Websites are tracking you via browser fingerprinting, researchers show

Clearing your cookies is not enough to protect your privacy online. New research led by Texas A&M University has found that websites are covertly using browser fingerprinting—a method to uniquely identify a web browser—to track people across browser sessions and sites.

The findings are published as part of the Proceedings of the ACM on Web Conference 2025.

“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”

When you visit a website, your browser shares a surprising amount of information, like your screen resolution, time zone, device model and more. When combined, these details create a “fingerprint” that’s often unique to your browser. Unlike cookies—which users can delete or block—fingerprinting is much harder to detect or prevent. Most users have no idea it’s happening, and even privacy-focused browsers struggle to fully block it.

“Think of it as a digital signature you didn’t know you were leaving behind,” explained co-author Zengrui Liu, a former doctoral student in Saxena’s lab. “You may look anonymous, but your device or browser gives you away.”

This research marks a turning point in how computer scientists understand the real-world use of browser fingerprinting by connecting it with the use of ads.

“While prior works have studied browser fingerprinting and its usage on different websites, ours is the first to correlate browser fingerprints and ad behaviors, essentially establishing the relationship between web tracking and fingerprinting,” said co-author Dr. Yinzhi Cao, associate professor of computer science and technical director of the Information Security Institute at Johns Hopkins University.

To investigate whether websites are using fingerprinting data to track people, the researchers had to go beyond simply scanning websites for the presence of fingerprinting code. They developed a measurement framework called FPTrace, which assesses fingerprinting-based user tracking by analyzing how ad systems respond to changes in browser fingerprints.

This approach is based on the insight that if browser fingerprinting influences tracking, altering fingerprints should affect advertiser bidding—where ad space is sold in real time based on the profile of the person viewing the website—and HTTP records—records of communication between a server and a browser.

“This kind of analysis lets us go beyond the surface,” said co-author Jimmy Dani, Saxena’s doctoral student. “We were able to detect not just the presence of fingerprinting, but whether it was being used to identify and target users—which is much harder to prove.”

The researchers found that tracking occurred even when users cleared or deleted cookies. The results showed notable differences in bid values and a decrease in HTTP records and syncing events when fingerprints were changed, suggesting an impact on targeting and tracking.

Additionally, some of these sites linked fingerprinting behavior to backend bidding processes—meaning fingerprint-based profiles were being used in real time, likely to tailor responses to users or pass along identifiers to third parties.

Perhaps more concerning, the researchers found that even users who explicitly opt out of tracking under privacy laws like Europe’s General Data Protection Regulation (GDPR) and California’s California Consumer Privacy Act (CCPA) may still be silently tracked across the web through browser fingerprinting.

Based on the results of this study, the researchers argue that current privacy tools and policies are not doing enough. They call for stronger defenses in browsers and new regulatory attention to fingerprinting practices. They hope that their FPTrace framework can help regulators audit websites and providers who participate in such activities, especially without user consent.

This research was conducted in collaboration with Johns Hopkins University and presented at the ACM Web Conference (WWW) 2025.