[charcircuit]

>Having a unique fingerprint means fingerprinters can continuously identify you invisibly

This is not right. If you have a unique fingerprint every time someone tries to fingerprint you, then they have to do extra work to try and figure out which are the same. If you make it always be the same you've made the fingerprinter's job much easier.

[tomrittervg]

In this context "a unique fingerprint" means that your fingerprint does not match any other user's. When you visit Site A and B you give a fingerprint X that is the same on A and B but no one else on the internet has ever sent.

In contrast a randomized fingerprint mean when you visit A you have a fingerprint X' and on B you have a fingerprint Y' and no one else on the internet has X' or Y' but A and B can't correlate you.

The protections we've put in place first try to do API normalization to make it so more people have a fingerprint X, and it isn't unique. And then they do API randomization so you use X' and Y'.

If a fingerprint goes to extra effort of detecting a randomized fingerprint, and ignore (or remove) the randomization, they will get the X fingerprint which - hopefully - matches many more users.

[cjkaminski]

Agreed. And this technique becomes more effective as the number of people using it increases. It's easy to match up randomized fingerprints if only one person is doing it, but quite hard when thousands or millions are doing it.

[rolph]

dont use randomized fingerprints, spoof actual fingerprints, randomly.

[kube-system]

A good fingerprint algorithm incorporates features and functionality that can't be spoofed because it is necessary for the browser to work correctly.

You can't just make your browser's APIs give erroneous outputs and still expect the browser's APIs to work.