Beyond Cookies: The Sneaky Ways Websites Identify and Track You Online
Generated by AI, reviewed by humans.
In the latest episode of Security Now, Steve Gibson breaks down new research that proves what privacy advocates have long suspected: browser fingerprinting isn’t just theoretical—it’s actively being used by websites and advertisers to track users across the web, even after they delete or block cookies.
The First Real Proof of Browser Fingerprinting for Tracking
A team of five researchers from Texas A&M University, Johns Hopkins, and F5 Inc. presented a paper at the 2025 ACM Web Conference in Sydney titled “The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking.” Using a novel tool they developed—FPTrace—the researchers manipulated browser fingerprints and monitored how ad behavior changed in response. Their data confirmed a direct correlation between browser fingerprint variations and ad bidding behavior, establishing that fingerprinting is being used for real-world tracking and targeting.
Steve emphasized that this paper fills a critical gap: previous studies could only confirm the presence of fingerprinting scripts, not their actual use for tracking. FPTrace changes that.
What Is Browser Fingerprinting?
Unlike cookies, which store identifiable data on your machine and can be deleted or blocked, browser fingerprinting is a passive, behind-the-scenes method of tracking. JavaScript code running on websites collects subtle signals like screen resolution, installed fonts, language, time zone, device memory, and dozens of other properties—then stitches them together into a unique “fingerprint” of your device.
The troubling part? Users have no visibility into this tracking. It happens silently, without consent, and is extremely difficult to prevent.
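To make the "stitching together" step concrete, here is an added example (not code from the paper, FPTrace, or the episode) that measures how identifying a handful of attributes becomes once they are combined, the same kind of calculation a defender can use to judge how exposed a browser configuration is. The eight visitors, the attribute names and values, and the FNV-1a hash are all assumptions constructed for illustration.

```javascript
// Constructed sample data: eight hypothetical visitors, none with cookies.
const visitors = [
  { screen: "1920x1080", lang: "en-US", tz: "America/Chicago", mem: 8, fonts: 212 },
  { screen: "1920x1080", lang: "en-US", tz: "America/Chicago", mem: 16, fonts: 212 },
  { screen: "1920x1080", lang: "en-US", tz: "America/New_York", mem: 8, fonts: 198 },
  { screen: "2560x1440", lang: "en-US", tz: "America/Chicago", mem: 8, fonts: 212 },
  { screen: "1920x1080", lang: "en-GB", tz: "Europe/London", mem: 8, fonts: 198 },
  { screen: "2560x1440", lang: "en-US", tz: "America/New_York", mem: 16, fonts: 198 },
  { screen: "1366x768", lang: "en-US", tz: "America/Chicago", mem: 4, fonts: 180 },
  { screen: "1920x1080", lang: "en-US", tz: "America/New_York", mem: 16, fonts: 212 },
];
const ALL = ["screen", "lang", "tz", "mem", "fonts"];

// Group visitors by their values for `keys`; returns Map of combo -> count.
function groupBy(population, keys) {
  const counts = new Map();
  for (const v of population) {
    const combo = keys.map((k) => `${k}=${v[k]}`).join("|");
    counts.set(combo, (counts.get(combo) || 0) + 1);
  }
  return counts;
}

// Number of visitors whose combination of `keys` is shared with nobody else.
function uniquelyIdentified(population, keys) {
  return [...groupBy(population, keys).values()].filter((n) => n === 1).length;
}

// Shannon entropy in bits of the observed combinations: higher means the
// attributes split the population into smaller, more identifying groups.
function entropyBits(population, keys) {
  let bits = 0;
  for (const n of groupBy(population, keys).values()) {
    const p = n / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Stable identifier derived from the attributes alone, so clearing cookies
// does not change it. FNV-1a is a simple non-cryptographic stand-in hash.
function fingerprintId(attrs) {
  const text = Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
  let h = 0x811c9dc5;
  for (const ch of text) h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  return h.toString(16).padStart(8, "0");
}

for (const k of ALL) console.log(k, uniquelyIdentified(visitors, [k]));
console.log("combined", uniquelyIdentified(visitors, ALL), entropyBits(visitors, ALL));
```

In this constructed population each attribute on its own singles out only one visitor of eight, while the five together single out all eight.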
The 40% Premium That Drives This Practice
Steve highlighted another study referenced in the research showing that advertisers are willing to pay up to 40% more to show ads to users they recognize and can profile. This premium makes identifying users highly lucrative—and gives websites a strong incentive to collaborate with ad networks to pass along identifying data through mechanisms like URL parameters.
This revelation underscores why fingerprinting is so persistent: it’s not just about surveillance—it’s about profit.
Fingerprinting in Action
The study found browser fingerprinting is being used to:
- Track users across websites, even without cookies
- Restore deleted cookies in some cases (though fingerprinting’s direct role in this remains unproven)
- Bypass privacy regulations like GDPR and CCPA
- Continue tracking after users explicitly opt out
Researchers documented 378 instances of cookie restoration linked to fingerprinting behavior across 90 unique cookie/host combinations.
Don’t Forget Your IP Address
Steve reminded listeners that even if you block cookies and use incognito mode, your IP address can still betray you. His Cox Cable IP address, for example, hasn’t changed in years. This means that unless you’re also using a VPN or rotating IP addresses, your browsing activity can still be linked back to you.
Why Standard Privacy Tools Aren’t Enough
- Disabling third-party cookies doesn’t stop fingerprinting
- Private browsing mode doesn’t help
- Browser attempts to fuzz or randomize data haven’t stopped tracking
- Blocking third-party scripts often breaks website functionality
Steve conducted a test by blocking third-party scripts using uBlock Origin and found it broke core functionality—like a restaurant reservation button that stopped working entirely. This demonstrates how tightly integrated third-party code is into modern web experiences, making privacy a usability tradeoff.
Tech’s Complicity in Tracking
Steve didn’t mince words about where some of the blame lies: browser vendors and web standards bodies. Many API features—like battery level, ambient light, or device orientation—add tiny details that enhance fingerprint uniqueness. He questioned whether these features are really necessary and pointed to the danger of an ever-expanding surface area for surveillance.
A Regulatory “Make Me” Attitude
Despite user opt-outs under GDPR or CCPA, the researchers found that fingerprinting can persist. In some cases, advertisers using consent management platforms (CMPs) like OneTrust or Quantcast were still engaging in fingerprint-based identification after users opted out. As Steve put it, the industry has adopted a “make me stop” stance when it comes to privacy laws.
The Reality: Fingerprinting Is Here to Stay
Unlike cookies, which can be cleared or blocked by users, fingerprinting leverages core browser behaviors. The only semi-effective mitigation today involves a complex cocktail of VPN usage, fingerprint-randomizing browser extensions, and frequent device configuration changes—none of which are accessible or convenient for average users.
Steve concluded that as long as there’s a financial premium for recognizing users, the web will remain a battleground between privacy advocates and a deeply entrenched advertising industry.
Want to hear Steve’s full breakdown, including the technical methodology and more privacy insights? Listen to the full episode of Security Now #1032 – Pervasive Web Fingerprinting at twit.tv/shows/security-now.