As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique, but when I look down the list 16/58 JavaScript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number; another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
The problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique; it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
> but when I look down the list 16/58 JavaScript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo IP, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
* Content language
* Timezone
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
* Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveillance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus IIRC, there are browser mitigations against font enumeration for fingerprinting.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover, timing resolution in JavaScript has been nerfed for several years now because of fears of Spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
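The quoted documentation describes a visitor hash built only from attributes the web server sees, and warns that intranet visitors behind one IP on identical device setups collapse onto a single hash. The following is an added illustration, not Siteimprove's code: it builds such a hash from the client IP and a few request headers, rotates a salt so hashes cannot be linked across periods, and counts how many distinct users share each hash on a constructed sample of traffic. The header set, the salt scheme, the hash function and the sample requests are all assumptions.

```javascript
// Added example (not Siteimprove's code): a server-side "visitor hash" from request
// attributes only, plus a check for the intranet collision described above.
// Header set, salt scheme and sample traffic are assumptions made for illustration.

// FNV-1a (32-bit), inlined so the example runs with no dependencies. A production
// system would use a keyed cryptographic hash such as HMAC-SHA-256 instead.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Only attributes the web server itself sees: client IP and a few request headers.
// `salt` is rotated (e.g. daily) so a hash cannot be linked across rotation periods.
function visitorHash(req, salt) {
  const fields = [
    req.ip,
    req.headers["user-agent"] || "",
    req.headers["accept-language"] || "",
    req.headers["accept-encoding"] || "",
  ];
  return fnv1a(salt + "|" + fields.join("|"));
}

// Group requests by hash and return, largest first, how many distinct real users
// share each hash. `req.user` is a constructed ground-truth label for the demo only;
// a real server never has it, which is exactly why collisions go unnoticed.
function collisionReport(requests, salt) {
  const byHash = new Map();
  for (const req of requests) {
    const h = visitorHash(req, salt);
    if (!byHash.has(h)) byHash.set(h, new Set());
    byHash.get(h).add(req.user);
  }
  return [...byHash.values()].map((users) => users.size).sort((a, b) => b - a);
}

// Constructed sample traffic (RFC 5737 documentation addresses).
const CORP_HEADERS = {
  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0",
  "accept-language": "en-US,en;q=0.5",
  "accept-encoding": "gzip, deflate, br",
};
const sampleRequests = [
  // Two home users on different ISP addresses and different browsers: distinct hashes.
  { user: "alice", ip: "203.0.113.10", headers: {
      "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0",
      "accept-language": "en-GB,en;q=0.5", "accept-encoding": "gzip, deflate, br" } },
  { user: "bob", ip: "198.51.100.7", headers: {
      "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
      "accept-language": "de-DE,de;q=0.9", "accept-encoding": "gzip, deflate" } },
  // Three intranet users behind one egress IP on a managed fleet with identical
  // browser builds: the server sees identical attributes, so they share one hash.
  { user: "carol", ip: "192.0.2.1", headers: { ...CORP_HEADERS } },
  { user: "dave",  ip: "192.0.2.1", headers: { ...CORP_HEADERS } },
  { user: "erin",  ip: "192.0.2.1", headers: { ...CORP_HEADERS } },
];

// Any hash shared by more than one user means the analytics would undercount visitors.
function hasCollisions(requests, salt) {
  return collisionReport(requests, salt)[0] > 1;
}

console.log("users per hash:", collisionReport(sampleRequests, "salt-2025-06-01"));
console.log("collisions:", hasCollisions(sampleRequests, "salt-2025-06-01"));
```

Two things are worth noticing when running it: the three intranet requests produce one hash, which is the undercounting the documentation recommends excluding such domains for, and the same request hashed under two different salts produces two unlinkable values, which is how a site operator bounds how long the hash can follow a visitor.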
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
More idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though it seems like more trouble than it's worth.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> then Google used anticompetitive practices to squash it
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
Option 2 is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for user agent. With JS disabled (best practice for Tor) it's even worse. Maybe this works for Windows users?
(debian, latest tor browser 14.5.3, no modifications)
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Because the users of web browsers expect compatibility. If one vendor unilaterally decides to stop supporting some browser APIs, the result isn't better privacy. The result is that people switch to other browsers.
If you have Firefox with "resist fingerprinting" enabled then you are feeding it some dummy data. People worry about the fact that this might make you "unique," but fail to grasp that if you look differently unique every time you're not necessarily identifiable.
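Two earlier points in this thread are easier to see in code: that a fingerprint is a bundle of signals, so a tracker can link observations on the signals that did not change (the "less-specific fingerprint made by the remaining signals" comment above), and the point here that dummy data only helps if enough signals look different each time. The block below is an added example, not code from the article, the paper or any commenter: it scores two observations by the fraction of signals they share and links an incoming observation to a known profile when the score reaches a threshold. Signal names, the threshold, and the sample observations are all assumptions.

```javascript
// Added example (not from the article or any commenter): link fingerprint observations
// by the share of signals they have in common instead of by exact match.
// Signal names, the threshold and the sample observations are assumptions.

// The signals one observation carries; each is compared for exact equality.
const SIGNALS = [
  "userAgent", "platform", "timezone", "language", "screen",
  "hardwareConcurrency", "deviceMemory", "webglRenderer", "canvasHash", "fontsHash",
];

// Exact-match tracking: any single changed signal breaks the link.
function exactMatch(a, b) {
  return SIGNALS.every((k) => a[k] === b[k]);
}

// Fraction of signals with identical values, in [0, 1].
function similarity(a, b) {
  let same = 0;
  for (const k of SIGNALS) if (a[k] === b[k]) same++;
  return same / SIGNALS.length;
}

// Return {id, score} for the best-matching known profile whose similarity reaches
// the threshold, or null. One or two drifting signals do not break the link.
function linkObservation(known, incoming, threshold = 0.8) {
  let best = null;
  for (const [id, fp] of Object.entries(known)) {
    const score = similarity(fp, incoming);
    if (score >= threshold && (best === null || score > best.score)) best = { id, score };
  }
  return best;
}

// Constructed observations of one machine on successive visits.
const day1 = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0",
  platform: "Linux x86_64",
  timezone: "Europe/Berlin",
  language: "en-GB",
  screen: "2560x1440x24",
  hardwareConcurrency: 8,
  deviceMemory: 8,
  webglRenderer: "Mesa Intel(R) UHD Graphics 620",
  canvasHash: "c0ffee01",   // constructed stand-in for a canvas rendering hash
  fontsHash: "f0475a11",    // constructed stand-in for a font-list hash
};
// Day 2: only the browser version bumped (9 of 10 signals unchanged).
const day2 = { ...day1, userAgent: day1.userAgent.replaceAll("139.0", "140.0") };
// Day 3: version bump and laptop undocked from its external monitor (8 of 10 unchanged).
const day3 = { ...day2, screen: "1920x1080x24" };
// A browser that spoofs or randomizes four signals per session (6 of 10 unchanged).
const randomized = {
  ...day1,
  userAgent: "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0",
  webglRenderer: "Generic Renderer",
  canvasHash: "7e1a90bc",
  fontsHash: "3d44f2a0",
};

const known = { "fp-1": day1 };

console.log("day2 exact match:", exactMatch(day1, day2));          // false
console.log("day2 linked:", linkObservation(known, day2));          // fp-1, 0.9
console.log("day3 linked:", linkObservation(known, day3));          // fp-1, 0.8
console.log("randomized linked:", linkObservation(known, randomized)); // null
```

The threshold is the whole story from the defender's side: a version bump or a resolution change leaves the profile far above 0.8 and the link survives even though an exact-match tracker would have lost it, while a browser that makes several high-entropy signals look different every session pushes the score below the threshold and the observation is not linked, which is what the comment above means by "differently unique every time".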
I think it's a matter of "least common denominator": the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals who were (at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user-hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them), but it's the same dilemma as with Chrome: the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows own biases about academia vs industry more than anything else.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
They consider me to have different visitor IDs when opening their demo page[1] in a regular window, and an incognito window on the same device. If this is state of the art I'm not too worried.
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
This has suddenly made me wonder how often fingerprinting of installed fonts is used to find targets working for particular companies. Quite a lot of organisations now have their own font, or a particular uncommon font they favour for brand purposes at least.
I'm not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It's kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto because uh-oh, a pub key would give you a "super-cookie" so we can't have that.
I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."
You know what's tracking you more than websites? Apps! You know why sites want you to install an app and keep begging you to install one? Because all the protections a browser adds to make it hard to track disappear once you're in an app. They require you to login, then they share all your data with anyone and everyone.
My app doesn't do that. The reason I push the app is because we don't ask for your email address, so the only way I have to notify you of new messages or stuff is via an app. Apps are sticky, websites aren't.
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
CreepJS[0] allows you to "add a signature" (basically give your fingerprint a name). If you re-open the page, and it can correlate your fingerprint, it will show you your signature.
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain.
It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain information about a victim, simply by collecting their fingerprint.
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, or liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
TimezoneContent language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveillance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
can websites really see installed plugins?
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are browser mitigations against font enumeration for fingerprinting.
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (e.g. cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would be unlikely to change all timing distributions (since perhaps the GPU driver wasn't updated, or some other app wasn't).
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution in JavaScript was nerfed several years ago because of fears of Spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors.
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
Even when they float over the text I am trying to read, I do not see them.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
The ads are then in a language I don't even understand... and for products not for sale in my country.
If I change to for example Hong Kong, all Spotify, YouTube etc. are then for HK/Chinese products and spoken in Mandarin/Cantonese.
I change country daily, it's good fun.
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
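A constructed illustration of the linking logic described in this comment and in the earlier "80% similarity with my old fingerprint ... my old fingerprint goes dark" comment, added here as example code (not from any commenter, vendor or project). The attribute names, stability weights, threshold and sample fingerprints are all invented for the example; it shows why a version-only change barely dents linkability, which is the same reason randomizing a single attribute is a weak defense.

```javascript
// Constructed per-attribute stability weights: how much a matching value is
// worth as evidence of "same client". Version-like and geo-correlated
// attributes carry little weight; hardware, GPU and font data carry more.
const STABILITY = {
  browserVersion: 0.5,     // auto-updates regularly
  language: 0.5,           // largely redundant with geo IP
  timezone: 0.5,
  screen: 2.0,             // changes only with a new monitor or desktop
  gpuRenderer: 3.0,        // WebGL renderer string
  fontsHash: 3.0,          // hash over the enumerated font list
  hardwareConcurrency: 1.5,
  deviceMemory: 1.5,
};

// Weighted fraction of attributes whose values match, in [0, 1].
// An attribute missing on either side counts as a mismatch.
function similarity(a, b) {
  let matched = 0, total = 0;
  for (const [attr, weight] of Object.entries(STABILITY)) {
    total += weight;
    if (attr in a && attr in b && a[attr] === b[attr]) matched += weight;
  }
  return matched / total;
}

// Link a newly seen fingerprint against those previously seen from the same
// network. A candidate is only considered if it has "gone dark" (not observed
// for quietMs, i.e. it looks like a replacement rather than a second device),
// and it must clear the similarity threshold. Returns {id, score} or null.
function linkFingerprint(newFp, known, now, { threshold = 0.8, quietMs = 6 * 3600e3 } = {}) {
  let best = null;
  for (const k of known) {
    if (now - k.lastSeen < quietMs) continue;       // still active: skip
    const score = similarity(newFp, k.fp);
    if (score >= threshold && (!best || score > best.score)) best = { id: k.id, score };
  }
  return best;
}

// Constructed sample: one laptop before/after a browser auto-update, and a phone
// behind the same IP. Only the laptop pair should link.
const BASE = { browserVersion: '139.0', language: 'en-US', timezone: 'Europe/Berlin',
  screen: '2560x1440x24', gpuRenderer: 'ANGLE (Intel, Iris Xe)', fontsHash: 'f00d',
  hardwareConcurrency: 8, deviceMemory: 16 };
const UPDATED = { ...BASE, browserVersion: '140.0' };
const PHONE = { ...BASE, screen: '390x844x32', gpuRenderer: 'Apple GPU', fontsHash: 'beef',
  hardwareConcurrency: 6, deviceMemory: 4 };
const KNOWN = [{ id: 'laptop', fp: BASE, lastSeen: 0 }];
```

With these weights the updated laptop scores 0.96 against its old fingerprint and the phone only 0.12, so `linkFingerprint(UPDATED, KNOWN, 7 * 3600e3)` links while the phone does not.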
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
marginally given that most browsers auto-update.
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though it seems like more trouble than it's worth.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
Not exactly. Apple happened.
Every "web designer" had to work on a MacBook to be different like everyone else. And Firefox had dismal performance on those MacBooks, so said designers turned to the only browser with good tools and good enough performance: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
1. You could (however, I doubt the effectiveness) use something like Brave, which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use Tor.
(debian, latest tor browser 14.5.3, no modifications)
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Most browsers with fingerprint protections will for example introduce random noise in graphics and audio APIs.
What makes you disqualify Firefox from being a "proper open source browser"?
- June 2024. Mozilla acquires Anonym, an ad metrics firm.
- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).
- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
It is clearly in these companies' best interest to use these things for snooping on the world's internet users.
For almost 10 years now or some version of it. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.
[1]: https://fingerprintjs.github.io/fingerprintjs/
https://petsymposium.org/popets/2021/popets-2021-0004.pdf
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
Most of the bullshit over the past couple decades has been them trying to pull control back to server-side.
Yeah, hard pass.
[0] https://abrahamjuliot.github.io/creepjs/
they are tops in fingerprinting-as-a-service AFAIK. Meta and Google are probably the only ones better.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
To be less of a fingerprint you'd need to remove JS from the entire web.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The referer field has had the path removed or even dropped outright for some browsers.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, or liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".