Tuesday, June 24, 2025
Latest:
The Register

‘Psylo’ browser tries to obscure digital fingerprints by giving every tab its own IP address

TH Author

Psylo, which bills itself as a new kind of private web browser, debuted last Tuesday in Apple’s App Store, one day ahead of a report warning about the widespread use of browser fingerprinting for ad tracking and targeting.

It was a fortuitous coincidence.

Psylo for iOS and iPadOS was created by Mysk, a Canada-based app biz run by software developers and security researchers Talal Haj Bakry and Tommy Mysk.

“Psylo stands out as it is the only WebKit-based iOS browser that truly isolates tabs,” Tommy Mysk told The Register. “It’s not only about separate storage and cookies. Psylo goes beyond that.

“This is why we call tabs ‘silos.’ It applies unique anti-fingerprinting measures per silo, such as canvas randomization. This way two Psylo tabs opening the same website would appear as though they originated on two different devices to the opened website.”

“Browser fingerprinting” sees developers use APIs in native apps and web browsers to gather information about netizens’ hardware and software configurations. The technique makes it possible to gather info on users’ screen resolution, operating system, plus browser type and version.

Marketers who analyze that info can create a reasonably accurate description of a user – their “fingerprint”. It’s worth the effort because a fingerprint is a more robust alternative than less constant identifiers, such as IP addresses and the values written to cookies.

The Electronic Frontier Foundation released a paper [PDF] back in 2010 that called out risks associated with browser fingerprinting. Since then, browser API developers have tried to make fingerprinting more difficult, even as others have developed libraries to simplify online fingerprinting, notionally for legitimate purposes like fighting fraud.

The latest word on the subject comes from researchers at Texas A&M University. Last week, computer scientists Zengrui Liu, Jimmy Dani, Yinzhi Cao, Shujiang Wu, and Nitesh Saxena published a report titled, “The First Early Evidence of the Use of Browser Fingerprinting for Online Tracking.”

Prior research, the authors claim, has shown that website publishers run fingerprinting scripts, but did not establish whether the scripts are used for privacy-invasive online tracking, or for less controversial reasons like bot detection.

The researchers contend they have established that link, based on their analysis of bids in online ad auctions.

“Our large-scale study reveals strong evidence of browser fingerprinting for ad tracking and targeting, shown by bid value disparities and reduced HTTP records after fingerprinting changes,” the paper claims. “We also show fingerprinting can bypass GDPR/CCPA opt-outs, enabling privacy-invasive tracking.”

To further complicate matters, some of these same researchers have shown that browser fingerprints can be copied and spoofed. In other words, an attacker might be able to impersonate your browser fingerprint to make it look as if you visited a website you’ve never read.

Enter Psylo, which Bakry and Mysk describe in a blog post as an attempt to address native app fingerprinting using software development kits, or libraries that developers add to their apps.

Apple, they observe, has tried to make it harder to create fingerprints by introducing privacy measures like App Tracking Transparency in iOS 14, App Store Privacy Nutrition Labels, and Privacy Manifests, along with limitations on using APIs for tracking. Nonetheless, they say, ad tech firms have developed workarounds.

Psylo, as Tommy Mysk explained, isolates browser tabs into silos, where it can apply anti-fingerprinting mechanisms.

The browser-maker also relies on its own Mysk Private Proxy Network to mask the IP address of each silo.

“We designed the system so that the network traffic is always transferred in encrypted channels,” said Mysk. “An attacker intercepting Psylo traffic at any point will only see encrypted data. Psylo uses encrypted TLS channels for communication and it blocks plain-text HTTP traffic. We can’t read the data that our users send and receive.”

The company claims Psylo therefore offers better privacy than a VPN because the virtual networks mask the user’s IP address but generally don’t alter the data used for fingerprinting. Psylo, for example, will adjust the browser’s time zone and browser language to match the geolocation of each proxy, resulting in more entropy that means fingerprints created by gathering data from silos will appear to be different.

The Mysk devs’ post states that some privacy-focused browsers like Brave also implement anti-fingerprinting measures like canvas randomization, but those are more effective on the desktop macOS app due to Apple’s iOS restrictions. They claim that they were able to achieve better results on iOS by using a client-side JavaScript solution.

Mysk designed Psylo to minimize the information available to its maker. It doesn’t log personally identifiable information or browsing data that the curious could use to identify the user, the company claims, noting that it also doesn’t have customer payment information, which is handled by Apple.

There are no user accounts, only randomized identifiers to indicate active subscriptions.

According to Tommy Mysk, the only subscriber data kept is bandwidth usage, which is necessary to prevent abuse.

“We aggregate bandwidth usage based on a randomly generated ID that is created when a subscription is made,” Mysk said. “The randomly generated ID is associated with the Apple subscription transaction. Apple doesn’t share the identity of users making App Store purchases with developers.”

Asked whether Apple could identify users, Mysk said, “Theoretically and given a court order, Apple can figure out the randomly generated ID of the user in question. If we were to hand out the data associated with the randomly generated ID, it would only be the bandwidth usage of that user in the current month, and two months in the past. Older data is automatically deleted.

“We don’t associate any identifiable information with the randomly generated ID. We don’t store IP addresses at all in every component of our system. We don’t store websites visited by our users at all.”

Psylo is available for iOS and iPadOS. Mysk, the company, could create an Android version if the iOS/iPadOS version proves popular.

In the US, Psylo costs $9.99 per month or $99 per year. That’s the price of privacy. ®

READ MORE HERE