Which Signals Survive Browser Updates? A Stability Analysis

Browser updates are the natural enemy of device fingerprinting. Every 4-6 weeks, Chrome, Firefox, and Safari push new versions that can alter signal values — changing user-agent strings, modifying rendering behavior, adding or removing APIs. As noted in the W3C Fingerprinting Guidance, browsers are actively working to limit fingerprintable surface area. For fingerprinting systems that treat all signals equally, each update is a potential identity break for millions of visitors.

We ran a comprehensive stability analysis across 50 browser updates to answer the fundamental question: which signals can you rely on, and which ones will betray you?

Methodology

We instrumented 200 physical devices across 5 operating systems (Windows 10, Windows 11, macOS Ventura, macOS Sonoma, Ubuntu 22.04) and 3 browsers (Chrome, Firefox, Safari). Each device ran automated signal collection daily for 14 months, covering 50 major browser version updates: 24 Chrome releases, 16 Firefox releases, and 10 Safari releases.

For each signal, we tracked: how often the value changed, whether the change correlated with a browser update or external factor (driver update, OS patch), and the magnitude of the change (complete value replacement vs. minor variation).

The Stability Tiers

Tier 1: Rock Solid (99.5%+ stability)

These signals changed only when physical hardware changed or drivers were updated — never due to browser updates alone.

Hardware Concurrency (navigator.hardwareConcurrency): 99.97% stable. Changed only on 1 device that had a BIOS update affecting hyperthreading. Device Memory (navigator.deviceMemory): 99.98% stable. One device was upgraded from 8GB to 16GB during the study. Screen Resolution and Color Depth: 99.92% stable. Changes correlated with monitor swaps and docking station events. WebGL Max Texture Size: 99.99% stable. Zero browser-related changes. Changed once on a device that received an NVIDIA driver update. Audio Sample Rate: 100% stable. Zero changes across all 200 devices and 50 updates. This is the single most stable signal we track.

Tier 2: Mostly Stable (95-99.5%)

These signals occasionally change with browser updates but remain stable across most releases.

Canvas 2D Fingerprint: 97.8% stable. Changes occurred in Chrome 118 (font rendering engine update), Chrome 122 (sub-pixel anti-aliasing change), and Firefox 121 (text shaping update). Each change affected all devices on that browser simultaneously — a detectable pattern we handle with browser-version-aware matching. WebGL Renderer String: 98.1% stable. Chrome occasionally reformats the ANGLE wrapper string. The underlying GPU information is unchanged, but the string representation shifts. We parse the GPU model from the string rather than hashing the string directly. Font List: 96.4% stable. OS updates occasionally add or remove system fonts. Browser updates rarely affect font enumeration, but Chrome 120 changed the order in which fonts are reported, which broke hash-based font fingerprinting. We use set-based comparison (set similarity) instead of ordered hashing.

Tier 3: Moderate Stability (80-95%)

These signals change with meaningful frequency but still provide useful identification value between changes.

Installed Plugins: 89.2% stable. Chrome's continued reduction of the plugins array (navigator.plugins) removed plugin visibility entirely in some contexts. Firefox maintained plugin enumeration. Safari restricted it to a standard set. CSS Feature Detection: 91.7% stable. New CSS features are added with each browser release, which changes the set of features detected by our CSS probing. We weight new features lower than established ones to reduce the impact. Touch Support: 93.1% stable. Desktop browsers occasionally change their reported touch support when Chrome adjusts its device emulation detection.

Tier 4: Volatile (<80%)

These signals change frequently and should never be primary identification anchors.

User Agent String: 42.3% stable. Chrome's User-Agent reduction initiative changed the string format multiple times. Firefox updates the version number with every release. Safari modifies the WebKit version string regularly. This used to be the backbone of simple fingerprinting systems — those systems are now broken. Connection Type (navigator.connection): 68.4% stable. Changes with network switching (WiFi to cellular, different WiFi networks). Battery API: 71.2% stable. Varies with charge state and browser API availability. Chrome restricted Battery API access in some contexts. Available Screen Area: 76.8% stable. Changes with taskbar visibility, window management, and display scaling adjustments.

Cross-Browser Comparison

Chrome is the most volatile browser for fingerprinting stability. Google actively works to reduce fingerprintability, which means Chrome updates break more signals than Firefox or Safari updates. Over our study period:

Chrome caused signal changes in 3.2% of collection sessions. Firefox caused signal changes in 1.8% of collection sessions. Safari caused signal changes in 1.1% of collection sessions.

Safari's lower volatility is partly because Apple ships fewer releases per year and partly because Safari's fingerprinting countermeasures (Intelligent Tracking Prevention) operate at the network level rather than changing API return values.

Practical Recommendations

Based on this analysis, we make five recommendations for production fingerprinting systems:

Never use user-agent as an identification anchor. It is the least stable distinctive signal. Use it for browser detection and Tier 3 confidence scoring only.

Separate hardware signals from software signals. Hardware signals (GPU, screen, audio) are 40x more stable than software signals (user agent, plugins, CSS features). Weight them accordingly.

Use set-based comparison for enumerable signals. Font lists, plugin lists, and feature detection results should be compared using set similarity or similar set-distance metrics, not ordered hashing. Order changes are common; content changes are rare.

Implement browser-version-aware matching. When Chrome 118 changes canvas rendering for all Chrome users simultaneously, your system should recognize this as a browser update, not a mass identity break. Track browser versions and apply version-specific matching tolerances.

Monitor signal stability continuously. Our stability percentages are based on historical data. Future browser updates may change the stability profile of any signal. We run continuous monitoring and automatically adjust signal weights when stability changes.

Impact on tracio.ai

Our V3 multi-tier identification architecture directly reflects this stability analysis. Tier 1 signals (hardware) carry 60% weight. Tier 2 signals (rendering, fonts) carry 30% weight. Tier 3 signals (browser metadata, connection) carry 10% weight. This weighting ensures that the most stable signals drive identification, while volatile signals contribute to confidence scoring without causing identity breaks.

The result: 99.5% identification stability across 50 browser updates, versus 69% for systems using flat hash-based fingerprinting. The difference is not algorithmic cleverness — it is empirical signal analysis applied to architectural decisions.