The privacy nightmare of browser fingerprinting

Technical fingerprinting methods

  • Discussion extends beyond the article to TLS-level fingerprints (JA3/JA4), which identify a client’s TLS stack from ClientHello details such as the advertised version, cipher suite order, extensions, and supported groups.
    • Seen as useful for spotting “Python pretending to be Chrome” (a Chrome User-Agent sent over a non-Chrome TLS stack) and low-skill bots, but increasingly spoofable with libraries that mimic Chrome’s TLS handshake byte for byte.
  • Canvas/WebGL/WebGPU, audio, WebRTC, fonts, cores, screen size, and even mouse/keyboard behavior are cited as major entropy sources.
    • Some note GPU+driver+resolution can behave almost like a noisy “physically unclonable function.”
  • Passive signals (Accept-Language, User-Agent, IP, TLS behavior) combine with active JS probes to build stable IDs; even the pattern of stylesheet and asset requests a page triggers can be logged server-side, so a fingerprint can be built without any JavaScript running.
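To make the TLS-level point concrete, here is an added example (not code from the article or the discussion) that computes a JA3 fingerprint in Python. JA3, as defined by its authors, joins the ClientHello version, cipher suites, extension types, supported groups and EC point formats into one string, drops GREASE placeholder values, and MD5-hashes the result. The two ClientHello messages are constructed inline with a small builder rather than captured from real browsers: one imitates a Chrome-style hello (GREASE values, TLS 1.3 suites, ALPN), the other a plain TLS library as a script would use. The `looks_like_chrome` heuristic is likewise an assumption for illustration, not a production rule.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. Chrome sprinkles them in; JA3 removes them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _u16s(values):
    return b"".join(struct.pack(">H", v) for v in values)

def build_client_hello(ciphers, extensions):
    """Serialize a constructed ClientHello inside a TLS record (test input, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # legacy_version, zeroed random, empty session_id
    body += struct.pack(">H", 2 * len(ciphers)) + _u16s(ciphers)
    body += b"\x01\x00"                                 # compression_methods: null only
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def parse_client_hello(record):
    """Extract the five JA3 inputs from a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 34                                            # after version (2) + random (32)
    pos += 1 + body[pos]                                # skip session_id
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = list(struct.unpack(f">{n // 2}H", body[pos:pos + n]))
    pos += n
    pos += 1 + body[pos]                                # skip compression_methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 10:                             # supported_groups: u16 length + u16 ids
                count = struct.unpack(">H", data[:2])[0] // 2
                groups = list(struct.unpack(f">{count}H", data[2:2 + 2 * count]))
            elif etype == 11:                           # ec_point_formats: u8 length + u8 ids
                formats = list(data[1:1 + data[0]])
    return version, ciphers, ext_types, groups, formats

def ja3(record):
    """JA3 string 'version,ciphers,extensions,groups,point_formats' (GREASE dropped) and its MD5."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(version), keep(ciphers), keep(exts), keep(groups), keep(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def chrome_like_hello():
    """Constructed Chrome-style ClientHello: GREASE in every list, TLS 1.3 suites, ALPN h2."""
    exts = [
        (0x1a1a, b""),                                          # leading GREASE extension
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),                # server_name
        (23, b""),                                              # extended_master_secret
        (65281, b"\x00"),                                       # renegotiation_info
        (10, b"\x00\x08" + _u16s([0x0a0a, 29, 23, 24])),        # supported_groups, GREASE first
        (11, b"\x01\x00"),                                      # ec_point_formats: uncompressed
        (13, b"\x00\x04" + _u16s([0x0403, 0x0804])),            # signature_algorithms
        (16, b"\x00\x0c\x02h2\x08http/1.1"),                    # ALPN
        (43, b"\x06" + _u16s([0x0a0a, 0x0304, 0x0303])),        # supported_versions
        (51, b"\x00\x24\x00\x1d\x00\x20" + bytes(32)),          # key_share x25519 (zeroed key)
        (0x2a2a, b"\x00"),                                      # trailing GREASE extension
    ]
    ciphers = [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
               0xcca9, 0xcca8, 0x009c, 0x009d, 0x002f, 0x0035]
    return build_client_hello(ciphers, exts)

def script_like_hello():
    """Constructed ClientHello of a stock TLS library: no GREASE, short cipher list, no ALPN."""
    exts = [
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),
        (11, b"\x01\x00"),
        (10, b"\x00\x04" + _u16s([29, 23])),
        (13, b"\x00\x04" + _u16s([0x0403, 0x0804])),
        (23, b""),
        (43, b"\x04" + _u16s([0x0304, 0x0303])),
        (51, b"\x00\x24\x00\x1d\x00\x20" + bytes(32)),
    ]
    return build_client_hello([0x1301, 0x1302, 0x1303, 0xc02c, 0xc030, 0x009f], exts)

def looks_like_chrome(record):
    """Assumed heuristic: Chrome's stack always sends GREASE values and offers ALPN (ext 16)."""
    _, ciphers, exts, _, _ = parse_client_hello(record)
    return any(c in GREASE for c in ciphers) and any(e in GREASE for e in exts) and 16 in exts

if __name__ == "__main__":
    for name, hello in (("chrome-like", chrome_like_hello()), ("script-like", script_like_hello())):
        s, digest = ja3(hello)
        print(f"{name}: ja3={digest} chrome_stack={looks_like_chrome(hello)}\n  {s}")
```

Both hellos could carry an identical Chrome User-Agent header; only the JA3 string tells them apart, which is the anti-bot value the discussion describes. The same code also shows the limit: a client that reproduces the first hello byte for byte (cipher order, extension order, GREASE positions) gets the same digest, so JA3 establishes which TLS stack sent the handshake, not who is behind it.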

How identifying and harmful is it?

  • Several argue individual techniques usually only pin down browser/OS family, not a named person, unless combined with logins, email, IP, or purchase data.
  • Others stress correlation over time: even evolving fingerprints can be re-linked with high accuracy, and “rare” setups or privacy tweaks themselves become strong identifiers.
  • There’s concern that making trackers “slightly better informed” about people like you increases systemic risk (e.g., for dissidents, journalists), even if you personally never feel direct harm.

Countermeasures and their limits

  • Popular tools: Firefox + Arkenfox / privacy.resistFingerprinting, Mullvad Browser, Tor Browser, LibreWolf, Orion, Brave, DNS-level blocking, uBlock/uMatrix, temporary containers, VPNs.
  • Tradeoffs: breakage, CAPTCHAs, being treated as a bot, and the “ski mask in a mall” problem—strong defenses can themselves be a rare fingerprint unless widely adopted.
  • Debate over strategy:
    • Standardize and minimize entropy so that many users present identical values (Tor/Mullvad model) vs. randomize per-session fingerprints so that a user’s sessions cannot be linked to each other.
    • Some say Tor/anti-detect browsers are the only serious options; others call much DIY tweaking “LARP” that increases uniqueness.
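The two threads above (how identifying a fingerprint is, and why a rare privacy setup can itself become the identifier) are easiest to see with numbers. The following is an added Python example, not code from the article or any commenter, that measures entropy, surprisal and anonymity-set size over a constructed population of 64 visitors. The population and the attribute names are assumptions chosen so the figures come out exact; the one visitor with resistFingerprinting-style values (UTC timezone, letterboxed window, two reported cores) is there to show the “ski mask in a mall” effect.

```python
import math
from collections import Counter

ATTRS = ("ua_family", "timezone", "screen", "cores")

# Constructed visitor mix (count, attribute values); not real telemetry. Counts are
# powers of two so the entropy figures come out exact.
PROFILES = [
    (32, ("Chrome/Windows", "UTC-5", "1920x1080", 8)),
    (16, ("Chrome/Windows", "UTC+1", "1920x1080", 8)),
    (8,  ("Safari/macOS",   "UTC-5", "1440x900",  8)),
    (4,  ("Firefox/Linux",  "UTC+1", "1920x1080", 16)),
    (2,  ("Chrome/Windows", "UTC-5", "2560x1440", 16)),
    (1,  ("Chrome/Windows", "UTC-5", "1920x1080", 4)),
    # One Firefox user whose browser reports resistFingerprinting-style values
    # (UTC timezone, letterboxed window, 2 cores); in this crowd that makes them unique.
    (1,  ("Firefox/Linux",  "UTC",   "1000x700",  2)),
]

def build_population(profiles=PROFILES):
    """Expand (count, values) rows into one attribute dict per visitor."""
    return [dict(zip(ATTRS, values)) for count, values in profiles for _ in range(count)]

def entropy_bits(population, attrs):
    """Shannon entropy, in bits, of the joint distribution of the given attributes."""
    n = len(population)
    counts = Counter(tuple(v[a] for a in attrs) for v in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def surprisal_bits(population, attr, value):
    """-log2 P(attr == value): bits of identifying information one observed value carries."""
    matches = sum(1 for v in population if v[attr] == value)
    return math.inf if matches == 0 else math.log2(len(population) / matches)

def anonymity_set(population, fingerprint):
    """Number of visitors that match `fingerprint` on every attribute it specifies."""
    return sum(1 for v in population
               if all(v[a] == val for a, val in fingerprint.items()))

def report(population):
    """Per-attribute and combined entropy, plus the three smallest anonymity sets."""
    lines = [f"{a}: {entropy_bits(population, (a,)):.2f} bits" for a in ATTRS]
    lines.append(f"all four combined: {entropy_bits(population, ATTRS):.2f} bits")
    sets = Counter(tuple(v[a] for a in ATTRS) for v in population)
    for values, size in sorted(sets.items(), key=lambda kv: kv[1])[:3]:
        lines.append(f"anonymity set {size}: {dict(zip(ATTRS, values))}")
    return "\n".join(lines)

if __name__ == "__main__":
    pop = build_population()
    print(report(pop))
    rfp_user = dict(zip(ATTRS, PROFILES[-1][1]))
    print("RFP user alone:", anonymity_set(pop, rfp_user))
    # The standardization argument: the same spoofed values shared by 16 people hide each of them.
    cohort = build_population(PROFILES + [(15, PROFILES[-1][1])])
    print("RFP user with 15 identical peers:", anonymity_set(cohort, rfp_user))
```

Each attribute on its own carries about one bit here, but their combination carries nearly two, and the visitor reporting two cores pays six bits of surprisal for that value alone, which is what turns a privacy tweak into an identifier when nobody else uses it. Adding fifteen more visitors with the same spoofed profile grows that anonymity set to sixteen without changing anything else, which is the case for the Tor/Mullvad approach of shipping one standardized profile to everyone.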

Ads, business models, and incentives

  • Large debate on replacing surveillance ads: per-view micropayments, “syndicate” subscriptions, ISP-based payments, tipping/donations, Brave-style redistribution, or a return to contextual ads.
  • Many note past failures (Blendle, Scroll, Google Contributor) and structural obstacles: payment fees, lack of shared infrastructure (HTTP 402 “Payment Required” was reserved but never turned into a working standard), coordination problems, and the huge profitability of targeted ads.
  • Some argue most casual “content creators” will never meaningfully monetize; ad networks capture most value while users pay with data.

Law, regulation, and ethics

  • Strong sentiment that technical fixes aren’t enough; calls for:
    • Treating fingerprinting as PII (as EU guidance suggests) with real enforcement and big fines for retention/trading.
    • Possibly criminalizing non-consensual, deliberate tracking, analogized to stalking.
  • Others emphasize the “Business Internet”: banks, SaaS, and anti-fraud teams rely on fingerprinting and bot detection, making a clean ban politically and practically hard.

Bot and fraud prevention

  • Multiple commenters from anti-fraud/security contexts say browser/TLS fingerprints are among the few scalable tools against large botnets, credential stuffing, AI scrapers, and fake signups.
  • Counterpoint: proof-of-work CAPTCHAs and other mechanisms might reduce abuse without full surveillance, but are underused.
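For the counterpoint, here is an added Python example of the mechanism behind a proof-of-work challenge (hashcash-style), written for this page rather than taken from the article or any product. The server issues a nonce with a difficulty and expiry, authenticates it with an HMAC so it can verify statelessly, and then checks a client’s answer with one HMAC and one SHA-256 regardless of how much work the client did. The secret key, the challenge format and the difficulty are all assumptions for illustration. Note what it does and does not need: no canvas, no TLS fingerprint, nothing stored about the visitor beyond the list of already-spent nonces.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-deployment secret; a real server would load it from configuration.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def issue_challenge(difficulty_bits, ttl_seconds=60, now=None):
    """Server: hand out 'nonce:difficulty:expiry:tag'; the HMAC tag keeps the server stateless."""
    now = int(time.time() if now is None else now)
    payload = f"{secrets.token_hex(8)}:{difficulty_bits}:{now + ttl_seconds}"
    tag = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{tag}"

def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve_challenge(challenge, max_iterations=1 << 26):
    """Client: brute-force a counter so SHA-256('nonce:counter') has the required leading zero bits."""
    nonce, bits, _expires, _tag = challenge.split(":")
    target = int(bits)
    for counter in range(max_iterations):
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= target:
            return counter
    return None                             # caller should request an easier challenge

def verify_solution(challenge, counter, used_nonces, now=None):
    """Server: check tag, expiry, replay and work, in that order; constant cost per verification."""
    now = int(time.time() if now is None else now)
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    nonce, bits, expires, tag = parts
    expected = hmac.new(SERVER_KEY, f"{nonce}:{bits}:{expires}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                        # forged, or the client lowered its own difficulty
    if now > int(expires):
        return False                        # stale challenge
    if nonce in used_nonces:
        return False                        # replay of an already-accepted solution
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < int(bits):
        return False                        # not enough work
    used_nonces.add(nonce)                  # spent; entries can be dropped once expired
    return True

if __name__ == "__main__":
    spent = set()
    challenge = issue_challenge(difficulty_bits=16)
    started = time.perf_counter()
    answer = solve_challenge(challenge)
    print(f"solved in {time.perf_counter() - started:.2f}s, counter={answer}")
    print("accepted:", verify_solution(challenge, answer, spent))
    print("replay accepted:", verify_solution(challenge, answer, spent))
```

The difficulty is the policy knob: 16 bits costs a legitimate browser a fraction of a second once, while a credential-stuffing run of a million attempts pays it a million times. The design has the limits the discussion hints at when it calls such schemes underused: it rate-limits rather than identifies, so a well-funded attacker with GPUs pays the cost and continues, and the spent-nonce set must be shared across servers or the replay check silently stops working behind a load balancer.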