• WANTED: Happy members who like to discuss audio and other topics related to our interest. Desire to learn and share knowledge of science required. There are many reviews of audio hardware and expert members to help answer your questions. Click here to have your audio equipment measured for free!

Stop browser trackers once and for all

bullshoy55

Member
Joined
Dec 18, 2023
Messages
10
Likes
0
Or you can just use iVPN like a normal person. It has a built-in AntiTracker mode and Firewall, plus IPv6 and WireGuard support for Quantum Resistance.
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
If at least one of the fingerprinting methods identifies the user, then all those privacy settings become useless. And they are in fact useless, because the commercial solutions I use in my work, as well as the open source telemetry research projects, easily captures a specific browser user.
Sure, it's a cat and mouse game. There's always interested parties that are looking for ways to fingerprint your identity online. Browsers and browser extensions are fighting back against fingerprinting. You're saying that the browser and browser extensions are losing this war, and that could be the case. But that doesnt mean consumers (or browser vendors) should stop trying to fight against fingerprinting.

Your methodology is completely wrong, which just reinforces my impression that you don't know what you're doing.
Shocked pikachu face.

You're supposed to look at total views count, not browser trust score. Visit creepjs, wait for a couple of seconds, close and reopen your browser, visit again. If the number is <1 — congratulations, your browser loses against real world tracking ;)
Your message is conflicting. According to you, I have to look at "views count", which doesnt exist on CreepJS. You probably meant "visits count". Also, you probably meant if you visit the page again (after closing tab) and if the "visits count" increases past 1, then the browser loses against real world tracking.

If you open CreepJS and the "FP ID" on top keeps changing to a different value with every visit, this means the CreepJS will report the "visits count" as 1, because CreepJS thinks it's a different visitor with every visit. That's how you know the browser is randomizing your fingerprint on this website, with every visit.

I haven't published my results on this yet, but I'd like to know which browser you know that passes this CreepJS test. I await your results.

Brave browser has Safe Browsing as well
Sure, but Brave's Safe Browsing doesnt report your website visits to Google, as per official documentation.
Plus, if you're that paranoid of using Google's Safe Browsing technology, Safe Browsing in Brave can be disabled in the settings.
I really don't see this "Safe Browsing" as a threat to user's privacy, even if enabled.

as well as telemetry enabled by default, which literally tracks your activity.
Sure, but what operating system or browser doesn't track your telemetry?
You're saying this like it's unique to Brave or something.
Everybody on the internet is tracking your telemetry.

And, once again, Brave doesn't protect against real world tracking libraries.
What libraries are you referring to?
Are these libraries publicly available?
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
Changelog:
2023-12-19:
- Added colors to sections, for similar topics. Makes it much easier to see.
- Added 'Disable 3rd-party cookies (for all Android mobile browsers)'
- Added 'Enable Maximum Protection (for all Android mobile browsers)'
- Added 'Force 'Global Privacy Control' (for all Android browsers)'
- Added 'Device Fingerprinting Results for Android, using CoverYourTracks'
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
What's concerning me right now is why Firefox for Android keeps failing the 3rd-party GRC's cookie test!?

That's after I changed the settings to ensure all 3rd-party cookies are blocked:
Settings, "enhanced tracking protection", change from 'standard' to 'custom', then under 'cookies', change from 'isolate cross-site cookies' to 'all third-party cookies (may cause websites to break)'

Here's my Firefox for Android version 120.1.1:
1703057256960.png

1703057261417.png

For comparison, here's Firefox Focus (where 3rd party cookie blocking works after you make the setting change):
1703057671737.png

Can anyone else confirm this?
 
Last edited:

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,652
Likes
37,318
What's concerning me right now is why Firefox for Android keeps failing the 3rd-party GRC's cookie test!?

That's after I changed the settings to ensure all 3rd-party cookies are blocked:


Here's my Firefox for Android version 120.1.1:

For comparison, here's Firefox Focus (where 3rd party cookie blocking works after you make the setting change):

Can anyone else confirm this?
I get same results as you on both versions of Firefox. Using an Android phone.
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
I get same results as you on both versions of Firefox. Using an Android phone.
I figured it out. :)

Steve Gibson (the creator of GRC.com's cookie test), said that after Firefox introduced the Total Cookie protection by default in June 2022, the GRC's cookie forensics test started failing.
Security Now Episode 876:
1703060267608.png

Security Now Episode 877:
1703060300566.png

In summary, Steve didn't have the time to fix his Cookie Forensics test, in order to take into account Firefox's new "Total Cookie Protection" technology, since he's busy with other projects.

In other words, this looks like a false positive. Great news!
Firefox for Android was always safe to use! :D
 
Last edited:

kysa

Member
Joined
Jan 22, 2023
Messages
77
Likes
58
If you open CreepJS and the "FP ID" on top keeps changing to a different value with every visit, this means the CreepJS will report the "visits count" as 1, because CreepJS thinks it's a different visitor with every visit. That's how you know the browser is randomizing your fingerprint on this website, with every visit.
FP ID value is based on a multiple fingerprinting techniques. different FP ID doesn't necessarily mean that fingerprinting libraries can't track you down, since, if one metric jumps within a certain pattern/stays the same, a tracking algo will eventually figure it out. creep.js is the only good enough fingerprinting demonstration i could find.
Also, you probably meant if you visit the page again (after closing tab) and if the "visits count" increases past 1, then the browser loses against real world tracking.
Yes. But there's no way to change chromium engine properties on-the-fly, hence why spawning new browser session, not closing tab, is necessary.

Your message is conflicting
How so? There used to be a trust score rating instead of the total views count, i swear :rolleyes:
1703072535252.png


I haven't published my results on this yet, but I'd like to know which browser you know that passes this CreepJS test. I await your results.
Tor Browser, Arkenfox.js, one nasty, close sourced Anti-detect browser for affiliate marketing purposes can pass the creep.js test as well as fool a real world tracking.
Sure, but Brave's Safe Browsing doesnt report your website visits to Google, as per official documentation.
Cool. It used to proxy Safe Browsing requests.

Sure, but what operating system or browser doesn't track your telemetry?
You're saying this like it's unique to Brave or something.
Everybody on the internet is tracking your telemetry.
Different flavours of *NIX, many browsers.
Are these libraries publicly available?
Unfortunaely, no. I have to plug the "trust me bro" assertion on that.


You're saying that the browser and browser extensions are losing this war, and that could be the case. But that doesnt mean consumers (or browser vendors) should stop trying to fight against fingerprinting.
All i'm saying is that Tor Browser is the only consumer-friendly option that really protects your privacy. Everything else gives users a false feeling of privacy, and, essentially, is a privacy theatre. Simply disabling 3rd party cookies and turning Firefox Enhanced Tracking protection won't harden your browser at all.
 
Last edited:

flor

Member
Joined
May 13, 2022
Messages
63
Likes
125
@sweetchaos no iOS browsers are “based on chromium”. Apple enforces that they all use the same rendering engine as Safari i.e. WebKit.
 

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,557
I tend to think the only way to truly block tracking from the people you'd care about (Google, Amazon, Facebook, Apple) inside a normal browser, is to block all Javascript and cookies. This breaks many websites, so you'd probably have to use several browsers to achieve something approaching this. Some browsers you'd use with scripts/cookies disabled, others with these things enabled (where you need to login to a website), essentially various browsers for various activities. It becomes messy/difficult to sustain quickly.

Google APIs and Amazon AWS are used by so many websites (this website uses Google APIs), it is borderline impossible to stop those companies knowing a fairly significant amount of what you're up to, without blocking these things & making many websites inoperable.
 
Last edited:
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
In the latest episode of Security Now (with Steve Gibson), Steve talks about the latest Chrome change to eliminate 3rd-party cookies by 2nd half of 2024.
Starts at 31min:41sec
Ends at 39min:24sec

In summary, 3rd-party cookies are about to be killed by Chrome and seeing how Chrome has 62% marketshare, this is huge news (as I've stated in my intro post).
Hence, my initial interest in this thread, just to see what all the browsers are doing.
Firefox really did the world a favor by implementing their Total Cookie Protection by default, since April 2023... Bravo!

I find it kind of ironic, since Google always had 3rd-party cookies enabled by default and even prior to announcing this major change in 2024, they rolled out this new tracking technology "Topics" like 3 months ago, just so they can maintain their $ generating stream. Plus, the YouTube agressive anti-adblocking behaviour that started a few months ago, also explains their panic to maintain as much ad revenue as possible before completely being forced (by the industry) to kill 3rd-party cookies once and for all.

Good riddance!
 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
I tend to think the only way to truly block tracking from the people you'd care about (Google, Amazon, Facebook, Apple) inside a normal browser, is to block all Javascript and cookies. This breaks many websites, so you'd probably have to use several browsers to achieve something approaching this. Some browsers you'd use with scripts/cookies disabled, others with these things enabled (where you need to login to a website), essentially various browsers for various activities. It becomes messy/difficult to sustain quickly.
For years, I used to use NoScript for both Chrome/Firefox, where I was blocking javascript.

Blocking 1st-party javascript for website broke everything, which made the internet unusable. So I stopped doing that.

Then I just blocked all 3rd-party javascript, which made like 50% of websites usable and 50% unusable. So i started doing whitelisting approach to allow 3rd-party javascripts and maintain this list across multiple computers. This worked for a while, until you get annoyed just allowing 3rd-party javascript on new websites, just to make the website usable. So I stopped going that after a few years.

Then I just blocked 3rd-party cookies for as long as I can remember. Which made all website work again, and stopped me from fiddling with each website's javascript.

Javascript blocking is really not a user-friendly approach.
 
Last edited:

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,557
Then I just blocked 3rd-party cookies for as long as I can remember. Which made all website work again, and stopped me from fiddling with each website's javascript.

Javascript blocking is really not a user-friendly approach.
The problem is that cookies aren't the only things doing tracking. People clear cookies all the time and yet are still tracked, so javascript browser identification is what is being used. Without blocking javascript, how do you get around that? I'm not sure you can, which bring us back to this:

My point about "it makes you stand out more" was that some of the things that supposedly increase user privacy by making tracking impossible actually make it easier for tracking libraries, because when you don't harden your entire browser (as Tor Browser does), such tracking only narrows the circle of suspected devices, since fewer people have certain features enabled. An already classic example of this reverse effect in action would be uBlock regional lists. if you were to enable it, the tracking libraries will immediately realize that you are using it, which would enable them to narrow the pool of similar fingerprints.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,652
Likes
37,318
The problem is that cookies aren't the only things doing tracking. People clear cookies all the time and yet are still tracked, so javascript browser identification is what is being used. Without blocking javascript, how do you get around that? I'm not sure you can, which bring us back to this:
Which why this response to my question was informative, but discouraging. It means most of the web is constructed so you cannot use it without being tracked. Using Tor browser or noscript with a browser breaks so many things it is near useless.

 
OP
sweetchaos

sweetchaos

Major Contributor
The Curator
Joined
Nov 29, 2019
Messages
3,896
Likes
11,839
Location
BC, Canada
What a fantastic piece of work, thank you so much for taking the time!! If you get a chance, check out Arc Browser (https://arc.net/) I ran it through a few of the tests you posted and it did pretty well.
After some quick browser testing, using Little Snitch (host-based traffic analyzer) for MacOS, along with a basic DNS ad-list, I don't trust or recommend this "Arc" browser.

In a period of about an hour, there's over 120 network attempts of sending data to api.segment.io (which is data analytics platform hosted on segment.com). That's just me opening the browser and not visiting any websites, so it's running in the background. That's about 2 DNS entries for every minute that it's running. While you can block this easily with DNS, I don't see any reason to recommend this browser, knowing they do this at this frequency.

I then looked at their documentation to see if they disclose the fact that they're tracking your telemetry data. Their site https://arc.net/security shows that they disclose it. Which is at least transparent enough. They claim they don't collect any personal data, so I guess you have to trust them? Anyway, I won't recommend a browser that does this by default.

By the way, none of the other popular browsers (Chrome, Firefox, Brave, Safari for MacOS) utilize this data analytics platform.

I'll rework OP, at some point in the future.
 
Top Bottom