Beauty at a Cost: Privacy Implications of CSS on the Web and in Emails

Modern browsers are increasingly restricting traditional tracking methods like third-party cookies to enhance user privacy. However, browser fingerprinting remains a powerful tool for tracking users across websites, even in privacy-conscious scenarios. It is typically associated with JavaScript-based methods, which have been the primary focus of tracking and mitigation efforts.

This talk highlights how Cascading Style Sheets (CSS), often considered harmless and enabled by default in email clients, enable third-party profiling without cookies or JavaScript. Furthermore, modern browser engines facilitate these techniques in HTML emails, making email fingerprinting a capable vector for tracking, targeted phishing, and spam campaigns. These findings reveal gaps in current JavaScript-centric privacy protections and emphasize the need for broader mitigations.