If You Clicked Anything Online, Google Probably Knows About It

Discussion in 'privacy general' started by Dermot7, May 19, 2016.

  1. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    http://news.softpedia.com/news/if-you-clicked-anything-online-google-probably-knows-about-it-504262.shtml
    https://www.technologyreview.com/s/...king-proves-google-really-is-watching-us-all/
     
    Last edited: May 19, 2016
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    Another way to fingerprint. Just great.
    Otherwise, blocking 3rd party content should prevent most tracking conducted from those domains.
     
  3. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Ahhh, so this thread is related to the one that @TheWindBringeth created... thought I saw the OpenWPM reference somewhere...
    It''ll break the internet!
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Thing is, browsers are not what people imagine them to be (or what they started out life as). So fingerprinting is not only inevitable but actively making money for the people who are providing the browsers and services for "free".

    Until there are decent internet consumer protection laws, this form of abuse will continue and intensify.

    Of course, aside from ad-blocking (which can also be fingerprinted!) - running browsers in virtual machines provides some measure of obfuscating the real host machine.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    WebGL fingerprints are truly evil. Systems using a given graphics driver seem to have the same WebGL fingerprint on hardware with a given GPU. Reinstalling the OS, or using a related OS with the same graphics driver, doesn't change the WebGL fingerprint. But host and VMs use different GPUs (real vs virtual) so there is no overlap in WebGL fingerprint.

    But all VirtualBox VMs on a given host use the same virtual GPU. So all VMs on a given host that use a particular graphics driver seem to have the same WebGL fingerprint.That's true for all browsers on Debian and Lubuntu VMs, for example. But the "same" browsers on other OS (unrelated Linux distros, FreeBSD, Windows and OSX) have different WebGL fingerprints. That's presumably because they use different graphics drivers. VirtualBox may also create different virtual GPUs for OS that are different enough.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    So solution to this kind of fingerprint would be to have separate VM for each online service?
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Nope. Let's say that you have a host machine running several VMs. And let's say that you have three Linux VMs: Debian, Lubuntu and Fedora. For all WebGL-enabled browsers on both Debian and Lubuntu VMs, EFF's Panopticlick will display exactly the same WebGL fingerprint. I haven't found another test site that reports full WebGL fingerprints, but I doubt that EFF's Panopticlick is the only site that can manage this. But the Fedora VM will have a different WebGL fingerprint. And so will Windows, OSX and PCBSD VMs. And Debian and Lubuntu VMs on a different host will have a different WebGL fingerprint.

    The point is that having multiple VMs isn't enough to protect from WebGL fingerprinting. On a given host, they need to be different enough, presumably by using different graphics drivers. I haven't tested whether one can change WebGL fingerprint in a given OS by changing graphics driver. But stuff tends to get updated, so maybe it's better to err on the side of being too different.

    Whonix VMs are somewhat an exception. Because Tor browser has WebGL locked out quite well. But there is some risk. And so segregating VMs in different hosts would be safer.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,068
    Thank you for additional explanation. So best bet would be different physical machines (with different hardware) running different VMs. I wonder if different audio driver is also needed for AudioContext API fingerprinting?
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    There's also an argument for using a minimal set of browser add-ins or anything different from the vanilla install, and using snapshot reversion using Firejail or the VM software.

    From a host hardware perspectives, there are now low priced Soc ITX boards (e.g. for the J1900) with 4 cores and adequate VM performance given decent RAM. Point being, those hardware configurations will be more common as time goes by. I guess the same could be said of a vanilla i5 or i7 gpu rig.

    However, I guess they will know you are deeply suspicious because you know enough to be using a VM - which is also fairly trivially detectable and adds to the fingerprinting.

    An alternative I use for online banking - but which also protects generic browsing - is to use a lightweight linux distro booting off a USB stick, with persistence. This allows an up-to-date distro to operate at full speed. But before I go browsing, I remove the stick so it's operating from RAM only (my form of snapshotting). As far as any website's concerned, that's the first time it's seen me, on fairly standard hardware and a stock OS freshly updated, and no ability to persist stuff beyond the session.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Tried it 1st on FF v1.9.2.14 with Scripts on but no cookies. Nothing worked :D

    Then with FF portable v1.7.9.0 with Scripts & cookies enabled.

    AudioContext Fingerprints

    Was able to FP !

    No luck with the other stuff though:D

    det-ec.png

    I guess those trackers will keep on doing it, & trying to find as many other ways too ! So it's good to know that there are people continuing to research & publish, & also others who provide methods of blocking. Apart from ourselves of course doing all we can too.
     
  11. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    How do you get that? I get fingerprinted by AudioContext (but not by the 3 Fonts tests) even with JonDoFox Broser with cookies disallowed. And the Flash Font detection is not empty, although Flash plugin is desactivated in my browser??
     
    Last edited: May 21, 2016
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    When it comes to privacy defenses including anti-fingerprinting, blocking javascript is crucial. Also, at least some browsers allow you to run with WebGL and/or other specific APIs/features disabled. You and all the other regulars would know this.

    A while ago I played around with NoScript's Surrogate feature, and used it to selectively inject a content script that blocks navigator.plugins and navigator.mimeTypes accesses on a per-site basis and shows an alert overlay when it does. I think the code I'm using now is different from what I posted in the Lockdown thread. Anyway, it is too primitive to differentiate fingerprinting from other activity, but it does go off when I run into fingerprinting. I've wanted to revisit the subject and try to take it further, but haven't had the time and probably won't any time soon.

    However, I had to tweak that surrogate rule yesterday and got to wondering how OpenWPM does its fingerprinting detection. I took a quick look at the code and saw they are using an extension to inject a content script which monitors more things and logs accesses so that they can be analyzed later. Their content script is based off of one used by Privacy Badger, and Privacy Badger's script was based off of one used by the Chameleon extension. All three repositories are at Github. Somewhere in there I saw WebGL mentioned, so there may be some code that focuses on that. Regardless, the point is that there are approaches that can be used to selectively block things and/or assign a score to sites/scripts based on how much their actions match fingerprinting code. If someone is looking for a summer project, this area might be fun and productive. Chameleon looked to be on hold and I think I saw comments in Privacy Badger source indicating they want to improve the functionality of their content script.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Thanks. There is an option in NoScript to disable WebGL entirely.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    A clarification on the FF versions i used. The 1. etc's were actually the file versions, not the release versions. Not sure why i posted those ! Anyways,

    Install v 1.9.2.4066 = 3.6.14

    Portable V 1.7.9.0 = 27.0.1

    @ Lyx

    I don't know how i got those results, because the Port FF is run as it came, with NO plugins etc.

    AudioContext is a clever way to FP, but requires Scripting, which 99% of the time i block.
     
  15. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    261
    Location:
    USA
    If it hasn't already been mentioned, Decentraleyes add-on for Firefox/PaleMoon/SeaMonkey blocks some Google 3rd-party content from being downloaded remotely by replacing it with locally served content: https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
     
  16. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    761
    Location:
    SW USA
    So if you whack Fingerprint me! and you get all this white space, you're OK??

    AudioContextFingerprintTest.jpg
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    Roger that. I was just using that as an example to speak to.
     
    Last edited: May 23, 2016
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,087
    That looks like the result you would get if javascript were disabled on that page. In order to "be OK" against such tests across the board, you'd have to disable javascript across the board.

    On the bright side, having javascript disabled for that page also means that your result isn't submitted to their server. Arguably, they shouldn't be collecting that since the tests do not require any server side processing of data.
     
  19. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    271
    Location:
    USA
    @gorhill @Dermot7 @TheWindBringeth @Windows_Security @J_L Would Umatrix with all privacy setting checked and only allowing the minimum for site to work and block all domains except .com and ones allowed and using Ublock with all filters that don't overlap( look at signature) and using privacy settings protect against this?
     
    Last edited: Jul 12, 2016
Loading...