Companies like Flock that started out with just ALPRs are expanding to collect SIGINT data harvested by Bluetooth sensors at traffic lights.
This technology allows ALPRs to collect information the devices inside your car (what phone, fitness tracker, headphones, etc.). So now, the enforcement agencies using this tech will be able to tell exactly who is in the car based on unique device combinations.
While there are already cases of this data being abused by ex-partners and stalkers, we are overlook the abuse that can be done by this growing surveillance apparatus. What about the harm that can be done to journalists, activists, immigrants, or protestors when their movements are logged and reported to enforcement agencies?
Companies like Palantir already provide governments with information on our online activities, search history, sites visited, stuff like that, so the expansion of this monitoring just makes me feel uneasy.
Not only are they ignoring these opt-out signals, they're certifying CMPs that have useless opt-out banners and continue to set cookies after the banner is clicked.
Students often ask me why privacy matters if they have nothing to hide. The short answer is that surveillance changes behavior before the question of guilt ever comes up.
The Stoycheff research on NSA surveillance and search self-censorship and even the prison experiment are concrete examples of this.
(I meant to put a comment on my last post with this link. If you're moderating, please delete the other one)
Aurornis, I appreciate your comment and want to step in to defend myself.
The LLM writing style is simply not true. I am a high-school English teacher and if my students caught me using AI to do my writing, they'd rip me to pieces.
I included the GH link as a source of proof. While I did read the browsergate piece and ended up publishing my article as a result of, I noticed this was happening months ago because I am a developer myself and saw this very strange behavior in the LinkedIn dev console. The nature of my work is that I spend many hours sometimes staring at the dev tools to debug my JS injection, CSP rewriting, and header modification that 404 does.
Is 404 a tool to stop this? Yes. But that's the point. The reason why this type of thing is allowed to happen, browser fingerprinting, is because the public is unaware of it, so trying to educate the public is a part of my outreach. There are almost no tools on the market that allow for browser fingerprinting protection. Mullvad and Tor are close options, but they're often met with their own levels of scrutiny just for using their tools. For example, my school blocks the Tor network from being accessed altogether. Some websites can block the Tor fingerprint.
The original source is more technical, of course, but I was also in communication with the Browsergate team and continue to be so this is not a one-off journalist just trying to peddle his project. This has been my life for the last 2 years and I don't appreciate you discounting the work that privacy advocates do by splitting hairs and mincing my words.
While it may not be things I would think to install, maybe they're not extensions someone with certain affiliations would think to install.
I agree, and this is why I built 404. If you poke around the page a bit, you'll see a tool that prevents browser fingerprinting.
404 catches JS calls in JS proxies and returns mocked-up values (assigned by a profile), it also has protections against TLS fingerprinting, canvas fingerprinting, device enumeration, TCP/IP fingerprinting, HTTP header fingerprinting, and more.
The predatory practices that browser fingerprinting have enabled guised behind "fraud protection" are atrocious. Even with a VPN, even in incognito mode, a website can track me and see what I've been doing EVEN IF ITS NOT ON THEIR SITE.
Then a data broker buys all this data and uses an AI model to put it all into a pretty little package and sell it to Google, or the gov't, or something. It's scary.
This is unfortunately common practice on the internet.
Browser fingerprinting is the new norm. LinkedIn just didn't disclose it in their privacy policy. They do mention canvas fingerprinting and collecting other signals, but not specifically this extension enumeration stuff.
Yeah, the source I used is browsergate.eu. I do a lot of developing in the dev tools (browser fingerprinting protection tool on the same site) and so I was looking at the dev tools for linked in and saw the extension enumeration a few weeks ago. I didn't realize that's what was going on, but there was a repository from a few years ago that started tracking this. There's a HN link somewhere... nefariouslinkedin I think it was called.
Then, I saw the browsergate story drop on mastodon and thought "no way," lo-and-behold, there's a lawsuit in the works for it.
I found the audit to be a bit dense and hard to read, this is a response to that. I
This is made to fight client-fingerprinting. This is not a browser extension, but a network app that aims to give you full control over your fingerprint.
Included:
- localhost mitmproxy addons - for JS injection and HTTPS header rewriting.
- JavaScript - Comprehensive JS proxies and property overrides. Fights font enumeration, navigator fingerprinting, webRTC leaks, and much much much more. Take a look to find out, or ask a question!
- Kernel level packet spoofing - eBPF program attached at traffic control hook allows for low-level packet header modification.
This technology allows ALPRs to collect information the devices inside your car (what phone, fitness tracker, headphones, etc.). So now, the enforcement agencies using this tech will be able to tell exactly who is in the car based on unique device combinations.
While there are already cases of this data being abused by ex-partners and stalkers, we are overlook the abuse that can be done by this growing surveillance apparatus. What about the harm that can be done to journalists, activists, immigrants, or protestors when their movements are logged and reported to enforcement agencies?
Companies like Palantir already provide governments with information on our online activities, search history, sites visited, stuff like that, so the expansion of this monitoring just makes me feel uneasy.