German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.”As Motherboard points out, Strehle started building the project after reading a research paper from the University of Illinois at Chicago that describes the technique. The basic gist of the method starts with the fact that favicon’s get cached in your browser the first time you visit a website. When you return to the site, the browser checks to see if the favicon has been stored in its own special home on your machine that’s called the F-Cache. If the data is out of date or missing, the browser requests data from the website’s servers. Strehle explained what happens next in a write up on his website: A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.