[mdominguez]

Yeah, they have to setup a completely different environment every time, or delete all cookies and then change the environment so as to fool the "feature change / new device" model. This can have different consequences depending on the company and how they model user behavior. One could be that the user is treated as a risky user - always having new devices. Another could be that the user is treated as an outlier and nothing more than that - not risky, not safe. And then, maybe if the user has a good previous history, you let them do their thing and see what happens. Maybe you're uncovering new fraudulent behavior or maybe you have new false positive example.

Nevertheless, the amount of users that go to these lenghts to mask themselves in the general population (i.e., all users of a 50m monthly active users app) is so miniscule that's not even a discussion, the opportunity cost is huge vs just focusing on your 99.998% (number I just came up with, not a real metric) of users and understanding their behavior and how to model a "good user". New users have stable device behavior? Well, then that VPS customer is probably gonna be traced frequently. This is how some banks do things as well (not fingerprinting, but transaction monitoring in general).

EDIT: as an aside, I think the most important point to understand about how companies and spaces like the ones I have experience in use fingerprinting is - it gives you outliers and only works as long as you have a nice mass of good users. These users are not trying to game you, so they don't tamper with our fingerprinting. The ones that do tamper are either tech savvy or fraudsters. But if everyone tampered with it... You see where I'm going with that.