I am not concerned for me. It’s others and the principle of it. I also don’t want anything collected, even a noise fingerprint, a data center IP, and a ping time. A site like that should either not track users or specifically warn them and allow them to opt out first or not enter the site.

There is google javascript on that site. Google is primarily an ad and surveilance company. Why does there need to be google third-party javascript on a recovery website? If the US government demanded google alter javascript for the site to collect more data on certain users, it could be done without notifying anyone, including EU users subject to GDPR. Third party javascript can be altered at any time as well for “updates.” To combine this with canvas fingerprinting is outrageous and a recipe for addicts and former addicts getting tracked when they think it’s private. The fact that the website is behind Cloudflare means there is probably already IP logging by a US company of EU users and Cloudflare could easily be required to turn over that data anyway, which could be used for various political reasons, but at the very least, there shouldn’t be canvas fingerprint tracking. There is absolutely no justification at all for that.

Thank you for adding this.

Also, even if the TOS of their many “trusted partners” didn’t specify selling it, and there’s a huge amount of third party javascript on their site, taking a canvas fingerprint of a browser is highly sensitive and often is close to getting identification, since most people use Chrome for everything including online shopping sites. Why is a canvas fingerprint needed at all? What’s next, adding Persona? Even if the canvas fingerprint is coming from cloudflare, US companies are allowed to lie to users in their terms and share data with the war-tech-bro-complex and lie to everyone. This is not a conspiracy theory; this was recently an admission made by Microsoft in regards to handling EU data with Azure; US companies can always be forced to lie. There’s no way to verify that information isn’t stored in a dataset, no matter who is obtaining the fingerprint, including for users of the site from other countries like those in the EU.

Why would it be unlikely?

I have no reason to lie about this. Here’s more proof:

Smartrecovery.org may be getting lower cost or free services by allowing these companies to collect user information and then sell it, which likely would not show up in a public financial statement.

As I said previously: “This is incredibly irresponsible and selfish and dangerous and either is a result of extreme technological ignorance or just willful disregard of people visiting those sites.” I am not claiming smartrecovery.org is an advertising company.

I appreciate the effort to look into this but am skeptical that 6 months from now the third-party javascript will look any different, and for now I will continue to not use your site.

Also, for comparison:

This is from na.org which also has much less third-party tracking and no third-party google scripts, but still take canvas fingerprints which can usually uniquely identify users, unless the site is being accessed at a library or using a specialized browser:

aa.org, in comparison, does not use canvas fingerprint tracking in the site, but does have a google maps api javascript request and although I have no proof, I can’t fathom google doesn’t collect information from that api including the origination IP and the website it’s embedded into, which is possibly tracking aa users as well for google. Why does aa need to call up a ad tracking and surveilance company api instead of something like openmaps which does not have a business model of tracking users?

My prediction is none of these organizations will have changed any of these things within the next year, if ever, despite the fact it could have real-world consequences for people visiting these sites.

I am not concerned for me. I am concerned for a recovering drug addict who views the website with chrome, then applies to work at target using the same chrome browser.

You’ve said you work at large companies that do strict hiring checks. Do you work in HR? I am not referring to a background check. No offense, but you’re just wrong on this. When a company uses a data broker check and then rejects a candidate, a resume gets thrown in the trash and the candidate is not told why. You are greatly underestimating the privacy risk for someone naive who thinks they are attending something “anonymous.”

https://workology.com/shadow-employee-profiles-how-third-party-data-brokers-impact-workplace-privacy/

"In the data-driven world of today, privacy in the workplace is not confined to what is seen on security cameras or tracked by email monitoring systems. A more subtle and sophisticated threat is developing: shadow employee profiles created with data secretly obtained by external actors. Without employees even knowing they exist, these profiles can impact hiring, promotion, and even termination. What is a Shadow Employee?

A shadow employee profile is a digital file produced without direct permission or knowledge of the employee. It covers data not only from internal systems but also from outside sources such as credit records, online shopping, public databases, and social media activity.

Often working in legally murky areas, third-party data brokers gather, compile, and market this data to companies or background screening companies."

https://time.com/archive/6595428/data-mining-how-companies-now-know-everything-about-you/

from the article from 2010:

" Google’s Ads Preferences believes I’m a guy interested in politics, Asian food, perfume, celebrity gossip, animated movies and crime but who doesn’t care about “books & literature” or “people & society.” (So not true.) Yahoo! has me down as a 36-to-45-year-old male who uses a Mac computer and likes hockey, rap, rock, parenting, recipes, clothes and beauty products; it also thinks I live in New York, even though I moved to Los Angeles more than six years ago. Alliance Data, an enormous data-marketing firm in Texas, knows that I’m a 39-year-old college-educated Jewish male who takes in at least $125,000 a year, makes most of his purchases online and spends an average of only $25 per item. Specifically, it knows that on Jan. 24, 2004, I spent $46 on “low-ticket gifts and merchandise” and that on Oct. 10, 2010, I spent $180 on intimate apparel. It knows about more than 100 purchases in between. Alliance also knows I owe $854,000 on a house built in 1939 that — get this — it thinks has stucco walls. They’re mostly wood siding with a little stucco on the bottom! Idiots."

I’m sorry. There’s really no way to undo this. Grieving and and moving on is the only option, and I am not being sarcastic. If my privacy was violated like that by google, I would be very upset and would grieve. Even if you complain, they won’t remove it from AI training or whatever they intend to do, even if they lie and say they will. Librem 5’s have no google in them if you want to switch to something else. FuriLabs also make a Debian smartphone.