As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
They will fuzz your uniqueness into a profile no matter how many times it changes. There’s enough there to identify you based on your fingerprint and behavior.
right, but it is most powerful if they can combine unique fingerprint with identity fingerprint via login over time, so as to build up a long term behavioral profile. Identity is not good enough because you will sometimes not be logged in, fingerprint via uniqueness may not be enough because your behavior may change in different environments.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
”NVIDIA Corporation” is a rare vendor because most browsers (Chrome, Edge, Firefox on Windows) use ANGLE and will report ”Google Inc. (NVIDIA Corporation)” as a vendor.
Basically, ”NVIDIA Corporation” means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
Hn referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking various statics of sales, upgrade cycles, etc there are probably at between 500k of 1million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro)
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are langauge, time-zone, font-size, light/dark preference. There's isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the Eff's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.
That results in different nanosecond ranges of performance, for your canvas.
It is lie. They're making up stuff to spin their position
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particlar. They don't produce different results
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
>That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (ie. it varies between devices of the same model) actually exist?
Have you bothered to look, yet? It's been in use since 2012. Responding to specifics, when someone is acting out of bad faith, isn't generally a good idea. But fine.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveilance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
Not really.
They can‘t see a list, as navigator.plugins is dummy data in every major browser, but they might able to detect eg. Adblockers by other means
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are broswer mitigations against font enumeration for fingerprinting.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Also TCP timestamp if the network stack doesn't apply a randomized offset. As of 4.10 Linux added randomization; no idea about others.
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymizat...
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display
Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
>"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefor, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
>But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it. //
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
I wouldn’t claim to not notice ads. Especially ads that interrupt videos. I remember quite a few of them. But, even the ones that are initially a little amusing become annoying with repetition, and what initially seemed mildly amusing instead seems just stupid.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
Personally, I block them. But the people running these programs think they can get all of us. They don't seem to understand that the harder they try the more they piss off people like me. Meaning I'll put in more effort to circumvent or poison their data, making them spend a disproportionate amount of money on people like me. At this point I don't they'll give up, so let's find out who can live the longest. The number of people on my side are growing
I'm with you, but my take is that advertainment only scales big, so we are mostly collateral noise to the designers who have to balance many different factors, the main one bieng that the market they have brainwashed is as a result, fickle, and insists on bieng entertained, with most of the work force in advertising also consuming the product in a world of always almost, never quite satiated quest for the something™ that will get them off the treadmill.
The very fact that anything imaginable is availible, anywhere, right now, up front, delivered ,only highlights the sameness of it all, where the tracking and fingerprinting results in people buying whatever they glanced at,casualy and inocently, but now own some glitzy cheap, likely broken facsimily, and are now under intense pressure to buy another one.
So advertainment gives it's reek of edgy mindless frustration to the whole world.
So ya, turn off scripts and storage, run some blockers, and remember to be nice to all the people actualy helping and doing things in the real world.
Sure but it's about pareto efficiency. How much do you capture? It's a percentage. But you have to spend infinite resources to get to 100%. They just see number go up...
Ads definitely have an effect on me: the more intrusive they are, the more I remember them and tend to not buy that product and ignore the company altogether.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists vor various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden longtime costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper west is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
Every person says this too, but it ignores the diversity in types of people. I know somehow who happily watches ads and makes purchasing decisions off it. I ignore them and do not. I don't believe I am being manipulated by the ads. The companies choose to advertise to target other people, and they lose money serving ads to people like me. But it's still a net win for them.
I stopped drinking soda this year and alcohol years ago. If you consumed any heavily advertised product this year, then you can't say ads don't work. Including products like Cursor.
I mean, ads work same way those obnoxious Mr Beast faces in thumbnails work: I never click on any video like that, but they obviously work for attracting a general public. It's even kind of funny how aggressively the algorithm tries to push them to me: if I were to anthropomorphize it, I'd say it's palpable its desperation to drag me to a popular cluster
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
On iPhone check out Orion browser. Blocks ads, even on YouTube. Though sometimes video quality goes low (manually set it higher to fix). Firefox focus also works, but only one tab
If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Brave is also extremely effective at removing ads while keeping websites functional (including YouTube). It even has some fingerprinting protection. (and before someone complains, you can disable all the crypto stuff)
Sure but personally I'm against recommending different flavors of chrome. Brave is a nice idea but it still gives undue power to Google because at the be of the day, they control chromium. It also makes a hard problem for chromium reskins as they keep finding things chromium can use to track their users...
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
Not sure about US, but Indian ISPs are doing this already to conserve IP space given huge userbase. In theory it would work similar to how a NAT gateway works for outbound communication. Skan + geo would be hard nut to crack in India.
In UK I'm now on FTTP but even on ADSL the house would have an IP address that normally stayed constant until a router reboot. This seems to be pretty common in the UK. Probably on cable internet (and on mobile ofc) you get NAT-ed but I've never had that.
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Assuming an ext-IP (60k ports) can easily represent 100 household if we statically assign ports. Given CGNAT with dynamic port allocation this can easily go up to 5x? That's wildly inaccurate given the core problem is to "target" a small set of users which is based on this geo info. Not sure how well this elephant sits in a room full of engineers solving this specific targeting problem.
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
I think you’re thinking that the fingerprint is reported as a single hash (e.g. SHA512) of multiple attributes, which would of course change if a single bit was different. But there’s no reason they would be reported that way. It could be (and probably more likely) a big data structure of all the values. It would be easy to see that only a few things changed.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> then Google used anticompetitive practices to squash it
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
All the front-end devs I knew at the time switched to Macbooks after the Intel switch, because you could get a Unix-based machine that could run Safari and Firefox natively, and Internet Explorer in a VM. Chrome wasn’t even released at that point.
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
I think it's pretty debatable that Chrome is currently better, but you're definitely correct. When Chrome first debuted (and for years afterwards) it was clearly superior to Firefox.
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Because the users of web browsers expect compatibility. If one vendor unilaterally decides to stop supporting some browser APIs, the result isn't better privacy. The result is that people switch to other browsers.
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
2. is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for useragent. with JS disabled (best practices for tor) it's even worse. maybe this works for windows users?
(debian, latest tor browser 14.5.3, no modifications)
If you have Firefox with "resist fingerprinting" enabled then you are feeding it some dummy data. People worry about the fact that this might make you "unique," but fail to grasp that if you look differently unique every time you're not necessarily identifiable.
I think its matter of "least common denominator" as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them) but its the same dilemma as with chrome, the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
At one point, Firefox (3.5 specifically) was #1, for a brief moment:
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows own biases about academia vs industry more than anything else.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
Tracking pixels aren't for fingerprinting, they're just regular tracking. You can block them fairly easily (just block the 3rd party request to the known tracker). Fingerprinting is a lot more difficult to detect and prevent. Companies claiming they reserve the right to do it is a good reason to take precautions, but without insight into what is actually being done, that's hard to effectively do (without resorting to blocking all possible vectors, like Tor Browser).
Aren't the companies who say they're doing this actually selling these capabilities to others? So it's in their interest to pretend to be able to do more / better than what they actually can do. Especially when the clients have little capability to verify what actually happens. So no, their saying "we can do it" doesn't actually mean that they can.
As a user who doesn't have a horse in this race (I work for a "captive clients" company, so ads don't help much, nor do we sell any ads), what I notice is that ads I'm served are absolutely absurd. It's either Google Maps trying to sell me some hotel 50 meters from my home (I live alone, so I fail to see any reason why I'd go for that), or Instagram which somehow figured I'd be interested in buying bras for pregnant women (I'm a male, and I'm single).
More recently, Instagram tries to sell me Range Rovers. Where I live, there's a tax on "heavy vehicles", traffic is absolutely crazy, and we have usable public transit (which I use – while scrolling Instagram). Buying a big-ass car wouldn't help me in any conceivable way, and would be an all-round nuisance.
What leaves me flabbergasted, is that my only interactions with Instagram are around photography. I only follow photographers, who shoot landscapes and similar, I always leave the app when I'm presented with naked girls or other "reels'. So I could maybe, possibly, be convinced to buy some new camera or photo gear. Guess what I never see advertised on Instagram?
As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude That adtech Is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
So then:
What to do with this massive infrastructure and billions of dollars of investment and workers employed by this global machine?
> As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude That adtech Is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
At least from my own anecdotal observations (including conversations with confused less technical friends and relatives started by questions like "how does this website know enough about me to show me that ad?"), the issue to me seems less that ad tech doesn't ever produce relevant ads, but that in practice very few people actually click ads, much less buy things from the destination, regardless of whether the ads are relevant or not. If anything, seeing a well-targeted ad often makes people feel creeped out, and their reaction isn't to go "oooh yes, that's perfect for me, let me click it", but to immediately close the browser tab and maybe even avoid the website that showed it to them in the future (because it's not obvious to a lay user that the ads are usually sourced from another party rather than the website itself). Slightly more tech-savvy users might even be aware of how ads are sometimes a vector for malware and avoid clicking them because the risk of getting something nasty isn't worth the probably quite low reward of buying something they could probably find just as easily on their own by actively looking. In practice, I have to wonder if it even matters whether adtech is effective at targeting or not, because I'm skeptical that the way people interact with ads ever would generate enough revenue to be worth it.
You're coming at it from this type of tracking being an accusation of bad behaviour and the company having to admit it, like they have to admit a security breach losing personal data.
That's a reasonable approach. It's also incorrect. These companies think tracking users is a great thing. They aren't admitting it, they are boasting about it.
They consider me to have different visitor IDs when opening their demo page[1] in a regular window, and an incognito window on the same device. If this is state of the art I'm not too worried.
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
This has suddenly made me wonder how often fingerprinting of installed fonts is used to find targets working for particular companies. Quite a lot of organisations now have their own font, or a particular uncommon font they favour for brand purposes at least.
Well, nobody has Flash installed anymore (I hope) and I don't believe there is a "modern" way to obtaining a font list (that works on all/majority of browsers). So, at face value, looking at installed fonts doesn't sound like a meaningful attack vector these days.
I believe you can do some stuff with CSS by providing a list of fonts to try and then comparing the size of a block of text, but yes, it is quite a bit harder now.
I’m not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It’s kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto because uh-oh a pub key would give your a “super-cookie” so we can’t have that.
I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."
You know what's tracking you more than websites? Apps! You know why sites want you to install an app and keep begging you to install one? Because all the protections a browser adds to make it hard to track disappear once you're in an app. They require you to login, then they share all your data with anyone and everyone.
My app doesn't do that. The reason I push the app is because we don't ask for your email address, so the only way I have to notify you of new messages or stuff is via an app. Apps are sticky, websites aren't.
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
CreepJS[0] allows you to "add a signature" (basically give your fingerprint a name). If you re-open the page, and it can correlate your fingerprint, it will show you your signature.
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain.
It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain informations about a victim, simply by collecting their fingerprint.
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The first point - there are usecases but it probably all ought to be user prompted. The vast majority of sites don't need any of it. For example when testing webgpu on chromium I had to globally enable it with a flag which prompted a security warning. A per-site prompt would have been much more secure - I was only using it on localhost.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
> but why does the website that's sending me HTML and CSS and Javascript need to know?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
And when I block js, most websites are still readable. (some even look better!) The fact that some sites work just fine without js mean that most could. Certainly the sites load much, much quickly without the js. 90% of the time all I want is the text, which loads perfectly without it. JS is a huge waste of resources with no real benefit to consumers. Some web apps need it, yes, but even those could still do fine without it. (until recently there was still an HTML gmail app which worked just fine.)
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
Some mobile devices (especially cheap Androids) often have device model numbers and build version in the User-Agent headers. A few examples from a quick look at my access log:
Mozilla/5.0 (Linux; U; Android 15; zh-CN; V2301A Build/AP3A.240905.015.A2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.80 Quark/7.13.1.851 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 13; STYLO RAIN Build/TP1A.220624.014) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.89 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 14; moto g04 Build/ULA34.89-193; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/137.0.7151.89 Mobile Safari/537.36
All of these contain both the device/model name and specific software version.
This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Because they pretty much all power some kind of actual functionality. Users want the website to show up in their timezone, in their language, and to respect the light/dark mode options. Those are all legitimate functions, which also get used for tracking.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
Everytime I go to the EFF fingerprint page it tells me I have a unique fingerprint. If I revisit it an hour later it tells me I have a unique fingerprint.
It would be great if it would give me a hash of that fingerprint so I could compare it in a few months time.
I'm guessing that my "fingerprint" changes every time I load the page, which makes it somewhat harder to use for fingerprinting me.
It is noteworthy that there are browsers that resist fingerprinting much better than Chrome or Firefox. But these browsers are made not by a reputable companies but by shady Russian hackers, they are called "anti-detect browsers". Their purpose is to allow using multiple social network accounts from one machine and avoid getting banned for this.
There is a way - provide random garbage via browser APIs, for example, fake GPU name, fake core count, fake IP addresses for WebRTC. But browser vendors do not want to do it. You have to compile your own browser.
Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.
There's only so much you can fake without breaking sites. You may be able to fake the specific elements that a site is looking at today, but it'll always be a cat and mouse game.
I've always found fingerprint tracking more disturbing than cookies. At least cookies give you a sense of control. You can clear them, block them, and even isolate them by site. Browser fingerprinting is like an ID card that you can't get rid of even if you don't apply for it.
One thing I'm interested are the EFF demo sites which try to identify if you're "uniquely fingerprint-able." What I've seen a lot in the discourse is people attempting to increase the privacy of their browser (via add-ons, configurations, etc) only to see their browser become _more_ unique. They then conclude that you cannot get away from fingerprinting.
I think there are a few potential problems with this approach.
- A lot of browser-based mitigations (such as Firefox's "resist fingerprinting" settings) send dummy data to websites. So yes, you may have a unique fingerprint according to the EFF site. But, when you visit it later, you could in principle have a different unique fingerprint. I haven't seen much discourse which discusses whether this is a viable point of not. Yes, my Linux Firefox with a bunch of weird settings clearly stands out. But maybe I have a different fingerprint across visits?
- Additionally, this strategy seems to say "don't be unique, blend in with the crowd. Look like Windows 10 and Chrome." I think there must be some validity to this. But clearly, advertiser fingerprinting is _most_ interested in the vast middle of the bell curve, ie that huge mass of users with Windows 10-11 & Chrome & Edge. If looking just like everyone else were somehow an effective mitigation, then the advertisers' tracking technology would not actually be effective for the vast majority of cases; the ones they care about the most.
- I also wonder what the difference is between what security researches at EFF and other places can do in principle vs. what various websites are actually doing in practice. It's important to remember that advertising is now like a warrant; if an advertiser thinks you're a different person and serves you the wrong ad, no one will ever notice or care. They have no way to verify it, and whatever error exists won't ever show up in their promotional materials. Even if the fingerprinting technology is quite strong, I sincerely doubt the statistics we hear from advertisers (ie, "we can identify 90% of users") can be very accurate.
I don't mean to suggest that my points are strictly correct -- however I also don't think the usual discourse around the realities of advertising and tracking really gets to the bottom of things in a very accurate or useful way.
That fingerprints exist is nothing new to someone who has visited https://amiunique.org whenever I get a new device or install a new distro for many years. (It also tells me that the project is not very alive, they had the same job offer for many years.)
So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.
I used to think blocking cookies was enough, but recently I’ve been learning about browser fingerprinting and realized it’s a whole other level of tracking.
I’ve tried using Firefox with privacy settings cranked up, but I’m still not sure how much it actually helps. Has anyone found a good way to stop or reduce fingerprinting?
I spent a lot of time testing this recently and the only browser which consistently resists fingerprinting is Brave. Firefox has some plugins which enable spoofing fingerprints, but I haven't found one which randomises it.
I used to think incognito mode was enough, until I found out browser fingerprinting is even worse than cookies. It tracks so many tiny details that sometimes it can recognize you even after switching devices. These days, going online feels like being watched.
Has anyone made a plugin that forces your browser to resize slightly to help avoid fingerprinting? I feel like this is an annoyance I could tolerate, even if over the course of a day or two it causes me to resize it manually to something larger.
Firefox has this built in, about:config privacy.resistFingerprinting.letterboxing. It was contributed upstream by Tor, and off by default in Firefox.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
The name for that is letterboxing. The Tor Browser (and the Mullvad browser, based on the Tor one, and Firefox as of v. 67 with an about:config flag) all support it.
There are also add-ons that perform the same basic function with some added customisability [0].
Also there doesn't seem to be anything one can do about it. Traditional privacy countermeasures like privacy plugins just make you more unique not less
When I discovered fingerprinting, I tried tinkering with every single bit of information possible, but it was hopeless.
The error lies in the candid nature of software developers, who couldn’t imagine a world in which every human thought or interaction could be economically exploitable. Why does my browser have to give away so much information?
Why do browsers share so much information? A standards-compliant website has no need to know which browser version I am using, which operating system I am running, etc..
One of the more effective techniques is measuring the speed at which JS renders to your canvas. That's a sidechannel I don't think can be closed easily.
As long as JS exists, there will be effective means to examine the sandbox.
(I do agree they have unsafe defaults info. It's just removing it isn't enough.)
There is some noise, but there are bounds. Everyone tends to have fairly common habits and periods of transition into new habits, that combined with IPs, or geolocation, or screen sizes, that you can fairly accurately pin individual devices..
Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.
Various places have used it since before '14. But here's one random paper that goes into more depth. [0]
Can’t a good privacy browser randomize some of the ‘nonessential’ elements it sends, thereby creating a new fingerprint for each website? Or change them all to the same one so everyone using that browser has an even more similar fingerprint?
Its always struck me as odd that your browser just volunteers so much information every time you go to a site. Then again, my knowledge of how the web works is limited to HTML+CSS from the 00’s…
There is a lot of discussion in this thread about the novelty of this research. This is because TAMU's PR piece is not accurately describing what this research is about. The paper's abstract highlights a different contribution altogether. They show the evidence that fingerprinting is used for advertising (which might be violating GDPR in some cases)
While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising.
This paper introduces "FPTrace" (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking.
In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.
There's a second side of this story, that nobody ever really talks about, because the cost is so diffuse.
There are real, legit, uses for fingerprinting.
One of the more common ones is anti-fraud for payments, as well as anti-abuse for social sites.
I'm sure you've been to forums or other social sites where ban evading trolls, astroturfers, card checkers, and the like cause constant pain for both legitimate users and site operators.
When I ran a large site with social interactions and payments/credits, I got deep insights into all the abusers who try to bilk the system for whatever they can.
Because fingerprinting is so hard, bad users have an easy time to return with a zillion sock puppet accounts.
As a normal user, my estimation is that I suffer more from the actions of those bad users who poison the well, than I would suffer from an internet that made everyone non-anonymous.
My web browser is abrowser (firefox derivative) and I am not using Windows like it says. I do have my javascript restricted though. The site considers my computer unique.
Evidence aside, it always seems impossible to have any serious discussion of (non-behavioural) fingerprinting online. There is a meme that always shows up about how anything someone does to avoid fingerpringting makes them stand out even more, like some sort of Catch-22.
But this meme rests on an assumption that people must use, now and forever, certain software that sends many details that can be used to construct a fingerprint, namely, a software program that web developers call a "modern browser". If those are the conditions, if this is the only software web users are allowed to choose, then yes, I agree, web users have no chance against fingerprinting; they will be involuntarily sending copious details to websites, automatically. The small number of popular "modern" web browsers are generally distributed by surveillance advertising companies, companies increasing their surveillance advertising services or organisations that send data about users to such companies in return for payment. Using this complex software to attempt to "defeat browser fingerprinting" is, no surprise, a losing game.
Ultimately, the goal of anti-fingerprinting should be to significantly reduce the number of details sent, which in effect reduces the number of details that can be used to construct a fingerprint. The reason this should be the goal is that when there are fewer details to copy then it is easier to make fingerprints so generic that they are not very useful for surveillance advertising. The Catch-22 meme often refers to the goal as "blending in", achieved by trying to duplicate popular but complex configurations reported to websites by the popular browsers. Truthfully, if the choice of software is smaller programs that have minimal configuration and send almost no details, then it is easier to "blend in", if that is the goal.
If a user-modifiable string from an optional User-Agent HTTP header is one of only a few, or perhaps the only, detail in a fingerprint, e.g., if web users make HTTP requests using simpler software that does not run Javascript, then, _if web users wanted too look alike_, it is easier for them to do so. The alleged Catch-22 created by the complexity of "modern" browser can be resolved.
As it happens, according to "web security" reports, over half of web traffic comes from simpler clients that do not display advertising. What are the (non-behavioural) "browser fingerprints" of these users. Generally, it is a user-modifiable string in a User-Agent HTTP header. If the header is omittted, or if different "bots" use the same string, then the "browser fingerprint" becomes even less distinguishable.
Alas, web users who choose simpler software instead of the larger, more complex "modern" browsers often get mistaken for "bots" based on crude heuristics with high false positive rates. Alas, website operators often do not focus on behaviour, e.g., rate-limiting, when it's easier to simply label anything that is not sending many details and running Javascript as a "bot". The characteristic bad behaviour of "bots" is assumed. Even when it does not exist. A single, one-time HTTP request can trigger a heuristic-based block designed to stop repeated, excessive HTTP requests.
The surveillance advertising ecosystem relies on web users all choosing the same few browsers that run Javascripts indiscriminantly without any user input. Even using an add-on/extension like uMatrix with a "modern" browser may trigger "bot" heuristics, because uMatrix lets the user run Javascript discrimantly.
Fingerprinting may not be 100% dependant on Javascript. But the most useful fingerprints for advertising, not to mention serving the advertisements themselves, rely on Javascript.
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,”
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
As someone who's been building an adblocker for the last 6 years: yes, there's plenty of proof in the devtools console on more websites than you'd think.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
From over a decade ago, a paper on then-commercially-available browser fingerprinting tech, including a study of its deployment in the wild:
https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).
Iovation is at least one companies script I know that the financial sector tends to use to get some fingerprinting on. Youngsters, please don't be skeptical. Surveillance hellhole-wise, fingerprinting is and will remain a perennial corporate favorite thing to do.
Luckily most of this is done by web devs using their normal tools which means if you just turn javascript off that gets rid of 99%. Sure, there are ad companies and related out there using actual webserver logs but more and more it's relying on you the user blindly executing their code on your machine. After all, everyone does it. Anyone not running javascript is weird, probably not monetizable, and therefore is a bot and doesn't exist.
Yep. Native applications are much faster, more reliable (can't change underneath you unless you let them), incomparibly more private, and generally longer lasting.
Using the web for applications forces you into behavior and situations you wouldn't accept otherwise. Web sites are best made of web pages. Not executable code. And there are still more web sites made out of web pages out there than corporate web apps. The web is huge and there's a lot beyond the top 100 web apps everyone use.
Turning off JS auto-execution helps one avoid falling into those traps as well as avoiding fingerprinting in general. And the vast majority of the non-commercial web still works just fine.
Yes. Today you cannot register Vk, Google or Telegram account without scanning a QR code from smartphone or installing an app. I am surprised that there are people that agree to go through all these difficulties instead of going to a competitor.
Because most people do not find it difficult to install an app. And many people started with the mobile app anyway, and/or use their mobile device as their primary computer.
As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
They will fuzz your uniqueness into a profile no matter how many times it changes. There’s enough there to identify you based on your fingerprint and behavior.
right, but it is most powerful if they can combine unique fingerprint with identity fingerprint via login over time, so as to build up a long term behavioral profile. Identity is not good enough because you will sometimes not be logged in, fingerprint via uniqueness may not be enough because your behavior may change in different environments.
I assure you it’s enough even without a login
More please
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
”NVIDIA Corporation” is a rare vendor because most browsers (Chrome, Edge, Firefox on Windows) use ANGLE and will report ”Google Inc. (NVIDIA Corporation)” as a vendor.
Basically, ”NVIDIA Corporation” means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
Mine says zero percent match for everything, and claims I have a NaN % overall match. Does this site work?
Definitely works for me although it was rendering the result a lot faster six hours ago.
Hn referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
Did not the EFF have a long time ago a fingerprint analysis that showed how unique a user profile is.
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
>privacy nuts
No need to use such self-deprecating language.
Yea, and it was effectively a lie.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking various statics of sales, upgrade cycles, etc there are probably at between 500k of 1million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro)
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are langauge, time-zone, font-size, light/dark preference. There's isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the Eff's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.
That results in different nanosecond ranges of performance, for your canvas.
It is lie. They're making up stuff to spin their position
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particlar. They don't produce different results
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
No one enjoys a conversation with a blank wall.
>That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (ie. it varies between devices of the same model) actually exist?
Have you bothered to look, yet? It's been in use since 2012. Responding to specifics, when someone is acting out of bad faith, isn't generally a good idea. But fine.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
https://hovav.net/ucsd/dist/canvas.pdf
https://securehomes.esat.kuleuven.be/~gacar/persistent/the_w...
https://doi.org/10.14722%2Fndss.2022.24093
https://web.archive.org/web/20141228070123/http://webcookies...
https://www.torproject.org/projects/torbrowser/design/#finge...
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
When that was the first attempt, over a decade ago? No.
But as these things don't sit still, a small perusal of any of the above links would give you the information you seek.
I think you miss some key issues here:
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveilance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
> Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins
can websites really see installed plugins?
Not really. They can‘t see a list, as navigator.plugins is dummy data in every major browser, but they might able to detect eg. Adblockers by other means
Adblocking is not rocket science, you block the DNS of the ads. Some also use JS to mess or remove ads.
All of this is easily detected, can I ping X, can I see DOM Y, etc.
>E.g. installed plugins, content language, fonts.
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are broswer mitigations against font enumeration for fingerprinting.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
What is TCP stack fingerprinting?
It is what nmap does.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Also TCP timestamp if the network stack doesn't apply a randomized offset. As of 4.10 Linux added randomization; no idea about others.
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymizat...
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
>"hardware interrupts" (whatever that means)
Hardware interrupts are a standard part of computing. (see https://en.wikipedia.org/wiki/Interrupt#Hardware_interrupts)
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2016-oakland...
It's been awhile since I've looked closely at anything related to phones, but for decades /proc/interrupts was globally readable. It may still be.
>"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
>I'm not claiming interrupts don't exist
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefor, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
I have no idea what ads they serve me because I have ad blindness. My brain just refuses to perceive them.
Even when they float over the text I am trying to read, I do not see them.
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
>But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it. //
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
I wouldn’t claim to not notice ads. Especially ads that interrupt videos. I remember quite a few of them. But, even the ones that are initially a little amusing become annoying with repetition, and what initially seemed mildly amusing instead seems just stupid.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
Personally, I block them. But the people running these programs think they can get all of us. They don't seem to understand that the harder they try the more they piss off people like me. Meaning I'll put in more effort to circumvent or poison their data, making them spend a disproportionate amount of money on people like me. At this point I don't they'll give up, so let's find out who can live the longest. The number of people on my side are growing
I'm with you, but my take is that advertainment only scales big, so we are mostly collateral noise to the designers who have to balance many different factors, the main one bieng that the market they have brainwashed is as a result, fickle, and insists on bieng entertained, with most of the work force in advertising also consuming the product in a world of always almost, never quite satiated quest for the something™ that will get them off the treadmill. The very fact that anything imaginable is availible, anywhere, right now, up front, delivered ,only highlights the sameness of it all, where the tracking and fingerprinting results in people buying whatever they glanced at,casualy and inocently, but now own some glitzy cheap, likely broken facsimily, and are now under intense pressure to buy another one. So advertainment gives it's reek of edgy mindless frustration to the whole world. So ya, turn off scripts and storage, run some blockers, and remember to be nice to all the people actualy helping and doing things in the real world.
Sure but it's about pareto efficiency. How much do you capture? It's a percentage. But you have to spend infinite resources to get to 100%. They just see number go up...
Ads definitely have an effect on me: the more intrusive they are, the more I remember them and tend to not buy that product and ignore the company altogether.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists vor various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden longtime costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper west is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
Every person says this too, but it ignores the diversity in types of people. I know somehow who happily watches ads and makes purchasing decisions off it. I ignore them and do not. I don't believe I am being manipulated by the ads. The companies choose to advertise to target other people, and they lose money serving ads to people like me. But it's still a net win for them.
I stopped drinking soda this year and alcohol years ago. If you consumed any heavily advertised product this year, then you can't say ads don't work. Including products like Cursor.
I take a bit of an opposite approach. For the most part, if I'm stuck hearing an ad, I just blacklist the company.
I mean, ads work same way those obnoxious Mr Beast faces in thumbnails work: I never click on any video like that, but they obviously work for attracting a general public. It's even kind of funny how aggressively the algorithm tries to push them to me: if I were to anthropomorphize it, I'd say it's palpable its desperation to drag me to a popular cluster
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
I change my VPN country daily.
The ads are then in a language I don't even understand.. and for products not for sale in my country.
This is a top tier super power. Ublock on Firefox and AdGuard on iPhone are pretty effective. When I actually see an ad it physically hurts.
On iPhone check out Orion browser. Blocks ads, even on YouTube. Though sometimes video quality goes low (manually set it higher to fix). Firefox focus also works, but only one tab
If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Brave is also extremely effective at removing ads while keeping websites functional (including YouTube). It even has some fingerprinting protection. (and before someone complains, you can disable all the crypto stuff)
Sure but personally I'm against recommending different flavors of chrome. Brave is a nice idea but it still gives undue power to Google because at the be of the day, they control chromium. It also makes a hard problem for chromium reskins as they keep finding things chromium can use to track their users...
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
If you look at app download charts, the main VPN companies dominate. So I suspect there are sufficient active users.
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
VPN does.
If I change to for example Hong Kong, all Spotify, YouTube etc are them for hk/Chinese products and spoken in Mandarin/Cantonese.
I change country daily, it's good fun.
iCloud Private Relay has always kept the IP in the same city for me.
Mine is also in a city 146 kilometers away.
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
> ISPs normally will have at least one level of NATing with ipv4.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
Not sure about US, but Indian ISPs are doing this already to conserve IP space given huge userbase. In theory it would work similar to how a NAT gateway works for outbound communication. Skan + geo would be hard nut to crack in India.
In UK I'm now on FTTP but even on ADSL the house would have an IP address that normally stayed constant until a router reboot. This seems to be pretty common in the UK. Probably on cable internet (and on mobile ofc) you get NAT-ed but I've never had that.
In Australia most ISPs use CGNAT by default and you have to specifically request a dedicated IP if you want to host a Minecraft server or something.
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Assuming an ext-IP (60k ports) can easily represent 100 household if we statically assign ports. Given CGNAT with dynamic port allocation this can easily go up to 5x? That's wildly inaccurate given the core problem is to "target" a small set of users which is based on this geo info. Not sure how well this elephant sits in a room full of engineers solving this specific targeting problem.
I’ve never had an unroutable IP in the US
CGNAT does not means unroutable IP, it just means you would only have assigned a small range of ports on a routable IP with others.
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
fingerprint.com claims that they can fingerprint a user with >90% accuracy over 120 days. A half-life of a few days is awfully optimistic.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
If everything is the same but the browser version, a day later how is that not the same person?
I think you’re thinking that the fingerprint is reported as a single hash (e.g. SHA512) of multiple attributes, which would of course change if a single bit was different. But there’s no reason they would be reported that way. It could be (and probably more likely) a big data structure of all the values. It would be easy to see that only a few things changed.
>it’s stronger.
marginally given that most browsers auto-update.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
https://www.amiunique.org/
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
"a proper open source browser never took off"
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> then Google used anticompetitive practices to squash it
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
All the front-end devs I knew at the time switched to Macbooks after the Intel switch, because you could get a Unix-based machine that could run Safari and Firefox natively, and Internet Explorer in a VM. Chrome wasn’t even released at that point.
> Every "web designer" had to work on a macbook
Sorry? Why? I must’ve missed that memo :)
Because working on Windows machines was a gigantic pain in the ass back then and Linux still kinda sucked as a desktop OS.
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
I think it's pretty debatable that Chrome is currently better, but you're definitely correct. When Chrome first debuted (and for years afterwards) it was clearly superior to Firefox.
Note that having a unique fingerprint becomes actually great if it's so unique that even after a page refresh you get a different one.
Most browsers with fingerprint protections will for example introduce random noise in graphics and audio APIs.
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Because the users of web browsers expect compatibility. If one vendor unilaterally decides to stop supporting some browser APIs, the result isn't better privacy. The result is that people switch to other browsers.
Cutting down permissions will just make you more identifiable.
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
2. is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for useragent. with JS disabled (best practices for tor) it's even worse. maybe this works for windows users?
(debian, latest tor browser 14.5.3, no modifications)
Great website. I'm surprised that even things like battery status are queryable. There's really no good reason to expose that.
In two separate private browser windows, I was identified as unique, so does that mean a fingerprint across private browser tabs would not work?
If you have Firefox with "resist fingerprinting" enabled then you are feeding it some dummy data. People worry about the fact that this might make you "unique," but fail to grasp that if you look differently unique every time you're not necessarily identifiable.
I think its matter of "least common denominator" as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
> it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off.
What makes you disqualify Firefox from being a "proper open source browser"?
> What makes you disqualify Firefox from being a "proper open source browser"?
- June 2024. Mozilla acquires Anonym, an ad metrics firm.
- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).
- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".
Yes "PPA" is absolutely shady, it is a browser cooperating with ad companies behind user's back. I do not understand why I need this on my computer.
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them) but its the same dilemma as with chrome, the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
This is just making better the enemy of best.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
see original comment:
> Yet there really is little recourse for privacy enthusiasts
Firefox never took off.
At one point, Firefox (3.5 specifically) was #1, for a brief moment:
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
lol, and I used neither. Opera all the way until...
Millions of people use it. What's the latest usage number? 5% or something?
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
Define taking off then. Everyone knows Firefox and some people even like it
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows own biases about academia vs industry more than anything else.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
Why wouldn’t admitting doing something be proof, and what else would TRACKING PIXELS be used for?
It is clearly in these companies best interest to use these things for snooping on the world’s internet users.
Tracking pixels aren't for fingerprinting, they're just regular tracking. You can block them fairly easily (just block the 3rd party request to the known tracker). Fingerprinting is a lot more difficult to detect and prevent. Companies claiming they reserve the right to do it is a good reason to take precautions, but without insight into what is actually being done, that's hard to effectively do (without resorting to blocking all possible vectors, like Tor Browser).
Aren't the companies who say they're doing this actually selling these capabilities to others? So it's in their interest to pretend to be able to do more / better than what they actually can do. Especially when the clients have little capability to verify what actually happens. So no, their saying "we can do it" doesn't actually mean that they can.
As a user who doesn't have a horse in this race (I work for a "captive clients" company, so ads don't help much, nor do we sell any ads), what I notice is that ads I'm served are absolutely absurd. It's either Google Maps trying to sell me some hotel 50 meters from my home (I live alone, so I fail to see any reason why I'd go for that), or Instagram which somehow figured I'd be interested in buying bras for pregnant women (I'm a male, and I'm single).
More recently, Instagram tries to sell me Range Rovers. Where I live, there's a tax on "heavy vehicles", traffic is absolutely crazy, and we have usable public transit (which I use – while scrolling Instagram). Buying a big-ass car wouldn't help me in any conceivable way, and would be an all-round nuisance.
What leaves me flabbergasted, is that my only interactions with Instagram are around photography. I only follow photographers, who shoot landscapes and similar, I always leave the app when I'm presented with naked girls or other "reels'. So I could maybe, possibly, be convinced to buy some new camera or photo gear. Guess what I never see advertised on Instagram?
This is where gambling and vaping come in…
As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude That adtech Is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
So then:
What to do with this massive infrastructure and billions of dollars of investment and workers employed by this global machine?
This is where gambling and vaping come in.
> As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude That adtech Is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
At least from my own anecdotal observations (including conversations with confused less technical friends and relatives started by questions like "how does this website know enough about me to show me that ad?"), the issue to me seems less that ad tech doesn't ever produce relevant ads, but that in practice very few people actually click ads, much less buy things from the destination, regardless of whether the ads are relevant or not. If anything, seeing a well-targeted ad often makes people feel creeped out, and their reaction isn't to go "oooh yes, that's perfect for me, let me click it", but to immediately close the browser tab and maybe even avoid the website that showed it to them in the future (because it's not obvious to a lay user that the ads are usually sourced from another party rather than the website itself). Slightly more tech-savvy users might even be aware of how ads are sometimes a vector for malware and avoid clicking them because the risk of getting something nasty isn't worth the probably quite low reward of buying something they could probably find just as easily on their own by actively looking. In practice, I have to wonder if it even matters whether adtech is effective at targeting or not, because I'm skeptical that the way people interact with ads ever would generate enough revenue to be worth it.
Disclosure is not proof, especially when they have something to sell you.
You're coming at it from this type of tracking being an accusation of bad behaviour and the company having to admit it, like they have to admit a security breach losing personal data.
That's a reasonable approach. It's also incorrect. These companies think tracking users is a great thing. They aren't admitting it, they are boasting about it.
There have been source code leaks from major websites which clearly show fingerprinting tools being used.
Some people live in bubbles. I have been aware of https://github.com/fingerprintjs/fingerprintjs
For almost 10 years now or some version of it. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.
They consider me to have different visitor IDs when opening their demo page[1] in a regular window, and an incognito window on the same device. If this is state of the art I'm not too worried.
[1]: https://fingerprintjs.github.io/fingerprintjs/
It tracked me on incognito but not across browsers though
It's been known in academia for at least half a decade as well. See:
https://petsymposium.org/popets/2021/popets-2021-0004.pdf
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
This has suddenly made me wonder how often fingerprinting of installed fonts is used to find targets working for particular companies. Quite a lot of organisations now have their own font, or a particular uncommon font they favour for brand purposes at least.
Well, nobody has Flash installed anymore (I hope) and I don't believe there is a "modern" way to obtaining a font list (that works on all/majority of browsers). So, at face value, looking at installed fonts doesn't sound like a meaningful attack vector these days.
I believe you can do some stuff with CSS by providing a list of fonts to try and then comparing the size of a block of text, but yes, it is quite a bit harder now.
I’m not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It’s kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto because uh-oh a pub key would give your a “super-cookie” so we can’t have that.
Sites need to realize that offering a public presentation means they're at the whim of user-agents.
Most of the bullshit over the past couple decades has been them trying to pull control back to server-side.
That’s somewhat different from user-agents refusing to implement useful features because they might have privacy implications.
>while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide
Yeah, hard pass.
I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."
The paper might have put this better by saying they can prove it without the need for disclosure.
You know what's tracking you more than websites? Apps! You know why sites want you to install an app and keep begging you to install one? Because all the protections a browser adds to make it hard to track disappear once you're in an app. They require you to login, then they share all your data with anyone and everyone.
My app doesn't do that. The reason I push the app is because we don't ask for your email address, so the only way I have to notify you of new messages or stuff is via an app. Apps are sticky, websites aren't.
On iOS now there's the "Ask App Not to Track" prompt. The problem is, that only covers certain types of tracking
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
CreepJS[0] allows you to "add a signature" (basically give your fingerprint a name). If you re-open the page, and it can correlate your fingerprint, it will show you your signature.
[0] https://abrahamjuliot.github.io/creepjs/
fingerprint.com might have such a result-over-time test?
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain. It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain informations about a victim, simply by collecting their fingerprint.
My question is, why do browsers share all that information with websites in the first place?
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
which would be amazing, a good 85 per cent of js on the web is both pointless and useless.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
> momost of it is useful or even needed
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The first point - there are usecases but it probably all ought to be user prompted. The vast majority of sites don't need any of it. For example when testing webgpu on chromium I had to globally enable it with a flag which prompted a security warning. A per-site prompt would have been much more secure - I was only using it on localhost.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
> but why does the website that's sending me HTML and CSS and Javascript need to know?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
And when I block js, most websites are still readable. (some even look better!) The fact that some sites work just fine without js mean that most could. Certainly the sites load much, much quickly without the js. 90% of the time all I want is the text, which loads perfectly without it. JS is a huge waste of resources with no real benefit to consumers. Some web apps need it, yes, but even those could still do fine without it. (until recently there was still an HTML gmail app which worked just fine.)
> screen resolution
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
Some mobile devices (especially cheap Androids) often have device model numbers and build version in the User-Agent headers. A few examples from a quick look at my access log:
All of these contain both the device/model name and specific software version.This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Because they pretty much all power some kind of actual functionality. Users want the website to show up in their timezone, in their language, and to respect the light/dark mode options. Those are all legitimate functions, which also get used for tracking.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
Developers wanted to use those APIs to deliver features. The privacy implications were not considered until the cat was already out of the bag.
My theory:
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
Okay, but what ads? All that energy wasted on fingerprinting me to serve me ads I block.
Everytime I go to the EFF fingerprint page it tells me I have a unique fingerprint. If I revisit it an hour later it tells me I have a unique fingerprint.
It would be great if it would give me a hash of that fingerprint so I could compare it in a few months time.
I'm guessing that my "fingerprint" changes every time I load the page, which makes it somewhat harder to use for fingerprinting me.
First evidence ? It had been there in use for quite a good time.
Quoted:
"Mid-2010s: Browser fingerprinting became more prevalent, with research indicating its use by various websites and advertising companies."
It is noteworthy that there are browsers that resist fingerprinting much better than Chrome or Firefox. But these browsers are made not by a reputable companies but by shady Russian hackers, they are called "anti-detect browsers". Their purpose is to allow using multiple social network accounts from one machine and avoid getting banned for this.
The Tor Browser has been using predetermined window sizes for years for this reason exactly. It can hardly be "new research".
check out https://coveryourtracks.eff.org
There really is no way to combat fingerprinting, other than using Tor on the "safest" mode. <- which disables javascript and some other stuff.
otherwise, you're fingerprintable.
also, check out https://demo.fingerprint.com/playground
There is a way - provide random garbage via browser APIs, for example, fake GPU name, fake core count, fake IP addresses for WebRTC. But browser vendors do not want to do it. You have to compile your own browser.
Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.
There's only so much you can fake without breaking sites. You may be able to fake the specific elements that a site is looking at today, but it'll always be a cat and mouse game.
I've always found fingerprint tracking more disturbing than cookies. At least cookies give you a sense of control. You can clear them, block them, and even isolate them by site. Browser fingerprinting is like an ID card that you can't get rid of even if you don't apply for it.
One thing I'm interested are the EFF demo sites which try to identify if you're "uniquely fingerprint-able." What I've seen a lot in the discourse is people attempting to increase the privacy of their browser (via add-ons, configurations, etc) only to see their browser become _more_ unique. They then conclude that you cannot get away from fingerprinting.
I think there are a few potential problems with this approach.
- A lot of browser-based mitigations (such as Firefox's "resist fingerprinting" settings) send dummy data to websites. So yes, you may have a unique fingerprint according to the EFF site. But, when you visit it later, you could in principle have a different unique fingerprint. I haven't seen much discourse which discusses whether this is a viable point of not. Yes, my Linux Firefox with a bunch of weird settings clearly stands out. But maybe I have a different fingerprint across visits?
- Additionally, this strategy seems to say "don't be unique, blend in with the crowd. Look like Windows 10 and Chrome." I think there must be some validity to this. But clearly, advertiser fingerprinting is _most_ interested in the vast middle of the bell curve, ie that huge mass of users with Windows 10-11 & Chrome & Edge. If looking just like everyone else were somehow an effective mitigation, then the advertisers' tracking technology would not actually be effective for the vast majority of cases; the ones they care about the most.
- I also wonder what the difference is between what security researches at EFF and other places can do in principle vs. what various websites are actually doing in practice. It's important to remember that advertising is now like a warrant; if an advertiser thinks you're a different person and serves you the wrong ad, no one will ever notice or care. They have no way to verify it, and whatever error exists won't ever show up in their promotional materials. Even if the fingerprinting technology is quite strong, I sincerely doubt the statistics we hear from advertisers (ie, "we can identify 90% of users") can be very accurate.
I don't mean to suggest that my points are strictly correct -- however I also don't think the usual discourse around the realities of advertising and tracking really gets to the bottom of things in a very accurate or useful way.
That fingerprints exist is nothing new to someone who has visited https://amiunique.org whenever I get a new device or install a new distro for many years. (It also tells me that the project is not very alive, they had the same job offer for many years.)
So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.
I used to think blocking cookies was enough, but recently I’ve been learning about browser fingerprinting and realized it’s a whole other level of tracking.
I’ve tried using Firefox with privacy settings cranked up, but I’m still not sure how much it actually helps. Has anyone found a good way to stop or reduce fingerprinting?
Resizing the window seems to work for me in Firefox
I spent a lot of time testing this recently and the only browser which consistently resists fingerprinting is Brave. Firefox has some plugins which enable spoofing fingerprints, but I haven't found one which randomises it.
I find that by resizing my window in Firefox, my fingerprint changes. At least that is from testing with https://abrahamjuliot.github.io/creepjs/
I guess it can't fingerprint me on 115.24.0esr? Its stuck on "Computing..."
I used to think incognito mode was enough, until I found out browser fingerprinting is even worse than cookies. It tracks so many tiny details that sometimes it can recognize you even after switching devices. These days, going online feels like being watched.
I think we also need tighter regulation and better enforcement around these practices. Otherwise, it's an endless cat-and-mouse game.
Has anyone made a plugin that forces your browser to resize slightly to help avoid fingerprinting? I feel like this is an annoyance I could tolerate, even if over the course of a day or two it causes me to resize it manually to something larger.
Firefox has this built in, about:config privacy.resistFingerprinting.letterboxing. It was contributed upstream by Tor, and off by default in Firefox.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
Plugins are an issue themselves. They're used for fingerprinting too!
They've been around a while. Here's the top Google Result: https://chromewebstore.google.com/detail/canvas-fingerprint-...
I think Privacy Badger may also do it.
The name for that is letterboxing. The Tor Browser (and the Mullvad browser, based on the Tor one, and Firefox as of v. 67 with an about:config flag) all support it.
There are also add-ons that perform the same basic function with some added customisability [0].
[0] https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...
Also there doesn't seem to be anything one can do about it. Traditional privacy countermeasures like privacy plugins just make you more unique not less
When I discovered fingerprinting, I tried tinkering with every single bit of information possible, but it was hopeless.
The error lies in the candid nature of software developers, who couldn’t imagine a world in which every human thought or interaction could be economically exploitable. Why does my browser have to give away so much information?
Why do browsers share so much information? A standards-compliant website has no need to know which browser version I am using, which operating system I am running, etc..
One of the more effective techniques is measuring the speed at which JS renders to your canvas. That's a sidechannel I don't think can be closed easily.
As long as JS exists, there will be effective means to examine the sandbox.
(I do agree they have unsafe defaults info. It's just removing it isn't enough.)
Is this a reliable metric? One would think there would be lots of jitter. But if you combine with something else like IP address it may be useful.
There is some noise, but there are bounds. Everyone tends to have fairly common habits and periods of transition into new habits, that combined with IPs, or geolocation, or screen sizes, that you can fairly accurately pin individual devices..
Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.
Various places have used it since before '14. But here's one random paper that goes into more depth. [0]
[0] https://www.ndss-symposium.org/wp-content/uploads/2022-93-pa...
You can avoid this by using curl. Half kidding.
Curl, by default, tells sites exactly what version of Curl you are using.
Then pass a random user agent string on each request
https://arxiv.org/abs/2409.15656
If I am unique every time I reload the page in a new private window, that means the fingerprint is not the same as the last time I visited right?
I use RSS reader for most news consumption. I noticed that algorithm does not see what I looked via my client.
Can’t a good privacy browser randomize some of the ‘nonessential’ elements it sends, thereby creating a new fingerprint for each website? Or change them all to the same one so everyone using that browser has an even more similar fingerprint?
Its always struck me as odd that your browser just volunteers so much information every time you go to a site. Then again, my knowledge of how the web works is limited to HTML+CSS from the 00’s…
It doesn’t look like I can access the paper - does it list what ad networks, SSPS, DSPs, advertisers, etc they analyzed?
so if i use Network Chuck's world's most secure browser, will it help? Link below
https://www.youtube.com/watch?v=799uhYUxtvA&pp=ygUOI2NyZWF0Z...
There is a lot of discussion in this thread about the novelty of this research. This is because TAMU's PR piece is not accurately describing what this research is about. The paper's abstract highlights a different contribution altogether. They show the evidence that fingerprinting is used for advertising (which might be violating GDPR in some cases)
While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising.
This paper introduces "FPTrace" (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking.
In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.
https://dl.acm.org/doi/10.1145/3696410.3714548
They don’t have mine but since they have everyone else’s they know who I am anyway.
Have these people never heard of ReCaptcha v3?
Maybe this is why Reddit keeps suspending me?
There's a second side of this story, that nobody ever really talks about, because the cost is so diffuse. There are real, legit, uses for fingerprinting. One of the more common ones is anti-fraud for payments, as well as anti-abuse for social sites. I'm sure you've been to forums or other social sites where ban evading trolls, astroturfers, card checkers, and the like cause constant pain for both legitimate users and site operators. When I ran a large site with social interactions and payments/credits, I got deep insights into all the abusers who try to bilk the system for whatever they can. Because fingerprinting is so hard, bad users have an easy time to return with a zillion sock puppet accounts. As a normal user, my estimation is that I suffer more from the actions of those bad users who poison the well, than I would suffer from an internet that made everyone non-anonymous.
I've got my serious questions about the methodology of these fingerprinting techniques.
If you want to see your fingerprint, I found this site: https://amiunique.org/fingerprint
My web browser is abrowser (firefox derivative) and I am not using Windows like it says. I do have my javascript restricted though. The site considers my computer unique.
Evidence aside, it always seems impossible to have any serious discussion of (non-behavioural) fingerprinting online. There is a meme that always shows up about how anything someone does to avoid fingerpringting makes them stand out even more, like some sort of Catch-22.
But this meme rests on an assumption that people must use, now and forever, certain software that sends many details that can be used to construct a fingerprint, namely, a software program that web developers call a "modern browser". If those are the conditions, if this is the only software web users are allowed to choose, then yes, I agree, web users have no chance against fingerprinting; they will be involuntarily sending copious details to websites, automatically. The small number of popular "modern" web browsers are generally distributed by surveillance advertising companies, companies increasing their surveillance advertising services or organisations that send data about users to such companies in return for payment. Using this complex software to attempt to "defeat browser fingerprinting" is, no surprise, a losing game.
Ultimately, the goal of anti-fingerprinting should be to significantly reduce the number of details sent, which in effect reduces the number of details that can be used to construct a fingerprint. The reason this should be the goal is that when there are fewer details to copy then it is easier to make fingerprints so generic that they are not very useful for surveillance advertising. The Catch-22 meme often refers to the goal as "blending in", achieved by trying to duplicate popular but complex configurations reported to websites by the popular browsers. Truthfully, if the choice of software is smaller programs that have minimal configuration and send almost no details, then it is easier to "blend in", if that is the goal.
If a user-modifiable string from an optional User-Agent HTTP header is one of only a few, or perhaps the only, detail in a fingerprint, e.g., if web users make HTTP requests using simpler software that does not run Javascript, then, _if web users wanted too look alike_, it is easier for them to do so. The alleged Catch-22 created by the complexity of "modern" browser can be resolved.
As it happens, according to "web security" reports, over half of web traffic comes from simpler clients that do not display advertising. What are the (non-behavioural) "browser fingerprints" of these users. Generally, it is a user-modifiable string in a User-Agent HTTP header. If the header is omittted, or if different "bots" use the same string, then the "browser fingerprint" becomes even less distinguishable.
Alas, web users who choose simpler software instead of the larger, more complex "modern" browsers often get mistaken for "bots" based on crude heuristics with high false positive rates. Alas, website operators often do not focus on behaviour, e.g., rate-limiting, when it's easier to simply label anything that is not sending many details and running Javascript as a "bot". The characteristic bad behaviour of "bots" is assumed. Even when it does not exist. A single, one-time HTTP request can trigger a heuristic-based block designed to stop repeated, excessive HTTP requests.
The surveillance advertising ecosystem relies on web users all choosing the same few browsers that run Javascripts indiscriminantly without any user input. Even using an add-on/extension like uMatrix with a "modern" browser may trigger "bot" heuristics, because uMatrix lets the user run Javascript discrimantly.
Fingerprinting may not be 100% dependant on Javascript. But the most useful fingerprints for advertising, not to mention serving the advertisements themselves, rely on Javascript.
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,”
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
They said "hard proof". Can you point to openly available "hard proof"? Otherwise your reply is just snark that doesn't add much.
As someone who's been building an adblocker for the last 6 years: yes, there's plenty of proof in the devtools console on more websites than you'd think.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
[1] https://github.com/fingerprintjs/fingerprintjs [2] https://github.com/easylist/easylist/blob/132813613d04b7228c...
From over a decade ago, a paper on then-commercially-available browser fingerprinting tech, including a study of its deployment in the wild:
https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).
Why do you think a porn site was trying to access MIDI devices? To play some smooth jazz?
https://www.obsessivefacts.com/images/blog/2020-04-04-the-ja...
https://news.ycombinator.com/item?id=23679063
Iovation is at least one companies script I know that the financial sector tends to use to get some fingerprinting on. Youngsters, please don't be skeptical. Surveillance hellhole-wise, fingerprinting is and will remain a perennial corporate favorite thing to do.
Yes. I wrote the code that did it, way, way back when.
Wasn't this like... "common knowledge"?
I'm so confused about this research... especially since there's JS scripts that do this on GitHub for almost a decade now.
chat gpt works in incognito fullscreen but not resized in any way fyi
"And we were like, "We know but, hey" "
this is like a 15 years old thing
Luckily most of this is done by web devs using their normal tools which means if you just turn javascript off that gets rid of 99%. Sure, there are ad companies and related out there using actual webserver logs but more and more it's relying on you the user blindly executing their code on your machine. After all, everyone does it. Anyone not running javascript is weird, probably not monetizable, and therefore is a bot and doesn't exist.
> if you just turn javascript off that gets rid of 99%
Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
> > if you just turn javascript off that gets rid of 99%
> Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
Basically any webapp with any amount of processing being done on the device becomes unusable if JS is disabled. Photopea's a good example of this.
Yep. Native applications are much faster, more reliable (can't change underneath you unless you let them), incomparibly more private, and generally longer lasting.
Using the web for applications forces you into behavior and situations you wouldn't accept otherwise. Web sites are best made of web pages. Not executable code. And there are still more web sites made out of web pages out there than corporate web apps. The web is huge and there's a lot beyond the top 100 web apps everyone use.
Turning off JS auto-execution helps one avoid falling into those traps as well as avoiding fingerprinting in general. And the vast majority of the non-commercial web still works just fine.
now Imagine that instead of browser, its your phone
that's why many companies tried to get you into their mobile Apps
Yes. Today you cannot register Vk, Google or Telegram account without scanning a QR code from smartphone or installing an app. I am surprised that there are people that agree to go through all these difficulties instead of going to a competitor.
> installing an app
> these difficulties
Because most people do not find it difficult to install an app. And many people started with the mobile app anyway, and/or use their mobile device as their primary computer.
No shit. I was doing this, at internet scale, 10+ years ago. Guess what, then we calculated there were around 1.1 real humans on the internet.
Mullvad Browser is designed to evade browser fingerprinting:
https://mullvad.net/en/browser/browser-fingerprinting
https://mullvad.net/en/browser/mullvad-browser
AFAIK they're just using firefox with RFP enabled by default? Are they doing anything extra?
[dead]
No browser can accurately evade modern fingerprinting techniques like JA3/JA4 or creepjs.