Tor NoScript visit tracker (bitbucket.org/elijahkaytor)
44 points by Syrup-tan on March 7, 2016 | hide | past | favorite | 21 comments



What else, besides using Tor and turning off JavaScript, does a user have to do so that a website operator finally gets that they don't want to be tracked?


You could use the Stallman method and download pages with wget to read.


Stop using repeat-offending websites.


Very few users can detect that they are being tracked, so they can't avoid it. The tracking methods are designed to be undetectable; web beacons are invisible pixels; sites don't tell users: we track this info and share it with these people; even privacy policies usually are ambiguous, and they are too long and complex to read for every site someone visits.


Because sites can be hacked or changed at any time, the ability of users to avoid offenders is basically zero.


Also use this EFF Privacy Badger: https://www.eff.org/de/node/73969


But this can't track individual users, it just provides general usage statistics, like visitor retention.

I'd be interested in a viable example of this being used to identify users.


That can help with fingerprinting. Any entropy escaping from a user's session is useful.


This can be used to make a user's fingerprint stand out based on their browsing patterns. However, it is very fragile in practice. The tracker would need both a rare fingerprint, as well as a rare browsing pattern in order to identify a user.

This is pretty hard, considering the Tor Browser does a good job at having a common fingerprint at its highest security setting (JavaScript disabled, which is what this tracker is for).


I'm unsure why this is downvoted.

I think he is saying that users can't be tracked between page loads using this method, or you risk sending multiple users the same token (which is true, at least with this implementation).

The time they spend on the website, latency, etc can all be used to add to a fingerprint, but there isn't something magic that makes this accurate, especially without JavaScript.

Edit: please don't mind me ghostposting kthx


I may be missing something, but it seems to me that this technique (if not this particular implementation) could be used to easily track individual users.


> NoScript Tracker is a basic tracker that makes use of iframes and the Refresh HTTP header to measure how long users spend on web pages.

> It is ideal for getting basic usage statistics on the Tor network, where JavaScript is not an option for most users.

NoScript can block iframes; will that disable this tracker?

Also, does the Tor Browser, which includes NoScript, default to blocking iframes?
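One way to spot the mechanism the README describes in a server's responses: a near-invisible iframe on the page plus a framed document that keeps reloading itself through the Refresh header or a meta refresh tag. This is an added example written for this thread, not code from the tracker's repository; the sample page, header and URLs are constructed.

```python
"""Flag the no-JavaScript tracking pattern: a hidden <iframe> whose framed
document reloads itself via the Refresh HTTP header or <meta http-equiv="refresh">."""
import re
from html.parser import HTMLParser

# Constructed sample responses, not captured from any real site.
SAMPLE_PAGE = """<html><body><h1>Article</h1>
<iframe src="/ping?s=abc" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
</body></html>"""
SAMPLE_FRAME_HEADERS = {"Content-Type": "text/html", "Refresh": "5; url=/ping?s=abc"}
SAMPLE_FRAME_BODY = '<html><head><meta http-equiv="refresh" content="5; url=/ping?s=abc"></head></html>'

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def parse_refresh(value):
    """Parse 'N; url=...' as used by both the Refresh header and meta refresh."""
    m = re.match(r"\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]*))?", value, re.I)
    return (int(m.group(1)), m.group(2) or "") if m else None

class FrameFinder(HTMLParser):
    """Collect iframes a user would not notice, and any meta refresh directives."""
    def __init__(self):
        super().__init__()
        self.hidden = []        # src values of hidden or 0/1-pixel iframes
        self.meta_refresh = []  # (seconds, url) tuples from meta refresh tags
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            tiny = all((a.get(k) or "100").strip("px ") in ("0", "1") for k in ("width", "height"))
            if tiny or HIDDEN_CSS.search(a.get("style") or ""):
                self.hidden.append(a.get("src") or "")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            parsed = parse_refresh(a.get("content") or "")
            if parsed:
                self.meta_refresh.append(parsed)

def hidden_iframes(html):
    """Return src values of iframes on the page that are effectively invisible."""
    p = FrameFinder(); p.feed(html); return p.hidden

def refresh_loop(headers, body):
    """Return (seconds, url) if the framed document reloads itself, else None."""
    hdr = {k.lower(): v for k, v in headers.items()}
    if "refresh" in hdr:
        return parse_refresh(hdr["refresh"])
    p = FrameFinder(); p.feed(body)
    return p.meta_refresh[0] if p.meta_refresh else None
```

Because every reload happens inside the framed document, forbidding iframes (or blocking auto-refresh, as the settings mentioned later in the thread do) stops the measurement entirely.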


> Also, does the Tor Browser, which includes NoScript, default to blocking iframes?

No. Tor Browser defaults to the lowest security level, allowing all scripts, media, iframes, etc.


NoScript->Options->Embeddings->Additional restrictions for untrusted sites->Forbid <IFRAME>

Just turned that option on, myself. I might have had it on years ago--can't remember for sure--but now that I know it's being abused, I'll definitely leave it on. IFRAMEs are generally poor practice, anyway.


Also, pay attention to these settings in about:config page:

accessibility.blockautorefresh

noscript.forbidBGRefresh

noscript.forbidMetaRefresh

Additionally, you can cherry-pick options (or just use it all) from this repository at https://github.com/pyllyukko/user.js for more privacy.


Thanks! I'll look into those.


I will not be surprised at all if something like this is soon used to circumvent adblockers, replacing classic JavaScript-based analytics on the "bright" side of the web.


Ad blockers will still block iframes and already do. Those I've seen block the full request based on a list of known domains. Many 3rd-party tracking cookies are placed with the help of iframes or an img pixel.

With Google Analytics you have the option to actually do all the tracking server-side so AdBlockers shouldn't be an issue tracking-wise.


Before Microsoft gave us XMLHttpRequest, and before IFRAMEs were everywhere, this is exactly how, along with FRAMESETs and target="", one could track session length, reload other parts of a page after some given time, allow forms to interact with complex flows, and do various other things.

The "virtually invisible frame loading in the background" trick is going to be around for the long term and seems destined to be re-learned many times over.


Why wouldn't you open a web socket?


Because you can't use WebSockets in the browser without JavaScript.



