StartPage has apparently started to fingerprint users

What, you can develloper if possible and what’s this story about 3 extensions on Firefox?

JShelter, User-Agent Switcher and Spoofer, and Chameleon on Firefox are enough to fool both fingerprint.com and CreepJS. Custom configurations are used. This is kind of off topic, though.

Not even close to being over. Bad smell/taste remains and will remain till the end of StartPage as this kind of thing is ‘do it once, but for good’ type of thing.

Let's face it: the reputation StartPage had been building up until now is gone forever. They would need an excessive amount of time and effort to regain that level of reputation.

1 Like

Whether or not Startpage is trustworthy is not a question I can answer. Regardless, I don’t think they will attempt something like that any time soon. Not after what just happened.

I’m not trying to argue about how trustworthy Startpage is. I think that their actions were somewhat sketchy (not telling us about it then not bothering to check if it’s collecting too much info until later). I’m just not willing to type in the nuclear launch codes on a company just because an incident happened.

Yeah, I agree with both of these things. It’s kind of a marketing blunder to not write about the new things you’re doing to improve user experiences while preserving privacy (e.g. Introducing Proton CAPTCHA | Proton). It’s reassuring to people, and also some people just find it interesting to know what goes on behind the scenes – win-win. Instead, 3 of the first 4 posts on Startpage’s blog homepage are from 2022 lol

As with all browser fingerprinting, I kind of feel like it’s only really problematic when used to correlate traffic and users (especially across different sites). Since Startpage is not doing that, I don’t think changing the recommendations is necessary personally.

People who have concerns beyond that should probably be preventing it with a smarter browser choice (like Tor) anyways. They shouldn’t be reliant on just choosing services that don’t fingerprint you now, because whether or not a service fingerprints you is outside of your control.

5 Likes

I'm willing to. Especially if (and when) these kinds of actions speak volumes about the true intentions of the perpetrator.

For me it's either:

  • stick to what had been said initially, or
  • close down company

Once a company breaks its initial promise, it's all over for them in my eyes. Want to have nothing to do with them.

That's just me.

2 Likes

@spsupport I believe you should offer a choice. Users preferring captchas (please use hCaptcha or other friendly ones) to tracking should be able to go to whatever.startpage.com and have this choice.

I also believe there is a lack of transparency here; these changes should be listed in your documentation. Especially when you prompt users to disable tracking and ad protection. https://support.startpage.com/hc/en-us/articles/8832676731028-Make-an-exception-for-Startpage-in-your-ad-blocker

3 Likes

WebGL fingerprinting (specifically) is now disabled on Startpage.

2 Likes

@mastery3 how do you know? Dare to share?

I know this because I happened to be using Startpage at the time, noticed a 502 Bad Gateway error, assumed they made a change in the servers, and went to check uBlock Origin and JShelter when the website came back up (I did this sequence like 20 times, that’s also how I know about WebGL being disabled).

uBlock Origin no longer shows the domain being blocked, disabling uBlock Origin doesn’t lead to JShelter firing (it actually stopped when WebGL was disabled, but now it doesn’t even display Medium), and visiting the website from a new browser profile doesn’t show any connections being made to vf.startpage.com. You can verify this yourself by executing the steps in the video I had provided in the initial reddit post (JShelter should no longer fire), or otherwise attempting to reproduce the symptoms (none should appear).

1 Like

vf.startpage.com IS still being used. It appears that they disabled the fingerprinter only on the Startpage homepage (the page I was testing), and not on the page containing the search results.

1 Like

After sending an email to Startpage 2 weeks ago (I’ve mentioned it earlier):

Hello, Startpage. Can you roll back some more signals? There are still some signals like WebGL and Speech Synthesis (and exact time info, although that’s not as bad) that I do not believe are beneficial for bot detection, but are immensely helpful for user tracking purposes.

Original forum:
StartPage has apparently started to fingerprint users

I’ve received this reply:

Hello and thanks for bringing this to our attention. We have been following and commenting on the Privacyguides forum and have also rolled back more signals, including WebGL and others.

We’ll continue to monitor these signals and remove those that aren’t beneficial for bot detection.

I followed up with this message:

Here’s some more data points being collected that I think you should disable:

  • Speech Synthesis fingerprinting is both identifying and annoying. It can likely identify anyone on a browser that supports that feature. I had already mentioned this one in the previous email, but it seems that vf.startpage.com still attempts to collect this info. When the browser does not support Speech Synthesis (mine doesn’t), the “Speech Synthesis is not supported” banner that Firefox displays every browser session is annoying for anyone who has not blocked the domain. Screenshot of the banner below.

  • I’d also disable the function that accesses localStorage. I don’t believe the script puts anything there, but I’d rather keep fingerprinting scripts miles away from that.

I would prefer that the “signals” collected by vf.startpage.com be selected on a whitelist basis. I suppose that’s more difficult than blacklisting, but this is a privacy-focused search engine.

Additional message I sent 5 hours later:

After some more testing, it appears that the browser extension Chameleon can be exposed via the fingerprint. Some of the data points provided to your servers appear to contain the stringified variants of functions, which if modified from the default values, can expose usage of certain browser extensions. I would disable these too, in correspondence with the claim that “We never collect or store add-on details either, as they are specific enough to enable fingerprinting” (https://support.startpage.com/hc/en-us/articles/5012065088020-Startpage-and-user-agents).
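
The point in the last message, that the source text of a modified function gives away the modification, can be checked against your own browser profile. This is an added example, not part of the original post and not code from Startpage or Chameleon; `looksNative`, `auditFunctions` and the patched function are hypothetical names, and the override is a constructed stand-in for what a spoofing extension might install.

```javascript
// Added example: list functions whose source text no longer looks like a built-in.
// Firefox and Chromium/Node print built-ins as "function name() { [native code] }"
// (whitespace differs between engines, hence the \s* groups).
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// Capture the original once and call it directly, so a toString property
// placed on the function itself cannot mask the real source text.
const nativeToString = Function.prototype.toString;

function looksNative(fn) {
  return NATIVE_RE.test(nativeToString.call(fn));
}

// targets: { label: function }. Returns the labels that do not stringify as native.
function auditFunctions(targets) {
  return Object.entries(targets)
    .filter(([, fn]) => typeof fn === "function" && !looksNative(fn))
    .map(([label]) => label)
    .sort();
}

// Constructed stand-in for an extension override (hypothetical).
function spoofedGetTimezoneOffset() { return 0; }
// A naive attempt to hide it: overriding toString on the function object only.
spoofedGetTimezoneOffset.toString = () =>
  "function getTimezoneOffset() { [native code] }";

function demo() {
  return auditFunctions({
    "Date.prototype.getTimezoneOffset (untouched)": Date.prototype.getTimezoneOffset,
    "Date.prototype.getTimezoneOffset (patched)": spoofedGetTimezoneOffset,
    "Math.random": Math.random,
  });
}

console.log(demo());
```

Pasted into the browser console with the extensions enabled, the same `auditFunctions` call over the APIs you expect to be spoofed shows which overrides are visible this way. An empty result only means this one check found nothing.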