Web Fingerprinting Demo ⇥ bitestring.com

A non-bylined post at Bitestring:

We are going to test a product built by a company called FingerprintJS Inc. who is selling fingerprinting as a service. They make JavaScript fingerprinting libraries which are in fact open source and sell it to many websites. There’s FingerprintJS Pro which is an even scarier version of regular fingerprinting library. It doesn’t matter if you are using a VPN or Private Browsing mode, they can accurately identify you. Here’s how they are describing themselves, “The device identity platform for high-scale applications”.

FingerprintJS has a demo built into its homepage, https://fingerprint.com. When you visit this website, they generate a visitor ID (fingerprint) which is unique for your browser. So even if you clear the cache (and other site data) or visit the site in Private Browsing mode, they can generate the same ID and correlate with your previous visit.

My visitor ID was stable in Safari after visiting fingerprint.com only in private windows across two separate sessions. This, despite using Safari’s anti-tracking features, having iCloud Private Relay switched on, and using browser extensions which limit what kinds of scripts are able to run in my browser — and, again, accessing it only in private windows. On its homepage, FingerprintJS says the “VisitorID will remain the same for years, even as browsers are upgraded”. It can be, near as makes no difference, a permanent personal identifier.

The writer notes Firefox has a resistFingerprinting setting which does appear to prevent whatever techniques FingerprintJS is using by restricting access to some APIs. However, as this technology is also used to check that website visitors are real people and to reduce credit card fraud, I imagine it could prove restrictive. There are already many websites which challenge me to prove I am not a bot simply because I am using Safari; the same sites do not present so many challenges in Chrome.