HMN 2025: How Websites are monitoring you through browser fingerprinting, researchers present

Clearing your cookies will not be sufficient to guard your privateness on-line. New analysis led by Texas A&M University has discovered that web sites are covertly utilizing browser fingerprinting—a technique to uniquely determine an online browser—to trace individuals throughout browser periods and websites.

The findings are published as a part of the Proceedings of the ACM on Web Conference 2025.

“Fingerprinting has at all times been a priority within the privateness group, however till now, we had no onerous proof that it was truly getting used to trace customers,” mentioned Dr. Nitesh Saxena, cybersecurity researcher, professor of pc science and engineering and affiliate director of the Global Cyber Research Institute at Texas A&M. “Our work helps shut that hole.”

When you go to an internet site, your browser shares a stunning quantity of data, like your display decision, time zone, gadget model and extra. When mixed, these particulars create a “fingerprint” that is usually distinctive to your browser. Unlike cookies—which customers can delete or block—fingerprinting is far more durable to detect or forestall. Most customers do not know it is occurring, and even privacy-focused browsers battle to totally block it.

“Think of it as a digital signature you did not know you have been abandoning,” defined co-author Zengrui Liu, a former doctoral scholar in Saxena’s lab. “You might look nameless, however your gadget or browser provides you away.”

This analysis marks a turning mark in how pc scientists perceive the real-world use of browser fingerprinting by connecting it with using adverts.

“While prior works have studied browser fingerprinting and its utilization on totally different web sites, ours is the primary to correlate browser fingerprints and advert behaviors, primarily establishing the connection between net monitoring and fingerprinting,” mentioned co-author Dr. Yinzhi Cao, affiliate professor of pc science and technical director of the Information Security Institute at Johns Hopkins University.

To examine whether or not web sites are utilizing fingerprinting knowledge to trace individuals, the researchers needed to transcend merely scanning web sites for the presence of fingerprinting code. They developed a measurement framework referred to as FPTrace, which assesses fingerprinting-based person monitoring by analyzing how advert methods reply to adjustments in browser fingerprints.

This method is predicated on the perception that if browser fingerprinting influences monitoring, altering fingerprints ought to have an effect on advertiser bidding—where advert area is bought in actual time based mostly on the profile of the particular person viewing the web site—and HTTP information—information of communication between a server and a browser.

“This sort of evaluation lets us transcend the floor,” mentioned co-author Jimmy Dani, Saxena’s doctoral scholar. “We have been in a position to detect not simply the presence of fingerprinting, however whether or not it was getting used to determine and goal customers—which is far more durable to show.”

The researchers discovered that monitoring occurred even when customers cleared or deleted cookies. The outcomes confirmed notable variations in bid values and a lower in HTTP information and syncing occasions when fingerprints have been modified, suggesting an affect on concentrating on and monitoring.

Additionally, a few of these websites linked fingerprinting conduct to backend bidding processes—which means fingerprint-based profiles have been being utilized in actual time, more likely to tailor responses to customers or move alongside identifiers to 3rd events.

Perhaps extra regarding, the researchers discovered that even customers who explicitly decide out of monitoring beneath privateness legal guidelines like Europe’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) should still be silently tracked throughout the net by way of browser fingerprinting.

Based on the outcomes of this study, the researchers argue that present privateness instruments and insurance policies usually are not doing sufficient. They name for stronger defenses in browsers and new regulatory consideration to fingerprinting practices. They hope that their FPTrace framework will help regulators audit web sites and suppliers who take part in such actions, particularly with out person consent.

This analysis was carried out in collaboration with Johns Hopkins University and offered on the ACM Web Conference (WWW) 2025.