skip to main content
10.1145/3696410.3714548acmconferencesArticle/Chapter ViewAbstractPublication PagesthewebconfConference Proceedingsconference-collections
research-article

The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking

Authors:
Zengrui Liu
Nanjing University of Finance and Economics, Nanjing, Jiangsu, China and Texas A&M University, College Station, TX, USA
,
Jimmy Dani
Texas A&M University, College Station, TX, USA
,
Yinzhi Cao
Johns Hopkins University, Baltimore, MD, USA
,
Shujiang Wu
,
Nitesh Saxena
Texas A&M University, College Station, TX, USA
Authors Info & Claims
Published: 22 April 2025 Publication History

Abstract

While advertising has become commonplace in today's online interactions, there is a notable dearth of research investigating the extent to which browser fingerprinting is harnessed for user tracking and targeted advertising. Prior studies only measured whether fingerprinting-related scripts are being run on the websites but that in itself does not necessarily mean that fingerprinting is being used for the privacy-invasive purpose of online tracking because fingerprinting might be deployed for the defensive purposes of bot/fraud detection and user authentication. It is imperative to address the mounting concerns regarding the utilization of browser fingerprinting in the realm of online advertising.
This paper introduces "FPTrace" (fingerprinting-based tracking assessment and comprehensive evaluation framework), a framework to assess fingerprinting-based user tracking by analyzing ad changes from browser fingerprinting adjustments. Using FPTrace, we emulate user interactions, capture ad bid data, and monitor HTTP traffic. Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes. We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking.
In conclusion, our research unveils the widespread employment of browser fingerprinting in online advertising, prompting critical considerations regarding user privacy and data security within the digital advertising landscape.

References

[1]
2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/re g/2016/679/oj/eng.
[2]
2018. California Consumer Privacy Act. https://leginfo.legislature.ca.gov/faces /codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
[3]
2020. Fraud detection API demo. https://fingerprintjs.com/demo.
[4]
2023. Browser Fingerprinting: A Complete Guide. https://incogniton.com/bro wser-fingerprinting-complete-guide.

Index Terms

  1. The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      WWW '25: Proceedings of the ACM on Web Conference 2025
      April 2025
      5475 pages
      ISBN:9798400712746
      DOI:10.1145/3696410
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 22 April 2025

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. measurement studies of privacy issues
      2. privacy policies
      3. web privacy

      Qualifiers

      • Research-article

      Funding Sources

      Conference

      WWW '25
      Sponsor:
      WWW '25: The ACM Web Conference 2025
      April 28 - May 2, 2025
      Sydney NSW, Australia

      Acceptance Rates

      Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • 0
        Total Citations
      • 1,290
        Total Downloads
      • Downloads (Last 12 months)1,290
      • Downloads (Last 6 weeks)1,275
      Reflects downloads up to 15 Jun 2025

      Other Metrics

      Citations

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media

      Get Access

      Get Access

      Login options

      References

      References

      [1]
      2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/eli/re g/2016/679/oj/eng.
      [2]
      2018. California Consumer Privacy Act. https://leginfo.legislature.ca.gov/faces /codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5.
      [3]
      2020. Fraud detection API demo. https://fingerprintjs.com/demo.
      [4]
      2023. Browser Fingerprinting: A Complete Guide. https://incogniton.com/bro wser-fingerprinting-complete-guide.
      [5]
      2023. Client-side vs. Server-side Header Bidding: What to Choose? https://www.adpushup.com/blog/client-side-header-bidding-vs-server-sideheader-bidding/.
      [6]
      2023. Cover Your Track. https://coveryourtracks.eff.org/.
      [7]
      2023. DataDome - Bot & Online Fraud Protection Solution. https://datadome.co/.
      [8]
      2023. DDoS Services: Cloud Security Products and Solutions | Radware. https: //www.radware.com/.
      [9]
      2023. The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking raw data. https://tamucs-my.sharepoint.com/:f:/g/personal/lzr_tamu _edu/EtA94fEfURxHsH6Qixvrvn4BnLJWHzMoM_EHeF4Vx3n78A?e=xhavnq.
      [10]
      2023. Header Bidding. https://admanager.google.com/home/resources/featurebrief-open-bidding/.
      [11]
      2023. How to use ModHeader in Selenium WebDriver. https://modheader.com/ docs/advanced/selenium-webdriver.
      [12]
      2023. ModHeader. https://chrome.google.com/webstore/detail/modheader/idgp nmonknjnojddfkpgkljpfnnfcklj?hl=en.
      [13]
      2023. My browser fingerprint. https://amiunique.org/fp.
      [14]
      2023. Network Advertising Initiative (NAI) opt-out controls. https://optout.net workadvertising.org/?c=1.
      [15]
      2023. Prebid. https://prebid.org/.
      [16]
      2023. Protection From Automated Attacks, Bots and Fraud | HUMAN Security. https://www.humansecurity.com/.
      [17]
      2023. Selenium automates browsers. That's it! https://www.selenium.dev/.
      [18]
      2023. Web Almanac: Part II Chapter 10 Privacy: Consent Management Platforms. https://almanac.httparchive.org/en/2021/privacy.
      [19]
      Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: dusting the web for fingerprinters. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. 1129--1140.
      [20]
      Károly Boda, Ádám Máté Földes, Gábor György Gulyás, and Sándor Imre. 2012. User tracking on the web via cross-browser fingerprinting. In Information Security Technology for Applications: 16th Nordic Conference on Secure IT Systems, NordSec 2011, Tallinn, Estonia, October 26--28, 2011, Revised Selected Papers 16. Springer, 31--46.
      [21]
      Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-) browser fingerprinting via OS and hardware level features. In Proceedings 2017 Network and Distributed System Security Symposium. Internet Society.
      [22]
      Darion Cassel, Su-Chin Lin, Alessio Buraggina, William Wang, Andrew Zhang, Lujo Bauer, Hsu-Chun Hsiao, Limin Jia, and Timothy Libert. 2021. Omnicrawl: Comprehensive measurement of web tracking with real desktop and mobile browsers. Proceedings on Privacy Enhancing Technologies 2022, 1 (2021).
      [23]
      John Cook, Rishab Nithyanand, and Zubair Shafiq. 2020. Inferring Tracker-Advertiser Relationships in the Online Advertising Ecosystem using Header Bidding. In Privacy Enhancing Technologies Symposium (PETS).
      [24]
      Peter Eckersley. 2010. How unique is your web browser?. In International Symposium on Privacy Enhancing Technologies Symposium.
      [25]
      Steven Englehardt and Arvind Narayanan. 2016. Online Tracking: A 1-million-site Measurement and Analysis. In ACM Conference on Computer and Communications Security (CCS).
      [26]
      David Fifield and Serge Egelman. 2015. Fingerprinting web users through font metrics. In International Conference on Financial Cryptography and Data Security.
      [27]
      Imane Fouad, Cristiana Santos, Arnaud Legout, and Nataliia Bielova. 2022. My Cookie is a phoenix: detection, measurement, and lawfulness of cookie respawning with browser fingerprinting. In PETS 2022--22nd Privacy Enhancing Technologies Symposium.
      [28]
      Umar Iqbal, Steven Englehardt, and Zubair Shafiq. 2021. Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 1143--1161.
      [29]
      Pierre Laperdrix, Gildas Avoine, Benoit Baudry, and Nick Nikiforakis. 2019. Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 43--66.
      [30]
      Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2020. Browser Fingerprinting: A Survey. ACM Trans. Web 14, 2, Article 8 (apr 2020), 33 pages.
      [31]
      Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 878--894.
      [32]
      Ada Lerner, Anna Kornfeld Simpson, Tadayoshi Kohno, and Franziska Roesner. 2016. Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016. In 25th USENIX Security Symposium (USENIX Security 16). USENIX Association, Austin, TX. https://www.usenix.org /conference/usenixsecurity16/technical-sessions/presentation/lerner
      [33]
      Xu Lin, Panagiotis Ilia, Saumya Solanki, and Jason Polakis. 2022. Phish in Sheep's Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting. In 31st USENIX Security Symposium (USENIX Security 22). 1651--1668.
      [34]
      Zengrui Liu, Umar Iqbal, and Nitesh Saxena. 2024. Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy? Proceedings on Privacy Enhancing Technologies (2024).
      [35]
      Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. 2022. Gummy browsers: targeted browser spoofing against state-of-the-art fingerprinting techniques. In International Conference on Applied Cryptography and Network Security. Springer, 147--169.
      [36]
      Keaton Mowery and Hovav Shacham. 2012. Pixel perfect: Fingerprinting canvas in HTML5. Proceedings of W2SP 2012 (2012).
      [37]
      Martin Mulazzani, Philipp Reschl, Markus Huber, Manuel Leithner, Sebastian Schrittwieser, Edgar Weippl, and FC Wien. 2013. Fast and reliable browser identification with javascript engine fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP), Vol. 5. Citeseer, 4.
      [38]
      Gabi Nakibly, Gilad Shelef, and Shiran Yudilevich. 2015. Hardware fingerprinting using HTML5. arXiv preprint arXiv:1503.01408 (2015).
      [39]
      Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In 2013 IEEE Symposium on Security and Privacy. IEEE, 541--555.
      [40]
      Lukasz Olejnik, Minh-Dung Tran, and Claude Castelluccia. 2014. Selling Off Privacy at Auction. In Network and Distributed System Security Symposium (NDSS).
      [41]
      Alexander Sjösten, Daniel Hedin, and Andrei Sabelfeld. 2021. Essentialfp: Exposing the essence of browser fingerprinting. In 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 32--48.
      [42]
      Spirals-Team. 2020. Spirals-Team/FPStalker. https://github.com/Spirals-Team/FPStalker.
      [43]
      Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. {Fp-Scanner}: The privacy implications of browser fingerprint inconsistencies. In 27th USENIX Security Symposium (USENIX Security 18). 135--150.
      [44]
      Craig E Wills and Can Tatar. 2012. Understanding what they do with what they know. In Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society. 13--18.
      [45]
      Shujiang Wu, Pengfei Sun, Yao Zhao, and Yinzhi Cao. 2023. Him of many faces: Characterizing billion-scale adversarial and benign browser fingerprints on commercial websites. In 30th Annual Network and Distributed System Security Symposium, NDSS.
      [46]
      Ting-Fang Yen, Yinglian Xie, Fang Yu, Roger Peng Yu, and Martin Abadi. 2012. Host Fingerprinting and Tracking on theWeb: Privacy and Security Implications. In NDSS, Vol. 62. 66.
      [47]
      Eric Zeng, Rachel McAmis, Tadayoshi Kohno, and Franziska Roesner. 2022. What factors affect targeting and bids in online advertising? a field measurement study. In Proceedings of the 22nd ACM Internet Measurement Conference. 210--229.