08/21/2019 17:38:19
If you are a regular visitor, you know that I normally I update my site with new content on a monthly basis. However the events of the last 24 hours have compelled me to break with tradition and reach out to the wider world as soon as possible.
I already hear you asking, "What happened Jay?" Well the modern web happened, that's what. Since I'm a web developer you are probably operating under the assumption that I'm acquainted with the modern web and it's basic rules more-so than most. You aren't wrong. However I am not infallible. That having been said, the events of the last 24 hours have forced me to take a long hard stare at one of my blind spots, produce a full accounting of the horrors that were subsequently revealed to me and react accordingly.
So how did my world get upended? Well it started with this Reddit thread in which the subject of discussion is a video Linus Tech Tips made about browsing the web anonymously. Please note: I am not endorsing this video. It contains so much inaccuracy and bad advice that it should probably be pulled from their channel. Now while I was reading through the thread and enjoying reading rants about the inaccuracies in the video, it occurred to me that I haven't spent much time considering my browsers fingerprint.
For those not in the know, fingerprinting refers generically to any technique in tech that can be used to identify a specific device and/or user. This makes browser fingerprinting insanely important because it means that unless you make an effort to make your fingerprint less specific and less unique, you can still be tracked regardless of whether or not you block ads, trackers and use a VPN to browse the web.
Keep in mind that at this point, I was still feeling damn good. But at some point somebody posted a link to the EFFs fingerprint testing utility in the thread and I clicked on through thinking that the results would only serve to further reinforce how great I was doing with privacy. I couldn't have been more wrong. The schadenfreude I was experiencing suddenly became the sinking feeling in the pit of my stomach as I realized that I was completely and utterly full of shit.
But wait, what the hell happened? I use Linux. I use Firefox. I do all kinds of things that make my life harder but also theoretically increase my level of relative privacy in a variety of circumstances. Turns out that a lot of these choices were actually serving to make my browser fingerprint more unique. After all how many people are in the habit of browsing the web from a Linux laptop? How many people actually use Firefox as their primary browser? Hint: the combination of those two factors alone makes me much easier to identify. Throw in a few odd font choices and the fact that my odd screen resolution combined with my specific UI config in Firefox creates a situation where not only was I easy to identify, but my signature was actually unique:
This was not an easy revelation for me to bear. Everything I was doing was thrown into flux. I immediately began trying to find another more secure browser that wouldn't allow people to do this to me. After about an hour of madly bouncing around the web like a chicken with my head cut off (and likely being tracked quite competently the entire time, hopefully the irony won't be lost on our tech overlords) it suddenly hit me like a bag of bricks:
Without JavaScript, most of this shit is not possible.
While I could have just disabled JavaScript for every single website in my browser, as a web developer I knew that this approach was doomed to end poorly. Too many sites and apps that I actually trust and use on a daily basis actually require JavaScript in order to work at all. In addition, browser fingerprinting actually makes sense when paired with multi-factor authentication (MFA) methods as it allows me to validate my device once and not bother with doing so until something important changes. Hell I would even argue that a more unique fingerprint actually enhances my security in that particular scenario. For more information on both the upsides and downsides of unique browser fingerprints as well as other possible mitigations that I don't cover here, feel free to read this wonderful Pixel Privacy article on the subject.
So now I needed a way to globally disable JavaScript by default but be able to turn it back on for specific domains that I am willing to trust. Well that road leads to one place and it is a place that I have resisted going for a long time. What is this place called? NoScript. Just to provide the proper context here, I once hated the idea of NoScript so much that I went out of my way to mock users who had it enabled that came to this website. Lets take a gander at some of the source code for version 4.x of the Presentation Engine:
Now in case you aren't picking up on the full joke there, markup between the noscript tags in HTML will only render for users that have JavaScript disabled. In addition that content was encased in blink tags which though deprecated in every web browser worth talking about, I had added JavaScript code to re-enable. The joke of course was that since you were using NoScript I couldn't even competently annoy you.
However by the time I started writing version 5.x (the version you are using now), I was feeling a bit more sympathy for NoScript users and made an extra special effort to make Presentation Engine support NoScript users who choose to consume content. The admin tools still very much require JavaScript but as a consumer, no JavaScript is required at this point. At the time my purpose wasn't to support NoScripters as much as it was to build the fastest website imaginable.
To summarize I installed NoScript into Firefox and set it up appropriately. Here are the results of the EFF test afterwards:
Much much better, right? And since I'm able to conditionally re-enable JavaScript for sites and apps that I trust, I can still benefit from my unique fingerprint in situations where it makes sense for me to have that. The bottom line here is that I strongly encourage every single one of my readers to install and configure NoScript in their browser as soon as possible.
Beyond installing NoScript, the real goal of this post is to get people to ask the question: How did we get to this place? Who is writing all of this nefarious code that is tracking all of us? Who is designing all of these apps which exploit our addictive tendencies in order to keep our eyeballs glued to them?
The answer is simple: Web Developers. I am a Web Developer and I have refused and will continue to refuse to do these kinds of things. I used to work with a client that wanted me to maintain their corporate website and help them create more ways to track their users activity. I refused and eventually dumped the client while citing those kinds of requests as one of my primary reasons.
As a web professional, I am disheartened by the reality that we aren't doing any better than this. As a tech professional, I am disgusted at the growing collection of evidence which indicates that not only are we stunningly amoral but that we are apparently okay with exploiting the trust of our users in an effort to turn them into mindless click bots who might be more willing to buy shit they don't need.
We can do better and we should do better. I can only hope that fellow professionals who stumble on this post will take my words into consideration and at least consider changing their ways by not only adopting consistent and ethical standards but by holding themselves accountable to them. Because at the end of the day, the JavaScript itself isn't the problem as it is only a tool which does what it is told.
2020-02-03 Update: I have since switched from NoScript to uMatrix. It provides a much better end user experience and the default settings (which allow resources loaded from first party domains) allow a lot of sites to at least somewhat work without tweaking the rules.