In the end, you've got two things to work with: Things you can convince the browser to actively identify itself with, and the things you can track regardless.

Cookies are in the first category, but they are not alone. You can get things as simple as presenting an entire site with customized URLs that track a user through querystrings being appended to everything with an identifier. You can track certain caching differences. You can program a website to use local storage and submit a token on every URL click with a fairly simple handler. This isn't even remotely a complete list.

In the second category, you've got IP address, browser versions, various settings... see something like https://www.amiunique.org/ .

In a nutshell, your rich browser experience leaks so much data along so many axes that it is essentially inconceivable that you could ever prevent yourself from being fingerprinted. What you can do is try to detach that fingerprint from a real person, to a certain extent rotate what you can, etc. But in reality you can't be shipping up kilobytes of header information on each web request and expect there isn't something in there that can track you.

https://www.amiunique.org/fingerprint says I'm 100% unique; with all the red lighting up I'm not surprised.

Cookies aren't really mentioned in GDPR or other privacy laws, folks just latched onto cookies as one area that can track users. But really, all personal data is subject to most of the privacy laws, including outbound requests as well as stored data.

IANAL. But for context from lawyers, see: https://ico.org.uk/for-organisations/direct-marketing-and-el...

A web server’s logs may include the IP and http request they’ve made, but once you start attaching that to an identity instead it might count as data processing.

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

One can use the “legitimate interest” basis (recital 49 may be relevant here) or “compliance with a legal obligation” for logging.

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

- ePrivacy Directive which is about local storage

- GDPR which is about information processing

That still falls into the EU Cookie definition in the law. [0] If a website is doing this regardless of the user choosing not to allow cookies, it's committing a violation in the eyes of the law (in the EU at least).

[0] https://softwareengineering.stackexchange.com/a/295212

If I had to guess, based on what I know about you (what I mentioned in the previous paragraph), I would guess that you built your own computer. This almost guarantees a unique fingerprint.

With the deprecation of 3rd party cookies, we will definitely see an increase in fingerprint-based tracking. That being said, it’s going to look different than unique cookies (and it doesn’t explain OP’s situation.

(Or it might actually be that simple. Your fingerprint might be unique between IP re-addressing, and that’s all it is.)

Quite a lot of the specific details did surprise me though, to the point of wondering if there's a bug somewhere in their code determining percentages. "Audio context": "sampleRate : 44100, state : suspended" 0.05%? Gyroscope is a green check (I don't even 100% know what that means) and that's 0.13%? "Battery": "charging : true, chargingTime : 0, level : 1", 0.08%? (And is that even useful for fingerprinting over any significant period of time anyhow?)

So seems very skewed!

There are a few studies that used sites like that and got lots of traffic (by advertising on sites like HN) from non-normal users.

There was a landmark study done in France that measured fingerprints through a government website. The general population was much less unique.

Edit: found the AmIUnique paper: https://scholar.google.com/scholar_lookup?journal=Proceeding...

So basically what OP says is that most sites are just not following the European laws.

The other interesting thing is that it lists my plugins and "do not track" settings. They are both fairly unique. So, someone who attempts to anonimize themselves using plugins or browser features are just highlighting themselves.

I wonder how unique `wget` would be.

Besides the fonts, only 3% of the people recorded in their database have their monitors configured for 30-bit color.

Therefore it appears that taking good care of my eyes makes me easily identifiable, but there is no workaround for this, except for running the browser in a VM, where the characteristics of the hardware and whatever else is installed could be well hidden.

It hides the fact that I have a 30-bit monitor by pretending that it is a 24-bit monitor, but the list of available fonts remains visible, so I can still be uniquely identified.

list of fonts, list of plugins, media devices (the combo of webcams and microphones my work computer uses)

Great site for understanding what your browser tells about who you are.

I would expect that any reasonably sophisticated fingerprinting system would not rely primarily on the useragent, and agree that anything that isn't stock only serves to distinguish you further.

GDPR absolutely does not rely on specific implementations. Even earlier things I'm pretty sure don't, but GDPR has a much more general coverage. It's extremely important people understand this when they're writing software.

So local storage is also covered by this law. For other fingerprinting techniques, if you can identify a user, GDPR applies. And for ad purposes, the only realistic legal basis is consent.

So the existence of that header actually makes tracking worse on the web

Everything about you that isn't identical to everyone else can be combined to guess who you likely are. Your exact browser version, OS, supported APIs, your IP address, your latency to Google servers... Anything that isn't a complete match to everyone else.

You may have a new install, but your IP and latency match your old install. What are the odds you're not the same person?

It's all probabilistic. But Google has a lot of incentive to get really good at making those guesses.

I have been fingerprinted on sites completely unrelated to serving Google Ads.

Wait until the nsfw blackmail comes.

- the websites you view. you may have a common 3-4 that you visit in a row, sometimes on autopilot. fingerprint.

- the way you type and move your mouse. your cadence is unique, you have subtle changes in how you use your mouse. fingerprint.

Sources of these signals are often abuses of protocols used to enhance UX across devices. Examples include:

- Fonts installed (https://gist.github.com/szepeviktor/d28dfcfc889fe61763f3)

- Power saving telemetry (https://developer.mozilla.org/en-US/docs/Web/API/Battery_Sta...)

- Screen size - https://developer.mozilla.org/en-US/docs/Web/API/Screen

- Deep Packet Inspection — not just IP addresses anymore - https://en.m.wikipedia.org/wiki/Deep_packet_inspection

These are all tools meant to help users, but they can be used for collecting signals for targeted ads.

I am sure there are more techniques that are just not publicly talked about.

I have been asked by extended family members about blocking transmissions from devices so they cannot be tracked. There really is an illusion that the device actively listens on the microphone in order to target ads. I told them that, some places don’t need to transmit microphone in order to collect signals for device fingerprinting, and that is scarier.

Aggressive DNS blocking gets much better results. Bromite / similar beowser also helps.

https://cheq.ai/blog/what-is-browser-fingerprinting/

https://coveryourtracks.eff.org/

I assume it was SwiftKey since it was the only piece of software that had access to those keywords besides Chrome itself (which I assume is not the leaker since it never leaked data from Incognito on desktop and because it also happened in Firefox Private Browsing). The "Am I Unique" fingerprint for an Incognito vs a regular tab is also different, so I assume it's not a matter of fingerprinting with server-side tracking.

We are being tracked by the least suspicious pieces of software nowadays, it's becoming more and more difficult to know where the actual tracking came from as we add more and more layers of complexity into our computers. It's scary to think about.

Although, while fingerprinting is a thing, most people get targeted because they use their home IP. This is one good reason why a good vpn provider is better than wireguard on a vps.

If this is a concern for you, maybe consider Firefox? Then grab some extra privacy-conserving extensions like ublock, adnauseam, privacy badger, privacy possum, ghostery, decentraleyes, clearURLs, IStillDontCareAboutCookies, etc.

I get that this is a work machine and you may not have admin rights to install Firefox but any IT manager worth their salt won't refuse a request to change browser, especially if the motivation is personal security.

If they really don't budge (or you are too welded to the Google ecosystem to part with their browser) then maybe you could look for some of the extensions I mentioned above on Chrome?

This is a great opportunity to conduct a double blind experiment! Set up three Chrome profiles: your current one, one that's totally fresh, and one that's connecting from a different IP over a Socks proxy. Write a script to randomly start Chrome with one of these profiles; every hour quit the browser, restart it with a random profile, and record the ads you see. Do they all get the same distribution of ads? Do they start out different, but eventually converge?

My usual loadout is Thorium + the EFF's Privacy Badger extension, and sometimes UBO.

There are also experimental Windows builds of Bromite (another Chrome fork that is very close to Chromium, but with a light built-in adblocker.)

https://github.com/uazo/bromite-buildtools#test-windows-vers...

https://github.com/ungoogled-software/ungoogled-chromium

it looks like some of their patches are now built into debian? Like on this list:

https://udd.debian.org/patches.cgi?src=chromium&version=114....

disable/signin.patch seems to reference the ungoogled chromium repo

Seeing things I search for on google, like very unrelated to normal YT viewing like specific tech queries show on YT.

- Your DNS server is relevant, especially if it's google's or cloudflare's or youe ISP's DNS

- ETags can be used like fingerprints

- LastModified can also be used for fingerprints

- Pragma can be abused for long-living fingerprints in your Browser Cache

- AdMob has ultrasonic support. Not kidding, ads can be delivered to your phone while you watch TV - via unhearable sound signals. [1] usually called uXDT or XDT.

- Chrome has multicast DNS support to discover surrounding devices (and Browser instances). Check DNS-SD for details, and what can be discovered.

- Also the data for Chrome's locally trained neural net (aka FLoC) is inside the profile folder but won't be cleared with Browser History.

- (unlikely) TLS fingerprint is usually coupled with User-Agent on the server side, so rotating your User-Agent is pointless if you don't change the TLS fingerprint (which you can't without recompiling the Browser Engine).

Welcome to the new world. I miss the good ol' HTTP/1.1 days.

[1] (German) https://de.m.wikipedia.org/wiki/Cross-Device_Tracking

I agree with all the other comments that are saying this is probably fingerprinting, but you can check whether refusing cookies is doing anything. Two ways:

1. On a page where you refused all cookies but are seeing targeted ads, open developer tools and go into the "Application" tab. Open up Storage > Cookies. Do you see anything listed? You should see nothing there. You also shouldn't see anything in the rest of storage, since "cookie" consent is really "client-local storage consent".

2. You can check whether cookies were sent on particular network requests, like the ones to the ad companies. Open a new tab, open devtools, open networking. Then paste the URL in the url bar. Find an ad request in the networking tab: do you see a "Cookies:" header? If so, it sent a cookie for you.

Now what exactly that means I'm not sure. But the first thing my cookie banner does when someone declines the banner is.... create a cookie. But I guess we can argue that's essential for the user experience - to keep the banner out of the way on follow-up page views. Not a lawyer or privacy expert though.

Edit: above is behaviour I found with at least 2 cookie banners. I'm interested in suggestions if this isn't standard!

I used to use stricter methods such as blocking cookies outright or having them automatically delete upon receipt and changing the browser's user agent but it's not necessary to go to those lengths.

If one wants to see ads then fine, if you don't then you don't have to, even YouTube ads can easily be avoided. As this ad problem arises so frequently and as the solutions are so simple one has to ask why is it so difficult to get the point across that getting rid of ads is simple.

https://mullvad.net/en/browser/mullvad-browser

Though it's annoying having bars around browser to prevent display resolution fingerprinting.

You'll also not be able to login to some sites like tiktok (and probably others) which I don't know the fix for without just disabling all tracking protection.

1. Device Fingerprinting: Advertisers can use techniques such as device fingerprinting to gather information about your device, browser settings, operating system, and other characteristics. This information can be used to create a unique identifier for your device, allowing advertisers to target you with ads based on your device's attributes rather than relying on cookies.

2. IP Address Tracking: Your IP address is a unique identifier assigned to your device when connected to the internet. Advertisers can use your IP address to approximate your location and deliver ads based on your geographic location.

3. Behavioral Tracking: While cookies are commonly used for behavioral tracking, advertisers can also use other methods like pixel tags, web beacons, and JavaScript code to track your online activities across websites. These techniques allow advertisers to monitor your browsing behavior and serve targeted ads based on your interests and preferences.

4. Contextual Targeting: Advertisers may rely on contextual targeting, which involves analyzing the content of the web pages you visit or keywords used in search queries to determine relevant ads to display. This approach doesn't necessarily rely on cookies or personal data but focuses on the context of the content you engage with.

5. Data from Third-Party Sources: Advertisers may obtain data from third-party sources such as data brokers, social media platforms, or other online services. These data sources can provide information about your interests, demographics, or browsing history, enabling advertisers to target you with personalized ads even if you refuse cookies.

It's important to note that different platforms and advertising networks have varying approaches to ad targeting and user tracking. While refusing cookies can reduce the effectiveness of certain tracking methods, it may not completely eliminate all targeted advertising.

To enhance your privacy and reduce targeted ads, you can consider additional measures such as using browser extensions or privacy-focused browsers, enabling ad blockers, adjusting privacy settings on your devices and online accounts, and being cautious about the information you share online.

Most IPs don’t change that much.

Browse on Tor if you really want to avoid tracking.

Like, advertising on its own is already disgusting. I've worked hard to prevent myself from seeing/hearing ads. But the fact that this industry has also turned into a nightmare panopticon is so stupid. I wish we could literally ban all advertising. Maybe an exception for coupons in newspapers.

https://github.com/fingerprintjs/fingerprintjs

Cookies just scale better.

You have to edit your cookie preferences for the site (assuming they provide the option) and deselect Legitimate Interest cookies proactively in order to block them.

This recent write-up on Reddit alerted me to this information:

https://www.reddit.com/r/YouShouldKnow/comments/14ddk4u/ysk_...

GDPR enters the picture when cookies are used to identify users. And using the “legitimate interest” basis for ad purposes is illegal, and instead will require consent. Adtech is just hoping that users won't notice and lodge a complaint.