I don’t think the SPF / DKIM / DMARC stuff is overly complex nor the core of the problem.

It’s not the core of the issue, but the average joe that is a hobbyist self-hoster it will be.

IMO, the core issue is that there is no standard whatsoever. People just do whatever the hell they want with these records, pretty much. Microsoft and Google do it differently than each other, even.

The only solution for me is that we move on from email as a society.

Mmm. I like your veracity.

I see, I’ve never looked super deep into F-Droid or released anything there, I didn’t realize that a requirement for releasing on F-Droid was that they build it. Just read their inclusion criteria, interesting.

ETA: Read through the whole article, and godamn. I don’t really trust anything Android any way, but this is actually a pretty damn big WTF from F-Droid. Thanks for sharing!

I’m just not convinced it can fool google and meta

Yea, this is a great and healthy skepticism to have. It’s why I went deep on this little research tangent.

Besides browser fingerprinting, there are many other ways to tie you to online behavior. For instance, the DAITA thing has nothing to do with browser fingerprints, but specifically the size of your inbound and outbound traffic. The NSA uses that to figure out your behavior and link on-VPN and off-VPN traffic together with great success, regardless of how many hops you go through. It’s the behavior that gives you away.

I’m always on my VPN, reconnect at random times, and have all the extras turned on. Something else that may be a factor is that I have Mullvad Browser installed via Flatpak and is sandboxed to hell. Maybe you installed via .deb or something in Mint?

Any way, thanks again for humoring me in this! I think you’re right that at least you are sorta getting lumped in with others, but it’s never going to be 100% foolproof and we should all plan for that.

Shhh, that’s too advanced. Besides, CLI is outdated and slower than GUIs, this is just insane behavior /s

I honestly didn’t even need to specify tab-completed. It’s still less typing than their comment unless your paths are miles long.

hahaha… indeed what a silly name!

That’s a bummer though. It’s only going to get more difficult to view anything on YT privately.

Cool! I think you meant Newpipe? Probably autocorrect. I usually use that one as well, since I don’t really watch YT on my phone not having sponsorblock or dearrow doesn’t really bother me.

And yea, the proxy/VPN thing is a widespread issue that affects all YT alternatives. The root cause is YT themselves blocking ranges of IPs if they determine it is a data center or VPN (and also random nsig changes). Every once in a while it will start working, but then you’ll get blocked after watching one vid.

This same reason is why the amount of public Invidious instances has dwindled and they now recommend self-hosting it. Even with FreeTube, I can’t use a VPN. You might still encounter some issues from time to time even with Newpipe through a VPN.

Interesting, thanks for coming back with some info. It brings up more questions, but I understand if you don’t want to dive deeper. No worries!

1. Just to make sure we aren’t testing two separate systems, I am using the site hosted on GitHub from the maintainer: https://abrahamjuliot.github.io/creepjs/

2. What operating system are you running? I see some discourse online about even Tor being identified as long as it’s run on Windows 11, but in Linux it is not identified.

   https://old.reddit.com/r/TOR/comments/113ukg9/is_creepjs_able_to_break_tor_antifingerprinting/

3. Under prediction, what is the crowd-blending score you see? In mullvad, I see 75% ©, in my other browsers I see 60% or less (D/F). Admittedly, I don’t fully understand this section too much. I was under the impression that 0% here was a good thing, but the way you described it is the opposite. Trying to locate clarification on this and will edit when/if I find it. Edit: from the README it says failing = unique, but also goes on to say that a lower trust score is not necessarily bad. I’m still a bit confused at exactly what this is telling me, especially when I’m being clearly lumped in with a lot of other users in Mullvad, and very clearly being unique in Firefox. Yet, both datasets are almost entirely 0% under Predicitions.

4. And just to round it out, I’m curious what you see for the visits count at the top, and when the first visit was. When I’m in Mullvad, the visits count is almost touching 1000, and the first visit was at the beginning of January. These are definitely not me, as I have only run the test a handful of times, and yesterday was the first time I had ever used or heard of creepjs.

I still think there is potentially something I am misunderstanding about creepjs, so I may be wrong here. From what I understand, if the FP ID changes, visits is at 1, and first visit is timestamped right now, then you likely have been identified. The FP ID changing or remaining the same doesn’t really indicate anything without the context of the rest of the data, especially the visits counter. It’s clear that I am being lumped in with many, many other users.

Lastly, I think that you are making yourself standout from the crowd by manually installing the dark reader plugin (I assume that’s what you meant). That defeats the purpose and is likely why you are being identified so quickly. There’s a reason why Mullvad and Tor don’t make it easy to install plugins, and also why they recommend not maximizing the browser window. They actually specifically force the viewport to be a specific resolution, even if you maximize. This makes you look even more like everyone else, because out-of-the-box you are configured the same as everyone else. As soon as you add anything unique, you become unique.

We will have to agree to disagree.

At least you came back with reasons beyond “I don’t like typing.”

ETA: > learning new things is too difficult.

I could use this argument for folks that don’t want to learn CLI as well, doesn’t really track in either direction.

Lmao. Uses a computer, typing is too much. It took more typing to write your comment than to craft a tab-completed dd command, even if you had to call the help menu to refresh your available options, jus’ sayin’

I get it though, the general public are scared of the big bad 'puter magic and need GUIs.

Hell yea, fuck Google!

What OS are you running? What other apps are you having troubles replacing besides these?

I’ll give you whatever info you need to pull the plug on the crooked bastards.

I know, but just because someone doesn’t understand something or ignores it doesn’t mean it isn’t the best/simplest choice for 90% of cases.

Install Linux! /s

Yea, I noticed that, but I have never used or heard of IzzyOnDroid before. Not sure why we need an abstracted layer for F-Droid.

I don’t usually recommend things I haven’t vetted myself extensively.

Never understood why you would use anything else. It’s in coreutils!!!

There’s also a FreeTube Android fork, but it’s not on F-Droid

https://github.com/MarmadileManteater/FreeTubeAndroid

Highly recommend FreeTube on Desktop, though, if you are still in the browser. Has Dearrow, SponsorBlock, and a ton of options, plus a couple of Firefox extensions where you can redirect any YT links to open in FreeTube. Also uses Invidious on the backend.

https://github.com/FreeTubeApp/FreeTube

I’m always backing up with SyncThing in realtime, but every week I do an off-site type of tarball backup that isn’t within the SyncThing setup.

Interesting. I’m very curious at what could be causing the discrepancy between our results!

Can you elaborate? When I’m using Mullvad Browser+VPN, have DAITA and Multi-hop on, it doesn’t know who I am at all.

Since this is a VPN, there are a ton of visits with this FP ID, and the FP ends up calculating differently (and I get different visits results, trust scores) whenever I refresh my session in the browser, or even just reconnect the VPN.

The other data on the page are all completely generic guesses at my system, monitor size, etc. and maybe 10% of that info is accurate to my system. Even that info is not very useful. For instance it says I’m running “Linux x86_64”… they certainly nailed that information down…

When I do this with only the VPN and Firefox, then the data is a lot more consistent between refreshes, incognito mode, etc. and the FP ID is pretty much the same every time in Firefox.

The other data taking guesses at my system are also more accurate when using regular ol’ Firefox. For instance, it actually adds to the “Linux x86_64” that I am using an AMD GPU (no additional info than brand). Still not all that damning if it wasn’t for the FP ID in this scenario.

I’ve read through the docs, and several other articles, that explain more about creepjs, but I culd be misunderstanding something somewhere I guess.

ETA: I’m also noticing that in regular Firefox, the timezone data is all fairly accurate to the current servers my VPN is hopping through. In Mullvad Browser, though, the timezone data is all over the place and not at all accurate to what my VPN is set to, let alone where I actually am.

ETA2: maybe my settings are more specific than you expect? Maybe your data about being 100% traceable is with 0 configuration of the browser or VPN?

My setup:

• Mullvad Browser + Mullvad VPN
• DAITA turned on
• Multi-hop turned on
• Lockdown mode on
• All DNS content blockers enabled
• Extra steps to unify VPN+Browser DNS compatibility

I could see if maybe you just installed Mullvad VPN and didn’t use their browser (or didn’t configure the browser for the VPN) that you’d be way more traceable.

I personally like Mullvad’s approach to something like this.

First, use their browser and VPN together (browser was co-developed with the Tor Project folks),

In the VPN, you want to turn on DAITA. It’s an interesting concept and I hope more legit projects like Mullvad start doing these things.

They’re essentially adding bunk data to your VPN traffic to hide you from any AI analysis that might use only your throughput to identify you and your habits.