Web fingerprinting is worse than I thought (2023)

Browser behavior and real-world tests

  • Multiple commenters tested fingerprint.com and similar demos:
    • Brave, Firefox, Chrome (even with “hardest” settings) often still yielded stable IDs across normal and private sessions; Tor Browser was the main case that consistently broke tracking.
    • Safari (especially Private mode) often produced different IDs between normal and private windows; some saw it as significantly better than Chrome for privacy.
    • Mullvad Browser + VPN could still be tracked by fingerprint.com for some users.
  • Brave’s built‑in fingerprinting protection and Shields were viewed as weaker than advertised; blocking scripts can break demos but may just hide the identifier UI.
  • Firefox’s privacy.resistFingerprinting and related privacy modes can reduce leakage but:
    • They break or degrade many sites (timezone forced to UTC, canvas glitches, Cloudflare loops, bot flags, issues on finance sites).
    • Several users reported still being uniquely fingerprinted or re-identified, especially when IPs are static.
  • LibreWolf and plugin-heavy Firefox setups often trigger more captchas and bot checks, indicating that “hardened” profiles themselves become fingerprints.

How fingerprinting works and its limits

  • Signals mentioned: browser/OS versions, CPU count, screen/viewport size, fonts, codecs, timezone/locale, touchpoints, GPU/canvas/WebGL artifacts, extensions/adblockers, timing/CPU performance, and TLS/JA3/JA4 fingerprints.
  • On homogeneous platforms like iPhones, fingerprinting is weaker but still possible via regional settings, font sets, rollout timing of versions, and subtle rendering differences.
  • IP address:
    • Some see it as a major signal (stable home prefixes, household-level ID).
    • Others note IPv6 rotation and MAC randomization, though home prefixes can remain static for years.
  • Stability over time: Fingerprints can ignore fast-changing attributes (like browser version) and rely more on hardware and network invariants; un-hashed/raw attributes let trackers link “old” and “new” fingerprints.
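To make the stability point concrete, here is an added illustration (not code from the thread or from fingerprint.com) using two constructed sessions of one device: a naive ID over every attribute changes after a browser update, an ID over hardware/network invariants does not, and keeping the raw attributes lets the “old” and “new” records be linked even when the hashed IDs differ. Attribute names and values are made up for the example.

```javascript
// Constructed sessions: same machine, before and after a browser update plus a window resize.
const SESSION_OLD = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0',
  hardwareConcurrency: 8,
  screen: '2560x1440',
  viewport: '1280x900',
  timezone: 'Europe/Berlin',
  fonts: 'DejaVu Sans,Liberation Mono,Noto Sans',
  webglRenderer: 'Mesa Intel(R) UHD Graphics 620',
  ipPrefix: '2001:db8:1234::/48', // documentation prefix, stands in for a static home prefix
};
const SESSION_NEW = {
  ...SESSION_OLD,
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0',
  viewport: '1400x950',
};

// Attributes that change with releases or resizes, versus hardware/network invariants.
const VOLATILE = ['userAgent', 'viewport'];
const STABLE = ['hardwareConcurrency', 'screen', 'timezone', 'fonts', 'webglRenderer', 'ipPrefix'];

// FNV-1a 32-bit hash; a toy stand-in for whatever hash a real tracker uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (const ch of str) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Hash a chosen subset of attributes into an opaque identifier.
function fingerprintId(attrs, keys) {
  return fnv1a(keys.map((k) => `${k}=${attrs[k]}`).join('|'));
}

// Linking on raw attributes: share of stable attributes that agree between two records.
// A tracker that stored raw values (not just the hash) can use this to merge old and new IDs.
function linkScore(a, b) {
  return STABLE.filter((k) => a[k] === b[k]).length / STABLE.length;
}

const ALL = [...VOLATILE, ...STABLE];
console.log('naive IDs differ after update:', fingerprintId(SESSION_OLD, ALL) !== fingerprintId(SESSION_NEW, ALL));
console.log('stable-subset IDs still match:', fingerprintId(SESSION_OLD, STABLE) === fingerprintId(SESSION_NEW, STABLE));
console.log('raw-attribute link score:', linkScore(SESSION_OLD, SESSION_NEW));
```

The same logic explains why spoofing only the user agent does not help: it is in the volatile set, and the stable-subset ID ignores it.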

Mitigations, tradeoffs, and arms race

  • Techniques like spoofing user agents, randomizing canvas/fonts, or blocking JS can:
    • Make you stand out as “privacy-ext user” and increase fingerprintability or risk of blocking.
    • Break legitimate functionality (graphics, terminals, layout adaptation, per-architecture downloads).
  • Some argue that removing or heavily gating high-risk APIs (canvas, WebGL, capability queries) would help, but others note modern “web app as VM” design inherently enables fingerprinting.
  • Split setups (locked-down browser vs. “clean” browser for banking/government) are a common coping strategy.

Legal and regulatory debates (GDPR, cookies, enforcement)

  • Several comments assert that under GDPR and ePrivacy, fingerprinting is legally on par with tracking cookies and requires consent; “cookie banners” are in fact broader tracking-consent dialogs.
  • Others emphasize:
    • Enforcement difficulty: fingerprinting happens via JS and server-side matching; unlike cookies, there’s no local artifact to inspect.
    • Industry has turned consent UIs into dark patterns to force opt-in and blame GDPR for UX pain.
  • Disagreement:
    • Some say doing fingerprinting without consent is “almost certainly illegal” in the EU.
    • Others claim that purely client-side, non-stored, non-shared measurements might be compliant (unclear; multiple “I am not a lawyer” caveats).
  • Strong skepticism that regulators will meaningfully act, given corporate lobbying and low political payoff.

Legitimate vs abusive uses

  • Cited “legit” uses:
    • Bot detection, rate limiting (e.g. JA3/JA4 TLS fingerprints), preventing ban evasion and fraud.
  • Abuses:
    • Commercial services that “de‑anonymize” site visitors by merging fingerprints with data brokers and selling identity/PII for retargeting.
    • Vendors marketing this as “privacy-compliant” and skirting GDPR/CCPA spirit while claiming legality.

Broader sentiment

  • Many view browser fingerprinting as more dangerous than cookies and believe it should be outright illegal, but:
    • Some argue purely legal approaches are weak and we need technical defenses too; others see technical-only responses as an endless arms race.
  • There is deep distrust of ad-funded browser vendors and large platforms; several comments frame the problem as structural: tracking is aligned with their core business models.