📚 Browser Fingerprinting Case Studies
Real-world examples of browser fingerprinting in action and how organizations use this tracking technique. These case studies draw on peer-reviewed research from institutions including Princeton University, Stanford University, and the Electronic Frontier Foundation (EFF) to illustrate both the power and the limitations of fingerprinting-based tracking. Whether you are a developer, a privacy researcher, or an everyday user, these examples will help you understand the practical implications of browser fingerprinting and how to protect yourself.
🎯 Canvas Fingerprinting Discovery (2014)
In 2014, researchers Gunes Acar, Christian Eubank, Steven Englehardt, Marc Juarez, and Arvind Narayanan at Princeton University published a groundbreaking study titled "The Web Never Forgets: Persistent Tracking Mechanisms in the Wild" (ACM CCS 2014). Their work revealed that a significant number of high-traffic websites were using HTML5 canvas elements to generate unique fingerprints for each visitor's browser—a technique now widely known as canvas fingerprinting.
The technique works by instructing the browser to draw a hidden image or render specific text using the HTML5 Canvas API. Because each device has a slightly different graphics processing unit (GPU), operating system, installed fonts, and anti-aliasing algorithms, the resulting pixel data differs from machine to machine. By converting the rendered canvas to a data URL using toDataURL(), trackers obtain a hash that is remarkably consistent for the same device yet unique across different devices. In the Princeton study, over 5.5% of the top 100,000 websites were found to be deploying canvas fingerprinting scripts, with the majority sourced from a single provider, AddThis.
What made this discovery particularly alarming was the stealth of the technique. Unlike cookies, which users can clear or block, canvas fingerprinting happens entirely in memory with no persistent storage on the device. Users received no notification and no consent prompt, and had no built-in browser mechanism to detect or prevent it. The fingerprint was regenerated on every page visit, making it a persistent and largely invisible tracking vector. Follow-up research by the EFF confirmed that canvas fingerprinting, when combined with other browser attributes, could uniquely identify over 90% of browsers tested.
The practical implications are significant: even privacy-conscious users who regularly cleared cookies and used ad blockers were being tracked without their knowledge. In response, browsers like Firefox introduced the privacy.resistFingerprinting preference, and the Brave browser began blocking canvas readback by default. Today, canvas fingerprinting remains one of the most widely deployed fingerprinting techniques on the web, underscoring the need for ongoing vigilance.
privacy.resistFingerprinting enabled) or Brave. Regularly test your own fingerprint using tools like our Fingerprint Analyzer to see what information your browser exposes.
🔒 Tor Browser Anti-Fingerprinting Success
The Tor Browser, maintained by the Tor Project, is widely regarded as the gold standard for anti-fingerprinting protection. Its design philosophy is rooted in a principle called uniformity: rather than trying to randomize or spoof each user's fingerprint (which can itself become a unique signal), Tor Browser ensures that all users present an identical fingerprint to any website they visit. This approach was formalized in the Tor Browser Design Document by Mike Perry, Erinn Clark, and Steven Murdoch.
In practice, Tor Browser achieves this by enforcing a fixed set of parameters across all installations. Every Tor Browser window opens at a default size of 1000×1000 pixels (or a predefined letterboxed dimension) to prevent screen-resolution fingerprinting. The browser reports a standardized set of fonts, disables WebGL by default, spoofs the timezone to UTC regardless of the user's actual location, and blocks or normalizes dozens of JavaScript APIs that could leak identifying information. Canvas elements return uniform pixel data, and the AudioContext API is restricted to prevent audio fingerprinting.
Research by the Electronic Frontier Foundation (EFF) through their Panopticlick project (now Cover Your Tracks) demonstrated that Tor Browser users share a common fingerprint bucket, making individual identification statistically impractical. In tests involving hundreds of thousands of browsers, Tor users consistently fell into large anonymity sets, whereas users of mainstream browsers like Chrome or Safari were uniquely identifiable over 83% of the time. A 2020 study by Laperdrix et al. ("Browser Fingerprinting: A Survey", ACM Computing Surveys) confirmed that Tor remains one of the few browsers capable of resisting advanced fingerprinting techniques.
However, Tor's protections come with trade-offs. The fixed window size and disabled features can break website layouts and reduce functionality. Some websites actively block or challenge Tor traffic using CAPTCHAs. Despite these usability compromises, Tor Browser proves that effective anti-fingerprinting is achievable when privacy is prioritized at every level of browser design. Its strategy of blending in rather than standing out remains the most robust defense against fingerprint-based tracking.
📱 Mobile Browser Fingerprinting
Mobile devices present a uniquely challenging landscape for browser fingerprinting defense. Research published by Spooren et al. in 2023 found that over 95% of mobile browsers tested produced completely unique fingerprints, a rate even higher than the 83–90% typically observed on desktop browsers. This elevated uniqueness stems from the rich combination of hardware sensors, screen characteristics, and software configurations present on smartphones and tablets.
On mobile devices, fingerprinting scripts can access a wider array of identifying signals than on desktop. The screen resolution and pixel density alone are highly distinctive: while desktop monitors cluster around a few common resolutions, mobile devices span hundreds of unique combinations due to varying screen sizes and DPI values. Beyond the screen, mobile browsers expose touch event capabilities (including maximum touch points), device orientation through accelerometer and gyroscope APIs, and battery status information (though the Battery Status API has since been restricted in some browsers due to privacy concerns raised by Olejnik et al. in their 2015 study "The Leaking Battery").
A 2016 study by Laperdrix, Rudametkin, and Baudry ("Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints", IEEE S&P) demonstrated that mobile fingerprints incorporate signals such as the list of available media codecs, WebGL renderer strings (which identify the exact GPU model), and the set of supported Web APIs. When these attributes are combined using entropy analysis, the resulting fingerprint carries enough information—often exceeding 30 bits of entropy—to uniquely identify a device among millions.
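The entropy and anonymity-set figures used in this section and in the Tor Browser section can be reproduced on a small scale. The following JavaScript is an added example, not code from the cited studies or from this site; the eight-browser population, the attribute values and all function names are constructed for illustration.

```javascript
"use strict";

// Constructed population of eight browsers; attribute values are placeholders.
const POPULATION = [
  { gpu: "A", timezone: "X" }, { gpu: "A", timezone: "X" },
  { gpu: "A", timezone: "Y" }, { gpu: "A", timezone: "Y" },
  { gpu: "B", timezone: "X" }, { gpu: "B", timezone: "Y" },
  { gpu: "C", timezone: "X" }, { gpu: "D", timezone: "Y" },
];

// A fingerprint here is just the chosen attribute values joined together.
const fingerprint = (browser, attrs) => attrs.map((a) => browser[a]).join("|");

function countValues(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy, in bits, of the fingerprints formed from `attrs`.
function entropyBits(population, attrs) {
  const counts = countValues(population.map((b) => fingerprint(b, attrs)));
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Anonymity set size per browser: how many browsers share its fingerprint.
function anonymitySets(population, attrs) {
  const counts = countValues(population.map((b) => fingerprint(b, attrs)));
  return population.map((b) => counts.get(fingerprint(b, attrs)));
}

// Fraction of browsers whose fingerprint nobody else shares.
function uniqueShare(population, attrs) {
  const sets = anonymitySets(population, attrs);
  return sets.filter((n) => n === 1).length / sets.length;
}

// Uniformity defense: every browser reports the same fixed value per attribute.
function makeUniform(population, fixed) {
  return population.map((b) => ({ ...b, ...fixed }));
}

// Bits needed to single out one browser among `n` equally likely ones.
const bitsToSingleOut = (n) => Math.log2(n);

// Expected anonymity set left after an observer learns `bits` of information.
const expectedSetSize = (n, bits) => n / 2 ** bits;

const ATTRS = ["gpu", "timezone"];
const UNIFORM = makeUniform(POPULATION, { gpu: "generic", timezone: "UTC" });

console.log({
  gpuBits: entropyBits(POPULATION, ["gpu"]),
  timezoneBits: entropyBits(POPULATION, ["timezone"]),
  jointBits: entropyBits(POPULATION, ATTRS), // less than the sum: attributes correlate
  uniqueShare: uniqueShare(POPULATION, ATTRS),
  uniformBits: entropyBits(UNIFORM, ATTRS),
  uniformSets: anonymitySets(UNIFORM, ATTRS),
  setAfter7Bits: expectedSetSize(1e6, 7),
});
```

The joint entropy is lower than the sum of the per-attribute values because the attributes are correlated, which is why per-vector bit counts cannot simply be added when estimating how identifiable a browser is.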
The practical impact is substantial. Unlike desktop users, mobile users have fewer tools to defend themselves: most mobile browsers lack extension support, making it impossible to install anti-fingerprinting add-ons. iOS restricts all browsers to the WebKit engine, reducing diversity but also limiting the availability of privacy-enhancing features. On Android, Firefox Mobile with Enhanced Tracking Protection offers some defense, but the overall mobile ecosystem remains significantly more exposed to fingerprinting than its desktop counterpart. Users should disable unnecessary sensor permissions, use a VPN to mask their IP address, and regularly audit their browser's fingerprint.
⚖️ GDPR and Fingerprinting Enforcement
The legal landscape surrounding browser fingerprinting has evolved significantly since the European Union's General Data Protection Regulation (GDPR) took effect in May 2018. Under GDPR Article 4, any data that can be used to identify a natural person—directly or indirectly—qualifies as personal data. Because browser fingerprints can uniquely identify individual users with high accuracy, regulatory bodies have increasingly classified fingerprinting as a form of personal data processing subject to full GDPR compliance requirements.
The ePrivacy Directive (2002/58/EC), specifically Article 5(3), provides additional regulation. It states that storing or accessing information on a user's device requires informed consent, with narrow exceptions for strictly necessary operations. In 2019, the French data protection authority (CNIL) issued Deliberation No. 2020-091, explicitly stating that device fingerprinting falls under the scope of Article 5(3) and requires prior, informed, and freely given consent from the user—the same standard applied to cookies. The CNIL subsequently fined several companies for deploying fingerprinting scripts without adequate consent mechanisms, with penalties reaching up to €100,000 for repeat violations.
In Germany, the Bundesbeauftragte für den Datenschutz (BfDI) issued guidance in 2021 clarifying that fingerprinting-based analytics tools cannot rely on the “legitimate interest” legal basis under GDPR Article 6(1)(f) because the intrusive nature of the technique typically outweighs any business interest. In the Netherlands, the Autoriteit Persoonsgegevens reached a similar conclusion, requiring explicit opt-in for any fingerprinting-based tracking. These rulings have created a strong precedent across the EU, effectively treating fingerprinting and cookie-based tracking as legally equivalent.
For website operators, the implications are clear: deploying fingerprinting without a compliant consent management platform (CMP) risks significant fines under GDPR (up to 4% of annual global turnover or €20 million, whichever is greater). Privacy-conscious organizations are increasingly moving toward privacy-preserving analytics solutions that aggregate data without individual identification, such as server-side analytics or differential privacy approaches. Users in the EU should exercise their rights under GDPR Articles 15–17 to request access to, correction of, or deletion of any fingerprint data collected about them.
🔊 Audio Fingerprinting: Tracking Through Sound
Audio fingerprinting is a lesser-known but highly effective tracking technique that exploits differences in how browsers and devices process audio signals. First documented at scale by Steven Englehardt and Arvind Narayanan in their landmark 2016 study "Online Tracking: A 1-Million-Site Measurement" (ACM CCS 2016), audio fingerprinting leverages the Web Audio API—specifically the AudioContext and OfflineAudioContext interfaces—to generate a unique identifier for each browser.
The technique works by creating an OfflineAudioContext, generating a short audio signal (typically using an OscillatorNode connected to a DynamicsCompressorNode), and then reading back the processed audio samples. Because each device has a different audio processing pipeline—influenced by the sound card hardware, audio drivers, operating system audio stack, and the browser's own audio engine implementation—the resulting waveform varies subtly from device to device. These variations are consistent for the same device but distinct across different devices, yielding a stable fingerprint.
In the Princeton 1-million-site study, audio fingerprinting scripts were found on over 700 of the top one million websites. The technique is particularly insidious because it requires no user interaction, no permissions prompt, and leaves no visible trace. Unlike canvas fingerprinting, which at least involves rendering operations that can theoretically be intercepted, audio fingerprinting operates entirely through the audio processing pipeline, making it harder to detect and block. Research by Queiroz and Livingston (2019) demonstrated that audio fingerprints carry approximately 5–7 bits of entropy, which, when combined with other fingerprinting vectors, significantly narrows the anonymity set of a user.
Defending against audio fingerprinting is challenging. The Tor Browser disables the Web Audio API entirely, which breaks some web applications. Firefox's privacy.resistFingerprinting mode adds noise to audio output, reducing fingerprint accuracy. The Brave browser similarly randomizes audio processing results. For ordinary users, the best defense is to use a browser that specifically addresses audio fingerprinting and to be aware that even seemingly innocuous APIs can be weaponized for tracking purposes.
privacy.resistFingerprinting in Firefox or use Brave to add noise to audio processing results.
🎮 WebGL Fingerprinting: GPU Rendering Analysis
WebGL fingerprinting exploits the differences in how graphics processing units (GPUs) render 3D content through the WebGL API. First systematically analyzed by Keaton Mowery and Hovav Shacham in their 2012 paper "Pixel Perfect: Fingerprinting Canvas in HTML5" (W2SP 2012), and later expanded upon by Yinzhi Cao, Song Li, and Erik Wijmans in "(Cross-)Browser Fingerprinting via OS and Hardware Level Features" (NDSS 2017), WebGL fingerprinting has become one of the most reliable methods for identifying devices.
The technique operates on multiple levels. At the simplest level, the WEBGL_debug_renderer_info extension exposes the GPU vendor and renderer strings (e.g., "NVIDIA GeForce RTX 3080" or "Apple M1 GPU"). These strings alone significantly reduce the anonymity set. At a deeper level, fingerprinting scripts render complex 3D scenes involving specific shader programs, lighting calculations, and texture operations, then read back the resulting pixel data. Because GPU architectures, driver versions, and floating-point precision differ across devices, the rendered output varies in subtle but measurable ways—even when the same GPU model is used with different driver versions.
A 2017 study by Cao et al. demonstrated that WebGL-based fingerprinting could achieve a uniqueness rate exceeding 99% when combining renderer information with rendered image analysis. Particularly effective was the use of complex fragment shaders that perform trigonometric and exponential calculations, as these operations amplify the micro-differences in GPU floating-point implementations. The study also showed that WebGL fingerprints remain stable over time, with less than 2% drift over a six-month observation period, making them more reliable than many other fingerprinting vectors.
Mitigating WebGL fingerprinting involves trade-offs. Disabling WebGL entirely (as Tor Browser does by default) breaks many websites that rely on 3D graphics, including maps, data visualizations, and games. Some browsers, like Brave, choose to mask the renderer string while still allowing WebGL functionality, which reduces the information leakage without completely disabling the feature. Firefox's Enhanced Tracking Protection blocks known fingerprinting scripts from accessing WebGL data. For users who need WebGL functionality, browser extensions like WebGL Fingerprint Defender can spoof the renderer output, though sophisticated fingerprinting scripts may detect such spoofing.
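The canvas, audio and WebGL sections above each describe a recognizable call pattern: set something up, then read the result back. As an added example (not code from the cited studies or from this site), the following JavaScript flags scripts that show those patterns in an API call trace; the trace format, the rule set and every URL are constructed assumptions.

```javascript
"use strict";

// Rule shape (an assumption of this example): a script matches when every
// `setup` group has at least one call made before its last `readback` call.
const RULES = {
  canvas: {
    setup: [["CanvasRenderingContext2D.fillText", "CanvasRenderingContext2D.strokeText"]],
    readback: ["HTMLCanvasElement.toDataURL", "CanvasRenderingContext2D.getImageData"],
  },
  audio: {
    setup: [
      ["OfflineAudioContext"], // constructor call, as recorded by the trace
      ["BaseAudioContext.createOscillator"],
      ["BaseAudioContext.createDynamicsCompressor"],
    ],
    readback: ["OfflineAudioContext.startRendering", "AudioBuffer.getChannelData"],
  },
  "webgl-renderer-info": {
    setup: [["WebGLRenderingContext.getExtension(WEBGL_debug_renderer_info)"]],
    readback: ["WebGLRenderingContext.getParameter"],
  },
};

// Constructed trace: one record per instrumented API call, in call order.
const SAMPLE_TRACE = [
  { script: "https://tracker.example/fp.js", api: "CanvasRenderingContext2D.fillText" },
  { script: "https://charts.example/plot.js", api: "CanvasRenderingContext2D.fillText" },
  { script: "https://tracker.example/fp.js", api: "HTMLCanvasElement.toDataURL" },
  { script: "https://tracker.example/fp.js", api: "OfflineAudioContext" },
  { script: "https://tracker.example/fp.js", api: "BaseAudioContext.createOscillator" },
  { script: "https://synth.example/play.js", api: "BaseAudioContext.createOscillator" },
  { script: "https://tracker.example/fp.js", api: "BaseAudioContext.createDynamicsCompressor" },
  { script: "https://tracker.example/fp.js", api: "OfflineAudioContext.startRendering" },
  { script: "https://tracker.example/fp.js", api: "WebGLRenderingContext.getExtension",
    arg: "WEBGL_debug_renderer_info" },
  { script: "https://tracker.example/fp.js", api: "WebGLRenderingContext.getParameter" },
  { script: "https://editor.example/export.js", api: "CanvasRenderingContext2D.drawImage" },
  { script: "https://editor.example/export.js", api: "HTMLCanvasElement.toDataURL" },
  { script: "https://maps.example/gl.js", api: "WebGLRenderingContext.getExtension",
    arg: "OES_element_index_uint" },
  { script: "https://maps.example/gl.js", api: "WebGLRenderingContext.getParameter" },
];

// Calls with a recorded argument are keyed as "api(arg)".
const callKey = (rec) => (rec.arg ? `${rec.api}(${rec.arg})` : rec.api);

// Returns { scriptUrl: [matched rule names] } for every script in the trace.
function classifyTrace(trace) {
  const callsByScript = new Map();
  for (const rec of trace) {
    if (!callsByScript.has(rec.script)) callsByScript.set(rec.script, []);
    callsByScript.get(rec.script).push(callKey(rec));
  }
  const findings = {};
  for (const [script, calls] of callsByScript) {
    findings[script] = Object.entries(RULES)
      .filter(([, rule]) => {
        // -1 when the script never reads anything back, so no setup call can precede it.
        const lastRead = Math.max(...rule.readback.map((api) => calls.lastIndexOf(api)));
        return rule.setup.every((group) =>
          group.some((api) => {
            const first = calls.indexOf(api);
            return first >= 0 && first < lastRead;
          }));
      })
      .map(([name]) => name);
  }
  return findings;
}

console.log(classifyTrace(SAMPLE_TRACE));
```

These rules are heuristics: legitimate applications can also draw text and read a canvas back, so a match is a signal to review the script rather than a verdict.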
🌐 Cross-Browser Fingerprinting: Tracking Across Browsers
One of the most concerning developments in fingerprinting research is the ability to track users across different browsers on the same machine. Traditionally, fingerprinting was browser-specific: switching from Chrome to Firefox would produce a different fingerprint, effectively breaking the tracking link. However, a landmark 2017 study by Yinzhi Cao, Song Li, and Erik Wijmans at Lehigh University and Washington University in St. Louis ("(Cross-)Browser Fingerprinting via OS and Hardware Level Features", NDSS 2017) demonstrated that this assumption was fundamentally flawed.
The researchers identified a set of fingerprinting features that originate from the operating system and hardware rather than from the browser itself. These include: the number of CPU cores (exposed via navigator.hardwareConcurrency), the list of installed system fonts (accessible through CSS font enumeration), the GPU model (via WebGL renderer strings), screen resolution and color depth, timezone, installed system languages, and the behavior of specific graphics operations that depend on the OS-level rendering pipeline. By focusing exclusively on these OS and hardware-level signals, the researchers were able to link fingerprints across different browsers on the same machine with a 99.24% accuracy rate.
The implications of cross-browser fingerprinting are profound. Privacy-conscious users who maintain separate browsers for different activities—for example, using Chrome for work and Firefox for personal browsing—may believe they have separated their online identities. Cross-browser fingerprinting shatters this assumption by demonstrating that the underlying hardware and operating system create a persistent identifier that transcends any individual browser. The study tested the technique against a dataset of 1,903 users and found that the cross-browser fingerprint was nearly as unique as a single-browser fingerprint, despite using fewer browser-specific features.
Defending against cross-browser fingerprinting is exceptionally difficult because the identifying signals come from the OS and hardware, which the user cannot easily change. Using a virtual machine or different operating system profiles can help, as these alter the hardware-level signals. Tor Browser's approach of standardizing OS-level reports (e.g., always reporting a generic platform string) offers partial protection. Some researchers have proposed OS-level privacy layers that would normalize hardware signals across applications, but no mainstream operating system has implemented such features yet. For now, users should assume that using multiple browsers on the same device does not provide meaningful identity separation.
Last Updated: February 12, 2026 · Author: Simon Desjardins-Hogue
Real-world examples of browser fingerprinting in action and how organizations use this tracking technique. These case studies draw on peer-reviewed research from institutions such as Princeton University, Stanford University, and the Electronic Frontier Foundation (EFF).
🎯 Canvas Fingerprinting Discovery (2014)
In 2014, researchers at Princeton University published a pioneering study titled "The Web Never Forgets" (ACM CCS 2014). Their work revealed that many high-traffic websites were using HTML5 canvas elements to generate unique fingerprints for each visitor, a technique known as canvas fingerprinting.
The technique works by asking the browser to draw a hidden image using the HTML5 Canvas API. Because each device has a slightly different graphics processing unit (GPU), operating system, and fonts, the resulting pixel data varies from machine to machine. In the Princeton study, more than 5.5% of the 100,000 most visited sites used canvas fingerprinting scripts.
What made this discovery particularly alarming was the stealth of the technique: unlike cookies, canvas fingerprinting happens entirely in memory with no persistent storage. In response, Firefox introduced privacy.resistFingerprinting and Brave began blocking canvas readback by default.
🔒 Tor Browser Anti-Fingerprinting Success
Tor Browser is recognized as the benchmark for anti-fingerprinting protection. Its design philosophy rests on uniformity: rather than trying to randomize each user's fingerprint, Tor Browser ensures that all users present an identical fingerprint to every site they visit.
In practice, Tor Browser enforces a fixed window size (1000×1000 pixels), reports a standardized set of fonts, disables WebGL by default, replaces the timezone with UTC, and restricts dozens of revealing JavaScript APIs. EFF research confirmed that Tor users share a common fingerprint profile, making individual identification statistically impractical.
📱 Mobile Browser Fingerprinting
Mobile devices pose a particular challenge for fingerprinting defense. Research from 2023 found that more than 95% of mobile browsers tested produced entirely unique fingerprints, a rate even higher than the 83–90% observed on desktop computers.
On mobile devices, fingerprinting scripts can access a wider variety of identifying signals: screen resolution, pixel density, touch capabilities, device orientation, and GPU specifications. Mobile users also have fewer tools to defend themselves, since most mobile browsers do not support extensions.
⚖️ GDPR and Fingerprinting Enforcement
The legal framework surrounding browser fingerprinting has evolved considerably since the GDPR took effect in May 2018. Regulatory authorities have increasingly classified fingerprinting as a form of personal data processing subject to GDPR compliance requirements.
In 2019, the French CNIL explicitly stated that device fingerprinting falls under Article 5(3) of the ePrivacy Directive and requires prior, informed, and freely given consent, the same standard as for cookies.
🔊 Audio Fingerprinting: Tracking Through Sound
Audio fingerprinting is a lesser-known but highly effective tracking technique that exploits differences in how browsers and devices process audio signals. The technique uses the Web Audio API to generate a unique identifier for each browser. In the Princeton one-million-site study, audio fingerprinting scripts were found on more than 700 of the top sites.
privacy.resistFingerprinting in Firefox or use Brave to add noise to audio processing results.
🎮 WebGL Fingerprinting: GPU Rendering Analysis
WebGL fingerprinting exploits differences in how graphics processing units (GPUs) render 3D content. A 2017 study demonstrated that WebGL-based fingerprinting could achieve a uniqueness rate above 99% by combining renderer information with analysis of rendered images.
🌐 Cross-Browser Fingerprinting: Tracking Across Browsers
One of the most concerning developments in fingerprinting research is the ability to track users across different browsers on the same machine. A 2017 study demonstrated that researchers could link fingerprints across different browsers on the same machine with an accuracy rate of 99.24% using only operating-system-level and hardware-level signals.