Browser fingerprinting is a method of online tracking and data collection using the information web browsers provide with their requests. Websites use it to increase security, detect bots, and compile visitors' digital identities, called “fingerprints”.
It was named after the technique of human identification from our fingertips. But real-life fingerprints are only used to identify and charge criminals, while browser fingerprinting can track every visitor without regard to their intentions or consent.
In this article, we will cover what is browser fingerprinting - how it works, whether it is legal, what techniques websites use, and how you can minimize the risks of unveiling your online identity through browser-based fingerprints.
How does browser fingerprinting work?
When you connect to a website, your browser sends an HTTP request specifying what data and in what form is needed. When the server responds, the website is loaded. Developers can insert additional Javascript code asking the browser to provide software and hardware parameters.
Usually, the information is needed to load the website correctly and adapt the experience to your device. But in the case of browser fingerprinting, these parameters are used to compile a digital identity of a visitor.
The collected data can include anything from browser type to exact hardware specifications. Every parameter serves as a data point used for identification. More data means more accurate identification as the probability of two users with the same browser fingerprint becomes less likely.
With the exception of cookies, most of the collected data for user tracking doesn't require expressed consent. Techniques used for fingerprinting are integrated into the code of websites. So disabling their scripts would break most of them, which allows them not to ask if visitors agree to browser fingerprinting.
The uniqueness of the visitor's software and hardware setup, however, can only be measured by having a library of already collected fingerprints. So, every visitor's fingerprint is compared with thousands of others to determine its uniqueness and track actions across the web.
Collecting browser fingerprinting data in bulk is possible when all the parameters are hashed into a unique string of numbers and letters to identify each user. Such an ID is used to know if the visitor connected before, whether he had changed his parameters and to raise red flags against unwanted users.
In most cases, the complete browser fingerprint hash consists of two main parts:
Browser hash. Relies on visitor's browser data - browser type and version, installed plugins, User Agent, operating system, screen resolution, fonts used, etc.
Device hash. Relies on the information about the hardware - CPU, GPU, MAC address, serial number and more. Such ID applies to the hardware configuration of the device.
None of these browser fingerprinting parts can fully identify visitors by themselves. Browser data could be shared by multiple visitors and device similarities may overlap with hardware being identical. Combining both parts, as well as adding cookie and IP address data, creates a higher chance for unique identification.
You can check how your web browser stands against tracking. Non-profit organizations, such as the Electronic Frontier Foundation, try to raise awareness of the threat that browser fingerprinting poses. They have built a browser testing tool for ordinary internet users to check if they can be tracked.
Is browser fingerprinting legal?
Unfortunately, there aren't any effective legal tools against browser fingerprinting, so companies can legally engage in such a practice. At the time of writing, fingerprints are still considered public data, but there are some promising developments.
In the European Union, the General Data Protection Regulation (GDPR) defines cookies as personal data as long as they are used for identification. Companies can process such data only once you provide your consent or the company has a legitimate interest (E.g., to prevent financial fraud).
The United States doesn't have any national laws protecting its consumers from tracking, although there are initiatives in some states, such as the California Consumer Privacy Act. Much like GDPR, these laws only regulate cookies and do not address the issue of browser fingerprinting fully.
A step further against online tracking is the EU's ePrivacy directive that expands on GDPR by specifying the definition of cookies and consent pop-ups. More importantly, the ePrivacy directive will address browser fingerprinting by regulating it similarly to cookies.
The promised EU regulation will allow distinguishing between legitimate and illegitimate uses of browser fingerprinting. Hopefully, this law will come into effect soon, and other countries will follow its practices. As of now, websites can legally track users for a variety of reasons.
Browser fingerprinting use cases
Securing accounts
Websites are tasked with storing a lot of our personal data. If such data were leaked, a lot of damage could be caused to consumers. Account takeover (ATO) attacks are less likely when websites use browser fingerprinting as they can check the user's ID and implement extra verification measures if needed.
Targeted advertising
A majority of websites use browser fingerprinting for targeted advertising. It takes a step further from traditional ads by personalizing content to fit the traits and interests of a group or an individual consumer. Such practice has some controversial applications.
Ecommerce sites or ticket websites can change prices based on factors from your browser fingerprint. It can deny consumers access to fair prices and discriminate against certain groups or regions. Luckily, however, it’s mostly used to provide advertisements that would drive revenue for the company.
Data brokers
Data brokers are companies that process and profit from online data. They categorize enormous amounts of information from different sources and compile profiles of users and companies. Datasets are then sold to those who find them interesting.
*Cybersecurity *
Some cybersecurity measures are possible only after fingerprinting visitors, as websites may differentiate incoming traffic and act against malicious traffic. For example, Denial-of-Service (DDoS) attacks aim to overload the server until it crashes and cannot serve regular users. These attacks are performed by bots, so differentiating them from real visitors can help reduce their impact.
What are the techniques used for fingerprinting?
There is no single technique that websites use for fingerprinting, instead, they exploit different ways browsers work to create a unique fingerprint. We’ve outlined some of the more popular methods below.
Browser sniffing
Browser detection (or browser sniffing) techniques were created to determine parameters required for correctly loading web pages. For example, if a user visits from a mobile browser, a mobile version of the website should be loaded.
The primary source of browser information is HTTP headers. The User-Agent header is the main one because it states the browser and OS to the server with every request. However, websites frequently collect other related data, such as browser history and installed extensions.
Canvas
Canvas fingerprinting is a powerful technique that uses HTML5 to force your browser into drawing an image. Depending on the hardware and software used, the task is completed differently. So it is possible to identify GPU(s), font settings, drivers, browsers and operating systems.
Images the visitor's device must draw require little resources and aren't visible on the website's interface. Additionally, it is usually something simple, such as a two-dimensional blank rectangle. Parameters for the canvas fingerprint are collected by running overlays, anti-aliasing filters, fonts, etc.
WebGL
Web Graphics Library (WebGL for short) is a JavaScript API used for rendering graphic elements, usually interactive three-dimensional ones. Originally used for creating complex visualizations without additional plugins, WebGL can also help websites to identify and track visitors.
Similarly to canvas fingerprinting, it also rests on inferring device parameters from loading images that aren't visible to the users. However, this technique is more widespread as all major browsers support WebGL and provide identical parameters for fingerprinting as with HTML5 canvas.
Audio fingerprinting
Instead of relying on how your GPU draws images, websites can instruct your audio card to play a sound. Sending a low-frequency note to the device allows seeing how it will process such action. No audible tune is played to the visitor, so the website does not need sound permissions for audio fingerprinting.
It is enough for the website to detect device-specific parameters used to process sound-related tasks. Such information reveals audio hardware, drivers and other specifications required for audio fingerprinting. All of them are later used to build a unique fingerprint of your setup.
Device fingerprinting
Browser fingerprint is not limited to the machine you use to browse the web. It can also include IDs of media devices that are connected to it. Gadgets like headphones, microphones, and internal parts, such as video and audio cards, can be added to the device fingerprint for identifying the visitor.
Media device fingerprinting is rare as the visitor must permit access to his hardware. Most users don’t want to allow websites such access, especially when it comes to cameras and microphones. Therefore, media device fingerprinting is implemented by services that require a lot of access to function (e.g., video conferencing platforms).
Device fingerprinting can also refer to a broader term applied when no browser is involved. For example, mobile app developers use SDKs (Software Development Kits) supplied by OS developers for data collection. Device specifications are relatively easy to fingerprint when apps or programs are used.
Hardware benchmarking
Websites can conduct benchmark tests to assess the hardware that the visitor uses. Most commonly, websites run cryptographic algorithms. Differences in performance may reveal the CPU model and other details.
Similar APIs are used to assess the state of the device's battery, namely the capacity and charge level. It is especially effective for fingerprinting older systems as their batteries tend to have a unique ware which is used to ID them.
Another rarely used but intrusive method rests on observing the clock skew. It is a phenomenon when electrical signals arrive at different components at different times due to temperature changes. Detecting the clock skew range can tell a lot about the device and its software.
Cookies
Strictly speaking, collecting cookies isn’t enough for browser fingerprinting, and the practice is losing relevance due to regulations and privacy settings. Still, cookies supplement fingerprinting as the first step in identifying users.
Cookies are a client-side identification method based on little bits of data stored on the visitor's browser. Every time you visit a website, it sends you a cookie, and once you return, it can detect your identity.
Cookies were created for authentication and personalisation purposes, but now they are used for user tracking and advertisements. They can help websites document your actions, and advertisers can even place their third-party cookies for targeting purposes.
IP address detection
Monitoring IP addresses is another method that reinforces browser fingerprinting. An IP address is a string of numbers that uniquely identifies every device on the internet. Browsers send your IP address with the data requests, so the server would know where to return the data.
The IP address also unveils your approximate geo-location and the name of the internet service provider. Such information enables targeting the website's content accordingly, for example, adapting the language to the visitor's country.
However, IP addresses can be used for adjusting product prices and limiting availability to certain markets. Also, IP address blocks are the most common method of restricting access to the internet for specific subnets or locations.
What is cross-browser fingerprinting?
Cross-browser fingerprinting is a method of tracking visitors across multiple browsers. Just like single-browser fingerprinting, it utilizes operating system and hardware detection by asking browsers to perform various tasks. The data is then shared with other websites or added to an online fingerprint library.
Website owners and advertisers may share visitor data because it makes their browser fingerprinting efforts more effective. Cross-browser fingerprinting is justified as a security measure because it helps websites detect account breaches. However, it violates privacy by bringing unwanted personalization even if the visitor tries to avoid it by changing browsers.
Since fingerprinting does not rely on data stored in the browser, internet users lose any say in whether they want to be tracked and whether websites should know where they visited previously. Cross-browser tracking is one of the main reasons to stop browser fingerprinting.
How do I stop browser fingerprinting?
There is no ultimate solution to stop browser fingerprinting. Most effective ones will require sacrificing the quality of your browsing experience as some websites may limit usability or deny access entirely. But anti-fingerprinting techniques don't have to be perfect to make fingerprinting not worth the effort.
Disable JavaScript
Disabling JavaScript in your browser settings is the most straightforward and yet, the most effective measure against browser fingerprinting. It effectively restricts cookies, WebGL and canvas fingerprinting techniques, as well as most other APIs, to detect your device's parameters
Unfortunately, you will quickly notice that disabling JavaScript renders most websites unstable. You will lose speed, and most functionalities or the websites will crash. Rarely do websites would not require JavaScript to function these days, and those that do are unlikely to track their visitors.
Decrease browser uniqueness
Disabling JavaScript is too extreme for most, so we turn to browser uniqueness. The more your browser is unique, the easier it is to distinguish it from the rest of the internet traffic. If you use some unusual browser that wasn't updated for a while, that fact alone might be enough to create your fingerprint.
Using a common browser, such as Google Chrome, is a good start but far from the only factor that can lower the uniqueness of your browser fingerprint. Here are some steps you can take:
Uninstall unnecessary extensions. Browser add-ons can add useful functions, but better to delete those you can do without. Every plug inserts additional code, which makes you stand out more.
Use ordinary language preferences. Browsers can ask websites to load in a specific language. Most of the internet is in English, so it's best to keep your language settings only for this language to blend in.
Clear cookies and browsing history. While it isn't an extraordinary measure against fingerprinting, regularly deleting cookies and browser history will make it harder to track you.
Change privacy settings. Major browsers block basic tracking methods by default, but it isn't enough. Sending a "Do Not Track" request, restricting permissions and ads takes a couple of clicks.
Use incognito mode. It’s debatable whether incognito mode helps against browser fingerprinting. Still, if you don’t trust the website, it is better to disable at least some trackers with incognito mode.
Scan against viruses. It should be a no-brainer to keep your device safe. If you need an additional reason to fight malware, it can make it extremely easy to fingerprint you.
Use privacy add-ons
Installing privacy plugins to your browser is another easy way to disable trackers and, with correct settings, decrease uniqueness. Ad blockers, such as AdBlockPlus, can disable trackers and make the internet more visually pleasant and safe.
More privacy-focused add-ons, like Trace, Noscript and Privacy Badger, can block aggressive trackers and scripts automatically. They also help manage your privacy settings manually. If you trust a website, you can add it to a whitelist and access it without blocking anything.
The downside of using many plugins is that they might contribute to your browser's uniqueness. Don't overuse them and run fingerprint tests to know which ones are actually helping to fight browser fingerprinting.
Install anti-fingerprinting browser
Instead of looking for add-ons, switching to a more privacy-focused browser might be a better option. Most such browsers disable trackers and block ads by default. They even take a step further by fighting browser fingerprinting directly.
Brave is a free and open-source chromium-based web browser aiming to increase security while not decreasing usability. It protects from browser fingerprinting by randomizing the parameters you send while surfing the web.
Brave makes your fingerprint unique for every browsing session and every website. Such an approach doesn't limit usability and is fairly effective against fingerprinting. Changing Brave's settings can provide even more protection but will limit the usability.
Most other browsers and plugins are based on generalization - aiming to make all fingerprints identical to one another. To achieve it, they must mask the unique attributes of your browser, which does limit the usability of websites. However, it is usually more effective than randomization.
Tor browser was the first to take the fight against fingerprinting seriously. It changes users' IP addresses, aggressively limits JavaScript, generalizes your timezone, and many other parameters needed to collect fingerprints. Tor may be the best protection against browser fingerprinting, but you will sacrifice speed and convenience.
However, ease of use isn’t the primary reason to choose Tor. It is an open-source, volunteer-based project that aims to fight internet restrictions and help activists around the globe. Stopping browser fingerprinting is just a part of this battle.
Rotate your IP address
Changing your IP address is one of the first defense lines against browser fingerprinting. Even if you use a browser with randomization or privacy add-ons, the IP address from which the requests are sent will remain the same, so your browser fingerprint will be easy to compile.
While there are many ways to change your IP address, rotating residential proxies are the most effective and versatile option. Residential IPs originate from ordinary internet service providers and physical devices, which allows them to blend in with the rest of the internet traffic better.
Rotating such proxies means that every request or within a chosen timeframe has a new residential IP address assigned automatically. In combination with other anti-fingerprinting measures, it makes tracking your actions extremely hard.
Other methods of changing your IP address are usually applicable only for basic browsing tasks, while residential proxies can bring more to the table. They are easiest to integrate with specialized software (e.g., web scrapers and automation software) while not compromising speed and location targeting capabilities.
Conclusion
Browser fingerprinting is the newest and biggest threat to online privacy. With enough data points, websites can compile your fingerprint and identify you without your consent and across different browsers. Fingerprinting has some positive applications, but, in most cases, you don't want websites tracking you.
Although there is no guaranteed solution to browser fingerprinting, it isn't a lost cause. More sophisticated anti-fingerprinting measures might appear in the future. For now, using a browser with randomisation, decreasing uniqueness and rotating residential IP addresses are the best tools that will likely remain effective in the future.
Top comments (0)