I wrote a fairly long comment touching on why most browser and extension privacy features are just theatre and in reality tend to reduce privacy:
reddit.com/r/GrapheneOS/c
Services like Panopticlick are also incredibly misleading. Their approach is flawed and the data is tainted.
Also gave a shout out to Apple for shipping some genuinely useful privacy features in Safari. There are not many attempts at browser privacy features that I can say that about. It's nearly all privacy theatre. Safari does that too, but they shipped a few genuinely good features.
In general, extensions reduce privacy. Changing site-visible settings reduces privacy. Deviating from standard content filtering lists reduces privacy. If you use uBlock Origin and you deviate from the standard filters, that can be detected. Sites can enumerate what is blocked.
There are approaches aimed at actually fundamentally improving privacy, and then there are approaches aimed at gaming tests like Panopticlick or the impossible task of trying to enumerate everything bad while generally ignoring all of the tracking done via first party assets.
Privacy conscious people want to take action to improve their privacy, and when it comes to a browser fingerprint that's really the opposite of what you want to do. You don't want to stand out. It's definitely frustrating that making decent changes is bad unless upstream does it.
It's also worth noting that with JavaScript enabled, there is no browser that does much to prevent fingerprinting. That includes the Tor Browser. The Tor Browser does a great job at making real improvements, but if you use the mode with JS, the reality is this battle is lost.
It's possible to fingerprint users based on things like mouse movement and other forms of interaction with the site and input. This goes beyond fingerprinting a browser. You can track a user across browsers or even devices based on how they use a mouse, type, writing style, etc.
Consider what can be done even without JavaScript, like tracking mouse movement in real time over a grid:
twitter.com/davywtf/status
Now, consider what clever people working on this full time can do with JavaScript including using performance measurements and timing attacks...
Quoted tweet:
Here's a PoC that confirms my hunch.
*Neither* of these windows use JavaScript but the position of the cursor in the left window is sent to the right window. This works on Tor Browser with JS disabled.
So, for example, when Apple made the change of hiding the GPU details to try to mask differences between devices, I don't understand the point behind it. In general, I don't understand what most browser 'privacy' changes are really supposed to accomplish. Make users feel better?

