This was big news in mid-February. Google announced that digital fingerprinting is back. And then everyone in the news started talking about this as some new crisis. Everyone was in complete panic and everyone wanted me to rush a video out on this topic. But I didn’t rush a video. First, let me shake you all up. Maybe I should do a little slap too to wake everyone up. Calm down folks. The fact is that fingerprinting never left you. There has been no real change technically. Fingerprinting has always been around. Google wanted to get rid of it, though people thought this move was for your privacy.

Well, sorry, their attempts at removing this capability was not for you. It was for Google. Fingerprinting is part of a series of techniques used to track you all over the internet. But to truly digest this completely, you need to understand all the different related tracking techniques. Fingerprinting is just one piece of the tracking puzzle. I will try to give you a big picture, and then we will focus at the end on what the consequences of this tracking are and how to get around it. To give you a quick example, turning off JavaScript is not going to help you.

You want to figure this all out? Stay right there. For a long time now, maybe close to 20 years ago, there was a technique used to track you on the internet. It was called cross-site cookies. Advertisers wanted to know if you’ve seen their ad or their site, and they want to know if you’re back. They do this by dropping a little cookie in your browser. This is so they can do target marketing, and it’s still heavily used till today. Then a little over a decade ago, someone discovered another technique to learn if you’re back to the same site by using browser fingerprinting, and this skips the cookies.

It turns out that your browser emits a unique enough signature that can be fairly accurate in figuring out that you’re the same party. That signature can be stored by the tracking entity. Just as a brief example, the combination of your IP address, time zone, language, device, screen, size, extensions, colors, fonts, and so on, creates enough uniqueness to identify you. This is not 100%, but it’s accurate enough for advertising use. Now in general, Google doesn’t need these techniques to track you. Why? Because you already logged into Google, and they can recognize you by your Google ID, and that is validated by 2FA, to factor authentication.

And the Google ID travels with you over the internet. Google never loses the ability to track you. When you go into 99% of websites, that website is running Google code called Google Analytics or Google AdSense, and then that will read the cookie which has your Google ID. So this is the real tracker over the internet, folks, the Google ID. If you needed to panic, it was over the Google ID, not the fingerprinting, nor cross-site cookies. Cross-site cookies and fingerprinting are techniques used mostly by third parties. Google is the first party. In Google’s mind, you, the user, are the second party, the party they’re dealing with on their platforms.

But third parties are external companies trying to track you. These companies want to track you for advertising reasons, and Google wanted to hog the capability to track you all, and wanted to keep these third parties out. The first attempt was to warn third parties that Chrome would block fingerprinting at some point, and tracking will be handed over to advertisers by Google in a new way, a way they’ve determined for everyone. The first plan was called Federated Learning of Cohorts or Flock. Google’s idea was to categorize people into unlimited groups according to their interests, and then publicly reveal what flock you are in so that advertisers can figure out what you want.

But this was not supported by advertisers, and of course, users thought this was a privacy invasion. That’s a couple of years ago. They introduced the new version called Topics, and you will see this today on your Chrome browser. You will see what topics interest you. But Google limited the topics categories, and it is very general compared to Flock. For advertisers, this was worse, so they did not support this at all either. Advertisers wanted to know that you saw a Ford Mustang EV ad, and then you visited different sites that talk about Ford Mustang EV.

They can use this to measure the effectiveness of their ads. Google wanted to limit what they can figure out. A topics category was just limited to saying you were interested in cars. It’s not specific enough. And here’s the other problem that Google faced. In order to implement this, they were going to put it in Chrome. However, for it to be accepted as a standard, all browsers were going to have to implement it. And it should be obvious now that no browser was interested in implementing either flock or topic. So this was basically dead in the water.

Thus, third parties now know that nothing has changed, and can continue to use fingerprinting and cross-site cookies like normal. So this is the status quo. The Google threat to eliminate fingerprinting is gone. In essence, it means today, nothing has changed. Now that you understand a little bit of history, let’s get into this whole tracking business again, so you understand the tracking threats clearly. The deterministic tracking would appear to be a technical term that I’m introducing. But I don’t want to reinvent the wheel. This is the term used by people in ad tech.

When they know precisely who you are already, because you logged in, that is called deterministic tracking, because there’s no doubt as to your identity. You identified yourself and verified it with your password and even a 2FA. On Google, Facebook, and most platforms, they want you to log in. In fact, if you’re on a VPN, Google doesn’t even allow you to watch YouTube freely. If you’re to use YouTube, they want you to either reveal your IP address or log in with your Google ID. As I already mentioned earlier, once you’ve logged into Google, they have the ability to track your moves over the internet because of Google Analytics and AdSense that is embedded in most websites.

The security significance of this should be understood. Even if you go to a website like gap.com, Google Analytics on that site is able to read Google cookies because Google Analytics is Google. In other words, a domain can read all cookies from its own domain. Third-parties cannot read the Google ID, but Google can. This is possible because websites actually embed Google.com into their sites by running Google code in an invisible sub-browser called an iFrame. So tracking is only possible if a website embeds code from another company that is not fairs. The other main company that is commonly embedded in websites is Meta, and specifically Facebook.

The important thing to understand here is that the deterministic tracking threat is only useful to these two big players. No one else can embed code in other people’s websites. No website would do it willingly. So for example, let’s say you are logged into TikTok on a browser and you go to a car dealer website, nothing will happen because the TikTok login will not be captured by anything on the car dealer website. There is no TikTok Analytics. So deterministic tracking has limited utility outside of Google and Facebook. In the absence of deterministic or logged-in tracking with a user ID, the only trick up the sleeve of an advertiser popping a Google ad somewhere is to identify you with non-deterministic methods.

In other words, guesswork on your identity. By its nature, non-deterministic methods are not perfect. For example, the main technique used historically to track you is that if an ad was displayed to you, the ad window will drop a cookie in your browser, and that same ad company will try to detect these cookies anytime you see a new ad. This establishes a pattern that you’re the same person. These cookies are called cross-site cookies because they’re dropped by the ad window and not by the site you were visiting directly. They’re different domains. But cookies can be cleared, as you all know.

In fact, some browsers, like Brave, will clear cookies automatically if you set it to do that. So this ruins the tracking accuracy. Then companies went to browser fingerprinting. Fingerprinting does not rely on cookies. If you want to see how fingerprinting actually works, go visit my example on Braxme slash geo. On this site, click on show details on device signature, and this will show you an example of what can be tracked. I haven’t updated this in years, so there are more things now that can be used to track you. But as I mentioned in the intro, disabling JavaScript does not help you.

It just becomes another rare signature that will reveal who you are because few people would disable JavaScript. Anything unique creates a signature. If anything, you want to look as plain vanilla as possible. This website demonstrates that you can be tracked non-deterministically with probably 90% accuracy in a small population, though it is not a permanent tracker. To ensure better tracking, a combination of cookies and fingerprint can be used. As shown in this example, you can store the fingerprint in a cookie as well. Though you can change something on your computer to alter your fingerprint, and you can clear cookies by using both and maybe multiple cookies, there will be a trace left of your identity.

The basic conclusion I want you to gain from this is that it is very difficult to evade tracker cookies and fingerprinting. In fact, there are new techniques called persistent fingerprinting, where if you delete the cookies, the cookies will come back because there will be multiple things running to create traces. So to me, it is a waste of energy to try to evade trackers and fingerprints, since a normal user cannot do it. You’ll have to use Tails OS or something as drastic with no data persistence to get away from all this. But it’s not even necessary, and the reason is because non-deterministic threats are the major threat.

It’s the deterministic threat of Google and Facebook. Now something you should know as well, sites like Facebook can track you over the internet in a non-deterministic way using cookies and fingerprints, but then they can detect these when you log into Facebook. This means that now you’ve merged non-deterministic information with deterministic information. This is how Facebook can expand their reach even when not logged in. Can Google do this too? You can assume that and must assume that. If you try tricks like logging out of Google and think you’ve escaped Google, then think again.

Now the other thing I haven’t mentioned is that there are a separate group of trackers on mobile devices. One of the non-deterministic methods in the phone is the advertising ID that you will find on iPhones and Google androids. And these are more persistent since people don’t typically reset the advertising ID on their devices. You should realize that Google and Apple control the logins on their phones. So every action on a standard or normie phone is always deterministic. But the Google phones have no login and they also have no advertising ID. So the Google phones can only be tracked by non-deterministic methods.

Now let’s make sense of everything I’ve just said. The most serious of the tracking threats, as I mentioned, is the Google ID and the Facebook ID. This is because there are Google and Facebook embedded code in third-party sites that can read them everywhere. This deterministic threat is obviously 100% accurate and even if you attempt to log out, they can remember what you’ve done using cookies and fingerprints and merge the data as soon as you log back in. If there is reason to panic, it is here and you should panic because this tracking is almost absolute.

Every click on the internet is recorded. Well, 99% for Google and a little less for Facebook, if you’re on Facebook. The other threats are from advertisers and third parties. Do you really need to worry about these threats? In my opinion, these trackers are not permanent and certain actions will change the fingerprint or make them inaccurate. So I personally follow a series of mitigations that minimize the effect of tracker cookies or fingerprints from third parties. Let me discuss these techniques. Browser isolation is a procedure I invented a long time ago, over a decade ago.

This was in direct response to the problems I just stated. The specific technique is that on any device, I run multiple browsers, no less than two and probably better to have three. My typical choice browsers are Chrome and Brave. I use Chrome only for Google and YouTube is Google so that’s the primary one and then Gmail so all that is done on Chrome. My Chrome is logged into Google so it knows who I am deterministically. This is the important point. This is the only browser that should be logged in to Google.

My second browser is Brave. I do everything else on Brave but never log into Google. I can log into other websites so those websites can know me deterministically but it cannot leak outside of that website. There will be plenty of trackers and fingerprinting done on Brave by third parties and I will mitigate those with other techniques later but otherwise the point of browser isolation is to isolate Google. Google is the true danger here. I would never use Facebook but if you had to I’d put it on Chrome as well or a third browser would be better.

This includes everything meta by the way. Brave itself defends against some of the cookie threats so that destroys some of the accuracy of fingerprints when it clears cookies but this is not 100% as there are persistent fingerprint techniques as I mentioned. Second mitigation technique is to use a VPN. Now why is this important? The IP address is a primary fingerprint. When you use a VPN many users share the same IP address. Thus you will not be mixed in with multiple people with different behaviors and devices so this ruins the fingerprint. The accuracy of the fingerprint will drop from 90% to something a lot less.

The Google phones have another advantage. Since they have no Google ID they can actually appear to be always done deterministic to Google. Google can never see the true identity of the phone. Second, a de-Google phone has no advertising ID so third parties cannot track it that way either. Google can track you deterministically over a browser if you go to a browser on the de-Google phone and log into Google but if you log out and clear cookies then the ID ends completely and it will not persist. The hardest ones to track are users that have a plain vanilla configuration with a common device.

For example, I always keep my browser stock. No extensions, no special configurations like no script. It has to look as ordinary as possible so it doesn’t stand out. This reduces the accuracy of the fingerprinting significantly. If you use a different browser the fingerprint changes. There are likely at least six browsers you can install on your device. To name a few, we have Chrome, Brave, Chromium, Firefox, Waterfox, Safari, DuckDuckGo and so on. Not Opera. If you want to partition your activities even more and make fingerprints less accurate, group them by browser and use bookmarks to remind you the purpose of each browser.

Maybe have a specific browser for political content, one for searching or AI use and so on. The more you break up the fingerprint and cookies, the less information is available to trackers. Forget about techniques like Firefox containers or privacy tabs. They create the same fingerprint since the browser is the same. Privacy tabs don’t affect fingerprinting because it doesn’t need cookies. By the way, ad blockers contribute to removing the fingerprint because they actually block those ad domains and websites. The other tracking technique is to use the normal mobile phone to provide a fingerprint and then by connecting the mobile device to the computer via location or IP address, you are now tracked over two devices.

Again, this cross device tracking does not work using a de-google font so that is the main mitigation. There are various techniques you can use to destroy the accuracy of the fingerprint by changing screen size, extensions, changing time zones and even more complex ones like changing installed fonts on the browser. But this is a waste of time as non-deterministic tracking techniques don’t pose a serious enough threat so there’s no use going overboard on this. And just for analysis, some people have asked me if I’m concerned that the main Braxme site has Google Analytics.

Since that is the site that advertises Braxme, Google Analytics is useful there. The main Braxme app has no Google Analytics and again this threat only matters if you have a Google ID because Google will know you were on Braxme. But with browser isolation, Google Analytics detects nothing so this is not anything to worry about as long as you’re following what I say in this video. So in summary, fingerprinting and cross-site cookies may be irritating but aside from use in ads, they do not rise to the seriousness of deterministic tracking by Google and Facebook.

And you can mitigate the effects of the fingerprint and cookies so they lose their potency. Folks, many of you know that I don’t take ads in my channel and this channel is supported directly by this community. We get support by your purchases of products and services we offer. One of the newest projects is the Brax3 phone which as I mentioned earlier prevents deterministic tracking. This project is currently on indiegogo.com and will be available also on the site Braxtech.net. This project passed 1 million in crowd funding pre-production. We have other products in our store on Braxme.

We have the Brax virtual phone, we have Braxmail, we have Bite VPN. These and other products are available in the store on Braxme which is a privacy-focused social media site. Join the over 100,000 users who discuss privacy issues daily. Thanks again for your support on Patreon, locals, and YouTube memberships. See you next time. [tr:trw].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.