The paper investigates the degree to which modern web browsers can be identified through "device fingerprinting," specifically by collecting and analyzing fingerprinting data from a large sample of browsers visiting the test site [panopticlick.eff.org]. The authors implemented a fingerprinting algorithm and found that the distribution of these fingerprints contains at least 18.1 bits of entropy, meaning that only one in 286,777 browsers is likely to share the same fingerprint. Among browsers supporting Flash or Java, the situation is worse, with an average of 18.8 bits of identifying information, and 94.2% of such browsers were unique. The study also observed how quickly browser fingerprints change over time. Among returning visitors who accepted cookies, 37.4% exhibited at least one fingerprint change. However, a simple heuristic algorithm was able to correctly guess the "progenitor" fingerprint in 99.1% of cases, with a false positive rate of only 0.86%. The paper discusses the privacy threats posed by browser fingerprinting and potential countermeasures. It highlights a trade-off between protection against fingerprintability and debuggability, noting that anti-fingerprinting technologies can be self-defeating if not widely adopted. The authors recommend that policymakers treat fingerprintable records as potentially personally identifiable and set limits on their association with sensitive data. They also suggest that browser developers should reduce fingerprintability, especially at the JavaScript API level.The paper investigates the degree to which modern web browsers can be identified through "device fingerprinting," specifically by collecting and analyzing fingerprinting data from a large sample of browsers visiting the test site [panopticlick.eff.org]. The authors implemented a fingerprinting algorithm and found that the distribution of these fingerprints contains at least 18.1 bits of entropy, meaning that only one in 286,777 browsers is likely to share the same fingerprint. Among browsers supporting Flash or Java, the situation is worse, with an average of 18.8 bits of identifying information, and 94.2% of such browsers were unique. The study also observed how quickly browser fingerprints change over time. Among returning visitors who accepted cookies, 37.4% exhibited at least one fingerprint change. However, a simple heuristic algorithm was able to correctly guess the "progenitor" fingerprint in 99.1% of cases, with a false positive rate of only 0.86%. The paper discusses the privacy threats posed by browser fingerprinting and potential countermeasures. It highlights a trade-off between protection against fingerprintability and debuggability, noting that anti-fingerprinting technologies can be self-defeating if not widely adopted. The authors recommend that policymakers treat fingerprintable records as potentially personally identifiable and set limits on their association with sensitive data. They also suggest that browser developers should reduce fingerprintability, especially at the JavaScript API level.