Duh
So people using ad-blockers who don't see online ads are vulnerable to advertisers tracking you and putting targeted ads on websites you visit that you still won't see as you are using an ad-blocker. And this is a bonus to advertisers how?
The recent explosion in people installing ad blockers for their browsers may have an ironic side effect: identifying them to advertisers. French researchers digging into online privacy issues have built on a 2010 study by the EFF that used people's browser configurations to identify individuals. The researchers account for the …
If they know you're using an ad-blocker, they'll profile you as a leech and perhaps start using ad-gates. Either that or they'll see that as a cue to get more aggressive with the ads by triggering the original website to insert inline same-domain ads, which will be tougher to block without collateral damage. Plus since they'll be able to track you across websites, they can wait for other opportunities to bombard you which you may not always be able to block. Heck, if they can tie you to a social account or e-mail address, they can probably use them to get to you as well.
@ Charles 9. If people are using ad-blockers in the first place it likely indicates they are not receptive to internet adverts anyway, so using alternate means to shove them in your face is likely to have a negative brand image effect for the product and website rather than induce a sale. If websites block me for using an ad-blocker I go elsewhere, there are very few sites that have exclusive content that I absolutely must see. Similarly, if adverts manage to sneak past my ad-blocker and make a site too annoying, then I'll simply stop visiting that site.
Note: I also use No-Script too and block third party cookies etc so have even less exposure to advertisers and trackers. I also use a throwaway email address on social media.
"What about a manufacturer's website for drivers?"
You keep raising that. Let's look at it.
Where do these manufacturers make their money?
By selling the H/W that their drivers support.
What would happen if they poisoned their drivers?
They'd burn their main business. (Remember how quickly HP had to row back after the shit-storm they raised by playing silly buggers with their ink cartridges.)
Why would they want to do that?
Why wouldn't they? Plus I'm not talking the drivers themselves but the sites on which they're hosted: packed full of mandatory scripts and so on ripe to be drive-by'ed with no viable alternatives if they don't provide high performance drivers to kernels (kernels can't do that themselves many times due to patent-based black-boxing, and as for Windows...).
So only 48 others are using the single extension Privacy Badger on a locked-down Chrome?
>PB logo.gif identified in only 49/~6000 Browser tests,
>whilst on FF 52 there were around 2000 Privacy Badger blocker users, so a bit more dilution
>Safari - a locked down Ghostery (without Evidon direct tracking) seemed OK - but I don't really trust it
however the standard fingerprinting, OS, resolution, fonts canvas etc individualised me in all cases,
then there's server side cookies, evercookies, telemetry [Apple still get a packet with your UUID every time you query "About this Mac" on your own desktop/laptop!]
"however the standard fingerprinting, OS, resolution, fonts canvas etc individualised me in all cases,"
Not sure why you got downvoted. I found the same, even after making sure I wasn't logged into anything, changed the browser's ID string to remove all reference to X, FreeBSD and AMD, i.e. plain old Firefox ID string, removed all add-ons and yet it still identified me as unique. I'm betting it's my font list.
On the other hand, the test only runs if I whitelist scripting for the testsite domain.
As it hasn't been mentioned and almost everybody here will have an old redundant 1st generation RaspberryPi gathering dust in their drawer - You can give it a great second life using https://pi-hole.net/ on it to replace your network DNS. Works a treat for all connected devices. No need for browser add-ons and works within your smartphone apps (when using wi-fi).
I've found it the most effective way of blocking all ads - and if any ad does show up it will be the most obvious product/service to avoid purely on being so subversive.
The only issue so far was the TfL website would omit tube/trains from its journey planner. But by checking the easily view-able blocking log, whitelisting solved that problem immediately.
"The researchers account for the 2017 internet: they look at what browser extensions people have and what social media services they are logged into."
This seems more like a (well known) social media issue than something related to ad blockers. I'd thought it was common knowledge by now that if you visit a website you're often also downloading 3rd party contents, which allows said 3rd party to perform a bit of tracking. Especially when it's being used on multiple places (such as social media like buttons, Google Analytics javascript, etc.).
It's for that reason why I use both an Ad blocker but also the StopSocial plugin; a small plugin which prevents my browser from contacting any social media website whenever I'm on a website other than the social media site itself. Next using a reference blocker (NoRef) also does miracles.
The only risk is that some websites might break (sometimes they rely on references) but that's easily fixed with setting up a (small) whitelist.
Happy tracking that :)
Never hurts to check your browser fingerprint with a visit to https://panopticlick.eff.org/
as many machines running Adblock & NoScript can still be uniquely identified. Even with 3rd party plugins, Cookies, Javascript & Flash disabled it's fascinating how much data can be gleaned.
That's the trade-off for ad-blocking/privacy - running your connection through a VPN, using an 'exotic' browser (Vivaldi in my case), using uBlock or similar (TunnelBear Blocker's nice by the way) all give you a relatively unique fingerprint in comparison to the proles - given that my ISP has no clue what websites I'm looking at and that I'm ad/malware free whilst I do it, I think that's a worthwhile trade*
Of course, if you're doing something naughty and you get tracked down as a consequence of trying to be anonymous you may consider otherwise.
*That doesn't mean I wouldn't be keen to adopt anti-fingerprinting though - I'm hopeful that's coming in the next round of the privacy wars.
Just tried the test - it showed I was unique to 4403 so far tested. HOWEVER, it did say that I appeared to be logged in to LinkedIn (never had an account - ever) and logged into Forbes (whoever they may be). So, the question is: As I did try to find someone through LinkedIn - quite some time ago - has it left a marker somewhere on my laptop and how do I get rid of it?
And what about Forbes - I've never heard of them let alone knowingly been there. I don't 'do' any social media.
Running Firefox with AdBlockerPlus.
An inquiring mind would like to know.
Phil
@Phil - Forbes do news (FSVO news), you may have picked up a cookie from there by following a news story from somewhere
I never bother with Forbes as they have served malware via ads on their site in the past yet have the temerity to tell you to disable ad blockers!
Like most people main role of ad blocker is as part of a series of measures (e.g. scripts run from sites on whitelists only) to reduce malware risk, loss of in your face / page rearranging ads is just a bonus side effect
"Kind of an ugly solution, but it works."
I'll try that.
I have a HUGE number of fonts, to duplicate fonts to replicate vintage packaging / labels.
Also for other graphic design tasks.
I also use NoScript, not an ad blocker, as I'm more concerned about security & privacy, so 3rd party cookies are blocked, I log out of evil tracking orgs, and I only white list enough to make a site work. Some sites, even though used regularly, are only getting scripts Temporarily allowed.
Rats!
Courier, Helvetica, Times New Roman, Verdana, MONO
Unique out of 7501 browsers that were tested so far!
Maybe install User Agent and pretend I'm on Windows and not Linux. I needed that on last PC to download Kindle Reader for Wine, but I decided it's spyware, so I convert Kindle to ePub with Calibre now. (a plug in uses my real Kindle's serial number).
Whitelisting feature in Firefox 52 and later is no use to limit Browser Fingerprinting:
1) It's whitelisting the fonts the browser uses, which only incidentally affects reporting of fonts to a website.
2) Whitelisting ALSO blocks fonts loaded from websites (I think this is the reason for the feature, if so it's a broken idea, whitelisting/blocking the domain providing makes more sense?)
3) Makes too many websites look rubbish that use "wingding"/"symbol" fonts as Icons
4) I already downloaded and installed lots of commonly used 3rd party on the fly fonts on websites to reduce tracking via font providers. There is a website for them. This also speeds up page loading.
My conclusion is that currently this is a lost cause. Browsers should only report current browser window size and perhaps resolution, though physical DPI is more useful than X by Y screen pixels, it's the window X by Y needed for "responsive" sites / served image sizes etc.). Browsers are simply reporting too much. It was good that Mozilla backtracked and removed the battery state.
For now the best solution against tracking is:
1: Block all 3rd party cookies always (Default sadly is allow on Firefox).
2: Install Noscript and only whitelist enough to make a site work. Some sites best only temporarily whitelist, such as Twitter, Facebook, Google applications.
3: Always log out of social media and Google. Sometimes restart the browser so as to lose the temporary whitelistings that Social Media icons use on other sites.
4: If maintaining a website, DO NOT copy/paste "code" offered for icons and widgets. Download image of icon/widget, upload to your site and put a simple HTML link (maybe set to open in new window/tab). These 3rd party icons/widgets (with javascript) may even be illegal for you to put on your site if you are in EU.
5: If building / maintaining a website, put copies of all fonts, images, javascript etc in your own domain (or ideally same site) to make whitelisting easier for users, make your site self contained and avoid leaking the user's history / browser to 3rd parties.
6: Install your own analytics on your own site. Google's Analytics are a privacy slurp. They can't be trusted.
7: Only implement cookies for users that login. Do not use 3rd party log in APIs such as Facebook or Google.
8: If the site captures unique user data or has a login, then use HTTPS.
9: Use a Mozilla based browser, such as Firefox, Seamonkey etc. Not Edge, Safari, IE, Chrome or Opera. I don't know what the story is on Chromium. Not ideal, but better than some of the spyware.
10: Change Firefox setting so URL bar fails if you mistype, no search or autocorrect. Don't use a browser without a separate search box and url bar.
11: Do not install toolbars.
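A site maintainer following points 4 and 5 of the list above can check which other hosts a page makes every visitor's browser contact. The sketch below is an added example, not part of the original comment; the hostnames and markup are constructed, and it compares exact hostnames, so a subdomain of your own site is reported too.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a resource on page load.
# <a href> is deliberately absent: a plain link contacts nobody until clicked.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src",
    "link": "href",  # stylesheets, icons, preloaded fonts
}
# <link rel=...> values that trigger a fetch (rel="canonical" etc. do not).
LINK_RELS_FETCHED = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every automatically fetched resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr)
        if not value:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS_FETCHED:
                return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        self.resources.append((tag, urljoin(self.page_url, value)))


def third_party_hosts(html, page_url):
    """Return {host: [tags]} for resources served by a host other than the page's."""
    own_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data: URIs and similar never leave the browser
        if parts.hostname and parts.hostname != own_host:
            found.setdefault(parts.hostname, []).append(tag)
    return found


# Constructed sample page: a font CDN, an analytics script and a social widget,
# next to a self-hosted icon wrapped in a plain link.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.cdn.example/css?family=Demo">
<script src="//stats.tracker.example/analytics.js"></script>
</head><body>
<img src="img/logo.png">
<iframe src="https://widgets.social.example/like?u=shop"></iframe>
<script src="https://widgets.social.example/sdk.js"></script>
<a href="https://social.example/shop-page"><img src="/img/social-icon.png"></a>
</body></html>"""

if __name__ == "__main__":
    hosts = third_party_hosts(SAMPLE_PAGE, "https://shop.example/")
    for host, tags in sorted(hosts.items()):
        print(f"{host}: {', '.join(tags)}")
```

The self-hosted icon inside the plain `<a>` link is not reported, while the widget's iframe and script are.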
1. Because more and more sites won't work AT ALL without cookies. More and more sites won't let you get past the front page, and that includes sites I used to frequent.
2. More sites tie basic site function to those scripts. No scripts, no content. And other sites like Forbes use ad-blocker-blockers that deny you access. If they're the ONLY source of something (like a manufacturer's website that protects its property, so no internal drivers for you), God help you.
4. Those widgets are often copyrighted and impose terms on their use, meaning NOT copying/pasting them is in violation. It's THEIR way (copy/paste) or NO way.
5. Same problem. Some fonts, etc. ONLY allow you to source them from the official source.
9. Mozilla captures user data, too. So do IE, Edge, and Opera. Last I heard, Vivaldi also records stuff. Basically, unless you can roll your own from scratch or use a pre-commercialization browser like NetSurf, don't trust the browser.
10. ISPs tend to screw up this solution these days, and some of them are bold enough to intercept requests to third-party resolvers (easy enough to do, as DNS uses a fixed port number). And let's not get started with resolutions hard-coded into the clients.
Well, now I'm not so sure this new FF whitelist setting fully works. EFF's Panopticlick is still able to enumerate fonts (unless it's just guessing?), although the site referenced in this article now only sees what's in the whitelist. Not quite sure what Panopticlick is doing to get around the whitelisting - assuming it really is.
Ditto - NoScript meant NoTest until I allowed it.
Having done so, unique amongst 6114 so far. However, my extensions came up N/A and I got a 'no' for being identifiable by logins (this will be because cookies don't survive a browsing session, and I've only visited three sites this morning since switching on - including El Reg and the test). It's my browser fingerprint that gets a yes - but that's all.
(Okay, the combination of all three gets a yes as well, but that's as much because of the browser fingerprint as anything else!)
With such a small number of people having run the test, this is not that much of a surprise. So meh.
When I tried it, it couldn't detect them. Apparently only Google is stupid enough to allow that, since it said it only works in Chrome.
In the login leak, I was one of 1532 collisions among 4650 browsers, so hardly unique there.
In the standard fingerprint I was unique as I guessed I would be - I'm running Firefox on Linux! But that's easily fixed by changing my user agent string, if I cared to bother.
"since it said it only works in Chrome"
But using Chrome means you don't care about privacy anyway.
The logins and extensions usage is irrelevant anyway, their browser fingerprinting is completely rubbish.
It told me I was the same as about 680 among 5200 while this https://panopticlick.eff.org tells me my browser is unique among 213k.
Well Said!
And any ads that get through are a complete waste of time. I never buy anything that is advertised to me.
All part of me being a true 'Grumpy Old Man' and proud of it.
Adverts are a disease that needs eradicating.
Sorry El Reg, I know that Ads keep this site alive but I worked at an Ad Agency for 18 months and what they did with your data was shocking. That turned me off them for good.
"I worked at an Ad Agency for 18 months and what they did with your data was shocking."
What, if anything, did they or could they do to measure negative effects of advertising campaigns?
I can't see how they could do that other than going round with clip-boards and we know how that can be subverted by the way the interview is constructed.
My report disagrees with others. I'm using Chrome, with several extensions ( 1 being uBlock, not exactly a rare fringe case they didn't test ), and it reported no extensions.
I have other questions about this being so amazing for tracking: For example, they try to claim I have a 0 on the scale of how unidentifiable I am, yet they were not able to identify me by my extensions. ( For the obvious reason of them detecting none. ) So, it seems when you don't have any...instead of counting that as 0 extensions found, and being unidentifiable, they just throw it altogether.
Also, according to a post a bit above, about 1 in 3 people so far were NOT identifiable. With such an insignificant sample size, it seems that this would quickly get to the point where virtually no one was identifiable. I mean, they supposedly identified me because I was logged into 5 of the most popular websites in the entire world, and a 6th that is still quite common. ( Yahoo, Gmail, Reddit, Youtube, Twitter and Github. )
I have a distinct feeling that even just with a few more Reg people checking, that I will no longer be identifiable by my sites either.
NTM: This ignores the part where say you log out of a website, or log into a new one. Suddenly you are now a whole different person according to this.
Finally, I think the main thing that narrowed me down for properties was probably my timezone. Mountain time is by far the least populated US timezone. How many people do you think have visited this French domain site from Mountain timezone? ( Especially when it's only had about 4700 people test it so far. )
The principle of it is all fairly sound though. It's just mainly the execution at this point. It's sort of the tech equivalent of identifying a person based on their likes and dislikes. Get enough to check, and eventually you can tell pretty much everyone apart.
Tested again from same PC and same browser, still claims I'm unique (which is true, but not the point) my browser is still Palemoon with the same extensions - ABP, Stylish & Adblock Latitude and the counter incremented by +1 so either it's counting tests (and getting the test wrong) or visitors (and incrementing incorrectly)...
Since it recognised my normal setup with all its fonts, I tried two small Linux systems that were a standard CD image, no further installations or changes.
1. System Rescue Disk v4.1 + Midori browser. Could not connect to site, SSH handshake failure.
2. Tiny Core Linux + Firefox v52. I am in 26 out of 10,000+ users.
So to be anonymous, use a small Linux system.
Interestingly it didn't find me logged into any social media sites, despite Twitter and Facebook being present. From another comment, it ought to have found Forbes too, so I guess whatever I've done to Chrome has stopped that bit leaking. It only found one extension too, so I guess the rest are well behaved or obscure enough not to be tested (I don't believe that). My browser fingerprint is unique though.
I had the initial defence up though, NoScript stopped the site doing anything until I gave it permission.
Don't get caught out like Danny Baker reported on Radio 5 this morning.
The newsagent wanted to charge him 65p for using a card to pay for his paper and stuff. I wonder if it was a contactless payment?
Anyway, Cash rules then the Ad agencies and the spooks can't track you (unless the new £1 coin has RFID inside it)
(unless the new £1 coin has RFID inside it)
I thought that right at the outset when they said it had a special "hidden, high security" feature which - one report said - would be readable by the likes of vending machines.
Having visited the Royal Mint Experience (Blue Peter badge holders get in free) last week, the "exploded diagrams" of the coin do have a kind of "radio wavey" thing going on, and if you watch the video here you'll see something similar.
M.
It isn't just the newsagents and small shops. EVERY retailer has to pay to process card transactions (that's how the processors make their living), and it's usually the larger of a certain percentage of the sale (say 2-3% if your sales are slow) or a flat minimum fee. Because of that, most firms pay too much for small transactions which is why the minimum transaction. Larger retailers have the benefit of a lower percentage because of higher overall sales (economies of scale, basically) and the balancing effect of that high activity making small transactions bearable (somewhere there'll be a big transaction to offset small ones). Plus many retailers if they can do it will prefer bank debit to credit transactions (the percentage is lower).
As I work in countries where privacy is still deemed of some value by the population, the problem with such identifications is that there is thus ample evidence I wanted to protect my privacy. Circumventing that in any way does not negate the expression of my desire, and thus, by extension the total absence of my permission.
That's not going to work much with US companies which don't even bother complying with US legislation for as long as they can get away with it (AFAIK, for companies like Microsoft, Google, Facebook and Uber that appears to be a default operating stance), but any outfit in Europe can get into big trouble if they're found out.
And they will.
This Firefox addon removes cookies for a site when you close the tab. Another tool in the arsenal with which to fight back/regain privacy
https://addons.mozilla.org/en-GB/firefox/addon/self-destructing-cookies
I did some tests using my usual web browsing configuration: VM, never logged-in to mail or social, over vpn. Running an ad-blocker with some sites white-listed & no script.
I visited multiple times from different IP addresses. First I changed nothing but IP address (and cleared browser history in between)
attempt 1) unique
2) 2
3) 3
So each consecutive visit from different IPs reduced my uniqueness. Then I did what I normally do which is arbitrarily modify the resolution of the VM. All consequent visits I was unique, but differentiated only by resolution.
For all visits, including the 1st three I was in a non-standard resolution.
So my fonts are the default installed with Mint, I have ad-block & no-script & flash - for those I was 1 of 2-3 thousand. Only my ever changing resolution identified me, which only works if I keep it the same really?
So whilst I will never feel secure against law enforcement, shady government agencies or determined criminals, I'm probably a bit too much effort for advertisers.
As others have mentioned though. Any advert that encroaches on my consciousness without me explicitly seeking information, only serves to make me avoid that brand.
Now, where did I put my tinfoil?
That has been my thought, we need a browser that deliberately randomises things like canvas drawing and reported fonts, plugins, etc, so every site you visit has something a bit different.
OK, your IP address is an issue but you can use an IP-sharing VPN to anonymise that if you really need to and typically IPv4s get shared in many cases as a few machines behind NAT, and ISPs typically change them anyway.
IPv6 could be a whole nasty bag of worms though if folk get a fixed block so advertisers know that they can ignore the bottom 16 bits and the rest is basically fixed by your ISP and not CG-NAT'd or anything.
I think this article is kinda misleading, yes you might get identified based on an ad blocker. But if you don't have an ad blocker you WILL be identified, immediately.
P.S. I did get a good laugh out of all the comments of people who are worried about being tracked online and the lengths they're willing to try not to be tracked... And still not doing everything necessary not to be tracked. I've given up at this point. The Web is basically unusable if you actually make yourself untraceable and doing so is an enormous pain.
I'm unidentifiable on my old Vista machine, but not on my W7 - I think it's the fonts.
Firefox user and don't do social waste of time.
For plugins I have Adblock Edge, BetterPrivacy and SelectiveCookieDelete - that deletes every cookie when I close the browser, apart from any I've nominated to keep. How long before ISPs let them slurp IP to address..?
All that code that these ad slingers are running on my machine (in my browser). Did they ask me permission to do that ? No! I give implicit permission for Javascript to help with the page layout, form manipulation, ... but not for them to Sherlock who I am, if I want to let them do that then I agree to keep one of their cookies -- all else is without my permission.
Having said that our chocolate teapot that is the ICO would just find an excuse to not do anything.
So: should they have to ask permission to run this stuff, how many users would that turn away ?
It's a trade off.
Run an ad blocker and they might identify you as a browser with an ad blocker.
Don't run an ad blocker and they'll identify you and the internet is practically unusable.
Left field idea, why not use advertising on your sites in a way that isn't so intrusive and disruptive. Then I might not need an ad blocker at all. But right now on many sites if I can't block the ads I won't visit the site