The font is used by the TeamViewer website. When inviting a partner to a TeamViewer session, one can do so by sharing the invitation URL.
The invitation URL looks like this (where XXXXXXXX is the session code):
https://get.teamviewer.com/v15/en/sXXXXXXXX
The website will check if a TeamViewer font is installed (using JavaScript). If the font is found, the website assumes that TeamViewer is installed. The TeamViewer installer also registers a protocol handler in the operating system.
The website (JavaScript code) will thus try to launch TeamViewer directly using a URL like the following:
teamviewer8://instantsupport/?sid=XXXXXXXX
Otherwise, if the font is not found, it will prompt the user to download and install the TeamViewer application.
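The flow described in the post above, sketched as an added example (not part of the original post and not TeamViewer's code). The font name `ExampleVendorFont`, the function names, and the alphanumeric session-code format are assumptions; text measurement is injected so the logic runs outside a browser.

```javascript
// Added example. Hypothetical names: ExampleVendorFont, isFontInstalled,
// chooseAction, makeFakeMeasure. Only the teamviewer8:// URL shape is from the post.
const GENERIC_FALLBACKS = ["monospace", "serif", "sans-serif"];
const PROBE_TEXT = "mmmmmmmmmmlli";

// measure(cssFontFamily, text) -> rendered width in px. In a browser this would
// wrap canvas measureText(); it is injected here so the logic runs offline.
function isFontInstalled(fontName, measure) {
  // A missing font silently falls back to the generic family, so the width
  // matches the baseline. Three baselines guard against one coincidental match.
  return GENERIC_FALLBACKS.some((generic) => {
    const baseline = measure(generic, PROBE_TEXT);
    const probed = measure(`"${fontName}", ${generic}`, PROBE_TEXT);
    return probed !== baseline;
  });
}

// Decide between the protocol-handler launch and the download prompt.
function chooseAction(sessionCode, fontName, measure) {
  // Assumption: session codes are alphanumeric; reject anything else before
  // it is placed into a URL handed to a native application.
  if (!/^[A-Za-z0-9]+$/.test(sessionCode)) {
    throw new Error("invalid session code");
  }
  if (isFontInstalled(fontName, measure)) {
    return { kind: "launch", url: `teamviewer8://instantsupport/?sid=${sessionCode}` };
  }
  // A missing font only means "not detected": the font may have been removed.
  return { kind: "download" };
}

// Constructed stand-in for browser text metrics (widths are made up).
function makeFakeMeasure(installedFonts) {
  const genericWidths = { monospace: 130, serif: 97, "sans-serif": 104 };
  return (family) => {
    const [first, generic] = family.split(",").map((s) => s.trim().replace(/"/g, ""));
    if (generic === undefined) return genericWidths[first];
    return installedFonts.has(first) ? 111 : genericWidths[generic];
  };
}

const withApp = makeFakeMeasure(new Set(["ExampleVendorFont"]));
const withoutApp = makeFakeMeasure(new Set());
console.log(chooseAction("12345678", "ExampleVendorFont", withApp));
console.log(chooseAction("12345678", "ExampleVendorFont", withoutApp));
```

Because the result depends only on what the browser renders, the same check returns the same answer on any origin, which is the cross-site concern raised further down the thread.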
This is the benign explanation I was looking for. It's a clever hack for providing a good user experience for the person who's receiving remote support, who can't be assumed to be computer-savvy.
Of course, it would be better still if there was a standard way of setting up specific URL patterns under specific domains to automatically launch an associated desktop app if that app is installed. iOS can already do this through the "/.well-known/apple-app-site-association" URL on the domain. It's why Zoom and Teams links, when opened on an iOS device, always go straight into the native app once that app is installed.
Edit to add: BTW, the file at the well-known Apple path also gives me a way of detecting a Zoom invite URL in one of my own products, even though Zoom URLs can have custom domains.
> Of course, it would be better still if there was a standard way of setting up specific URL patterns under specific domains to automatically launch an associated desktop app if that app is installed.
The "PWA" standard for "/.well-known/apple-app-site-association" is "related_applications" [0] in the Web App Manifest standard and specifically here where "prefer_related_applications" [1] is set to true.
Interesting. Based on your comment, I did a quick check and only Zoom gives a valid response. The parent domain for Microsoft Teams doesn't seem to respect the convention.
Heh, I've never used Teams before so when I did a few searches I got sent to www.microsoft.com and office.com. None of the links on page 1 and 2 of the SERP led to teams.microsoft.com.
Good find. Disproves the "only useful for web fingerprinting". It's also useful to their users for a fairly common flow.
Don't assume malice, but do consider side effects of your decisions.
This does add an extra bit to web-fingerprinting; it's only 1 bit. Someone intentionally trying to add fingerprinting could do much more malicious things. Unique font names or a uniquely generated font with varying letter widths could completely de-anonymize a user. This seems scoped to identifying TeamViewer users, not identifying/fingerprinting individuals.
This is still web fingerprinting. They are using this, specifically, for fingerprinting. They don't care about the font; they care about being able to spot TeamViewer users in a crowd. The only difference here is it's being done for a beneficial purpose. "TeamViewer installs font only useful for web fingerprinting" is absolutely true; only the word "suspicious" is untrue because now we know what it's for.
Fingerprinting requires there to be a purpose of identifying an individual device, and is done by collecting multiple data points that in aggregate are a unique combination.
Just knowing you have a font or TeamViewer, like just knowing your IP or viewport size, isn't fingerprinting your device.
They may not be baking a cake, but they have all the ingredients to bake a cake. They also give everybody else who is currently baking a cake an additional ingredient.
You don't get to call a thing something it isn't simply because you don't like that thing.
The action of taking your fingerprint to identify you is fingerprinting. Providing you a handrail without a purpose of identifying you, even though it happens to take your fingerprint for anyone else, is not fingerprinting. Changing your fingerprint is not fingerprinting.
This is an abuse of a technology with more harm than benefit if you ask me. Calling it "fingerprinting" is still a category error.
Repeatedly claiming something doesn't make it true.
Here's what the Electronic Frontier Foundation says about fingerprinting.
"""Digital fingerprinting is the process where a remote site or service gathers little bits of information about a user's machine, and puts those pieces together to form a unique picture, or "fingerprint," of the user's device"""
Here what TeamViewer is doing isn't fingerprinting. It's not combining unrelated bits of information to uniquely identify a user/computer. It's looking at literally one bit of information to identify whether the current non-uniquely-known user is in a -large- group or not, the group of "computers with TeamViewer installed".
It can be claimed that this is adding to the bits that can improve a third party's ability to uniquely identify a user/computer, but that's a different claim; that's not what TeamViewer is doing.
That’s why this attempt to stay anonymous — or even more ambitiously, prevent metadata from being aggregated to reveal mass patterns among many users - is useless.
Eventually, everything will be collected using an actual use case — contacts, photos etc. — and the AI will process it and make deepfakes of anything.
We won’t be able to trust any video evidence. The future is about watermarking and signing stuff using your own private keys. And even then, someone can just announce their private keys somewhere and have plausible deniability after that. Too many such renunciations though would be suspicious.
The world is going to be as unfamiliar to us, breaking enough of our assumptions, as when people didn’t know about gramophones and televisions and instant communication, assuming that it would take time for a messenger to get a message out. Today we expect a ton of info to flow over always-on connections. Similarly our assumptions about identity and privacy and democracy are going to be totally smashed by AI and bots soon.
Swarms of bots using GPT-4 and deepfakes will be able to drown out the vanishingly tiny amount of information that all the humans writing online produce, and adversarial networks will make them far more effective at convincing a crowd of humans that X event happened or to support Y policy, or even rewrite history and science. The same way that AlphaZero defeated AlphaGo which defeated human players, because it had far more combinations than all humanity combined did, and then downloaded the learnings to each node (Leela and others do the same).
All that is missing is decentralized swarms of bots, that have no single point of failure, and can update their weights autonomously.
I will go even further and say that CAPTCHAs will become irrelevant. Humans won’t be the primary economic actor for online services, because botnets will control far more capital and everyone will do some work for a botnet, such as being a caretaker etc. No one will even know or care who is giving the assignment or writing to them anymore.
The sad part about this is that botnets based on GPT3 and deepfakes are simply bullshitters that don’t understand things like Cyc — they literally throw bullshit at a wall and see what sticks. It’s sad but this will collectively outperform collective human reasoning at convincing humans because ALL our systems are vulnerable to be subverted that way.
No. I posit humanity has never left a glass half full.
Just wait for the deepfakes to utterly destroy video as a means of common representation of reality when it crosses the threshold of too often faked to be generally believed without independent attestation.
And even then people will question subconsciously.
A side effect is that it allows anyone running a website to build a database of TeamViewer installs behind IP addresses. If there was a TeamViewer security issue, that database could be useful.
Yes, this key point is missing from the rest of the discussion.
_Any_ website can tell whether or not you have TeamViewer installed. Ad networks could theoretically target you based on whether or not you have TeamViewer installed.
I’m not assuming malice, but it’s a much bigger privacy hole than just increasing fingerprinting by a few bits.
Precisely my thoughts, though I think this is more problematic than simple, nefarious malice.
Sometimes it is the case that no one behind the decisions is being malicious - e.g., perhaps just trying to accomplish a task at hand on a tight timeline.
As such, the default in today's society, where we are more or less 'on our own' on this issue, should be to assume that even while that vehicle over there is indeed about to plow into the crowd, there is often no one behind the wheel.
We should default to an even more suspicious approach.
It's technically more than one bit, as it has a different version of the font for each major version of TeamViewer. So there are several different fonts TeamViewer may have installed depending on when you installed it.
The fact that some corporations and governments are guilty doesn't mean they all are. And the fact that they're guilty of some things doesn't mean we should assume they're guilty of others. It's no different than with people; corporations and governments are made of people, after all.
Besides, the constant negativity is just exhausting for all involved. I'm glad intellectual curiosity won out on this thread, at least for now.
The world is, to some extent, what we make it. If we're going to make it better, we can't give up so completely; we have to have hope that the world can be made better, and that we're not alone in trying to do so. That's why I choose to assume that the TeamViewer developers are merely trying to make the best of the constraints they're working in, i.e. no proper way for a website to determine whether the custom protocol handler is already installed. In their situation, I would probably be forced to do the same thing, and I wouldn't appreciate such negativity. I assume you wouldn't either.
It would be totally sufficient to use the protocol handler. You also cannot be sure TeamViewer is not installed, just because the font is missing. The user could use an older version that does not include the font, or could have removed the font manually.
But can JavaScript check whether the protocol handler is installed? Or can it only attempt to use the protocol handler, then give the user if-then-else instructions to manually handle the case where it's not installed? Remember, a remote support product has to assume that the user receiving support doesn't have the knowledge or energy to go through a complex setup process, which is presumably a digression from whatever problem they were having in the first place.
It cannot. Enumerating protocol handlers is actually an excellent fingerprinting technique. That’s why platforms like iOS for instance forbid it, or you have to explicitly specify which ones you’ll query (see: https://developer.apple.com/documentation/uikit/uiapplicatio...).
> The user could use an older version that does not include the font
TeamViewer versions are not backwards-compatible.
> It would be totally sufficient to use the protocol handler
The error when it's not installed could be confusing to the user. Remember this is a remote support product, you must assume the user is not tech literate. You must also assume the user is on IE5 or something.
This could very easily be justified as a functional cookie.
Honestly if this could only be detected from TeamViewer-owned domains it would be basically a non-issue. The more concerning bit is that this can be used to build a cross-site fingerprint.
The 2009 ePrivacy directive, also known as "Cookie law", speaks of "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user".
GDPR is concerned with all personal data processing; cookie or not is even more irrelevant to it applying.
That is a great idea, generate a font on the fly with the info you need and you have your alternative cookie. Question is, do you have to treat it as a cookie?
Clever, but still not an acceptable use of a font. There are very valid security reasons why browsers don't advertise installed software. Using a font install for reasons unrelated to having a font is still not a valid use case, even if the goal is a smooth UX.