Maybe it's just because I am old, or have worked on internet software for almost 30 years, but none of this seems surprising or even concerning?
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.
> You appear to be in Denver, United States. Your internet provider is Netskope Inc. We know this because your IP address — 163.xxx.xxx.32 — was the first thing your device sent us. We know the rest of it. We chose not to display it. Most pages would not have made that choice. We did not ask for your location. Your address arrived before you did.
"We know the rest of it. We chose not to display it. Most pages would not have made that choice" this is written to frighten children maybe? Also that's not my internet provider. Maybe it's my ISPs upstream provider?
there was a prank way back, that used simple html, css and javascript, to instruct the browser to display IP address, public, and local, popup a stream from the webcam, and place them among a crafted document intended to trigger i.e. troll people.
no data was cast to internet, it was all code executed with local user permissions to access the devices devices and logfiles displayed inline as "proof" that you are standing on stage with naught but your drawers.
people were at times moved into a panic and could be manipulated into making contact with malignant entities. there were casualties.
never underestimate the damage that can be caused by manipulating perceptions of the current situation,its not a joke, its handgun serious.
> Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives.
This is the root problem. Your browser is supposed to be your agent. It's the User Agent, after all! It should be working on the user's behalf, users should understand what their browsers are doing, and browsers shouldn't be doing anything without the user understanding and affirmatively consenting to it. I should be the ultimate authority over what my browser sends, and browsers should make it trivial to exercise that authority.
In reality, the browser is Somebody Else's Agent. It's working for the web developer, giving him all sorts of things that make his life easier. And it's working for the advertiser, providing tracking clues and fingerprinting. And it's working for the browser developer, collecting metrics and telemetry and god knows what else for them to do god knows what with. But, it's not really working for me or on my behalf anymore, I'm just a passenger in the car.
EDIT: Understood that IP address is not something under the browser's control, and it's unfortunately necessary to reveal in order to connect to a web site. It's a terrible mis-feature that IP addresses (by default without a VPN) can be reliably mapped to countries, state/provinces, and sometimes even cities. This is a huge design flaw in how we hand out IPs. In a better world, having an IP address shouldn't reveal anything about someone's geographic location.
I don’t think it is as simple as saying browsers are working for the web developer and advertisers.
All the features that allow web sites and ad companies to track and target ads are features that are primarily there to give functionality that makes the web a better experience for users. JavaScript allows websites that are better experiences than not having it. I know some people disagree, but I think they are either intentionally ignoring useful things or have a purity view of the web that doesn’t match most people.
I guess what I'm advocating for is that it should not be all-or-nothing, and it should not default-on:
Most web sites have no business knowing my time zone. Why are browsers offering it up? That should be gated on the user's permission.
Most web sites should not be able to determine what my screen resolution is, or what my operating system is. Browsers should also hold that back and only disclose it with the user's permission.
Most web sites should not by default have access to all the shit JS gives them access to. Battery Status, Web Audio, WebGL, Sensors, WebRTC, Geolocation, media devices (camera and mic), clipboard, local storage... All of these have uses, but should be behind individual, easy to access per-website preferences, and by default the site shouldn't even be able to query for their existence (which is enough to fingerprint), let alone call them. I shouldn't have to blanket turn off JavaScript to kill these things.
All a website needs to know about me, my browser, or my computing environment is I want to "GET /".
There are browsers that offer that level of control, but most people don't want to use them because they are confusing and don't offer the things most people actually care about.
> Most web sites have no business knowing my time zone.
That would work if websites only displayed dates in UTC. Which is not what most people expect. Browsers need to know your timezone so timestamps can displayed with the right setting for you.
Ideally, the user would decide whether to display UTC or local time, based on their system or browser's preference, the web site would just send UTC or an opaque datetime object, and the browser would render it in the user's preferred date/time format.
They dont need to collect your accelerometers information of your irl movements or your devices' automatic time zone stuff i dont think. That basically gives away you're using a VPN and makes it easier to fingerprint you
Maybe it's because I'm idealistic in addition to being old, but I think a lot of this functionality was in fact added for explicit purposes.
A client sends the language header or the list of supported fonts not so that the server can "do whatever they want with this data." There is (or was) a real reason for it when we came up with these standards.
The fact that website providers, or more specifically ad-networks, have chosen to use these for other purposes is breaking that implicit agreement.
(edit) but you're probably right that i'm expecting too much.
I don’t understand why that would be an implicit agreement, though? Why would I expect that the website would not try to figure out who I am?
They are free to remember whatever they want about my request… but I am also free to modify the request however I want, if I choose to randomize the list of fonts or choose to not send it or whatever.
> Why would I expect that the website would not try to figure out who I am?
For the same reason I expect my neighbor not to kill me or steal my shit. We live in a society, with societal expectations around behaviour. I, personally, would prefer not to live in an uncivilized jungle where the only rule is "do whatever you can get away with".
This is more like, I am not offended if my neighbor notices that I leave my house around the same time everyday and come home around the same time. I don’t expect my neighbor to look away when I step outside. If I put something in my yard visible from their house, I won’t get offended if they look at it.
Killing and stealing are completely different things than “paying attention to what I do when I am doing things they can see”
If we want to make the metaphor a little more faithful: the neighbor tracking what time everyone is home is selling it to door-to-door salesmen who use that information to harass you. Meanwhile, both the guy tracking it and the door-to-door salesmen are leaving copies of the information in the open. They aren't directly selling it to burglars[1], but they are making it extremely accessible to burglars, who then use that information to rob you. There is a data breach every other day, with companies and people routinely getting extorted and in some cases victims have killed themselves. This is a direct result of the unethical behaviour of hoovering up a permanent record of everyone's every last little action, far beyond what is necessary to provide any service.
[1] Although some data brokers do sell it directly to burglars too. All the burglar has to do is say "I'm a door-to-door salesman, will you sell me the information?". Your neighbor can't be bothered to do any kind of real verification of whether they're a salesman or a burglar.
Sure, but I think some of the stuff it sends isn't necessary. A website doesn't need to know the list of fonts on my machine, for example.
Some of them are questionable: most websites do not need to know my time zone, but when a website can use that in a useful way related to its functionality, it would be annoying if the browser were to popup an allow/deny dialog, and even more annoying if I had to manually set it in the website's bespoke settings panel.
The location it chose was laughably inaccurate (and since I'm the kind of person who posts here I know why). Censoring the IP address was a little cheesy, but down at the bottom it gets better.
It knew how much my phone was charged and it made correct inferences about my device. It accurately read my gyroscope, how I interacted with the touch screen, and it demonstrated (not new knowledge to me but probably interesting to the general public) how these things could be used to identify you and also to make inferences about you (if you are sitting, standing, lying down, etc).
You don't need an angle for that. That is highly invasive and can be used to target unique individuals. Why not default to a pro-human oriented mindset rather than pro-corporation?
I think a lot of us old tech folks want to still believe in those techno-libertarian ideals of the old web. However, in order to do that we largely need to ignore the capitalistic and authoritarian ideals of the modern web.
Us not owing each other anything worked great in a prior era when people were largely correct in assuming most people were good actors. But as soon as the money and power of the internet became real, things started to turn more adversarial. The assumption of trust and lack of responsibility makes it easy for one side to take advantage of the goodwill of the other. And the technical and power imbalances inherit to the server-client nature of the web means that abuse is more likely to flow in one direction than the other.
I agree entirely. Those of us old enough to have experienced those dreams are naturally going to mourn the loss of the Internet as a place for wild experimentation because we know so much good came from it and there isn't any true replacement.
But it's become clear that in the absence of governance, standards of behavior, and rules both explicit and implicit, the Internet has grown toward tyranny and automated exploitation rather than freedom.
We need to set some rules and expectations that people can rely on, otherwise rules will continue to be imposed on us.
One thing is using information about my connection like my IP and a different one is my browser exposing the angle that I'm holding my phone.
I should be able to expect some privacy from my device. What if my browser starts sending a picture of my front camera with every request, is that okay?
No, that wouldn't be ok, but if my browser did that, I wouldn't be mad at the website for doing something with the data I sent them. I would be mad at my browser, not the web site.
I remember some users with phpBB signatures some 20 years ago that did the "I know where your IP address lives" trick. Yeah, a bit surprised this is still being done, only today not as some silly troll move in a forum but on some professionally designed website.
That seems more of an issue with the school, though, rather than the actual web request. In this case, there IS a prior agreement between the school and MS, so there can be additional expectations about how that works.
I didn't know the browser made an agreement between myself and it. Here I am thinking that I am forced to use monopolistic tech because I a US citizen have zero say in the direction of technology in the country, that's decided by undemocratic financiers gambling with pension funds in SF. Silly me.
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
My disappointment is not with websites. It is with browsers. They have continuously prioritized dark pattern support. They have consistently removed user control.
I mean it's not the websites that default to recording every keystroke, default to tracker persistence, default to phoning home with daily telemetry, etc.
When I first started using HN, I ran four very different browser engines. Now there's no real choice.
There's a difference between HN getting the final text when you hit "reply" and a site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace or moved your mouse to switch to a different tab to look something up or if you made up some facts in the comment or if you used an extension like grammarly or anything else.
>site using JavaScript to time how long it takes you to hit each individual key press and how many times you hit backspace
You mean like a video game? Are video games now nefarious applications tracking you? Your browser is not "leaking" anything to websites. It's hard to understand what you are even complaining about. If you don't want grammarly to record your keystrokes, then don't install grammarly.
It's like ordering a beer and then complaining about alcohol.
HN does not record your key strokes until and unless you click the reply link…and then only if recording your final edited comment counts as recording your keystrokes.
On the other hand, your browser might be recording each of your keystrokes just because it can and if your browser does, those keystrokes are not going to HN.
It's trivial for HN to record your keystrokes. Any application that can read your keys can record your keystrokes - its fundamental to how software works. You wouldn't be able to write a game if you couldn't.
The distinction you are trying to make a is a distinction without a difference. If you don't want sites to "record your keystrokes", then don't use a computer. Trying to paint this as nefarious is a losing battle and completely undermines any awareness you are trying to bring about.
Someone sets up a server that accepts connections to it and then someone sends a connection request to it.
There has been no agreement on anything, no expectations or rules established. No one forces the server to accept any connection request it gets, and no one forces someone to make a connection request to that server. What the server returns and what the client does with that are completely up to each side.
I feel like this agreement (or lack thereof?) works both ways. I don't think users should get mad if a website decides to use information about your connection request in anyway it chooses, but I also don't think a website should be able to get mad if I do whatever I want with the data it sends to me.
In other words, websites can choose to remember whatever they want about my IP address and my request details, and I can choose to do whatever I want with what they send back to me (i.e. I can block ads or refuse to make followup requests that the site tells me to make, and i can choose to display the response in whatever way i want to) I asked for data, they sent me data.
If I don't want them knowing stuff about me, I shouldn't send that stuff in my request. If they don't want me to have that data unless I also display ads, then they should make me agree to that before sending me the data.
Of course, I know in practice most people don't understand what their browsers are doing, and there aren't a ton of practical choices for people around what their browser sends, and the internet is no longer an optional thing for a lot of our lives. I also know that things like DDOS attacks and the like make a completely 'anything goes' setup impractical.
However, I still have this gut feeling that we shouldn't expect too much from either side when we make an internet request.