Beyond Cookies: Study Confirms Websites Use Browser Fingerprinting for Covert User Tracking
Even erasing all cookies is no longer a safeguard against digital surveillance. A groundbreaking study conducted by a team from Texas A&M University has provided the first documented evidence that websites are indeed leveraging browser fingerprinting to track users across the internet.
This so-called “browser fingerprint” is constructed from a combination of technical attributes—such as screen resolution, device model, time zone, and other system parameters. Together, these elements form a unique digital signature capable of identifying an individual user. Unlike cookies, which can be deleted, a browser fingerprint is nearly invisible and virtually impossible to conceal—meaning most users remain unaware that their everyday digital behavior is meticulously recorded. Until now, the cybersecurity community had only suspected that such tracking was taking place; this study has finally confirmed it.
The researchers’ approach was simple yet ingenious: if the behavior of advertising platforms—such as real-time bidding systems—changes when a browser fingerprint is altered, then the fingerprint must be actively used as an identifier. By monitoring HTTP requests and activities related to ad auctions, the researchers observed significant behavioral shifts when browser characteristics were modified. This strongly suggests that browser fingerprints are indeed influencing ad network decisions, and by extension, being used for surveillance.
Particularly alarming is the revelation that this form of tracking persists even when users explicitly opt out of tracking, invoking rights guaranteed under regulations such as GDPR and CCPA. The study demonstrated that, despite formal prohibitions, websites continue to deploy covert techniques to construct user profiles.
Some of the identified websites transmitted browser fingerprints to backend systems involved in the ad bidding process. This implies that identifiers obtained through opaque methods were actively employed in real time—for instance, to determine ad pricing or tailor the type of advertisement delivered.
According to the authors, current legal frameworks and browser-based privacy tools offer insufficient protection. They emphasize the urgent need for stricter oversight and advocate for the development of auditing tools to empower regulators and privacy advocates in exposing unethical data collection practices.
The study’s findings, presented at the ACM Web Conference (WWW) 2025, mark a pivotal moment in reassessing the true scope of web-based tracking via browser fingerprinting.
