Last week, a thread on X hit 589K views making a tight case that everyone building or using privacy tools needs to grapple with: clearing cookies does nothing, because that's not how they track you anymore.
The thread cites new peer-reviewed research — the FPTrace paper from Texas A&M and Johns Hopkins, published at the ACM Web Conference 2025 — and lands on a three-part fix:
- Switch browsers. Tor (best), Brave (good), Firefox (good), Chrome (avoid for anything sensitive)
- Install two Firefox extensions: uBlock Origin + CanvasBlocker
- Flip one Firefox setting:
privacy.resistFingerprinting = true
I work on a Chrome privacy extension. So this thread is, in part, a claim that my product is on the wrong platform and users should abandon it. Let me engage with that honestly — because a lot of it is right, some of it isn't, and the part that isn't matters a lot to the 3+ billion people using Chrome-based browsers.
When your browser fingerprint changes, the real-time price advertisers pay to target you changes with it. This is the first peer-reviewed proof that fingerprinting isn't passive data collection — it's active commercial targeting, invisible to every cookie law on the books.
What the thread gets right
All of this is correct and worth repeating:
- Fingerprinting is the cookie replacement. Google phased third-party cookies out. Apple blocked them years ago. The $600B ad industry needed something you can't clear, block, or opt out of. Fingerprinting is the answer.
- The opt-out doesn't cover it. GDPR and CCPA were written for cookies. Fingerprinting runs underneath. The FPTrace researchers tested users who legally opted out — they still got fingerprinted and priced.
- Every page load broadcasts you. Screen resolution, GPU, fonts, audio signature, canvas rendering, timezone, battery level, whether you have an ad blocker. The signals are individually meaningless. Combined, they produce a 32–48 bit identifier that persists across sessions, incognito, and cookie clears.
- Princeton's 88% number is real. The Princeton Web Transparency Project found fingerprinting scripts on 88% of the top 10,000 sites. The EFF's Panopticlick data shows 83% of browsers are uniquely identifiable with fingerprinting alone.
- Anonymity through uniformity is the right frame. A rare browser setup makes you more trackable, not less. Thirty privacy extensions and a weird user agent = the most identifiable fingerprint on the network.
If you remember one thing from this article: the thread's core claim about fingerprinting being the main surveillance surface in 2026 is correct. Everything downstream of that claim is where the nuance lives.
Where the thread's recommendation breaks down
The thread says: "Chrome killed uBlock Origin's full version in 2024 with Manifest V3. Firefox only for real protection."
This is true for uBlock Origin specifically. It's not true as a general claim about fingerprint defense on Chrome. The sentence blurs two different things:
1. What MV3 actually broke vs. what it didn't
Manifest V3 restricts network request filtering via the webRequest API. That's the uBlock Origin use case. You can no longer intercept requests on the fly and decide to block them based on arbitrary logic. You have to declare your blocking rules ahead of time as declarativeNetRequest rulesets. uBlock Origin Lite works within this constraint; full uBlock doesn't.
Fingerprint defense is a different problem. It doesn't involve blocking network requests. It involves intercepting JavaScript API calls — canvas.toDataURL(), AudioBuffer.getChannelData(), WebGLRenderingContext.getParameter() — and returning slightly different values than the browser would have. MV3 did not remove this capability. Content scripts in MV3 can still monkey-patch DOM APIs in the MAIN world. That's exactly how PII Fortress's fingerprint shield works on Chrome in 2026.
2. Brave's built-in fingerprinting randomization is excellent. So is PII Fortress's. You can run both.
Brave randomizes canvas, WebGL, and audio outputs every session. This is legitimately one of the best fingerprint defenses shipping in any browser. If you're willing to switch browsers, Brave is a strong choice and I'd recommend it.
Here's the part most writeups miss: Brave is Chromium. PII Fortress installs on Brave. You get Brave's native fingerprint randomization plus our 20-feature privacy suite on top — one click to install, same extension store, no friction. For users who want the strongest fingerprint defense available in any Chromium browser, Brave + PII Fortress Sentinel is the combination. Brave handles the browser-level randomization; PII Fortress adds the 203+ CMP auto-reject, breach monitoring, prompt injection detection, AI scraper blocking, scam scanner, and everything else Brave doesn't bundle.
And if you're on Chrome, Edge, Opera, Arc, or any other Chromium browser — which is ~70% of desktop users — PII Fortress's Fingerprint Shield does structurally the same thing Brave does natively:
- Canvas: Injects per-session noise into the RGB output of every
toDataURL,toBlob, andgetImageDatacall. Your canvas hash changes every session. (Same approach as Brave and CanvasBlocker.) - Audio: Perturbs AudioContext channel data with inaudible noise. The audio fingerprint that sites extract from your browser's audio rendering becomes different every time.
- WebGL: Spoofs the vendor/renderer strings, randomizes extension enumeration order, and adds noise to
readPixelsoutput. The "you have an Intel UHD Graphics 630" signal is scrambled. - Fonts: Limits enumeration to a common baseline set. Custom fonts you've installed don't leak.
- Screen / hardware (aggressive mode): Normalizes
screen.width,screen.height,navigator.hardwareConcurrency, and related APIs.
This is not theoretical. The code is 428 lines, open-sourceable, and runs at document_start before any site script reads the APIs.
The fight isn't "Chrome vs. Firefox." It's "active API interception" vs. "scripts that read fingerprints get to complete uninterrupted." Chrome with a good fingerprint shield is the former. Chrome with nothing is the latter.
The honest comparison
Here's what actually protects against fingerprinting, ranked by defensive strength:
| Setup | Canvas | Audio | WebGL | Fonts | Notes |
|---|---|---|---|---|---|
| Tier 1 — Maximum anonymity (high-threat users) | |||||
| Tor Browser | Unified | Unified | Unified | Unified | Strongest: all users share one fingerprint |
| Tier 2 — Everyday browsers, ranked most → least coverage | |||||
| Brave + PII Fortress (Sentinel) | ✓✓ | ✓✓ | ✓✓ | ✓ | Browser-level + extension-level randomization. Strongest non-Tor option. |
| Firefox + RFP + uBlock + CanvasBlocker | ✓ | ✓ | ✓ | ✓ | Thread's recommendation. Solid four-layer stack. |
| Chrome + PII Fortress (Sentinel) | ✓ | ✓ | ✓ | ✓ | What this article is about. Roughly Brave-equivalent on Chrome. |
| Brave (default) | ✓ | ✓ | ✓ | Partial | Zero-config. Excellent for most people. |
| Firefox default (no extensions) | Some | ✗ | ✗ | Some | Strict mode blocks some scripts, doesn't randomize. |
| Chrome + uBlock Origin Lite | ✗ | ✗ | ✗ | ✗ | Blocks some fingerprinting scripts via filter lists. Doesn't intercept APIs. |
| Chrome default | ✗ | ✗ | ✗ | ✗ | Your browser is telling every site exactly what it is. |
"But thirty extensions makes you MORE trackable"
This is the most important nuance in the thread and it deserves a careful answer.
The claim is: if everyone else runs stock Chrome with no extensions, and you run Chrome with 30 privacy extensions, your extension fingerprint (enumerable via chrome.runtime probing, CSS selectors that extensions inject, subtle timing signatures, etc.) is now itself the identifier.
This is true in the extreme case. Installing every privacy extension you can find is counterproductive. The thread is right about that.
But there's a critical distinction between extension detection and API randomization:
- Extension detection adds signal. Sites can probe for your installed extensions (limited on MV3, but possible). More extensions = more probe surface = potentially more identifying.
- API randomization subtracts signal. When PII Fortress's shield makes your Canvas hash different every session, sites can't tie today's you to yesterday's you via canvas at all. That's pure noise reduction on the primary fingerprint vector.
Net effect of one well-designed fingerprint shield extension on Chrome: you lose a bit of extension-detection signal and gain massive Canvas/Audio/WebGL noise. The trade is strongly positive. Running uBlock + CanvasBlocker + Ghostery + DuckDuckGo + Privacy Badger + PII Fortress all at once is probably worse than running one of them well. That's the thread's real point and it's correct.
What the thread undersells about the Firefox path
Three things the thread doesn't fully acknowledge:
1. privacy.resistFingerprinting = true breaks a lot of sites.
It's aggressive. It locks your timezone to UTC, reports a standardized set of fonts, reduces the precision of performance.now(), and messes with screen dimensions. Banking sites break. Video calls break. Some SaaS apps break. The thread presents it as "done" — but most users who try it disable it within a week because their tools stop working.
PII Fortress's Sentinel fingerprint shield is tuned to break almost nothing (we have explicit code paths to skip shielding for large canvases used by maps, video players, and WebGL games). The aggressive setting is opt-in, not default.
2. Firefox's market share is 2.8%.
This is the uncomfortable number. The thread tells 97% of web users to switch browsers. Most won't. Telling them "you should switch to Firefox, and if you won't switch you can't protect yourself" leaves almost everyone unprotected. The tool that actually gets installed is better than the tool that theoretically provides perfect protection.
3. CanvasBlocker isn't maintained as actively as uBlock.
CanvasBlocker is good software. It's also maintained by one person, updated less frequently, and has had gaps in coverage (e.g., WebGL2 extensions) that took months to close. If you run it, you're trusting that single maintainer's time and focus. This is fine — it's how most privacy tooling works — but it's worth being honest about.
Where PII Fortress is honestly weaker than the thread's recommendation
No marketing spin. Three places where "Firefox + RFP + uBlock + CanvasBlocker" actually beats "Chrome + PII Fortress":
1. Tor-level anonymity is impossible on Chrome.
The thread's first recommendation — Tor — wins because all Tor users share one fingerprint. That's structurally impossible in our architecture. If you're a journalist, activist, or anyone with a real adversary, Tor is the right answer and no Chrome extension will ever match it. PII Fortress is for the other 99.9% of users who want strong protection without switching everything about how they browse.
2. Firefox with full uBlock Origin (the non-Lite version) has capabilities MV3 doesn't permit.
Firefox still allows webRequest-based blocking. This means uBlock on Firefox can intervene in network requests with per-request logic that MV3 Chrome extensions can't. For pure network-level tracker blocking, Firefox + uBlock is technically stronger than Chrome + PII Fortress. Our advantage is breadth (fingerprinting, consent auto-reject, breach monitoring, AI scraper blocking, prompt injection detection) — not depth on network filtering alone.
3. PII Fortress isn't 100% free and isn't 100% open source yet.
Guard (our free tier) includes baseline protection but the fingerprint shield is gated to Sentinel ($5.99/mo) and Vault ($9.99/mo). uBlock and CanvasBlocker are free forever. That's a legitimate reason to prefer them if your fingerprint shield needs to cost zero. Our roadmap includes AGPL-3.0 open-sourcing in the next 6 months; paid tiers fund that work.
4. We're Chromium-only today. Firefox is on the roadmap.
As of today, PII Fortress ships on every major Chromium browser — Chrome, Brave, Edge, Arc, Opera, Vivaldi — but not Firefox. If you already run Firefox, the thread's recommendation (uBlock + CanvasBlocker + privacy.resistFingerprinting) is the right path until we ship there. Firefox support is on our published roadmap and in active development. WebExtensions API compatibility is already ~85% of the work; the remaining 15% is fingerprint-shield-specific API surface quirks. We'll announce timing when we're confident in the release date rather than before.
The honest recommendation for each user profile
- Journalists, activists, anyone with a real adversary: Tor Browser. Use it. PII Fortress is not the tool for this threat model.
- Privacy-maximalists who want the strongest non-Tor setup: Brave + PII Fortress Sentinel. Brave's browser-level randomization + our extension-level randomization + 19 other privacy features layered on top. Installs in 2 minutes.
- Privacy-maximalists on Firefox who want free and open source: Firefox with
privacy.resistFingerprinting+ uBlock Origin + CanvasBlocker. Legitimately excellent. We don't ship on Firefox yet (on the roadmap) — use this stack until we do. - People who use Chrome/Edge/Arc/Opera for work, life, or because their employer requires it: PII Fortress Sentinel. You get Brave-equivalent fingerprint randomization in your existing browser plus 19 other protections on top. No browser switch required.
- Anyone who wants "free and open source, period": Firefox + uBlock Origin + CanvasBlocker. We're not pretending to compete on "100% free forever" — yet. (AGPL-3.0 + Firefox port both on the 6-month roadmap.)
The thread's fix is correct if you'll switch browsers. PII Fortress is correct if you won't. Both are valid. Telling users "you're unprotected" because they won't switch is how privacy advocacy loses to defaults.
The specific claim we agree with most
"You don't have to visit a shady site. You just have to open a browser."
This is the line that should convince anyone reading the thread — or this article — to do something about fingerprinting right now. Every page you load is already broadcasting your identifier to 88% of the sites you visit. Clearing cookies does nothing to stop it. Most ad blockers do nothing to stop it. Chrome does nothing to stop it.
Pick your tool:
- Switch to Brave AND install PII Fortress Sentinel. Strongest non-Tor setup. Done in 12 minutes.
- Switch to Brave alone. Zero config. Done in 10 minutes.
- Switch to Firefox, flip
privacy.resistFingerprinting, install uBlock + CanvasBlocker. Done in 30 minutes. - Stay on Chrome/Edge/Opera/Arc, install PII Fortress, upgrade to Sentinel. Done in 2 minutes.
Any of these is enormously better than nothing. Don't let perfect be the enemy of installed.
Test your fingerprint, then fix it.
Run EFF's Cover Your Tracks to see your current fingerprint uniqueness. Then install PII Fortress and run it again. The delta is why we built this.
Sources
- FPTrace: Measuring the Propagation of Canvas Fingerprinting (ACM WWW 2025) — Texas A&M / Johns Hopkins
- EFF Cover Your Tracks — test your own browser
- Princeton Web Transparency Project — the 88% finding
- Firefox anti-fingerprinting documentation
- Brave fingerprinting defenses
- Original AIHighlight thread on X