Hacker News: ef2k's comments

A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

Anyway, what they're calling "spectroscopy" is a combination of extension probing and residue detection (looking for what extensions might leave behind in the DOM).

An ad blocker is not necessarily equipped to help since the script is embedded with the application code. Since they're targeting Chrome, switching browsers will help with the probing but not the detection part and you'll still be fingerprinted.

The only way forward is for browser vendors to offer a real privacy or incognito mode where sites are sandboxed by default. When the default profile is identical across millions of users there won't be anything unique to fingerprint.
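The residue-detection half of the technique described in the comment above, as an added example that is not part of the thread and not the site's actual script: walk the DOM and report elements that carry attributes, classes or tag names an extension's content script might inject. The signatures (`data-exta-`, `extb-overlay`, `EXTC-ROOT`) and the mock DOM are constructed for illustration, not real extensions.

```javascript
// Added example (not from the thread): DOM "residue" detection, the second
// half of the technique described above. It walks a DOM-like tree and reports
// which illustrative extension signatures it finds. The attribute prefixes,
// class names and tag names below are hypothetical, not real extensions.

// Helpers that work on real DOM Elements (NamedNodeMap and HTMLCollection are
// iterable) and on the plain mock nodes built further down.
function getAttr(el, name) {
  for (const a of el.attributes) if (a.name === name) return a.value;
  return null;
}
function hasAttrPrefix(el, prefix) {
  for (const a of el.attributes) if (a.name.startsWith(prefix)) return true;
  return false;
}
function hasClass(el, cls) {
  const value = getAttr(el, 'class');
  return value !== null && value.split(/\s+/).includes(cls);
}

// Hypothetical residue signatures: what a content script might leave behind.
const RESIDUE_PATTERNS = [
  { name: 'ext-A', test: (el) => hasAttrPrefix(el, 'data-exta-') }, // injected data-* attributes
  { name: 'ext-B', test: (el) => hasClass(el, 'extb-overlay') },    // injected overlay element
  { name: 'ext-C', test: (el) => el.tagName === 'EXTC-ROOT' },      // custom element root
];

// Depth-first walk over an element and all of its descendants.
function* walk(el) {
  yield el;
  for (const child of el.children) yield* walk(child);
}

// Returns the sorted list of pattern names found anywhere under `root`.
function detectResidue(root, patterns = RESIDUE_PATTERNS) {
  const found = new Set();
  for (const el of walk(root)) {
    for (const p of patterns) if (p.test(el)) found.add(p.name);
  }
  return [...found].sort();
}

// A stable string a tracker could fold into the rest of the fingerprint.
function residueKey(root) {
  return detectResidue(root).join('|') || 'none';
}

// Constructed mock DOM (stands in for `document.documentElement` in a browser).
function node(tagName, attrs = {}, children = []) {
  return {
    tagName: tagName.toUpperCase(),
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    children,
  };
}

const DIRTY_DOM = node('html', {}, [
  node('body', {}, [
    node('div', { id: 'app' }, [node('textarea', { 'data-exta-id': 'x1' })]),
    node('div', { class: 'toolbar extb-overlay' }),
  ]),
]);
const CLEAN_DOM = node('html', {}, [node('body', {}, [node('div', { id: 'app' })])]);

console.log(detectResidue(DIRTY_DOM)); // [ 'ext-A', 'ext-B' ]
console.log(residueKey(CLEAN_DOM));    // 'none'
```

In a browser you would call `detectResidue(document.documentElement)` after the page has settled, since content scripts often inject late; the helpers deliberately avoid `classList` and `dataset` so the same code runs on the mock tree offline. The probing half (loading `chrome-extension://<id>/<resource>` URLs) is not shown because it cannot run outside Chrome.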


It's the typical Microsoft playbook, where they release a product and convince everyone that it has to be used everywhere, and by the time people realize how unbelievably terrible the product is it's too late and it has entrenched itself everywhere.

They've run this experiment before; Windows is terrible and has been for a very long time, Microsoft Office is terrible and has been for a very long time, Sharepoint is terrible and has been for a very long time, LinkedIn is terrible and has been for a very long time, etc.

It's what they do, there is not a single thing that Microsoft does not half-ass, because all they focus on is getting embedded into places, and that does not require that any of their products be good.


> A few years ago, intentionally fingerprinting or tracking your users without disclosure was spyware and unethical. Alas, here we are.

For over 15 years reCAPTCHA has relied on browser fingerprinting to help distinguish humans from bots. And fingerprintjs.com has been around for well more than a couple years.

That said, sniffing the browser extensions someone is using is NOT a common fingerprinting method used by my examples, but just saying fingerprinting itself without explicit disclosure has been around for quite a long time. It happens on literally every CAPTCHA service. I hate it of course, but the ship sailed a long time ago.

--

I like this demo for testing my browser's resilience against fingerprinting: https://fingerprint.com/demo/


Have you (or anyone reading this) been able to "beat" fingerprint.com without Tor or turning JavaScript off outright?

I've tried it various times over the last couple years, using different browsers with various privacy settings enabled and a VPN.

I can get good partial results and am able to reset my fingerprint by changing my OS and browser at the same time, so it's not entirely there with regards to sniffing the hardware. But I can never revisit the site and have it not recognize me. Is there no one but me using (for example) Debian testing Librewolf with resistFingerprinting on Proton VPN? If there are others, then resistFingerprinting is doing a bad job hiding my hardware.

That's depressing! Despite our genuine best efforts, enough identifiers leak that it seems to me there's no practical solution. I am genuinely at a loss for what we can do.

(If you're reading this and think it doesn't matter, it's possible you're not realizing that this means that any site collecting and storing these identifiers now will be able to talk to any site in the future and link your identity. Your past actions on every website on a given piece of hardware are liable to be linked to create a detailed profile in the future, so even if Reddit and Pornhub and Discord and the government aren't talking to each other now, you can put some decent probability in the fact that if they decided to share identifiers, they could link all your historical (signed out) activity to your real-world identity without much effort. I use those sites as examples because they're sites where people tend to generate information that they may want private, but they visit using the same hardware identifiers.)


It is depressing how robust it is!

I can beat it, but only by changing my IP. Since I'm not using a shared IP like a university/company might, my IP is giving them a lot of bits about me since I'm the only entity using it... No matter the browser switch, if I hit it from the same IP, it correctly assumes that my IP is still me. But the moment I switch to a different browser and change IPs I get a new fingerprint. Haven't dug deep on it though, like would an incognito window in Chrome on a new IP have the same fingerprint as a non-incognito Chrome window on another IP? Not sure

I would love to play around with that fingerprint demo while on a large shared IP, where the IP itself provides less signal and is less unique.


Fingerprint (and its ilk) use a tiered identification system to identify you, with a decrease in confidence with each step down.

They start with a supercookie approach (first-party cookies, third-party cookies, IndexedDB, localStorage, sessionStorage, favicon timing, etc.) which is a direct lookup, and unique. This is tier-1.

Next they slam as many signals as they can get your browser and network to cough up into an ML db and find your nearest neighbor. If it's greater than threshold ${x} they return its ID with a confidence of, say, 85%.

If that misses, they slide down to tier 3 which is your IP address plus some browser signals on a TTL so they don't just call everyone with your IP address "you". This is maybe say 50% confident.

Below that, they create a new record.

If you want to beat it - tbh - Safari, especially on iOS, is a monster. Most people with an iPhone default to it, and they remove their biggest entropy signals (offlineAudio, canvas profiling), so they're left with almost nothing to work with that is really unique.

Fingerprint _really_ pushes merchants to reverse proxy their services so that they can serve cookies as first party and Apple doesn't nuke them after 1 week. It's complicated and most merchants don't want to diddle with it - but it circumvents adblockers (ps - use an adblocker and call out fingerprint specifically if you want to hit them. LLM to see who else you need to include).

After that, if you're on Apple, use their Apple-VPN service (forget what its called) - which exists _literally_ for this.
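The tiered lookup the comment above describes, as an added toy model that is not Fingerprint's code and not from the thread: tier 1 is an exact lookup on a stored identifier, tier 2 a nearest-neighbour match over the full signal set, tier 3 the IP plus a few coarse signals under a TTL, and below that a new record. The threshold (0.8), the TTL (24 h), the signal names and the visit sequence are all assumptions; the scenario also reproduces the earlier commenter's observation that a browser switch on the same IP is still linked, while a browser switch plus a new IP is not.

```javascript
// Added example, not Fingerprint's code: a toy model of the tiered lookup
// described above. Thresholds, TTL and signal names are assumptions.

const TIER2_THRESHOLD = 0.8;               // assumed nearest-neighbour cut-off
const TIER3_TTL_MS = 24 * 60 * 60 * 1000;  // assumed TTL for the IP-based tier

function makeStore() {
  return { records: [], byStorageId: new Map(), byIpKey: new Map() };
}

// Tier 3 key: IP plus a few coarse signals that survive a browser switch.
function ipKey(visit) {
  return `${visit.ip}|${visit.signals.platform}|${visit.signals.timezone}`;
}

// Fraction of signal keys with identical values (a crude nearest-neighbour metric).
function similarity(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  let same = 0;
  for (const k of keys) if (a[k] === b[k]) same += 1;
  return keys.size === 0 ? 0 : same / keys.size;
}

// Re-index a record against the identifiers seen on this visit ("re-cookieing"):
// after a lower-tier match, the fresh cookie is bound to the old record, so the
// next visit hits tier 1 again.
function touch(rec, visit, store, now) {
  rec.lastSeen = now;
  rec.ipKey = ipKey(visit);
  store.byIpKey.set(rec.ipKey, rec);
  if (visit.storageId) {
    rec.storageId = visit.storageId;
    store.byStorageId.set(visit.storageId, rec);
  }
}

function identify(visit, store, now) {
  // Tier 1: stored identifier (cookie / localStorage / IndexedDB) -> exact lookup.
  const byId = visit.storageId && store.byStorageId.get(visit.storageId);
  if (byId) {
    touch(byId, visit, store, now);
    return { visitorId: byId.id, tier: 1, confidence: 1 };
  }
  // Tier 2: nearest neighbour over the full signal set.
  let best = null, bestScore = 0;
  for (const rec of store.records) {
    const s = similarity(rec.signals, visit.signals);
    if (s > bestScore) { best = rec; bestScore = s; }
  }
  if (best && bestScore >= TIER2_THRESHOLD) {
    touch(best, visit, store, now);
    return { visitorId: best.id, tier: 2, confidence: bestScore };
  }
  // Tier 3: IP plus coarse signals, only while the TTL has not expired.
  const byIp = store.byIpKey.get(ipKey(visit));
  if (byIp && now - byIp.lastSeen <= TIER3_TTL_MS) {
    touch(byIp, visit, store, now);
    return { visitorId: byIp.id, tier: 3, confidence: 0.5 };
  }
  // Miss: create a new record. Tier 0 here means "nothing linked this visit".
  const rec = { id: `v${store.records.length + 1}`, signals: { ...visit.signals }, lastSeen: now };
  store.records.push(rec);
  touch(rec, visit, store, now);
  return { visitorId: rec.id, tier: 0, confidence: 0 };
}

// Constructed visit sequence for one machine; IPs are documentation ranges.
const T0 = 1700000000000;
const BASE = { ua: 'Firefox/128', canvas: 'c-a1', fonts: 'f-a1',
               platform: 'Linux', timezone: 'Europe/Berlin', screen: '1920x1080' };
const OTHER_BROWSER = { ...BASE, ua: 'Chrome/130', canvas: 'c-b2', fonts: 'f-b2' };

function runScenario() {
  const store = makeStore();
  const visits = [
    { ip: '203.0.113.7', storageId: 'sid-1', signals: BASE },          // first visit
    { ip: '203.0.113.7', storageId: 'sid-1', signals: BASE },          // cookie intact
    { ip: '203.0.113.7', storageId: 'sid-2', signals: BASE },          // storage cleared
    { ip: '203.0.113.7', storageId: 'sid-3', signals: OTHER_BROWSER }, // new browser, same IP
    { ip: '198.51.100.9', storageId: 'sid-4', signals: OTHER_BROWSER },// new browser, new IP
  ];
  return visits.map((v, i) => {
    const r = identify(v, store, T0 + i * 1000);
    return `${r.visitorId}:${r.tier}`;
  });
}

console.log(runScenario()); // [ 'v1:0', 'v1:1', 'v1:2', 'v1:3', 'v2:0' ]
```

The interesting design point is `touch`: a match at any tier rebinds the current cookie and IP key to the existing record, which is why clearing storage or switching browsers buys you at most one "unlinked" visit unless the lower tiers also miss.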


It's definitely possible to bypass fingerprinting (just take a look at countless web scraping services that manage to do that) but consumer browsers actively reject this.

If I were to wear a tin-foil hat I'd say that fingerprinting is a spyware feature not a bug, but it can also be explained by the fact that the current web market relies on fingerprinting too much, thus blocking adoption of anti-fingerprinting features. Firefox half-ass tried to, but now all the anti-fingerprint features are hidden deep in about:config somewhere because people would rather see fewer captchas than have privacy.

Unfortunately, there's no way to patch fingerprint resistance into a compiled browser and even then nobody actually wants this because then cloudflare won't let you visit any web page.

The only way to get anti-fingerprinting would be to force it on everyone so that the tools that rely on it would be forced to respect the user. Considering that 2 major browsers are owned by mega corporations and the 3rd one by a leech that just exists to leech billions from the first two, we'll never actually defeat web fingerprinting until something absolutely catastrophic happens forcing everyone to start paying attention.


Yes!

At least for now. Tried many browsers and Mullvad Browser and Konform Browser are the only two that I managed to beat them with. They both enforce a bundled set of fonts like Tor Browser. Firefox and other forks are fingerprintable via variations in font rendering due to system fontconfig or fonts differing.


I've been getting into making and breaking these antibots recently and it's funny to me how the person who wrote this post gave so much attention to what LinkedIn was doing and left the other antibots on the page as a footnote. They grab way more, they just don't let you see it. I haven't reversed PX or Recap yet but the antibot on twitch and Nike similarly checks if you have any of these 53 apps installed (when loaded on a WebKit browser) https://pastebin.com/raw/KACvjpTK

This should lead to the browser being the one doing the human-or-robot user check. Is that possible?

By GDPR this is illegal. But I assume no action will be forthcoming

This would make more sense if email was 100% guaranteed to be delivered. Not sure if this angle was argued, but just like regular mail, just because something was claimed to be delivered is not enough to prove that it was, hence the existence (in the US) of certified mail and signature return receipts.


TOS updates almost always go to junk/spam. So delivered doesn’t mean seen, nor having a reasonable chance of being seen.

You often don’t determine what goes to junk, that’s decided by thousands of other people and the email provider. Junk folders often auto delete so there’s no recovery.


My hot take: the dedicated PM role is becoming optional. Engineers already understand feasibility and tradeoffs, and they often end up informing the PM anyway, which usually comes at the cost of meetings and slow decisions. With clear quarterly goals, engineering and design can own product together. They would shape scope, ship in increments, measure, and iterate. So the "product" function still exists, but it's not a separate PM attached to it.


I've worked without a product manager before and it was not a pleasant experience.

Without a PM: I conducted customer interviews, wrote up product requirement docs (PRD), and iterated with design on the mocks. On top of that, I had to implement the whole feature (while tweaking things with a designer), and also juggling another track of technical work.

This would be fine if I was a founding engineer, but I'm not and wasn't being compensated enough for the extra workload. And sure, now with LLMs the coding portion would be smaller, but there would still be a lot of context switching and one might not be able to do technical deep dives into things with all the meetings. All those meetings.

So don't overlook your PM.


I hear you, a lot of engineers have been there. Things are changing though, roles are evolving and the org chart is starting to flatten.

A couple of things worth separating: strategic direction in most orgs is already handed down from the VP or exec level, the PM is usually executing on that mandate.

Now that coding agents exist, both the PM and the engineer end up prompting a coding agent. So, over time, the roles converge and product ownership just becomes part of building.


So… I can do it all. Product manage, code, lead a team, even be my own designer in a pinch.

But that’s far too much work and context switching for one person. Someone will try, but the reason you tend to build teams of specialists is to let people focus even when they can do lots of different things.


From what I've read, tech is overrepresented by folks on the spectrum who struggle with focus and multitasking. I see this new trend where you are being asked to increasingly do more and more as an especially difficult burden to bear for those who self-select for careers in programming.


Hey you forget sales and marketing. Just do that also.


Luckily I suck at that!


Yeah that's why we're replacing you with someone who generated a claude skill which does that! /s


Ah yes, but now with AI it's going to be easy*

* Not easy at all, but too bad. We worship at the altar of productivity and either you're our blood sacrifice or you're unemployed


My hotter take: all 3 of the engineer, PM and designer will assume the other 2 are optional; in reality all 3 and the entire company they work for will be optional in most cases.


You just need one of them. It's probably the engineer.


Good PMs are not optional. Most PMs are.


How are you defining optional?

Companies without any product managers, much less good ones, are putting out profitable products all the time.


> With clear quarterly goals

This requires a quality of product/program management and upper management buy-in that is rare in my experience.

The dynamic I've experienced is upper management giving the same incompetent teams projects over and over, having month after month of meetings with no deliveries and no real progress on the deliverable, and then eventually having to scramble and find someone else who can actually accomplish their goals.

Either that or so many things are broken that there's no possible way to prioritize beyond a few weeks because you can't let attention dip from any one spinning plate for too long or it'll fall.


I totally agree (as a PM of ~10 years).

I think that all PMs will need to get onto the engineering, design, or research ladder. We are already seeing companies eliminate the function here and there and I expect the trend to continue.


This seems crazy to me. I am a PM and I am busier than ever. People are waking up to the idea that code is cheap and things can change faster now, so deciding _what_ to make and prioritise in the deluge of ideas coming to prod is becoming completely essential.

One thing LLMs don't have is taste. That's on me.


They don't seem to have taste when it comes to engineering either, but tbh 'taste' is a computable function, and will eventually be learned.


Agreed though I'm biased.

It will be interesting as orgs flatten to see what will keep all the remaining "superhuman AI-powered all-in-one" employees from just making their own shop.


As a developer, I don't see the PM as a boss or planner. It's the guy that handles the communication with all the people that don't understand what I say and ensures that they don't annoy me.

A PM is not optional when you want to have developers that have time to code and don't get distracted by thirty people that all want something else and all ASAP.


That sounds more like a project or engineering manager role. Work environments obviously vary, and sometimes roles are assumed to counter dysfunction. But the PM here is the product manager, which owns the product direction. The argument is that their role can now venture into building. My comment extends it further that they can actually become the builders, absorbed into engineering and design.


exactly - a PM's job is to sail the high seas of wherever you sit in the org chart and general corporate political landscape.


True, but I think corporate internal politics is changing.


To be fair, they do explain their motivation. It's an in-browser RSS reader, so it's fetching the RSS feed directly without a proxy server. There's not much risk since the content is public and non-credentialed. The bigger risk is misconfiguring CORS and inadvertently exposing other paths with the wildcard.
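The CORS point in the comment above, as an added example that is not the RSS reader's code: the weak setting (a blanket `Access-Control-Allow-Origin: *` on every response) beside a scoped one that only marks the public, unauthenticated feed path, plus a small audit helper that lists which paths a policy would expose. The paths (`/feed.xml`, `/admin/export`, `/api/me`) and the feed body are assumptions.

```javascript
// Added example (not the reader's code): scoping a CORS wildcard to the one
// public path that needs it. Paths and the feed body are assumptions.

const PUBLIC_FEED_PATHS = new Set(['/feed.xml']);

// Weak: every response, private paths included, becomes readable cross-origin.
function weakCorsHeaders(/* pathname */) {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Scoped: wildcard only on the public feed; everything else gets no CORS
// headers at all, so a cross-origin page cannot read those responses.
// `*` is never combined with Allow-Credentials (browsers reject that anyway).
function scopedCorsHeaders(pathname) {
  if (!PUBLIC_FEED_PATHS.has(pathname)) return {};
  return { 'Access-Control-Allow-Origin': '*' };
}

// Audit helper: which of the given paths would a policy open to any origin?
function wildcardExposedPaths(policy, paths) {
  return paths.filter((p) => policy(p)['Access-Control-Allow-Origin'] === '*');
}

// Request handler usable with http.createServer(handle); no server is started here.
function handle(req, res) {
  const { pathname } = new URL(req.url, 'http://localhost');
  const cors = scopedCorsHeaders(pathname);
  if (PUBLIC_FEED_PATHS.has(pathname)) {
    res.writeHead(200, { 'Content-Type': 'application/rss+xml', ...cors });
    res.end('<rss version="2.0"><channel><title>demo</title></channel></rss>');
    return;
  }
  res.writeHead(404, cors);
  res.end();
}

// Constructed path list for the audit.
const SAMPLE_PATHS = ['/feed.xml', '/admin/export', '/api/me'];
console.log(wildcardExposedPaths(weakCorsHeaders, SAMPLE_PATHS));   // all three
console.log(wildcardExposedPaths(scopedCorsHeaders, SAMPLE_PATHS)); // [ '/feed.xml' ]
```

A plain GET of a feed needs no preflight, so the scoped policy does not need an OPTIONS branch; if the reader later sends custom headers, add one only for the feed path.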


The article frames the premise that "everything will be fine" around people with "regular jobs", which I assume means non knowledge work, but most of public concern is on cognitive tasks being automated.

It also argues that models have existed for years and we're yet to see significant job loss. That's true, but AI is only now crossing the threshold of being both capable and reliable enough to automate common tasks.

It's better to prepare for the disruption than the sink or swim approach we're taking now in hopes that things will sort themselves out.


There is no “preparing for the disruption” at an individual level, aside from maybe trying to 100x a polymarket bet to boost your savings.


Nice. These are the kind of boundary pushing projects I like to see. It challenges assumptions of where application logic should live. The implications around cost, latency, and recovery are going to be interesting.


This brings some interesting situations to light. Who's ultimately responsible for an agent committing libel (written defamation)? What about slander (spoken defamation) via synthetic media? Doesn't seem like a good idea to just let agents post on the internet willy-nilly.


I really liked this post. It's concise and gets straight to the point. When it comes to presenting ideas, I think this is the best way to counter AI slop.


Nothing new here. This is why they eventually rolled back Chrome's initiative to automatically reject third-party cookies. Industry backlash was that the analytics of too many sites would break. Best thing to do is to switch to a privacy centric browser.


I landed on a similar vision last year. The more I thought about it, the moat felt fragile. GitHub or GitLab could build the same capabilities and become a natural extension of what teams already use. That said, it addresses a real problem, and the SDLC needs to evolve.

