your internet provider is Netskope Inc. We know this because your IP address — 163.xxx.xxx.32 — was the first thing your device sent us. We know the rest of it. We chose not to display it. Most pages would not have made that choice. We did not ask for your location. Your address arrived before you did.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISP's upstream provider?
rolph
there was a prank way back, that used simple html, css and javascript, to instruct the browser to display IP address, public, and local, popup a stream from the webcam, and place them among a crafted document intended to trigger i.e. troll people.
no data was cast to internet, it was all code executed with local user permissions to access the devices and logfiles displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation, it's not a joke, it's handgun serious.
ryandrake
> Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
cortesoft
I don’t think it is as simple as saying browsers are working for the web developer and advertisers.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
ryandrake
I guess what I'm advocating for is that it should not be all-or-nothing, and it should not default-on:
Most web sites have no business knowing my time zone. Why are browsers offering it up? That should be gated on the user's permission.
Most web sites should not be able to determine what my screen resolution is, or what my operating system is. Browsers should also hold that back and only disclose it with the user's permission.
Most web sites should not by default have access to all the shit JS gives them access to. Battery Status, Web Audio, WebGL, Sensors, WebRTC, Geolocation, media devices (camera and mic), clipboard, local storage... All of these have uses, but should be behind individual, easy to access per-website preferences, and by default the site shouldn't even be able to query for their existence (which is enough to fingerprint), let alone call them. I shouldn't have to blanket turn off JavaScript to kill these things.
All a website needs to know about me, my browser, or my computing environment is I want to "GET /".
Obscurity4340
They don't need to collect your accelerometer's information of your irl movements or your devices' automatic time zone stuff i don't think. That basically gives away you're using a VPN and makes it easier to fingerprint you
fjni
Maybe it's because I'm idealistic in addition to being old, but I think a lot of this functionality was in fact added for explicit purposes.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that i'm expecting too much.
cortesoft
I don’t understand why that would be an implicit agreement, though? Why would I expect that the website would not try to figure out who I am?
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
applfanboysbgon
> Why would I expect that the website would not try to figure out who I am?
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
sixtyj
Website is a good dog. But its owners don’t have to be good as they can re-sell data about you to someone else.
Some sites can have more than 1,000 partners - you can explore their intentions in cookies consent window.
kelnos
> Why would I expect that the website would not try to figure out who I am?
Because doing so is creepy.
kelnos
Sure, but I think some of the stuff it sends isn't necessary. A website doesn't need to know the list of fonts on my machine, for example.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to popup an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
I'm not sure what the solution is here.
marcosdumay
> A website doesn't need to know the list of fonts on my machine
Unless you disallow websites from choosing their fonts, that information is really hard to hide. Most likely impossible.
What you can do is standardize the list.
> most websites do not need to know my time zone
Almost anything with a form needs this.
Every information on that page is necessary for something common and desirable. It's not using any advanced fingerprinting that can be blocked.
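Added example, not part of the thread or any commenter's code: the "unique among visitors" result and the "standardize the list" suggestion discussed above, worked through on a constructed population. It computes the anonymity set and surprisal bits for a visitor before and after every browser reports one fixed font list; the visitor records and `STANDARD_FONTS` are assumptions made up for illustration.

```javascript
// Constructed sample population: eight made-up visitors, not data from any real site.
const BASE = ["Arial", "Helvetica", "Times New Roman"];
const visitors = [
  { tz: "America/Los_Angeles", langs: "en-US",       fonts: [...BASE] },
  { tz: "America/Los_Angeles", langs: "en-US",       fonts: [...BASE, "Fira Code"] },
  { tz: "America/Los_Angeles", langs: "en-US,zh-CN", fonts: [...BASE, "PingFang SC"] },
  { tz: "America/Los_Angeles", langs: "en-US",       fonts: [...BASE, "Comic Neue"] },
  { tz: "Europe/Brussels",     langs: "nl-BE,en",    fonts: [...BASE] },
  { tz: "Europe/Brussels",     langs: "nl-BE,en",    fonts: [...BASE, "Fira Code"] },
  { tz: "America/Los_Angeles", langs: "en-US",       fonts: [...BASE, "Inter"] },
  { tz: "America/Los_Angeles", langs: "en-US",       fonts: [...BASE] },
];

const ALL_ATTRS = ["tz", "langs", "fonts"];

// Hypothetical fixed list that every browser would report under standardization.
const STANDARD_FONTS = BASE;

// Serialize the selected attributes into one comparable key.
// Arrays are sorted first so ordering differences do not create false uniqueness.
function keyOf(visitor, attrs) {
  return attrs
    .map((a) => (Array.isArray(visitor[a]) ? [...visitor[a]].sort().join("|") : String(visitor[a])))
    .join("\u0000");
}

// Anonymity set: how many visitors in the population share this visitor's key.
function anonymitySet(population, visitor, attrs) {
  const k = keyOf(visitor, attrs);
  return population.filter((v) => keyOf(v, attrs) === k).length;
}

// Surprisal in bits: log2(population size / anonymity set size).
// 0 bits means everyone looks the same; log2(N) bits means the visitor is unique.
function surprisalBits(population, visitor, attrs) {
  return Math.log2(population.length / anonymitySet(population, visitor, attrs));
}

// Mitigation modelled here: every browser reports the same font list.
function standardizeFonts(population) {
  return population.map((v) => ({ ...v, fonts: [...STANDARD_FONTS] }));
}

// Compare one visitor's identifiability before and after font standardization.
function compare(index) {
  const std = standardizeFonts(visitors);
  return {
    setBefore: anonymitySet(visitors, visitors[index], ALL_ATTRS),
    setAfter: anonymitySet(std, std[index], ALL_ATTRS),
    bitsBefore: surprisalBits(visitors, visitors[index], ALL_ATTRS),
    bitsAfter: surprisalBits(std, std[index], ALL_ATTRS),
  };
}

// Visitor 1 stops being unique once fonts are standardized.
// Visitor 2 stays unique because the language list alone is rare in this population.
console.log("visitor 1:", compare(1));
console.log("visitor 2:", compare(2));
```

Timezone alone is worth well under one bit in this population; the rare combinations do the identifying, which is why standardizing one attribute helps only visitors whose remaining attributes are common.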
jrumbut
The location it chose was laughably inaccurate (and since I'm the kind of person who posts here I know why). Censoring the IP address was a little cheesy, but down at the bottom it gets better.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
It starts slow but it got interesting.
footy
I learned that either my phone's gyroscope is broken or my browser obfuscates it.
Still interesting, even if not surprising.
slg
I think a lot of us old tech folks want to still believe in those techno-libertarian ideals of the old web. However, in order to do that we largely need to ignore the capitalistic and authoritarian ideals of the modern web.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherent to the server-client nature of the web means that abuse is more likely to flow in one direction than the other.
jrumbut
I agree entirely. Those of us old enough to have experienced those dreams are naturally going to mourn the loss of the Internet as a place for wild experimentation because we know so much good came from it and there isn't any true replacement.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
gonzalohm
One thing is using information about my connection like my IP and a different one is my browser exposing the angle that I'm holding my phone.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
cortesoft
No, that wouldn't be ok, but if my browser did that, I wouldn't be mad at the website for doing something with the data I sent them. I would be mad at my browser, not the web site.
xg15
I remember some users with phpBB signatures some 20 years ago that did the "I know where your IP address lives" trick. Yeah, a bit surprised this is still being done, only today not as some silly troll move in a forum but on some professionally designed website.
reddalo
Yeah I totally remember people embedding an "image" which was in fact dynamically generated with PHP, showing the reader's IP or geolocation.
sixtyj
I remember late 90s - we made a website that greeted incoming readers with message “Hey, you come from {ip address}.”
Today, it seems that websites track and collect much data as they have partnerships with 1,000 partners (see cookies consent window).
pona-a
A vibe-coded EFF Cover Your Tracks. The fact this made it to front-page is spookier than its contents
moritzwarhier
exactly, it even looks like a page created by someone asked to "replicate this, non-obviously, add fancy landing page theme".
Fugly.
camillomiller
Yes! By a user who’s 21 days old, has never commented and it’s not even following this thread as he has absolutely never replied and never will. Having these kind of submissions not flagged is killing hacker news
EricBetts
I think at least they're following the thread: https://news.ycombinator.com/item?id=48064959
serial_dev
I disagree, the discussion is still interesting to me. The page might be low quality AI slop (though it claims it’s not), I did find the discussion about it informative to a degree.
lucideer
The website is pretty & the overdramatic copy is fun, but there's much better fingerprinting demos out there.
The number of data points shown here is low - there's plenty more it could be checking - & a good number of them seem to be wrong (it's only detecting one as explicitly "withheld" but I believe a few of them actually are, leading to garbled output).
Needs some QA.
InsideOutSanta
The overdramatic tone is pretty funny. "You are in [wrong city]. We could send a team of ninjas to kill you right now, but we chose not to. You are welcome."
acid__
In short, another AI-generated slop project.
I've seen this exact UI style a dozen times now and it's always accompanied with tell-tale overly verbose, overly dramatic text.
ebolyen
There's really a lot more you can look at here. Lots of prior art on super-cookies and fingerprinting:
nottorp
Hmm interesting. I tried the EFF site and among other things it told me I'm on "MacIntel".
Gave me a scare, thought I'm still somehow running an x86 build of Firefox.
mwheelz
Both linked in the Sources & Confessions modal at the bottom. Cover Your Tracks is the spiritual ancestor of this whole piece. amiunique is more rigorous; this is the editorial cousin.
cf100clunk
Brutally dark site doesn't seem to show much to my eyes. No modal appearing at the bottom.
cf100clunk
Another info leakage feedback tool:
mmh0000
Wow! Somebody with ChatGPT discovered the concept of browser headers, then for some odd reason made the verbiage really ... weird "We chose not to tell you"... okay...
Anyway, if you really want to know what your browser is sending:
RHSeeger
> We did not ask for your location. Your address arrived before you did.
Bunk. You asked a geolocation api/service to map my ip address back to a location. You _did_ ask for my location, using my IP as a key. And my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
ygjb
Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
If I have a dictionary, I don't have to ask the meaning of a word I hear from someone I am speaking to, I can look it up in the dictionary. I may infer an incorrect meaning because the word has multiple meanings or is a colloquialism.
If I need to clarify that inaccuracy, I need other data points (for example, the context of the conversation), or I can ask my conversational partner for clarification.
nozzlegear
> Nah. The browser has a mechanism to request geolocation. This is the ask that was not performed. The user was not asked, which is the important piece.
The geolocation API requires prompting the user for permission before it can be used: https://developer.mozilla.org/en-US/docs/Web/API/Geolocation...
ygjb
Yes, that would have tripped the prompt asking the user, which would have had explicit user acceptance or refusal. The point is you don't need consent to do a fuzzy match using other data in most jurisdictions.
cortesoft
I think you are misreading this. It isn't saying they didn't ask ANYONE, they are saying they never asked YOU as a user for it.
Also, though, of COURSE your address arrived first... how else are they going to send back the data you are requesting?
mmooss
> my IP is pretty much required in order for communication on the internet to work (outside of using services to hide it, but then _they_ have your info instead).
Tor and similar multi-hop proxies, depending on construction, supposedly can't match source to destination IPs.
amarant
It has.. Shall we say tradeoffs.. In terms of latency mostly, but I suspect bandwidth is likely affected too
Swizec
I love that the very first thing it showed was wrong
> San Pablo, California, United States
> You appear to be in San Pablo, United States. Your internet provider is AT&T Enterprises, LLC. We know this because your IP address — 108.xxx.xxx.233 — was the first thing your device sent us
I am in San Francisco. IPs are not a reliable location identifier and never have been. Especially on mobile. Thank you for coming to my ted talk
troyvit
> Your graphics processor identified itself as or similar.
That checks out. I think what I have is similar to a graphics card but isn't quite.
wlesieutre
My GPU identification is off by about a decade but it did get the brand right
Sohcahtoa82
Seriously. My laptop was manufactured last year, and the site identified it as a Radeon R9 200 series. That was a top-of-the-line GPU...back in 2014.
wlesieutre
Same ID for mine. Are you running Firefox? Maybe that's a lie it tells to fingerprinters.
* I'm not in that city.
* It's running a kind of Chrome on a kind of Linux, at a stretch.
* Nobody can infer when I work and when I sleep. That includes me.
* The recent, high-end display is the screen of a low-end tablet I bought in a supermarket five years ago.
* But yes, browser fingerprinting is annoying.
* Since you can detect light mode, would it kill you to honor it?