EnhancedTracking prevention in IOS12 and MacOS Mojave #371

Closed
magizh-okta opened this issue Aug 17, 2018 · 9 comments
@magizh-okta

With Enhanced Tracking Prevention in iOS 12 and macOS Mojave, is there any known issue, or should we be worried about websites getting blocked when using fingerprintjs2?

https://www.apple.com/macos/mojave-preview/

> When you browse the web, the characteristics of your device can be used by advertisers to create a “fingerprint” to track you. Safari now thwarts this by only sharing a simplified system profile. And now improved Intelligent Tracking Prevention keeps social media Like buttons, Share buttons, or comment widgets from tracking you without your permission. We know you’ll like that.

PS: Apologies if this is not a real issue but just wanted to check if there are any good practices for tracking or any known issues.

@jonashaag
Contributor

Haven't tried it so far!

@mndominguez

I have this version of macOS running currently. @jonashaag if you want and can point me in the right direction, I could help you test this.

@magizh-okta
Author

I tested this on Safari Technology Preview and fingerprint computation works fine. http://valve.github.io/fingerprintjs2/

I don't think fingerprinting would be affected: https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/

@jwest75674

jwest75674 commented Jun 13, 2019

Hello,

I was about to open a new bug report, when I noticed this and wanted to share some data which indicates that Apple tracking prevention may be impacting fingerprinting from working as expected going back at least a few weeks, maybe more. Alternatively, possibly an issue with Apple device compatibility with hasLied detection.

Scenario

I am leveraging Fingerprintjs2 to gather data from many websites into a single location. As a part of my data capture, I am also sending data to Google Analytics to more easily understand the data at a glance.

I've set up each of the "hasLied" items to send a unique event to Google Analytics, so I can tally up some stats to make a report.

As part of the reporting, I wanted to show the number of "hasLied" events (resolutions, os, language, etc.) which had been captured as true. I believe I may have accidentally stumbled onto evidence that Apple is indeed impacting fingerprintjs2.

Also this is worth sharing: https://developer.apple.com/documentation/safari_release_notes/safari_12_1_release_notes

> Added Motion & Orientation settings on iOS to enable the DeviceMotionEvent and DeviceOrientationEvent events.
>
> Removed support for the expired Do Not Track standard to prevent potential use as a fingerprinting variable.

All the info below is from the frame of reference of Google Analytics, so please keep in mind that someone who hasLied about their OS or browser, etc. may cause the analytics data to become untrustworthy. But even taking that into consideration, the below warrants discussion.

The sample set is from over 4,000,000 analytics events. From the last couple of months or so.

Here are the things which jump out:

-- Broken down by Mobile Device Info --

hasLiedResolution
Of all hasLiedResolution events tracked (over 16,000), the highest density is Apple iPad at 69.2% of iPad users being flagged as hasLiedResolution.
This makes up 93.9% of all hasLiedResolution events tracked from mobile users as being iPads.

Apple iPhone is the next up to bat with 3.96%, and the remaining 2.11% spread across all other mobile devices combined.
--> 3.96% is on the high end of what I would expect for percentages by this breakdown, but within a possible range for bots and crawlers, etc.

hasLiedOS
The numbers are smaller here, with only ~1000 events tracked, and not too crazy, but I wanted to share anyways.
Only 0.75% of all data showed hasLiedOS = true. That sounds very normal; however, of the 'true' data, 64.08% were iPhones.
This could also make sense, as iPhones are likely a target for click fraud or crawler type spoofing.

-- Broken down by Browser --
The only thing that jumps out is that Safari is showing as being the source of 89.98% of all hasLiedResolution events. (Again, over 16,000 total). This obviously goes hand in hand with iPad use.

Fingerprint data

Unfortunately, I do not actually own an iPad, but will see about getting my hands on one for testing.

Summary

Not sure if Apple is doing something to impact these elements, or if it's simply an issue with iPad detection in fingerprintjs2.

I did have a thought: How do iPads handle windowed browsers for multitasking compared to how fingerprintjs2 detects hasLiedResolution?

@jonashaag
Contributor

Could also be a bug in the library.

@jwest75674

jwest75674 commented Jun 15, 2019

For sure, it's possible. The implementation is pretty quick and dirty at best.
(I definitely have more experience with analytics rather than javascript. Haha)

Here's what I am using. (This is inside of the Google Tag Manager, all the rest is native Google Tag Manager tags, etc, nothing custom)

```html
<script src="https://cdn.jsdelivr.net/npm/fingerprintjs2@2.0.6/dist/fingerprint2.min.js"></script>
<script type="text/javascript">

var fingerprint; // Variables to allow the Google Tag Manager to capture the data after this script has run.
var adblock;
var liedLanguages;
var liedResolution;
var liedOS;
var liedBrowser;

if (window.requestIdleCallback) {
	requestIdleCallback(function () {
		Fingerprint2.get(function (components) {
			var values = components.map(function (component) {
				return component.value;
			});
			fingerprint = Fingerprint2.x64hash128(values.join(''), 31);
			adblock = components[20].value;
			console.log(adblock);
			liedLanguages = components[21].value;
			console.log(liedLanguages);
			liedResolution = components[22].value;
			console.log(liedResolution);
			liedOS = components[23].value;
			console.log(liedOS);
			liedBrowser = components[24].value;
			console.log(liedBrowser);

			dataLayer.push({
				"event": "gtm.fingerprint" // This event triggers the tag manager to get the variable data and send it to Google Analytics.
			});
		});
	});
} else {
	setTimeout(function () {
		Fingerprint2.get(function (components) {
			var values = components.map(function (component) {
				return component.value;
			});
			fingerprint = Fingerprint2.x64hash128(values.join(''), 31);
			adblock = components[20].value;
			console.log(adblock);
			liedLanguages = components[21].value;
			console.log(liedLanguages);
			liedResolution = components[22].value;
			console.log(liedResolution);
			liedOS = components[23].value;
			console.log(liedOS);
			liedBrowser = components[24].value;
			console.log(liedBrowser);

			dataLayer.push({
				"event": "gtm.fingerprint"
			});
		});
	}, 500);
}
</script>
```

Edit:
Last week detection rates:

hasLiedBrowser: 1% of users
hasLiedResolution: 4% of users
hasLiedOs: 41% of users
hasLiedOS, omitting "Safari" browser and iOS: 8% of Users.

When omitting iOS and Safari from the data, it's much much closer to what I would expect to see for OS spoofing.

I am happy to help if I can, just let me know what I can do. Fingerprintjs2 is awesome, I am getting a ton of insights as a result, so I am more than eager to contribute some way.

Edit2+3:
Just doing some research, found a few elements which are quite compelling:

> ...companies use this data to try to uniquely identify your device — known as fingerprinting. To prevent this, whenever you visit a web page, Safari presents a simplified version of your system configuration. Your Mac looks more like everyone else’s Mac, which dramatically reduces the ability of trackers to uniquely identify your device.

src: https://support.apple.com/en-gb/guide/safari/sfri40732/mac

> It turns out that when you browse the web your device can be identified by a unique set of characteristics like its configuration, its fonts you have installed, and the plugins you might have installed on a device.
> ~Craig Federighi, Apple, SVP Software Engineering

src: https://youtu.be/UThGcWBIMpU?t=6814

I also came across amiunique[dot]org, which is using some interesting attributes for further improving fingerprint diversity. Included here are both food for thought, as well as potential extra elements to consider for fingerprintjs2

HTML5 canvas and the WebGL tests in particular seem like they could be a workaround if Safari is indeed working around current measures.
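
An added example (not code from this thread or from fingerprintjs2): one way to read the hasLied* components by their `key` field rather than by array position, and to compute a flag's rate per platform so that a rate concentrated on one platform stands out. The sample visits, the `platform` bucket and the function names are constructed for illustration.

```javascript
// Component keys as named by fingerprintjs2 v2 ({key, value} objects).
const LIED_KEYS = ['hasLiedLanguages', 'hasLiedResolution', 'hasLiedOs', 'hasLiedBrowser'];

// Look flags up by key. A component that was excluded or is missing yields
// null instead of silently reading whatever sits at a fixed index.
function extractLiedFlags(components) {
  const byKey = new Map(components.map((c) => [c.key, c.value]));
  const flags = {};
  for (const key of LIED_KEYS) {
    flags[key] = byKey.has(key) ? byKey.get(key) === true : null;
  }
  return flags;
}

// Fraction of visits per platform bucket where the given flag is true.
function flagRateByPlatform(visits, key) {
  const totals = new Map();
  for (const { platform, components } of visits) {
    const flag = extractLiedFlags(components)[key];
    if (flag === null) continue; // not measured: do not count as "honest"
    const t = totals.get(platform) || { seen: 0, flagged: 0 };
    t.seen += 1;
    if (flag) t.flagged += 1;
    totals.set(platform, t);
  }
  const rates = {};
  for (const [platform, t] of totals) rates[platform] = t.flagged / t.seen;
  return rates;
}

// Constructed sample data (hypothetical visits, not measurements from the thread).
const sample = (platform, liedResolution, excluded = false) => ({
  platform,
  components: [
    { key: 'platform', value: platform },
    { key: 'adBlock', value: false },
    ...(excluded ? [] : [{ key: 'hasLiedResolution', value: liedResolution }]),
    { key: 'hasLiedOs', value: false },
  ],
});
const visits = [
  sample('iPad', true), sample('iPad', true), sample('iPad', false), sample('iPad', true),
  sample('Win32', false), sample('Win32', false), sample('Win32', true), sample('Win32', false),
  sample('Win32', true, true), // hasLiedResolution excluded, so every later index shifts
];

console.log(flagRateByPlatform(visits, 'hasLiedResolution'));
```
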

@jonashaag
Contributor

> For sure, it's possible. The implementation is pretty quick and dirty at best.

No no I'm talking about a bug in fingerprintjs2. Can you by any chance check the "has lied" components with an untampered-with iPad/iPhone? I'll check with my iPhone later.

> Just doing some research, found a few elements which are quite compelling:
> [...]

Umm, we're already using all of these things :)

@jwest75674

jwest75674 commented Jun 17, 2019

Thanks jonashaag!

> No no I'm talking about a bug in fingerprintjs2. Can you by any chance check the "has lied" components with an untampered-with iPad/iPhone? I'll check with my iPhone later.

> Umm, we're already using all of these things :)

My apologies, have to put my foot in my mouth on this, once I started working on the below, I saw that.

The two sources from Apple indicate they are putting in place measures to defeat fingerprinting for Safari, which does make me think that the issue is not a bug in fingerprintjs2, but Apple adding extra privacy measures.

I've been asking around, trying to get an iPad, have one lined up and will report back once I get my hands on it.
Just thinking: Assuming Apple is indeed spoofing portions of the device setup to defeat fingerprinting, this could actually be leveraged in reverse to identify spoofing where the OS is NOT showing as Apple's generic output. As (again, assuming that this is actually what is happening) anyone who is spoofing to show as a Safari browser, but is not dumbing down their component characteristics properly, would actually be exposing themselves by poorly attempting to blend in.

I am going to see about temporarily expanding my data capture to create a history of more individual fingerprint components by JSON.stringify-ing the full component variable on each site load. In a few days, I should be able to share the most likely component setups to flag as liedOS.
--> This can't be done through analytics, so will be passing data to BigQuery, and will query it once some time has passed to share the findings here. Should be a few days at least before we have a statistically relevant sample size of data.

JW

@Finesse
Member

Finesse commented Oct 16, 2020

The hasLied... components are removed in v3 because they give no information when used in addition to other components.

Safari tracking prevention prevents placing cookies in some scenarios but it doesn't thwart fingerprinting.

@Finesse Finesse closed this as completed Oct 16, 2020