Killing Browser Fingerprinting

[Deleted member 9563]

. . . like language preferences or if you prefer to stay logged in. These bigger sites have advertisers who want to know the same thing, or slightly different, in their own way. Sometimes it sets what your device is so I can serve better pages for that. And on and on. . . .

In fact, the vast majority of sites don't do much more than that with cookies.

Don't do much more? For somebody who's threat model includes browser fingerprinting, that's probably already way over the top.

 

[shepper]

In fact, the vast majority of sites don't do much more than that with cookies.

These are the cookies I accumulated with one visit to www.nytimes.com. I did not click on any content and my browser core dumped as I scrolled to the bottom.

.imrworldwide.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent IMRID / Fri, 09-Mar-2018 00:52:41 GMT 0 0 X
.scorecardresearch.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent UID / Tue, 27-Feb-2018 00:52:43 GMT 0 0 X
Session + Persistent UIDR / Tue, 27-Feb-2018 00:52:43 GMT 0 0 X
markets.on.nytimes.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent 1977%5F0 / Wed, 09-Mar-2016 01:52:29 GMT 0 1 X
Session + Persistent GZIP / Mon, 08-Mar-2021 00:52:28 GMT 0 0 X
.nytimes.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent RMID / Thu, 10-Mar-2016 00:51:55 GMT 0 0 X
Session + Persistent optimizelyEndUserId / Sat, 07-Mar-2026 00:52:19 GMT 0 0 X
Session + Persistent optimizelySegments / Sat, 07-Mar-2026 00:52:19 GMT 0 0 X
Session + Persistent optimizelyBuckets / Sat, 07-Mar-2026 00:52:19 GMT 0 0 X
Session + Persistent NYT-wpAB / Thu, 09-Mar-2017 00:52:19 GMT 0 0 X
Session + Persistent __gads / Fri, 09-Mar-2018 00:52:28 GMT 0 0 X
Session + Persistent walley / Fri, 09-Mar-2018 00:52:37 GMT 0 0 X
Session + Persistent _gat_r2d2 / Wed, 09-Mar-2016 01:02:37 GMT 0 0 X
Session + Persistent WT_FPC / Fri, 09-Mar-2018 12:30:22 GMT 0 0 X
Session + Persistent __CT_Data / Thu, 09-Mar-2017 00:52:56 GMT 0 0 X
Session + Persistent WRUID / Thu, 09-Mar-2017 00:52:56 GMT 0 0 X
Session + Persistent NYT-mab / Wed, 09-Mar-2016 03:53:14 GMT 0 0 X
Session + Persistent adxcs / Wed, 09-Mar-2016 01:53:18 GMT 0 0 X
Session + Persistent nyt-a / Thu, 09-Mar-2017 00:53:52 GMT 0 0 X
.flite.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent __uuc2 /t Fri, 18-Mar-2050 14:29:51 GMT 0 0 X
cigawsloadbalancer-17715275.us-east-1.elb.amazonaws.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent SERVERID / Wed, 09-Mar-2016 01:52:33 GMT 0 0 X
.doubleclick.net

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent id / Fri, 09-Mar-2018 00:52:31 GMT 0 0 X
Session + Persistent IDE / Fri, 09-Mar-2018 00:52:31 GMT 0 1 X
wt.o.nytimes.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent ACOOKIE / Fri, 09-Mar-2018 00:52:57 GMT 0 1 X
.nytimes.activate.ensighten.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent uuid / Thu, 08-Mar-2018 00:52:44 GMT 0 0 X
Session + Persistent si / Thu, 08-Mar-2018 00:52:44 GMT 0 0 X
Session + Persistent ei / Thu, 08-Mar-2018 00:52:44 GMT 0 0 X
.voicefive.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent BMX_G / Wed, 09-Mar-2016 01:52:51 GMT 0 0 X
Session + Persistent UID / Tue, 27-Feb-2018 00:53:01 GMT 0 0 X
Session + Persistent UIDR / Tue, 27-Feb-2018 00:53:01 GMT 0 0 X
Session + Persistent ar_p346305802 / Tue, 07-Jun-2016 00:53:24 GMT 0 0 X
Session + Persistent BMX_3PC / Wed, 09-Mar-2016 01:53:25 GMT 0 0 X
.twitter.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent guest_id / Fri, 09-Mar-2018 00:52:50 GMT 0 0 X
pixel.keywee.co

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent sp / Thu, 09-Mar-2017 00:53:47 GMT 0 0 X
.tagx.nytimes.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent tagx-l / Thu, 09-Mar-2017 00:52:28 GMT 0 0 X
Session + Persistent tagx-s / Wed, 09-Mar-2016 01:52:28 GMT 0 0 X
Session + Persistent tagx-p / Thu, 09-Mar-2017 00:52:28 GMT 0 0 X
www.nytimes.com

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent _cb_ls / Sat, 08-Apr-2017 00:52:51 GMT 0 0 X
Session + Persistent _chartbeat2 / Sat, 08-Apr-2017 00:52:51 GMT 0 0 X
Session + Persistent flt.frq.man.620eb790-1067-449c-a884-0317de553a7b_L4bd01234 / Thu, 10-Mar-2016 00:52:54 GMT 0 0 X
Session + Persistent _sp_id.ddc6 / Fri, 09-Mar-2018 00:53:47 GMT 0 0 X
Session + Persistent _sp_ses.ddc6 / Wed, 09-Mar-2016 01:23:47 GMT 0 0 X
.nr-data.net

[ Remove All From This Domain ]
Type Name Value Path Expires Secure HTTP
only Rm
Session + Persistent JSESSIONID / Wed, 09-Mar-2016 01:53:03 GMT 0 0 X

I would wager that .nr-data.net, .twitter.com, pixel.keywee.co, .flite.com, .scorecardresearch.com and .doubleclick.net have nothing to do with providing me with a quality browsing experience.

 

[drhowarddrfine]

For somebody who's threat model includes browser fingerprinting

I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.

shepper As I think I said (but didn't look back to see if I did), big sites, such as the one you showed, have so much advertising associated with them, I'm not surprised but, again, it's for marketing purposes. No different than when you buy something from my little corner restaurant and I get your address or your local department store. I keep track of what you bought so the next time you come in I can market toward that. In fact, they did that to me when I was a kid in the 1960s and I bought something for my Dad for his birthday.

have nothing to do with providing me with a quality browsing experience.

Of course it might. Maybe you don't get brassiere ads anymore but you do get ads for fishing gear like the one you were searching for on Amazon yesterday. Or you won't, at least, see the same ad over and over again.

If nothing else, it might show the NYTimes that you, along with thousands of others, don't care about visiting certain pages. Then those pages get removed from their site due to a lack of interest.

And don't forget that you don't have to login and the site saved the last page you were reading you're welcome very much.

That's what cookies are used for. And more creative things which I can't recall at the moment. Meh. So, what? Me, worry? No.

 

[Deleted member 9563]

I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.

"Fingerprinting" is in the subject title, and "threat model" is a security term. (see here)

For a quick sense of the range one might consider in a browser have a look at the Tor browser privacy and security settings.

 

[drhowarddrfine]

OJ I know what they are. I thought you were talking about some specific person or article.

 

[protocelt]

I block all cookies and most javascript most of the time with a few exceptions. Both can be convenient and useful to both users and websites but can also be used maliciously. Besides that, my online browsing habits are really none of anyone's business. That said I do understand their use and am not against that as long as I have a choice in blocking them.

As far as fingerprinting itself, my understanding is it's almost impossible to do fully though admittedly it's above my knowledge level.

 

[shepper]

As far as fingerprinting itself, my understanding is it's almost impossible to do fully though admittedly it's above my knowledge level.

Actually, I think it is currently being done. The same NYTimes site I referenced provides viewing of 10 free articles/month. Exceed 10 and a javascript, to pay a subscription, materializes over the content making it unreadable. In xombrero, I can delete all history, cookies, change the user agent and delete ~/.xombrero. After doing all that, my article tally does not change.

Edit: Toggling javascript off in xombrero and the subscription window, that obscures the content, is closed and the content becomes readable. If I then fire up my Debian system and look at the NYTimes with Iceweasel, I will also have a new article tally.

 

[ronaldlees]

I haven't a clue what you are talking about. And "fingerprinting" always sounds to me like link bait versus reality.
...
shepper No different than when you buy something from my little corner restaurant and I get your address or your local department store. I keep track of what you bought so the next time you come in I can market toward that. In fact, they did that to me when I was a kid in the 1960s and I bought something for my Dad for his birthday.
...

It's always a matter of who's ox is being gored. Dr Howard is in the biz, so would have an opinion that leans towards what he perceives is necessary to make biz sites work.

I feel my ox gets gored in a couple ways. The first, and most obvious way, is that they "take" my address from me. I don't voluntarily give it to them. In Europe, "not taking" someone's particulars is called "opt-in" while in the US "taking" the particulars is called "out-out". I think the US needs to implement some of those EU legislation bills relative to "opt-in".

It's not really the same as handing over your address in the department store.

 

[protocelt]

Actually, I think it is currently being done. The same NYTimes site I referenced provides viewing of 10 free articles/month. Exceed 10 and a javascript, to pay a subscription, materializes over the content making it unreadable. In xombrero, I can delete all history, cookies, change the user agent and delete ~/.xombrero. After doing all that, my article tally does not change.

I was under the impression that fingerprinting also encompassed browser uniqueness as well. Is that not the case?

 

[ronaldlees]

It's true that if I know all the technical details, I can make the browser refuse to cooperate with the "taking" of my address, ID number ... fingerprint ... or whatever else you want to call it. Disabling javascript in some browsers is neither obvious or necessarily easy (especially for the 99 percent). So, if some archane configuration is needed to "opt out" - that is not good enough from my perspective. In the US, not only do we have "opt out" but we often make that nearly impossible for regular folks to do.

So, it's like saying it's OK to swipe your address/ID number/etc from your pocket, because you didn't button the flap.

While it may be true that you have accepted this situation, if you follow the "legal terms" link, or some such, but an indirect, fine print disclaimer is often disqualified in contract/biz law, etc. This part of the problem is really on the browser end, rather than the site end, because when you go to a site you're presenting what you present, in public. So, the legislation would involve browser makers. We might say the browser vendors make it too easy to leave the pocket flap unbuttoned.

 

[Deleted member 9563]

This part of the problem is really on the browser end, rather than the site end, . . .

I agree that browsers could do a lot to help here. That said, the Tor Browser seems to do that quite nicely. It's simply a version of regular Firefox which is adapted to privacy needs and comes with Tor already. It installs like any other browser with a click or two. The browsing experience is pretty normal with the security slider set to low, which is the default.

 

[ronaldlees]

I agree that browsers could do a lot to help here. That said, the Tor Browser seems to do that quite nicely. It's simply a version of regular Firefox which is adapted to privacy needs and comes with Tor already. It installs like any other browser with a click or two. The browsing experience is pretty normal with the security slider set to low, which is the default.

I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites. Additionally, you're routing your traffic through the nether regions of the world, potentially. Are the nether regions better? Good question.

I think the term "swipe" in my previous message is a bit harse. Of course, if you leave the pocket flap open, it's possible to say that you're making some of your info public (since it's easy to see the edge of the VISA card, and know you're a VISA user). But, getting a fingerprint, in my mind is more like scanning a person with xrays, in the sense that much more effort is then applied to ferret out a way to subsequently identify a patron. The bottom line though, is that the patron probably doesn't realize the pocket's not buttoned, and his underwear is showing. This may be because of his posture in life.

 

[shepper]

But, getting a fingerprint, in my mind is more like scanning a person with xrays, in the sense that much more effort is then applied to ferret out a way to subsequently identify a patron.

To me the wonder of the Internet is that it allows one to quickly gather information. I'll date myself by remembering when I went to the library, with a pack of 3x5 cards and manually searched for relevant articles. Even though I now search for information from home, I feel like I'm wearing an ankle bracelet or being shadowed. I wonder if it matters that I read content written by Glen Greenwald at theintercept.com?

 

[drhowarddrfine]

Most of the fingerprinting stuff is inocuous. I don't know what's to be lost in that. As far as getting your address, I assume you mean IP, it must be known to respond to you, as you know, so how do you get around that. If by using Tor, then you are putting everything you do in the hands of untrusted people.

 

[Deleted member 9563]

I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites. Additionally, you're routing your traffic through the nether regions of the world, potentially. Are the nether regions better? Good question.

No idea what you mean by "nether regions". It sounds like a pejorative. If, by chance, you're interested in Tor here is the description. There's a FAQ here.

Most of the fingerprinting stuff is inocuous. I don't know what's to be lost in that. As far as getting your address, I assume you mean IP, it must be known to respond to you, as you know, so how do you get around that.

I agree that most fingerprinting is indeed innocuous. Although I use a VPN for most regular on-line use I can be easily traced through the server anyway. I have basically no anonymity except for IP as a website would see it. I'm not too worried about me as an individual. Few people are easier to find on the net. However, there are some principles that are important to me and which relate here. It only takes one bad actor to make ubiquitous tracking worth avoiding. I'm not the least bit concerned about the way you do it with your websites - seems fine to me - but the fact that www users can be surveilled using these methods (and taking advantage of the whole framework) makes me want to minimize the effectiveness of that.

If by using Tor, then you are putting everything you do in the hands of untrusted people.

Trust, of course, is a central subject in security. Most of the web does a very poor job of addressing trust and generally only does so minimally through the use of certificates. Tor considers the trust issue much more comprehensively by using a model of distributed trust. I'm sorry, but to just refer to putting "everything you do in the hands of untrusted people" sounds like a slur to me. There's a lot of easily digested information in the TOR FAQ, but this paper by Roger Dingledine is a bit more academic.

In all, I highly recommend that people actually study the workings of Tor before making off the cuff or pejorative comments about it and its use. Nevertheless, my earlier comment about using the Tor Browser was not meant to be a recommendation of Tor itself, but rather to point out that the Tor Browser being simply a recent version of Firefox could likely easily be replicated without Tor support for the purpose of having a browser which makes privacy issues easy to manage for a casual user simply by moving a slider.

 

[Maxnix]

I don't know how much I'd trust Tor beyond just obscuring my fingerprint from (relatively) benign sites. Additionally, you're routing your traffic through the nether regions of the world, potentially. Are the nether regions better? Good question.

For what I know, obscuring fingerprint is peculiarity of the Tor browser itself (being a modified version of the official firefox) more than the Tor network.
That said, you are right about routing the traffic through possibly untrusted regions; and if perhaps you may not care about relays, you should about Tor exit points. Indeed, even if using Tor, it's important to use https for browsing.
Here an infographic from the EFF.

 

[getopt]

If by using Tor, then you are putting everything you do in the hands of untrusted people.

You miss the point. People better should think about the whole Internet as an area of not trustworthiness. Depending on who uses an Intranet and how it is separated from the Internet you may have similar problems even there.

Tor is designed for anonymity and really nothing else. And this feature Tor covers pretty well. When you are using Tor you need to encrypt from end to end. And encrypting is clearly the task of the user himself.

Trusting in the Internet is not always a wise behavior. In fact it is a big problem as the quality of trust can only be evaluated in hindsight.

 

[getopt]

For those interested in Internet-related fingerprinting here is some stuff for reading:

The paper "FPDetective: Dusting the Web for Fingerprinters" (PDF) describes the first comprehensive effort to measure the prevalence of device fingerprinting on the Internet.

https://www.cosic.esat.kuleuven.be/fpdetective/

The Web never forgets: Persistent tracking mechanisms in the wild is the first large-scale study of three advanced web tracking mechanisms - canvas fingerprinting, evercookies and use of "cookie syncing" in conjunction with evercookies.

https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html

Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html

I do know, that those who are talking here about fingerprinting like "So what? I do not care" probably won't study it. And even more probably they won't stop talking like they did before.

 

[ronaldlees]

No idea what you mean by "nether regions". It sounds like a pejorative. If, by chance, you're interested in Tor here is the description. There's a FAQ here.

Sorry. "Nether regions" came through my syntax checker erroneously, and conveys an entirely inaccurate thought. I meant what MaxNix said. Anyway, who knows? Poor third world countries have less money/resources/technology to waste on tracking my many trips to forums.freebsd.org, so may in fact be less likely to engage in certain types of surveillance.

Overall, I think I must agree with the quote Maxnix used, apparently attributed to Theo de Raadt:

The world doesn't live off jam and fancy perfumes - it lives off bread and meat and potatoes. Nothing changes. All the big fancy stuff is sloppy stuff that crashes. I don't need dancing baloney - I need stuff that works. -- Theo de Raadt

Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category, and that includes what's in the Tor bundle. I haven't looked at any code, am sure that I can't really have an opinion about whether or not any of it is "sloppy" - and I'm sure the applicable parties work very hard to make it all nice and tidy. It's a tough job, no doubt.

There is a common thread among the legendary software personalities of the stratosphere ... De Raadt, Stallman, etc. They all are engaged in a seemingly futile battle to use the most simple technology, that which is more easily vetted for problems, to do ordinary tasks that the commercial world tries hard to keep them from doing (via the use of that simple technology). On the RMS site, IIRC - there was a blurb about that particular person of legend, and his preferred browsing and email reading technology (all text browsers, text mode stuff, nothing fancy at all).

By my reckoning, they all have "too much knowledge" and (seemingly) little trust in the software that the ordinary mortals use (the 99 percent). Or, maybe they just like it simple. Like me.

 

[drhowarddrfine]

You miss the point.
...
Trusting in the Internet is not always a wise behavior.

Well, you're missing my point. When you visit a site, you generally know what you're getting into. With Tor, you have no clue who's handling your traffic and if they're doing anything with it. Not a slur, as OJ stated earlier.

Many, here, are showing concern about using the internet cause there are bad people out there. There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on. The internet doesn't know anything more about you than you tell it. Knowing which browser you use and OS isn't saying anything worthwhile.

I am more concerned about making sure who I am communicating with is who they say they are than someone knowing something about me randomly just by surfing the web.

 

[Deleted member 9563]

Sorry. "Nether regions" came through my syntax checker erroneously, and conveys an entirely inaccurate thought. I meant what MaxNix said. Anyway, who knows? Poor third world countries have less money/resources/technology to waste on tracking my many trips to forums.freebsd.org, so may in fact be less likely to engage in certain types of surveillance.

I don't think that the location of who is doing the surveilance is important. Both five eyes and major western commercial concerns make profiles based on information gathered on the whole net. FVEY has direct taps in many places.

Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category, and that includes what's in the Tor bundle. I haven't looked at any code, am sure that I can't really have an opinion about whether or not any of it is "sloppy" - and I'm sure the applicable parties work very hard to make it all nice and tidy. It's a tough job, no doubt.

The Tor bundle is deprecated. Please don't use it.

Tor is a very sophisticated piece of software that was started in the 90s by the United States Naval Research Laboratory and a lot of money has been put into it. Look into how it works and you'll be amazed.

 

[Deleted member 9563]

Well, you're missing my point. When you visit a site, you generally know what you're getting into. With Tor, you have no clue who's handling your traffic and if they're doing anything with it. Not a slur, as OJ stated earlier.

Why does it matter who's handling the traffic?

Many, here, are showing concern about using the internet cause there are bad people out there. There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on. The internet doesn't know anything more about you than you tell it. Knowing which browser you use and OS isn't saying anything worthwhile.

Anything is "worthwhile" because when you put it together it associates you with your history and you do become an individual by simply running a targeted search. Surely you've read about the processes which Snowden has detailed, but you will note that Google and Facebook have similar capabilities.

I am more concerned about making sure who I am communicating with is who they say they are than someone knowing something about me randomly just by surfing the web.

Fair enough, but surveillance is not usually a matter of individuals being targeted but rather information on everybody being gathered. How that information is processed now is not the only issue.

I think the OP was interested in not having his browser identified and had pointed out how this and related information makes him unique. Whether one is against mass surveillance or not is a personal choice that someone should be allowed to make and I can't see an argument for making it mandatory.

PS: Tor solves the browser identity problem by having all users appear alike. This is a solution they adopted after much research into the problem.

 

[Maxnix]

ronaldlees,

apparently attributed to Theo de Raadt

Yeah, it's him. You can read the full article here (it's a bit dated, but the meaning have not changed): http://www.itwire.com/opinion-and-a...onthly-releases-openbsd-shows-the-way?start=1

Outside of Netsurf, major graphical browsers are in the "big fancy stuff" category

Right. Seem that including more and more functionalities (at any cost) is the main aim (even if I would save even Opera. At least I find it less bloated than others). But perhaps it's just my perception.

and that includes what's in the Tor bundle.

I don't know if it can be defined sloppy, but ,at least in my experience, generally Firefox is becoming more nad more heavy and resource consuming.

By my reckoning, they all have "too much knowledge" and (seemingly) little trust in the software that the ordinary mortals use (the 99 percent). Or, maybe they just like it simple.

IMO both. After all, how I said before, including more and more seem the only important thing.

drhowarddrfine,

The internet doesn't know anything more about you than you tell it.

Well, this is not always true (or can be referred to data explicitly submitted by the user). Websites can collect more infos about who visit them than users may want or know. The last link posted by getopt explains it very well:

Those using Tor might be interested in the following, as fingerprinting is a method attacking anonymity:
http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html

There are of course even sites that use such technologies only to offer a better experience, but before really trusting a site I would be very careful.

 

[getopt]

When you visit a site, you generally know what you're getting into.

Really? I have to admit, that I do not have such capabilities.

First of all you have the right to say such sentences as it is protected by Freedom of Speech and is a matter of dissent and truth.

Your sentence might be the description of your honorable perception, but ...

... what can been known ex ante?
... "generally knowing" is a really big word!
... undercomplex models provide a limited reach of findings

Let's take an example for a restaurant owner:

A customer is going to pay the bill you presented to him.
He is giving you a piece of paper that looks like a hundred Dollar note.
Do you generally know what you are getting?
And what about smaller Dollar notes? Can you ever be sure?

Now don't come across saying this is a wrong example. It was you presenting this:

"There are bad people walking down your street, too, but you don't cloak yourself before going out your door, cover up your street address, and so on."

Remember we talk about security aspects. Shared basic knowledge in industry is that 100% security simply cannot be achieved, as one can generally never know. But risks can be minimized by taking appropriate steps.

 

[drhowarddrfine]

getopt Your examples only prove what I was saying in my quote. Yes, people know what they're getting when they exchange money with a restaurant they are visiting. Yes, sometimes things go wrong. No, hardly anything ever goes wrong.

In your first sentence, you seem to be saying that if you visit Amazon to browse for books, you have no expectations of how that will turn out. I find that strange. (And my point is that your expectations are more predictable than if you visit Joe Death's Meth Emporium.)