←back to thread

Supercookie: Browser Fingerprinting via Favicon (2021)

(github.com)
357 points vxvrs | 3 comments | 16 Nov 25 19:39 UTC | HN request time: 0s | source
Show context
jmward01 ◴[17 Nov 25 04:29 UTC] No.45950851[source]
At some point we need actual consequences for sites that intentionally hide their tracking. It should be criminal. It is stalking and has real world consequences. Just because an exploit exists doesn't mean it should be used. That logic is like saying it is OK to break into a house because the lock on the door was weak. If we don't get real protections, at what point does it become justified to go offensive against sites that exploit things like this? If I found someone putting trackers on me with the intent to sell that information (harm me) I would defend myself. When am I allowed to do that in the digital world?

Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.

replies(6): >>45951535 #>>45952021 #>>45952606 #>>45952627 #>>45952643 #>>45954161 #
dragochat ◴[17 Nov 25 09:12 UTC] No.45952021[source]
If you visit my eg. physical clothing store I'm allowed to monitor your in-shop behavior to better optimize my store for your needs. Same for a restaurant etc. That's how _you_ get _much improved services_ and I get _happier customers_.

Ofc I'm not allowed to freaking resell that data. THIS is the problem in online: releseling and data-brokers. Just KILL these categories of businesses off completely and make _them_ criminal (like even give f prison sentences to their operators).

We should get back to our sanity in ONLINE. As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do, and should stop pretending I don't (as a business, ofc - anonymization exists and not any random employee can access any customer's data, probably should never access both data and identity correlated unless they're actively investigating some serious fraud). As long as I'm not sharing this data with anyone else, I should be 100% allowed to use every drop of this data to improve my services to you and totally differentiate myself from the incompetent competition that can't properly do this.

Data privacy (from EU's GDPR to... everything else) only helps big corporations fend-off competition from small startups or boutique shops that could easily out-compete them by offering hyper-personalized hand tailored micro-optimized experiences for their smaller number of customers based on the loads of data they collect from them. In the EU I've only ever seen these kinds of laws severely hamper small boutique or family businesses that wanted to hyperpersonalize to everyone's gain while big corpos easily surf around them with their teams of lawyers.

...we've all been brainwashed by this privacy psyop to sheepishly "fight for our privacy" in ways that are detrimental to us and only help our corporate oligarch overlords maintain an even tighter grip on power, while offering us worse and worse services. Wake the f up, DATA IS MEANT TO BE USED to IMPROVE goods and services, not remain uncollected or sit unused!

replies(2): >>45952097 #>>45952647 #
1. 1718627440 ◴[17 Nov 25 11:21 UTC] No.45952647[source]
> As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do

That's fine, but you are not allowed to send me malware, that runs on _my property_ and snoops on _my data_.

Also data doesn't stop being mine, just because you have it. You also can't take photographs of random people and claim this is yours now. That's an important difference between the USA and European countries.

replies(1): >>45954179 #
2. dragochat ◴[17 Nov 25 15:00 UTC] No.45954179[source]
Well, we'd probably agree on most things... and re the photography example, afaik model release forms work similarly in the EU and US, right?

Now website code does typically run on your device, but I'd say that once you're a paid logged in user you clearly accepted to run it, under the conditions of it staying in its browser sandbox so... if you think it's "malware" then just stop being a customer. Otherwise software has a right to monitor its own operation.

...but yeah, maybe I missed the context a bit, a tracking pixel style tool will likely be used to track not customers but leads, so I do get your point, it gets trickier there and maybe privacy laws have a point there (as long as they stop there... hint: they usually don't!)

replies(1): >>45955073 #
3. 1718627440 ◴[17 Nov 25 16:24 UTC] No.45955073[source]
> under the conditions of it staying in its browser sandbox so

I consider fingerprinting my browser, by running programs and measuring the timings and characteristics of the browser to be a side-channel attack on the browser sandbox.

> Otherwise software has a right to monitor its own operation.

If websites would only "monitor its own operation", we would hardly have any discussion.

> if you think it's "malware" then just stop being a customer.

Easier said than done, when >90% of websites do this. Show me a mainstream corporations website, that work without Javascript. You can hardly pay for a train ticket and make an appointment to government services, without these crap.

Also there must be some rules what software vendors are allowed to do, since the average user can hardly reverse-engineer all the websites they (need to) visit. This is what regulations like GDPR try to enforce.

> and re the photography example, afaik model release forms work similarly in the EU and US, right?

It's not about contracting a model, it's about doing a random photoshot in public. People have the right to their own picture here, irregardless of who takes that picture and who posses it.