Nothing private


#1

This website http://www.nothingprivate.ml/ remembers me (and therefore tracks me).
I’ve tried both with PureBrowser and TOR-browser.
How do they achieve this? Is there a workaround, to be forgotten?


#2

Hi @patata,

  • Is your public IP static?
  • Are you behind a VPN?
  • Do you flush the cookies regularly (e.g. when closing) in your browser?
  • Do you have javascript enabled?
  • Does your browser send the same ETag to their website when trying to reach it?

I can recommend the Electronic Frontier Foundation’s Panoticlick website. It is a goldmine of information regarding tracking.


#3

You might also look at the source code for nothingprivate.ml at Github. The project front page explains a bit about how it works, and has additional links for further reading.


#4

Just be on a VPN at all times, change your IP often (usually by disconnecting and reconnecting), block third-party cookies, and always delete all your cookies after every session.

That’ll keep sites from tracking you between different sessions.

Of course it doesn’t deal with tracking done in the same session. If you wanna turn it up even further, look into Self-Destroying Cookies, which constantly clears your cookies as you navigate the internet - deleting them as you go from site to site or close tabs. You may want to enter the settings and ensure to enable “Consider Open Tabs” and “Also Be Aware of Root Domains”. Otherwise the extension can get really annoying by clearing the cookies when you don’t actually want it to. I also tell it to only display notifications for 3 seconds instead of the default 6 because I don’t like them lingering for too long.

Of course, to achieve true anonymity… be behind a VPN + Tor and disable cookies and JavaScript entirely. There’s literally no way to be tracked in that case that I know of. However, I can’t recommend that because the internet pretty much needs cookies and JavaScript to function. Without them, you can’t log-in to any services, and many sites either look like garbage or are outright broken without JS.

Not to mention sooo many sites block Tor now. Cloudflare is definitely the biggest offender about it. Oh, and if you ever use Tor, make sure to only use HTTPS (set HTTPS Everywhere to block all unenecrypted requests). Otherwise the end-node can see your naked traffic, so yeah…

Oh, and disable WebRTC entirely as well. It can leak your IP. Some addons (EG: uBlock Origin and Privacy Badger) offer this, but their method can be subverted. The proper way to do it is to go to “about:config” and then search “media.peerconnection.enabled” and disable it. You should view the extensions as “soft” disabling it while this method “hard” disables it.

Of course just building Firefox without WebRTC at all is best… need to look into that sometime. Woolyss offers Chromium builds with NoSync, NoWebRTC, No Widevine - wish someone else did the same with Firefox.

Honestly, I have quite the Firefox and Chromium setups that I’ve been using for ages and I’m strongly considering releasing it as a “new browser distro” of it’s own. However I’m just gonna call it “Alex’s Browser” and not bother rebranding it or anything because I feel like those people who just rebrand Firefox or Chromium are misleading their audience into thinking they’ve made some new browser.

I think I’ll make a top-level post about it tomorrow or so, it’s late for today.


By the way, this probably all delved deeper than you really needed to know and I went off on a tangent a bit. Just try blocking third-party cookies and clearing your temp data, lmao.


#5

Nope, that’s none of these.
With TOR browser I change IPs and delete cookies every time I restart the browser. Javascript is disabled by default.
On PureBrowser I block all cookies (except a white list of ~50 trusted sites).
I’ve also tried FireFoxKlar (on my mobile) behind a TOR network, http://www.nothingprivate.ml/ still tracks me.

I went to Panopticlick and it returns that PureBrowser is not protecting me from fingerprinting.

For non-hackers like me, it would be nice to fix PureBrowser so that it’s not trackable by DEFAULT. If some actions are to be taken when installing the PureBrowser, a tutorial should appear upon installation.


#6

Please not that there can be false poitives with Panopticlick. When your browser generates fake information (as a protectio nagainst canvas fingrprinting as an example), Panopticlick will consider those as legitimate, and will believe those are the actual expected information.

You may have a particular signature, which would in theory make you trackable. But this signature is not consistent over time and HTTP calls, as it contains randomly generated information, making you immune to tracking. Panopticlick does not detect this.


#7

I wish this was the case, but if PureBrowser generates random signatures, how do you explain NothingPrivate remembers my name?
Try it for yourself, visit NothingPrivate with a default PureBrowser. (I have default configuration + blocked all cookies)


#8

I somehow expected this answer, I did not explain myself very well :slight_smile:
What I meant is Panopticlick can generate false positive, not that PureBrowser was a false positive.

I do believe you. I am not a regular PureBrowser user. I use mostly Firefox with some extensions (uBlock Origin, uMatrix, Decentraleyes, Containers, Canvas Blocker).

The bitter truth is privacy comes at the cost of convenience and sometimes at the cost of usability at all. I believe in Purism, in their ideal, but I do not believe privacy can be achieved on the web by Average Joe with a browser out of the box. The profiling techniques used by many are really advanced, and preventing the tracking can take a good understanding of what your browser does when you browse the web.


#9

If, with all these extensions, you manage that NothingPrivate forgets you,
then i think it might be good to put them in the PureBrowser bundle.

I prefer to consciously disable the extension for some specific sites that wouldn’t work otherwise, than being tracked by all sites, with the default settings of PureBrowser.
Isn’t it Purism’s goal to make privacy accessible to Average Joe (=me)?


#10

Purism runs on Linux. I don’t think anything about it is quite “average joe”. They deal with things like the Intel ME so you don’t need to, which is far more expert-level stuff that requires a bit of a team, but Linux in general isn’t what I’d consider user-friendly for newbies or “average Joes” who are used to Windows or MacOS. I wouldn’t bother introducing my dad or grandpa or other older family members to all this for instance - those people hate change and would get frustrated and probably chuck the laptop across the room before yelling about how stupid and ridiculous modern technology is and how we’re all better off not pissing with it.

Ultimately I think Purism’s goal is to make systems that have no closed-source firmware and are 100% hardware-compatible with Linux. Everything else is on the user.

Privacy online takes effort. It also breaks most websites nowadays. If you’re passionate about remaining private and anonymous online, it’s going to take work on your part, one way or the other.


Anyway!

Purism obviously isn’t going to make PureBrowser work that way because blocking all cookies and JS by default literally breaks the internet, more or less. And people would be coming in here griping that nothing works if they did that. Even just disabling WebRTC like I suggested would fill the forum with people complaining that Netflix doesn’t work. It has to be configured in a way that allows 99% of the internet to work without user intervention, or we’d be over our heads in “Purism is broken!” complaints and probably horrible reviews all over the internet about it. When you lay down thousands of dollars for a computer you expect it to work out of the box, and if it didn’t a lot of people would be having very negative kneejerk reactions and outrage.

As for why that site can still track you - did you ensure that your DNS isn’t leaking or something? Look-up what your VPN’s DNS’ are and configure your machine to use only those DNS.

Visit ipleak.net and ensure that you aren’t leaking your real IP.

Aside from that, it could potentially be fingerprinting. But fingerprint-blocking methods are a bit debated on how effective they are - many saying it just makes your fingerprint even more unique by blocking fingerprints.

SafeScript allows you to block all fingerprinting methods and generate a random readout for Canvas Fingerprinting. That’s what I do. I have a very custom configuration for this extension though, which I’ll elaborate on in a post about my browser configs. The TL;DR is that I configure it to only block “unwanted” scripts and block all the other things it can without impacting normal browsing too much.

I’m not looking to break normal browsing and require manual input for every single site you go to. My arrangement will block all known unwanted things while not pestering the user into constantly have to add items to a whitelist or figure out what’s breaking the websites they use.

Anyway, that’s about all the idea I have as to what the problem may be. If you’re behind a VPN, keeping your cookies cleared, and have WebRTC disabled - DNS leaking and fingerprinting are all else I can think of. If it’s none of those and they’re STILL managing it, I’d be rather baffled at that point.


#11

I will completely disagree with this.

  1. My 65 yo mother prefers Linux not Windows.
  2. People who “are used to windows and hate change” will not buy a librem in the first place.
  3. When one buys a “Security-focused laptops for everyone” it should be expected that EVERYONE (not only the ones who know programming) will have a laptop which will NOT track him.
  4. I do not add to white list “every time” i visit a website. I only do it for the 1st visit.
  5. The problem is not the IP. Nothingprivate can make the difference between 2 different devices with the same IP.

When I bought this laptop, I never wanted to make work, efforts, or learn computer languages (I already speak too many human languages).
I expect the maximum privacy, and if certain sites do not like my settings, I don’t want to visit sites that soak my data in the first place. Purism is working just fine, Netflix is broken.


#12

Well we just come from different life experience then I suppose. I’m used to getting shouted at for “cocking up” devices with security and privacy methods. Privacy will always be at odds with convenience, I think.

I stand by what I said about PureBrowser blocking everything by default though. We’d be over our heads in complaints. You’re in a bit of a minority group that’s okay with it being this way. Maintaining maximum security / privacy is a headache to most people. A headache they’d expect Purism to “figure out” for them, which is why they bother buying a Purism machine to begin with. But in truth there’s no simply “figuring out” this kind of thing for people. All Purism is gonna do is clean out the ME and Firmware and ensure the system works perfectly on Linux. Aside from that, it’s all on the user. If you can use ME_Cleaner and install Coreboot and what-not yourself then there isn’t even much of a point to buying a Purism machine other than supporting the cause and their research to reverse-engineering the ME, honestly. I mean, the design is nice and the killswitches are nice - those are the only truly unique things they have. You can just copy everything else yourself if you have compatible hardware.

If you’re buying from Purism, I assume you’re either just supporting the devs, or you’re just not tech-savvy enough to do it yourself, in which case you wouldn’t want all this stuff blocked by default and it’d probably just confuse you. It has to be designed in a way that works for the lowest common denominator, more or less.

If it has nothing to do with IP and you’re verfied that, I have no idea what it is then honestly. You’ve totally cleared your cookies and cache, right? Aside from all that, there’s fingerprinting - they’re identifying your machine based on your hardware from fingerprinting readouts. Try blocking / spoofing these and see where it gets you.

Aside from that, I honestly just haven’t the slightest clue from there and ain’t going to pretend I do.


#13

Yes we are a minority group, who choose maximum privacy. People not interested in privacy and who prefer convenience will go on Facebook Netflix and all those sites. Why buy a Librem when people want to give away their data so easily?

Let’s make a comparison :

You have a shop with organic, local food. Customers might not be interested to know how the food is grown, they simply expect NOT to find Monsanto food.
What do you do when you are out of organic local apples?

  1. You bring organic apples from far away.
  2. You bring monsanto apples from a nearby field.
  3. You tell your customers that you’re doing your best to get organic local apples.
  4. You tell your customers to grow their own apples. (What you’re suggesting me, by fixing my browser).

#14

I’d imagine most people who buy from Purism are expecting Purism to magically protect them from being tracked online. If you actually ARE tech-savvy, like I said in my last post, in that case you could just copy all the methods Purism uses and just go your own way with things with your own build.

Honestly, I think Purism is in a bit of an awkward middle-ground I think - a middle ground that ends-up being a bit unsatifactory to both tech-illiterate and tech-savvy people alike.

I think they’re marketing to tech-illiterate people who want all the positives that tech-savvy people make for themselves without having to learn anything. But that means Purism needs to be careful not to annoy them by blocking everything by default. Otherwise they’ll just be flooded with people saying their product is broken.

Meanwhile the truly tech-aware people might be arguing that buying a Purism machine is silly when you could easily just copy all the things they’ve done in their machines yourself with your own machine, and then some. They’d also protest their trying to satisfy the lowest-common-denominator, as you’ve been talking about.

The lowest-common-denominator of people in this are: People that want security/privacy but don’t want to change their habits or put any effort into getting it. That’s the only reason they even buy a Purism machine. They expect magic. The same reason they buy Antivirus software to nanny and protect them from their own ignorance. People always want to have their cake and eat it too.

Kinda hard to make everyone happy here. I think Purism is just going to go with the configuration that generates the least complaints, which is what I’d be doing. That configuration is one that uses rules that 99% of the internet works with while blocking as many known unwanted trackers and security issues as possible.

It’s a middle-ground. Not gonna make everyone happy. But the truly tech-knowledgeable can configure their own systems, and meanwhile the tech-illiterate won’t be flooding the company with complaints.


#15

Anyway! Check your fingerprinting and spoofing your user-agent randomly. I’m honestly curious of how this site is tracking you otherwise. If I’m behind a VPN + Tor and have cookies cleared and fingerpringing + user agent is blocked/spoofed, I’d start to feel a bit uneasy if they could STILL figure me out. Would start wondering if my system has been bugged or something, lmao.


#16

Yes, that’s exactly what’s going on. Nothing Private uses the Client.js JavaScript library to do its fingerprinting:

If I understand it right, nothingprivate.ml stores the 32-bit fingerprint from Client.js together with the name you enter.

To see the different things Client.js uses to compute the fingerprint, check the demo site https://clientjs.org/ .

Digging into the data there, you might be able to find out how to reduce your uniqueness, or perhaps regularly change things so that your fingerprint changes.


#17

In that case you’re best off using either random readouts, or the most common readouts.

Fingerprinting is a really tricky one to deal with. Thankfully you’d pretty much always have plausible deniability if someone could only track you down via fingerprinting. I don’t think it’d be nearly definitive enough to hold any water in court or something of that nature. Tracking via fingerprinting is a method that requires making a lot of assumptions.

There’s plenty of tools that can be used to spoof or block your fingerprints and user-agent. I’m also aware of tools that allow you to change your readouts system-side - beyond the browser and in the OS.

But ultimately the effectiveness of it all is arguable. I think it’d be really difficult to trick the FBI & NSA if they were after legitimately after you. For example, I use Mullvad VPN, they could identify that I connected via a Mullvad IP and correlate that with my fingerprint, then start making a suspect out of anyone that connects over Mullvad that has even a similar fingerprint, or speech/wording patterns, etc.

When I want to track someone for real, there’s five main things I look out for:

  • IP Address Patterns (they may come from the same ip range, general region, or VPN/proxy service).
  • Fingerprint / User-Agent Patterns (similar readouts. Seemingly random or blank readouts can ALSO be used as a correlation, and completely blocked readouts most certainly can be).
  • Patterns in the user’s choice of usernames.
  • Patterns in the user’s choice of info (sex, age, location, etc)
  • Patterns in the user’s overall speech and personality. (EG: How they talk. What words they tend to choose to use over others. How they structure their sentences and paragraphs. How they deal with grammar. Common spelling mistakes they make. What their interests are. Etc).

I think it’s REALLY hard to mix it all up enough to skirt someone who’s serious professional who’s determined to catch you. I think you’d have to use multiple VPN services, change your fingerprint to specific common readouts often (and never change it in the middle of a session), and be very careful to not sound like the same person either - essentially editing your entire personality and putting on a new face.

I figure Tor can help a lot with the IP end of things, but we all know it comes with it’s own concerns.

In the end since I’m not a criminal or anything, I pretty much just go to the reasonable extent to protect my security/privacy. Meaning just using a VPN so that my ISP or any wiretappers can’t see my naked traffic, and my passwords are safe etc. I figure if you were running from globally-influential three-letter agencies, boy, you’re in for a headache.

Ultimately, it’s incredibly difficult to keep yourself from being identified at least loosely on the internet (they’ll at least know that you’re the same person, even though they won’t necessarily know your real name and info unless you were careless and leaked it). However it’s relatively easy to keep yourself from getting hacked, which is actually a different topic altogether. Anonymity is harder than security nowadays it seems.

In the end I’m not terribly sure what the actual best way to deal with fingerprinting is. That’s a tricky one. I think you might have reasonable arguments between people who say “Use the most common readout possible” and others who would say “Randomize the readout” or “Blank readouts” or “Block the readout”.

It’d be nice if we could get some kind of movement going where everyone on the internet agreed to just use the same fingerprint readout. It wouldn’t be useful anymore in that case, since everyone would be the same! But lmao, good luck with getting that to happen right?


#18

I like your suggestion. We cannot convince everyone in the internet, but if all PureBrowser have the same readout by default, then we’re anonymized, Aren’t we?


#19

Well if we’re to go that route, we should analyze data that’s been collected from the general populace and determine what schematics are the most common.

But even if you use all of the most common individual readouts, you’re still going to end up with a readout that only a tiny percentage of users have. And one issue would be if certain hardware in the readout are never found in the same system.

I’ll bet that the most common readout is that of a MacBook or iPhone model, tbh, considering how standardized they are.

Anyway, yeah if we could have an extension that spoofs people’s user-agent and fingerprints to be the same as the most common readouts and have as many people adopt it as possible, we could probably break tracking via fingerprinting by polluting the fingerprint pool with duplicates.

Identification through fingerprinting and user-agents only works as long as everyone’s is unique. If we wage war on the uniqueness itself and make everyone’s the same, it doesn’t work anymore.

The problems of course is that some sites use user-agents and fingerprinting to execute important functions or decide how it needs to display content. Furthermore, it would also make the gathering of statistics far less useful. Quite a headache for developers who rely on collecting statistics in order to know how to tailor their designs and troubleshoot problems, probably. And users of it would need to be able to troubleshoot and allow fingerprinting for individual sites that require an accurate readout. I know some that do.


#20

Although i don’t understand much, i like to see that there’s a solution in sight.
Having a readout that a tiny percentage have is infinitely better than having a unique readout.
For the screen size, the readout should be the real size of the screen (13’ or 15’) this size is not unique (is it?).