StartPage has apparently started to fingerprint users

What, can you develop if possible, and what’s this story about 3 extensions on Firefox?

JShelter, User-Agent Switcher and Spoofer, and Chameleon on Firefox are enough to fool both fingerprint.com and CreepJS. Custom configurations are used. This is kind of off topic, though.

Not even close to being over. Bad smell/taste remains and will remain till the end of StartPage, as this kind of thing is a ‘do it once, but for good’ type of thing.

Let’s face it: the reputation StartPage had been building up until now is gone forever. They would need an excessive amount of time and effort to regain that level of reputation.

1 Like

Whether or not Startpage is trustworthy is not a question I can answer. Regardless, I don’t think they will attempt something like that any time soon. Not after what just happened.

I’m not trying to argue about how trustworthy Startpage is. I think that their actions were somewhat sketchy (not telling us about it then not bothering to check if it’s collecting too much info until later). I’m just not willing to type in the nuclear launch codes on a company just because an incident happened.

Yeah, I agree with both of these things. It’s kind of a marketing blunder to not write about the new things you’re doing to improve user experiences while preserving privacy (e.g. Introducing Proton CAPTCHA | Proton). It’s reassuring to people, and also some people just find it interesting to know what goes on behind the scenes – win-win. Instead, 3 of the first 4 posts on Startpage’s blog homepage are from 2022 lol

As with all browser fingerprinting, I kind of feel like it’s only really problematic when used to correlate traffic and users (especially across different sites). Since Startpage is not doing that, I don’t think changing the recommendations is necessary personally.

People who have concerns beyond that should probably be preventing it with a smarter browser choice (like Tor) anyways. They shouldn’t be reliant on just choosing services that don’t fingerprint you now, because whether or not a service fingerprints you is outside of your control.

5 Likes

I’m willing to. Especially if (and when) these kinds of actions speak volumes about the true intentions of the perpetrator.

For me it’s either:

  • stick to what had been said initially, or
  • close down the company

Once a company breaks its initial promise, it’s all over for them in my eyes. Want to have nothing to do with them.

That’s just me.

2 Likes

@spsupport I believe you should offer a choice. Users preferring captchas (please use hCaptcha or other friendly ones) to tracking should be able to go to whatever.startpage.com and have this choice.

I also believe there is a lack of transparency here, these changes should be listed on your documentation. Especially when you prompt users to disable tracking and ad protection. https://support.startpage.com/hc/en-us/articles/8832676731028-Make-an-exception-for-Startpage-in-your-ad-blocker

3 Likes

WebGL fingerprinting (specifically) is now disabled on Startpage.

2 Likes

@mastery3 how do you know? Dare to share?

I know this because I happened to be using Startpage at the time, noticed a 502 Bad Gateway error, assumed they made a change in the servers, and went to check uBlock Origin and JShelter when the website came back up (I did this sequence like 20 times, that’s also how I know about WebGL being disabled).

uBlock Origin no longer shows the domain being blocked, disabling uBlock Origin doesn’t lead to JShelter firing (it actually stopped when WebGL was disabled, but now it doesn’t even display Medium), and visiting the website from a new browser profile doesn’t show any connections being made to vf.startpage.com. You can verify this yourself by executing the steps in the video I had provided in the initial reddit post (JShelter should no longer fire), or otherwise attempting to reproduce the symptoms (none should appear).

1 Like

vf.startpage.com IS still being used. It appears that they disabled the fingerprinter only on the Startpage homepage (the page I was testing), and not on the page containing the search results.

1 Like

After sending an email to Startpage 2 weeks ago (I’ve mentioned it earlier):

Hello, Startpage. Can you roll back some more signals? There are still some signals like WebGL and Speech Synthesis (and exact time info, although that’s not as bad) that I do not believe are beneficial for bot detection, but are immensely helpful for user tracking purposes.

Original forum:
StartPage has apparently started to fingerprint users

I’ve received this reply:

Hello and thanks for bringing this to our attention. We have been following and commenting on the Privacyguides forum and have also rolled back more signals, including WebGL and others.

We’ll continue to monitor these signals and remove those that aren’t beneficial for bot detection.

I followed up with this message:

Here’s some more data points being collected that I think you should disable:

  • Speech Synthesis fingerprinting is both identifying and annoying. It can likely identify anyone on a browser that supports that feature. I had already mentioned this one in the previous email, but it seems that vf.startpage.com still attempts to collect this info. When the browser does not support Speech Synthesis (mine doesn’t), the “Speech Synthesis is not supported” banner that Firefox displays every browser session is annoying for anyone who has not blocked the domain. Screenshot of the banner below.
    [Image: Screenshot_20240613_095710]

  • I’d also disable the function that accesses localStorage. I don’t believe the script puts anything there, but I’d rather keep fingerprinting scripts miles away from that.

I would prefer that the “signals” collected by vf.startpage.com be selected on a whitelist basis. I suppose that’s more difficult than blacklisting, but this is a privacy-focused search engine.

Additional message I sent 5 hours later:

After some more testing, it appears that the browser extension Chameleon can be exposed via the fingerprint. Some of the data points provided to your servers appear to contain the stringified variants of functions, which if modified from the default values, can expose usage of certain browser extensions. I would disable these too, in correspondence with the claim that “We never collect or store add-on details either, as they are specific enough to enable fingerprinting” (https://support.startpage.com/hc/en-us/articles/5012065088020-Startpage-and-user-agents).

I just noticed that a Startpage search result for an official page has additional data in the URL. This even looks like a scam and something users should avoid.

The srsltid is a tracker id from Google merchants. It seems they are trying to make quick bucks by replacing normal links with affiliated links!
Relevant Thread of this new id.

Google now includes it on some search results like this one. But not on the one you included.

uBlock Origin with Legitimate URL Shortener removes it (with all filters enabled + real

Edit: after some testing, they seem to have more of those links than Google, seemingly boosting them. (This remains to be confirmed, only anecdotal for now).

1 Like

Thanks for the info. As I see, it is needed to enable annoyances lists in UBO. And it works for this one, but not for the 2nd one I tried earlier :smiley:

Startpage is just a Google proxy, is that tracker unique or forwarded from Google results?

Would be great if someone cross-tested Google & Startpage with the same queries and compared the result.


Found an instance where both have the same tracking ID. The website I’m talking about that has the tracker in both search engines is www.cablestogo.com/learning/connector-guides/usb, with random tracker data appended.

Google refuses to show the tracking info, you have to hover over the link and look at the bottom to see what they did to the URL. Startpage shows it in the URL directly in the search results, no hovering needed.

Notably, on @crossroads’s “keyshot” search query, Google did NOT have the tracking data in the KeyShot URL despite Startpage having it, although that was probably “random chance” on Google’s part (no, it’s not random chance; that was an oversimplification; it’s obviously whatever Google’s doing with the user data).

Okay, I see two possible options for what happened:

  1. Google gave Startpage money to put that tracker in.
  2. Startpage is severely negligent and failed to do their job.

Either option warrants Startpage being removed from the list in my opinion. I had given them the benefit of the doubt earlier, but come on. Even if Hanlon’s Razor held, that still wouldn’t be enough to change my opinion.

Aren’t they just supposed to proxy the results without altering them anyway?

“We do not modify these results in any way, but deliver them to you exactly as they are delivered to us”
Seems like expected behavior

If Google includes tracking they should definitely remove it, or they aren’t a private search engine and shouldn’t be included.

1 Like

The link is a statement that they don’t alter the actual search results you get from Google. I highly doubt that their guarantee extends to obvious malicious activity from Google. The link doesn’t really have anything to do with why Startpage didn’t remove obvious trackers from URLs, which is an entirely separate concern from manipulating search results.

1 Like
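
An added example, not part of any post in this thread and not Startpage's or uBlock Origin's code: one way to run the cross-test suggested above, stripping `srsltid` from result URLs and reporting whether both engines attached the same ID to a page. The result lists, hostnames and ID values are constructed; the function names are hypothetical.

```javascript
// Tracking parameters to strip; srsltid is the one named in this thread.
const TRACKING_PARAMS = new Set(["srsltid"]);

// Constructed sample results for one query (not real search output).
const SAMPLE_STARTPAGE = [
  "https://shop.example/usb-guide?srsltid=CONSTRUCTED_ID_1",
  "https://vendor.example/product?ref=nav&srsltid=CONSTRUCTED_ID_2",
  "https://docs.example/intro",
];
const SAMPLE_GOOGLE = [
  "https://shop.example/usb-guide?srsltid=CONSTRUCTED_ID_1",
  "https://vendor.example/product?ref=nav",
  "https://docs.example/intro",
];

// Return the URL without tracking parameters, plus the values removed.
function stripTracking(rawUrl) {
  const url = new URL(rawUrl);
  const removed = {};
  // Copy the names first: deleting while iterating would skip entries.
  for (const name of new Set(url.searchParams.keys())) {
    if (TRACKING_PARAMS.has(name)) {
      removed[name] = url.searchParams.get(name);
      url.searchParams.delete(name);
    }
  }
  return { clean: url.toString(), removed };
}

// Map each cleaned URL to the srsltid it carried (null if none).
function indexResults(list) {
  const byUrl = new Map();
  for (const raw of list) {
    const { clean, removed } = stripTracking(raw);
    byUrl.set(clean, removed.srsltid ?? null);
  }
  return byUrl;
}

// For pages both engines returned, say which engine tagged the link.
function compareEngines(resultsA, resultsB) {
  const a = indexResults(resultsA), b = indexResults(resultsB);
  const report = [];
  for (const [url, idA] of a) {
    if (!b.has(url)) continue;
    const idB = b.get(url);
    let verdict = "untagged";
    if (idA && idB) verdict = idA === idB ? "same-id" : "different-id";
    else if (idA) verdict = "only-a";
    else if (idB) verdict = "only-b";
    report.push({ url, verdict });
  }
  return report;
}
```

A `same-id` verdict means the value was forwarded unchanged; `only-a` or `different-id` means the first engine's link carried a tag the second one's did not.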