On the internet, it’s easy to feel anonymous. If you don’t log in, no one can see who you are; you can even switch to incognito mode. The more savvy user would say that’s not really enough. To be anonymous, you need to clear your cookies and use a privacy-oriented browser.
But new research shows even that doesn’t work anymore. Websites are still tracking you — silently, persistently, and without your consent — by reading your browser’s unique “fingerprint.”
“Think of it as a digital signature you didn’t know you were leaving behind,” explained co-author Zengrui Liu, a researcher who worked on the study. “You may look anonymous, but your device or browser gives you away.”
Digital breadcrumbs
Cookies — the tiny data packets websites use to remember you — have long been the focus of privacy debates. But cookies are visible. You can clear them, block them, or refuse them altogether.
Browser fingerprinting is different. It works in the shadows, without you actually doing anything.
When you go on a website, your browser communicates some bits of information. It’s normally things like your time zone, screen resolution, or device model. That information helps the website display information properly. But it also forms a pattern, a sort of digital signature. Essentially, you leave behind a trail of digital breadcrumbs that’s as unique as a fingerprint.
Unlike cookies, fingerprints can’t be deleted. They aren’t stored locally. They’re inferred, passively, every time your browser connects to a site. You can trick websites to show you a different resolution, for instance, but then the webiste wouldn’t load properly.
This information is very useful because it helps them serve better ads or customize offers based on your profile. But it could, in theory, also be used for surveillance.
Hard evidence
It’s not the first time digital fingerprinting has been discussed, researchers say.
“Fingerprinting has always been a concern in the privacy community, but until now, we had no hard proof that it was actually being used to track users,” said Dr. Nitesh Saxena, cybersecurity researcher, professor of computer science and engineering and associate director of the Global Cyber Research Institute at Texas A&M. “Our work helps close that gap.”
To see whether this is the case, they built a tool called FPTrace — a novel system designed to observe what happens when a browser’s fingerprint changes. The idea: if fingerprinting truly influences ad tracking, then altering the fingerprint should affect how advertisers behave. If browser fingerprinting is a thing, then altering fingerprints should change the ads you see and the HTTP records of communications.
They were right.
There were changes in advertiser bid values — how much a company was willing to pay to show an ad — and fewer “syncing events,” which are used to identify users across platforms. These changes strongly suggested that browser fingerprints were being used in real time to shape the digital ads a user sees, and potentially to pass that identifying data on to third parties.
Tracking occurred even when cookies were deleted or cleared.
“This kind of analysis lets us go beyond the surface,” said co-author Jimmy Dani, Saxena’s doctoral student. “We were able to detect not just the presence of fingerprinting, but whether it was being used to identify and target users — which is much harder to prove.”
No one follows the rules
The researchers then wanted to see whether legislation matters. They found that even users who had opted out of tracking under Europe’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA) were still fingerprinted. There were no options to say no. Just invisible surveillance.
It’s not clear if this is illegal. The problem, researchers argue, is that fingerprinting operates in a gray zone. Since it doesn’t require storage on your device, it’s not always covered by rules targeting cookies or traditional tracking methods. Legislation, as it so often happens, is behind and insufficient.
Presented at the 2025 ACM Web Conference, the study marks a significant turning point in the public understanding of online privacy. Most users have no idea something like this exists, and the technology is already deeply integrated into online ad systems. Every time a page loads, your fingerprint may be auctioned off to the highest bidder in a backend process that takes milliseconds and happens completely out of view.
The researchers hope that FPTrace can become a more widely used tool, not just for scientists, but also for regulators looking to build healthier laws. If privacy watchdogs can use it to detect silent fingerprinting, they may finally be able to enforce the rules that already exist — and push for better ones.
Until then, your best line of defense might not be deleting cookies. It might be realizing that your browser, quietly and automatically, is telling the internet far more about you than you ever intended.
Journal Reference: Zengrui Liu et al, The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking, Proceedings of the ACM on Web Conference 2025 (2025). DOI: 10.1145/3696410.3714548
