A fundamental question

[puzumaki]

Does this not violate someone's privacy by finding a way to bypass no-tracking tools? How is this practice ethical? Why do developers using CSS to fingerprint people have the authority to take that privacy from someone or override their decision to not be tracked?

[OliverBrotchie]

This repository is purely for research purposes and to attract more attention to the issue. I have raised this as a concern with Firefox and Chromium, however, sadly nothing has been done to address this yet - perhaps because I have not emphasised the impact of the CSS cookie section enough. I have also raised this as a concern with the W3C, but their general stance is that 'untrusted' CSS should not be run and that CSS is inherently unsafe (despite users having no choice in running it or not).

[nausicaa-rose]

I have to concur this project seems ethically suspect, to put it mildly. To me, the project website and readme come across much more as promotional material than as warnings. The repository itself serves as a pretty good how-to-get-started-with-CSS-fingerprinting code base. "Purely for research" doesn't excuse one from ethical considerations.

If your goal is truly cautionary, please consider making that clearer in the language you use around this project and devoting future research to circumventing CSS fingerprinting rather than improving and expanding it as a method of surveillance. If the software is only for educational and research purposes, you could also license it under a more restrictive non-commercial license, rather than the anything-goes MIT license (perhaps even an "Ethical Source" license) to make your intentions clearer.

[OliverBrotchie]

This issue has been known since 2015 and no work has been done to fix it. If I do not draw attention to how easy this attack is to perform and to what extent this attack may affect people, it will remain unfixed.

I very much doubt that a licence would apply to the things discussed in this repo nor do I think that an attacker would care about a licence even if it did, as they would already be breaking data protection laws.

If you wish to suggest changes to the readme or website, please open a pull request!

[elandorr]

Critics can rest assured that corporate has known about this since at least a decade and probably had plans for it the second tracking became profitable. The spying/marketing/political manipulation industries are worth trillions upon trillions of dollars, it'd be foolish to assume one of their millions of willing thugs hadn't thought about a feature that may be exploited yet. They have all the money in the world to go feature-by-feature.

Remember when the 'supercookie' and stuff became widely known?

I personally didn't consider CSS, even though I'm way too deep in this. Even though I heard jokes about CSS being 'basically turing-complete'. (Some guy made a complete game in CSS!) It's so counterintuitive, I bet there are other ways I never thought of.

This repo is great to point out just how hostile the modern web is.

Nothing has changed, yet people still think they're 'safe' when using the latest product. I thought of your repo again due to this: mullvad/mullvad-browser#45.

Did you ever get any useful reply from the W3C or similar by now @OliverBrotchie?