As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
glaucon · 2h ago
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
ryukoposting · 1h ago
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
gruez · 39m ago
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
1337biz · 11m ago
Did not the EFF have a long time ago a fingerprint analysis that showed how unique a user profile is.
DoctorOetker · 2h ago
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
gruez · 32m ago
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
kul_ · 1h ago
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
gruez · 29m ago
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
djrj477dhsnv · 1h ago
> ISPs normally will have at least one level of NATing with ipv4.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
kul_ · 1h ago
Not sure about US, but Indian ISPs are doing this already to conserve IP space given huge userbase. In theory it would work similar to how a NAT gateway works for outbound communication. Skan + geo would be hard nut to crack in India.
Gigachad · 14m ago
In Australia most ISPs use CGNAT by default and you have to specifically request a dedicated IP if you want to host a Minecraft server or something.
fiddlerwoaroof · 1h ago
I’ve never had an unroutable IP in the US
wut42 · 47m ago
CGNAT does not means unroutable IP, it just means you would only have assigned a small range of ports on a routable IP with others.
kulahan · 1h ago
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
cosmic_cheese · 3h ago
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
ztetranz · 2h ago
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
Gigachad · 14m ago
iCloud Private Relay has always kept the IP in the same city for me.
mediumsmart · 3m ago
Mine is also in a city 146 kilometers away.
lucasban · 3h ago
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
legitster · 3h ago
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
minitech · 3h ago
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
legitster · 2h ago
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
kemotep · 2h ago
If everything is the same but the browser version, a day later how is that not the same person?
gruez · 27m ago
>it’s stronger.
marginally given that most browsers auto-update.
tjpnz · 44m ago
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
mediumsmart · 11s ago
They don’t have mine but since they have everyone else’s they know who I am anyway.
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
ohso4 · 1h ago
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
ec109685 · 2h ago
In two separate private browser windows, I was identified as unique, so does that mean a fingerprint across private browser tabs would not work?
disambiguation · 1h ago
I think its matter of "least common denominator" as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
jcranmer · 3h ago
> it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off.
What makes you disqualify Firefox from being a "proper open source browser"?
disambiguation · 2h ago
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them) but its the same dilemma as with chrome, the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
energywut · 1h ago
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
XorNot · 1h ago
This is just making better the enemy of best.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
disambiguation · 1h ago
see original comment:
> Yet there really is little recourse for privacy enthusiasts
bronson · 2h ago
Firefox never took off.
diggan · 2h ago
At one point, Firefox (3.5 specifically) was #1, for a brief moment:
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
doublerabbit · 2h ago
lol, and I used neither. Opera all the way until...
arp242 · 18m ago
Millions of people use it. What's the latest usage number? 5% or something?
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
GenerocUsername · 2h ago
Define taking off then. Everyone knows Firefox and some people even like it
handsclean · 1h ago
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
jiveturkey · 48m ago
fingerprint.com might have such a result-over-time test?
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
pdonis · 48m ago
My question is, why do browsers share all that information with websites in the first place?
Gigachad · 8m ago
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
arp242 · 23m ago
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
neilv · 15m ago
My theory:
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
diggan · 3h ago
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
halb · 4h ago
This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain.
It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain informations about a victim, simply by collecting their fingerprint.
diogenes_atx · 1h ago
Mullvad Browser is designed to evade browser fingerprinting:
AFAIK they're just using firefox with RFP enabled by default? Are they doing anything extra?
soared · 1h ago
It doesn’t look like I can access the paper - does it list what ad networks, SSPS, DSPs, advertisers, etc they analyzed?
jpalawaga · 2h ago
Has anyone made a plugin that forces your browser to resize slightly to help avoid fingerprinting? I feel like this is an annoyance I could tolerate, even if over the course of a day or two it causes me to resize it manually to something larger.
handsclean · 1h ago
Firefox has this built in, about:config privacy.resistFingerprinting.letterboxing. It was contributed upstream by Tor, and off by default in Firefox.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
now Imagine that instead of browser, its your phone
that's why many companies tried to get you into their mobile Apps
superkuh · 2h ago
Luckily most of this is done by web devs using their normal tools which means if you just turn javascript off that gets rid of 99%. Sure, there are ad companies and related out there using actual webserver logs but more and more it's relying on you the user blindly executing their code on your machine. After all, everyone does it. Anyone not running javascript is weird, probably not monetizable, and therefore is a bot and doesn't exist.
azangru · 2h ago
> if you just turn javascript off that gets rid of 99%
Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
leptons · 3h ago
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,”
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
martinky24 · 3h ago
They said "hard proof". Can you point to openly available "hard proof"? Otherwise your reply is just snark that doesn't add much.
antonok · 2h ago
As someone who's been building an adblocker for the last 6 years: yes, there's plenty of proof in the devtools console on more websites than you'd think.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
marginally given that most browsers auto-update.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
What makes you disqualify Firefox from being a "proper open source browser"?
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
> Yet there really is little recourse for privacy enthusiasts
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
The referer field has had the path removed or even dropped outright for some browsers.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
https://mullvad.net/en/browser/browser-fingerprinting
https://mullvad.net/en/browser/mullvad-browser
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
I think Privacy Badger may also do it.
There really is no way to combat fingerprinting, other than using Tor on the "safest" mode. <- which disables javascript and some other stuff.
otherwise, you're fingerprintable.
also, check out https://demo.fingerprint.com/playground
that's why many companies tried to get you into their mobile Apps
Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
[1] https://github.com/fingerprintjs/fingerprintjs [2] https://github.com/easylist/easylist/blob/132813613d04b7228c...
https://www.obsessivefacts.com/images/blog/2020-04-04-the-ja...
https://news.ycombinator.com/item?id=23679063