As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique, but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
* Content language
* Timezone
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
* Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveillance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
> A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though it seems like more trouble than it's worth.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows own biases about academia vs industry more than anything else.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
I’m not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It’s kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto because uh-oh a pub key would give you a “super-cookie” so we can’t have that.
I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."
You know what's tracking you more than websites? Apps! You know why sites want you to install an app and keep begging you to install one? Because all the protections a browser adds to make it hard to track disappear once you're in an app. They require you to login, then they share all your data with anyone and everyone.
My app doesn't do that. The reason I push the app is because we don't ask for your email address, so the only way I have to notify you of new messages or stuff is via an app. Apps are sticky, websites aren't.
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
CreepJS[0] allows you to "add a signature" (basically give your fingerprint a name). If you re-open the page, and it can correlate your fingerprint, it will show you your signature.
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain.
It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain informations about a victim, simply by collecting their fingerprint.
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
Even when they float over the text I am trying to read, I do not see them.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
marginally given that most browsers auto-update.
Most browsers with fingerprint protections will for example introduce random noise in graphics and audio APIs.
What makes you disqualify Firefox from being a "proper open source browser"?
For almost 10 years now or some version of it. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.
https://petsymposium.org/popets/2021/popets-2021-0004.pdf
[0] https://abrahamjuliot.github.io/creepjs/
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.