Websites are tracking you via browser fingerprinting

221 gnabgib 131 6/18/2025, 8:55:06 PM engineering.tamu.edu ↗

Comments (131)

Sephr · 1h ago
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”

Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.

legitster · 8h ago
As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).

A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.

> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.

I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.

glaucon · 8h ago
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days

I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).

Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.

While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.

bryanrasmussen · 8m ago
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.

If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.

on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.

ryukoposting · 6h ago
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.

But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?

robin_reala · 2h ago
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.

bitmasher9 · 4h ago
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.

While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.

It’s really not until you take into consideration a few other variables that you could really fingerprint me pretty decently.

normie3000 · 3h ago
Mine says zero percent match for everything, and claims I have a NaN % overall match. Does this site work?

glaucon · 2h ago
Definitely works for me although it was rendering the result a lot faster six hours ago.

kjkjadksj · 2h ago
HN referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.

gruez · 5h ago
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.

I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:

* User agent

* Accept

* Content encoding

* Upgrade Insecure Requests

* User agent

* Platform

* Cookies enabled

* Navigator properties

* BuildID

* Product

* Product sub

* Vendor

* Vendor sub

* Java enabled

* List of plugins (note that plugins were deprecated by major browsers years ago)

* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)

* Audio formats

* Audio context

* Frequency analyser

* Audio data

* Video formats

* Media devices

The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.

* Content language

* Timezone

* Content language

These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.

* Canvas

* List of fonts (JS)

* Use of Adblock

* Hardware concurrency

* Device memory

* WebGL Vendor

* WebGL Renderer

* WebGL Data

* WebGL Parameters

* Keyboard layout

These are basically screen dimensions but repeated several times:

* Screen width

* Screen height

* Screen depth

* Screen available top

* Screen available Left

* Screen available Height

* Screen available width

* Screen left

* Screen top

These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.

* Permissions

* Use of local storage

* Use of session storage

* Use of IndexedDB

These basically boil down to "whether you're using a phone, laptop, or desktop"

* Accelerometer

* Gyroscope

* Proximity sensor

* Battery

* Connection

The last few seem related to flash but since that's been deprecated years ago they're non-issues.

1337biz · 5h ago
Did not the EFF have a long time ago a fingerprint analysis that showed how unique a user profile is?

gruez · 5h ago
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.

Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as a uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".

To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.

codedokode · 1h ago
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after a browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.

> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable

Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.

glaucon · 3h ago
> so any conclusions that you're "unique" (in the world?)

I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people who've volunteered for fingerprinting by this site.

I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is a self-selecting sample.

kalleboo · 5h ago
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best

Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.

socalgal2 · 3h ago
Yea, and it was effectively a lie.

I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking at various statistics of sales, upgrade cycles, etc. there are probably between 500k and 1 million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro).

Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are language, time-zone, font-size, light/dark preference. There isn't anything else an iPhone user can change.

Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the EFF's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)

Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites' ability to fingerprint.

shakna · 2h ago
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.

That results in different nanosecond ranges of performance, for your canvas.

WalterBright · 3h ago
I have no idea what ads they serve me because I have ad blindness. My brain just refuses to perceive them.

Even when they float over the text I am trying to read, I do not see them.

hinterlands · 3h ago
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.

Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.

drdeca · 2h ago
I wouldn’t claim to not notice ads. Especially ads that interrupt videos. I remember quite a few of them. But, even the ones that are initially a little amusing become annoying with repetition, and what initially seemed mildly amusing instead seems just stupid.

I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?

I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).

Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?

I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.

energy123 · 1h ago
Every person says this too, but it ignores the diversity in types of people. I know someone who happily watches ads and makes purchasing decisions off it. I ignore them and do not. I don't believe I am being manipulated by the ads. The companies choose to advertise to target other people, and they lose money serving ads to people like me. But it's still a net win for them.

ojr · 10m ago
I stopped drinking soda this year and alcohol years ago. If you consumed any heavily advertised product this year, then you can't say ads don't work. Including products like Cursor.

godelski · 3h ago
Personally, I block them. But the people running these programs think they can get all of us. They don't seem to understand that the harder they try the more they piss off people like me. Meaning I'll put in more effort to circumvent or poison their data, making them spend a disproportionate amount of money on people like me. At this point I don't think they'll give up, so let's find out who can live the longest. The number of people on my side are growing.

erkt · 3h ago
This is a top tier super power. Ublock on Firefox and AdGuard on iPhone are pretty effective. When I actually see an ad it physically hurts.

godelski · 3h ago
On iPhone check out Orion browser. Blocks ads, even on YouTube. Though sometimes video quality goes low (manually set it higher to fix). Firefox focus also works, but only one tab

If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.

_kidlike · 2h ago
Brave is also extremely effective at removing ads while keeping websites functional (including YouTube). It even has some fingerprinting protection. (and before someone complains, you can disable all the crypto stuff)

godelski · 1h ago
Sure but personally I'm against recommending different flavors of chrome. Brave is a nice idea but it still gives undue power to Google because at the end of the day, they control chromium. It also makes a hard problem for chromium reskins as they keep finding things chromium can use to track their users...

fc417fc802 · 4h ago
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).

The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.

GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.

Installed fonts probably don't change all that frequently.

I'd expect TCP stack fingerprinting to be fairly stable.

That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.

DoctorOetker · 7h ago
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).

I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...

An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or some other app wasn't).

gruez · 5h ago
>consider hardware interrupts and their handling delays depending say on the combination of apps installed

There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.

>the exact gpu driver version, etc ...

If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.

cosmic_cheese · 8h ago
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.

ztetranz · 8h ago
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.

legitster · 8h ago
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.

lucasban · 8h ago
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.

Gigachad · 5h ago
iCloud Private Relay has always kept the IP in the same city for me.

mediumsmart · 5h ago
Mine is also in a city 146 kilometers away.

kul_ · 7h ago
> A lot of the big ad networks right now instead rely heavily on geo-data

How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?

djrj477dhsnv · 6h ago
> ISPs normally will have at least one level of NATing with ipv4.

I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.

kul_ · 6h ago
Not sure about US, but Indian ISPs are doing this already to conserve IP space given huge userbase. In theory it would work similar to how a NAT gateway works for outbound communication. Skan + geo would be hard nut to crack in India.

Gigachad · 5h ago
In Australia most ISPs use CGNAT by default and you have to specifically request a dedicated IP if you want to host a Minecraft server or something.

gruez · 5h ago
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.

kul_ · 4h ago
Assuming an ext-IP (60k ports) can easily represent 100 households if we statically assign ports. Given CGNAT with dynamic port allocation this can easily go up to 5x? That's wildly inaccurate given the core problem is to "target" a small set of users which is based on this geo info. Not sure how well this elephant sits in a room full of engineers solving this specific targeting problem.

fiddlerwoaroof · 7h ago
I’ve never had an unroutable IP in the US

wut42 · 5h ago
CGNAT does not mean unroutable IP, it just means you would only have assigned a small range of ports on a routable IP with others.

kulahan · 7h ago
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.

NoahZuniga · 3h ago
fingerprint.com claims that they can fingerprint a user with >90% accuracy over 120 days. A half-life of a few days is awfully optimistic.

minitech · 8h ago
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).

A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.

legitster · 8h ago
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.

orev · 4h ago
I think you’re thinking that the fingerprint is reported as a single hash (e.g. SHA512) of multiple attributes, which would of course change if a single bit was different. But there’s no reason they would be reported that way. It could be (and probably more likely) a big data structure of all the values. It would be easy to see that only a few things changed.

kemotep · 7h ago
If everything is the same but the browser version, a day later how is that not the same person?

gruez · 5h ago
>it’s stronger.

marginally given that most browsers auto-update.

jgalt212 · 5h ago
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days

True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.

tjpnz · 5h ago
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.

I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).

disambiguation · 8h ago
https://www.amiunique.org/

> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.

Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.

more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than it's worth.

phyzome · 4h ago
"a proper open source browser never took off"

That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)

IshKebab · 6m ago
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.

To be honest it's still better (at least if you ignore the manifest V3 nonsense).

arkh · 1h ago
> then Google used anticompetitive practices to squash it

Not exactly. Apple happened.

Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.

Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.

jaoane · 1h ago
> Every "web designer" had to work on a macbook

Sorry? Why? I must’ve missed that memo :)

ohso4 · 7h ago
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.

1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.

2. You could "blend in with the crowd" and use tor.

Liquix · 2h ago
2. is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for useragent. with JS disabled (best practices for tor) it's even worse. maybe this works for windows users?

(debian, latest tor browser 14.5.3, no modifications)

ec109685 · 7h ago
In two separate private browser windows, I was identified as unique, so does that mean a fingerprint across private browser tabs would not work?

disambiguation · 6h ago
I think it's a matter of "least common denominator" as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.

jcranmer · 8h ago
> it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off.

What makes you disqualify Firefox from being a "proper open source browser"?

nuker · 4h ago
> What makes you disqualify Firefox from being a "proper open source browser"?

- June 2024. Mozilla acquires Anonym, an ad metrics firm.

- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).

- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".

codedokode · 40m ago
Yes "PPA" is absolutely shady, it is a browser cooperating with ad companies behind user's back. I do not understand why I need this on my computer.

disambiguation · 7h ago
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them) but it's the same dilemma as with chrome, the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.

energywut · 6h ago
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.

That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.

While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.

XorNot · 6h ago
This is just making better the enemy of best.

In reality people espouse this opinion then continue using Chrome or Chromium browsers.

disambiguation · 6h ago
see original comment:

> Yet there really is little recourse for privacy enthusiasts

bronson · 8h ago
Firefox never took off.

diggan · 8h ago
At one point, Firefox (3.5 specifically) was #1, for a brief moment:

> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5

Then Chrome appeared and flattened both IE and Firefox.

doublerabbit · 7h ago
lol, and I used neither. Opera all the way until...

arp242 · 5h ago
Millions of people use it. What's the latest usage number? 5% or something?

There's 5 billion people on the internet. 5% of that is 250 million.

Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.

GenerocUsername · 8h ago
Define taking off then. Everyone knows Firefox and some people even like it

ChaoPrayaWave · 29m ago
I've always found fingerprint tracking more disturbing than cookies. At least cookies give you a sense of control. You can clear them, block them, and even isolate them by site. Browser fingerprinting is like an ID card that you can't get rid of even if you don't apply for it.

handsclean · 6h ago
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
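
The uniqueness-versus-persistence distinction in the comment above, together with orev's earlier point that a fingerprint kept as a structure of values survives one changed attribute while a single hash does not, as an added example (not code from any commenter or from the sites named). Every record, the FNV-1a stand-in for a real digest such as SHA-512, and the `minMatches` threshold are constructed assumptions.

```javascript
// Added example. All records are constructed sample data, not measurements.
const ATTRS = ["userAgent", "timezone", "language", "screen", "webglRenderer", "canvas"];

// Attributes shared by everyone in this small constructed population.
const base = { userAgent: "Firefox/139.0", timezone: "America/Chicago",
               language: "en-US", screen: "1920x1080" };

// Day-1 records a hypothetical test site already holds.
const day1 = {
  stockA:  { ...base, webglRenderer: "gpu-model-1", canvas: "c41f" },
  stockB:  { ...base, webglRenderer: "gpu-model-2", canvas: "9be0" },
  // Two users of a browser that reports a generic renderer and a fresh
  // random canvas value in every session.
  randomX: { ...base, webglRenderer: "generic", canvas: "rand-7a21" },
  randomY: { ...base, webglRenderer: "generic", canvas: "rand-03cd" },
};

// Day-2 revisits: stockA auto-updated its browser, randomX drew a new canvas value.
const day2 = {
  stockA:  { ...day1.stockA, userAgent: "Firefox/140.0" },
  randomX: { ...day1.randomX, canvas: "rand-e55b" },
};

// 32-bit FNV-1a, used here only as a dependency-free stand-in for a real digest.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Fingerprint collapsed to one hash: any changed attribute changes the result.
function digest(fp) {
  return fnv1a(ATTRS.map((a) => `${a}=${fp[a]}`).join("|"));
}

// Uniqueness test: "has this exact fingerprint been seen before?"
function uniquenessTest(fp, stored) {
  const seen = new Set(Object.values(stored).map(digest));
  return !seen.has(digest(fp));
}

function matchCount(a, b) {
  return ATTRS.filter((k) => a[k] === b[k]).length;
}

// Persistence test: can the revisit be tied to exactly one stored record?
// Returns that record's label, or null when the best match is weak or tied.
function persistenceTest(fp, stored, minMatches = 4) {
  const scored = Object.entries(stored)
    .map(([label, old]) => ({ label, score: matchCount(fp, old) }))
    .sort((x, y) => y.score - x.score);
  const [best, runnerUp] = scored;
  if (best.score < minMatches) return null;
  if (runnerUp && runnerUp.score === best.score) return null; // lost in the crowd
  return best.label;
}

function evaluate() {
  const out = {};
  for (const [label, fp] of Object.entries(day2)) {
    out[label] = {
      flaggedUnique: uniquenessTest(fp, day1),
      relinkedTo: persistenceTest(fp, day1),
    };
  }
  return out;
}

console.log(evaluate());
```

Both revisits are flagged "unique" by the hash-based test, but only the stock browser is tied back to its earlier record; the randomizing browser ties with another user of the same browser and cannot be singled out.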
jiveturkey · 5h ago
fingerprint.com might have such a result-over-time test?

they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
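The gap handsclean describes above, between a fingerprint being unique and being persistent, as an added simulation that is not part of any comment in the thread: it scores an undefended browser, a binned (letterboxing-style) one and a randomizing one on both measures. The device population, attribute names, 100px bucket and fixed core count are constructed assumptions.

```javascript
// Added example: simulated devices, attribute names and the 100px bucket are constructed.
function mulberry32(seed) {            // small deterministic PRNG for reproducible runs
  let a = seed | 0;
  return () => {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// What a site observes for one page load under each defense.
const bucket = (v) => Math.floor(v / 100) * 100;
const strategies = {
  none:   (d) => `${d.w}x${d.h}|${d.cores}`,
  binned: (d) => `${bucket(d.w)}x${bucket(d.h)}|2`,
  random: (d, rand) =>
    `${d.w + Math.floor(rand() * 1000)}x${d.h + Math.floor(rand() * 1000)}|${1 + Math.floor(rand() * 16)}`,
};

function evaluate(observe, devices, rand) {
  const visit1 = devices.map((d) => observe(d, rand));
  const visit2 = devices.map((d) => observe(d, rand));
  const seen = new Map();
  for (const fp of visit1) seen.set(fp, (seen.get(fp) || 0) + 1);
  let unique = 0, persistent = 0, linkable = 0;
  devices.forEach((_, i) => {
    const isUnique = seen.get(visit1[i]) === 1;   // what a uniqueness-only test reports
    const isStable = visit2[i] === visit1[i];     // same value on the return visit
    if (isUnique) unique++;
    if (isStable) persistent++;
    if (isUnique && isStable) linkable++;         // tracking needs both at once
  });
  const n = devices.length;
  return { unique: unique / n, persistent: persistent / n, linkable: linkable / n };
}

function simulate(n = 300, seed = 1) {
  const rand = mulberry32(seed);
  const pick = (lo, hi) => lo + Math.floor(rand() * (hi - lo));
  const devices = Array.from({ length: n }, () => ({
    w: pick(1000, 2000), h: pick(600, 1200), cores: [2, 4, 8, 16][pick(0, 4)],
  }));
  const report = {};
  for (const [name, observe] of Object.entries(strategies)) {
    report[name] = evaluate(observe, devices, rand);
  }
  return report;
}

console.table(simulate());
```

A uniqueness-only score puts the randomizing browser next to the undefended one; the `linkable` column is what separates them.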

codedokode · 48m ago
It is noteworthy that there are browsers that resist fingerprinting much better than Chrome or Firefox. But these browsers are made not by reputable companies but by shady Russian hackers; they are called "anti-detect browsers". Their purpose is to allow using multiple social network accounts from one machine and avoid getting banned for this.
diggan · 8h ago
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.

> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548

Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.

Izmaki · 2h ago
The Tor Browser has been using predetermined window sizes for years for this reason exactly. It can hardly be "new research".
Leo-thorne · 53m ago
I used to think incognito mode was enough, until I found out browser fingerprinting is even worse than cookies. It tracks so many tiny details that sometimes it can recognize you even after switching devices. These days, going online feels like being watched.
halb · 10h ago
This is a problem because unlike cookies, which are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain. It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain information about a victim, simply by collecting their fingerprint.
pdonis · 6h ago
My question is, why do browsers share all that information with websites in the first place?
fellatio · 1h ago
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.

To be less of a fingerprint you'd need to remove JS from the entire web.

arp242 · 5h ago
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.

The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.

pdonis · 4h ago
> most of it is useful or even needed

From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?

> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.

Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.

fc417fc802 · 4h ago
The first point - there are usecases but it probably all ought to be user prompted. The vast majority of sites don't need any of it. For example when testing webgpu on chromium I had to globally enable it with a flag which prompted a security warning. A per-site prompt would have been much more secure - I was only using it on localhost.

The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.

kevincox · 3h ago
> screen resolution

Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.

> time zone

Most people expect to see times in their local time.

> device model

This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.

Gigachad · 5h ago
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.

The referer field has had the path removed or even dropped outright for some browsers.

pdonis · 4h ago
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.

Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.

What I don't understand is why browsers are sharing lots of other information beyond the user agent string.

Gigachad · 4h ago
Because they pretty much all power some kind of actual functionality. Users want the website to show up in their timezone, in their language, and to respect the light/dark mode options. Those are all legitimate functions, which also get used for tracking.

Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.

neilv · 5h ago
My theory:

Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.

Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".

usr1106 · 2h ago
That fingerprints exist is nothing new to someone who has visited https://amiunique.org whenever I get a new device or install a new distro for many years. (It also tells me that the project is not very alive, they had the same job offer for many years.)

So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.

28304283409234 · 5h ago
Okay, but what ads? All that energy wasted on fingerprinting me to serve me ads I block.
ohso4 · 7h ago
check out https://coveryourtracks.eff.org

There really is no way to combat fingerprinting, other than using Tor on the "safest" mode. <- which disables javascript and some other stuff.

otherwise, you're fingerprintable.

also, check out https://demo.fingerprint.com/playground

codedokode · 53m ago
There is a way - provide random garbage via browser APIs, for example, fake GPU name, fake core count, fake IP addresses for WebRTC. But browser vendors do not want to do it. You have to compile your own browser.

Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.

chistev · 49m ago
Maybe this is why Reddit keeps suspending me?
bradley13 · 2h ago
Why do browsers share so much information? A standards-compliant website has no need to know which browser version I am using, which operating system I am running, etc.
shakna · 2h ago
One of the more effective techniques is measuring the speed at which JS renders to your canvas. That's a sidechannel I don't think can be closed easily.

As long as JS exists, there will be effective means to examine the sandbox.

(I do agree they have unsafe defaults info. It's just removing it isn't enough.)

jaoane · 1h ago
Is this a reliable metric? One would think there would be lots of jitter. But if you combine with something else like IP address it may be useful.
shakna · 56m ago
There is some noise, but there are bounds. Everyone tends to have fairly common habits and periods of transition into new habits; combined with IPs, or geolocation, or screen sizes, you can fairly accurately pin individual devices.

Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.

Various places have used it since before '14. But here's one random paper that goes into more depth. [0]

[0] https://www.ndss-symposium.org/wp-content/uploads/2022-93-pa...

fellatio · 1h ago
You can avoid this by using curl. Half kidding.
begueradj · 3h ago
First evidence? It had been in use for quite a good time.

Quoted:

"Mid-2010s: Browser fingerprinting became more prevalent, with research indicating its use by various websites and advertising companies."

diogenes_atx · 6h ago
gruez · 5h ago
AFAIK they're just using firefox with RFP enabled by default? Are they doing anything extra?

southernplaces7 · 2h ago
I've got my serious questions about the methodology of these fingerprinting techniques.
bofaGuy · 4h ago
If I am unique every time I reload the page in a new private window, that means the fingerprint is not the same as the last time I visited right?
masteruvpuppetz · 3h ago
so if i use Network Chuck's world's most secure browser, will it help? Link below

https://www.youtube.com/watch?v=799uhYUxtvA&pp=ygUOI2NyZWF0Z...

jpalawaga · 7h ago
Has anyone made a plugin that forces your browser to resize slightly to help avoid fingerprinting? I feel like this is an annoyance I could tolerate, even if over the course of a day or two it causes me to resize it manually to something larger.
handsclean · 6h ago
Firefox has this built in, about:config privacy.resistFingerprinting.letterboxing. It was contributed upstream by Tor, and off by default in Firefox.

Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.

ohso4 · 7h ago
Plugins are an issue themselves. They're used for fingerprinting too!
paulryanrogers · 7h ago
They've been around a while. Here's the top Google Result: https://chromewebstore.google.com/detail/canvas-fingerprint-...

I think Privacy Badger may also do it.

zeech · 7h ago
The name for that is letterboxing. The Tor Browser (and the Mullvad browser, based on the Tor one, and Firefox as of v. 67 with an about:config flag) all support it.

There are also add-ons that perform the same basic function with some added customisability [0].

[0] https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...

soared · 6h ago
It doesn’t look like I can access the paper - does it list what ad networks, SSPs, DSPs, advertisers, etc. they analyzed?
mediumsmart · 5h ago
They don’t have mine but since they have everyone else’s they know who I am anyway.
voidUpdate · 36m ago
"And we were like, "We know but, hey" "
Aeglaecia · 37m ago
chat gpt works in incognito fullscreen but not resized in any way fyi
taytus · 2h ago
this is like a 15 years old thing
leptons · 8h ago
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,”

Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.

martinky24 · 8h ago
They said "hard proof". Can you point to openly available "hard proof"? Otherwise your reply is just snark that doesn't add much.
mbrubeck · 5h ago
From over a decade ago, a paper on then-commercially-available browser fingerprinting tech, including a study of its deployment in the wild:

https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).

antonok · 8h ago
As someone who's been building an adblocker for the last 6 years: yes, there's plenty of proof in the devtools console on more websites than you'd think.

Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.

[1] https://github.com/fingerprintjs/fingerprintjs

[2] https://github.com/easylist/easylist/blob/132813613d04b7228c...

JimDabell · 7h ago
Why do you think a porn site was trying to access MIDI devices? To play some smooth jazz?

https://www.obsessivefacts.com/images/blog/2020-04-04-the-ja...

https://news.ycombinator.com/item?id=23679063

ada1981 · 5h ago
If you want to see your fingerprint, I found this site: https://amiunique.org/fingerprint
nickyco · 2h ago
My web browser is abrowser (firefox derivative) and I am not using Windows like it says. I do have my javascript restricted though. The site considers my computer unique.
tonyhart7 · 5h ago
now imagine that instead of browser, it's your phone

that's why many companies tried to get you into their mobile Apps

codedokode · 57m ago
Yes. Today you cannot register Vk, Google or Telegram account without scanning a QR code from smartphone or installing an app. I am surprised that there are people that agree to go through all these difficulties instead of going to a competitor.
superkuh · 8h ago
Luckily most of this is done by web devs using their normal tools which means if you just turn javascript off that gets rid of 99%. Sure, there are ad companies and related out there using actual webserver logs but more and more it's relying on you the user blindly executing their code on your machine. After all, everyone does it. Anyone not running javascript is weird, probably not monetizable, and therefore is a bot and doesn't exist.
azangru · 7h ago
> if you just turn javascript off that gets rid of 99%

Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.

x-complexity · 4h ago
> > if you just turn javascript off that gets rid of 99%

> Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.

Basically any webapp with any amount of processing being done on the device becomes unusable if JS is disabled. Photopea's a good example of this.