While this field is always interesting to read about, I absolutely refuse to give any technical input on how to improve fingerprinting, even if it's to fight bots. If you work on tracking, my opinion of you as a person is well summarized by apenwarr [0]:
> Can I work for a bad company and still be a good person?
By your own moral compass of course. There is no such thing as objective good or objective bad, it's all in the eye of the beholder. Surely you would've covered this in literature class in your youth? Likewise, me thinking someone is a bad person doesn't mean it's some objective and universal truth. It's literally, like, my opinion, man.
Studying philosophy doesn't make it any more of an absolute truth, the numerous and conflicting schools of thought in it are a good testament to that. Philosophy is the study of systems of thought, not an absolute truth about the world.
Most "famous philosophers" are moral relativists? Can I get a source on that? They might disagree on what exactly is moral, but they present more cogent arguments than "Can I do X and be a good person? No." or "that's just like, your opinion, man".
Surely you can see that there are trivial counter examples to this? Someone stealing to save someone's life, or to feed a starving child, or etc. From their perspective they won't be bad people, it's not universal.
Sticking to the original claim is "bad faith argument" now? Note the argument isn't that every action has a universal good/bad categorization, just that "universal truths" exist. Your comment is a bad faith argument.
i recommend taking some deep breaths. Language is a construct.
Mugging: 1939 as "a violent physical robbery;"
Stealing: Old Frisian stela "to steal, rob one of,"
tracing it back to proto-Indo-European still has "rob" in the etymology for "steal". I am using EO because i don't want to go to my bookshelf right now.
you can "steal" an apple from a store and that's not a "robbery" but if you mug someone and rob them it's still "theft", they were still "stolen from".
In a thread about universal truths (or not) this is amusing.
> Sticking to the original claim is "bad faith argument" now?
Arguing against a weak interpretation of someone’s argument is arguing in bad faith when a stronger interpretation is plausible. It is in the guidelines:
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
1. If you really want to get into rules lawyering, the guideline was arguably broken when "mugging" was substituted for "theft" a few comments up. That most certainly is not "strongest plausible interpretation of what someone says". In fact it's the opposite. Therefore calling out "mugging" =/= stealing isn't "bad faith argument".
2. The original claim is "There are universal truths". Substituting that for "There are universal truths in every circumstance" isn't "strongest plausible interpretation", it's changing the argument entirely and attacking a strawman. It's like claiming "a^2 + b^2 = c^2 holds for right angle triangles", someone else objecting "yeah but it doesn't hold for all triangles", and then invoking "strongest plausible interpretation of what someone says" when he's called out for changing the claim.
What is a "mugger"? Does someone who has ever committed a mugging carry that label with them for the rest of their life? If the mugging was committed on a serial killer, is it still morally indefensible in your view?
Someone who uses threat of violence (real or otherwise), to steal from people.
>Does someone who has ever committed a mugging carry that label with them for the rest of their life?
Easily sidestepped by claiming that they're bad people in the moment, or for that action. You can still call an law-abiding citizen that volunteers in his community and donates to charity a "bad person", if one day he goes rogue and punches someone in a fit of range, for instance.
> If the mugging was committed on a serial killer, is it still morally indefensible in your view?
Yes, because such actions are extrajudicial (how do you know the victim was actually a serial killer?), and sets a dangerous precedent (how soon until people are mugging each other for being Trump/Kamala supporters?).
> You can still call an law-abiding citizen that volunteers in his community and donates to charity a "bad person", if one day he goes rogue and punches someone in a fit of range, for instance.
Sure, but is that universally true? Would someone be necessarily wrong if they still said that the puncher is not a bad person and was not a bad person in that moment?
Yes. I've given reasons why punching people are bad in general. Unless you can give a counterargument why it wouldn't be bad, I think it's fair to conclude "punching someone in a fit of rage is universally bad". This isn't math where you have to prove the non-existence of something to prove something is a universal truth.
To play the devil's advocate: Google has vastly improved access to information. Facebook has allowed hundreds of millions of people to remain in each other's lives even while separated by oceans. Amazon made it much easier to acquire very specific items. Tinder has helped people find love.
Almost feels like a viewpoint that changes depending on how old you are & what your life experiences have been. I’m glad OP is so certain in his judgement though, especially ranking war machine companies as good for the world.
People would go to war even with sticks and rocks, but the technological advances made by those companies probably trickled down to general aviation and produced generally interesting "things".
The amount of damage you can do and how quickly you can do it with sticks and rocks is a lot more contained and your ability to force project gets exponentially more expensive exponentially more quickly.
Well researchers employed by Google are where transformers were presented which is how all modern AI companies build their models. I'd categorize generative AI as generally interesting things. Or a massively useful search platform, they solved email (until they stopped really paying attention to it). They also promulgated Android which has a lot of fans. And that's just the very visible stuff you'll see as someone not in the field. They've also contributed to storage & distributed systems research in very tangible ways. Or the research they've been doing into protein folding with AI via AlphaFold.
Amazon pioneered modern cloud computing in such a way that they were the only game in town for a long time before Google and Microsoft attempted to compete.
But sure, it sounds like your bias is against any company that's a "virtual" company and for companies that produce "real" things. However, you may want to ask yourself whether those companies would be able to build those "real" things as efficiently without all the virtual technology supporting them & letting them offload that complexity.
To be honest, they are focusing here on detecting tweaks used by scrappers to bypass bot protection, not on building an unique and stable fingerprint of a browser.
I scrape sites from time to time to back them up. I am kind of annoyed that this is going to get more difficult as time goes on thanks to societal leeches that have more rights than everyone (read "at least facebook, but probably X, and any other AI company not attached to a bookstore or book archival project") pirating content in 1998-2003.
I know i have "no right" to archive content, but it comes in handy.
Fingerprinting is terrifying. That a device (and therefore a specific person) can be reliably identified across all sites and across time is a major failure of browser design.
It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites? I know you can disable canvas in firefox, how does one do it in Chrome
>It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites?
Note the fingerprint isn't unique, it's basically a property of your graphics hardware + operating system. If you have a M4 macbook pro, in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.
>I know you can disable canvas in firefox, how does one do it in Chrome
Bad news. Disabling features is also a fingerprint vector, and having it disabled probably makes you more suspicious. Imagine you're at a border checkpoint that fingerprints you (many countries do that), and your fingerprints were burned off. How do you think the border guard will react?
> in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.
er... maybe if they're using metamask or something with the viewport pixel WxH set arbitrarily. canvas size/window size, fonts installed (are you a graphic designer or typographer?), who knows what else. the EFF has a site that shows you all the nonsense we can be tracked with.
open safari on a second monitor? at the same time? probably globally unique WxH between the two windows.
>er... maybe if they're using metamask or something with the viewport pixel WxH set arbitrarily
I was talking about canvas specifically, since the OP mentioned "js with canvas enabled". The rest can be somewhat mitigated by avoiding configurations that stick out, eg. using a "common" window size (ie. maximized). On firefox you can also use RFP with letterboxing, which rounds windows dimensions to the nearest 100 pixels, and defaults to 1000x1000. However, that's also somewhat suspicious (who perfectly sets their window to multiples of 100?) that you're better off using maximized window + common display resolution + standard taskbar/dock size. RFP also has mitigations for some of the other issues you mentioned, eg. a font whitelist.
>you'd also have to figure out where most users are in the timezone data as that narrowed my browser down to 95% unique all on its own.
The best timezone to use is the one that corresponds to your IP info, because it doesn't reveal anything about you. You'd expect 95+% of users with a Californian geo ip to be on pacific time, for instance. Using anything else makes you stick out like a sore thumb.
Statistics like "95% unique" also make little sense. Being able to identify you as one out of 400 million people (5% * world population) seems... fine? You can get better targeting through geoip/latency measurements, for instance. If you use a VPN in California, that narrows you down to 1 in 39 million people.
i'm unique in their dataset on firefox on a 2k monitor.
looks like my main culprits: useragent, timezone (lol), navigator properties (99.9% unique,) fonts, canvas (100% unique,) screen dimensions (available and .. actual?). all of these showed >99% unique.
I wouldn't read too much into that site. For instance it says my chrome browser, updated to latest version has a user-agent "similarity ratio" (whatever that means) of 0.43%. This can't possibly be true because autoupdate is enabled by default for chrome, so you'd expect everyone to have the user-agent, or at least all the windows users to have the same user-agent. For whatever reason it also thinks firefox has a 37.8% market share, which is clearly not correct. I also tested some phones, which it also claims is "unique". That clearly can't be the case either. Phones are pretty basically run the same software/hardware, and are pretty locked down from a customization/sandboxing perspective, so at the very least you'd expect most of the iPhone 15 in New York to have the same fingerprint, for instance. It certainly shouldn't single any one out as "unique".
While I agree that browser vendors could potentially have handled this better, I am more incline to view this as a regulation failure - that fingerprinting is permitted in the first place. By acting in this manner, ad companies offload the cost of to browser vendors, general public and reduce overall societal trust. This is especially concerning when Google exploits its positions as an ad company and browser vendor, see the Menifest V3 situation for an example.
Regulation isn't universal, so it won't fix the issue. A company wanting to work around that can just contract with another running out of a country without such regulations.
Browsers should do their best to make fingerprinting a non-viable approach.
I don't think fingerprinting can be stopped as long as JavaScript exists. There will always be some minor difference you can exploit or some cache you can misuse.
There is also the fact that there can be legitimate uses for APIs which expose information by design
One of the few good ideas Google proposed is Privacy Budget [1], which now appears to be abandoned. In short the browser estimates how much information each risky API call discloses, and blocks further calls if the sum exceeds some threshold
I feel conflicted about this. On one hand canvas being client side will always lead to cat and mouse game where fraudsters can always generate required "answer". On the other hand innocent users will always be fingerprinted by ad networks and similar.
The purpose is important, if my fingerprint is used to detect fraud (eg my browser has just tried 100 other credit cards), I'm less bothered than if cloudflare are reading my fingerprint then blocking me viewing a web page for no good reason.
Castle.io's customers seem to include marketing platforms, and their listed use-cases include preventing account sharing and alt accounts. Can understand why a company would want to be able to uniquely identify users, but also from a user/privacy perspective it's something I'd very much like my browser/extensions to block.
Detecting account sharing is a tricky business. It's pretty easy to detect if one account is using two different machines. But it's quite hard to unambiguously say it's one person using both machines or two different people each using one machine each.
Wow I didn't realize that Canvas Fingerprinting was exclusively used to detect fraudsters! Especially the wily ones who figured out how to delete their cookies! That's really cool - like how they scan everybody's files now to detect pedophiles (exclusively!).
I've never heard of Castle before. Do any current Castle clients care to share opinions of their service as compared to Cloudflare Turnstile or Google ReCaptcha?
While this field is always interesting to read about, I absolutely refuse to give any technical input on how to improve fingerprinting, even if it's to fight bots. If you work on tracking, my opinion of you as a person is well summarized by apenwarr [0]:
> Can I work for a bad company and still be a good person?
> No.
[0] https://apenwarr.ca/log/20201121
The quote is throwaway nonsense. No argument is made.
I counter it with my own- Yes.
By what standard are bad companies or good people measured? Do you define that? Religion? The current popular opinion?
By your own moral compass of course. There is no such thing as objective good or objective bad, it's all in the eye of the beholder. Surely you would've covered this in literature class in your youth? Likewise, me thinking someone is a bad person doesn't mean it's some objective and universal truth. It's literally, like, my opinion, man.
>Likewise, me thinking someone is a bad person doesn't mean it's some objective and universal truth. It's literally, like, my opinion, man.
There's literally an entire branch of study that tries to formalize it so it's not just "It's literally, like, my opinion, man".
Studying philosophy doesn't make it any more of an absolute truth, the numerous and conflicting schools of thought in it are a good testament to that. Philosophy is the study of systems of thought, not an absolute truth about the world.
Don't be so cynical. There are universal truths.
A significant proportion of famous philosophers would disagree.
Most "famous philosophers" are moral relativists? Can I get a source on that? They might disagree on what exactly is moral, but they present more cogent arguments than "Can I do X and be a good person? No." or "that's just like, your opinion, man".
Such as?
Muggers are bad people.
Surely you can see that there are trivial counter examples to this? Someone stealing to save someone's life, or to feed a starving child, or etc. From their perspective they won't be bad people, it's not universal.
>Someone stealing to save someone's life, or to feed a starving child, or etc.
"mugging" =/= stealing
The exact same point holds when you use mugging, which specific word you use is pretty orthogonal in this context.
This is a bad faith argument. What if they just said mugging instead of stealing?
Sticking to the original claim is "bad faith argument" now? Note the argument isn't that every action has a universal good/bad categorization, just that "universal truths" exist. Your comment is a bad faith argument.
i recommend taking some deep breaths. Language is a construct.
Mugging: 1939 as "a violent physical robbery;"
Stealing: Old Frisian stela "to steal, rob one of,"
tracing it back to proto-Indo-European still has "rob" in the etymology for "steal". I am using EO because i don't want to go to my bookshelf right now.
you can "steal" an apple from a store and that's not a "robbery" but if you mug someone and rob them it's still "theft", they were still "stolen from".
In a thread about universal truths (or not) this is amusing.
> Sticking to the original claim is "bad faith argument" now?
Arguing against a weak interpretation of someone’s argument is arguing in bad faith when a stronger interpretation is plausible. It is in the guidelines:
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
1. If you really want to get into rules lawyering, the guideline was arguably broken when "mugging" was substituted for "theft" a few comments up. That most certainly is not "strongest plausible interpretation of what someone says". In fact it's the opposite. Therefore calling out "mugging" =/= stealing isn't "bad faith argument".
2. The original claim is "There are universal truths". Substituting that for "There are universal truths in every circumstance" isn't "strongest plausible interpretation", it's changing the argument entirely and attacking a strawman. It's like claiming "a^2 + b^2 = c^2 holds for right angle triangles", someone else objecting "yeah but it doesn't hold for all triangles", and then invoking "strongest plausible interpretation of what someone says" when he's called out for changing the claim.
What is a "mugger"? Does someone who has ever committed a mugging carry that label with them for the rest of their life? If the mugging was committed on a serial killer, is it still morally indefensible in your view?
>What is a "mugger"?
Someone who uses threat of violence (real or otherwise), to steal from people.
>Does someone who has ever committed a mugging carry that label with them for the rest of their life?
Easily sidestepped by claiming that they're bad people in the moment, or for that action. You can still call an law-abiding citizen that volunteers in his community and donates to charity a "bad person", if one day he goes rogue and punches someone in a fit of range, for instance.
> If the mugging was committed on a serial killer, is it still morally indefensible in your view?
Yes, because such actions are extrajudicial (how do you know the victim was actually a serial killer?), and sets a dangerous precedent (how soon until people are mugging each other for being Trump/Kamala supporters?).
> You can still call an law-abiding citizen that volunteers in his community and donates to charity a "bad person", if one day he goes rogue and punches someone in a fit of range, for instance.
Sure, but is that universally true? Would someone be necessarily wrong if they still said that the puncher is not a bad person and was not a bad person in that moment?
Yes. I've given reasons why punching people are bad in general. Unless you can give a counterargument why it wouldn't be bad, I think it's fair to conclude "punching someone in a fit of rage is universally bad". This isn't math where you have to prove the non-existence of something to prove something is a universal truth.
Muggers disagree.
You must be a fan of the Barber Paradox.
Care to explain? This does not appear to be related.
What is "a bad company"? Google? Amazon? Facebook? Tesla? Tinder? Boeing? Rheinmetall? Lockheed Martin? Pfizer?
"Would the world be better without it (inb4 it'll be replaced in all but name)?"
Google? Amazon? Facebook? Tinder? Yes.
Boeing? Lockheed Martin? No.
Tesla? Pfizer? Unknown.
You're welcome.
Under what criterion were your answers decided?
To play the devil's advocate: Google has vastly improved access to information. Facebook has allowed hundreds of millions of people to remain in each other's lives even while separated by oceans. Amazon made it much easier to acquire very specific items. Tinder has helped people find love.
Almost feels like a viewpoint that changes depending on how old you are & what your life experiences have been. I’m glad OP is so certain in his judgement though, especially ranking war machine companies as good for the world.
People would go to war even with sticks and rocks, but the technological advances made by those companies probably trickled down to general aviation and produced generally interesting "things".
The amount of damage you can do and how quickly you can do it with sticks and rocks is a lot more contained and your ability to force project gets exponentially more expensive exponentially more quickly.
Well researchers employed by Google are where transformers were presented which is how all modern AI companies build their models. I'd categorize generative AI as generally interesting things. Or a massively useful search platform, they solved email (until they stopped really paying attention to it). They also promulgated Android which has a lot of fans. And that's just the very visible stuff you'll see as someone not in the field. They've also contributed to storage & distributed systems research in very tangible ways. Or the research they've been doing into protein folding with AI via AlphaFold.
Amazon pioneered modern cloud computing in such a way that they were the only game in town for a long time before Google and Microsoft attempted to compete.
But sure, it sounds like your bias is against any company that's a "virtual" company and for companies that produce "real" things. However, you may want to ask yourself whether those companies would be able to build those "real" things as efficiently without all the virtual technology supporting them & letting them offload that complexity.
Why is making planes that drop bombs on brown people not bad?
To be honest, they are focusing here on detecting tweaks used by scrappers to bypass bot protection, not on building an unique and stable fingerprint of a browser.
I scrape sites from time to time to back them up. I am kind of annoyed that this is going to get more difficult as time goes on thanks to societal leeches that have more rights than everyone (read "at least facebook, but probably X, and any other AI company not attached to a bookstore or book archival project") pirating content in 1998-2003.
I know i have "no right" to archive content, but it comes in handy.
Bad people win, as evidenced by almost everything. If you want to be good later you probably have to be bad now. Good on you if you don't, though.
Fingerprinting is terrifying. That a device (and therefore a specific person) can be reliably identified across all sites and across time is a major failure of browser design.
It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites? I know you can disable canvas in firefox, how does one do it in Chrome
>It seems so powerful, all I need is to have my browser have js with canvas enabled and I can be matched across websites?
Note the fingerprint isn't unique, it's basically a property of your graphics hardware + operating system. If you have a M4 macbook pro, in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.
>I know you can disable canvas in firefox, how does one do it in Chrome
Bad news. Disabling features is also a fingerprint vector, and having it disabled probably makes you more suspicious. Imagine you're at a border checkpoint that fingerprints you (many countries do that), and your fingerprints were burned off. How do you think the border guard will react?
> in all likelihood you'll have the same fingerprint as all the other M4 macbook pro users.
er... maybe if they're using metamask or something with the viewport pixel WxH set arbitrarily. canvas size/window size, fonts installed (are you a graphic designer or typographer?), who knows what else. the EFF has a site that shows you all the nonsense we can be tracked with.
open safari on a second monitor? at the same time? probably globally unique WxH between the two windows.
>er... maybe if they're using metamask or something with the viewport pixel WxH set arbitrarily
I was talking about canvas specifically, since the OP mentioned "js with canvas enabled". The rest can be somewhat mitigated by avoiding configurations that stick out, eg. using a "common" window size (ie. maximized). On firefox you can also use RFP with letterboxing, which rounds windows dimensions to the nearest 100 pixels, and defaults to 1000x1000. However, that's also somewhat suspicious (who perfectly sets their window to multiples of 100?) that you're better off using maximized window + common display resolution + standard taskbar/dock size. RFP also has mitigations for some of the other issues you mentioned, eg. a font whitelist.
I just opened edge on my 1080p monitor and made it fullscreen, and it's "you are unique among 3.4mm fingerprints".
I'm just saying it's not as easy as all of that, even on a "computer" using the stock browser.
you'd also have to figure out where most users are in the timezone data as that narrowed my browser down to 95% unique all on its own. (UTC-5)
See my other comment on fingerprinting sites: https://news.ycombinator.com/item?id=43175193
>you'd also have to figure out where most users are in the timezone data as that narrowed my browser down to 95% unique all on its own.
The best timezone to use is the one that corresponds to your IP info, because it doesn't reveal anything about you. You'd expect 95+% of users with a Californian geo ip to be on pacific time, for instance. Using anything else makes you stick out like a sore thumb.
Statistics like "95% unique" also make little sense. Being able to identify you as one out of 400 million people (5% * world population) seems... fine? You can get better targeting through geoip/latency measurements, for instance. If you use a VPN in California, that narrows you down to 1 in 39 million people.
https://coveryourtracks.eff.org for those that are curious
https://www.amiunique.org/
i'm unique in their dataset on firefox on a 2k monitor.
looks like my main culprits: useragent, timezone (lol), navigator properties (99.9% unique,) fonts, canvas (100% unique,) screen dimensions (available and .. actual?). all of these showed >99% unique.
I wouldn't read too much into that site. For instance it says my chrome browser, updated to latest version has a user-agent "similarity ratio" (whatever that means) of 0.43%. This can't possibly be true because autoupdate is enabled by default for chrome, so you'd expect everyone to have the user-agent, or at least all the windows users to have the same user-agent. For whatever reason it also thinks firefox has a 37.8% market share, which is clearly not correct. I also tested some phones, which it also claims is "unique". That clearly can't be the case either. Phones are pretty basically run the same software/hardware, and are pretty locked down from a customization/sandboxing perspective, so at the very least you'd expect most of the iPhone 15 in New York to have the same fingerprint, for instance. It certainly shouldn't single any one out as "unique".
If a site deems me too suspicious that it blocks me because it cannot track me so be it, close tab
While I agree that browser vendors could potentially have handled this better, I am more incline to view this as a regulation failure - that fingerprinting is permitted in the first place. By acting in this manner, ad companies offload the cost of to browser vendors, general public and reduce overall societal trust. This is especially concerning when Google exploits its positions as an ad company and browser vendor, see the Menifest V3 situation for an example.
> I am more incline to view this as a regulation failure - that fingerprinting is permitted in the first place.
In the EU it's not without explicit consent outside of a few, clearly defined cases.
Of course compliance is not 100%.
Regulation isn't universal, so it won't fix the issue. A company wanting to work around that can just contract with another running out of a country without such regulations.
Browsers should do their best to make fingerprinting a non-viable approach.
I don't think fingerprinting can be stopped as long as JavaScript exists. There will always be some minor difference you can exploit or some cache you can misuse.
There is also the fact that there can be legitimate uses for APIs which expose information by design
One of the few good ideas Google proposed is Privacy Budget [1], which now appears to be abandoned. In short the browser estimates how much information each risky API call discloses, and blocks further calls if the sum exceeds some threshold
[1] https://developers.google.com/privacy-sandbox/protections/pr...
What if I do:
delete CanvasRenderingContext2D.prototype.toDataURL;
Shouldn’t delete set the function back to native code?
Same with:
const offscreen = new OffscreenCanvas(1, 1); const nativeToDataURL = Object.getPrototypeOf(offscreen.getContext("2d")).toDataURL;
Object.defineProperty(CanvasRenderingContext2D.prototype, "toDataURL", { value: nativeToDataURL, writable: true, configurable: true });
Or:
const iframe = document.createElement("iframe"); document.body.appendChild(iframe); const nativeToDataURL = iframe.contentWindow.CanvasRenderingContext2D.prototype.toDataURL; document.body.removeChild(iframe);
CanvasRenderingContext2D.prototype.toDataURL = nativeToDataURL;
I beg your pardon if my question is full of innocence.
I feel conflicted about this. On one hand canvas being client side will always lead to cat and mouse game where fraudsters can always generate required "answer". On the other hand innocent users will always be fingerprinted by ad networks and similar.
The purpose is important, if my fingerprint is used to detect fraud (eg my browser has just tried 100 other credit cards), I'm less bothered than if cloudflare are reading my fingerprint then blocking me viewing a web page for no good reason.
Castle.io's customers seem to include marketing platforms, and their listed use-cases include preventing account sharing and alt accounts. Can understand why a company would want to be able to uniquely identify users, but also from a user/privacy perspective it's something I'd very much like my browser/extensions to block.
Detecting account sharing is a tricky business. It's pretty easy to detect if one account is using two different machines. But it's quite hard to unambiguously say it's one person using both machines or two different people each using one machine each.
"fraudsters" and "bots"
Sure, Jan. Whatever lets you sleep at night.
According to this post the only people who care about not being tracked are running bots and fraudsters.
Wow I didn't realize that Canvas Fingerprinting was exclusively used to detect fraudsters! Especially the wily ones who figured out how to delete their cookies! That's really cool - like how they scan everybody's files now to detect pedophiles (exclusively!).
I've never heard of Castle before. Do any current Castle clients care to share opinions of their service as compared to Cloudflare Turnstile or Google ReCaptcha?