Thanks for sharing, I was already using a decent anti-fingerprinting browser (Fennec) but the fact that it gave away my timezone made me research a bit more and I’m now on IronFox, which has a toggle to spoof it, and reports a fake screen resolution. Great!
My jaw dropped when I read the what angle my device is being held at, how many times I scrolled and tapped, what my position is!!!
How is this even legal?!
I always thought they just took my location, my device name etc. I had no idea it’s this deep.
I hit it with Firefox and it gave 24 points. Firefox refused to disclose my battery level. But did give it my angular geometry.
I opened it in Brave and it lied about my screen resolution and colored up my fonts, my battery. It refused to give up my angular geometry.
Why the hell doesn’t firefox just include some of those white lies?
central europe, maybe its due to architecture the isp has wifi access points around the city and people connect to them
back when it was starting there wasnt even isolation between clients, we used to send random shit to printers on the network as kids
It identified my many-years-old phone with “360x760 pixels rendered at 3x density” screen as “recent, high-end display”. Bitch, this wasn’t even high-end when I bought it. It was small, it was cheap, it was barely “recent” when I bought it.
Vibe coded af, how has nobody spotted this. The website swears the text was written by a human, and either they have contracted chronic GPT-virus or are an LLM
edit: this is made by Rise Up Labs which is an ai psychosis company
How can you tell that it was vibe coded? Genuine question.
AI is quite good at web design now, but it still has a distinct style. Claude in particular LOVES to mix serif and monospace fonts. This isn’t necessarily a guarantee based on just that, but it did trigger my alarm bells.
The second biggest thing is the language. LLMs absolutely SPAM slightly vague, short phrases separated by punctuation.
The language on each data point also is pretty repetitive which implies either sub agents were called or the model was asked individually to write something about it in a specific tone.
The final nail in the coffin was the company that made it, Rise up labs, which advertised all their AI software on their home page
One clue to me is the “how many times you moved” statement. One actual human “move” is worth hundreds of what the site calls a move. A human would notice that but the reality of it means nothing to an AI.
Secondly just the language used being quite dramatic but also generic.
LLMs always write with a very dramatic tone. I really hate that high impact language now.
You know it’s just counting the change in acceleration in your phone’s gyroscope chip or whichever it is. If you are typing something the phone “moves” twice with each swipe.
This page is just putting numbers it’s collecting from your phone into a template paragraph.
Thanks! I’ll have to keep an eye out for those things.
What is a “psychosis company”?
“We know your IP address”. No kidding, that’s how IPv4 works, even if the browser wasn’t
leakingoffering it.The point is not that they know your IP, but that even your IP already gives away information. That’s why they start with the information, rather than the IP being the source.
This is not intended to be for people who understand how this works.
And as someone else said, probably vibe coded.
The public IP is irrelevant, only shows the IP of the server used by your ISP, which can be at the other side of the country. It can maybe identify the ISP, but not the user, less if a dynamic changing IP is used. The public IP is always leaked if you don’t use a VPN or the TOR network.
Absolutely not, the public IP a website sees is your home IP. The resolved location will be inaccurate by design, but the IP definitely identifies you at that time.
What the website see is the current IP of the used ISP server in this moment. In the last check it was Madrid, several hundreds km from my real home. The public IP isn’t the same as my user IP, which only know my ISP and I (and the police by the ISP, if exist a court order). The public IP don’t show your real location, the website only can use your GPS data if you have it activated or if it appears in your account data (Google, Google Maps).
The public IP location is not precisely your location because your IP address does not convey that information at all. Services that locate an IP guesstimate based, mostly, on what range your IP is a part of, and what public data is available about that range.
I’m not sure about Spain (pretty confident it is the same, only a capitalist hellhole would do what you suggest), but in France and the Netherlands at least, your IP (the one a website sees) is always yours and yours only, not the IP of some ISP server.
If you can open your ports in your router and access them from the internet, then your public IP is yours. Most people can (even with a dynamic IP). If it was an ISP server, you wouldn’t be able to.
The thing a european ISP usually do is assign a dynamic IP, so that while your IP is assigned to your home router and yours only at a moment in time, it will likely change the next day, and will always change on a reboot of your router. But it still is your router’s IP at that moment in time, not a random ISP server. IPs are not physically assigned to a device
My home IP is mine, fixed, and I can verify that it is indeed my router. Yet the location of it according to locators is the other side of the country. The location locators give you for your IP being different to your actual location is not a proof that your public IP is not your actual home IP at all. And that is because an IP is not tied to a location and only your ISP can tell the location of their IPs.
depends on the isp, my router has its own adress on the iternet
couple of friends have a different isp that layers it users behind multiple nats so half the city would show the same ip on a website
I’ve never heard of that kind of network, is that a US thing? I can’t imagine having my traffic routed, as the person I replied to said, to the other side of the country before being routed to the proper destination. That is so incredibly inefficient and unnecessary. Not to mention the single point of failure.
Edit: And it makes hosting a public facing server at home a nightmare… I see no benefit to this except not having to get a large IP range to properly assign them to your customers, which sounds like capital efficiency rather than decent user experience. Did I get it right, is this a US thing? :D
Edit 2: And there are a lot of systems IP-banning abusers (it is, in fact, one of the most basic recommendations), meaning that if someone sharing that public IP gets IP banned, the entire customer group sharing the IP is troubled. Even worse if it ends up on a shared blacklist…
Depending on your location it can actually be geolocated into your specific city block, I geolocated an online friend’s IP just for the hell of it (I already knew where they lived) and it spit back out the city block they lived in as well as a lot of other very identifiable information
Also, if you can ping devices on that network using that IP you can also use that as a way to easily identify users. That’s if they have anything that isn’t firewalled, obviously, but the point stands!
I understand how all of it works. Whether it’s vibe coded or not it, it showed me stuff that I didn’t think about like arbitrary web pages can know my phone tilt, battery level??
The opsec implications are severe.
Oh yeah, it’s insane. The only way to truly protect your identity on the internet is by not using the internet. Second best would be tor, I suppose
Well maybe fingerprint duplication, some secure proxy provides a profile to follow/ plugin to install and all their customers look identical. Still gets your traffic pegged as a customer of that service.
I wonder, do phones have 6dof tracking (space + rotation) or 3dof tracking (just rotations)
because if it’s 3dof I’m calling bullshit on some of this.
I have 7 3dof fullbody trackers for vrchat (cough cough [email protected] cough cough) and they’re so damn inconsistent and need to constantly be ready to be calibrated to line up with what your body is actually doing. Having 1 3dof device can definitely detect walking or swinging, no shot it can tell if you’re in bed or on a couch
It told me I was likely sitting while I was sitting at my dining table. I assume if your phone is angled more towards the ground it would say you’re in bed.
Probably if its tilted to the side but still reporting a tall display.
This volume requires JavaScript. That is part of the point — your browser is what is being read.
Looks like I’m safe
Turning off JS doesn’t protect you from being FPd
Sure helps a lot
Only 50% correct in my case (similar to Browserleaks), correct the OS, Screenresolution, Country but wrong site, wrong even the ISP
Site might be linked to the node of your ISP
This ones my fave: https://amiunique.org/fingerprint
It shows the percentages of people who use your same browser features (called similarity ratios), and can determine whether you’re unique in their dataset. Can help for tweaking browser settings to try to make yourself not unique.
Yay, I’m completely unique! I won!
Wait a minute
TIL LibreWolf randomizes some fingerprinting targets.
Yes and it will appear unique every time because every visit is using a different combination.
You’ll be unique be less trackable.
I like clickclickclick.click
I am a unique signiture but it also got my OS wrong and couldn’t get my time zone
Y’all I think I won privacy
i used to think that firefox on linux and as plain-jane-generic as you could get besides windows; but no, i’m ultra unique:
Yes! You are unique among the 5084762 fingerprints in our entire dataset.
Somehow safari on an iPhone is also unique.
EFF updated their site since last check months ago, seeming to confirm theory
Nice (& I’m unique again on AmIUnique)
Check next week or in a new private tab now, prob be unique then too—think Apple’s fuzzing/reporting some noise/junk data for us.
Canvas:
& WebGL:
gotta be noisy, here’s hoping!
Look at my epic WebGL render:
How exactly is this rendering artifact generated?
Is there no add on, for Firefox, for example, to stop or confuse fingerprinting?
Any suggestions?
For Android.
About:config doesn’t work on my android Firefox.
I should switch.
I am unique cause I set language to EN-GB :D I guess their dataset is us centric
Same here with en-au, and my fucking timezone.
My Mum always said I was unique.
Now I have proof!
Just being in Australia, and setting the timezone correctly gets you to below 0.6%
😒
Attribute number 1 already says 0%. We’re done here.
They basically asked for your name, birth date, and mother’s maiden name, and your browser just gave it to them and offered even more.
that’s pretty comprehensive, and similarity ratios show how easy it is to create a unique fingerprint for somebody if you hash a few of these metrics together for example.
The percentage of, normally, privacy-aware people
dang, even with vanadium on graphene i am very uniquely identified. I suppose it can’t be helped these days.
all trackers hate this one trick
Unironically a solid way to block a lot of tracking. Although they can still fingerprint you I think.
Nothing makes you more unique than being one of the few people who disable java script
Honestly I would rather they fingerprint compared to running random code from websites.
Better a known locked door than inviting them into your home
Only a handful of data points surfaces by this website come from JS APIs, most are either header-based or some other browser behaviour that is independent from JS
And yet here they are showing me their webpage in darkmode 😒
Well they did say they don’t use the information 🤣
How many points of identification are needed to positively ID you? Something like 35 IIRC according to Cover Your Tracks/EFF? Might be remembering wrong 🤔
“31 data points”
Hell yeah! i is ghost.
