I did scan the doc, though I admit I didn't read the whole (wordy) thing completely. It seems to me that they use in order of magnitude:
for their method to work. It seems to me that WebGL is the main attack surface here? When WebGL came out, it sounded like a bad idea to me, so I switched if off on all my Browsers and machines, and I have to say, in all the years since, I have run into one single website that needed it (an interactive "how to solve the rubik's cube site, which seems like the kind of thing it was actually designed for!).
Honest question, what is WebGL supposed to be needed for, because I can't really see a good reason to have something running that exposes such a low level to your system, via your browser? It never seemed like a good idea to me when it was new, and it seems worse now, and seems not to be worth having it turned on, based on how little I seem to have missed it.
Obviously, you can't lock everything down completely, as then you have quite basic browsing capability, though, the TOR browser is surprisingly usable considering, but you can do your best, as much as the time as possible, to try and keep the wolf from the door!
The paper also doesn't state what differing underlying operating systems makes to the equation either (that I could see in the paper)?
Matt. (with an uncommon OS and a lot of Firefox features turned off, and a lot of privacy/security extensions in the browser, plus lots of O/S and network level stuff on top... (just do the best you can and hope! ;) ))