Solved Vivaldi Browser: Privacy Review
-
A pay to gain site perhaps?
In our endeavour to remain anonymous and private we unwittingly make ourselves stand out.
-
@kshitijsubedi
The same website has been discussed in this thread https://forum.vivaldi.net/topic/68059/vivaldi-browser-privacy-review/. In that thread my colleague @MattEclipsed replied with the following:
The tests on that page are largely aimed at fingerprinting and tracking heuristics. Rather than relying on heuristics to detect fingerprinting or tracking being used - which can either break websites or create false positives and negatives - Vivaldi's tracker blocking simply blocks the websites that use it. This allows the APIs to work on websites that use them for legitimate purposes. There are pros and cons to either approach, but we favour the approach that causes least disruption on legitimate websites, while still protecting your privacy. That page does show a couple of minor things that should be different, however, and we are looking into those.
-
Speaking of fingerprinting...
- https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/
- https://www.ghacks.net/2022/01/31/your-devices-gpu-may-be-used-for-fingerprinting-purposes/
It's all beginning to feel pretty hopeless.
-
This is a good test: https://coveryourtracks.eff.org
-
@guigirl said in Vivaldi performed severely on the privacy test.:
Speaking of fingerprinting...
- https://www.bleepingcomputer.com/news/security/researchers-use-gpu-fingerprinting-to-track-users-online/
- https://www.ghacks.net/2022/01/31/your-devices-gpu-may-be-used-for-fingerprinting-purposes/
It's all beginning to feel pretty hopeless.
I disable WebGL on Firefox (via about:config) and use an extension to spoof the fingerprint on Vivaldi. Therefore, if I ever came across a site that actually used/needed WebGL, Vivaldi would still be able to work on it.
If you don't crank-up the fingerprinting-resistance too high, you can give false and ever-changing font/WebGL/canvas/audio-context fingerprints without even breaking realtime communication things like MS-Teams.
I follow a general principle of using the most broken/restricted/locked-down browser (or browser-profile) I can that still allows the site I'm viewing to work. I therefore have a few different browsers/profiles for different sites/purposes. I don't mind the additional inconvenience - but I used the net in the era before tabs, when you signed out of a given service the moment it didn't have your attention anymore, so it's just a habit to me... most people nowadays are permanently signed-in to their Goggle, Facecrook and Microspy accounts as they wander round the web, and like the convenience of opening everything in one browser-session and never having to type a password.
-
@guigirl Every time we read about fingerprinting, it's always "researchers find this, security boffins find that..." etc, but has anyone ever shown that fingerprinting is actually being used to track users outside of purely theoretical research?
Even if something is theoretically possible, does not necessarily mean it's being used in practice.
The way I see it, when 99.99% of web users don't even know/care about 3rd-party cookies or how to turn them off in the browser, the tracking companies have very little incentive to implement costly tracking based on fingerprinting, when they already get all the data they need through the traditional cookie-based means.
And even if working - since it's based on creating a unique fingerprint - it's prone to failing if even a single one of the values changes, like IP (most ISPs change user IP at least every couple of weeks) or other values like version of the browser etc. Any single one of these changes, and the fingerprint is useless for identifying a user.
When you see the protests over stuff like FLoC and Chrome planning to phase out 3rd-party cookies, coming not just from privacy advocates but also coming from competing tracker companies, it's clear that these companies have a lot of vested interest in cookies being used for tracking, and that fingerprinting is not a feasible alternative for them, at least not yet.
Maybe if 3rd-party cookies are phased out some day, let's say five years from now (at the earliest?), then fingerprinting might have matured enough to be practical for the tracker companies to use. It remains to be seen.
Until then I wouldn't worry too much about it, the trackers already have such huge amounts of data on user interests, they care little about the minuscule minority of users that are concerned enough about privacy to take active measures like fingerprint-blocking.
Caveat: If I was say, an investigative journalist working under an oppressive regime, or a criminal dabbling in darkweb stuff, then yes - I would take serious measures to protect my identity whatever way I could. However, this would be to protect against intelligence agencies and police trying to find my identity, not against ad-trackers trying to serve me targeted ads. There is a big difference here.
-
@jamesbeardmore said in Vivaldi performed severely on the privacy test.:
disable WebGL on Firefox
Ditto. No site i use seems yet to have broken.
@jamesbeardmore said in Vivaldi performed severely on the privacy test.:
extension to spoof the fingerprint
Ditto, V + FF.
@jamesbeardmore said in Vivaldi performed severely on the privacy test.:
I follow
Yes, but... the point of the two links i posted is that GPU F/P is utterly immune / impervious to any of that "easy" stuff. That's why i feel despondency encroaching.
@pathduck said in Vivaldi performed severely on the privacy test.:
has anyone ever shown that fingerprinting is actually being used to track users outside of purely theoretical research?
Yeah yeah, i know this line [iirc we've discussed this same theme before], & i do indeed see your point, which afaik might be utterly correct. However... i bought this gross of aluminium foil [special deal; buy one, get 143 free!]... gotta use it for sumfink!
Even if something is theoretically possible, does not necessarily mean it's being used in practice
I have a feeling that the last time we jousted on this, some silly purple-lover riposted with something about Manhattan Project.
-
@pathduck said in Vivaldi performed severely on the privacy test.:
@guigirl Every time we read about fingerprinting, it's always "researchers find this, security boffins find that..." etc, but has anyone ever shown that fingerprinting is actually being used to track users outside of purely theoretical research?
Even if something is theoretically possible, does not necessarily mean it's being used in practice.
The way I see it, when 99.99% of web users don't even know/care about 3rd-party cookies or how to turn them off in the browser, the tracking companies have very little incentive to implement costly tracking based on fingerprinting, when they already get all the data they need through the traditional cookie-based means.
And even if working - since it's based on creating a unique fingerprint - it's prone to failing if even a single one of the values changes, like IP (most ISPs change user IP at least every couple of weeks) or other values like version of the browser etc. Any single one of these changes, and the fingerprint is useless for identifying a user.
When you see the protests over stuff like FLoC and Chrome planning to phase out 3rd-party cookies, coming not just from privacy advocates but also coming from competing tracker companies, it's clear that these companies have a lot of vested interest in cookies being used for tracking, and that fingerprinting is not a feasible alternative for them, at least not yet.
Maybe if 3rd-party cookies are phased out some day, let's say five years from now (at the earliest?), then fingerprinting might have matured enough to be practical for the tracker companies to use. It remains to be seen.
Until then I wouldn't worry too much about it, the trackers already have such huge amounts of data on user interests, they care little about the minuscule minority of users that are concerned enough about privacy to take active measures like fingerprint-blocking.
Caveat: If I was say, an investigative journalist working under an oppressive regime, or a criminal dabbling in darkweb stuff, then yes - I would take serious measures to protect my identity whatever way I could. However, this would be to protect against intelligence agencies and police trying to find my identity, not against ad-trackers trying to serve me targeted ads. There is a big difference here.
I couldn't have said it better myself. I forgot to say on my post, I go out of my way to resist tracking more out of principle and to make a point, however small... not because of my actual threat-model. I resist because I don't consent.
The main forms of tracking I see around the web are the easy, "low-hanging fruit" type of stuff: pixels, ads, cookies, and that garbage that gets added to URLs. I see the occasional bit of canvas fingerprinting. It's rare I notice much else being triggered. That's not to say it's not happening, I could be not noticing it all (that's the point of tracking, isn't it) - but I think most average users are so oblivious to it all (or uncaring/complacent) that the spyware companies can get 90% of the data they need from these easy methods (10% of the effort). Until more people start blocking these, it probably doesn't make commercial sense for them to expend resources attempting much more yet. There is still a handful of fingerprinting techniques I've not yet observed "in the wild" anywhere I tend to browse.
Not that I'd say we can become complacent - but at present, I'd suggest that you can easily block the majority of tracking without too much inconvenience, unless you have a rather unnerving threat-model - at which point, your web browser is only scratching the surface of your problems.
We can only dream of the day that surveillance-capitalism is outlawed and abolished worldwide, and those responsible for it are executed (preferably in an extremely slow, painful and undignified manner) and sent back to hell where they belong.
-
@jamesbeardmore said in Vivaldi performed severely on the privacy test.:
sent back to hell where they belong
Pffft, nah, don't let them off so easily. They actually deserve the TPV, then the B Ark.
-
@guigirl said in Vivaldi performed severely on the privacy test.:
Yes, but... the point of the two links i posted is that GPU F/P is utterly immune / impervious to any of that "easy" stuff. That's why i feel despondency encroaching.
In order to fingerprint the GPU, surely certain conditions have to be met, which can presumably also be disabled?
- WebGL is enabled
- You allow the tracking/fingerprinting resources to load, and/or the tracking/fingerprinting script to run
- Your browser responds truthfully and consistently to the tracking/fingerprinting script's commands
Therefore, disabling WebGL and using NoScript or uBlock Origin's advanced (uMatrix-like) mode should go some way towards resisting this. And potentially, regular simple-mode uBlock users and those with ordinary antifingerprinting extensions should have at least a small degree of protection.
As long as at least one person remains somewhere, who has not yet been fully assimilated by the Borg, there's still hope.
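
An added example, not part of the post above or of any forum member's code: a self-check you can paste into your own browser console to see whether the first and third conditions listed in that post hold for the current profile. The function name `auditWebGLExposure` and the report fields are assumptions made for this illustration.

```javascript
// Added example: report what a script could read from WebGL in this browser.
// `doc` is normally the page's `document`; it is a parameter so the logic can
// also be exercised with a stub outside a browser.
function auditWebGLExposure(doc) {
  const report = { webglEnabled: false, vendor: null, renderer: null,
                   readbackStable: null, notes: [] };
  const canvas = doc.createElement('canvas');
  let gl = null;
  try {
    gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
  } catch (e) {
    report.notes.push('getContext threw: ' + e.message);
  }
  if (!gl) {
    report.notes.push('WebGL is unavailable, so the first condition is not met');
    return report;
  }
  report.webglEnabled = true;

  // The unmasked GPU vendor/renderer strings are exposed only via this extension.
  const info = gl.getExtension('WEBGL_debug_renderer_info');
  if (info) {
    report.vendor = gl.getParameter(info.UNMASKED_VENDOR_WEBGL);
    report.renderer = gl.getParameter(info.UNMASKED_RENDERER_WEBGL);
  } else {
    report.notes.push('WEBGL_debug_renderer_info is hidden or blocked');
  }

  // Third condition: draw the same frame twice and compare what is read back.
  const snapshot = () => {
    gl.clearColor(0.2, 0.4, 0.6, 1.0);
    gl.clear(gl.COLOR_BUFFER_BIT);
    return canvas.toDataURL();
  };
  report.readbackStable = snapshot() === snapshot();
  // A stable read-back does not prove the absence of spoofing: some extensions
  // randomise per session or per site rather than per read.
  report.notes.push(report.readbackStable
    ? 'identical renders read back identically (repeatable value)'
    : 'identical renders read back differently (per-read noise is active)');
  return report;
}

// In a browser console this prints the report for the current profile.
if (typeof document !== 'undefined') {
  console.log(auditWebGLExposure(document));
}
```

Run it once in each browser profile you use; it only inspects the local browser and sends nothing anywhere.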
-
@jamesbeardmore said in Vivaldi performed severely on the privacy test.:
unless you have a rather unnerving threat-model
If your threat-model consists of "I don't like targeted advertising" then I'd say there are worse things to worry about.
Sure, data collection can be a threat to democracy, as we've seen in the Cambridge Analytica case. But man, shouldn't people at least be able to think for themselves?
It's the old dilemma of democracy I guess - even the anti-democrats (and idiots) have the right to vote...
-
@pathduck said in Vivaldi performed severely on the privacy test.:
people at least be able to think for themselves
You're right, Shirley.
You’re ALL individuals!
Yes! We’re all individuals!
You’re all different!
Yes, we ARE all different!
I’m not …
Sch!
-
@cocreate We had many posts here about PrivacyTests
-
@westlaner Without brand loyalty, there can be no growth of the brand. With brand loyalty, there will always inevitably be some defense of the brand. Goes with the territory. There is nothing untoward with folks offering reasons why they feel their loyalty is justified.
-
@westlaner I don't think so. I think you may mistake brand loyalty for "circle the wagons." You say "there is a..." without citing an instance or source of this thing that "there is..." resulting in an unprovable and unfalsifiable generality. I think you may see people showing loyalty, and interpret it as defensiveness, but there really is no way for me to know because you have not cited an instance or a source. So, potayto, potahto...
-
@westlaner That is lesson no. 1 and the first basic law concerning internet argumentation. No one ever wins, and no one ever changes their mind.
-
@cocreate said in Vivaldi Browser: Privacy Review:
he also regrets dropping Presto of Opera.
That's not strictly true. He said if he were still at Opera, Opera would still have its own engine. The reason it changed was because he was leveraged out of control of the company (which is also why he decided to leave, as they changed in a direction he could not support). So he can't really regret something that someone else did after he lost control of the company. Just trying to be accurate.
Of course he also explained why, today, no one is building their own engine. It's just too much work to first, build it, and second, try to keep it compatible with a web that is following another engine around like a puppy dog. What he told me, in a chat we had at the Magnolia Vivaldi offices, was that his estimate was that to keep the Presto engine competitive would have required an additional 100 core team developers or so. He was ready to go that direction. The Opera investors, who had gained control of the company, were not.
-
@cocreate, currently everybody depends directly or indirectly on Google (Blink, Mozilla/Gecko, sponsored by Google and surveillance advertising by Alphabet and NEST), Apple (WebKit) or M$ (Google AND M$). All other engines have compatibility issues, are outdated or discontinued. This is the problem: privacy only depends on the browser companies, stripping out the spyAPIs, and the user himself, using privacy search engines, VPN, ad/trackerblocker and common sense in the use of services of certain companies.
-
So this may be a flawed - perhaps highly flawed or even downright deceptive - comparison, but Vivaldi is not looking very great here.
The guy who created this page actually works for Brave in "privacy engineering" and he does not outline the test methodology. For all we know he leaves the ad and tracker blockers in Vivaldi disabled or something. (Especially considering my overall opinion of that project's ethics)
But it's certainly "interesting" in any case.
-
@Pathduck said in Vivaldi Browser: Privacy Review:
@guigirl Every time we read about fingerprinting, it's always "researchers find this, security boffins find that..." etc, but has anyone ever shown that fingerprinting is actually being used to track users outside of purely theoretical research?
Yes, over and over again. These adtech companies would not spend millions and millions of dollars on developing this tech if it didn't benefit them greatly. (And by benefit, I mean "track everything on the web that people do and make boatloads of money from it", because that's their business-model)
This ignorance is not impressive for someone who deleted my post from last night and subsumed it into this thread which 99.99% of the people browsing the Vivaldi forums will now never see.
Convenient.