Google may tout the safety features of Chrome, but a privacy consultant is calling into question how safe the browser really is. Alexander Hanff maintains that browser fingerprinting is not protected in Chrome.
Browser fingerprinting is a technique used to track people by capturing technical details about their browsers.
“There are at least thirty distinct fingerprinting techniques that work in Chrome right now, today, as you read this,” maintained Hanff, in a recently published critique of Google’s browser.
“Not theoretical attacks from academic papers that might work under laboratory conditions — real, production techniques deployed on millions of websites to identify and track you without your knowledge or consent,” he added.
The power of the browser
When a person visits a website, they can leave behind a browser fingerprint that records the OS they are running, along with their screen resolution and installed fonts, according to The Register, which published Hanff’s concerns. A browser carries that information to a web server, or makes information accessible to the server or third parties via page scripts and tracking elements. Browser fingerprints can become unique identifiers.
Apple, Mozilla, and other privacy-focused browser companies began deploying more effective defenses against cookie-based tracking about a decade ago. That was the impetus for advertisers to implement browser fingerprinting, which is harder to block than cookie-based tracking. The technique is also used in fraud detection.
Even if browser fingerprinting has its merits, it creates a significant privacy risk. And this type of fingerprinting may not, in fact, contain much technical information, The Register noted. Instead of a browser fingerprint, a behavioral fingerprint — which only requires knowledge of the four websites a person visits most frequently — is enough to identify 95% of people, according to a study published in Nature last October.
Cookies galore
Google’s Privacy Sandbox initiative was announced in 2019 to develop “a set of open standards to fundamentally enhance privacy on the web,” including by smudging browser fingerprints.
At the time, the company blamed the growth of fingerprinting on efforts to block third-party cookies. Instead, as an alternative to Apple’s App Tracking Transparency scheme and similar cookie protections, it proposed its own privacy-preserving technology.
However, according to Hanff, Google abandoned its reduction of third-party cookies in July 2024 and retired Privacy Sandbox replacement APIs in October 2025. This means that “third-party cookies remain fully operational in Chrome with no removal timeline,’’ he wrote. “Let me be clear about what this means — after six years of promising to remove third-party cookies, after building an entire Privacy Sandbox ecosystem supposedly designed to replace them, Google simply gave up and left them in place.”
Other safety measures in Chrome
Earlier this month, Google announced that it had taken measures to combat session theft — which typically occurs when a user inadvertently downloads malware onto their device — by making Device Bound Session Credentials (DBSC) publicly available for Windows users on Chrome 146. DBSC will be expanded to macOS in an upcoming Chrome release, the company said.
Google also detailed other safety aspects it is working on, including securing federated identity and advancing registration capabilities, and said it is looking into adding software-based keys to extend protections to devices without dedicated secure hardware.
Meanwhile, the company is grappling with a massive Chrome Extension scam that exposed the data of about 20,000 people, carried out by a lone hacking group.
Read the full article here
