How Streaming Sites Track You Even with VPNs and Private Browsing

• Privacy, Security

Research findings on how DRM implementations expose hardware-level identifiers for potential cross-site tracking.

How This Was Discovered

Security researchers recently found that the copy protection software built into browsers (Google's Widevine Content Decryption Module, or CDM, loaded through the Encrypted Media Extensions API) secretly collects information about your computer's hardware. This creates a unique "fingerprint" that can identify your specific device.

The key problem: unlike cookies or browsing history, which you can delete, this fingerprint is collected by closed-source software (the CDM) that runs below the browser's normal data layer. A VPN, private browsing, and clearing your data won't stop it, because those controls only cover the browser's own storage and network path, and the CDM bypasses all of them.

Here's what happens behind the scenes when you watch Netflix or YouTube:

    // Minimal configuration a streaming site might request (added so the snippet runs as-is)
    const config = [{
      initDataTypes: ['cenc'],
      audioCapabilities: [{ contentType: 'audio/mp4;codecs="mp4a.40.2"' }]
    }];

    navigator.requestMediaKeySystemAccess('com.widevine.alpha', config)
      .then(keySystemAccess => {
        // Initializing the CDM is the step that exposes hardware security module details:
        // GPU info, firmware versions, crypto certificates
        return keySystemAccess.createMediaKeys();
      });

What Gets Tracked

The EME fingerprint includes hardware details that survive privacy measures:

  • Hardware Security Module (HSM) identifiers
  • DRM certificate chains (device-specific)
  • GPU model and driver versions
  • Secure processor firmware signatures
  • Codec support matrix

This creates a persistent identifier stored in secure hardware that regular browser data clearing can't touch.

Privacy Implications

The same hardware fingerprint appears across different contexts:

  1. Netflix streaming session
  2. YouTube in incognito mode
  3. Spotify in a different browser

This creates potential for cross-site correlation since the identifier persists regardless of privacy settings or browser choice.

Checking EME Status

See if EME is enabled in your browser:

    # Firefox
    about:config → media.eme.enabled

    # Chrome
    chrome://settings → Privacy and security → Site Settings → Additional content settings

Test if EME triggers hardware fingerprinting:

    // Simple test - hardware fingerprinting happens inside the CDM, not visible here
    navigator.requestMediaKeySystemAccess('com.widevine.alpha', [{
      initDataTypes: ['cenc'],
      audioCapabilities: [{ contentType: 'audio/mp4;codecs="mp4a.40.2"' }]
    }]).then(access => {
      console.log('EME available - CDM collects hardware fingerprint internally');
      return access.createMediaKeys();
    }).then(keys => {
      console.log('MediaKeys created - device fingerprinted by CDM');
    }).catch(e => console.log('Error:', e.name, '- EME may not be fully available'));

Run this script from the developer console on Netflix or YouTube: it confirms that the CDM is available and gets initialized, which is the point at which the DRM fingerprinting described above takes place.
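As an added example (not part of the original post), the same probe extended across several key systems and codec configurations. It shows the part of the EME surface that page script can actually observe, the codec support matrix listed above, as opposed to what the CDM holds internally. The request function is injected so the block also runs offline against a constructed stub; in a browser it would be navigator.requestMediaKeySystemAccess.

```javascript
// Enumerate the EME capability surface visible to ordinary page script:
// which (key system, codec configuration) pairs the browser + CDM accept.
// The CDM's internal hardware data is NOT visible here; the pattern of
// successes and failures is, and it does not change with VPN or incognito.

const KEY_SYSTEMS = ['com.widevine.alpha', 'org.w3.clearkey', 'com.microsoft.playready'];

// Assumed, representative probes; real sites request many more combinations.
const PROBE_CONFIGS = [
  { label: 'aac',  config: { initDataTypes: ['cenc'],
      audioCapabilities: [{ contentType: 'audio/mp4;codecs="mp4a.40.2"' }] } },
  { label: 'h264', config: { initDataTypes: ['cenc'],
      videoCapabilities: [{ contentType: 'video/mp4;codecs="avc1.42E01E"' }] } },
  { label: 'vp9',  config: { initDataTypes: ['webm'],
      videoCapabilities: [{ contentType: 'video/webm;codecs="vp9"' }] } },
];

// `requestAccess(keySystem, configs)` must return a Promise that resolves when the
// combination is supported and rejects (NotSupportedError) otherwise. In a browser:
//   (ks, cfgs) => navigator.requestMediaKeySystemAccess(ks, cfgs)
// Returns [{ keySystem, label, supported }] in a fixed, stable order.
async function probeEmeSurface(requestAccess, keySystems = KEY_SYSTEMS, probes = PROBE_CONFIGS) {
  const results = [];
  for (const keySystem of keySystems) {
    for (const { label, config } of probes) {
      let supported = false;
      try {
        await requestAccess(keySystem, [config]); // resolves only if UA + CDM accept it
        supported = true;
      } catch (e) {
        supported = false; // NotSupportedError, or EME absent entirely
      }
      results.push({ keySystem, label, supported });
    }
  }
  return results;
}

// Collapse the matrix into a bit string such as "110111000". Because it is derived
// from installed CDMs and codecs rather than site data, clearing storage leaves it intact.
function supportBits(results) {
  return results.map(r => (r.supported ? '1' : '0')).join('');
}

// Browser usage (not run offline):
//   probeEmeSurface((ks, cfgs) => navigator.requestMediaKeySystemAccess(ks, cfgs))
//     .then(r => console.log(supportBits(r), r));
```

Comparing the bit string across a normal window, a private window and a VPN session is the simplest way to see for yourself that none of those settings change it.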

Mitigation Options

Limited options, all with trade-offs:

Disable EME completely:

# Firefox: Set media.eme.enabled = false
# Chrome: Not possible to fully disable

Breaks all streaming services (Netflix, Spotify, YouTube Premium).

Separate devices:

  • Dedicated streaming device (Roku, Apple TV)
  • Different laptop for entertainment vs work
  • Virtual machines (may not support EME)

Technical Considerations

EME requires device attestation for content protection, which inherently exposes hardware characteristics. This is a fundamental tension between DRM functionality and privacy.

Privacy-conscious users should understand this trade-off when using DRM-enabled services.