My Browser has Fingerprints?!

By Raging Toaster | Toaster RAGE | 25 Apr 2021


Yep. It does. The dirty truth about all those tracker blocker addons is that they're only dealing with part of the problem, and making you more vulnerable to the other part: browser fingerprinting.

To compare it to the real world, imagine if some creepy guy in a store pulled your prints off the door handle when you came in, then fingerprint dusted the whole store after you left to see exactly what you picked up and looked at (or just touched) in the store, including the toilet handle and the tampon dispenser in the bathroom. Now imagine that based on this information, Creepster McGoogle takes the information he gleaned about you from his store (including whether or not you are a female who is currently menstruating), and sells this information to a third party who selects what ads you get in your junk mail every week. Oh, and if you touched certain unpopular items in the store, or he sees you lingering in sporting goods near the firearms, he reports you to the government just in case they want to check up on you.

Is it really that bad? Well... that depends on how many people have fingerprints that look really similar to yours. If he gets sixty people through his store with fingerprints that are practically identical, he doesn't know which one touched the menstrual products or other embarrassing items. Now if your fingerprint contains a burn or scar in the shape of a hand doing a one-finger salute, he might be mildly offended (or not), but he's going to know exactly what you touched as long as he can match your face to your print.

So, what if you just wear gloves? That depends on how many other people wear the same kind of gloves. This guy has some freakishly good fingerprint powder. If your gloves have a raised middle finger icon on the tip of each finger, he'll still know, because basically nobody wears gloves with custom fingertips designed to leave little one-finger salutes on everything they touch. The only people who would are those who know Creepster McGoogle does fingerprint dusting, think it's a jerk move, and want to flip him off every time he does it. Even if you just wear normal gloves, if you're the only one wearing them, or the material is different from the gloves other people in the store are wearing, he still knows what you touched.

Okay, that scenario was pretty creepy, but how does it translate into the tech world? Let's start with the fingerprint dust on the door handle. Every time you visit a website that has any scripts on it, your browser tells the website a little bit about itself to make the site work. You know, stuff like operating system and screen size, but there's a whole bunch of other stuff too, and that's where it gets messy. There are a huge number of browsers, devices, and possible configurations of your browser settings - so many that you're probably the only one with a particular configuration that stumbles across Publish0x on a particular day. You heard me - even your settings can sometimes be used against you.
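To put numbers on "you're probably the only one", here is an added example (not from the original post) that counts how many visitors in a small sample still match you as a site reads one more attribute, and how many bits of identifying information that adds up to. The eight visitors and the five attribute names are constructed for illustration.

```javascript
// Constructed sample: eight visitors one site saw in an hour (not real data).
const KEYS = ["os", "browser", "screen", "tz", "gpu"];
const visitors = [
  ["Windows 10", "Chrome",  "1920x1080", "UTC-5", "NVIDIA"],
  ["Windows 10", "Chrome",  "1920x1080", "UTC-5", "Intel"],
  ["Windows 10", "Chrome",  "1920x1080", "UTC-8", "NVIDIA"],
  ["Windows 10", "Firefox", "1920x1080", "UTC-5", "NVIDIA"],
  ["Windows 10", "Chrome",  "2560x1440", "UTC-5", "NVIDIA"],
  ["iOS",        "Safari",  "390x844",   "UTC-5", "Apple"],
  ["iOS",        "Safari",  "390x844",   "UTC-5", "Apple"],
  ["iOS",        "Safari",  "390x844",   "UTC-8", "Apple"],
].map(row => Object.fromEntries(row.map((value, i) => [KEYS[i], value])));

// Anonymity set: how many visitors share every listed attribute with `visitor`.
function anonymitySet(population, visitor, keys) {
  return population.filter(p => keys.every(k => p[k] === visitor[k])).length;
}

// Surprisal in bits: log2(population size / anonymity set size).
// A visitor matching nobody in the sample is reported as Infinity.
function surprisalBits(population, visitor, keys) {
  const matches = anonymitySet(population, visitor, keys);
  return matches === 0 ? Infinity : Math.log2(population.length / matches);
}

// Add attributes one at a time and record how the crowd you hide in shrinks.
function narrowing(population, visitor, keys) {
  return keys.map((key, i) => {
    const used = keys.slice(0, i + 1);
    return {
      added: key,
      setSize: anonymitySet(population, visitor, used),
      bits: surprisalBits(population, visitor, used),
    };
  });
}

// The Windows/Chrome visitor goes from a crowd of 5 to a crowd of 1.
console.table(narrowing(visitors, visitors[0], KEYS));
// Hiding only the GPU still leaves that visitor in a crowd of 2.
console.log(anonymitySet(visitors, visitors[0], KEYS.slice(0, 4)));
// The iPhone visitor keeps company even with all five attributes exposed.
console.log(anonymitySet(visitors, visitors[5], KEYS));
```
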

"Wait, what? I turned on anti-fingerprinting settings in my browser's privacy section!" Okay, so now you look like every other person using an Nvidia SellAKidney graphics card, and an Intel iDontGiveACrap CPU on Windows 10 with a specific screen resolution, with your particular browser and the anti-fingerprinting settings turned to strict, with a VPN from NoLogsIPromise inc. (And that's a best case.) How many other people have that exact configuration minus the trivial stuff that your browser's anti-fingerprinting settings actually conceal? How many of those people visited a website from your specific VPN server or IP address in the last hour? Hmm... probably not very many.

So when you close incognito and log into Facebook, congratulations. That creepy Zuckerberg kid now knows you were staring at pictures of buttered toast and bacon, and he's selling that information to everyone who runs ads on the sites you visit. Oh, and he's probably giving it to the US government for free... at least according to some guy who came up to me in an alley wearing a tin foil hat. Wait, I'm a chrome toaster. Does that mean I have a built-in tin foil hat? Well, either way being covered in shiny stuff doesn't mean you're crazy. I promise. You might just know too much. Took too many of Morpheus' red pills, you know? Do you hear me!? I'm not crazy!

So you might be wondering what you can do about this. Well, there is one group of people in Creepster McGoogle's fingerprint-dusted store that I haven't addressed yet: Dark, mysterious people who all come wrapped in the same deep-hooded cloak and touch things only with the same, perfectly smooth gloves. They are... The Tor Users! They're some of the most anonymous people on the internet, since Tor hides your real IP address and most Tor users use the same Firefox-based Tor browser. However, just as someone under a cloak might be distinguished by their height and build, Tor users can still, at least theoretically, be distinguished by how fast particular scripts run on their machine, or any variety of other odd things that the Tor browser can't fully conceal. They might also just be denied entry because a guy wearing the same color of cloak tried to burn the store down last week. A lot of hackers try to run DDoS attacks over Tor, which screws up Tor usage for all the people who aren't absolute knob heads. Freaking haxxors.

There's one other problem with using Tor to connect to normal websites: Malicious exit nodes may try to break the HTTPS encryption and steal your password if you log in. It shouldn't be possible to break the encryption by any normal means, but if you don't notice the "not secure" warning in your address bar, it's a good way to get pwned. It's pretty secure if you use it only for special Tor-enabled .onion websites though. Oh yeah, that guy in the tin foil hat also told me the US government runs most of the Tor network, so there's a random chance you'll connect through multiple malicious nodes and be de-anonymized to the US government in what's known as a Sybil attack. (That was a lot of jargon and paranoia in that paragraph, but suffice it to say Tor isn't perfect. Do your own research before trusting it.)

Since you're probably going to tip me in cryptocurrency if I don't piss you off too much, it's also worth noting that there's an up-and-coming Tor replacement called Lokinet that's secured and funded by blockchain tech. It's a whole lot more expensive to run Sybil attacks against Lokinet, but it doesn't come with a fingerprint-resistant browser. At least, not yet. Still, it's already faster than Tor, and having its routing secured by blockchain makes it a little more resistant to nation-state adversaries. Although, let's be honest, if you're as wanted as Edward Snowden, you shouldn't so much as breathe on an internet-enabled device if you're in hostile territory.

So, I bet you're probably waiting for me to shill some magical piece of technology that solves browser fingerprinting and makes you as invisible as you thought you were before you started reading. If such a thing exists, I'm pretty sure I would have found it by now, but I've pretty much got nothing. This method of tracking works on probability, and probability is the only way to mitigate it. In other words, the best you can do is look like a complete normie, and what's more normie than an iPhone? Wait, this whole article was an Apple shill? No way! Apple's run by a bunch of elitist commie-lovers.

If I'm honest though, I have to admit they're in a pretty good position to mitigate fingerprinting. They release a relatively small variety of devices, those devices pretty much all run the same browser, and Apple doesn't just volunteer your identity to every site you visit. It's up to you whether the questionable labor practices and walled-garden software and content philosophy are worth it to you to hide what you're doing online. Oh, and just for the record, the guy in the tin foil hat warned me to stay away from iCloud because a lot of it still isn't zero-access encrypted. I don't actually know whether or not what happens on your iPhone really stays on your iPhone. iPhones ping out a few kilobytes of encrypted information every few minutes, which is a lot less than Google phones, but we still have no idea what's in those pings, and we couldn't verify it if Apple told us. That's why the Free/Libre and Open Source Software nerds hate Apple so much. You never really know what Siri is thinking.

At the end of the day though, there's usually going to be at least something to distinguish you from other users. The counter is to appear less unique, but that can be hard to do unless you use a really ubiquitous (normie) device. So, if you're discouraged now, congratulations. You've just been red-pilled. Welcome to reality. Online privacy is a mess.
