
Et tu, browser? Security experts ring bell over browser fingerprinting

Chrome turns back on privacy with ‘almost no built-in anti-fingerprinting defenses’

Your web browser wants you to think it’s on your side. It’s your helpful window into the online universe, and if it logs your history, so be it: there’s always incognito mode, or clearing things out every once in a while. It does not wish you ill. That bit of code hidden in its pocket? Nothing to worry about.

Alas, says That Privacy Guy, “the browser you are using right now is almost certainly betraying you.”

The accusation comes in a post in which the tech blogger aims to provide “a comprehensive, technically accurate and forensically useful reference covering every known client-side privacy vulnerability in Google Chrome.”

There are more of them than you might think. The Register has insights from privacy consultant Alexander Hanff, who notes that Chrome does not protect against browser fingerprinting, which monitors browser activity to create a unique footprint.

Hanff claims “there are at least thirty distinct fingerprinting techniques that work in Chrome right now, today, as you read this. Not theoretical attacks from academic papers that might work under laboratory conditions – real, production techniques deployed on millions of websites to identify and track you without your knowledge or consent.”

Fonts, screen resolution, other small details combine for unique identifier

On a recent episode of the Biometric Update Podcast, Valentin Vasilyev, chief technology officer of Fingerprint, explains how browser fingerprinting works. Browsers, he says, “expose so much information that can be used potentially to identify devices that you can combine that information to have enough identification accuracy to uniquely identify browsers and mobile devices.” Fingerprinting considers “things like screen resolution, fonts, the size of your dock, maybe, in macOS, and other things that are unique to your browser or your environment.”

On the device level, fingerprinting can scan CPU core count and available memory, screen resolution and display characteristics, timezone and language settings, battery status, audio configuration, storage capabilities, and other features.
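
An added illustration (not from the article or anyone it quotes) of why individually common attributes combine into a unique identifier: it groups a constructed sample of eight browsers into anonymity sets and measures how identifiable each browser becomes as attributes are combined. The attribute names and values are assumptions chosen for the example.

```javascript
// Constructed sample: values a page could read from eight visiting browsers.
const VISITORS = [
  { screen: "1920x1080", timezone: "Europe/London",    cores: 8 },
  { screen: "1920x1080", timezone: "Europe/London",    cores: 16 },
  { screen: "1920x1080", timezone: "America/New_York", cores: 8 },
  { screen: "1920x1080", timezone: "America/New_York", cores: 16 },
  { screen: "2560x1440", timezone: "Europe/London",    cores: 8 },
  { screen: "2560x1440", timezone: "Europe/London",    cores: 16 },
  { screen: "2560x1440", timezone: "America/New_York", cores: 8 },
  { screen: "2560x1440", timezone: "America/New_York", cores: 16 },
];

// Group visitors by the combined value of the chosen attributes.
// Each group is an anonymity set: browsers that look identical to the page.
function anonymitySets(visitors, attrs) {
  const sets = new Map();
  for (const v of visitors) {
    const key = JSON.stringify(attrs.map((a) => v[a]));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Shannon entropy (bits) of the combined attribute distribution.
function entropyBits(visitors, attrs) {
  let h = 0;
  for (const n of anonymitySets(visitors, attrs).values()) {
    const p = n / visitors.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Fraction of visitors who are alone in their anonymity set.
function uniqueFraction(visitors, attrs) {
  let alone = 0;
  for (const n of anonymitySets(visitors, attrs).values()) {
    if (n === 1) alone += 1;
  }
  return alone / visitors.length;
}

for (const attrs of [["screen"], ["screen", "timezone"], ["screen", "timezone", "cores"]]) {
  console.log(attrs.join("+"), entropyBits(VISITORS, attrs).toFixed(2), "bits,",
    uniqueFraction(VISITORS, attrs) * 100 + "% unique");
}
```

In this sample no single attribute singles anyone out (each splits the visitors in half), yet the three together leave every browser alone in its anonymity set.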

Fingerprint the company uses browser fingerprinting for fraud protection. But, says the Register, the technique itself poses a significant privacy risk. “A study published in Nature last October found that just knowing the four websites an individual visits the most – a behavioral fingerprint as opposed to a browser fingerprint – is enough to identify 95 percent of people.”

Google was initially opposed to fingerprinting, writing in 2019 that, “unlike cookies, users cannot clear their fingerprint, and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

That opinion has clearly changed.

“Chrome ships almost no built-in anti-fingerprinting defenses,” says Hanff. “Let me say that again because it matters – Google’s browser, the most popular browser in the world, does essentially nothing to prevent websites from building a unique profile of your device.”

“The technologies described in this document are not theoretical – they are deployed at scale against billions of people every single day. Understanding them is the first step. Building the tools to detect and expose them is the next.”

LinkedIn embroiled in ‘BrowserGate’ scandal

LinkedIn is now a part of the browser fingerprinting controversy, after an investigation alleged that the professional networking platform is deploying hidden browser scripts capable of scanning thousands of installed extensions and collecting detailed device data from users.

A recent edition of Cyber Security Hub Newsletter – published on LinkedIn – says the so-called “BrowserGate” report, published by a group claiming to represent commercial users, “accuses LinkedIn, owned by Microsoft, of engaging in large-scale browser fingerprinting that could expose sensitive corporate and personal information.”

“According to the report, LinkedIn injects concealed JavaScript into user sessions that actively probes browsers for installed extensions – tools that can range from productivity add-ons to enterprise sales software.” Analysis by cybersecurity outlet BleepingComputer “suggests the script checks for more than 6,200 browser extensions, a sharp increase from earlier findings in 2025, when roughly 2,000 extensions were reportedly targeted.”

“More recent public code repositories indicate a steady expansion of this detection capability, underscoring how rapidly the scope has grown.”

BrowserGate floats the idea that LinkedIn is using data for competitive intelligence, scanning for tools that directly compete with its own services – meaning the company could theoretically map which organizations rely on competing software.

LinkedIn rejects the allegations, and says the BrowserGate report “originates from an individual whose account was restricted for policy violations, including scraping.”

Friends, Romans, countrymen: give us your data

Many companies rely on browser-level signals to detect fraud, enforce policies, and protect digital platforms. Citibank, TD Bank, eBay, Equifax and Chick-fil-A are a few of the bigger names.

But the privacy concerns underscore “a broader tension in the modern internet: platforms seek to protect themselves from scraping, fraud, and misuse,” while “users and regulators demand transparency and privacy safeguards.”

“As browser fingerprinting techniques become more sophisticated, the line between security measures and surveillance continues to blur.” The fault, dear users, is not in ourselves, but in our czars.
