Cloudflare and the Browser Fingerprinting Reckoning
Cloudflare Turnstile, the CAPTCHA replacement that many developers adopted specifically because it felt less invasive than competitors, is now requiring fingerprintable WebGL. The HN thread is full of people who switched to Turnstile on principle now reconsidering that decision out loud. The same day, a separate thread surfaced research showing websites can fingerprint visitors by timing SSD cache access, a technique that works even in private browsing.
The pattern here: privacy-preserving alternatives keep getting quietly eroded. Developers adopted Turnstile because they trusted Cloudflare's brand positioning as the good-guy infrastructure company. That trust is now being stress-tested publicly, and users in the EU are already calling for petition-based regulatory action on browser fingerprinting across all browsers.
The counterpoint in the thread is that Cloudflare needs some signal to distinguish bots from humans, and WebGL is a reasonable heuristic. But that argument does not land well with the people who specifically chose Turnstile to avoid fingerprinting their own users. The tool is now doing the thing it was supposed to prevent.
So what?
If you are using Cloudflare Turnstile to avoid telling your users they are being fingerprinted, you may already be breaking that promise. Audit what Turnstile actually sends before your next privacy policy renewal. More broadly, any infrastructure vendor can quietly shift behavior on you, so building your compliance posture around vendor promises rather than technical verification is a liability.