Browser fingerprint: what it is, how it works, whether it violates the law and how to protect yourself. Part 2

From selectel: this is the second part of the translation of the article about browser fingerprints (here you can read the first). Today we will talk about the legality of collecting browser fingerprints of different users by third-party services and sites and how you can protect yourself from information collection.

So what about the legality of browser fingerprinting?

We studied this topic in detail, but could not find specific laws (we are talking about US law - ed.). If you can point to the laws that govern the collection of browser fingerprints in your country, please let us know.

But in the European Union, there are laws and directives (in particular, the GDPR and the ePrivacy Directive) that regulate the use of browser fingerprints. Fingerprinting is perfectly legal, but only if the organization can prove the need to perform such work.

In addition, the use of this information requires the consent of the user. True, there are two exceptions to this rule:

  • When a browser fingerprint is required for "the sole purpose of carrying out the transmission of a message over an electronic communications network".
  • When browser fingerprinting is required to tailor the user interface of a particular device. For example, when you surf the web from a mobile device, technology is used to collect and analyze the browser's fingerprint so that you get a customized version.

Most likely, similar laws apply in other countries. So the key point here is that the service or site needs the consent of the user in order to work with browser fingerprints.

But there is a problem: the question is not always asked clearly. Most often, the user is shown only the banner "I agree to the terms of use." Yes, the banner always has a link to the terms themselves. But who reads them?

So usually the user himself gives permission for the collection of browser fingerprints and analysis of this information when he clicks on the "agree" button.

Test your browser fingerprint

Okay, above we discussed what data can be collected. But what about a specific situation - your own browser?

In order to understand what information can be collected with its help, the easiest way is to use the resource Device Info. It will show what a third party observer can get from your browser.

See this list on the left? That's not all, the rest of the list will appear as you scroll down the page. The city and region on the screen are not displayed due to the use of VPN by the authors.

There are several other sites that help you test your browser's fingerprint: Panopticlick from the EFF and AmIUnique, an open-source site.

What is browser fingerprint entropy?

This is an estimate of the uniqueness of your browser fingerprint. The higher the entropy value, the higher the uniqueness of the browser.

The entropy of the browser fingerprint is measured in bits. You can check this indicator on the Panopticlick website.

How accurate are these tests?

In general, they can be trusted because they collect exactly the same data as third-party resources. That holds if we evaluate, item by item, which information is collected.

When it comes to the assessment of uniqueness, things are not so good, and here's why:

  • Testing sites do not take into account randomized fingerprints, which can be produced, for example, by Brave Nightly.
  • Sites like Panopticlick and AmIUnique have huge data archives containing information about old and outdated browsers whose users have been verified. So if you're taking the test with a new browser, you're likely to get a high score for uniqueness in your fingerprint, despite the fact that hundreds of other users are using the same browser of the same version as you.
  • Finally, they don't take screen resolution or browser window resizing into account. For example, the font may be too large or small, or the color may make the text difficult to read. Whatever the reason, the tests don't account for it.

In general, fingerprint uniqueness tests are not useless. They are worth trying out in order to find out your level of entropy. But it's best to just evaluate what information you're giving out.
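
What a figure in bits means, and why an archive full of outdated browsers inflates it, shown as an added example (not code from the article or from the test sites). It assumes the score is -log2 of the share of recorded browsers that match yours; the records and the `ExampleBrowser` names are constructed.

```javascript
// Added example; every fingerprint record below is constructed sample data.
const ATTRS = ['userAgent', 'timezone', 'screen'];
const keyOf = (fp) => ATTRS.map((a) => fp[a]).join('|');

// Surprisal of one fingerprint: -log2(share of the dataset that matches it).
function surprisalBits(dataset, fp) {
  const matches = dataset.filter((r) => keyOf(r) === keyOf(fp)).length;
  return matches === 0 ? Infinity : -Math.log2(matches / dataset.length);
}

// Shannon entropy of a single attribute across the dataset, in bits.
function attributeEntropy(dataset, attr) {
  const counts = new Map();
  for (const r of dataset) counts.set(r[attr], (counts.get(r[attr]) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / dataset.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// "b bits" means roughly one browser in 2^b shares the fingerprint.
const oneIn = (bits) => Math.round(2 ** bits);

const repeat = (n, fp) => Array.from({ length: n }, () => ({ ...fp }));
const oldBrowser = { userAgent: 'ExampleBrowser/60', timezone: 'UTC', screen: '1366x768' };
const visitor = { userAgent: 'ExampleBrowser/115', timezone: 'UTC', screen: '1920x1080' };

// Archive dominated by outdated browsers: the visitor is the only current one.
const staleArchive = [...repeat(7, oldBrowser), visitor];
// Population as it is today: half the users run the visitor's configuration.
const livePopulation = [...repeat(4, oldBrowser), ...repeat(4, visitor)];

console.log('stale archive bits:', surprisalBits(staleArchive, visitor));
console.log('live population bits:', surprisalBits(livePopulation, visitor));
console.log('userAgent entropy:', attributeEntropy(livePopulation, 'userAgent'));
// The entropy figures quoted in this article, read as "one browser in N".
console.log([16.31, 17.89, 10.3].map(oneIn));
```

The same visitor scores higher against the stale archive than against the live population, which is the inflation the second bullet above describes.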

How to protect yourself from browser fingerprinting (simple methods)

It should be said right away that it will not be possible to completely block the formation and collection of a browser fingerprint - this is the basic technology. If you want to protect yourself 100%, you just need to not use the Internet.

But the amount of information that is collected by third-party services and resources can be reduced. The following tools can help.

Firefox browser with modified settings

This browser is not bad in terms of protecting user data. Developers recently protected Firefox users from third party fingerprinting.

But the level of protection can be increased. To do this, you need to go to the browser settings by entering "about:config" in the address bar. Then find and change the following options:

  • webgl.disabled - select "true".
  • geo.enabled - select "false".
  • privacy.resistFingerprinting - select "true". This option provides a basic level of protection against browser fingerprinting. But it is most effective when combined with the other options from the list.
  • privacy.firstparty.isolate - change to "true". This option allows you to block cookies from first-party domains.
  • media.peerconnection.enabled - an optional setting, but if you work with a VPN, you should change it. It prevents WebRTC from leaking and revealing your IP.
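
A way to check a Firefox profile against this list, as an added example (not from the article): `auditPrefs` reads the text of a `user.js` or `prefs.js` file and reports every listed option that is missing or set differently. The function names and the sample file are constructed, and since the list gives no value for media.peerconnection.enabled, `false` (WebRTC off) is assumed.

```javascript
// Values from the list above. The article gives no value for
// media.peerconnection.enabled; false (WebRTC disabled) is an assumption.
const RECOMMENDED = {
  'webgl.disabled': true,
  'geo.enabled': false,
  'privacy.resistFingerprinting': true,
  'privacy.firstparty.isolate': true,
  'media.peerconnection.enabled': false,
};

// Parse user_pref("name", value); lines. Commented-out lines do not match.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*(["'])([^"']+)\1\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    let value = m[3];
    if (value === 'true' || value === 'false') value = value === 'true';
    else if (/^-?\d+$/.test(value)) value = Number(value);
    else value = value.replace(/^["']|["']$/g, '');
    prefs.set(m[2], value); // a later line overrides an earlier one
  }
  return prefs;
}

// Return one finding per recommended option that is absent or different.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!prefs.has(name)) findings.push(`${name}: not set, browser default applies`);
    else if (prefs.get(name) !== want) findings.push(`${name}: is ${prefs.get(name)}, recommended ${want}`);
  }
  return findings;
}

// Constructed sample: one wrong value, one misspelled name, one option missing.
const SAMPLE_USER_JS = `
// user_pref("media.peerconnection.enabled", false);
user_pref("webgl.disabled", true);
user_pref("geo.enabled", true);
user_pref("privacy.resist Fingerprinting", true);
user_pref("privacy.firstparty.isolate", true);
`;

console.log(auditPrefs(SAMPLE_USER_JS).join('\n'));
```

A misspelled option name is silently stored as a separate, unused preference, so the audit reports the real option as not set.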

Brave Browser

Another browser that is user friendly and provides serious protection for personal data. The browser blocks all sorts of trackers, uses HTTPS wherever possible, and blocks scripts.

In addition, Brave gives you the ability to block most browser fingerprinting tools.

We used Panopticlick to estimate the entropy level. Compared to Opera, it turned out to be 16.31 bits instead of 17.89. The difference is not huge, but it is still there.

Brave users have suggested a ton of ways to protect against browser fingerprinting. There are so many details that it is impossible to list them in one article. All the details are available on the project's GitHub.

Specialized browser extensions

Extensions are a sensitive subject, as they sometimes enhance the uniqueness of a browser's fingerprint. To use them or not is the choice of the user.

Here is what we can recommend:

  • Chameleon - modifies user-agent values. You can set the frequency to "once every 10 minutes", for example.
  • Trace - protection against various fingerprinting methods.
  • User-Agent Switcher - does about the same as Chameleon.
  • CanvasBlocker - protection against fingerprint collection through the canvas.

Use one extension rather than all at once.

Tor browser without Tor Network

On Habr, there is no need to explain what the Tor browser is. By default, it offers a number of tools to protect personal data:

  • HTTPS Everywhere.
  • NoScript.
  • Blocking WebGL.
  • Blocking canvas image extraction.
  • OS version change.
  • Blocking information about the time zone and language settings.
  • All other functions to block surveillance tools.

But the Tor network is not as impressive as the browser itself. Here is why:

  • It works slowly. This is because there are about 6 thousand servers, but about 2 million users.
  • Many sites block Tor traffic, such as Netflix.
  • There are leaks of personal information; one of the most serious happened in 2017.
  • Tor has a strange relationship with the US government - you could call it a close collaboration. In addition, the government financially supports Tor.
  • You may connect to a node run by an attacker.

In general, it is possible to use the Tor browser without the Tor network. This is not so easy to do, but the method is quite accessible. The task is to create two files that will disable the Tor network.

The best way to do this is in Notepad++. Open it and add the following lines to the first tab:

pref('general.config.filename', 'firefox.cfg');
pref('general.config.obscure_value', 0);

Then go to Edit - EOL Conversion, select Unix (LF) and save the file as autoconfig.js in the Tor Browser/defaults/pref directory.

Then open a new tab and copy these lines:

// The first line of firefox.cfg is ignored by the browser, so it must be a comment.
lockPref('network.proxy.type', 0);
lockPref('network.proxy.socks_remote_dns', false);
lockPref('extensions.torlauncher.start_tor', false);

Save this file as firefox.cfg in the Tor Browser/Browser directory.

Now everything is ready. After launch, the browser will show an error, but you can ignore this.

And yes, turning off the network will not affect the browser fingerprint in any way. Panopticlick shows an entropy level of 10.3 bits, which is much less than with the Brave browser (it was 16.31 bits).

The files mentioned above can be downloaded here.

In the third and final part, we'll talk about more hardcore methods of disabling surveillance. We will also discuss the issue of protecting personal data and other information using a VPN.

Source: habr.com