Rethinking Fingerprinting: An Assessment of Behavior-based Methods at Scale and Implications for Web Tracking
Authors: Kyle Crichton (Georgetown University), Lorrie Faith Cranor (Carnegie Mellon University), Nicolas Christin (Carnegie Mellon University)
Volume: 2025
Issue: 4
Pages: 795–811
DOI: https://doi.org/10.56553/popets-2025-0158
Abstract: Most common forms of web tracking fail to maintain the continuity of a user's identity over long periods of time: cookies get deleted, IP addresses are reassigned, attributes used for browser fingerprinting change. These identity discontinuities help prevent adversaries from conducting persistent long-term tracking. In fact, many privacy-enhancing technologies (e.g., automatic cookie deletion, use of proxy servers, fingerprint obfuscation) are predicated on the ability of identity discontinuities to disrupt an adversary's tracking capability. While only evaluated on a limited scale, behavioral fingerprinting—identifying users based on habitual patterns in their web browsing—may provide adversaries the key to linking users' identities across these discontinuities. To assess this potential threat, we provide an analysis of behavioral fingerprinting at scale, with over 150,000 users across two years, and the first assessment of the impact of these techniques on user anonymity online. Overall, we find that behavioral fingerprints are relatively unique, with most browsing sessions retaining little to no anonymity even at scale. Furthermore, users' behavioral fingerprints are consistent, evolving slowly over the course of months to years. Together, these findings satisfy the preconditions for effective identity linking. We go on to demonstrate that optimal performance is achieved when an adversary can observe 15–25 browsing sessions prior to a discontinuity and 10–15 sessions after. However, an adversary can eliminate 84–95% of a user's anonymity having observed just a single session pre- and post-discontinuity. After a discontinuity occurs, a user loses an average of 78–85% of their anonymity within the first 60 seconds of browsing and 90% of their anonymity within the first 10 minutes—largely negating the anonymity gains of privacy protections that induce discontinuities. 
We find that visiting fewer web pages, diversifying the websites visited, and avoiding niche content can help a user's browsing remain anonymous. Finally, we demonstrate that the combination of behavioral and browser fingerprinting can outperform each method individually, achieving an F1 score of 0.869 across 100,000 users.
Keywords: web tracking, fingerprinting, privacy, online behavior
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
