RE: https://infosec.exchange/@beyondmachines1/116340430386264988

The story here focuses on LinkedIn, who should definitely be held accountable for what they’re doing with our data, but the real question is “Why does Chromium allow this?”

If Chromium allows this, then anyone—not just LinkedIn—can do this.

Most certainly, Google already knows all of this if you use Chromium. Meta probably does this. I’m sure others do, too.

@ramsey While it's not as intrusive/invasive in and of itself, browser fingerprinting can also be employed against Firefox (and other browser) users, especially if you don't use JavaScript blockers.
This isn't me letting Chromium off the hook, though. We should be targeting any sort of fingerprinting or persistent IDs that track us across the web.

@muddle looks like in this case, LinkedIn isn’t doing it as much to fingerprint their users (though that was possibly a nice side effect for them), but rather to actually protect their brand and their users against known scrapers

… and about that, the “whistleblowers” here were apparently the developers of such a scraper that got banned, so they’re just looking to even out the competition

https://fosstodon.org/@webaware/116343475348499438

So yeah I’m all for re-evaluating such permissions that were granted early on and have since stopped making sense

This also goes for the ability to change your number when making a phone call, and so many others

@ramsey

@GuillaumeRossolini @ramsey it was a fast-moving story so I'm not sure I kept up with all of it, but wasn't there a bit about an initial fingerprint being sent on all subsequent requests?

@muddle dunno, I guess that’s possible but like I said: 1- it makes sense for them to try and fingerprint their users regardless of current session and this story, and 2- it also makes sense infrastructure-wise

@ramsey

@GuillaumeRossolini @ramsey I think I'll have to have another glance over all of this at a later date and maybe reevaluate/recontextualise. If I do come back and reply negatively to your suggestion that it "makes sense for them to try and fingerprint their users," please don't be too pissed off by that.

@muddle hahaha that’s funny: I don’t agree that they should do this!

I’m just pointing out that as a company that’s a thing they do, generally speaking and LinkedIn in particular, because there are ways to extract monetary value out of it

And we may have gone full circle to Ben’s first post, if I’m not mistaken

@ramsey

@GuillaumeRossolini @ramsey yeah, like I said, I'll have to reread things (in context) to figure out what's being said, by whom, and what truths may fall out as a result. Maybe we'll get to talk about the ethics of extracting monetary value from PII.