You are even known by the way the system draws emojis. Welcome to the world of total surveillance.
While users quietly open sites in Google Chrome, dozens of hidden mechanisms are already collecting detailed files about them. And we are not talking about theoretical attacks from scientific works, but about real tools that work right now and are used on millions of sites.
The author of a large technical review has collected almost a complete list of browser vulnerabilities on the client side. The main conclusion sounds unpleasant: Chrome almost does not protect against hidden tracking, and many methods allow you to learn more about the user than he knows about his device.
One of the most common ways is the so-called “browser fingerprint”. The site draws a hidden image through graphical interfaces and then analyzes the result. Different video cards, operating systems and even small features of rendering give a unique picture. This method is used by about 12.7% of popular sites. Chrome does not interfere with such checks.
Other technologies also work in a similar way. Through WebRTC, sites learn the IP addresses of users, through WebGL – video card data, through WebGPU – the characteristics of the device, through the audio system – how it processes the sound. Even a list of installed fonts, interface languages and screen parameters are folded into a unique user profile. Individual methods reach the point of absurdity: analyze how the system displays emoji or what voices are available in the synthesis of speech.
There are also more direct leaks. The keyboard API issues a layout. Motion sensors can transmit the characteristics of a particular device. Even simple CSS-quituges allow you to collect dozens of characteristics and send them to the server.
However, there is almost no built-in protection. Other browsers have already developed mechanisms that specifically distort or restrict access to them. In Chrome, such measures were practically not implemented, and Privacy Sandbox, which was supposed to solve the problem, was closed in 2025.
A separate story is tracking through data storage. Cookies still work in full, including third-party cookies. Despite many years of promises to abandon them, the browser continues to support the old model. Sites record identifiers and then use them to track users between different resources.
Even if you delete cookies, there are other ways. LocalStorage and IndexedDB store data for years, the cache may act as a “super-cookie”, and HTTP headers like ETag allow you to recognize the user without any JavaScript. There are more cunning schemes: sites are redirected through intermediate resources, add identifiers to links, mask trackers for “their” domains through DNS.
Particularly dangerous is the so-called CNAME-masking. In this case, the third-party service looks like a part of the site, and the browser sends it even service cookies. Chrome does not block such schemes and does not give extensions of tools for full verification.
Despite all this, the user does not remain completely defenseless. The author describes how to detect such techniques through the extension of the browser with advanced rights. Such an extension can intercept function calls, track network queries, and analyze data storage. The limit is one: methods at the network protocol level, such as TLS fingerprints, remain invisible.
The general conclusion looks tough. Chrome almost does not prevent the collection of digital fingerprints, does not limit surveillance inside sites and does not close complex camouflage schemes. At the same time, the methods themselves have long gone beyond the theory and are used in the real network every day. To understand exactly how surveillance works is the only way to somehow confront it.
While users quietly open sites in Google Chrome, dozens of hidden mechanisms are already collecting detailed files about them. And we are not talking about theoretical attacks from scientific works, but about real tools that work right now and are used on millions of sites.
The author of a large technical review has collected almost a complete list of browser vulnerabilities on the client side. The main conclusion sounds unpleasant: Chrome almost does not protect against hidden tracking, and many methods allow you to learn more about the user than he knows about his device.
One of the most common ways is the so-called “browser fingerprint”. The site draws a hidden image through graphical interfaces and then analyzes the result. Different video cards, operating systems and even small features of rendering give a unique picture. This method is used by about 12.7% of popular sites. Chrome does not interfere with such checks.
Other technologies also work in a similar way. Through WebRTC, sites learn the IP addresses of users, through WebGL – video card data, through WebGPU – the characteristics of the device, through the audio system – how it processes the sound. Even a list of installed fonts, interface languages and screen parameters are folded into a unique user profile. Individual methods reach the point of absurdity: analyze how the system displays emoji or what voices are available in the synthesis of speech.
There are also more direct leaks. The keyboard API issues a layout. Motion sensors can transmit the characteristics of a particular device. Even simple CSS-quituges allow you to collect dozens of characteristics and send them to the server.
However, there is almost no built-in protection. Other browsers have already developed mechanisms that specifically distort or restrict access to them. In Chrome, such measures were practically not implemented, and Privacy Sandbox, which was supposed to solve the problem, was closed in 2025.
A separate story is tracking through data storage. Cookies still work in full, including third-party cookies. Despite many years of promises to abandon them, the browser continues to support the old model. Sites record identifiers and then use them to track users between different resources.
Even if you delete cookies, there are other ways. LocalStorage and IndexedDB store data for years, the cache may act as a “super-cookie”, and HTTP headers like ETag allow you to recognize the user without any JavaScript. There are more cunning schemes: sites are redirected through intermediate resources, add identifiers to links, mask trackers for “their” domains through DNS.
Particularly dangerous is the so-called CNAME-masking. In this case, the third-party service looks like a part of the site, and the browser sends it even service cookies. Chrome does not block such schemes and does not give extensions of tools for full verification.
Despite all this, the user does not remain completely defenseless. The author describes how to detect such techniques through the extension of the browser with advanced rights. Such an extension can intercept function calls, track network queries, and analyze data storage. The limit is one: methods at the network protocol level, such as TLS fingerprints, remain invisible.
The general conclusion looks tough. Chrome almost does not prevent the collection of digital fingerprints, does not limit surveillance inside sites and does not close complex camouflage schemes. At the same time, the methods themselves have long gone beyond the theory and are used in the real network every day. To understand exactly how surveillance works is the only way to somehow confront it.
