This is a problem because unlike cookies, that are tied to specific domains and isolated by security boundaries, fingerprints can be computed across any domain.
It's easy to imagine how a website that tracks users and serves ads solely using fingerprints could be exploited to gain informations about a victim, simply by collecting their fingerprint.
As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
I think you’re thinking that the fingerprint is reported as a single hash (e.g. SHA512) of multiple attributes, which would of course change if a single bit was different. But there’s no reason they would be reported that way. It could be (and probably more likely) a big data structure of all the values. It would be easy to see that only a few things changed.
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.
”NVIDIA Corporation” is a rare vendor because most browsers (Chrome, Edge, Firefox on Windows) use ANGLE and will report ”Google Inc. (NVIDIA Corporation)” as a vendor.
Basically, ”NVIDIA Corporation” means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking various statics of sales, upgrade cycles, etc there are probably at between 500k of 1million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro)
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are langauge, time-zone, font-size, light/dark preference. There's isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the Eff's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.
That results in different nanosecond ranges of performance, for your canvas.
It is lie. They're making up stuff to spin their position
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particlar. They don't produce different results
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
>That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (ie. it varies between devices of the same model) actually exist?
Have you bothered to look, yet? It's been in use since 2012. Responding to specifics, when someone is acting out of bad faith, isn't generally a good idea. But fine.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
Hn referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
They will fuzz your uniqueness into a profile no matter how many times it changes. There’s enough there to identify you based on your fingerprint and behavior.
right, but it is most powerful if they can combine unique fingerprint with identity fingerprint via login over time, so as to build up a long term behavioral profile. Identity is not good enough because you will sometimes not be logged in, fingerprint via uniqueness may not be enough because your behavior may change in different environments.
One can be uniquely identified but the info gathered can be made pretty useless (at least for commercial purposes). The State spying on one is another matter altogether, one has to assume one is then petty transparent.
For example, my default mode is no JS. If JS must be used then cache, cookies, history, etc. are erased by default (usually they are anyway). I use multiple machines and they have multiple browsers (there's five on this phone alone), and if I think it's important I'll change browsers between sessions for a given site—that also means an IP address change (router reboots, etc.). On Android, remove all Google apps, have no Google account, use a firewall and only allow apps from F-Droid to have internet access.
Can't say I've clicked on an add in 20 years unless accidentally, and anyway I see them very rarely sans JS. If I do I never linger over them to give the impression I'm reading them.
Browsers have block lists some very extensive (e.g. Privacy Browser), so do OSes' hosts files, location is off, etc. There's other stuff too but you get the gist.
Why bother you ask. Before the internet I could look at adds in magazines, buy something without giving name, rank and serial number, and or my address, or phone number and so on and be pretty certain manufacturers and advertising agencies weren't tracking me.
In short, I had some autonomy I could call my own.
So why is it now a prerequisite to give all that personal stuff away just because I've joined the internet? That wasn't the plan when the internet was devised.
I see what I do as basic self protection.
A final point: what the internet desperately needs is a JavaScript engine that users can tailor to their individual needs. Randomize, machine details, cookie info, and so on. A well designed engine could feed copious junk info back to websites and spoof itself as a 'genuine' engine to the extent that websites wouldn't know what's genuine and what's not.
Widespread use of such a JS engine could do considerable damage to these snooping bastards. The big question is why the hacking community hasn't yet come up with one.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display
Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
>"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefor, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
Not sure about US, but Indian ISPs are doing this already to conserve IP space given huge userbase. In theory it would work similar to how a NAT gateway works for outbound communication. Skan + geo would be hard nut to crack in India.
In UK I'm now on FTTP but even on ADSL the house would have an IP address that normally stayed constant until a router reboot. This seems to be pretty common in the UK. Probably on cable internet (and on mobile ofc) you get NAT-ed but I've never had that.
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Assuming an ext-IP (60k ports) can easily represent 100 household if we statically assign ports. Given CGNAT with dynamic port allocation this can easily go up to 5x? That's wildly inaccurate given the core problem is to "target" a small set of users which is based on this geo info. Not sure how well this elephant sits in a room full of engineers solving this specific targeting problem.
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Also TCP timestamp if the network stack doesn't apply a randomized offset. As of 4.10 Linux added randomization; no idea about others.
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymizat...
On iPhone check out Orion browser. Blocks ads, even on YouTube. Though sometimes video quality goes low (manually set it higher to fix). Firefox focus also works, but only one tab
If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Brave is also extremely effective at removing ads while keeping websites functional (including YouTube). It even has some fingerprinting protection. (and before someone complains, you can disable all the crypto stuff)
Sure but personally I'm against recommending different flavors of chrome. Brave is a nice idea but it still gives undue power to Google because at the be of the day, they control chromium. It also makes a hard problem for chromium reskins as they keep finding things chromium can use to track their users...
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
Personally, I block them. But the people running these programs think they can get all of us. They don't seem to understand that the harder they try the more they piss off people like me. Meaning I'll put in more effort to circumvent or poison their data, making them spend a disproportionate amount of money on people like me. At this point I don't they'll give up, so let's find out who can live the longest. The number of people on my side are growing
I'm with you, but my take is that advertainment only scales big, so we are mostly collateral noise to the designers who have to balance many different factors, the main one bieng that the market they have brainwashed is as a result, fickle, and insists on bieng entertained, with most of the work force in advertising also consuming the product in a world of always almost, never quite satiated quest for the something™ that will get them off the treadmill.
The very fact that anything imaginable is availible, anywhere, right now, up front, delivered ,only highlights the sameness of it all, where the tracking and fingerprinting results in people buying whatever they glanced at,casualy and inocently, but now own some glitzy cheap, likely broken facsimily, and are now under intense pressure to buy another one.
So advertainment gives it's reek of edgy mindless frustration to the whole world.
So ya, turn off scripts and storage, run some blockers, and remember to be nice to all the people actualy helping and doing things in the real world.
Sure but it's about pareto efficiency. How much do you capture? It's a percentage. But you have to spend infinite resources to get to 100%. They just see number go up...
I wouldn’t claim to not notice ads. Especially ads that interrupt videos. I remember quite a few of them. But, even the ones that are initially a little amusing become annoying with repetition, and what initially seemed mildly amusing instead seems just stupid.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
Every person says this too, but it ignores the diversity in types of people. I know somehow who happily watches ads and makes purchasing decisions off it. I ignore them and do not. I don't believe I am being manipulated by the ads. The companies choose to advertise to target other people, and they lose money serving ads to people like me. But it's still a net win for them.
I stopped drinking soda this year and alcohol years ago. If you consumed any heavily advertised product this year, then you can't say ads don't work. Including products like Cursor.
Ads definitely have an effect on me: the more intrusive they are, the more I remember them and tend to not buy that product and ignore the company altogether.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists vor various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden longtime costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper west is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
>But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it. //
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
I mean, ads work same way those obnoxious Mr Beast faces in thumbnails work: I never click on any video like that, but they obviously work for attracting a general public. It's even kind of funny how aggressively the algorithm tries to push them to me: if I were to anthropomorphize it, I'd say it's palpable its desperation to drag me to a popular cluster
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveilance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
Not really.
They can‘t see a list, as navigator.plugins is dummy data in every major browser, but they might able to detect eg. Adblockers by other means
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are broswer mitigations against font enumeration for fingerprinting.
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,”
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
As someone who's been building an adblocker for the last 6 years: yes, there's plenty of proof in the devtools console on more websites than you'd think.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
From over a decade ago, a paper on then-commercially-available browser fingerprinting tech, including a study of its deployment in the wild:
https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).
Iovation is at least one companies script I know that the financial sector tends to use to get some fingerprinting on. Youngsters, please don't be skeptical. Surveillance hellhole-wise, fingerprinting is and will remain a perennial corporate favorite thing to do.
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
At one point, Firefox (3.5 specifically) was #1, for a brief moment:
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and WaterFox that may be worthwhile (I haven't vetted them) but its the same dilemma as with chrome, the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
I think its matter of "least common denominator" as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
If you have Firefox with "resist fingerprinting" enabled then you are feeding it some dummy data. People worry about the fact that this might make you "unique," but fail to grasp that if you look differently unique every time you're not necessarily identifiable.
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
2. is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for useragent. with JS disabled (best practices for tor) it's even worse. maybe this works for windows users?
(debian, latest tor browser 14.5.3, no modifications)
if there's 0.00% similarity for canvas, then I think there would be some issue with the letterboxing. You shouldn't resize your tor window from 1400x900. Tor pretends it's windows, so I don't know why it would do that for the useragent.
I've always used it inside of whonix, and when I tested it, it seemed like everything was fine.
When you disable js you need to do so by setting tor to Safest.
The font list should be spoofed by tor?
Anyway, you can fix all of that just by using whonix and setting tor to safest.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> then Google used anticompetitive practices to squash it
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
All the front-end devs I knew at the time switched to Macbooks after the Intel switch, because you could get a Unix-based machine that could run Safari and Firefox natively, and Internet Explorer in a VM. Chrome wasn’t even released at that point.
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
I think it's pretty debatable that Chrome is currently better, but you're definitely correct. When Chrome first debuted (and for years afterwards) it was clearly superior to Firefox.
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Because the users of web browsers expect compatibility. If one vendor unilaterally decides to stop supporting some browser APIs, the result isn't better privacy. The result is that people switch to other browsers.
I guess we all knew this was happening, but it's hard to "prove" that they track you across devices without resorting to anecdotes. This seems to be a framework for performing studies + a large-scale study in order to get some more concrete proof that it is actually happening in practice, and the fingerprinting isn't just used for other things like anti-abuse.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
Luckily most of this is done by web devs using their normal tools which means if you just turn javascript off that gets rid of 99%. Sure, there are ad companies and related out there using actual webserver logs but more and more it's relying on you the user blindly executing their code on your machine. After all, everyone does it. Anyone not running javascript is weird, probably not monetizable, and therefore is a bot and doesn't exist.
Yep. Native applications are much faster, more reliable (can't change underneath you unless you let them), incomparibly more private, and generally longer lasting.
Using the web for applications forces you into behavior and situations you wouldn't accept otherwise. Web sites are best made of web pages. Not executable code. And there are still more web sites made out of web pages out there than corporate web apps. The web is huge and there's a lot beyond the top 100 web apps everyone use.
Turning off JS auto-execution helps one avoid falling into those traps as well as avoiding fingerprinting in general. And the vast majority of the non-commercial web still works just fine.
Has anyone made a plugin that forces your browser to resize slightly to help avoid fingerprinting? I feel like this is an annoyance I could tolerate, even if over the course of a day or two it causes me to resize it manually to something larger.
The name for that is letterboxing. The Tor Browser (and the Mullvad browser, based on the Tor one, and Firefox as of v. 67 with an about:config flag) all support it.
There are also add-ons that perform the same basic function with some added customisability [0].
Firefox has this built in, about:config privacy.resistFingerprinting.letterboxing. It was contributed upstream by Tor, and off by default in Firefox.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
There is a way - provide random garbage via browser APIs, for example, fake GPU name, fake core count, fake IP addresses for WebRTC. But browser vendors do not want to do it. You have to compile your own browser.
Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.
There's only so much you can fake without breaking sites. You may be able to fake the specific elements that a site is looking at today, but it'll always be a cat and mouse game.
I’d like to see better fingerprinting tests than coveryourtracks.eff.org and amiunique.org. Both have the flaw that they test only uniqueness, not persistence, with the result that they’d flag a random number generator as a fingerprint, too. Real fingerprinting protection does often involve random, not binned, results, and this results in both websites flunking even the browsers that do pass their tests, like Tor, Safari, and LibreWolf.
CreepJS[0] allows you to "add a signature" (basically give your fingerprint a name). If you re-open the page, and it can correlate your fingerprint, it will show you your signature.
Because most of it is useful or even needed. There's perhaps one or two things that can be removed, but not that much.
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The first point - there are usecases but it probably all ought to be user prompted. The vast majority of sites don't need any of it. For example when testing webgpu on chromium I had to globally enable it with a flag which prompted a security warning. A per-site prompt would have been much more secure - I was only using it on localhost.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
Some mobile devices (especially cheap Androids) often have device model numbers and build version in the User-Agent headers. A few examples from a quick look at my access log:
Mozilla/5.0 (Linux; U; Android 15; zh-CN; V2301A Build/AP3A.240905.015.A2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/123.0.6312.80 Quark/7.13.1.851 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 13; STYLO RAIN Build/TP1A.220624.014) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.7151.89 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 14; moto g04 Build/ULA34.89-193; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/137.0.7151.89 Mobile Safari/537.36
All of these contain both the device/model name and specific software version.
This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
> Required for showing the right resolution images.
How many websites is this actually an issue for? I know web developers get all impressed with themselves about putting fancy images on their web pages, but the vast majority of them are simply useless decoration.
> Most people expect to see times in their local time.
So have a built-in widget in the browser that takes a time in UTC from the server and converts it to local time (if the user has that setting enabled in their browser settings) based on the computer's time zone.
Even client side Javascript could do this without having to tell the server anything about the client's time zone.
> can be useful for showing the right download button
How about just letting the user select the right download button?
> but why does the website that's sending me HTML and CSS and Javascript need to know?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
And when I block js, most websites are still readable. (some even look better!) The fact that some sites work just fine without js mean that most could. Certainly the sites load much, much quickly without the js. 90% of the time all I want is the text, which loads perfectly without it. JS is a huge waste of resources with no real benefit to consumers. Some web apps need it, yes, but even those could still do fine without it. (until recently there was still an HTML gmail app which worked just fine.)
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
It’s been getting progressively stripped back but there’s risk of breaking changes too. Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
The referer field has had the path removed or even dropped outright for some browsers.
> Lots of websites started breaking when Apple did something as simple as updating the OS version from 10 to 11 in the user agent.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Because they pretty much all power some kind of actual functionality. Users want the website to show up in their timezone, in their language, and to respect the light/dark mode options. Those are all legitimate functions, which also get used for tracking.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
The browser is a sandbox with a bunch of discoverable features. Those features exist for the user but a side effect is they leak data which individually is probably not interesting but collectively is a fingerprint.
To be less of a fingerprint you'd need to remove JS from the entire web.
My web browser is abrowser (firefox derivative) and I am not using Windows like it says. I do have my javascript restricted though. The site considers my computer unique.
Yes. Today you cannot register Vk, Google or Telegram account without scanning a QR code from smartphone or installing an app. I am surprised that there are people that agree to go through all these difficulties instead of going to a competitor.
Because most people do not find it difficult to install an app. And many people started with the mobile app anyway, and/or use their mobile device as their primary computer.
Why do browsers share so much information? A standards-compliant website has no need to know which browser version I am using, which operating system I am running, etc..
One of the more effective techniques is measuring the speed at which JS renders to your canvas. That's a sidechannel I don't think can be closed easily.
As long as JS exists, there will be effective means to examine the sandbox.
(I do agree they have unsafe defaults info. It's just removing it isn't enough.)
There is some noise, but there are bounds. Everyone tends to have fairly common habits and periods of transition into new habits, that combined with IPs, or geolocation, or screen sizes, that you can fairly accurately pin individual devices..
Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.
Various places have used it since before '14. But here's one random paper that goes into more depth. [0]
That fingerprints exist is nothing new to someone who has visited https://amiunique.org whenever I get a new device or install a new distro for many years. (It also tells me that the project is not very alive, they had the same job offer for many years.)
So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.
251 comments
[ 3.1 ms ] story [ 274 ms ] threadA lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
If I change to for example Hong Kong, all Spotify, YouTube etc are them for hk/Chinese products and spoken in Mandarin/Cantonese.
I change country daily, it's good fun.
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
marginally given that most browsers auto-update.
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all the quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
Basically, ”NVIDIA Corporation” means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
Content language
Timezone
Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as an uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for firefox and chrome, so the version information is basically garbage. If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers, Hacker News is popular in certain circles but clearly this is self-selecting sample.
> If you had two firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
No need to use such self-deprecating language.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking various statics of sales, upgrade cycles, etc there are probably at between 500k of 1million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro)
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are langauge, time-zone, font-size, light/dark preference. There's isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the Eff's site on my iPhone 15 pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
That results in different nanosecond ranges of performance, for your canvas.
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particlar. They don't produce different results
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
No one enjoys a conversation with a blank wall.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (ie. it varies between devices of the same model) actually exist?
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
https://hovav.net/ucsd/dist/canvas.pdf
https://securehomes.esat.kuleuven.be/~gacar/persistent/the_w...
https://doi.org/10.14722%2Fndss.2022.24093
https://web.archive.org/web/20141228070123/http://webcookies...
https://www.torproject.org/projects/torbrowser/design/#finge...
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
But as these things don't sit still, a small perusal of any of the above links would give you the information you seek.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
For example, my default mode is no JS. If JS must be used then cache, cookies, history, etc. are erased by default (usually they are anyway). I use multiple machines and they have multiple browsers (there's five on this phone alone), and if I think it's important I'll change browsers between sessions for a given site—that also means an IP address change (router reboots, etc.). On Android, remove all Google apps, have no Google account, use a firewall and only allow apps from F-Droid to have internet access.
Can't say I've clicked on an add in 20 years unless accidentally, and anyway I see them very rarely sans JS. If I do I never linger over them to give the impression I'm reading them.
Browsers have block lists some very extensive (e.g. Privacy Browser), so do OSes' hosts files, location is off, etc. There's other stuff too but you get the gist.
Why bother you ask. Before the internet I could look at adds in magazines, buy something without giving name, rank and serial number, and or my address, or phone number and so on and be pretty certain manufacturers and advertising agencies weren't tracking me.
In short, I had some autonomy I could call my own.
So why is it now a prerequisite to give all that personal stuff away just because I've joined the internet? That wasn't the plan when the internet was devised.
I see what I do as basic self protection.
A final point: what the internet desperately needs is a JavaScript engine that users can tailor to their individual needs. Randomize, machine details, cookie info, and so on. A well designed engine could feed copious junk info back to websites and spoof itself as a 'genuine' engine to the extent that websites wouldn't know what's genuine and what's not.
Widespread use of such a JS engine could do considerable damage to these snooping bastards. The big question is why the hacking community hasn't yet come up with one.
I don't follow, consider hardware interrupts and their handling delays depending say on the combination of apps installed, the exact gpu driver version, etc ...
An occasional update could change the relevant timings, but would unlikely change all timing distributions (since perhaps the gpu driver wasn't updated, or the some other app wasn't)
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
Hardware interrupts are a standard part of computing. (see https://en.wikipedia.org/wiki/Interrupt#Hardware_interrupts)
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2016-oakland...
It's been awhile since I've looked closely at anything related to phones, but for decades /proc/interrupts was globally readable. It may still be.
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefor, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
How does this work in today's age where ISPs normally will have at least one level of NATing with ipv4. And given ipv6 with prefix delegation is still far away this should continue to be very imprecise?
Just like how when you do NAT for your home network, your devices get assigned non-routable private use only address space.
Unroutable meaning not publicly routable. Of course you can route traffic through your own LAN to your Internet gateway.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (ex cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Getting a bit farther out there, CPU clock skew can be derived from the (randomly offset) TCP timestamps. That varies with temperature and thus load so it can be used to pick out otherwise indistinguishable traffic streams originating on the same physical host.
Back in the realm of commonly employed techniques, higher levels of the networking stack are fingerprinted in the wild. https://blog.cloudflare.com/ja4-signals/
Moving even farther up, the human interaction streams themselves are commonly fingerprinted. I realize that's a bit of a tangent but OP had suggested that fingerprints had short half lives and this is a very strong counterexample that I failed to mention earlier. https://www.whonix.org/wiki/Keystroke_and_Mouse_Deanonymizat...
Even when they float over the text I am trying to read, I do not see them.
If on Android, check out revanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists vor various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden longtime costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper west is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
The ads are then in a language I don't even understand.. and for products not for sale in my country.
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveilance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
can websites really see installed plugins?
All of this is easily detected, can I ping X, can I see DOM Y, etc.
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are broswer mitigations against font enumeration for fingerprinting.
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
Huh? In 2025?? Fingerprinting has been around and actively used to track users for probably at least 20 years.
Fingerprintjs [1] is a well known one that gets a lot of use. And if you check EasyPrivacy, you'll see the rules to block it [2] have been in place for a long time.
[1] https://github.com/fingerprintjs/fingerprintjs [2] https://github.com/easylist/easylist/blob/132813613d04b7228c...
https://www.obsessivefacts.com/images/blog/2020-04-04-the-ja...
https://news.ycombinator.com/item?id=23679063
https://dl.acm.org/doi/10.1109/SP.2013.43 Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13).
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though seems like more trouble than its worth.
What makes you disqualify Firefox from being a "proper open source browser"?
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
> Yet there really is little recourse for privacy enthusiasts
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
- June 2024. Mozilla acquires Anonym, an ad metrics firm.
- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).
- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
(debian, latest tor browser 14.5.3, no modifications)
I've always used it inside of whonix, and when I tested it, it seemed like everything was fine.
When you disable js you need to do so by setting tor to Safest.
The font list should be spoofed by tor?
Anyway, you can fix all of that just by using whonix and setting tor to safest.
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
Not exactly. Apple happened.
Every "web designer" had to work on a macbook to be different like every one else. And firefox had dismal performances on those macbooks so said designers turned to the only browser with good tools and good enough performances: Chrome.
Next time you're told "performances don't matter", remember how it can be a differentiating feature and could cost you your market share.
Sorry? Why? I must’ve missed that memo :)
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Most browsers with fingerprint protections will for example introduce random noise in graphics and audio APIs.
> Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. [...] a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments - https://dl.acm.org/doi/10.1145/3696410.3714548
Unfortunately I don't have access to the paper myself, so not sure what details they share beyond that.
Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
> Given how websites are built these days, if you just turn javascript off, half of them, if not more, will become unusable.
Basically any webapp with any amount of processing being done on the device becomes unusable if JS is disabled. Photopea's a good example of this.
Using the web for applications forces you into behavior and situations you wouldn't accept otherwise. Web sites are best made of web pages. Not executable code. And there are still more web sites made out of web pages out there than corporate web apps. The web is huge and there's a lot beyond the top 100 web apps everyone use.
Turning off JS auto-execution helps one avoid falling into those traps as well as avoiding fingerprinting in general. And the vast majority of the non-commercial web still works just fine.
There are also add-ons that perform the same basic function with some added customisability [0].
[0] https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...
I think Privacy Badger may also do it.
Edit: I think I misunderstood you, you’re looking for something that adds changing noise to the viewport size. Letterboxing isn’t that, but it is another, arguably better, approach to reducing the same fingerprinting vector.
There really is no way to combat fingerprinting, other than using Tor on the "safest" mode. <- which disables javascript and some other stuff.
otherwise, you're fingerprintable.
also, check out https://demo.fingerprint.com/playground
Such browsers that allow you to masquerade as a different browser do exist but they are targeted at people doing social network marketing (spam and scam) from multiple accounts. Because social networks do not allow using multiple accounts from the same device. These browsers are called "anti-detect browsers" and you can find info about them on Russian underground forums.
https://mullvad.net/en/browser/browser-fingerprinting
https://mullvad.net/en/browser/mullvad-browser
they are tops in fingerprinting aaS AFAIK. meta and google are probably the only ones better.
[0] https://abrahamjuliot.github.io/creepjs/
The rest is just measuring the differences between "doing stuff and seeing what happens". For example if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
From the article, "your screen resolution, time zone, device model and more" are shared. Why? Why does a website need to know these things? I don't get it. My own device of course needs to know, but why does the website that's sending me HTML and CSS and Javascript need to know?
> if I render a box with some text and many different "font-family: [..]" then the size will differ per platform depending on what fonts you have installed, and you can measure that.
Why do you need to measure this? The whole point of HTML and CSS was supposed to be to let the user agent render the site in whatever way is best for the user. The website doesn't know what that is; the user does.
The second point - you don't need to measure it (that I'm aware) but you _can_ measure it because disparate features that all have legitimate usecases on their own can be leveraged in tandem to accomplish things that weren't intended by the authors of the specification.
Required for showing the right resolution images. The alternative is blurry images or wasted bandwidth.
> time zone
Most people expect to see times in their local time.
> device model
This could probably be removed but can be useful for showing the right download button. Also I'm not sure this is explicitly shared? I'm curious what exactly they mean here.
This is only an issue on Android and some other devices really (e.g. "smart" TVs and whatnot); I'm not aware of any desktop browser that does that. Not all Android devices do either.
This is a major reason why I stopped storing User-Agent headers in the database for my analytics app. I originally assumed there would be a relatively limited set of headers, but at some point I had millions of unique ones. Now it just stores the extracted information (e.g. "Chrome 137 on Android 14"). It's a pretty silly situation and completely unnecessary, but it is what it is.
How many websites is this actually an issue for? I know web developers get all impressed with themselves about putting fancy images on their web pages, but the vast majority of them are simply useless decoration.
> Most people expect to see times in their local time.
So have a built-in widget in the browser that takes a time in UTC from the server and converts it to local time (if the user has that setting enabled in their browser settings) based on the computer's time zone.
Even client side Javascript could do this without having to tell the server anything about the client's time zone.
> can be useful for showing the right download button
How about just letting the user select the right download button?
The website doesn't get told by the browser, but the website is sending you Javascript, and the browser will tell the Javascript when the Javascript politely inquires as to the width and height of the root html element, or some element with text in a funny font in it, and the Javascript is then free to report home.
I think hiding layout information like that from Javascript isn't really within reach without a radically different model that breaks a ton of websites.
Partly because Mozilla upper leadership hasn't been sufficiently aligned with privacy, security, nor liberty. And when they try, it's like a random techbro who latches onto a marketing angle, but doesn't really know what they're doing, and might still not care beyond marketing. And would maybe rather have the same title at Big Tech, doing the exploiting.
Also, no matter how misaligned or disingenuous a commercial ambassador to a W3C meeting was, Tim Berners-Lee is nice, and would never confront someone, on lunch break, in a dimly-lit parking lot, and say "I will end you".
The referer field has had the path removed or even dropped outright for some browsers.
Of course I know that in practice websites have been modifying their behavior based on the user agent string for years. But at least that information is supposed to be shared per the specs.
What I don't understand is why browsers are sharing lots of other information beyond the user agent string.
Security and privacy focused browsers and tools like Apple Lockdown Mode make some pretty significant compromises to maximise security.
To be less of a fingerprint you'd need to remove JS from the entire web.
that's why many companies tried to get you into their mobile Apps
> these difficulties
Because most people do not find it difficult to install an app. And many people started with the mobile app anyway, and/or use their mobile device as their primary computer.
https://www.youtube.com/watch?v=799uhYUxtvA&pp=ygUOI2NyZWF0Z...
Quoted:
"Mid-2010s: Browser fingerprinting became more prevalent, with research indicating its use by various websites and advertising companies."
As long as JS exists, there will be effective means to examine the sandbox.
(I do agree they have unsafe defaults info. It's just removing it isn't enough.)
Your processors, memory, and so on all have manufacturing quirks, and then workloads provide some more. The fuzzy circle of rendering times becomes easy to use.
Various places have used it since before '14. But here's one random paper that goes into more depth. [0]
[0] https://www.ndss-symposium.org/wp-content/uploads/2022-93-pa...
So what would have interested me is how and what kind of impact the researchers measured. The article seems to say pretty much zero about that. Disappointing.