This defeatist attitude is dangerous, especially when the solution is simple: just stop browsers from leaking >= ~30 bits of entropy.
Deprecate HTTP headers that leak entropy (like the user agent). Rewrite fields like If-Modified-Since so they can only express a value quantized into values no smaller than days. Remove JS APIs that leak information (like the ability to read CSS attributes). Impose stricter same-origin policies to eliminate 3rd-party cookies and javascript. Some people will complain that this breaks some use cases. Just as Dan Geer put it when discussing software liability, "Yes, please! That was exactly the idea."
Unless a platform puts user safety first - without exception - then it inevitably creates moral hazard. If for some reason this does not entirely fix the problem, then we apply the force of law - just like we do in every other area of society. If this concerns you, you should encourage self policing and removal of the business models based on any kind of fingerprinting, so no legal remedy is necessary.
People may indeed deserve jail time (or other legal remedy) for stalking. Technical literacy does not except you from social responsibility. As for your concerns about a jury: the problems with our legal system are far broader than your concerns over "technical literacy. A lot of work is needed in that area, with great urgency. That aside, a jury is also not expected to be an expert in advanced kinematics when they hear a case involving cars that crashed into each other at an intersection. It is the responsibility of the lawyers involved to explain such technical details to the jury. My grandfather - a physicist who reconstructed accidents and a frequent expert witness - has given quite a few remedial lessons in physics from the witness box.
I understand the concern about having to worry about this kind of legal threat. It is scary, but you will learn to live with it, just like surgeons learn to live with the possibility of malpractice charges or civil engineers that could be liable if the building they design falls down. Really, the concerns of a developer shouldn't be that bad compared to the doctor or civil engineer who have to worry about people dying if they make some kinds of mistakes.
What I find a far scarier future would be the future where people are not only afraid to speak their mind out of fear of being recorded, but where they are afraid to even seek out knowledge because of the trail it leaves. Our judicial system certainly has problems, but I'll take it over de facto feudalism, where the only people that can freely speak their mind are the lords that control the aggregate databases of everything their peasants do.
By the way - while it certainly isn't perfect, the EFF's Panopticlick tool reports my browser as only leaking 14.03 bits of entropy. The user agent accounts for ~9 of those bits, and ~4 more bits from the HTTP accept headers. Both of those are trivially removable, and the remaining entropy would not be easily to fingerprint. I'm sure this analysis misses some entropy sources, but this should be sufficient to show that it is possible to fix this problem.
Panopticlick doesn't use everything available. WebGL alone adds an additional 5.11 bits of entropy[1]. Other things such as your local network address from WebRTC, core count, etc. all can add a lot more entropy for fingerprinting.
Deprecate HTTP headers that leak entropy (like the user agent). Rewrite fields like If-Modified-Since so they can only express a value quantized into values no smaller than days. Remove JS APIs that leak information (like the ability to read CSS attributes). Impose stricter same-origin policies to eliminate 3rd-party cookies and javascript. Some people will complain that this breaks some use cases. Just as Dan Geer put it when discussing software liability, "Yes, please! That was exactly the idea."
Unless a platform puts user safety first - without exception - then it inevitably creates moral hazard. If for some reason this does not entirely fix the problem, then we apply the force of law - just like we do in every other area of society. If this concerns you, you should encourage self policing and removal of the business models based on any kind of fingerprinting, so no legal remedy is necessary.
People may indeed deserve jail time (or other legal remedy) for stalking. Technical literacy does not except you from social responsibility. As for your concerns about a jury: the problems with our legal system are far broader than your concerns over "technical literacy. A lot of work is needed in that area, with great urgency. That aside, a jury is also not expected to be an expert in advanced kinematics when they hear a case involving cars that crashed into each other at an intersection. It is the responsibility of the lawyers involved to explain such technical details to the jury. My grandfather - a physicist who reconstructed accidents and a frequent expert witness - has given quite a few remedial lessons in physics from the witness box.
I understand the concern about having to worry about this kind of legal threat. It is scary, but you will learn to live with it, just like surgeons learn to live with the possibility of malpractice charges or civil engineers that could be liable if the building they design falls down. Really, the concerns of a developer shouldn't be that bad compared to the doctor or civil engineer who have to worry about people dying if they make some kinds of mistakes.
What I find a far scarier future would be the future where people are not only afraid to speak their mind out of fear of being recorded, but where they are afraid to even seek out knowledge because of the trail it leaves. Our judicial system certainly has problems, but I'll take it over de facto feudalism, where the only people that can freely speak their mind are the lords that control the aggregate databases of everything their peasants do.
By the way - while it certainly isn't perfect, the EFF's Panopticlick tool reports my browser as only leaking 14.03 bits of entropy. The user agent accounts for ~9 of those bits, and ~4 more bits from the HTTP accept headers. Both of those are trivially removable, and the remaining entropy would not be easily to fingerprint. I'm sure this analysis misses some entropy sources, but this should be sufficient to show that it is possible to fix this problem.