How prevalent and advanced is browser fingerprinting?

Several questions:

How much of the websites utilize browser fingerprinting?

How powerful are the fingerprinters? If my threat model is just to avoid tracking by companies, is basic randomization good enough?

Can I check if the website I’m visiting is trying to fingerprint me? What are the indicators?

Thanks a lot!

1 Like

off the top of my head (I do have the papers here, but there’s a lot of papers), there have been studies done on various clearnet website crawls: e.g. top 10,000 Alexa rankings etc or top 1million etc

many years ago, telltale signs of usage of FPing were 1 or 2% … then it was 5%, now it’s 10% (figures off the top of my head). The issue here is, that without checking the papers, I can’t really tell you if they were suspected or actual - and if they determined if they were for tracking or e.g. bot/fraud detection. And I can’t tell you if there methods were consistent between them.

As state tracking has become a little harder (cookies being phased out, and most browsers moving to state partitioning), FPing will grow in popularity and sophistication - at the moment since 95% of the world does nothing, it’s very low hanging fruit, and trivial to get 99% unique users. So the sophistication growth won’t need to happen for a while, if ever (not to be confused with taking any FPing techniques seriously and mitigating them, at least at Tor Browser)

It’s not important, IMO, to know FP usage outside academic studies - as the threat model for Tor Browser is to assume the worst - i.e any site can use FPing - and the response is to always try to mitigate entropy (we don’t even think about who or how many would use it)

In terms of protection: randomizing is not what you think - all randomizing can be detected (not to be confused with leaking the real value, that is still protected) and thus ultimately the answer is always to reduce entropy by making everyone as similar as possible to create large buckets of users. Don’t get me wrong, it doesn’t matter how you protect a value, as long as you protect it - so randomizing is fine, just don’t think of it as some holy grail or saviour, it’s not.

1 Like