New research provides first evidence of the use of browser fingerprints for online tracking.
To investigate whether websites are using fingerprinting data to track people, the researchers had to go beyond simply scanning websites for the presence of fingerprinting code. They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints. This approach is based on the insight that if browser fingerprinting influences tracking, altering fingerprints should affect advertiser bidding — where ad space is sold in real time based on the profile of the person viewing the website — and HTTP records — records of communication between a server and a browser.
“This kind of analysis lets us go beyond the surface,” said co-author Jimmy Dani, Saxena’s doctoral student. “We were able to detect not just the presence of fingerprinting, but whether it was being used to identify and target users — which is much harder to prove.”
The researchers found that tracking occurred even when users cleared or deleted cookies. The results showed notable differences in bid values and a decrease in HTTP records and syncing events when fingerprints were changed, suggesting an impact on targeting and tracking.
Additionally, some of these sites linked fingerprinting behavior to backend bidding processes — meaning fingerprint-based profiles were being used in real time, likely to tailor responses to users or pass along identifiers to third parties.
Perhaps more concerning, the researchers found that even users who explicitly opt out of tracking under privacy laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) may still be silently tracked across the web through browser fingerprinting.
Based on the results of this study, the researchers argue that current privacy tools and policies are not doing enough. They call for stronger defenses in browsers and new regulatory attention on fingerprinting practices. They hope that their FPTrace framework can help regulators audit websites and providers who participate in such activities, especially without user consent.
This research was conducted in collaboration with Johns Hopkins University and presented at the ACM Web Conference (WWW) 2025.
Funding for this research is administered by the Texas A&M Engineering Experiment Station (TEES), the official research agency for Texas A&M Engineering.
As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
> They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.
I'm curious to know a bit more about their methodology. It's more likely to me that the ad networks are probably segmenting the ads based on device settings more than they are individually targeting based on fingerprints. For example, someone running new software versions on new hardware might be lumped into a hotter buyer category. Also, simple things like time of day have huge impacts on ad bidding, so knowing how they controlled would be everything.
>As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
I've just looked at my fingerprint and I'm told I'm unique (my mum always said that ;-) ).
Unfortunately it's impossible, using https://www.amiunique.org/fingerprint, to determine what elements of the fingerprint, if changed, would make me significantly non-unique, but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
While the precise value may change with time I feel like saying "has a half-life of only a few days" tends to understate the effectiveness of this technique.
the problem, for those tracking and using uniqueness tied to tech as a measure (as opposed to uniqueness tied to identity), is not that it is easy to change you to be non-unique, it is that you will probably be a different "unique" user in a few days.
If there is a lot of information that won't change that quickly it is questionable if that subset would be unique. Logically it seems to me that subset would not be unique because in tech the stuff that does not get changed gets widely distributed.
on edit: here is a sample of three unique user profiles, I open up FF and I log in to Google. I have two unique users, FF, and Google. I then have to do something that needs Safari for some reason, so I open up Safari, and then for some reason I have to log into Google again on Safari. Now I have three unique user profiles: FF, Safari, and still Google. Browser fingerprinting is ok for tracking uniqueness in one way, but for building up a unique user profile it is pretty crap.
They will fuzz your uniqueness into a profile no matter how many times it changes. There’s enough there to identify you based on your fingerprint and behavior.
right, but it is most powerful if they can combine unique fingerprint with identity fingerprint via login over time, so as to build up a long term behavioral profile. Identity is not good enough because you will sometimes not be logged in, fingerprint via uniqueness may not be enough because your behavior may change in different environments.
There are a few obvious ones I knew would be bad for me - the Linux user agent, for example. My canvas also came up unique and I'm betting Dark Reader had something to do with that.
But then there's other things that don't make any sense. How is "NVIDIA Corporation" only 0.74% for "WebGL Vendor?" Why does navigator.hardwareConcurrency even exist?
"NVIDIA Corporation" is a rare vendor because most browsers (Chrome, Edge, Firefox on Windows) use ANGLE and will report "Google Inc. (NVIDIA Corporation)" as a vendor.
Basically, "NVIDIA Corporation" means you are Firefox on Linux with an NVIDIA GPU — or Firefox on macOS with an NVIDIA GPU, which is probably even rarer.
0.74% does seem a bit low, but most people browse the web on mobile phones, so knock off 50-70% immediately, then of the remaining most will be integrated GPUs from Intel or AMD in laptops. Take away Macs and you’re basically just left with gaming PCs, and laptops where the browser decided the task was difficult enough to spin up a discrete nVidia GPU.
My vendor “Apple Computer, Inc” was less than 10% (I’m on iPhone) so I suspect HN crowd probably uses unusual hardware.
While my timezone (in USA) and device vendor are both single digit rare, combining the two probably leaks less information than you’d expect because my timezone has a much higher density of Apple devices than global averages.
It’s really not until you take into consideration a few other variables that you could really finger print me pretty decently.
Mine says zero percent match for everything, and claims I have a NaN % overall match. Does this site work?
Definitely works for me although it was rendering the result a lot faster six hours ago.
HN referrer already up to almost half a percent of their database at the time of writing. Either a lot of lurkers followed your link or a lot of bots crawl this site.
> but when I look down the list 16/58 javascript attributes are red (the lowest category of similarity ratio) and only two of those are overtly dependent on a version number, another six refer to screen size/resolution. It seems to me that leaves quite a lot of information which isn't going to change all that quickly.
I disagree. Going through the list, the following attributes are basically 100% tied to the browser or browser version, because nobody is going to change them:
* User agent
* Accept
* Content encoding
* Upgrade Insecure Requests
* User agent
* Platform
* Cookies enabled
* Navigator properties
* BuildID
* Product
* Product sub
* Vendor
* Vendor sub
* Java enabled
* List of plugins (note that plugins were deprecated by major browsers years ago)
* Do Not Track (DNT has been deprecated in favor of GPC, and if you want to stay anonymous you should leave it as the default)
* Audio formats
* Audio context
* Frequency analyser
* Audio data
* Video formats
* Media devices
The following are very correlated to your geo ip, so unless you're pretending to be a Mongolian with a US geo IP, it reveals very little.
* Content language
* Timezone
* Content language
These are actually valuable for fingerprinting, but most of these basically boil down to "what device you're using". If you're using an iPhone 16 running iOS 18.5, chances are most of the device related attributes will be the same as everyone else with an iPhone 16 on iOS 18.5.
* Canvas
* List of fonts (JS)
* Use of Adblock
* Hardware concurrency
* Device memory
* WebGL Vendor
* WebGL Renderer
* WebGL Data
* WebGL Parameters
* Keyboard layout
These are basically screen dimensions but repeated several times:
* Screen width
* Screen height
* Screen depth
* Screen available top
* Screen available Left
* Screen available Height
* Screen available width
* Screen left
* Screen top
These are non-issues as long as you don't touch such settings, and are reset if you clear browsing data.
* Permissions
* Use of local storage
* Use of session storage
* Use of IndexedDB
These basically boil down to "whether you're using a phone, laptop, or desktop"
* Accelerometer
* Gyroscope
* Proximity sensor
* Battery
* Connection
The last few seem related to flash but since that's been deprecated years ago they're non-issues.
Didn't the EFF, a long time ago, have a fingerprint analysis that showed how unique a user profile is?
You really can't put too much faith into the "you're unique!!" conclusions that fingerprinting sites give out. The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) are suspect at best. Most (all?) also take into account volatile attributes like the version number, which makes the previous problem worse by further reducing the actual sample size.
Suppose a fingerprinting site used (user agent, timezone, user language, screen resolution) as a uniqueness key for its fingerprints, and those were the only fingerprintable attributes. User agent changes often, basically every month for Firefox and Chrome, so the version information is basically garbage. If you had two Firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable. However most fingerprinting sites will happily say "you're unique out of 1 million visitors!".
To make this even worse, people will inevitably revisit these sites and use "fingerprint blocking" extensions, which randomize various attributes. The fingerprinting sites aren't very sophisticated and can't tell attributes are being faked, so it'll record that as a new visitor, which has the effect of bumping the denominator even more. Instead of saying you're unique among 1 million users, it'll say you're unique among 10 million users, but that's a lie, because 9 million of those devices never existed.
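As an added example that is not part of the comment above: the toy key it describes (user agent, timezone, language, screen size) applied to a constructed visitor log, showing what "you're unique" means under a naive key versus a version-stripped one, and how randomized revisits inflate the denominator without adding real people. The entropy figure is the sample-entropy metric quoted elsewhere in the thread; all visitor records are constructed.

```python
"""Added example, not from the thread: how a fingerprinting site's "you are
unique" verdict depends on which attributes it keys on and on who visits.
Uses the toy attribute set from the comment above (user agent, timezone,
language, screen size). Every visitor record here is constructed."""
from collections import Counter
import math
import random
import re

# Constructed visitor log: (visit_month, user_agent, timezone, language, screen).
# Visits 1-2 and 3-4 are the same two people returning after a browser update;
# visits 6-8 are one iPhone user, the last visit after an iOS update.
VISITS = [
    (1, "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0",
     "Europe/Berlin", "de-DE", "1920x1080"),
    (3, "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
     "Europe/Berlin", "de-DE", "1920x1080"),
    (1, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36",
     "America/New_York", "en-US", "1920x1080"),
    (2, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0 Safari/537.36",
     "America/New_York", "en-US", "1920x1080"),
    (2, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0 Safari/537.36",
     "America/New_York", "en-US", "2560x1440"),
    (1, "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/604.1",
     "Asia/Tokyo", "ja-JP", "390x844"),
    (2, "Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) Safari/604.1",
     "Asia/Tokyo", "ja-JP", "390x844"),
    (3, "Mozilla/5.0 (iPhone; CPU iPhone OS 18_0 like Mac OS X) Safari/604.1",
     "Asia/Tokyo", "ja-JP", "390x844"),
]

# Matches dotted or underscored version numbers such as 126.0, 125.0.0.0, 17_5.
VERSION_RE = re.compile(r"\d+([._]\d+)+")


def raw_key(visit):
    """Key as a naive site builds it: every attribute verbatim."""
    return visit[1:]


def stable_key(visit):
    """Same key with version numbers normalised away, so a browser update
    no longer turns a returning visitor into a 'new unique' one."""
    _, ua, tz, lang, screen = visit
    return (VERSION_RE.sub("v", ua), tz, lang, screen)


def shannon_entropy_bits(keys):
    """Sample entropy of the key distribution (the 'bits' figure that
    fingerprinting studies report)."""
    counts = Counter(keys)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def uniqueness_report(visits, key_fn):
    keys = [key_fn(v) for v in visits]
    counts = Counter(keys)
    return {
        "visitors": len(keys),
        "distinct_keys": len(counts),
        # How many visitors would be told "you are unique among N visitors".
        "told_unique": sum(1 for k in keys if counts[k] == 1),
        "entropy_bits": shannon_entropy_bits(keys),
    }


def is_told_unique(index, visits, key_fn):
    """Would visit number `index` get the 'you are unique' verdict?"""
    keys = [key_fn(v) for v in visits]
    return Counter(keys)[keys[index]] == 1


def add_randomized_revisits(visits, n, seed=0):
    """Simulate n revisits through a fingerprint-randomising extension: each
    one carries a never-seen user agent, so the site files it as a new visitor
    and the 'unique among N' denominator grows with no new real people."""
    rng = random.Random(seed)
    fake = [(rng.randrange(1, 13),
             f"Mozilla/5.0 (Randomized; build {rng.randrange(10**6)}) Fake/{i}",
             "UTC", "en", "1024x768") for i in range(n)]
    return visits + fake


if __name__ == "__main__":
    for name, fn in (("raw", raw_key), ("version-stripped", stable_key)):
        print(name, uniqueness_report(VISITS, fn))
    print("with 92 randomized revisits:",
          uniqueness_report(add_randomized_revisits(VISITS, 92), raw_key))
```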
You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community. Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
> If you had two Firefox users visit the site two months apart, but with the same timezone, language, and screen size, then for all intents and purposes they're indistinguishable
Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
>You should not forget that sites can use cookies to link old and new fingerprints. So if you visit HN after browser upgrade it will still understand that it's you and share the fingerprints with fingerprinting community.
They theoretically could but which sites are actually doing this?
>Also, fingerprints related to hardware (like GPU name, CPU type and core count) do not change often.
That basically boils down to what phone model you have. The number of iPhone 16 users (for instance) in a given city isn't exactly small.
>Absolutely wrong. The users will have different hardware, maybe different ISPs, cities etc.
If you read the comment more carefully you'd understand that it was toy example to prove a point, not a claim that you can only be fingerprinted by those attributes. I even specifically prefaced it with "suppose".
> The sites don't receive much traffic, because only privacy nuts visit them, so any conclusions that you're "unique" (in the world?) is suspect at best
Very much this. For example, according to that amiunique.org link, I am literally the only person on the planet who has their browser set to Japanese and that alone makes me unique.
> so any conclusions that you're "unique" (in the world?)
I don't think too many people are labouring under this idea, I think it's implicit that "unique" is in terms of those people those people who've volunteered for fingerprinting by this site.
I was amused to see that my referer value of 'https://news.ycombinator.com/' matched 1/1000th of "all" browsers. Hacker News is popular in certain circles but clearly this is a self-selecting sample.
>privacy nuts
No need to use such self-deprecating language.
Yea, and it was effectively a lie.
I'm in the Pacific Time Zone which covers LA, SF, San Diego, Seattle, or 51 million people. Apparently, 90% have a smartphone (that includes kids) which is lower than 90% but for adults is 97%. Looking at various statistics of sales, upgrade cycles, etc. there are probably between 500k and 1 million iPhone 15 Pros (not 15, not 15 Pro Plus, just 15 Pro).
Every iPhone 15 Pro will have the exact same fingerprint. The only settings that "leak" are language, time-zone, font-size, light/dark preference. There isn't anything else an iPhone user can change.
Given those, and given most people have those set to the default, at best there are 100k people giving the same fingerprint, likely more. But, if I go to the EFF's site on my iPhone 15 Pro it will falsely claim my fingerprint is unique. (https://coveryourtracks.eff.org/)
Yes, it might be unique to their server since no one visits. But if no one visits there's no point to fingerprinting. It's only popular sites that would gain from fingerprinting and yet the EFF is effectively lying about those sites ability to fingerprint.
I wouldn't call it a lie. The canvas jitter for each iPhone 15 Pro will be different. Different battery ages, different lifetime workloads. And no manufacturing process currently results in identical CPU performance.
That results in different nanosecond ranges of performance, for your canvas.
It is a lie. They're making up stuff to spin their position.
> The canvas jitter for each iPhone 15 Pro will be different.
There is no such thing. I write tests for GPUs and iPhones in particular. They don't produce different results.
> Different battery ages, different lifetime workloads.
This is not something you can check from a webpage on an iPhone
> That results in different nanosecond ranges of performance, for your canvas.
There is no nanosecond measurement you can use to generate a fingerprint in a browser. All you'll get is noise which will give you a different fingerprint.
Maybe if you ran for several minutes with a frozen page doing nothing but timing could tease some signal out but no sites are doing that. No one would continue to use a site that froze for seconds every time they visited.
That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
No one enjoys a conversation with a blank wall.
>That doesn't sound like you've actually read any of the widely adapted and used techniques, employed by everyone from PornHub to Meta, nor does it sound like you're willing to.
It doesn't look like you read the comment you're replying to either, because you failed to respond to any of the specific objections that were raised. Let's try again with the first one: do you have any proof that "canvas jitter" as you described it (i.e. it varies between devices of the same model) actually exists?
Have you bothered to look, yet? It's been in use since 2012. Responding to specifics, when someone is acting out of bad faith, isn't generally a good idea. But fine.
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits. This is so even though the user population in our experiments exhibits little variation in browser and OS.
https://hovav.net/ucsd/dist/canvas.pdf
https://securehomes.esat.kuleuven.be/~gacar/persistent/the_w...
https://doi.org/10.14722%2Fndss.2022.24093
https://web.archive.org/web/20141228070123/http://webcookies...
https://www.torproject.org/projects/torbrowser/design/#finge...
> In 294 experiments on Amazon’s Mechanical Turk, we observed 116 unique fingerprint values, for a sample entropy of 5.73 bits
The claim being disputed was "canvas jitter for each iPhone 15 Pro will be different", not the broader claim of whether canvas fingerprinting exists at all. 116 unique fingerprints out of 294 doesn't really prove the former is true, especially when you consider that people on Mechanical Turk are probably all on laptops/desktops, which have more hardware diversity compared to smartphones. Moreover if the claim is that every (?) iPhone of the same model has different canvas outputs because of "canvas jitter", wouldn't we expect far more unique fingerprints?
I think you miss some key issues here:
(a) Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins, content language, fonts. The used data points can be dynamically fine-tuned in retrospect and be different for each identified agent.
(b) In the grand scheme of things, the browser fingerprint is only one data point. If you combine it with other data points (e.g. the geo-data you mentioned) you can overcome some of its limitations as well as intentional evasion attempts. E.g. a new fingerprint appears at my workplace IP that has 80% similarity with my old fingerprint. At the same time my old fingerprint goes dark.
(c) The ad companies take the shotgun approach because it works for them: it is cost-effective and can be defended as a legit method. Entities that are interested in surveillance for purposes other than selling ads and already collect a trove of other data can do a lot better than ad companies.
> Browser fingerprinting can be very robust if you select your data points correctly. E.g. installed plugins
can websites really see installed plugins?
Not really. They can't see a list, as navigator.plugins is dummy data in every major browser, but they might be able to detect e.g. adblockers by other means.
Adblocking is not rocket science, you block the DNS of the ads. Some also use JS to mess or remove ads.
All of this is easily detected, can I ping X, can I see DOM Y, etc.
>E.g. installed plugins, content language, fonts.
Nobody installs plugins in 2025. Content language is basically like the geo-data the parent said, but coarser. And billions of people just have the same (default OS) fonts - plus iirc, there are browser mitigations against font enumeration for fingerprinting.
> the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
The size of a maximized window is unlikely to change unless either the desktop environment is updated in some way or the monitor (hardware) itself is swapped out.
GPU hardware is unlikely to change frequently and various idiosyncrasies can be fingerprinted via either webgl or webgpu.
Installed fonts probably don't change all that frequently.
I'd expect TCP stack fingerprinting to be fairly stable.
That's but a few examples off the top of my head. As long as only one characteristic changes at a time you can link the cluster together. Worse, if client side identifiers (e.g. cookies) aren't wiped simultaneously then you can link two entirely distinct fingerprints with full confidence.
It is what nmap does.
In theory, this would be a rich landscape for an entirely different abstraction layer for fingerprinting… However, I am skeptical that the typical fingerprinting tool chains are receiving data that reaches that far down in the stack…
Siteimprove Analytics appears to be confident enough about their cookieless tracking technology (compared to cookie based tracking) to claim:
In general, Visitor Hash is expected to be more persistent, resulting in a drop in the number of unique visitors. Since cookies are known to have an increasingly short lifetime, leading to overestimated data about unique visitors, we consider the Visitor Hash technology to be more accurate at capturing information about unique and returning visitors
When Cookieless tracking is enabled, it replaces the traditional use of cookies with a "Visitor Hash" made of non-personal information only. This information includes hashed IP and HTTP header values including browser type, browser version, browser language, and the user agent string. The Visitor Hash only consists of server-side attributes passed along by the website server.
Note: Siteimprove analytics does not collect client-side attributes. The Visitor Hash is used for the same functionality as the cookie and nothing else. For some websites, like intranets, there is an increased likelihood that the visitors could end up getting the same Visitor Hash as they might all be accessing the site from the same IP and on the same device setups. In those cases all page views would appear to be coming from one, or a few, visits. That's why we recommend excluding those domains from using cookieless tracking. See the "How to exclude domains from having cookieless tracking enabled" section below for more information.
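An added example, not Siteimprove's code, that puts the quoted description to a check: given a constructed access log, it counts visitors by cookie and by a Visitor Hash computed from the server-side fields the passage names (hashed IP, user agent, language), and surfaces the two failure modes the passage mentions, several intranet users collapsing into one hash behind a shared IP, and one visitor splitting into several after a browser update. The hashing layout and the salt are assumptions.

```python
"""Added example, not Siteimprove's code: audit how a server-side "Visitor Hash"
built from hashed IP plus HTTP header values behaves on a sample access log,
next to a cookie-based count. Log lines, hash layout and salt are constructed."""
import hashlib
from collections import defaultdict

# Constructed access log: (client_ip, user_agent, accept_language, cookie_id).
# Lines 1-3: two intranet users behind one NAT address on the same desktop image.
# Line 5: a visitor who cleared cookies.  Lines 6-7: one visitor before and
# after a browser update.
LOG = [
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0", "en-GB", "cookie-a"),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0", "en-GB", "cookie-b"),
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0", "en-GB", "cookie-a"),
    ("203.0.113.7", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "fr-FR", "cookie-c"),
    ("203.0.113.7", "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "fr-FR", ""),
    ("198.51.100.9", "Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Firefox/126.0", "de-DE", "cookie-d"),
    ("198.51.100.9", "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Firefox/127.0", "de-DE", "cookie-d"),
]

SALT = b"constructed-salt-rotate-in-production"  # placeholder value, assumption


def visitor_hash(ip, user_agent, accept_language, salt=SALT):
    """Hash over server-side attributes only. The IP is hashed on its own first
    (an assumed layout) so the raw address never enters the combined input;
    a separator byte stops 'a'+'bc' colliding with 'ab'+'c'."""
    ip_digest = hashlib.sha256(salt + ip.encode()).digest()
    h = hashlib.sha256(salt)
    for part in (ip_digest, user_agent.encode(), accept_language.encode()):
        h.update(part)
        h.update(b"\x1f")
    return h.hexdigest()[:16]


def cookie_visitors(log):
    """Cookie-based count: each distinct cookie is one visitor, and a request
    with no cookie is counted as a new visitor (what cookie clearing looks like)."""
    ids = {c for *_, c in log if c}
    blanks = sum(1 for *_, c in log if not c)
    return len(ids) + blanks


def hash_visitors(log):
    return len({visitor_hash(ip, ua, lang) for ip, ua, lang, _ in log})


def collision_groups(log):
    """Visitor Hashes seen with more than one cookie: several real visitors
    collapsed into one (the intranet case the vendor warns about)."""
    groups = defaultdict(set)
    for ip, ua, lang, cookie in log:
        if cookie:
            groups[visitor_hash(ip, ua, lang)].add(cookie)
    return {h: c for h, c in groups.items() if len(c) > 1}


def split_visitors(log):
    """Cookies seen with more than one Visitor Hash: one real visitor counted
    as several, e.g. after a browser update changes the user agent."""
    hashes = defaultdict(set)
    for ip, ua, lang, cookie in log:
        if cookie:
            hashes[cookie].add(visitor_hash(ip, ua, lang))
    return {c: h for c, h in hashes.items() if len(h) > 1}


def audit(log):
    """Summary a site owner can run over a real log before enabling the feature."""
    return {
        "cookie_visitors": cookie_visitors(log),
        "hash_visitors": hash_visitors(log),
        "largest_collision": max((len(c) for c in collision_groups(log).values()), default=0),
        "split_visitors": len(split_visitors(log)),
    }


if __name__ == "__main__":
    print(audit(LOG))
```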
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
I don't follow; consider hardware interrupts and their handling delays depending, say, on the combination of apps installed, the exact GPU driver version, etc.
An occasional update could change the relevant timings, but would be unlikely to change all timing distributions (since perhaps the GPU driver wasn't updated, or some other app wasn't).
>consider hardware interrupts and their handling delays depending say on the combination of apps installed
There's zero chance that apps on iOS and Android have access to "hardware interrupts" (whatever that means), because both platforms are too sandboxed. Moreover timing resolution on javascript has been nerfed since several years ago because of fears of spectre attacks.
>the exact gpu driver version, etc ...
If you're just rendering simple polygons, it's highly implausible that timings would change in between drivers. You might be able to tell driver versions apart if you spend hundreds/thousands of man-hours reverse engineering each driver version for quirks to test against, but I doubt they're pouring that much effort into this.
>"hardware interrupts" (whatever that means)
Hardware interrupts are a standard part of computing. (see https://en.wikipedia.org/wiki/Interrupt#Hardware_interrupts)
"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
And, at least previously, the timing of interrupts have been used to facilitate information leakage. For example:
"Through analyzing the interrupt time series produced from touchscreen controller, attacker’s chance of cracking user’s unlock pattern is increased substantially. The interrupt time series produced from Display Sub-System reveals unique UI refreshing patterns and could be leveraged as fingerprints to identify the app running in the foreground"
https://staff.ie.cuhk.edu.hk/~khzhang/my-papers/2016-oakland...
It's been awhile since I've looked closely at anything related to phones, but for decades /proc/interrupts was globally readable. It may still be.
>"Android also inherits the interrupt mechanism from Linux, which is designed for the efficient communication between the CPU and external devices. When new hardware events (e.g., user touching the screen) come, the corresponding hardware device (e.g., touchscreen controller) sends a signal to ask OS for immediate processing"
I'm not claiming interrupts don't exist, I'm claiming that they're not really a fingerprinting vector because Android is so locked down that all phones of the same model/OS version are going to have the same behavior. It might be an issue if you're using a xiaomi phone in the US or something, but if you're a normie with an iPhone there's tens and maybe hundreds of thousands of people with the same phone in a major metro.
>I'm not claiming interrupts don't exist
I thought you were confused because you said "hardware interrupts (whatever that means)", and put it in scare quotes?
>so locked down that all phones of the same model/OS version are going to have the same behavior.
That's not how hardware interrupts work, though. The behavior is 100% user dependent. Me and you type at different speeds, times, etc. The hardware interrupts that result from me and you typing are, therefore, going to be completely distinct. The interrupt itself will be the same, but the timing of those interrupts is unique.
Whether or not /proc/interrupts remains globally readable is something I'm not confident on, but at the time of the paper (which was after sandboxing was first implemented in Android), it was globally readable and a valid side-channel for information leakage including as fingerprinting vector.
Hopefully that clears up what a hardware interrupt means, and why they are (or, at least used to be), a valid fingerprinting technique.
I have no idea what ads they serve me because I have ad blindness. My brain just refuses to perceive them.
Even when they float over the text I am trying to read, I do not see them.
Every person says this, but it's a massive industry for a reason. It's the same as with The North Face logo on jackets. You're never paying attention and you don't recall any specific person wearing the jacket. But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it.
Some online ads want to grab your attention, but most are just about building almost-subliminal connections like that.
>But somehow, when it's time to buy a jacket, you know about the brand, and know all the people in your socioeconomic circle seem to like it. //
Yes, but it's not usually a conscious thing. People assume that advertising doesn't affect them -- it does, it's brainwashing.
However, I've recently found that I'm so eager not to be swayed by advertising that I can't buy things I've consciously seen advertised at me because then `they` will have won. Of course I still pick out the fizzy drink brand advertised to me when I don't want to engage my brain over a triviality like picking a cold drink at work ...
I wouldn’t claim to not notice ads. Especially ads that interrupt videos. I remember quite a few of them. But, even the ones that are initially a little amusing become annoying with repetition, and what initially seemed mildly amusing instead seems just stupid.
I don’t know what “north face” is. Personally I have a strong preference to not display any brand logos myself. People considering some brand to be “fashionable” seems kind of absurd to me?
I don’t feel like the ads I’ve seen influence my purchasing decisions much? Because most of the things I see ads for, aren’t things I would be interested in. I get ads for like, women’s clothing (I’m a man) home shopping sites (not in the market to buy a house at this stage of my life), horror movies (which I hate to see).
Well, I guess some candy ads have influenced me, in the opposite direction from what they intended. A kind of candy which was once among my favorites, I found the ads objectionable to a degree which I have pretty much committed to not buying any of it until they substantially change their advertising. Another brand I’ve never purchased because an ad of theirs covered the content of a webpage I was trying to view and kind of broke the site, and so I kind of regard them as bad actors?
I’d be willing to give advertisers a lot of information about what I would be interested in if I could be assured that they wouldn’t try to combine that information with any other information about me.
Personally, I block them. But the people running these programs think they can get all of us. They don't seem to understand that the harder they try the more they piss off people like me. Meaning I'll put in more effort to circumvent or poison their data, making them spend a disproportionate amount of money on people like me. At this point I don't think they'll give up, so let's find out who can live the longest. The number of people on my side is growing.
I'm with you, but my take is that advertainment only scales big, so we are mostly collateral noise to the designers who have to balance many different factors, the main one being that the market they have brainwashed is as a result, fickle, and insists on being entertained, with most of the work force in advertising also consuming the product in a world of always almost, never quite satiated quest for the something™ that will get them off the treadmill. The very fact that anything imaginable is available, anywhere, right now, up front, delivered, only highlights the sameness of it all, where the tracking and fingerprinting results in people buying whatever they glanced at, casually and innocently, but now own some glitzy cheap, likely broken facsimile, and are now under intense pressure to buy another one. So advertainment gives its reek of edgy mindless frustration to the whole world. So ya, turn off scripts and storage, run some blockers, and remember to be nice to all the people actually helping and doing things in the real world.
Sure but it's about pareto efficiency. How much do you capture? It's a percentage. But you have to spend infinite resources to get to 100%. They just see number go up...
Ads definitely have an effect on me: the more intrusive they are, the more I remember them and tend to not buy that product and ignore the company altogether.
But generally I'm not exposed to a lot of ads thanks to the adblockers I use. And the Duckduckgo browser on Android, besides generally blocking network access for apps with Netguard.
The massive industry exists for various reasons, but mainly because people have been trained from early on to get something "for free" without pondering the hidden long-term costs.
Disclaimer: prefer to pay or sponsor useful apps or services instead. And my North Face wind stopper vest is more than 20 years old, the raincoat 10+ years and both are still serving me well ;-)
Every person says this too, but it ignores the diversity in types of people. I know someone who happily watches ads and makes purchasing decisions off it. I ignore them and do not. I don't believe I am being manipulated by the ads. The companies choose to advertise to target other people, and they lose money serving ads to people like me. But it's still a net win for them.
I stopped drinking soda this year and alcohol years ago. If you consumed any heavily advertised product this year, then you can't say ads don't work. Including products like Cursor.
I mean, ads work the same way those obnoxious Mr Beast faces in thumbnails work: I never click on any video like that, but they obviously work for attracting a general public. It's even kind of funny how aggressively the algorithm tries to push them to me: if I were to anthropomorphize it, I'd say its desperation to drag me to a popular cluster is palpable.
So, "ads work" doesn't mean they will work for everyone at the individual level or won't have the opposite effect for some.
I take a bit of an opposite approach. For the most part, if I'm stuck hearing an ad, I just blacklist the company.
I change my VPN country daily.
The ads are then in a language I don't even understand.. and for products not for sale in my country.
This is a top tier super power. uBlock on Firefox and AdGuard on iPhone are pretty effective. When I actually see an ad it physically hurts.
On iPhone check out the Orion browser. It blocks ads, even on YouTube. Though sometimes video quality goes low (manually set it higher to fix). Firefox Focus also works, but only with one tab.
If on Android, check out ReVanced. You can remove ads from lots of apps. Highly recommend Firefox as well.
Brave is also extremely effective at removing ads while keeping websites functional (including YouTube). It even has some fingerprinting protection. (and before someone complains, you can disable all the crypto stuff)
Sure, but personally I'm against recommending different flavors of Chrome. Brave is a nice idea, but it still gives undue power to Google because at the end of the day, they control Chromium. It also makes a hard problem for Chromium reskins, as they keep finding things Chromium can use to track their users...
A fingerprint is composed of many signals. Even if a few of those signals change, the less-specific fingerprint made by the remaining signals can still be used to infer who a user is. And it doesn't need to be perfect: having a good idea that someone who almost looks like you from yesterday was interested in cat food is a good enough reason to auction ad space to cat food companies today.
Wouldn’t things like iCloud Private Relay and other VPN-ish things throw a wrench into IP-geo-based tracking? Seems like it’d make the targeting so broad as to be useless.
As an aside, we just spent a couple of weeks camping in our RV with a cellular router connected to a VPN at home. Now that we're back home, Google maps (on a non-GPS equipped device) and Roku still think we're at the campground several states away. I guess my GPS equipped tablet reported the new location of our home IP address. On past experience, it takes about a week to reset.
I don't know a lot about iCloud in particular, but in general there are not enough active VPN users to make a noticeable difference in tracking. By its nature ad tracking does not have to be super accurate in the aggregate to beat a wild guess.
If you look at app download charts, the main VPN companies dominate. So I suspect there are sufficient active users.
VPN does.
If I change to, for example, Hong Kong, all Spotify, YouTube etc. are then for HK/Chinese products and spoken in Mandarin/Cantonese.
I change country daily, it's good fun.
Conveniently for them, iCloud private relay only really impacts browser usage, third party apps are only impacted when using unencrypted connections, which is unlikely.
iCloud Private Relay has always kept the IP in the same city for me.
Mine is also in a city 146 kilometers away.
> A lot of the big ad networks right now instead rely heavily on geo-data
How does this work in today's age, where ISPs normally have at least one level of NATing with IPv4? And given that IPv6 with prefix delegation is still far away, this should continue to be very imprecise?
> ISPs normally have at least one level of NATing with IPv4.
I don't think that's generally true for home DSL/cable/fiber service. I've only seen it on mobile internet.
Not sure about the US, but Indian ISPs are doing this already to conserve IP space given the huge userbase. In theory it would work similarly to how a NAT gateway works for outbound communication. Skan + geo would be a hard nut to crack in India.
In UK I'm now on FTTP but even on ADSL the house would have an IP address that normally stayed constant until a router reboot. This seems to be pretty common in the UK. Probably on cable internet (and on mobile ofc) you get NAT-ed but I've never had that.
In Australia most ISPs use CGNAT by default and you have to specifically request a dedicated IP if you want to host a Minecraft server or something.
It still works because those CGNAT shared IPs still vaguely correspond to a certain geography. It won't be accurate enough to target a specific home, but still accurate enough to target a specific neighborhood, for instance.
Assuming an ext-IP (60k ports) can easily represent 100 households if we statically assign ports. Given CGNAT with dynamic port allocation, this can easily go up 5x? That's wildly inaccurate given the core problem is to "target" a small set of users based on this geo info. Not sure how well this elephant sits in a room full of engineers solving this specific targeting problem.
I’ve never had an unroutable IP in the US
CGNAT does not mean an unroutable IP; it just means you are only assigned a small range of ports on a routable IP shared with others.
Billboards are still among the most effective forms of advertising in terms of efficiency. You don’t need to be very close. I see myself popping up probably 10 miles from where I’m actually at, but the businesses aren’t that inaccessible.
fingerprint.com claims that they can fingerprint a user with >90% accuracy over 120 days. A half-life of a few days is awfully optimistic.
> And the reality is that even a really precise fingerprint has a half-life of only a few days (especially if it's based on characteristics like window size or software versions).
A fingerprint that changes only by the increase of a browser version isn’t dead; it’s stronger.
I'm not sure if I understand this. If you show up on a website one day with one fingerprint, but on the next day it was a different fingerprint, there's no way to connect that it's the same device unless it wasn't a core trait of the fingerprint in the first place.
I think you’re thinking that the fingerprint is reported as a single hash (e.g. SHA512) of multiple attributes, which would of course change if a single bit was different. But there’s no reason they would be reported that way. It could be (and probably more likely) a big data structure of all the values. It would be easy to see that only a few things changed.
If everything is the same but the browser version, a day later how is that not the same person?
>it’s stronger.
marginally given that most browsers auto-update.
> As someone who works in this tech space, nobody brings up how long fingerprints persist. And the reality is that even a really precise fingerprint has a half-life of only a few days
True that. We use cookies + fingerprints to monitor for license compliance (i.e. ensure users are not id/password sharing). Sometimes we can use a fingerprint to recover a deleted cookie, but not all that often. What would really help is a fingerprint transition matrix, so we could make some probabilistic guesses.
>A lot of the big ad networks right now instead rely heavily on geo-data. Which is why you are probably seeing lots of ads in your feeds that seemingly cross between devices or are relating to interests of your spouse/friends/etc. They just look at the geo on your IP and literally flood the zone.
I don't see them and nor does my spouse. Ads aren't allowed in my house (to mangle the words of a famous adtech company).
> your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies — which users can delete or block — fingerprinting is much harder to detect or prevent.
Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
more idle thoughts - it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off. I suppose monopolizing from the start was too lucrative to let it be free. Yet there really is little recourse for privacy enthusiasts. I've entertained the idea of using my own scraper, so I can access the web offline, though it seems like more trouble than it's worth.
"a proper open source browser never took off"
That's... not accurate at all. Firefox was extremely popular at one point, and completely ate the lunch of everything else out there. (And then Google used anticompetitive practices to squash it, but that came later.)
> then Google used anticompetitive practices to squash it
Not exactly. Apple happened.
Every "web designer" had to work on a MacBook to be different like everyone else. And Firefox had dismal performance on those MacBooks, so said designers turned to the only browser with good tools and good enough performance: Chrome.
Next time you're told "performance doesn't matter", remember how it can be a differentiating feature and could cost you your market share.
All the front-end devs I knew at the time switched to Macbooks after the Intel switch, because you could get a Unix-based machine that could run Safari and Firefox natively, and Internet Explorer in a VM. Chrome wasn’t even released at that point.
> Every "web designer" had to work on a macbook
Sorry? Why? I must’ve missed that memo :)
Google didn't use anticompetitive practices to squash it. They just made a better browser. When Chrome came out it was significantly better than Firefox. That's why people switched.
To be honest it's still better (at least if you ignore the manifest V3 nonsense).
I think it's pretty debatable that Chrome is currently better, but you're definitely correct. When Chrome first debuted (and for years afterwards) it was clearly superior to Firefox.
What's surprising is that, over time, Firefox has done virtually nothing to reduce the impact of fingerprinting.
Why on earth are we, in 2025, still sending overly detailed User Agent strings? Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0 .... There are zero legitimate reasons for websites to know I'm running X11 on x86_64 Linux. Zero.
Why are Refer(r)ers still on by default?
Why can JS be used to enumerate the list of fonts I have installed on my system?
We need way more granular permission controls, and more sensible defaults. There are plugins to achieve this, but that's a big hassle.
Because the users of web browsers expect compatibility. If one vendor unilaterally decides to stop supporting some browser APIs, the result isn't better privacy. The result is that people switch to other browsers.
> Ironically, the more fine tuned and hardened your device, OS, and browser are for security and privacy, the worse your fingerprint liability becomes.
1. You could (however, I doubt the effectiveness) use something like brave which tries to randomize your fingerprint.
2. You could "blend in with the crowd" and use tor.
2. is almost immediately fingerprintable even with JS enabled. 0.00% similarity for canvas, 0.09% similarity for font list, 0.39% for "Navigator properties", 0.57% for useragent. with JS disabled (best practices for tor) it's even worse. maybe this works for windows users?
(debian, latest tor browser 14.5.3, no modifications)
In two separate private browser windows, I was identified as unique, so does that mean a fingerprint across private browser tabs would not work?
If you have Firefox with "resist fingerprinting" enabled then you are feeding it some dummy data. People worry about the fact that this might make you "unique," but fail to grasp that if you look differently unique every time you're not necessarily identifiable.
I think it's a matter of "least common denominator", as in the sum of all fields will surely be unique, but what's the _minimum_ number of fields needed to isolate one user? You can download the JSON from each test and compare the diffs yourself - there's a lot of noise from "cpt" and "ratio" fields, but some that stand out are the "referer" and "cookie" fields as well as a few SSL attributes. Not sure if controlling for those is all it takes to de-anonymize, but either way it's not great.
> it's strange and disappointing that in the vast space and history of FOSS tools, a proper open source browser never took off.
What makes you disqualify Firefox from being a "proper open source browser"?
> What makes you disqualify Firefox from being a "proper open source browser"?
- June 2024. Mozilla acquires Anonym, an ad metrics firm.
- July 2024. Mozilla adds Privacy-Preserving Attribution (PPA), feature is enabled by default. Developed in cooperation with Meta (Facebook).
- Feb 2025. Mozilla updates its Privacy FAQ and TOS. "does not sell data about you." becomes "... in the way that most people think about it".
Yes, "PPA" is absolutely shady; it is a browser cooperating with ad companies behind the user's back. I do not understand why I need this on my computer.
FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests. That was an original selling point of FF, and to this day the user base is mainly comprised of individuals (who were at one point or another) seeking free and open alternatives. Sadly Mozilla as an organization has made increasingly user-hostile decisions (deals with Google, recent changes in privacy policy, some telemetry on by default) and FF no longer lives up to the original promise. But yes, thanks to the code being open source there are off-shoots like LibreWolf and Waterfox that may be worthwhile (I haven't vetted them), but it's the same dilemma as with Chrome: the upstream code is captured and controlled by an organization that I don't trust to respect user privacy.
> FOSS is a flexible term but carries the connotation of community ownership, and therefore independence from for-profit interests.
That's certainly not true. Unless Red Hat, MongoDB, Chef, etc. are not open source.
While I love to believe that the FOSS world is an anarchist utopia that believes in wellbeing for all, I think there are plenty of profit driven people there. They just don't sell access to the code/software.
This is just making better the enemy of best.
In reality people espouse this opinion then continue using Chrome or Chromium browsers.
see original comment:
> Yet there really is little recourse for privacy enthusiasts
At one point, Firefox (3.5 specifically) was #1, for a brief moment:
> Between mid-December 2009 and February 2010, Firefox 3.5 was the most popular browser (when counting individual browser versions) according to StatCounter, and as of February 2010 was one of the top 3 browser versions according to Net Applications. Both milestones involved passing Internet Explorer 7, which previously held the No. 1 and No. 3 spots in popularity according to StatCounter and Net Applications, respectively - https://en.wikipedia.org/wiki/Firefox_3.5
Then Chrome appeared and flattened both IE and Firefox.
lol, and I used neither. Opera all the way until...
Millions of people use it. What's the latest usage number? 5% or something?
There's 5 billion people on the internet. 5% of that is 250 million.
Some companies would kill for user numbers like that. Hell, some would slaughter entire villages.
Define taking off then. Everyone knows Firefox and some people even like it
> “Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
Maybe if you live in a bubble where documentation published outside of academia doesn't exist. Tracking vendors themselves have claimed to be fingerprinting users' browsers in their privacy policies for over a decade.
This isn't about bubbles or ignorance of the "Real World (TM)". I think this reading shows own biases about academia vs industry more than anything else.
They provide proof that fingerprinting is not only actively used, but also used effectively at that. That vendors claimed they could and would use this is still not proof, let alone gives any insight into its effectiveness or the magnitude of the problem. So this is useful work.
Especially since the extent to which it is effective in "benign" ads is also indicative of the extent to which it would be successful for tracking by other agencies.
Why wouldn’t admitting doing something be proof, and what else would TRACKING PIXELS be used for?
It is clearly in these companies best interest to use these things for snooping on the world’s internet users.
Tracking pixels aren't for fingerprinting, they're just regular tracking. You can block them fairly easily (just block the 3rd party request to the known tracker). Fingerprinting is a lot more difficult to detect and prevent. Companies claiming they reserve the right to do it is a good reason to take precautions, but without insight into what is actually being done, that's hard to effectively do (without resorting to blocking all possible vectors, like Tor Browser).
Aren't the companies who say they're doing this actually selling these capabilities to others? So it's in their interest to pretend to be able to do more / better than what they actually can do. Especially when the clients have little capability to verify what actually happens. So no, their saying "we can do it" doesn't actually mean that they can.
As a user who doesn't have a horse in this race (I work for a "captive clients" company, so ads don't help much, nor do we sell any ads), what I notice is that ads I'm served are absolutely absurd. It's either Google Maps trying to sell me some hotel 50 meters from my home (I live alone, so I fail to see any reason why I'd go for that), or Instagram which somehow figured I'd be interested in buying bras for pregnant women (I'm a male, and I'm single).
More recently, Instagram tries to sell me Range Rovers. Where I live, there's a tax on "heavy vehicles", traffic is absolutely crazy, and we have usable public transit (which I use – while scrolling Instagram). Buying a big-ass car wouldn't help me in any conceivable way, and would be an all-round nuisance.
What leaves me flabbergasted, is that my only interactions with Instagram are around photography. I only follow photographers, who shoot landscapes and similar, I always leave the app when I'm presented with naked girls or other "reels'. So I could maybe, possibly, be convinced to buy some new camera or photo gear. Guess what I never see advertised on Instagram?
This is where gambling and vaping come in…
As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude that adtech is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
So then:
What to do with this massive infrastructure and billions of dollars of investment and workers employed by this global machine?
This is where gambling and vaping come in.
> As a viewer of ridiculous ad placements, and as a frustrated buyer of online ads, I continue to conclude that adtech is largely snake oil. In fact, I encourage you to look into the well-founded claims and research which call into question the very activity of marketing as a whole.
At least from my own anecdotal observations (including conversations with confused less technical friends and relatives started by questions like "how does this website know enough about me to show me that ad?"), the issue to me seems less that ad tech doesn't ever produce relevant ads, but that in practice very few people actually click ads, much less buy things from the destination, regardless of whether the ads are relevant or not. If anything, seeing a well-targeted ad often makes people feel creeped out, and their reaction isn't to go "oooh yes, that's perfect for me, let me click it", but to immediately close the browser tab and maybe even avoid the website that showed it to them in the future (because it's not obvious to a lay user that the ads are usually sourced from another party rather than the website itself). Slightly more tech-savvy users might even be aware of how ads are sometimes a vector for malware and avoid clicking them because the risk of getting something nasty isn't worth the probably quite low reward of buying something they could probably find just as easily on their own by actively looking. In practice, I have to wonder if it even matters whether adtech is effective at targeting or not, because I'm skeptical that the way people interact with ads ever would generate enough revenue to be worth it.
Disclosure is not proof, especially when they have something to sell you.
You're coming at it from this type of tracking being an accusation of bad behaviour and the company having to admit it, like they have to admit a security breach losing personal data.
That's a reasonable approach. It's also incorrect. These companies think tracking users is a great thing. They aren't admitting it, they are boasting about it.
There have been source code leaks from major websites which clearly show fingerprinting tools being used.
It's been known in academia for at least half a decade as well. See:
https://petsymposium.org/popets/2021/popets-2021-0004.pdf
Hell, before that, we knew Flash was being used to get the list of fonts you have installed (for tracking purposes). You're right that these quotes are just plain wrong.
This has suddenly made me wonder how often fingerprinting of installed fonts is used to find targets working for particular companies. Quite a lot of organisations now have their own font, or a particular uncommon font they favour for brand purposes at least.
Well, nobody has Flash installed anymore (I hope) and I don't believe there is a "modern" way to obtaining a font list (that works on all/majority of browsers). So, at face value, looking at installed fonts doesn't sound like a meaningful attack vector these days.
Some people live in bubbles. I have been aware of https://github.com/fingerprintjs/fingerprintjs for almost 10 years now, or some version of it. I stumbled on it when I wanted to keep track of spammy/abusive visitors on an old project.
They consider me to have different visitor IDs when opening their demo page[1] in a regular window, and an incognito window on the same device. If this is state of the art I'm not too worried.
I think the nuance here is that academic research often wants concrete, measurable evidence that can't just be hand-waved away by "well, it was mentioned in a privacy policy."
I’m not saying we should stop caring about online privacy, but the extent to which we fight fingerprinting while not actually solving the problem has made the web worse. It’s kinda like the argument for gun control: the unsavory folk will still fingerprint your browsing while the well-mannered sites suffer from a lack of features due to aversion to any persistent handle on the users they might provide, like strong crypto, because uh-oh, a pub key would give you a “super-cookie” so we can’t have that.
Sites need to realize that offering a public presentation means they're at the whim of user-agents.
Most of the bullshit over the past couple decades has been them trying to pull control back to server-side.
That’s somewhat different from user-agents refusing to implement useful features because they might have privacy implications.
>while the well-mannered sites suffer from lack of features due to aversion to any persistent handle on the users they might provide
Yeah, hard pass.
The paper might have put this better by saying they can prove it without the need for disclosure.