I imagine that most people who take an interest in de-Googling are concerned about privacy. Privacy on the Internet is a somewhat nebulous concept, but one aspect of privacy is surely the prevention…
I imagine that most people who take an interest in de-Googling are concerned about privacy. Privacy on the Internet is a somewhat nebulous concept, but one aspect of privacy is surely the prevention of your web browsing behaviour being propagated from one organization to another. I don’t want my medical insurers to know, for example, that I’ve been researching coronary artery disease. And even though my personal safety and liberty probably aren’t at stake, I don’t want to give any support to the global advertising behemoth, by allowing advertisers access to better information about me.
Unfortunately, while distancing yourself from Google and its services might be a necessary first step in protecting your privacy, it’s far from the last. There’s more to do, and it’s getting harder to do it, because of browser fingerprinting.
How we got here
Until about five years ago, our main concern surrounding browser privacy was probably the use of third-party tracking cookies. The original intent behind cookies was that they would allow a web browser and a web server to engage in a conversation over a period of time. The HTTP protocol that web servers use is stateless; that is, each interaction between browser and server is expected to be complete in itself. Having the browser and the server exchange a cookie (which could just be a random number) in each interaction allowed the server to associate each browser with an ongoing conversation. This was, and is, a legitimate use of cookies, one that is necessary for almost all interactive web-based services. If the cookie is short-lived, and only applies to a single conversation with a single web server, it’s not a privacy concern.
Unfortunately, web browsers for a long time lacked the ability to distinguish between privacy-sparing and privacy-breaking uses of cookies. If many different websites issue pages that contain links to the same server – usually some kind of advertising service – then the browser would send cookies to that server, thinking it was being helpful. This behaviour effectively linked web-based services together, allowing them to share information about their users. The process is a bit more complicated than I’m making it out to be, but these third-party cookies were of such concern that, in Europe at least, legislation was enacted to force websites to disclose that they were using them.
Browsers eventually got better at figuring out which cookies were helpful and which harmful and, for the most part, we don’t need to be too concerned about ‘tracking cookies’ these days. Not only can browsers mitigate their risks, there’s a far more sinister one: browser fingerprinting.
Browser fingerprinting
Browser fingerprinting does not depend on cookies. It’s resistant, to some extent, to privacy measures like VPNs. Worst of all, steps that we might take to mitigate the risk of fingerprinting can actually worsen the risk. It’s a privacy nightmare, and it’s getting worse.
Fingerprinting works by having the web server extract certain discrete elements of information from the browser, and combining those elements into a numerical identifier. Some of the information supplied by the browser is fundamental and necessary and, although a browser could fake it, such a measure is likely to break the website.
For example, a fingerprinting system knows, just from information that my browser always supplies (and probably has to), that I’m using version 144 of the Firefox browser, on Linux; my preferred language is English, and my time-zone is GMT. That, by itself, isn’t enough information to identify me uniquely, but it’s a step towards doing so.
To get more information, the fingerprinter needs to use more sophisticated methods which the browser could, in theory, block. For example, if the browser supports JavaScript – and they nearly all do – then the fingerprinter can figure out what fonts I have installed, what browser extensions I use, perhaps even what my hardware is. Worst of all, perhaps, it can extract a canvas fingerprint. Canvas fingerprinting works by having the browser run code that draws text (perhaps invisibly), and then retrieving the individual pixel data that it drew. This pixel data will differ subtly from one system to another, even drawing the same text, because of subtle differences in the graphics hardware and the operating system.
It appears that only about one browser in every thousand share the same canvas fingerprint. Again, this alone isn’t enough to identify me, but it’s another significant data point.
Fingerprinting can make use of even what appears to be trivial information. If, for example, I resize my browser window, the browser will probably make the next window the same size. It will probably remember my preference from one day to the next. If the fingerprinter knows my preferred browser window size is, say, 1287x892 pixels, that probably narrows down the search for my identify by a factor of a thousand or more.
Why crude methods to defeat fingerprinting don’t work
You might think that a simple way to prevent, or at least hamper, fingerprinting would be simply to disable JavaScript support in the browser. While this does defeat measures like canvas fingerprinting, it generates a significant data point of its own: the fact that JavaScript is disabled. Since almost every web browser in the world now supports JavaScript, turning it off as a measure to protect privacy is like going to the shopping mall wearing a ski mask. Sure, it hides your identify; but nobody’s going to want to serve you in stores. And disabling JavaScript will break many websites, including some pages on this one, because I use it to render math equations.
Less dramatic approaches to fingerprinting resistance have their own problems. For example, a debate has long raged about whether a browser should actually identify itself at all. The fact that I’m running Firefox on Linux probably puts me in a small, easily identified group. Perhaps my browser should instead tell the server I’m running Chrome on Windows? That’s a much larger group, after all.
The problem is that the fingerprinters can guess the browser and platform with pretty good accuracy using other methods, whether the browser reports this information or not. If the browser says something different to what the fingerprinter infers, we’re back in ski-mask territory.
What about more subtle methods to spoof the client’s behaviour? Browsers (or plug-ins) can modify the canvas drawing procedures, for example, to spoof the results of canvas fingerprinting. Unfortunately, these methods leave traces of their own, if they aren’t applied subtly. What’s more, if they’re applied rigorously enough to be effective, they can break websites that rely on them for normal operation.
All in all, browser fingerprinting is very hard to defeat, and organizations that want to track us have gotten disturbingly good at it.
Is there any good news?
Not much, frankly.
Before sinking into despondency, it’s worth bearing in mind that websites that attempt to demonstrate the efficacy of fingerprinting, like amiunique and fingerprint.com do not reflect how fingerprinting works in the real world. They’re operating on comparatively small sets of data and, for the most part, they’re not tracking users over days. Real-world tracking is much harder than these sites make it out to be. That’s not to say it’s too hard but it is, at best, a statistical approach, rather than an exact one.
In addition ‘uniqueness’, in itself, is not a strong measure of traceability. That my browser fingerprint is unique at some point in time is irrelevant if my fingerprint will be different tomorrow, whether it remains unique within the fingerprinter’s database or not.
Of course, these facts also mean that it’s difficult to assess the effectiveness of our countermeasures: our assessment can only be approximate, because we don’t actually know what real fingerprinters are doing.
Another small piece of good news is that browser developers are starting to realize how much of a hazard fingerprinting is, and to integrate more robust countermeasures. We don’t necessarily need to resort to plug-ins and extensions, which are themselves detectable and become part of the fingerprint. At present, Brave and Mullvad seems to be doing the most to resist fingerprinting, albeit in different ways. Librewolf has the same fingerprint resistance as Firefox, but it is turned on by default. Probably anti-fingerprinting methods will improve over time but, of course, the fingerprinters will get better at what they do, too.
So what can we do?
First, and most obviously, if you care about avoiding tracking, you must prevent long-lived cookies hanging around in the browser, and you must use a VPN. Ideally the VPN should rotate its endpoint regularly.
The fact that you’re using a VPN, of course, is something that the fingerprinters will know, and it is does make you stand out. Sophisticated fingerprinters won’t be defeated by a VPN alone. But if you don’t use a VPN, the trackers don’t even need to fingerprint you: your IP number, combined with a few other bits of routine information, will identify you immediately, and with near-certainty.
Many browsers can be configured to remove cookies when they seem not to be in use; Librewolf does this by default, and Firefox and Chrome do it in ‘incognito’ mode. The downside, of course, is that long-lived cookies are often used to store authentication status so, if you delete them, you’ll find yourself having to log in every time you look at a site that requires authentication. To mitigate this annoyance, browsers generally allow particular sites to be excluded from their cookie-burning policies.
Next, you need to be as unremarkable as possible. Fingerprinting is about uniqueness, so you should use the most popular browser on the most popular operating system on the kind of hardware you can buy from PC World. If you’re running the latest Chrome on the latest Windows 11 on a two-year-old, bog-standard laptop, you’re going to be one of a very large group. Of course Chrome, being a Google product, has its own privacy concerns, so you might be better off using a Chromium-based browser with reduced Google influence, like Brave.
You should endeavour to keep your computer in as near its stock configuration as possible. Don’t install anything (like fonts) that are reportable by the browser. Don’t install any extensions, and don’t change any settings. Use the same ‘light’ theme as everybody else, and use the browser with a maximized window, and always the same size. And so on.
If possible, use a browser that has built-in fingerprint resistance, like Mullvad or Librewolf (or Firefox with these features turned on).
If you take all these precautions, you can probably reduce the probability that you can be tracked by you browser fingerprint, over days or weeks, from about 99% to about 50%.
50% is still too high, of course.
If you enable fingerprinting resistance in Firefox, or use Librewolf, you’ll immediately encounter oddities. Most obviously, every time you open a new browser window, it will be the same size. Resizing the window may have odd results, as the browser will try to constrain certain screen elements to common size multiples. In addition, you won’t be able to change the theme.
You’ll probably find yourself facing more ‘CAPTCHA’ and similar identity challenges, because your browser will be unknown to the server. Websites don’t do this out of spite: hacking and fraud are rife on the Internet, and the operators of web-based services are rightly paranoid about client behaviour.
You’ll likely find that some websites just don’t work properly, in many small ways: wrong colours, misplaced text, that kind of thing. I’ve found these issues to be irritations rather than show-stoppers, but you might discover otherwise.
Is browser fingerprinting legal?
The short answer, I think, is that nobody knows, even within a specific jurisdiction. In the UK, the Information Commissioner’s Office takes a dim view of it, and it probably violates the spirit of the GDPR, if not the letter.
The GDPR is, for the most part, technologically neutral, although it has specific provisions for cookies, which were a significant concern at the time it was drafted. So far as I know, nobody has yet challenged browser fingerprinting under the GDPR, even though it seems to violate the provisions regarding consent. Since there are legitimate reasons for fingerprinting, such as hacking detection, organizations that do it could perhaps defend against a legal challenge on the basis that fingerprinting is necessary to operate their services safely. In the end, we really need specific, new legislation to address this privacy threat.
I suspect that many people who take an interest in Internet privacy don’t appreciate how hard it is to resist browser fingerprinting. Taking steps to reduce it leads to inconvenience and, with the present state of technology, even the most intrusive approaches are only partially effective. The data collected by fingerprinting is invisible to the user, and stored somewhere beyond the user’s reach.
On the other hand, browser fingerprinting produces only statistical results, and usually can’t be used to track or identify a user with certainty. The data it collects has a relatively short lifespan – days to weeks, not months or years. While it probably can be used for sinister purposes, my main concern is that it supports the intrusive, out-of-control online advertising industry, which has made a wasteland of the Internet.
In the end, it’s probably only going to be controlled by legislation and, even when that happens, the advertisers will seek new ways to make the Internet even more of a hellscape – they always do.
Read the original article
Comments
Some time ago I noticed that in Chrome, every time you click "Never translate $language", $language quietly gets added to the Accept-Language header that Chrome sends to every website!
My header ended up looking like a permuted version of this:
I never manually configured any of those extra languages in the browser settings. All I had done was tell Chrome not to translate a few pages on some foreign news sites. Chrome then turned those one-off choices into persistent signals attached to every request.en-US,en;q=0.9,zh-CN;q=0.8,de;q=0.7,ja;q=0.6I'd be surprised if anyone in my vicinity share my exact combination of languages in that exact order, so this seems like a pretty strong fingerprinting vector.
There was even a proposal to reduce this surface area, but it wasn't adopted:
https://github.com/explainers-by-googlers/reduce-accept-lang...
By hoofedear 2025-11-2220:38 Is Chrome trying to assume that, since you don’t want it to translate those pages/languages, that you can read them/want them in your header? Interesting
By FridayoLeary 2025-11-2223:021 reply That will just make you stand out more.
By 1718627440 2025-11-230:20 You can change the reported UA header independently of the UA you use.
By datavirtue 2025-11-2221:48 I only use it when I want to be tracked.
By SV_BubbleTime 2025-11-2221:014 reply Definitely a good STEP1, but it’s not like Firefox and Safari are finger printing secure.
By capitainenemo 2025-11-2221:24 Firefox does pretty damn well though, especially with privacy.resistFingerprinting set to true
By 8fingerlouie 2025-11-2223:05 Modern Safari is pretty damned good at randomizing fingerprints with Intelligent Tracking Prevention. With IOS 26 and MacOS 26, it's enabled in both private and non private browser windows (used to be only in private mode).
All "fingerprint" tests I've run have returned good results.
By Alive-in-2025 2025-11-2222:01 what about duck duck go? We need a simple chart: 1. What browsers are good at resisting finger printing 2. tell for each browser, does it work on android ad ios and apple and windows and linux 3. what setting are needed to achieve this
for bonus points, is there no way to strip all headers on chrome on control it better?
By fsflover 2025-11-2221:48 Tor Browser (based on Firefox) is.
By thaumasiotes 2025-11-2222:29 > There was even a proposal to reduce this surface area, but it wasn't adopted:
>> Instead of sending a full list of the users' preferred languages from browsers and letting sites figure out which language to use, we propose a language negotiation process in the browser, which means in addition to the Content-Language header, the site also needs to respond with a header indicating all languages it supports
Who thought that made sense? Show me the website that (1) is available in multiple languages, and also (2) can't display a list of languages to the user for manual selection.
By datavirtue 2025-11-2221:47 Hmmm...YouTube has been getting confused about the language and displaying random languages for the closed captions on videos. This was happening to me across smart TVs but I access YouTube randomly from various devices and browsers...but mostly Chrome when using a browser.
Using Chrome and caring about privacy? I thought, after Google killed uBlock Origin, it had become beyond clear these two things were incompatible, https://news.ycombinator.com/item?id=41905368
By anthk 2025-11-2222:38 There's a way to enforce loading UBo in Chromium but you need to download the extension by hand (git clone it from GitHub) and load it in "developer mode" in the extension settings. Also, you need to enable some legacy options related to extensions in about:flags.
By fsflover 2025-11-2221:46 Which, by design, doesn't protect you from actual spying, https://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-as...
Firefox w/ the Arkenfox user.js is probably as good as it gets in terms of privacy. By default, this config burns cookies on exit, standardizes the time zone to UTC, spoofs the canvas fingerprint, and does other helpful things. Basically, it makes Firefox expose the same information as the Tor browser.
In addition, I block most known advertizing/tracking domains at the DNS level (I run my own server, and use Hagezi's blacklists).
Finally, another suggestion would be to block all third party content by default using uBlock Origin and/or uMatrix. This will break a lot of websites, but automatically rules out most forms of tracking through things such as fonts hosted by Google, Adobe and others. I manually whitelist required third party domains (CDNs) for websites I frequently visit.
By samtheprogram 2025-11-2222:121 reply There's no point unless a critical mass of people use these tools. You will be the only one on your IP address using this configuration of masked fingerprinting, which is itself a fingerprint.
That's also why it's indeed useful when using Tor, because you're not identified by your base IP.
Unless we make this part of the culture, you have basically 0 recourse to browser fingerprinting except using Tor. Which can itself still be a useful fingerprint depending on the context.
EDIT: I'll add that using these tools outside of normal browsing use can be useful for obfuscating who's doing specific browsing, but it should be emphasized that using fingerprinting masking in isolation all the time is nearly as useful as not using them at all.
By cortesoft 2025-11-2223:21 Basically the XKCD license plate comic: https://xkcd.com/1105/
By codedokode 2025-11-2218:232 reply Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?
> block all third party content
It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.
Also imagine if browser didn't provide drawing API for canvas (if you would have to ship your own wasm rendering library). Canvas would become useless for fingerprinting and its usage would drop manyfold. And the browser would have less code and smaller attack surface.
> Does it hide GPU name that is exposed via WebGL/WebGPU? Does it hide internal IP address, available via WebRTC?
My GPU is reported as simply "Mozilla" by https://abrahamjuliot.github.io/creepjs/.
The number of cores is also set to 4 for everyone using this config and/or Tor.
> It's not going to work, because the fingerprinting script can be (and is often served) from first-party domain.
This may be true, but allowed third party content makes it trivially easy for Google and others to follow people around the Internet through fonts delivery systems among others.
I had forgotten I was running Ublock origin / Privacy Badger / Ghostry so I was a bit confused with the results from that site.
I think it is Ghostry that is faking the responses but I still have a pretty unique fingerprint according to https://coveryourtracks.eff.org/kcarter?aat=1
By ifh-hn 2025-11-2223:51 Isn't ghostry compromised? Having been bought out by an ad company?
If I infiltrate someone else’s computer, secretly run code in order to to exfiltrate data I risk prison time because objectively it seems to satisfy criminal laws over where I live.
How do prosecutors in any modern country/state not charge this behavior when done by a website owner?
The difference is that there's implied consent to run arbitrary (albeit sandboxed) code when you visit a website. Moreover it's not the website causing the code to be executed, it's your browser. Otherwise if the bar is "code is being run but the user doesn't know about it", it would lead to either any type of web pages with javascript being illegal (or maybe without javascript, given that CSS turing complete), or a cookie banner type situation where site asks for consent and everyone just blindly accepts.
Orion Browser (Kagi Product) prevents fingerprinters from running by default.
https://help.kagi.com/orion/privacy-and-security/preventing-...
By ashman5 2025-11-2220:31 Orion browser is also capable of running uBlock Origin (not Lite) on iOS.
By codedokode 2025-11-2218:371 reply How do they reliably detect fingerprinting? Did they solve the Halting Problem? Sounds fishy.
>The only efficient protection against fingerprinting is what Orion is doing — preventing any fingerprinter from running in the first place. Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking, built-in by default, making sure invasive fingerprinters never run on the page.
sounds like they block "known" fingerprinting scripts and call it a day.
This makes you inherently trackable, ironically. No trace is a massive trackable attribute, since almost nobody is untraceable.
By RamRodification 2025-11-2221:14 Hey look it's that invisible guy again!
By jorvi 2025-11-2221:15 > Orion is the only browser on the market that comes with full first-party and third-party ad and tracking script blocking
I love Kagi, but that is a laughable statement. Brave has been offering ad and fingerprint blocking for years now. The reason why they don't have full first party blocking ("aggressive" mode blocking) on by default is because it tends to break things.
By kachapopopow 2025-11-2218:441 reply All javascript based anti-fingerprinting is detectable and is also a major source of uniqueness!
By vorticalbox 2025-11-2220:231 reply Sure but if you are always unique for every website then you can’t be tracked overtime.
By HumanOstrich 2025-11-2222:07 They meant a signal of uniqueness for your setup that could still assist with tracking, not being unique for every site.
By capitainenemo 2025-11-2221:26 unfamiliar with the Arkenfox user.js but are any of these things that are beyond what firefox enables out of the box if you turn on privacy.resistFingerprinting ? Because what you describe seems to be all stuff it does just by flipping flag.
By hilbert42 2025-11-2221:17 "This will break a lot of websites, but automatically rules out most forms of tracking…"
Whether one breaks a lot of websites or not depends on the type of user one is. People who regularly use the Google ecosystem, Amazon and Social Media etc. cannot afford to break sites for obvious reasons, they too are those that websites are most interested in tracking and fingerprinting.
Those who use the web in the way advertisers and Big Tech intend users to use it are the most vulnerable, they're the ones who most need protection.
I break websites regularly but it doesn't worry me, I browse with the premise that there are more websites on the internet than I'll ever be able to visit and if I break sites or are blocked by paywalls then there are usually alternatives and workarounds.
But then I'm not a typical user, I block ads, I usually browse with JS off, kill cookies, use block lists, use multiple browsers (there are six on this deGoogled, rooted phone), browse from multiple machines—Windows, Linux and use multiple ISPs. Also, I've no Social media or Google accounts and rarely ever purchase stuff online. Internet access is via dynamic IP addresses and routers are rebooted often. There's more but you get the picture.
I assume browsing sans JS makes me a first-class target for fingerprinting and that websites know about me but it doesn't matter. Whatever I'm doing seems to work, over the years I've had very little trouble doing everything on the web that I want to do. Clearly I'm of little interest to advertisers and I never see ads let alone targeted ones. I used to use uBlock Origin but I don't bother now as browsing sans JS is just so effective at blocking ads.
I'm lucky in the fact that I use no service that would benefit from fingerprinting me. Whilst my web browsing is atypical of most users I reckon many could benefit by being more proactive—using multiple machines, browsers, ISPs etc.—to disrupt the outflow of personal data. For example, this is being written on a rooted Android using Privacy Browser from F-Droid sans JS and with block lists. If I really need to go to a site where JS is required, I can simply hit a toggle and turn on JS or alternatively use another browser.
As someone who utilizes these tools for anti-fraud purposes, Firefox is just as trackable if not more trackable than Chrome (especially because you stand out by using a niche browser in the first place).
Firefox exposes a massive amount of identifiable information via canvas, audio device and feature detection methods. There's also active methods to detect private windows, use of the developer console and more.
By vpShane 2025-11-2220:08 Of course. There's data where there isn't data.
-make client load something
-client doesn't load it
-add.fingerprint.point(client,'doesnltloadthings',1)
-detect if client does something only a certain browser does
-client does it
-add.fingerprint.point(client,'doesthisbrowsderthing',1)
-window was resized/moved, send a websocket snitch to the backend
- keep a consistent web socket open, or fetch a backend-api call for updates on X events - more calls are made, means user is probably scrolling, inject more things/different things.
I see some js obfuscators out there where I look at the js file and it's all mumbo jumbo.
It is indeed a privacy nightmare, where whatever we do feeds the algorithms to aide in making other people do things.
But it's also used in network security, organizations etc. Staff/employees will use the system a certain way, if something enters it without the behaviors, it's detectable. I assume that's what you mean in anti-fraud.
Sad part is we don't know what the data is ever used for, and it's often bought and sold and the cycle repeats.
By DeathArrow 2025-11-2222:21 There is also server side fingerprinting like JA4+ and others. Also, if you somehow evade fingeprinting, you have to prepare yourself to solve some very slow Google and Cloudflare captchas.
By maks198 2025-11-2219:16 [dead]
By kxrm 2025-11-2223:16 So there seems to be some confusion around fingerprinting related to identifying characteristics and tracking. These are two different things. Setting your timezone to UTC, masks that one characteristic of your "identity". But there are better signals for location than timezone, like GeoIP. Same with hiding capabilities. All this does is make the web harder for you but it doesn't make your untrackable. Trackability comes from a combination of factors both within and out of your browser's control. If you share your IP with a family of 4, and you go changing your request headers you are only making yourself MORE trackable. The fact that one request comes across with UTC as a timezone and others come back with EST or other timezones, means I now can track a single user on this single IP. This is made worse if you and your family are using different browsers or different devices.
So what do we care about? If you care about being untrackable, then you have a couple of options, rotate VPNs, or cycle your public facing IP often. Additionally, every request you make MUST change up the request headers. You could cycle between 50 different sets of headers. Combine these two and you will likely be very hard to fingerprint.
If you only care about being identified, use Tor + the Tor browser which makes A LOT of traffic look identical.
