A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
If I change to for example Hong Kong, all Spotify, YouTube etc are them for hk/Chinese products and spoken in Mandarin/Cantonese.
I change country daily, it's good fun.
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
marginally given that most browsers auto-update.
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
Basically, ”NVIDIA Corporation” means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
No need to use such self-deprecating language.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking various statics of sales, upgrade cycles, etc there are probably at between 500k of 1million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro)
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are langauge, time-zone, font-size, light/dark preference. There's isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the Eff's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
That results in different nanosecond ranges of performance, for your canvas.
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particlar. They don't produce different results
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
No one enjoys a conversation with a blank wall.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (ie. it varies between devices of the same model) actually exist?
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
https://hovav.net/ucsd/dist/canvas.pdf
https://securehomes.esat.kuleuven.be/~gacar/persistent/the_web_never_forgets.pdf
https://doi.org/10.14722%2Fndss.2022.24093
https://web.archive.org/web/20141228070123/http://webcookies.org/canvas-fingerprinting/
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
But as these things don't sit still, a small perusal of any of the above links would give you the information you seek.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
For example, my default mode is no JS. If JS must be used then cache, cookies, history, etc. are erased by default (usually they are anyway). I use multiple machines and they have multiple browsers (there's five on this phone alone), and if I think it's important I'll change browsers between sessions for a given site—that also means an IP address change (router reboots, etc.). On Android, remove all Google apps, have no Google account, use a firewall and only allow apps from F-Droid to have internet access.
Can't say I've clicked on an add in 20 years unless accidentally, and anyway I see them very rarely sans JS. If I do I never linger over them to give the impression I'm reading them.
Browsers have block lists some very extensive (e.g. Privacy Browser), so do OSes' hosts files, location is off, etc. There's other stuff too but you get the gist.
Why bother you ask. Before the internet I could look at adds in magazines, buy something without giving name, rank and serial number, and or my address, or phone number and so on and be pretty certain manufacturers and advertising agencies weren't tracking me.
In short, I had some autonomy I could call my own.
So why is it now a prerequisite to give all that personal stuff away just because I've joined the internet? That wasn't the plan when the internet was devised.
I see what I do as basic self protection.
A final point: what the internet desperately needs is a JavaScript engine that users can tailor to their individual needs. Randomize, machine details, cookie info, and so on. A well designed engine could feed copious junk info back to websites and spoof itself as a 'genuine' engine to the extent that websites wouldn't know what's genuine and what's not.
Widespread use of such a JS engine could do considerable damage to these snooping bastards. The big question is why the hacking community hasn't yet come up with one.
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
Hardware interrupts are a standard part of computing. (see https://en.wikipedia.org/wiki/Interrupt#Hardware_interrupts)
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2016-oakland-interrupt.pdf
It's been awhile since I've looked closely at anything related to phones, but for decades /proc/interrupts was globally readable. It may still be.
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefor, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
Just like how when you do NAT for your home network, your devices get assigned non-routable private use only address space.
Unroutable meaning not publicly routable. Of course you can route traffic through your own LAN to your Internet gateway.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymization
Even when they float over the text I am trying to read, I do not see them.
If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists vor various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden longtime costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper west is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
The ads are then in a language I don't even understand.. and for products not for sale in my country.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveilance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
can websites really see installed plugins?
All of this is easily detected, can I ping X, can I see DOM Y, etc.
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are broswer mitigations against font enumeration for fingerprinting.
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
[1] https://github.com/fingerprintjs/fingerprintjs [2] https://github.com/easylist/easylist/blob/132813613d04b7228c3d43bd21f3fa13077edaec/easyprivacy/easyprivacy_general.txt#L908-L913
https://www.obsessivefacts.com/images/blog/2020-04-04-the-javascript-black-hole/xhamster-cropped.png
https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
What makes you disqualify Firefox from being a "proper open source browser"?
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
> Yet there really is little recourse for privacy enthusiasts
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
- June 2024. Mozilla acquires Anonym, an ad metrics firm.
- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).
- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
(debian, latest tor browser 14.5.3, no modifications)
I've always used it inside of whonix, and when I tested it, it seemed like everything was fine.
When you disable js you need to do so by setting tor to Safest.
The font list should be spoofed by tor?
Anyway, you can fix all of that just by using whonix and setting tor to safest.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
Sorry? Why? I must’ve missed that memo :)
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Most browsers with fingerprint protections will for example introduce random noise in graphics and audio APIs.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
> Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
Basically any webapp with any amount of processing being done on the device becomes unusable if JS is disabled. Photopea's a good example of this.
Using the web for applications forces you into behavior and situations you wouldn't accept otherwise. Web sites are best made of web pages. Not executable code. And there are still more web sites made out of web pages out there than corporate web apps. The web is huge and there's a lot beyond the top 100 web apps everyone use.
Turning off JS auto-execution helps one avoid falling into those traps as well as avoiding fingerprinting in general. And the vast majority of the non-commercial web still works just fine.
There are also add-ons that perform the same basic function with some added customisability [0].
[0] https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
I think Privacy Badger may also do it.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
There really is no way to combat fingerprinting, other than using Tor on the "safest" mode. <- which disables javascript and some other stuff.
otherwise, you're fingerprintable.
also, check out https://demo.fingerprint.com/playground
Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
Mozilla/5.0 (Linux; U; Android 15; zh-CN; V2301A Build/AP3A.240905.015.A2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.80 Quark/7.13.1.851 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 13; STYLO RAIN Build/TP1A.220624.014) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.89 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 14; moto g04 Build/ULA34.89-193; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/137.0.7151.89 Mobile Safari/537.36
This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
How many websites is this actually an issue for? I know web developers get all impressed with themselves about putting fancy images on their web pages, but the vast majority of them are simply useless decoration.
> Most people expect to see times in their local time.
So have a built-in widget in the browser that takes a time in UTC from the server and converts it to local time (if the user has that setting enabled in their browser settings) based on the computer's time zone.
Even client side Javascript could do this without having to tell the server anything about the client's time zone.
> can be useful for showing the right download button
How about just letting the user select the right download button?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
The referer field has had the path removed or even dropped outright for some browsers.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
To be less of a fingerprint you'd need to remove JS from the entire web.
that's why many companies tried to get you into their mobile Apps
> these difficulties
Because most people do not find it difficult to install an app. And many people started with the mobile app anyway, and/or use their mobile device as their primary computer.
https://www.youtube.com/watch?v=799uhYUxtvA&pp=ygUOI2NyZWF0ZWJyb3dzZXI%3D
Quoted:
"Mid-2010s: Browser fingerprinting became more prevalent, with research indicating its use by various websites and advertising companies."
As long as JS exists, there will be effective means to examine the sandbox.
(I do agree they have unsafe defaults info. It's just removing it isn't enough.)
Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.
Various places have used it since before '14. But here's one random paper that goes into more depth. [0]
[0] https://www.ndss-symposium.org/wp-content/uploads/2022-93-paper.pdf
So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
For almost 10 years now or some version of it. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.
Most of the bullshit over the past couple decades has been them trying to pull control back to server-side.
Yeah, hard pass.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
It is clearly in these companies best interest to use these things for snooping on the world’s internet users.
As a user who doesn't have a horse in this race (I work for a "captive clients" company, so ads don't help much, nor do we sell any ads), what I notice is that ads I'm served are absolutely absurd. It's either Google Maps trying to sell me some hotel 50 meters from my home (I live alone, so I fail to see any reason why I'd go for that), or Instagram which somehow figured I'd be interested in buying bras for pregnant women (I'm a male, and I'm single).
More recently, Instagram tries to sell me Range Rovers. Where I live, there's a tax on "heavy vehicles", traffic is absolutely crazy, and we have usable public transit (which I use – while scrolling Instagram). Buying a big-ass car wouldn't help me in any conceivable way, and would be an all-round nuisance.
What leaves me flabbergasted, is that my only interactions with Instagram are around photography. I only follow photographers, who shoot landscapes and similar, I always leave the app when I'm presented with naked girls or other "reels'. So I could maybe, possibly, be convinced to buy some new camera or photo gear. Guess what I never see advertised on Instagram?
As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude That adtech Is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
So then:
What to do with this massive infrastructure and billions of dollars of investment and workers employed by this global machine?
This is where gambling and vaping come in.
At least from my own anecdotal observations (including conversations with confused less technical friends and relatives started by questions like "how does this website know enough about me to show me that ad?"), the issue to me seems less that ad tech doesn't ever produce relevant ads, but that in practice very few people actually click ads, much less buy things from the destination, regardless of whether the ads are relevant or not. If anything, seeing a well-targeted ad often makes people feel creeped out, and their reaction isn't to go "oooh yes, that's perfect for me, let me click it", but to immediately close the browser tab and maybe even avoid the website that showed it to them in the future (because it's not obvious to a lay user that the ads are usually sourced from another party rather than the website itself). Slightly more tech-savvy users might even be aware of how ads are sometimes a vector for malware and avoid clicking them because the risk of getting something nasty isn't worth the probably quite low reward of buying something they could probably find just as easily on their own by actively looking. In practice, I have to wonder if it even matters whether adtech is effective at targeting or not, because I'm skeptical that the way people interact with ads ever would generate enough revenue to be worth it.
That's a reasonable approach. It's also incorrect. These companies think tracking users is a great thing. They aren't admitting it, they are boasting about it.
https://petsymposium.org/popets/2021/popets-2021-0004.pdf
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
The error lies in the candid nature of software developers, who couldn’t imagine a world in which every human thought or interaction could be economically exploitable. Why does my browser have to give away so much information?
I’ve tried using Firefox with privacy settings cranked up, but I’m still not sure how much it actually helps. Has anyone found a good way to stop or reduce fingerprinting?
I'm so confused about this research... especially since there's JS scripts that do this on GitHub for almost a decade now.
It would be great if it would give me a hash of that fingerprint so I could compare it in a few months time.
I'm guessing that my "fingerprint" changes every time I load the page, which makes it somewhat harder to use for fingerprinting me.
While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising.
This paper introduces "FPTrace" (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking.
In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.
I think there are a few potential problems with this approach.
- A lot of browser-based mitigations (such as Firefox's "resist fingerprinting" settings) send dummy data to websites. So yes, you may have a unique fingerprint according to the EFF site. But, when you visit it later, you could in principle have a different unique fingerprint. I haven't seen much discourse which discusses whether this is a viable point of not. Yes, my Linux Firefox with a bunch of weird settings clearly stands out. But maybe I have a different fingerprint across visits?
- Additionally, this strategy seems to say "don't be unique, blend in with the crowd. Look like Windows 10 and Chrome." I think there must be some validity to this. But clearly, advertiser fingerprinting is _most_ interested in the vast middle of the bell curve, ie that huge mass of users with Windows 10-11 & Chrome & Edge. If looking just like everyone else were somehow an effective mitigation, then the advertisers' tracking technology would not actually be effective for the vast majority of cases; the ones they care about the most.
- I also wonder what the difference is between what security researches at EFF and other places can do in principle vs. what various websites are actually doing in practice. It's important to remember that advertising is now like a warrant; if an advertiser thinks you're a different person and serves you the wrong ad, no one will ever notice or care. They have no way to verify it, and whatever error exists won't ever show up in their promotional materials. Even if the fingerprinting technology is quite strong, I sincerely doubt the statistics we hear from advertisers (ie, "we can identify 90% of users") can be very accurate.
I don't mean to suggest that my points are strictly correct -- however I also don't think the usual discourse around the realities of advertising and tracking really gets to the bottom of things in a very accurate or useful way.
But this meme rests on an assumption that people must use, now and forever, certain software that sends many details that can be used to construct a fingerprint, namely, a software program that web developers call a "modern browser". If those are the conditions, if this is the only software web users are allowed to choose, then yes, I agree, web users have no chance against fingerprinting; they will be involuntarily sending copious details to websites, automatically. The small number of popular "modern" web browsers are generally distributed by surveillance advertising companies, companies increasing their surveillance advertising services or organisations that send data about users to such companies in return for payment. Using this complex software to attempt to "defeat browser fingerprinting" is, no surprise, a losing game.
Ultimately, the goal of anti-fingerprinting should be to significantly reduce the number of details sent, which in effect reduces the number of details that can be used to construct a fingerprint. The reason this should be the goal is that when there are fewer details to copy then it is easier to make fingerprints so generic that they are not very useful for surveillance advertising. The Catch-22 meme often refers to the goal as "blending in", achieved by trying to duplicate popular but complex configurations reported to websites by the popular browsers. Truthfully, if the choice of software is smaller programs that have minimal configuration and send almost no details, then it is easier to "blend in", if that is the goal.
If a user-modifiable string from an optional User-Agent HTTP header is one of only a few, or perhaps the only, detail in a fingerprint, e.g., if web users make HTTP requests using simpler software that does not run Javascript, then, _if web users wanted too look alike_, it is easier for them to do so. The alleged Catch-22 created by the complexity of "modern" browser can be resolved.
As it happens, according to "web security" reports, over half of web traffic comes from simpler clients that do not display advertising. What are the (non-behavioural) "browser fingerprints" of these users. Generally, it is a user-modifiable string in a User-Agent HTTP header. If the header is omittted, or if different "bots" use the same string, then the "browser fingerprint" becomes even less distinguishable.
Alas, web users who choose simpler software instead of the larger, more complex "modern" browsers often get mistaken for "bots" based on crude heuristics with high false positive rates. Alas, website operators often do not focus on behaviour, e.g., rate-limiting, when it's easier to simply label anything that is not sending many details and running Javascript as a "bot". The characteristic bad behaviour of "bots" is assumed. Even when it does not exist. A single, one-time HTTP request can trigger a heuristic-based block designed to stop repeated, excessive HTTP requests.
The surveillance advertising ecosystem relies on web users all choosing the same few browsers that run Javascripts indiscriminantly without any user input. Even using an add-on/extension like uMatrix with a "modern" browser may trigger "bot" heuristics, because uMatrix lets the user run Javascript discrimantly.
Fingerprinting may not be 100% dependant on Javascript. But the most useful fingerprints for advertising, not to mention serving the advertisements themselves, rely on Javascript.
Its always struck me as odd that your browser just volunteers so much information every time you go to a site. Then again, my knowledge of how the web works is limited to HTML+CSS from the 00’s…