from NannerBanner@literature.cafe to nostupidquestions@lemmy.ca on 23 May 13:51
https://literature.cafe/post/32014466
So the other day someone linked to a website that highlighted how much information is just gifted to any place you visit on the web.
I’m aware of some of it being intrinsic to the manner of connection. A website knowing your IP (even if that is the IP of the vpn or tor exit node you’re using) is basically essential to the function of the internet. Why everything else though? What fucking idiot/asshole decided to even have an api for your gpu? Why the fuck is my browser reporting on the battery status? Light/dark mode? Visibility (whether or not the tab is ‘active’, the fuck?!? My OS?!!???!?!!!?!?!?
As a side question, why is the capability built in by a browser, but the user is never given a choice about whether or not any of this is shared?
#nostupidquestions
threaded - newest
Your entire existence is a money making opportunity for someone else.
The logic is so that web devs can better tailor sites to your set up. Like don’t run fancy graphics for a battery mode laptop, change the theme to match user’s theme, etc.
But obviously this is (now) just used to fingerprint and track users for more ad revenue.
I feel like most people are missing that the issue is with data selling and brokering.
Ban that and 99% of these concerns go away.
I’m surprised many of these aren’t obvious to you.
A website serving a video will need to know if you’re actually watching so it can stop playback or if background playback is desired, they know they can lower the quality of the video being delivered to save bandwidth.
Sites are often designed to align with the light/dark theme set in the browser or OS.
Less demanding objects are often delivered to visitors with low battery.
Some objects being delivered benefit from knowing which drivers/GPU they need to be compatible with.
etc. etc.
The creators of a browser doesn’t benefit from providing this information. It’s all stuff that can sometimes result in a better browsing experience and since the browser doesn’t know which sites would, it provides the information for every page load in the handshake.
If you don’t like it, use a privacy-focused browser or an extension to randomize the data.
This one still pisses me off! Just because my batt is charged, does not mean they are to waste it!
It’s not wasting it, the low power mode is probably a worse / degraded experience. Think like serving up a lower resolution video or song rather than a high quality one.
I’ve been on websites … i’d rather have my battery charged than their ‘improved’ experience. For 99.9% it’s all about form over function.
You can probably find a config setting or browser extension or dev tools way of forcing the browser to always report low battery… Thought probably not in iOS given their mandate for safari.
As a web dev I’ve never seen a single website do that.
Well, most websites in 2026 don’t use 3D stuff, but some do, and for some of those, there isn’t really an alternative. Take Google Earth as an example.
I think that given its limited use, you could realistically make 3D an opt-in thing where each website has to have user authorization, the way location data is.
There’s also some more-widely-used HTML5 Canvas stuff, which permits for rapidly-drawn 2D stuff. I think that, say, MarineTraffic uses it to draw its map. That provides a lot unique identity stuff to be leaked, but its hard to, for example, let Javascript rendering pixels run without knowing, say, the DPI of the screen.
That isn’t your systemwide mode, but provides a request from your browser as to whether to use the light or dark version of the website. Not all websites have handmade dark and light versions, but for those that do, it’s generally preferable from a user standpoint to using something like Dark Reader to dynamically generate a dark mode.
I’d guess that it probably permits a tab with Javascript running to deactivate itself in the background and to stop using CPU time.
That’s been around for a long time, as IIRC it’s in the User-Agent string. You can fake that if you want, and honestly, it’s probably not a critical piece of information, but a lot of websites that let one download software use it to preselect the appropriate version for whoever is downloading stuff. May be some other uses; not sure.
A lot of it can be disabled or faked, but websites that rely on it may not work. Firefox has CanvasBlocker, which prevents a lot of HTML 5 Canvas queries in a way that still lets most things work, faking approximate information. It may break some websites for you, but that’ll avoid leaking some of that information.
If you disable Javascript with something like NoScript, you can block a lot of that by only letting Javascript run on a per-website but…a very high proportion of websites in 2026, unfortunately, won’t work without Javascript.
So that you can run interactive 3D applications like games in your browser.
To adjust the performance of a web application to save more power.
To give you matching website.
Again to adjust performance or to pause an application.
Is often used to give you a download link that matches your OS.
You can disable or fake most of the stuff. But that usually makes you stand out even more in their statistics.
Hardware info does not need to be sent server side to accomplish this. OpenGL and Vulkan APIs can both say what the current hardware supports without hardware identifiers. A malicious website could probably still fingerprint based off those listed features, but that’s just a justification for “don’t accept requests for GPU hardware acceleration without user permission”. Currently modern web browsers broadcast it no matter what the page is requesting.
Name me one web “page” that does this. A web “application” doesn’t count. My native browser should should never broadcast this, ever.
Can/should be ran client side.
Can/should be ran client side. Its none of the websites/applications business whether I have frozen its process or not.
A small quality of life, isn’t worth it. Thankfully its the easiest thing to fake/lie about on this list. Most of these “features” on this list are not user facing and cannot be turned off with basic configurations.
In a non-malicious way it can all be helpful to websites to know the capabilities of your device to allow it to change what the site delivers/how it renders. Knowing your GPU allows it to know if your device supports WebGL/DirectX/Vulkan etc., knowing light or dark mode allows for it to set the site the same as your system, if the tab is not active it can pause content, and if you have a low battery the site can try to be less power hungry by perhaps not asking to render a ton of active content. Knowing if your on a mobile device can allow the site to deliver a mobile optimized layout, or if you have touch capability to render buttons larger.
The fact that advertisers and data brokers use this to fingerprint you as a user is just a non-intended use of good intention features. In reality, if you do hide this information (which you often can using developer tools in many browsers) you’ll find the some sites will just not work or will act wonky and data brokers will still fingerprint you using things like tracking pixels, your IP, or user agent string info that you can’t really hide without fully breaking the web. You only need three or four individual pieces of information to pinpoint specific individuals in most cases so they don’t really need all of it, it’s just easier and more accurate the more information they have.
Lmfao, US Congress could ban all data selling and brokering in a single session, and you think browser makers are the asshole for providing basic APIs for web apps?
I can hate them both. 90% of this info has no legitimate reason to leave the clients machine. In a world where open source development is still legal and available, I don’t see why its so hard to have a web browser that doesn’t broadcast every single hardware detail about your machine.
I hate how this situation is spoken about as a lost cause. People in the comments section here are acting like this information is required for the web to work at all. Probably weren’t alive at a time where websites could be stored offline because they didn’t expect constant client validation. Multiple comments acting like light/dark mode requires a server request, and couldn’t just be handled offline by the clients browser choosing how to render stuff after its been downloaded. Bet they think the web server needs to know the time zone too.
Theres no way to control that.
Some of us are professional software developers old enough to have started programming in Windows 95. Rather than being dismissive, maybe you should question whether you have a full understanding of how everything works.
Light / dark mode doesn’t require a server request. It’s a client side API. The client side JavaScript or CSS can request to know what mode the system is wants and can adjust itself accordingly.
The problem is that there’s no way of preventing the client from knowing what mode it ends up in and sending that information back. The client need to be able to query what’s rendered for a variety of reasons, not least of which is maintaining backwards compatibility with all of the 90s and 00s era web APIs that use these to update what’s displayed.
You can disable JavaScript if you want, and that will prevent much of this information being sent back, but you’ll also break most websites because most websites need client side JavaScript to provide a modern UX that people expect, because at a fundamental level, dynamic software that responds to what the user is doing and adjusts itself accordingly is more powerful then static software that just consists of a preset information laid out. You can build basic websites that consist of just static documents and forms and work without JavaScript but you’re limited to basic document sites without interactivity like blogs.
And guess what happens then? Everyone downloads programs and applications for anything with interactivity and they have even deeper access to system information.