What are the various ways logging into a website can compromise privacy?

When a user logs into a website, what are the specific ways it enhances the website’s ability to track/fingerprint the user?

For example, when I am using a browser with multiple tabs of various websites open and I log into Amazon, what is Amazon able to do/know about me in that specific browser session that they were not able to do/know about me prior?

I’m asking this because I’ve seen it mentioned many times that to protect privacy when users log into websites like Amazon, Facebook, Google, etc., they should do so in a separate browser or browser profile, but it is hard for me to find specific info as to all the reasons why. Is it simply because the logged-in website will now have your ID matched/fingerprinted to the specific browser, which it will pass on to all its advertising affiliates? If that is true, then would it be true to say that any browser you want to remain as private as possible should not be used to log into websites owned by privacy-invasive companies?

Apologies in advance if this has been addressed before, but I’m having a hard time finding a clear-cut explanation.

[EDIT: Clarification]

I think this is best explained by an example. I used to work for an analytics company working on a tool that was designed to identify, unmask, and track website visitors. The end goal was for the website/app owner to know exactly who is visiting their website/app, including information such as their full name, social media accounts, email address, phone number, etc. The way some of these tools are built is to fingerprint a user, including their device, browser, and more importantly data which they submit. Once the name is submitted, you can set cookies, session storage, or local storage to continue to identify the user across different websites. If the tool is integrated into 2 websites, it could capture the information about the user on one site and then provide that information to the owner of the other website.

The more information you have on the user, the more accurately you can identify him. If the user wipes their cookies and cache, you could still track him if his fingerprint is incredibly unique. For example, if it is unique out of the 1000 users, it’s highly probable that it’s the same user when you encounter the exact same fingerprint. The more data you collect on the user, the better you can identify him.

Whether you go incognito, use another browser profile, or a new tab doesn’t really matter these days since tracking is no longer done just by cookies alone. For example, if you visit this site https://fingerprint.com using Arkenfox and then Librewolf without any change in IP address, fingerprint.com will identify you as the same person. You can try doing the exact same by opening another tab.

One reason I recommended using SOCKS5 proxies in another topic (Browser Use Cases - #3 by vergeOfNormy) is because a change in your IP address can throw off the analytical tools and you will no longer be identified as the same user.

Feel free to test it yourself.

4 Likes

Thank you, this is helpful info. I went to fingerprint.com using a standard Brave session and an incognito Brave session using the same VPN connection and it gave me different fingerprint results. However, what was able to accurately track me between the two browser sessions was http.james’ Fingerprinting Experiment: https://fpresearch.httpjames.space/. James’ website got all the “No Javascript Test” fingerprints correct and accurately reported my number of visits. Under the Client Fingerprinting test it showed the same Font Hash, but could not get the Client-side hash correct, nevertheless the “Similarity Algorithm” fingerprint was dead-on.

I have been using Mullvad browser quite a bit and your suggestion about using different profiles on the other thread seems like a good idea so I gave it a try with james’ and MB got barely better results than I got with Brave. It got the same fingerprint results as Brave with the “No Javascript Test”, with the exception that the number of times it estimated I visited was way off by several dozen. Under the Client Fingerprinting test it also, like Brave, could not get the client-side hash correct, nor the font hash (which Brave failed at), and the times visited was also different between the two profiles. Nevertheless the Similarity Algorithm fingerprint was dead-on as it was with Brave.

I tried changing my VPN server, but unfortunately it did not have any effect on james’ fingerprinting accuracy.

I will continue experimenting as I find time, but one question regarding Mullvad profiles: is there a way to tell which profile is which when they are running? I don’t see anywhere the profile name appears. On Brave I can simply right-click the icon on the taskbar and the name I gave the profile appears.

Interesting. I tested it on my end and it returned the same for both. Did you visit the site with Brave, then quit Brave, and then reopen the browser with Incognito + Tor, or did you visit the site and then open a second window for incognito+tor mode and go to the site?

> I have been using Mullvad browser quite a bit and your suggestion about using different profiles on the other thread seems like a good idea so I gave it a try with james’ and MB got barely better results than I got with Brave.

The goal of the Mullvad Browser is similar to the Tor Browser, which is supposed to hide you in the crowd. This is why it says “I’ve seen you 160 times” or whatever, because other users have the exact same fingerprint. What you want is to not have a unique fingerprint. If you get the same fingerprint as others, that’s a good thing and not a bad thing.

> I will continue experimenting as I find time, but one question regarding Mullvad profiles: is there a way to tell which profile is which when they are running? I don’t see anywhere the profile name appears. On Brave I can simply right-click the icon on the taskbar and the name I gave the profile appears.

Not that I know of. If you’re using Firefox you could install different themes to tell them apart. It’s something that mildly annoys me as well.

Personally, I’m a bit biased against Brave, since I’m not a fan of everything already being built-in. However, I also have rather unique use cases that often require highly customized configurations, which is why I use customized versions of Arkenfox and typically with JS disabled. Brave is better than using Chrome from a privacy standpoint, but if you encounter a higher threat model, then it’s likely not something you’d want to use. In a nutshell, it depends on what you’re doing and how paranoid you either are or have to be.

Edit: Regarding the JS fingerprinting, this is the reason why if you are using the Tor Browser or I2P you should always disable JS, ideally in the about:config. As soon as you enable JS, it becomes a whole lot easier to fingerprint you.
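
The uniqueness argument from this thread (a fingerprint that is one of a kind among 1000 visitors versus one shared with a crowd, as with Mullvad or Tor Browser), worked through as an added Python example that is not part of the original posts. The attribute names, browser labels and the 1000-visitor population are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Attributes a site can read without cookies. All names and values are constructed.
ATTRS = ("user_agent", "timezone", "screen", "fonts", "language")

UNIFORM = {"user_agent": "UniformBrowser/1.0", "timezone": "UTC",
           "screen": "1400x900", "fonts": "bundled", "language": "en-US"}
CUSTOM = {"user_agent": "Mainstream/1.0", "timezone": "Europe/Vienna",
          "screen": "1537x871", "fonts": "custom-set", "language": "de-AT"}

def fingerprint(visitor):
    """Hash the observable attributes; cookies and storage play no part."""
    material = "|".join(str(visitor[a]) for a in ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def build_population():
    """1000 constructed visitors: 160 uniform, 839 mainstream, 1 customised."""
    zones = ["UTC", "Europe/Berlin", "America/New_York", "Asia/Tokyo"]
    screens = ["1920x1080", "1366x768", "2560x1440"]
    mainstream = [{"user_agent": "Mainstream/1.0", "timezone": zones[i % 4],
                   "screen": screens[i % 3], "fonts": f"set-{i % 40}",
                   "language": "en-US"} for i in range(839)]
    return [dict(UNIFORM) for _ in range(160)] + mainstream + [dict(CUSTOM)]

def anonymity_report(population, visitor):
    """Size of the crowd sharing this fingerprint, and its surprisal in bits."""
    counts = Counter(fingerprint(v) for v in population)
    shared = counts[fingerprint(visitor)]
    if shared == 0:
        raise ValueError("visitor is not part of the population")
    bits = -math.log2(shared / len(population))
    return {"anonymity_set": shared, "bits": round(bits, 2)}

if __name__ == "__main__":
    pop = build_population()
    print("uniform   :", anonymity_report(pop, UNIFORM))
    print("customised:", anonymity_report(pop, CUSTOM))
    # Clearing cookies changes nothing the hash depends on.
    cleared = {**CUSTOM, "cookie": None}
    print("same after cookie wipe:", fingerprint(cleared) == fingerprint(CUSTOM))
```

A larger anonymity set (fewer bits) means the fingerprint alone cannot single out one visitor, which is why a shared fingerprint is the desired result for a uniform browser.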

I just visited the site and opened an incognito (no tor) session.

And thanks for the disabling JS advice. I will seek to do that when I want to maximize privacy in Mullvad. Haven’t tried Librewolf or Arkenfox, but plan to soon. On my phone I’m running GOS so I have been using Vanadium for private surfing, but doing a check at james’ just now and after refreshing the standard and incognito windows a few times it was able to identify me across standard/incognito. But I suppose this is because there is no one visiting james’ site at this particular moment in time from my particular IP address who is using Vanadium.

So would it be correct to say that conducting a fingerprint test this way is going to give skewed results in favor of a positive fingerprint due to the nature of the test and repeatedly refreshing the standard/incognito browser sessions?