8/21/2019 5:38:19 PM
If you are a regular visitor, you know that I normally update my site with new content on a monthly basis. However, the events of the last 24 hours have compelled me to break with tradition and reach out to the wider world as soon as possible.
I already hear you asking, "What happened, Jay?" Well, the modern web happened, that's what. Since I'm a web developer you are probably operating under the assumption that I'm acquainted with the modern web and its basic rules more so than most. You aren't wrong. However, I am not infallible. That having been said, the events of the last 24 hours have forced me to take a long hard stare at one of my blind spots, produce a full accounting of the horrors that were subsequently revealed to me and react accordingly.
So how did my world get upended? Well, it started with this Reddit thread in which the subject of discussion is a video Linus Tech Tips made about browsing the web anonymously. Please note: I am not endorsing this video. It contains so much inaccuracy and bad advice that it should probably be pulled from their channel. Now while I was reading through the thread and enjoying reading rants about the inaccuracies in the video, it occurred to me that I haven't spent much time considering my browser's fingerprint.
For those not in the know, fingerprinting refers generically to any technique in tech that can be used to identify a specific device and/or user. This makes browser fingerprinting insanely important because it means that unless you make an effort to make your fingerprint less specific and less unique, you can still be tracked regardless of whether or not you block ads, trackers and use a VPN to browse the web.
Keep in mind that at this point, I was still feeling damn good. But at some point somebody posted a link to the EFF's fingerprint testing utility in the thread and I clicked on through thinking that the results would only serve to further reinforce how great I was doing with privacy. I couldn't have been more wrong. The schadenfreude I was experiencing suddenly became the sinking feeling in the pit of my stomach as I realized that I was completely and utterly full of shit.
But wait, what the hell happened? I use Linux. I use Firefox. I do all kinds of things that make my life harder but also theoretically increase my level of relative privacy in a variety of circumstances. Turns out that a lot of these choices were actually serving to make my browser fingerprint more unique. After all how many people are in the habit of browsing the web from a Linux laptop? How many people actually use Firefox as their primary browser? Hint: the combination of those two factors alone makes me much easier to identify. Throw in a few odd font choices and the fact that my odd screen resolution combined with my specific UI config in Firefox creates a situation where not only was I easy to identify, but my signature was actually unique:
This was not an easy revelation for me to bear. Everything I was doing was thrown into flux. I immediately began trying to find another more secure browser that wouldn't allow people to do this to me. After about an hour of madly bouncing around the web like a chicken with my head cut off (and likely being tracked quite competently the entire time, hopefully the irony won't be lost on our tech overlords) it suddenly hit me like a bag of bricks:
To summarize I installed NoScript into Firefox and set it up appropriately. Here are the results of the EFF test afterwards:
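To make the before-and-after concrete, here is an added example (not part of the original post, and not output from the EFF test) that measures how identifiable one visitor is within a population. The visitor records, their counts, and the assumption that screen size and fonts are only readable by scripts while OS and browser come from the User-Agent header are all constructed for illustration.

```python
import math

ATTRS = ("os", "browser", "screen", "fonts")
# Assumption for this model: with scripts blocked, a site only sees what the
# User-Agent header reveals; screen size and font list need script access.
HEADER_ONLY = ("os", "browser")


def build_population():
    """Constructed sample of 100 visitors (os, browser, screen, fonts). Not real data."""
    pop = [("Windows", "Chrome", "1920x1080", "win-default")] * 60
    pop += [("Windows", "Firefox", "1920x1080", "win-default")] * 12
    pop += [("macOS", "Safari", "1440x900", "mac-default")] * 20
    pop += [("Linux", "Firefox", "1920x1080", "linux-default")] * 5
    pop += [("Linux", "Chrome", "1920x1080", "linux-default")] * 2
    # The visitor of interest: Linux + Firefox, odd resolution, extra fonts.
    pop += [("Linux", "Firefox", "1366x741", "linux-extra-fonts")]
    return pop


def project(visitor, attrs):
    """Keep only the attributes a site is able to observe."""
    return tuple(visitor[ATTRS.index(a)] for a in attrs)


def anonymity_set(population, visitor, attrs):
    """How many visitors look identical to `visitor` on the observed attributes."""
    target = project(visitor, attrs)
    return sum(1 for v in population if project(v, attrs) == target)


def identifying_bits(population, visitor, attrs):
    """Surprisal in bits: -log2 of the share of visitors with the same values."""
    share = anonymity_set(population, visitor, attrs) / len(population)
    return -math.log2(share)


if __name__ == "__main__":
    pop = build_population()
    me = pop[-1]
    for a in ATTRS:  # contribution of each attribute on its own
        print(f"{a:8s} {identifying_bits(pop, me, (a,)):5.2f} bits")
    for label, attrs in (("scripts allowed", ATTRS), ("scripts blocked", HEADER_ONLY)):
        print(f"{label}: hidden among {anonymity_set(pop, me, attrs)} visitors, "
              f"{identifying_bits(pop, me, attrs):.2f} bits")
```

An anonymity set of 1 means the combination is unique in the sample; blocking scripts does not hide the OS and browser, it only removes the attributes that made the rest of the combination unique.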
Beyond installing NoScript, the real goal of this post is to get people to ask the question: How did we get to this place? Who is writing all of this nefarious code that is tracking all of us? Who is designing all of these apps which exploit our addictive tendencies in order to keep our eyeballs glued to them?
The answer is simple: Web Developers. I am a Web Developer and I have refused and will continue to refuse to do these kinds of things. I used to work with a client that wanted me to maintain their corporate website and help them create more ways to track their users' activity. I refused and eventually dumped the client while citing those kinds of requests as one of my primary reasons.
As a web professional, I am disheartened by the reality that we aren't doing any better than this. As a tech professional, I am disgusted at the growing collection of evidence which indicates that not only are we stunningly amoral but that we are apparently okay with exploiting the trust of our users in an effort to turn them into mindless click bots who might be more willing to buy shit they don't need.
2020-02-03 Update: I have since switched from NoScript to uMatrix. It provides a much better end user experience and the default settings (which allow resources loaded from first party domains) allow a lot of sites to at least somewhat work without tweaking the rules.