The Collapse of Browser Privacy

Chrome's Manifest V3 migration sounded technical. For most people, it was invisible. For privacy-conscious users, it was a catastrophe.

In January 2024, Chrome began disabling Manifest V2—the API that powered ad blockers, tracker blockers, and privacy extensions for over a decade. The replacement, Manifest V3 (MV3), removed the webRequest API that made comprehensive blocking possible. By November 2024, Manifest V2 was gone entirely.

The damage: Ad blockers lost 60–70% of their blocking capability. uBlock Origin, the gold standard, went from blocking 113,000+ tracking domains and ads to struggling with 30–40% of the traffic it once caught. Users reinstalled extensions and got dramatically less protection—without realizing it.

This wasn't a bug. It was intentional.

Why Google Did This (And Why It Matters)

webRequest was powerful because it was total. An extension could inspect every HTTP request, modify headers, block URLs, log data—complete visibility and control. Google's justification for removal: privacy protection. The real reason: revenue protection.

webRequest exposed a problem for Google's ad business: extensions could see everything. They could block ads before Google made money from them. They could intercept tracking pixels. They could prevent behavioral profiling. An extension with webRequest access is a privacy nuclear option.

Google's solution: declarativeNetRequest (DNR). Instead of "inspect every request and decide," it's "pre-declare rules, the browser applies them." Declarative means:

The result: Powerful blocking became impossible. Sophisticated trackers adapted. Web fingerprinting—identifying users without cookies—exploded to fill the gap.
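To make "pre-declare rules, the browser applies them" concrete, here is an added example (not code from this page or from any extension) that models how declarative rules are evaluated. The rule objects follow the declarativeNetRequest rule shape; the matcher handles only part of the `urlFilter` syntax, and all hostnames and requests are constructed placeholders.

```javascript
// Added example: a simplified model of declarative rule evaluation.
// Rule objects use the declarativeNetRequest rule shape; hostnames are placeholders.
const RULES = [
  { id: 1, priority: 1, action: { type: 'block' },
    condition: { urlFilter: '||tracker.example^', resourceTypes: ['script', 'image'] } },
  { id: 2, priority: 1, action: { type: 'block' },
    condition: { urlFilter: '/analytics/events', resourceTypes: ['xmlhttprequest'] } },
  { id: 3, priority: 2, action: { type: 'allow' },
    condition: { urlFilter: '||tracker.example/consent.js', resourceTypes: ['script'] } },
];

// Tie-break between matching rules of equal priority (lower rank wins).
const ACTION_RANK = { allow: 0, allowAllRequests: 1, block: 2, upgradeScheme: 3, redirect: 4 };

// Translate a subset of urlFilter syntax (||, |, *, ^) into a RegExp.
function urlFilterToRegExp(filter) {
  let prefix = '', suffix = '', body = filter;
  if (body.startsWith('||')) {          // domain anchor: scheme plus optional subdomains
    prefix = '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    body = body.slice(2);
  } else if (body.startsWith('|')) { prefix = '^'; body = body.slice(1); }  // left anchor
  if (body.endsWith('|')) { suffix = '$'; body = body.slice(0, -1); }       // right anchor
  const middle = [...body].map((ch) => {
    if (ch === '*') return '.*';                        // wildcard
    if (ch === '^') return '(?:[^A-Za-z0-9_.%-]|$)';    // separator or end of URL
    return ch.replace(/[.+?$(){}|[\]\\]/, '\\$&');      // escape regex metacharacters
  }).join('');
  return new RegExp(prefix + middle + suffix, 'i');
}

// The only inputs are the request URL and resource type, never the response body.
function decide(rules, request) {
  const hits = rules.filter(({ condition }) =>
    condition.resourceTypes.includes(request.type) &&
    urlFilterToRegExp(condition.urlFilter).test(request.url));
  hits.sort((a, b) => (b.priority - a.priority) ||
    (ACTION_RANK[a.action.type] - ACTION_RANK[b.action.type]));
  return hits.length ? hits[0].action.type : 'none';
}

const REQUESTS = [ // constructed sample traffic
  { url: 'https://cdn.tracker.example/pixel.gif', type: 'image' },
  { url: 'https://tracker.example/consent.js', type: 'script' },
  { url: 'https://shop.example/analytics/events', type: 'xmlhttprequest' },
  { url: 'https://shop.example/static/app.js', type: 'script' }, // first-party bundle
];
console.log(REQUESTS.map((r) => `${decide(RULES, r)}  ${r.url}`).join('\n'));
```

The last request matches no rule: a first-party script is judged by its URL and type alone, so whatever it does after loading is outside what this layer can see.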

How Modern Trackers Survived MV3

When cookies started dying, the ad industry pivoted to browser fingerprinting—reconstructing user identity from behavioral and hardware signals.

Your browser leaks:

  1. GPU Model — Every browser's WebGL implementation exposes GPU type (NVIDIA, AMD, Intel integrated, Apple silicon). Combined with OS and screen resolution, this is ~99% identifying.
  2. AudioContext fingerprint — The Web Audio API generates a unique ID based on your audio hardware. Even across incognito windows, the ID remains constant.
  3. Canvas fingerprint — Draw text to a hidden canvas, read the pixels. Anti-aliasing differs by OS, browser, font rasterizer—another 90%+ identifying signal.
  4. User-Agent strings — Browser, OS, version. Publicly available, universally collected.
  5. Timing side-channels — How fast your CPU executes code. Measurable with millisecond precision.

Stack these together, and sites can identify you with 99.9% confidence—without a single cookie. Ad blockers and tracker blockers miss all of this. They target network requests. Hardware fingerprinting happens in JavaScript, client-side, after the extension has already decided the request is "safe."

Google, Meta, and Amazon already use this. It's why you see ads following you even with ad blockers enabled.

What Actually Fixes It

There are three layers of defense:

Layer 1: Network Blocking (DNR)
Block requests before they load. Declarative rules work here. uBlock Origin, Ghostery, Privacy Badger—all excellent for catching 40% of tracking infrastructure. But only 40%.

Layer 2: Behavioral Blocking (JavaScript Injection)
Spoof canvas fingerprints, fake WebGL responses, lie about screen dimensions. This requires runtime code injection—modifying the DOM and JavaScript context. Some extensions do this. It works, but it's CPU-intensive and breaks legitimate sites.
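As an added example of the runtime injection this layer relies on (not code from this page or from any extension), the wrapper below observes canvas drawing and readback and flags the pattern used for fingerprinting. The heuristic, the `instrumentCanvas` name, and the stub classes that let it run outside a browser are assumptions of this example.

```javascript
// Added example: wrap canvas drawing and readback to flag likely fingerprint probes.
// Heuristic (assumption of this example): text was drawn on a canvas that is not
// attached to the document, and its pixels are then read back.
function instrumentCanvas(canvasProto, contextProto, report) {
  const drewText = new WeakSet();   // canvases that had text rendered on them
  const origFillText = contextProto.fillText;
  const origToDataURL = canvasProto.toDataURL;
  contextProto.fillText = function (...args) {
    drewText.add(this.canvas);
    return origFillText.apply(this, args);
  };
  canvasProto.toDataURL = function (...args) {
    const suspicious = drewText.has(this) && !this.isConnected;
    report({ api: 'toDataURL', size: `${this.width}x${this.height}`, suspicious });
    return origToDataURL.apply(this, args);  // result is unchanged; this only observes
  };
  return function restore() {
    contextProto.fillText = origFillText;
    canvasProto.toDataURL = origToDataURL;
  };
}

// Minimal stand-ins so the example runs outside a browser (constructed, not real DOM).
class StubContext {
  constructor(canvas) { this.canvas = canvas; }
  fillText() {}
}
class StubCanvas {
  constructor(isConnected) { this.width = 300; this.height = 150; this.isConnected = isConnected; }
  getContext() { return new StubContext(this); }
  toDataURL() { return 'data:,'; }
}

function demo() {
  const events = [];
  const restore = instrumentCanvas(StubCanvas.prototype, StubContext.prototype, (e) => events.push(e));
  const hidden = new StubCanvas(false);          // never added to the page
  hidden.getContext('2d').fillText('Browser Fingerprint Test', 10, 20);
  hidden.toDataURL();
  const chart = new StubCanvas(true);            // visible canvas, e.g. a chart export
  chart.getContext('2d').fillText('Q3 revenue', 10, 20);
  chart.toDataURL();
  restore();
  return events.map((e) => e.suspicious);
}
console.log(demo());
```

In a browser the same function would be called with `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` from a script running in the page's main world before site scripts execute. Limiting the flag to detached canvases is what keeps visible, legitimate canvas use from being reported.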

Layer 3: Hardware Blocking (System-Level Access)
The layer no extension previously touched: actual hardware access. Block the browser from accessing:

This requires system-level integration with the browser—not possible in the legacy webRequest era, and still rare in the MV3 era because it requires deeper integration with Chromium than most extensions attempt.

Aran Shield does all three.

The Technical Reality

Here's what your browser does when you visit most websites:

// Network layer (blocked by ad blockers)
// GET /api/track?user=x&session=y&click=z    -> blocked
// POST /analytics/events                     -> blocked

// JavaScript fingerprinting layer
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.fillText("Browser Fingerprint Test", 10, 20);
const fingerprint = canvas.toDataURL();    // sent to ad network
// Most blockers miss this

// Hardware access layer
navigator.mediaDevices.getUserMedia({video: true})
  .then(stream => {
    // Video stream obtained
    // Used for hardware profiling
  });
// No extension permission exists for this in stock browsers

Aran Shield blocks the hardware access before the JavaScript ever executes.

Why This Matters Now

uBlock Origin and other DNR-only extensions are losing ground. Sites adapt faster than filter lists update. Tracking has become layered—if one layer fails, three others work. Meta and Google have published research on fingerprinting resistance; they're not relying on cookies anymore.

The browser is not going to protect you. Chrome's incentives are aligned with tracking, not blocking. Firefox is better, but it still has the same JavaScript fingerprinting vectors.

The last line of defense is your extension. And it needs to be comprehensive.

For a practical guide to stopping fingerprinting — Canvas, WebGL, AudioContext, and more — see our browser fingerprinting defense guide.

