Researchers at Texas A&M University released findings on June 26, 2025, showing that browser fingerprinting can track individual devices across websites and sessions even after users clear their cookies or connect through a VPN. The work, tied to a tool called FPTrace and presented at the ACM Web Conference 2025, underscores a gap that many VPN subscribers may not realize exists: hiding an IP address does not stop a website from recognizing the device itself.
How fingerprinting bypasses the VPN promise
A VPN encrypts traffic and masks a user’s IP address, which is the data point most people associate with online tracking. Fingerprinting operates on a different layer entirely. Scripts embedded in web pages collect dozens of signals from a visitor’s browser and hardware, including screen resolution, installed fonts, WebGL rendering behavior, audio stack properties, time zone, and language settings. On their own, each signal looks harmless. Combined, they form a profile distinctive enough to follow a device from site to site without relying on cookies or IP addresses at all.
The Texas A&M research team built FPTrace to measure how effectively these signals link browsing sessions together. According to the university’s news release, the core conclusion is straightforward: fingerprinting can track users across sessions and sites even when cookies are cleared. That means a user who rotates VPN servers, deletes stored data, and switches to private browsing mode can still be re-identified the moment a fingerprinting script runs on the next page load.
For the average person paying for a VPN subscription, the practical effect is that the product solves only part of the tracking problem. Network-level anonymity does not equal device-level anonymity, and most commercial VPN marketing does not spell out the difference. A VPN can prevent an internet service provider or a hostile network operator from seeing which sites a user visits, but it does little to stop individual sites from recognizing and correlating that same device over time.
FPTrace findings presented at ACM WWW 2025
FPTrace was presented at ACM WWW 2025, one of the top peer-reviewed venues for web research. The conference talk gave the tool visibility among browser engineers, privacy researchers, and policy analysts who influence how tracking defenses are designed. Peer review at that level lends weight to the central claim: current browser defaults expose enough hardware and software signals to make fingerprinting a reliable identification method in practice, not just in theory.
The institutional release from Texas A&M emphasizes how difficult it is for ordinary users to prevent the technique. Unlike cookies, which can be blocked or deleted through browser settings, fingerprinting attributes are generated by the browser’s normal interaction with web content. A site does not need to store anything on the user’s machine. It simply reads what the browser already reveals, computes a hash or feature vector, and compares it against previously seen profiles. The user receives no prompt, no consent dialog specific to fingerprinting, and in most cases no indication that the collection happened.
Browser vendors have taken incremental steps to blunt the practice. Firefox offers an Enhanced Tracking Protection mode that blocks some known fingerprinting scripts. Safari limits certain programming interfaces that expose hardware details. Brave randomizes particular outputs to make fingerprint hashes less stable. Tor Browser goes further by trying to make many users look as similar as possible. Still, these protections vary widely in scope and are often not enabled by default, especially in mainstream configurations that prioritize compatibility with existing websites.
The hypothesis that browsers could reduce cross-site fingerprinting by limiting exposed hardware and software signals is intuitive. Yet the public materials around FPTrace do not quantify how much protection specific changes would provide. Without a shared benchmark, it is hard for vendors to know whether, for example, rounding screen resolutions or hiding font lists would cut tracking success in half or only by a few percentage points.
What browsers and users still cannot measure
Several questions remain open after the FPTrace presentation. The university release summarizes the research conclusions but does not publish the raw dataset, the exact list of fingerprinting attributes FPTrace measured, or site-level tracking success rates. Without those specifics, independent researchers cannot yet replicate the results or compare fingerprinting resilience across different browsers and configurations in a controlled way.
The full ACM WWW 2025 paper and any supplementary materials are not available in the sources reviewed here. That gap matters because the difference between “fingerprinting can track users” as a general statement and “fingerprinting re-identified a specific share of users on a specific set of sites” as a quantified finding shapes how seriously browser vendors and regulators should treat the risk. The general possibility of fingerprinting has been documented in earlier academic work. The value of FPTrace lies in whatever new precision it adds about real-world tracking rates, and that precision is not yet visible in the public record described so far.
There is also no clear timeline for browser vendors to act on these findings. The institutional summary does not cite any formal commitments from major browser teams to change default settings or shipping features in response to FPTrace. Historically, companies have moved cautiously on fingerprinting protections because restricting browser signals can break legitimate uses such as fraud detection, performance tuning, and accessibility tools that rely on accurate device information.
Regulators, too, face measurement challenges. Many privacy laws focus on technologies that store identifiers on user devices, such as cookies or mobile advertising IDs. Fingerprinting sidesteps those definitions by deriving identifiers from existing system properties rather than writing new data. Without standardized metrics or transparency reports that reveal how often sites attempt fingerprinting and how successful those attempts are, policymakers have little empirical footing for new rules.
What privacy-conscious users can do today
For users who want to act now, the most direct step is to treat a VPN as one tool among many rather than a complete privacy solution. Choosing a browser that restricts fingerprinting by default, such as Brave or the Tor Browser, can meaningfully reduce the number of signals available to trackers. These browsers either randomize certain attributes or standardize them across users to make fingerprints less unique.
In mainstream browsers, checking privacy settings is the next practical move. Firefox users can enable stricter tracking protection modes that include some fingerprinting defenses. Safari users can turn on additional privacy options that limit cross-site tracking and reduce access to hardware details. While these measures do not eliminate fingerprinting, they raise the cost for trackers by degrading the stability and distinctiveness of each fingerprint.
Users can also be selective about where they allow JavaScript, since most fingerprinting techniques rely on script execution. Browser extensions that block or sandbox scripts on unfamiliar sites reduce exposure, though they may break interactive features on some pages. This trade-off between usability and privacy is unlikely to disappear, especially as sites adopt more sophisticated detection to ensure that critical functions still receive enough device information.
A widening gap between expectations and reality
The broader tension highlighted by FPTrace is the widening gap between user expectations and the technical reality of web tracking. Many people believe that clearing cookies, switching to private browsing mode, or routing traffic through a VPN meaningfully resets their online identity. The Texas A&M findings suggest that, in the presence of fingerprinting scripts, those steps are at best partial defenses.
Over the next year, that gap is likely to shape debates among browser vendors, advertisers, and regulators. Vendors must decide how far they are willing to go in reducing exposed signals, knowing that aggressive changes may disrupt existing services. Advertisers and analytics providers will weigh the value of fingerprinting data against the reputational and regulatory risks of relying on opaque tracking. Regulators will need clearer evidence and standardized measurements before they can craft rules that address fingerprinting without sweeping in benign uses of device information.
FPTrace does not close those debates, but it sharpens them. By demonstrating that fingerprinting can follow devices across sites even when users take basic precautions, the research challenges the narrative that privacy is a simple matter of toggling a VPN or deleting a cookie. Until browser defaults change and transparency improves, the burden will fall on technically informed users to assemble their own layers of protection-and to recognize that, in today’s web, anonymity is a moving target rather than a switch they can flip once and forget.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.