Browser fingerprinting is where JavaScript or other means are used to scrape uniquely identifying information from the browser metadata and functions such as how it draws a canvas object. In it's latest release Apple will defeat browser fingerprinting by making all Mac users look alike to advertisers and websites that use fingerprinting to track users. Apple can afford to do this as it doesn't have skin in the online advertising game.
[This is likely only going to be for the Safari browser. - Ed]
This discussion has been archived.
No new comments can be posted.
Latest Apple Release to Defeat Browser Fingerprinting in Safari
|
Log In/Create an Account
| Top
| 48 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
(1)
(Score: 3, Disagree) by Thexalon on Tuesday August 14 2018, @05:53PM (20 children)
Apple is trying to undermine Google and Facebook's business model. They want it so that only Apple can really track what users of their products are doing.
I wouldn't be surprised in the least if Microsoft tries to do the same to Edge/Explorer.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 14 2018, @06:02PM (10 children)
Is that a general comment, or a criticism? Regardless of the motivations, I think this is overall a good thing. I would hope other browsers follow suit.
(Score: 1, Insightful) by Anonymous Coward on Tuesday August 14 2018, @06:15PM (6 children)
Sounds like criticism to me. While I applaud the stated goal I think they OP has a good point, this way Apple can silo the data of millions of users. Data is valuable, they will now be able to gatekeep the targeting data for advertisers and Apple users are a prime audience that is willing to pay excessive amounts of money for things.
(Score: 4, Interesting) by Immerman on Tuesday August 14 2018, @07:21PM (5 children)
*IF* Apple is recording peoples browsing activities (is there any evidence of this?), I'd say siloing is *still* a good thing - the more separate, secret silos such data is spread across, the more difficult it is for malicious actors (advertisers, governments, etc) to use that data to manipulate the population at large. And even on a personal level - if advertisers have to buy my data from Apple, rather than collecting it themselves for (practically) free, then fewer advertisers will find it worth their while to try to target me specifically with their behavior manipulation engines (aka ads).
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @07:28PM (4 children)
They are a malicious actor themselves for siloing data in the first place.
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @07:29PM
You're right: your data wants to be free!
(Score: 3, Interesting) by Immerman on Tuesday August 14 2018, @07:44PM (2 children)
No, they're malicious for *collecting* it (assuming they are. Evidence?). Your browsing habits are nobody's business but yours. Siloing such data would just make them profiteers, in a manner that actually benefits the users at least slightly compared to selling it or spreading it around.
But again- do we have any evidence that they're actually collecting such data, rather than just making it much more difficult for others to do so? Because the two are basically unrelated, and defending people's privacy seems to me to fall pretty clearly on the side of "good". Even if they're only defending it from other parasites, while mining it themselves, it's *still* good - they could far more easily just continue to let everybody mine it, and let you suffer the subtle price of having far more parasites tracking you.
(Score: 2) by Thexalon on Tuesday August 14 2018, @08:36PM (1 child)
My evidence that they'll be collecting and siloing it is the following:
1. They can, and basically nobody has either the ability or inclination to stop them (a small number of techies might filter out the traffic, but that's a blip among their customer base).
2. They believe it's profitable for them to do so.
And that makes the decision very very simple for management.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by Immerman on Wednesday August 15 2018, @01:25AM
That's not evidence - that's reasoning. Sound perhaps, but still not evidence. And we are talking about one of the very few tech companies in the world that has actively fought government spying on citizens, rather than bending over backwards to make it easier for them like most do.
And yes - it would be very hard for many to stop them, especially among their target customer base, but it would be very easy for them to be exposed, and for now at least they seem to be embracing the privacy thing as a marketing tool.
(Score: 4, Insightful) by Thexalon on Tuesday August 14 2018, @06:20PM (2 children)
If all browsers follow suit, that only kinda helps protect your privacy if you are not running an operating system with spyware installed, which means not Apple and not Microsoft. Otherwise, all that's shifted is which megacorp has control of advertising targeting aimed at you.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @05:26AM (1 child)
Mozilla has been doing a bit in this direction for a while. E.g. accepting anti-fingerprinting patches from the Tor project (Tor's "uplift" project to get as much of Tor browser into upstream Firefox as they can).
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @02:43PM
Palemoon has had inbuilt canvas poisoning for a long time.
(Score: 3, Insightful) by nwf on Tuesday August 14 2018, @06:32PM (3 children)
I don't think they care about undermining Google and Facebook. I think they've heard complaints from non-technical users that find the web advertising model very creepy and of no value. They are responding to those users' complaints and are trying to make the web better for them. This does help them look better in the press, for sure, but it's definitely in keeping with their recent privacy push.
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @08:14PM (1 child)
Will it improve the actual experience? The only ads with a sufficiently universal appeal are from porn and viagra right? How many people want more of that?
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @03:09PM
Irrelevant. I know the url for pornhub by heart. How will advertizing help here?
(Score: 2) by driverless on Wednesday August 15 2018, @01:10AM
Don't they already all look alike? Whenever I see a latte-sipping hipster kitted out with iEverything-you-can-buy I immediately know, "Apple user".
(Score: 5, Insightful) by Runaway1956 on Tuesday August 14 2018, @08:41PM (2 children)
Others have already asked for citations about Apple tracking it's users. I don't know - I've never heard of it. I've avoided Apple products, primarily because they are expensive compared to comparable stuff.
But - Apple recently stood up to Gubbermint over the case of the Inland shooter. The G-men said, "Apple, we want you to unlock this phone." Apple said, "We can't do it." Eventually the phone was unlocked, but apparently without the cooperation of Apple. Apple's stance was that they don't install trash on their phones, there is no back door, and even if they have a genuine terrorist, Apple can't break the encryption.
Now, unless all of that was just hot air, released for public relations at the behest of Marketing droids, WTF would Apple be tracking users?
Yeah, I know, I can't say that they aren't. But without citations, you can't say that they are.
Despite the whole closed garden nonsense, and all the idiot phanboy bullshit, it seems that Apple thinks of their customers in a much better light than any of the competition.
(Score: 1, Interesting) by Anonymous Coward on Wednesday August 15 2018, @11:37AM (1 child)
How about https://www.gnu.org/proprietary/malware-apple.html#surveillance [gnu.org] for starters?
(Score: 2) by Runaway1956 on Wednesday August 15 2018, @03:03PM
Your link is informative. But, some of that has to be salted a little. It is gnu.org, after all. The gnu philosophy is preferable to MS and many other major actors in the field of software. But, these guys might be considered extremists in regards to libre software. They're pretty good hearted, and well intentioned, but sometimes, you have to wonder how firmly they are anchored to reality.
As for Apple's many sins - well - those who choose to live in a cathedral might expect to live by the dictates of the priests and priestesses. Those of us who live in the bazaar - or the bizarre, if you wish - don't have to worry about those dictates.
But, I'll admit. Now and then I look at the cathedral, and wonder about converting. Life in the cathedral isn't as bad as life with MS, IMO. But, then I look around, and remember that priests and priestesses don't like assholes like me very much. I would soon get into far more trouble than the experience was worth.
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @11:19PM
Since Macs comprise something of like 5% of the PC market, I'm not sure how Apple doing this would undermine anyone's market.
(Score: 3, Insightful) by Mykl on Tuesday August 14 2018, @11:26PM
Apple's money doesn't come from advertising. It comes from selling products to its customers, not selling its customers to marketers.
Now that Apple is using this as a differentiator in the market, there is a disincentive for Apple to track their users in the way that FB and Google do.
See also: Apple Pay (the payment scheme where Apple and the banks get less information about your purchasing habits than other payment methods)
(Score: 2) by SomeGuy on Tuesday August 14 2018, @07:24PM (1 child)
I thought Mac users already looked all the same. :P
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @07:31PM
Clearly a Mac user:
https://www.politico.com/magazine/story/2013/12/opinion-rich-lowry-obamacare-affordable-care-act-pajama-boy-an-insufferable-man-child-101304_full.html [politico.com]
It has something to do with soy.
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @08:15PM (9 children)
Spoofing this stuff is only as useful as that which you spoof is common. Apple users are common.
(Score: 3, Insightful) by The Mighty Buzzard on Tuesday August 14 2018, @09:35PM (8 children)
Yup, I'd like to see the values returned by Apple become the default for all OSS browsers as well, or at least have an extension to do that.
My rights don't end where your fear begins.
(Score: 2) by Pino P on Wednesday August 15 2018, @01:15PM (7 children)
Why? So users of free browsers can get reduced-functionality versions of web applications that limit themselves to the subset of web APIs that Safari supports? Some video hosts whose server software is free software will refuse to serve video to Safari because Safari for macOS and Safari for iOS support zero (0) royalty-free video codecs. If not, a website could send a WebM video (muted so that it'll autoplay), and then if it plays, the site's fingerprinting script would conclude that the user isn't really using Safari.
(Score: 2) by The Mighty Buzzard on Wednesday August 15 2018, @01:47PM (6 children)
For the same reason you lock your car doors when you park it. There's nothing stopping anyone from easily breaking a window but it does make the job of screwing you slightly more difficult. I'm very much in favor of making it as difficult as practically possible to follow my every movement and fuck anyone whose business model requires constant surveillance of me.
My rights don't end where your fear begins.
(Score: 2) by Pino P on Thursday August 16 2018, @12:22PM (5 children)
The problem with that analogy is that locks on doors aren't illegal. Non-support of free video codecs with full support of AVC, AAC, and HEVC is illegal for free software in SN's home country because of patent law.
(Score: 2) by The Mighty Buzzard on Thursday August 16 2018, @12:45PM (4 children)
Erm, no. Not supporting free codecs is perfectly legal here, barring specific anti-trust rulings to the contrary.
My rights don't end where your fear begins.
(Score: 2) by Pino P on Thursday August 16 2018, @12:55PM (3 children)
An attacker would be able to distinguish your browser from Safari because Safari supports AVC, AAC, and HEVC, and your browser supports none of them.
(Score: 2) by The Mighty Buzzard on Thursday August 16 2018, @01:23PM (2 children)
Which has nothing to do with legality. I'm not seeing what you're trying to say here.
My rights don't end where your fear begins.
(Score: 2) by Pino P on Thursday August 16 2018, @01:57PM (1 child)
In this comment [soylentnews.org] you recommended that all free web browsers disguise themselves as Apple Safari by default. I'm saying that there are two methods of pretending to be Safari: one ineffective, the other civilly illegal to implement in free software. The ineffective one is not supporting nonfree codecs. The illegal one is supporting nonfree codecs. Which would you prefer that free web browsers adopt?
(Score: 2) by The Mighty Buzzard on Thursday August 16 2018, @02:03PM
The one you say is ineffective. It's not anymore than locking your car door is but that's the label you chose.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday August 14 2018, @08:45PM (5 children)
I've set up my browser to not support the "toDataUrl" function on the canvas object. So they don't get the fingerprint back.
But the way this kind of tracking works, is by rendering a test text in an array of different fonts, to see what is rendered different than the fallback font. So what does Safari have in mind? Mask all system fonts to the browser, except 5 standard fonts? Every other font that a document wants to use needs to be supplied as a downloadable woff?
(Score: 2) by Runaway1956 on Wednesday August 15 2018, @02:37AM (4 children)
Everyone should routinely block remote fonts from the get-go. I don't give the smallest damn what font the author uses on his word processor. I want his thoughts, not his preferences. I can read those thoughts in any of the three fonts installed on my system. If I had a Mac, I might have five fonts? Hmmm - interesting. Maybe I will upgrade.
(Score: 2) by Pino P on Thursday August 16 2018, @01:00PM (3 children)
That's fine up until someone's thoughts are about a language, and zero (0) fonts for that language's script are installed on your machine. Then you just get boxes. Browsers' views of Wikipedia articles about languages of South Asia often suffer from lack of installed fonts.
(Score: 2) by The Mighty Buzzard on Thursday August 16 2018, @01:25PM (2 children)
Unifont and/or Noto are pretty good for that, despite Noto being a Google product.
My rights don't end where your fear begins.
(Score: 2) by Pino P on Thursday August 16 2018, @01:52PM (1 child)
So what mechanism for a website operator to ensure Noto is available best balances security with convenience?
A. The web font mechanism
B. Writing "Best viewed using Noto. See installation instructions" on every page, as Wikipedia articles about foreign languages do. This method does not work on iOS or Android because end users can't easily install fonts locally on these operating systems. In my experience, Samsung Android allows installing only fonts from Samsung's store, which lists only fonts from major foundries that pay substantial dues to Samsung. Other systems (iOS and stock Android) don't allow the unelevated user to install fonts at all.
C. Something else I missed and you'll explain
(Score: 2) by Runaway1956 on Thursday August 16 2018, @02:00PM
Every language in which I am fluent is already installed on my machine. In my case, that is one language. I'm sure that people like Aristarchus already has all the fonts necessary to read all of the world's languages are installed on his machine. I mean, seriously, if you enjoy Fu Manchu's Ancient Silly Wing Dings, you probably have it installed, right? Me? I don't like Wing Dings, not even if they are Buffalo Wing Dings - so don't try to sneak it in with a web font.
(Score: 5, Informative) by MichaelDavidCrawford on Tuesday August 14 2018, @10:29PM (7 children)
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by jasassin on Tuesday August 14 2018, @11:07PM (1 child)
Even better, install uBlock Origin. I can't believe how many things it blocks! Some sites, over 100 blocks. Crazy.
Not a single block on Soylent! Nice.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 3, Informative) by The Mighty Buzzard on Wednesday August 15 2018, @01:50PM
No longer being updated for Palemoon, unfortunately. Doesn't mean it won't work fine for a while but known bugs will absolutely pile up over time.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @10:10AM (4 children)
127.0.0.1? How about using 0.0.0.0?
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @02:59PM
why?
(Score: 2) by MichaelDavidCrawford on Wednesday August 15 2018, @07:41PM (2 children)
I'm not clear as to how that relates to the RFCs.
If you run a personal webserver as I do, to map a bunch of domains to 127.0.0.1 will result in your local webserver's log being stuffed chock full o' 404s. That's somewhat annoying when I'm trying to debug a local server's config.
All my boxen have local versions of each of my domains so I can make Server Side Includes work locally:
127.0.0.1 soggy.brak . # One one machine
127.0.0.1 soggy.frylock # On another machine
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Informative) by Pino P on Thursday August 16 2018, @02:00PM (1 child)
Then configure your webserver's name-based virtual host mechanism to put the real domains' log entries in one file and other domains' log entries in another file. Instructions for this depend on whether you are using Apache, NGINX, or something else.
(Score: 2) by The Mighty Buzzard on Thursday August 16 2018, @02:38PM
Yup, that's webserver with vhosts admin 101.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Wednesday August 15 2018, @02:52PM
if a online service is financed by advertisement/tracking and has enough money to buy
spare hardware to do all this fingerprinting then surely this service is WAAAYYY to expensive.
ofc, trying to sell crap does require to catch the would-be customer in a weak moment. crap doesn't sell well.