
More Space, Less Privacy? IP-based Website Fingerprinting in IPv6


In short:

  • Pulse research shows that IP-based website fingerprinting correctly identifies visited websites ~94% of the time for dual-stack incomplete websites. This figure drops to ~45% for websites hosted only on IPv6.
  • The key factor shaping fingerprinting success is how hosting providers deploy IPv6, not IPv6 itself.
  • The findings challenge the common assumption that IPv6 inherently increases tracking risks.

As the Internet moves toward stronger encryption, many users assume their online activity is becoming harder to monitor.

Technologies like DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and Encrypted Client Hello (ECH) now hide domain names from network observers, closing off one of the most obvious sources of privacy leakage. But encryption does not make the Internet invisible. One thing remains fully exposed: the IP addresses in network traffic, which can be mapped to their hosting domains, effectively unmasking the websites a user visits.

In my 2025 Pulse Research Fellowship, we asked a simple yet important question: Does the transition from IPv4 to IPv6 improve or worsen online tracking?

IPv6 Transition is a Double-edged Sword

Unlike IPv4, which forces many websites to share the same IP address, IPv6 offers an enormous address space. In theory, this allows each website to have its own unique IP address, which would make it easier for ISPs, enterprise networks, or national censors to infer which sites a user is visiting simply by examining IP connections, even when domain names are encrypted.

To test whether this concern holds in practice, we conducted the largest study to date of IP-based website fingerprinting in IPv6 environments. We analyzed more than half a million IPv6-enabled websites, combining large-scale web crawling, active DNS measurements, and longitudinal analysis over several months.

For websites that still rely on a mix of IPv4 and IPv6 (dual-stack incomplete sites, currently most of the Web), IP-based tracking remains highly effective. In these cases, observers can correctly identify visited websites roughly 94% of the time, regardless of whether traffic uses IPv4 or IPv6. In other words, today’s “dual-stack” Internet remains highly fingerprintable.

Websites that operate only over IPv6 (dual-stack complete) are significantly harder to fingerprint. Identification accuracy drops to around 45%, meaning that more than half the time, an observer cannot reliably tell which site a user is visiting. The contrast in the fingerprinting accuracy between dual-stack incomplete and complete websites is illustrated in Table 1.

Table 1 — Fingerprinting accuracy in IPv4 and IPv6 across dual-stack complete and incomplete websites.

| Ranking | Incomplete: #Sites | Incomplete: IPv4 % | Incomplete: IPv6 % | Complete: #Sites | Complete: IPv4 % | Complete: IPv6 % |
|---|---|---|---|---|---|---|
| Top 100 | 39 | 89.74 | 89.74 | 61 | 29.51 | 24.59 |
| Top 1000 | 540 | 90.37 | 90.19 | 460 | 56.96 | 49.35 |
| Top 10K | 6038 | 94.10 | 94.17 | 3962 | 64.84 | 54.72 |
| Top 50K | 29742 | 94.81 | 94.96 | 20258 | 65.33 | 56.64 |
| Top 100K | 56491 | 94.68 | 94.86 | 43509 | 62.24 | 53.29 |
| Top 250K | 119997 | 93.06 | 93.31 | 130003 | 56.37 | 44.94 |
| Top 500K | 219501 | 93.79 | 94.16 | 280499 | 56.09 | 44.80 |
| All websites | 228108 | 93.78 | 94.20 | 295315 | 56.02 | 44.82 |

This result runs counter to the concerns found in the privacy community. IPv6 addresses are more abundant and, compared to IPv4 addresses, more often appear to host a single domain. But uniqueness alone does not determine privacy risk.

Why Hosting Infrastructure Matters More Than IP Version

The key factor shaping fingerprinting success is how hosting providers deploy IPv6, not IPv6 itself.

Large platforms and content delivery networks (CDNs), such as Cloudflare, Fastly, and Google, often host thousands of unrelated websites on shared IPv6 address pools. When many domains share the same infrastructure, IP addresses become less informative, weakening tracking attempts.

In contrast, providers that assign one IPv6 address per website or use large, aliased IPv6 prefixes make those sites much easier to identify. As a result, two websites using IPv6 can face very different outcomes depending on where and how they are hosted.

This uneven deployment explains why IPv6 does not produce a single, uniform privacy story. Instead, provider choices determine whether IPv6 amplifies or reduces tracking risks. This becomes clearer when comparing major hosting providers and their corresponding fingerprinting accuracy in Table 2.

Table 2 — IPv6 fingerprinting accuracy of the top 10 hosting providers for dual-stack complete and incomplete websites (WF % = weighted F1 accuracy).

| Rank | Incomplete: Provider | # Sites | WF % | Complete: Provider | # Sites | WF % |
|---|---|---|---|---|---|---|
| 1 | CLOUDFLARENET | 146115 | 97.0 | CLOUDFLARENET | 212195 | 43.6 |
| 2 | Hostinger Int'l Ltd | 4255 | 97.6 | Hostinger Int'l Ltd | 4775 | 79.5 |
| 3 | AMAZON | 4006 | 84.2 | Hetzner Online GmbH | 3892 | 48.5 |
| 4 | FASTLY | 3344 | 71.4 | Cloudflare London, LLC | 3626 | 25.6 |
| 5 | DIGITALOCEAN | 3195 | 14.6 | OVH SAS | 2865 | 49.6 |
| 6 | OVH SAS | 1985 | 86.1 | AMAZON | 2508 | 62.8 |
| 7 | Hetzner Online GmbH | 1896 | 93.4 | IONOS SE | 2321 | 50.7 |
| 8 | Akamai Int'l B.V. | 1848 | 78.9 | FASTLY | 1706 | 22.5 |
| 9 | IONOS SE | 1717 | 93.8 | GOOGLE-GCP | 1629 | 9.8 |
| 10 | JSC Timeweb | 1607 | 88.1 | GOOGLE | 1601 | 16.3 |
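
The co-location effect described in this section, as a simplified model added here (it is not the study's code or methodology): domains that present the same set of addresses form one anonymity set, and a site is identifiable from IP metadata alone only when its set has a single member. The sample domains, the 2001:db8:: documentation addresses and all function names are constructed for illustration; `prefix_len` generalizes the comparison to an observer that logs prefixes instead of full addresses.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: domain -> IPv6 addresses contacted when loading it.
# Three sites sit on a shared pool (2001:db8:a::/48); two have dedicated ranges.
SITES = {
    "shop.example": {"2001:db8:a::1"},
    "blog.example": {"2001:db8:a::1"},
    "news.example": {"2001:db8:a::1", "2001:db8:a::2"},
    "wiki.example": {"2001:db8:b::10"},
    "mail.example": {"2001:db8:c::20"},
}


def fingerprint(addrs, prefix_len=128):
    """Collapse a site's addresses to the set of prefixes an observer records."""
    return frozenset(ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs)


def anonymity_sets(sites, prefix_len=128):
    """Group domains whose fingerprints are identical at this prefix length."""
    groups = defaultdict(set)
    for domain, addrs in sites.items():
        groups[fingerprint(addrs, prefix_len)].add(domain)
    return list(groups.values())


def expected_accuracy(sites, prefix_len=128):
    """Best-case hit rate for an observer, assuming equal visit frequency.

    Inside a set of k look-alike domains a guess is right 1/k of the time,
    so each set contributes k * (1/k) = 1 correct guess: groups / sites.
    """
    return len(anonymity_sets(sites, prefix_len)) / len(sites)


def exposed(sites, prefix_len=128):
    """Domains with a unique fingerprint, i.e. identifiable from IPs alone."""
    return sorted(
        next(iter(g)) for g in anonymity_sets(sites, prefix_len) if len(g) == 1
    )


if __name__ == "__main__":
    for plen in (128, 48):
        print(f"/{plen}: accuracy={expected_accuracy(SITES, plen):.2f} "
              f"exposed={exposed(SITES, plen)}")
```

Sites on the shared pool blend together once the observer's view is coarsened to /48, while the two sites with dedicated ranges stay identifiable at either granularity.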

IPv6 Won’t Fix Privacy, But It Can Help

Our results have clear implications:

  • Encryption alone is not enough. Even with encrypted DNS and TLS handshakes, IP-level metadata still enables large-scale tracking.
  • IPv6 can improve privacy only if deployed thoughtfully. Shared addressing and infrastructure-level aggregation matter more than raw address space.
  • Hosting providers play a central role in user privacy. Their address allocation and domain co-location decisions directly affect how visible users’ browsing behavior is to network observers.

As IPv6 adoption continues to grow worldwide, it creates both risk and opportunity. With careful deployment practices, IPv6 can help restore some of the anonymity that address scarcity (IPv4) once provided.

This study is currently under peer review, and we will be releasing complete datasets and findings shortly. In the meantime, you can watch my presentation at the Pulse Internet Measurement Forum in Spain, or contact [email protected] to learn more about my methodology and results.

Muhammad Sumeer Ahmad was a 2025 Pulse Research Fellow and PhD student at Stony Brook University Department of Computer Science.

The views expressed by the authors of this blog post are their own and do not necessarily reflect the views of the Internet Society.