You could always ask first for a FLoC Id and then ask for the JS things, it's a dynamic language and there are always corss-domain redirects with tracing in url Id's.
Also some of them are very fundamental parts which are not at all thinks "you need to ask for". Like Chromium is a serve offender when it comes to accidentally providing unnecessary identifiable information. E.g. my Chromium user agent string is more identifiable then the Firefox one, the canvas fingerprints are way worse. There are additional attack vectors like list of plugins, some with names containing way to much information.
Also just combining things like Language + TimeZone + User Agent are probably enough to narrow down a FLoC group from multiple thousand to just a view hundred or even less users if you are not in the US/China/India.
(Or if you limit yourself to HTTP headers: user agent header + accept lang header + accept header + accept encoding header).
Also don't forget you have a fixed Ip address as long as you don't to VPN perma-bouncing.
IMHO all the "fixes" are trying to fix a massive hole with a few thin sheets of paper, i.e. at best it will look fixed, for a short moment. But it's not fixing anything.
Lastly this doesn't change the point that this basically makes sure Google stays in it's pseudo monopoly position. Tbh. independent of privacy this should be shut down by courts handling problematic monopolies.
The entropy budget is also supposed to cover other things, like user agents or canvas finger prints, such that if you've already asked for too much stuff, you're not getting those either.
I'm also not sure if it cna really work, but if we can't remove all identifiable information from the browsers, it seems like a good idea.
I don't know how well ip tracking works. Can you track most people on ip alone?
You could always ask first for a FLoC Id and then ask for the JS things, it's a dynamic language and there are always corss-domain redirects with tracing in url Id's.
Also some of them are very fundamental parts which are not at all thinks "you need to ask for". Like Chromium is a serve offender when it comes to accidentally providing unnecessary identifiable information. E.g. my Chromium user agent string is more identifiable then the Firefox one, the canvas fingerprints are way worse. There are additional attack vectors like list of plugins, some with names containing way to much information.
Also just combining things like Language + TimeZone + User Agent are probably enough to narrow down a FLoC group from multiple thousand to just a view hundred or even less users if you are not in the US/China/India. (Or if you limit yourself to HTTP headers: user agent header + accept lang header + accept header + accept encoding header).
Also don't forget you have a fixed Ip address as long as you don't to VPN perma-bouncing.
IMHO all the "fixes" are trying to fix a massive hole with a few thin sheets of paper, i.e. at best it will look fixed, for a short moment. But it's not fixing anything.
Lastly this doesn't change the point that this basically makes sure Google stays in it's pseudo monopoly position. Tbh. independent of privacy this should be shut down by courts handling problematic monopolies.