Google markets its Chrome browser by citing its superior security features, but according to privacy advisor Alexander Hanff, Chrome doesn’t protect against browser fingerprinting – a method of tracking people online by capturing technical details about their browser.

“There are at least thirty distinct fingerprinting methods that work in Chrome right now, at present, as you read this,” wrote Hanff, an occasional contributor to The Register, in a recently published critique of Google’s browser.

“Not theoretical attacks from academic papers that might work under laboratory conditions – real, production methods deployed on millions of websites to identify and track you without your knowledge or consent.”

Visitors to websites can leave behind a browser fingerprint that records the OS they’re running, their screen resolution, and installed fonts. That information is either carried in traffic from the browser to a web server or made available to the server or third parties via page scripts and tracking components. Browser fingerprints can become unique identifiers.
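How attributes that are individually common combine into a unique identifier, as an added example that is not from the article or from Hanff's post. The eight-visitor population is constructed, and the function names are hypothetical.

```javascript
// Constructed sample population (not real data): eight visitors described by
// attributes the article names (OS, screen resolution, fonts, timezone).
const POPULATION = [
  { os: "Windows 11", screen: "1920x1080", fonts: "base", tz: "UTC+1" },
  { os: "Windows 11", screen: "1920x1080", fonts: "base", tz: "UTC+1" },
  { os: "Windows 11", screen: "2560x1440", fonts: "base+office", tz: "UTC+1" },
  { os: "Windows 11", screen: "1920x1080", fonts: "base+office", tz: "UTC-5" },
  { os: "macOS 14", screen: "2560x1440", fonts: "base", tz: "UTC-5" },
  { os: "macOS 14", screen: "1920x1080", fonts: "base+office", tz: "UTC+1" },
  { os: "macOS 14", screen: "2560x1440", fonts: "base+office", tz: "UTC-5" },
  { os: "Windows 11", screen: "2560x1440", fonts: "base", tz: "UTC-5" },
];
const ALL_KEYS = ["os", "screen", "fonts", "tz"];

// Join the selected attribute values into one comparable fingerprint string.
function fingerprint(visitor, keys) {
  return JSON.stringify(keys.map((k) => visitor[k]));
}

// Map each fingerprint to the number of visitors sharing it (anonymity set size).
function anonymitySets(population, keys) {
  const sets = new Map();
  for (const v of population) {
    const fp = fingerprint(v, keys);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Fraction of visitors whose fingerprint nobody else in the population shares.
function uniqueFraction(population, keys) {
  const sets = anonymitySets(population, keys);
  const unique = population.filter((v) => sets.get(fingerprint(v, keys)) === 1);
  return unique.length / population.length;
}

// Identifying information, in bits, revealed by one visitor's fingerprint.
function surprisalBits(population, keys, visitor) {
  const count = anonymitySets(population, keys).get(fingerprint(visitor, keys));
  return Math.log2(population.length / count);
}

// Per-attribute uniqueness next to the combined fingerprint.
function report() {
  const rows = ALL_KEYS.map((k) => [k, uniqueFraction(POPULATION, [k])]);
  rows.push(["combined", uniqueFraction(POPULATION, ALL_KEYS)]);
  return rows;
}
console.log(report());
```

No single attribute isolates anyone in this sample, while the four together single out six of the eight visitors.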

About a decade ago, Apple, Mozilla, and other privacy-oriented browser makers began implementing more effective defenses against cookie-based tracking. That led advertisers toward browser fingerprinting, which is more difficult to block than cookie-based tracking. The technique is also used in fraud detection.

According to a 2021 research paper, “Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors,” browser fingerprinting was found “on more than 10 percent of the top-100K websites and over a quarter of the top-10K websites.”

While browser fingerprinting may have legitimate uses, it poses a significant privacy risk. And fingerprinting of this kind needn’t include much technical information at all. A study published in Nature last October found that simply knowing the four websites a user visits the most – a behavioral fingerprint as opposed to a browser fingerprint – is enough to identify 95 percent of people.

In 2019, Google announced its Privacy Sandbox initiative “to develop a set of open standards to fundamentally enhance privacy on the web,” including by smudging browser fingerprints.

The company blamed the rise of fingerprinting on efforts to block third-party cookies and proposed its own privacy-preserving technology as an alternative to Apple’s App Tracking Transparency scheme and similar defenses against cookies.

“First, large scale blocking of cookies undermines people’s privacy by encouraging opaque techniques such as fingerprinting,” the company wrote at the time. “With fingerprinting, developers have found ways to use tiny bits of information that vary between users, such as what device they have or what fonts they have installed to generate a unique identifier which can then be used to match a user across websites. Unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But after six years of stumbles, industry suspicion, and lobbying, Google gave up on its Privacy Sandbox. This came just months after the company changed its position from “digital fingerprinting is wrong” to “digital fingerprinting is okay if it’s disclosed”, back in Dec. 2024.

Such concerns may seem quaint at a time when people allow AI agents to rifle through their files and share sensitive details with chatbots and third-party AI applications. But they’re of real consequence.

A recently published report by Citizen Lab details how ad-based surveillance data is sold to government and law enforcement organizations around the world. One of the surveillance products described “‘automatically extract[s] available information from target connections’ including IP address, browser type, language, version and plugins, operating system and version, device type, CPU and GPU information, screen resolution, ISP information, estimated geolocation, user inputs, timezone, battery level and charging status.” It conducts device fingerprinting, among other kinds of surveillance.

“Chrome ships virtually no built-in anti-fingerprinting defenses,” said Hanff. “Let me say that again because it matters – Google’s browser, the most popular browser on the planet, does essentially nothing to prevent websites from building a unique profile of your device.”

He points out that other browsers do have fingerprinting protections.

“Brave has farbling. Firefox has privacy.resistFingerprinting. Chrome has nothing. Google’s Privacy Sandbox was discontinued in April 2025 without shipping a single fingerprinting-specific mitigation.”

In the remainder of his post, Hanff goes on to enumerate the gaps in Chrome’s fingerprinting defenses. These include technologies like: Canvas, WebGL, WebGPU, AudioContext, Fonts, navigation and screen properties, WebRTC IP leakage, TLS, emoji rendering, speech synthesis, keyboard layout, and so on.

He subsequently discusses 23 storage and tracking mechanisms that can be used to follow people online, such as cookies, bounce tracking, and CNAME cloaking.

“The technologies described in this document are not theoretical – they’re deployed at scale against billions of people every single day,” Hanff concludes. “Understanding them is the first step. Building the tools to detect and expose them is the next.”

Google didn’t respond to a request for comment. ®

