I recently tried to clean up my digital life. I switched to Linux and switched to GrapheneOS and made more use of my proton subscription to replace google. But I have a few questions :
I tried https://coveryourtracks.eff.org/ on Librewolf on my PC and Vanadium on my phone and it say I have a nearly unique fingerprint. Is the benefit of using a privacy focused browser neglected by the low userbase and unique fingerprint ?
I did not have a great digital hygiene before so I have a google account, meta… How do I clean this up ? Are services like Incogni any good or is it just marketing ?
Finally I wanted to use tails with persistent storage to use as a live system if I ever need to use a PC that is not my own to connect to my accounts. However, I don’t want the ISP to know I use Tor. I see it as a big “I have something to hide” flag for the ISP. But my understanding is if I install a VPN on tails it will be Tor over VPN (bad if I understand correctly) instead of VPN over Tor. Should I use something else than tails since I only want/need always on VPN with kill switch.
Thanks a lot for your help. I want to say the journey is much easier than what I anticipated. The hardest part is making people switch around me. The lobbying has started.
TL;DR The only way to avoid a near unique fingerprint is Tor Browser
Longer explanation: There are too many styles of fingerprinting protections: randomized and normalized.
Librewolf inherits its fingerprint protections from Firefox (which intern was upstreamed from the Tor uplift project. It works by taking as many fingerprintable characteristics (refresh rate, canvas, resolution, theme, timezone, etc) and normalizes them to a static value to be shared by all browsers using the feature (privacy.resistFingerprinting in about:config). The benefit of normalizing is you appear more generic, though there are many limitations (biggest of which is OS because you cant hide that). The purpose design of these protections stems from the anonymization strategy of Tor which is to blend in with all other users so no individual can be differentiated based on identifiers. Since Librewolf has different a default settings profile to Tor (or Mullvad) and even vanilla Firefox with RFP enabled, the best you can hope is to blend in with other Librewolf users (which you really cant, especially if you install extensions or change [some] specific settings). Instead, the goal is just to fool naive fingerprinting scripts, nation states or any skilled adversary is out of the scope.
Brave (or Cromite) uses the strategy of randomizing fingerprintable characteristics. This is only meant to fool naive FP scripts but in my opinion (when done right) is better at fooling naive scripts. The biggest problem is that these attempts by other browsers and not as comprehensive as Firefox. I think Cromite does a better job than Brave: it is the only browser which fools Creepjs that I have tried by creating a new FP on refresh. Cromite required some configuring to get to place I wanted it, but so does every browser.
The advantage with Firefox forks is that vanilla Firefox has RFP and therefore so do the forks (though most dont enable), but you dont blend i with a crowd (making it far less effective than MB or Tor). The advantage of Brave or Cromite is a randomized FP, bit since it isnt upstreamed (and Google will never do that) you stand out like a sore thumb. Either way is fine though for basically everyone.
The only browsers I know that work against Creepjs are as follows:
- Mullvad (persistent FP)
- Tor (persistent FP)
- Cromite (randomized FP)
@Neptr @Username85920
by default TOR browser did not pass the fingerprint testYour browser has a non-unique fingerprint.Definitely need to change some settings in the browser , I’ll try
Thanks a lot for the detailed answer.
My goal is pretty simple : I don’t want to give my data with big tech and gov for ideological reason more than for security but I don’t want to use tools that makes me stand out like a sore thumb.
Mullvad has been recommended twice, I’ll have a look and see if it fits my need.
Their website (https://coveryourtracks.eff.org/learn) do mention the concern you have; Blocking trackers means you are a user with a very specific privacy settings. I suppose it would be like going around with a full face mask; You are technically private, but you are uniquely identifiable unless someone else does that. I also get “Uniquely Identifiable” on my personalised browser, but nothing like it when I try it out on newly installed Mullvad browser with no changes.
Not that I know much about how Tor traffic is identified, but Tor bridges seems like a potential solution? I would dig into that a bit more.
I did not tinker a lot with LibreWolf, it only has protonpass and ublock origin (it came with it).
I did not change anything on Vanadium but I understand Vanadium is security over privacy.
Is there really a way to avoid both trackers and fingerprinting ? I’ll look into mullvad to see how it fares.
I’ve heard fingerprinting tests are all sus. Don’t put too much stock into them.
Best to do the clean yourself. A tip is to look through your gmail for email with “welcome” “confirmation” in the subject line. These will be accounts you signed up to with gmail. You can also google you email address and look through your password manager or Chrome for saved passwords. The really good news is unused accounts become less valuable to databrokers as the data gets out of date.
For Tails, use a Bridge to hide your Tor usage from your ISP.
I hoped I would not have to send GDPR request myself… Long work ahead :)
NoScript will improve your privacy by a lot, and will make webpages load faster, since it stops stylish and tracker-ridden JS. If a webpage breaks, you can flick a few buttons to temporarily allow JS (or permanently if you’ll be visiting that site a lot).
Tor over VPN is a fine solution if you want to hide it from your ISP, but I don’t think you should install extra stuff on TailsOS. Consider using Tor Browser + UblockOrigin on your own PC over a VPN, it’s pretty much the same thing if you’ll just be browsing online.
Oh-- and one important thing to remember: Don’t expend more effort than necessary for your own threat model. Consider the extent of your privacy needs and act accordingly, going overboard will only leave you tired for not much in return.
P.S.: mander.xyz has a Tor-based onion frontpage ;)
Tails is probably an overkill for my threat model.
What I want is pretty simple, be able to reboot any computer (ex: work computer) on my USB live system and be able to access my files, my emails… Instead of having to connect to my proton account without VPN on a normal browser on Microsoft.
So I guess I only need an encrypted live system with any distro. Tails seemed to be the solution because it only writes to ram and purge ram before shutting down. I don’t know if it’s a nice to have or a must.
What I want is pretty simple, be able to reboot any computer (ex: work computer) on my USB live system and be able to access my files, my emails
Tails with persistent storage is absolutely a good solution for this specific usecase. It’s designed for it and provides a free and secure encrypted proxy solution (Tor). On top of that, your internet activity will likely help the activists who really need Tor by “mixing” your traffic with theirs.
Tails has thunderbird installed by default, you can connect it to your email account (but do take note that proton only seems to allow 3rd party client integration if you install their bridge app thingy)
If it is your own computer, in your home network, just install the necessary apps on any old distro. Doesn’t matter
I don’t know if it’s a nice to have or a must.
Personally, I’d say nice to have, but it’s not the end of the world if you decide to use something else
Thanks for all the answers! It helps a lot!
For the unique fingerprint, using a lot of privacy apps /extensions makes you stand out more, because you’re likely the only person to use that exact configuration. The best way to hide is by obfuscating the data and sending random garbage.
Obfuscating the data and sending random garbage. How do I do that ?
Regarding Incogni, this video explains them pretty well
Thanks a lot! I’ll have a look.
Are they trustworthy?
I tend to ignore everything that advertises itself.
The content creator? I don’t know anything about him. The video stands on it’s own merits though. It seems well researched and quite balanced.
With no expertise on the topic, but having watched a few of his videos, he seems like a trustworthy guy. He often does read through of company policy and terms and service agreements to look at privacy infractions. He also prides himself on no sponsorships.
