> You cannot have a functioning "Business Internet" without identity verification.

Yes, you can. Just like you can have a functioning grocery store without checking the identity of each shopper that walks through the door.

What you cannot have is a free and democratic society or an efficient free market without robust protections for individual privacy. Privacy is the best shield the less powerful have from being abused and exploited by the more powerful.

> We accepted the SLA for the "Business Internet" in exchange for free, billion-dollar tools.

No, we did not accept. There was no informed consent. The full consequences of our use of these services was and is still is kept hidden from us. Tracking happens invisibly, without our knowledge or consent. This deprives us of the opportunity to express our true preference and opt out and choose an alternative. It's employing deception in order to subvert the consumer's ability to make a rational choice that represents their best interests.

> on the modern web, anonymity looks exactly like a security threat

An anonymous user who just uses the service normally and does not attempt to access sensitive information without authorization does not look like a security threat.

Most grocery stores in every place I have lived have security cameras so that if you did something illegal you'd be identified very quickly. At this point this is even true of small bodegas.

Also scammers can't waltz into my grocery store from the other side of the planet and wreak havoc.

Ultimately you can use privacy enhancing tools, just like servers can choose to block them. I wish there was a better system but that's what we've got.

A security camera, on its own, doesn't tell the grocery store who you are. There was a time when CCTV didn't even exist and yet we still had commerce.

"What we've got" isn't "the best we can do". There absolutely are better possibilities that would protect consumers. The best way to ensure we never get to experience those better systems is to shrug our shoulders and passively accept whatever treatment we receive.

Then let's get rid of the business internet. Every single thing I dislike about the internet is from the business internet: tracking, cookies, fingerprinting, SPAs, excessive javascript, optimizing for engagement, data brokers, I could go on.

"But won't you miss XYZ?" Nope, don't care, want it gone. If you can't be bothered to go to the store and get it then it probably didn't matter very much.

To me, it would be enough if there existed a search engine which only lists sites which do nothing of the above. But that would require that sites are honestly answering the question "are you tracking?". They won't. Corps have the same thinking as the criminals they try to keep outside.

There would have to be laws which require site owners to answer that question honestly, so that users have a choice and such a search engine can be built. But states are interested in fingerprinting too, so I guess such will never happen.

Based on your comment it sounds like you rarely travel (booking hotel / flights online), don’t have mobility issues (ordering groceries / household essentials online), don’t participate in online banking (do you write checks? carry cash with you all the time? go to an ATM weekly?), you don’t stream movies or tv shows, and you enjoy looking for apartments to rent in your local newspaper listing, and you enjoy using paper maps when traveling around the city and world. I could go on…

literally everything useful works on the business internet. Also how do you think local businesses near you operate? They don’t call each like the 1900s lol. They order stock from distributors, some local and some overseas. Often they are doing this on the business internet. Today’s global supply chain makes this a non-starter.

It’s OK if YOU personally prefer doing everything slowly and in person and don’t value the convenience of the business internet. No judgment. But don’t pretend this would be an easy transition at all. Or that most people would prefer to live that way.

IMO it would make _way_ more sense to introduce reasonable privacy regulations that are better thought out than GDPR and have proper enforcement.

Maybe a formal “community” version of the internet would be appropriate as well.

>you rarely travel (booking hotel / flights online)

Yes, and I really dislike traveling when I have to. I personally wish that air travel would become unaffordable for most people, including myself.

>don’t have mobility issues (ordering groceries / household essentials online)

No, but mobility issues existed before the modern internet.

>don’t participate in online banking (do you write checks? carry cash with you all the time? go to an ATM weekly?)

I do online banking, but I also write checks and use cash. I don't use Venmo or similar services. Once I can get ahead of my chores & projects I'm thinking about getting a local branch at a credit union and totally avoiding a banking app on my smart phone.

>you don’t stream movies or tv shows

Sometimes, but I'm getting away from it. Interestingly I'm getting a blank screen (but there's still audio) when attempting to stream on Linux. I haven't fully researched it, but some preliminary research suggests that it's anti-Linux blocking. (at least one user reported the problem went away -- in a repeatable fashion -- when switching their use agent to Windows) So although this is not confirmed, I'm preparing for a time when this is unavoidable and I won't stream movies or TV whatsoever at that point.

> and you enjoy looking for apartments to rent in your local newspaper listing

Don't see anything wrong with this. I would actually argue that you don't need authentication in the way discussed in this conversation for this, though -- all you need is the listing, which can be totally anonymous. The actual application for the apartment can happen in person, and that's when verification needs to occur.

>you enjoy using paper maps when traveling around the city and world.

I use an old-fashioned GPS in my car that I paid well over $100 for a number of years ago. There's no tracking whatsoever, unlike the GPS used in a smart phone.

>literally everything useful works on the business internet. >Also how do you think local businesses near you operate? They don’t call each like the 1900s lol. They order stock from distributors, some local and some overseas

Except we did fine for most of human history before all this. And I'm sure there were no such think as stock orders or warehouses or supply chains before the modern internet. They cropped up over night the moment the first tracking cookie existed. /s

Your opinions are totally reasonable IMO, i just hope you realize how outside the norm they are. :)

Those are some rose tinted glasses. Not having to drive a check to the city utility office to pay the power bill is quite the improvement.

You can mail checks you know.

I will happily let the internet fingerprint my browser to not have to go back to mailing checks. I am guessing this is true of most non-HN people.

No. Fingerprinting is a function of the ad network to identify ad-worth aspects of me.

That some aspects may be used to push bots away is a minor effect.

I am assuming you are not in the bot mitigation business.

An encrypted cookie from a company such as cloudflare encapsulates a multi dimensional datum such that, generating one in a legitimate browser, and letting a botnet using it will get detected and blocked.

Note that one very simple mitigation for browser fingerprinting is to simply run different browsers for "the business Internet" and "the fun Internet". You may need to do this anyway, because so many business sites only work on Chrome, with Javascript enabled, no VPN, no adblocker, and pop-ups enabled. But then you might use Chrome (which tracks everything you do anyway) for all your banking, SaaS, government tasks, so they all work, and then say Brave or Opera in an incognito window for all your fun reading. You get the adblocker, you get a different cookie jar for each session, you get easy access to Tor to hide your IP, etc.

Also recommended to have a separate sandbox for "projects" - basically things that you do that each might require their own research, toolchain, files you create, etc. I'd highly recommend doing this in a virtual machine though - oftentimes you need to install apps to do your project work, and that presents its own attack vector. Plus if it's all in a VM you can just backup the VM and start fresh on new hardware without having to install all the dependencies, while if you're just saving random files and backing them up they probably won't work as software gets updated and dependencies get out-of-date.

I don't think separate browsers is a very effective mitigation. If both browsers are running on the same machine, from the same ip address, using the same email address for logins, the same phone number for 2FA, it will be pretty clear that both browsers represent the same person. Even cross-device identity tracking is a real thing.

In general you shouldn't be logging in to any of the "fun" sites. If you do, you should create a burner email address and separate logins (and obviously separate passwords) for each site. A lot of the "fun" Internet doesn't require 2FA, but for sites that do (which is an increasing number of social media providers), I'd highly recommend getting a Google Voice number and using that. That shifts the trust boundary to Google, who is going to have all your info anyway, rather than dozens of fly-by-night websites.

IP address is covered by VPN or Tor.

If the definition of "fun" sites doesn't even include anything with a login (no youtube, no forums, no HN...), then it feels like it includes so little as to be meaningless. The "business" internet (at least most of it) needs to be anonymous if we want to have a free society and efficient markets.

I don't see why banks need browser fingerprinting at all. Every credit card I've had in the past 10 years required two-factor authentication. If your theory was correct, trying to do a purchase in a new browser wouldn't work.

This is an excellent insight.

I think there is still some hope that technical solutions could be developed so that only the "Business Internet" gets access to verified identity, with the user somehow understanding this, while the "Fun Internet" doesn't have such capabilities. This is what stood behind, e.g., Google's proposed WEI [1] that got such huge backlash, or Apple's Private Access Tokens [2] which are essentially the same thing but quietly slipped under the community radar.

Other proposals are Google's in-limbo Private State Tokens [3], or the various digital-wallet/age verification proposals (I think Apple and Google both have stuff in that space).

But even basic stuff, like IP protection, can really throw off the anti-fraud and anti-botnet mechanisms. Your Lego fan site wants to be behind a CDN for speed and protection from DDOS? Well, people using VPNs or in Incognito mode might end up inconvenienced, because the CDN thinks it's dealing with bots. Rough stuff.

[1]: https://en.wikipedia.org/wiki/Web_Environment_Integrity

[2]: https://developer.apple.com/news/?id=huqjyh7k

[3]: https://privacysandbox.google.com/protections/private-state-...

> Fingerprinting is often just the immune system of the commercial web trying to verify you are human.

I don't think so.

Yes, it is being used for such purposes, but the older reason for tracking users was the hunger of the ad networks to serve ads with higher impact, and I think 'personalization' is still the big driver here.

Not only that, but it's becoming increasingly difficult to get to legitimate data advanced web apps need in order to work properly, or to get legitimate analytics.

Everything is obfuscated. And this is not the situation on iOS and Android.

I am working on multiple products which use webassembly and cameras on mobile devices. It's impossible to reliably know how many workers to spin up, what's the safe memory limit and how much memory the device has, which compile-time optimized bundle to load, which camera to select for ideal focus lengths...

Especially on iOS.

And I often get customer complaints that the product is crashing. Eventually it ends up being a single (iPhone) that needs a restart to stop it from aggressively managing memory in Safari. Fingerprinting a device would solve SO MANY issues. And this is, again, possible on native apps.

I find it a bit hard to relate to the "privacy nightmare". I've not worried about such things in ~27 years of using the web and are yet to notice ill effects from the stuff he worries about. I don't know if my ads are targeted because I have an ad blocker and don't see any. Maybe the answer to the nightmares in general is not to worry about stuff that doesn't affect you?

Re insurers knowing you've been browsing heart disease etc, I have sometimes had issues like that, more you get a cheap initial price from an insurer/airline/car hire and then they jack it up when you visit again. You can sometimes do better by having a go from a different browser. I regard that more as me trying a hack to get a discounted price than a privacy nightmare but whatever I guess.

It’s less about targeted ads and more about how little right you have to your own information. Politically, you really should care that you have a right to your own data! Everyone generates so much data through their online activity, and privacy policies everyone agrees to allow your data to be collated, sold, and analyzed really without your knowledge or true consent. While it might not have a negative impact to you today, there are more and more compelling business incentives for companies to turn your data against you.

For example, did you know your car manufacturer sold information about their customers to data brokers? Which then combined that data with anything else they can buy and get their hands on to calculate a “risk score?” Which then gets sold to car insurance companies, which increases your insurance rate? https://youtu.be/X6UW4CFz71s

This kind of BS is why we all need to care and assert our right to privacy. Companies don’t have a right to your data, but aren’t forced to do informed consent, and somehow data brokers are legal. Why is my data being sold without my informed consent?

I also think about this sometimes. On the one hand, I have a natural instinct to give away as little personal data as I can, and it intuitively makes sense to me that it’s in your favour to keep as much private as possible; I assume many of us here feel the same way. But on the other hand, it takes a lot of energy to keep track of all the data that you leak, and often you have to give up better tools or workflows for a small perceived privacy gain.

Does this matter? Even if I do everything “right”, nobody around me does it. I can try to keep my shopping preferences and my searches private, but there is so much to gather from everyone else who doesn’t care about this that my efforts are very likely in vain. Even without my cookies, if you have as much data as a big tracker does, you can definitely make pretty good assumptions about what I like.

The response I usually see to this is that if everybody cared about privacy, then the picture would be different. But I’ve been reading exactly the same argument about using Firefox for the last ~15 years, and look where the Firefox share of the market is now…