Websites are tracking you via browser fingerprinting

Scope and goals of the research

  • Commenters note fingerprinting has been known and deployed for over a decade, but prior work mostly showed scripts could fingerprint, not that it was actually used for ad tracking at scale.
  • This paper’s claimed contribution (via FPTrace) is tying fingerprint changes to ad auction behavior, showing that ad systems really use fingerprints for targeting and to bypass consent/opt-outs (e.g. GDPR/CCPA), not just for fraud/bot detection.

How fingerprinting works and what’s collected

  • Fingerprints combine many attributes: UA string, headers, fonts, screen size, GPU/CPU details, media capabilities, timezone/language, storage and permission state, sensors, WebGL/canvas behavior, and sometimes lower-level network or TLS signatures.
  • Timing side channels (render speed, interrupts, TCP timestamps, human typing/mouse dynamics) are cited as additional long-lived signals.
  • Modern privacy tests (EFF, amiunique, CreepJS, fingerprint.com) demonstrate how easily browsers become statistically unique, though some commenters question their methodology and traffic representativeness.

Persistence, uniqueness, and effectiveness

  • Strong disagreement over “half-life of a few days”:
    • One side argues many attributes (versions, window size) change quickly, making long-term tracking fragile.
    • Others say many properties (hardware, fonts, GPU, sensors, stack behavior) are stable, and trackers can link evolving fingerprints via overlap and cookies.
  • Important distinction: uniqueness vs persistence. Being “unique” in a niche test set doesn’t mean globally unique; randomized or spoofed fingerprints may look unique each visit, which actually reduces linkability.
  • Several people think adtech’s real-world effectiveness is overstated and often resembles snake oil, though others point out 90%+ long-term match claims from commercial vendors.
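
The uniqueness-versus-persistence distinction above, as an added illustration (not code from the discussion or the paper): it scores the same visits both ways, so a randomizing browser shows up as "unique" on each day yet cannot be linked across days, while two ordinary browsers stay linkable despite a version bump and a window resize. The visitors, attribute values and the 0.5 overlap threshold are constructed assumptions.

```python
from collections import Counter

ATTRS = ("ua", "screen", "tz", "fonts", "canvas", "gpu")

def fp(*values):
    """Build one fingerprint record from values given in ATTRS order."""
    return dict(zip(ATTRS, values))

# Constructed sample data. Keys are ground-truth labels used only for scoring.
# alice updates her browser, bob resizes his window, carol's browser
# randomizes screen, fonts, canvas and GPU readouts on every visit.
DAY1 = {
    "alice": fp("Firefox/126", "1920x1080", "Europe/Berlin", "f-a1", "c-19", "g-intel"),
    "bob":   fp("Chrome/125", "2560x1440", "America/New_York", "f-b2", "c-7f", "g-nv"),
    "carol": fp("Firefox/126", "1400x900", "UTC", "f-r91", "c-r3d", "g-raa"),
}
DAY2 = {
    "alice": fp("Firefox/127", "1920x1080", "Europe/Berlin", "f-a1", "c-19", "g-intel"),
    "bob":   fp("Chrome/125", "1280x720", "America/New_York", "f-b2", "c-7f", "g-nv"),
    "carol": fp("Firefox/126", "1000x1000", "UTC", "f-r17", "c-re2", "g-r5b"),
}

def unique_fraction(visits):
    """Uniqueness: share of visitors whose exact fingerprint occurs only once."""
    keys = [tuple(v[a] for a in ATTRS) for v in visits.values()]
    counts = Counter(keys)
    return sum(counts[k] == 1 for k in keys) / len(keys)

def overlap(a, b):
    """Fraction of attributes with identical values in two fingerprints."""
    return sum(a[k] == b[k] for k in ATTRS) / len(ATTRS)

def link(old, new, threshold=0.5):
    """Persistence: map each new visit to its best-overlapping old visitor,
    or None when even the best overlap does not exceed the threshold."""
    linked = {}
    for who, f in new.items():
        best = max(old, key=lambda o: overlap(old[o], f))
        linked[who] = best if overlap(old[best], f) > threshold else None
    return linked

if __name__ == "__main__":
    print("unique day 1:", unique_fraction(DAY1))
    print("unique day 2:", unique_fraction(DAY2))
    print("linked:", link(DAY1, DAY2))
```

A privacy-test site reports only the first number; the second is the one that determines whether a defense actually breaks tracking across visits.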

IP/geo and cross-device behavior

  • Multiple comments say large ad networks lean heavily on IP-based geo and “flood” an area, which explains household and cross-device ad effects.
  • VPNs, CGNAT, iCloud Private Relay, mobile IPs, and geolocation drift add noise but often still allow neighborhood-level targeting; some ads obviously change when switching VPN countries.

Defenses, tradeoffs, and practical limits

  • Common mitigations: disabling JavaScript, using Tor/Mullvad/Brave, Firefox’s resistFingerprinting and letterboxing, anti-detect browsers (mainly used for fraud/ban evasion), VPNs, adblockers, strict JS and storage controls.
  • Tradeoffs are severe: many sites break without JS; aggressive privacy settings increase “weirdness” and can both aid fingerprinting and trigger bot defenses.
  • Randomization and dummy data can defeat persistence but often cause privacy-test sites to label you “unique,” confusing users.
  • Some argue the only robust strategy is drastically reducing exposed APIs and surface area; others think browsers are constrained by web compatibility and user expectations.

Browsers, standards, and regulation

  • Criticism that mainstream browsers, especially those touting privacy, still leak excessive information (detailed UA, referer, fonts, battery, etc.) and move slowly to restrict APIs.
  • Debate over whether open-source options (particularly Firefox and derivatives) remain meaningfully privacy-respecting given funding sources and recent ad-related features.
  • Several call for stronger regulation and enforcement, since technical defenses alone create an endless cat-and-mouse game while tracking steadily improves.