
What about virtualization? It seems to me that something like Qubes might not at present protect against this (I don't know what information is available to guest/isolated domains on that system), but could be made to? One can easily lie to a browser about battery status and fonts from the OS too, for example.

I guess my point is that it depends on what you view as pathological? I surmise that this is the kind of thing that needs an algorithmic countermeasure, such that systematic deception by user agents is no more difficult for the end user than browsing the web is currently.



It's very difficult to prevent side channel thumbprints—something as simple as traceroutes, wifi hotspots, caches (DNS, routing) can be uniquely identifiable. Add on top of this biometrics like how you type, how you move your mouse, etc, and it becomes very difficult to avoid concerted tracking efforts.

Of course, if you're not pissing off state actors, you're probably fine with Qubes/Tails.


if you're not pissing off state actors, you're probably fine

Thank you, this seems to be a point that is often ignored. Most of us don't need to hide our trail from a full wing of CIA analysts, just drive-by snooping and the like. (It of course doesn't help the Snowdens of the world.)


I usually prefer to think of the middle case: someone with a grudge against me, who would love to blackmail me if they could get the dirt, and who has money to hire some blackhats and buy some zero-days and set up spear-phishing—but who doesn't actually have any access to the things that states get by default by sending fancy letters with Important Signatures.

It's interesting to work through the case of an absurdly rich private actor, because it works out differently for different companies; for some, they can just get a "man on the inside" to leak out your data easily enough, while for others (e.g. Gmail) the employees themselves aren't trusted to access user data, and have been firewalled/ACLed away from it to prevent just such intrusions. State actors get pretty much the same "help" from every service (save for the rare Lavabits of the world) but corporate actors get a rather unpredictable response landscape.


Presuming you are being pursued by a state actor, isn't using a computer at a library or Internet cafe enough to thwart most of that? Especially if you're using asynchronous store-and-forward protocols like NNTP or Freenet, where you can be long-gone from wherever the computer you used was, before anyone else ever sees "your" activity.


I remember at least one security expert commenting that if he ran an actual attack, his precautions would be "sitting in a computer lab using a stolen library card". Physical anonymity is by far the best cure for some of these things.


Very interesting list, thank you. I will have to read up on this subject in greater depth.


Qubes VMs cannot get the battery state. Assuming that the user didn't install custom fonts, the font list should be the same across all the installs.

I think Qubes closes most of the low hanging fruit in this space, but completely preventing fingerprinting is very hard and there are probably ways to leak identifying info.



