Browser Fingerprinting: A Hidden Threat to Your Online Privacy

Suppose you’re surfing the internet, but don’t realize that everything you’re doing – every click, every scroll, every page you visit – is being recorded. No matter how many privacy features you employ, online entities can follow every step you take thanks to a process known as browser fingerprinting. It works by collecting several hundred data points, including the kind of browser you’re using, your operating system, screen resolution, and even the configuration of your hardware. As a result, whenever you visit a website, it can create a custom profile just for you. In the current era of heightened concern regarding privacy, it behooves anyone with an internet connection to understand just how browser fingerprinting works so that steps can be taken to protect your data.

What is browser fingerprinting?

Browser fingerprinting is the process by which multiple data points from a web browser are extracted to create a unique identifier known as a ‘fingerprint’ – a means for tracking. Websites and advertisers use browser fingerprinting to develop detailed files on internet surfers, often without any knowledge or consent. This is a major invasion of privacy because browser fingerprinting can bypass common privacy protections such as cookies and VPNs to track internet users, making it very difficult to evade tracking online.

Your browser’s settings – from screen resolution to installed plugins, timezone to fonts – create a fingerprint unique to your machine. These differences, seemingly small and insignificant, can collectively be enough to create a unique profile that websites can recognize and track you across sessions. This lack of anonymity makes for some very real issues regarding data security and online privacy. Sites use these fingerprints for targeted advertising, invasive tracking, and even for the sale of your data to third parties in ways that raise their own ethical and legal questions surrounding transparency and consent.

How browser fingerprinting works

Browser fingerprinting is based on a sophisticated collection of data from your web browser and your device. Parameters include your operating system, your browser type, its version, the size of your screen, the fonts installed on it, your browser plugins, and much more. Each of these parameters contributes a grain to your digital fingerprint and enables you to be identified across websites. The more parameters are collected, the more accurate and resilient the fingerprint becomes.

The Electronic Frontier Foundation (EFF) found that 94.2% of browser fingerprints are utterly unique. As few people worldwide have the same configuration of hardware, operating system, and browser, it’s extremely difficult to be anonymous online. Web browser fingerprinting can be used to build detailed profiles of each visitor. Websites can then show you targeted ads, customized content, or simply track your movements. It doesn’t matter if you’ve deleted your cookies, gone into Incognito mode, or used every privacy extension available to you. Fingerprinting means you can still be tracked – with pinpoint accuracy. It’s this ability to circumvent traditional privacy defenses that have brought wider attention to the issue and helped to stoke a sense of unease about the loss of privacy online, along with fears of how such practices could be abused.

How is fingerprinting different from cookies?

Cookies and browser fingerprints are quite different in how they track your activity online. Cookies track your preferences, login names, and other information you want your device to remember. They are small data files stored directly on your browser. Unlike browser fingerprints, you can control what cookies can do by deleting, blocking, or setting them to only store data for a certain time span through your browser settings. You also have extra legal protection against cookies under GDPR, which compels you to give explicit consent for their use – in other words, you get a say in whether or not you’re tracked and what information about you is collected.

By comparison, browser fingerprinting takes information from your web browser and hardware attributes and creates a profile around you that’s difficult to change or delete. Because fingerprints are stored on the server side, they outlast a browser session and, unlike cookies, they survive users who switch into Incognito mode, who delete cookies, or who use different browsers. Targeting via fingerprinting is persistent and can happen regardless of the browser you use or the settings you configure. Fingerprinting is both pervasive and insidious.

Browser fingerprints in particular routinely sidestep the forms of consent that are required for cookies, which raises fundamental privacy issues. Because individuals generally don’t know when fingerprints are being collected, they are usually unaware that they are exposed to intrusive monitoring and consequently may be poorly placed to protect themselves. Tracking in this way could result in immoral practices, such as exploitative price discrimination, detailed behavioral profiling, and the sale of individual-level data that people do not wish to expose. This should alert us to the urgent need for regulation of such targeting techniques.

Browser fingerprinting techniques

The technique of browser fingerprinting comprises several approaches. Each exploits a different characteristic of the browser and device to generate a fingerprint. It is very hard for a user to prevent the tracking.

Canvas fingerprinting

This works by having the HTML5 canvas element draw an image or bit of text and capture the rendering, as you can see. Since the rendering inherently depends upon the graphics card, drivers, and other hardware installed on your system, it will slightly vary from system to system — enough to form a unique fingerprint. Since it works by measuring the way your device renders an image, canvas fingerprinting is a reliable method for tracking.

WebGL fingerprinting

This method does its work by using the WebGL API to render 3D images, looking for tiny differences in how hardware and driver configurations are set up across devices. WebGL fingerprinting is one of the more accurate methods out there. It’s capable of doing this because some devices render 3D graphics a bit differently from others. The slight variances in how shadows are rendered, for example, or texture, all have the effect of giving your fingerprint little quirks that make it particularly distinctive.

Media device fingerprinting

This probes the different media devices on your machine (microphones, cameras, etc.) and requires access privileges, but it can give lots of detail about your media set-up and could thus help to form your fingerprint. Differences in device model, firmware, configurations and so on can be an important part of the specificity of your fingerprint.

Audio fingerprinting

This is done using AudioContext, a programming interface that captures audio profiles of the device. Differences in audio hardware and software configuration result in distinct profiles, which is why audio is useful as a fingerprint for both keyloggers and digital rights management schemes. Every machine handles sound differently, from frequency response to latency, making audio fingerprinting a way of compromising user privacy with digital subliminal messaging.

How to check your browser’s fingerprint

Knowing your browser’s fingerprint is one way to see how easily identifiable you are online. The following tools offer insights into your digital fingerprint and what you can do to guard your privacy:

AmIUnique

Created to help researchers track the diversity of web browsers, the tool allows people to see their own browser fingerprints. It queries the user’s browser for fonts, plugins, and screen resolutions, among other features, and shows a visualization of how your browser has a unique fingerprint. Developer Eleanor Saitta hopes that AmIUnique will collect anonymized data to help web developers create better anti-fingerprinting defenses.

Cover Your Tracks

The EFF has constructed this browser extension that shows you the way trackers see your browser. It highlights your browser’s most distinctive and vulnerable digital characteristics, telling you how you’re exposed to tracking – and how much privacy protection actually helps. The Cover Your Tracks app works with any browser and collects only anonymized data, so you can find out how you’re fingerprinted, and what it means for your online privacy, without giving away more information about yourself.

Tips to defend against browser fingerprinting

Although browser fingerprinting is nearly impossible to avoid altogether, there are several things that you can do to reduce your recognisability and improve your online privacy level:

Use WOT

Web of Trust (WOT) offers a Safe Browsing feature, which alerts you to unsafe sites and helps you avoid visiting them. Ratings for individual sites are calculated in real-time, and users can see these ratings along with live alerts of new or changed ratings. This feature can help you avoid sites that resort to aggressive fingerprinting.

Private browsing

Using private browsing modes such as Incognito mode will also reduce the amount of information that your browser shares, though it won’t eliminate all possibilities for fingerprinting. That’s because, while using this mode, your browser won’t store your browsing history or cookies (versions of themselves, at least) when you close up shop at the end of each browsing session. Instead, the browser engine forgets you and your browsing history when a session is closed. That will reduce the likelihood of tracking – but not eliminate it.

Disable JavaScript

If you disable JavaScript, this will prevent sites from running any scripts, which greatly limits the amount of information websites can gather about your browser and device, but at the expense of significantly degraded website functionality. If you want to maintain a balance between usability and privacy, one solution is to selectively disable scripts or use a script-blocking extension, such as NoScript or uMatrix. Using this method, you can reduce the number of data points by a factor of 10 or more.

Use a VPN

Using a Virtual Private Network (VPN) conceals your IP address and scrambles your internet traffic, eliminating some facets of the digital fingerprint. This doesn’t totally defeat all the fingerprinting techniques, but it does add a bit of anonymity cloak by obfuscating your location and internet behavior. The more hoops a user attempts to leap through, the greater the odds that they’ll defeat targeted tracking If you use a VPN in conjunction with other privacy tools, that should at least shove your browser fingerprint into a sea of others, making it much harder for any user to become a target.

Minimize the risks of browser fingerprinting

Preserving your privacy online has never been more important. Try the steps outlined and use WOT to browse the web more securely. Every action you take on the web lowers the chances of browser fingerprinting attacks, keeping your privacy and personal information safe.

FAQs

What data does browser fingerprinting collect?

Browser fingerprinting collects data such as your browser type, operating system, screen dimensions, installed plugins, time zone, fonts, and, potentially, even some of your firmware and hardware configurations – all of which together create a unique digital signature.

Can browser fingerprinting be used for security?

Yes, the use of browser fingerprints is supported to protect banks from fraud. Bank security systems use this information to prevent unauthorized users from accessing sensitive accounts or transactions. Similarly, security systems on computers use similar methods to identify potential threats.

Does Incognito mode prevent browser fingerprinting?

Incognito mode clears browsing history and cookies but, with some exceptions, that’s about it. While incognito offers some privacy gains, it is not enough to stop browser fingerprinting because it fails to alter those device and browser characteristics that the browser fingerprint is interested in.

Are there legal concerns with browser fingerprinting?

While GDPR and other current regulations that specifically govern the use of cookies in Europe require explicit user consent, no such laws govern fingerprinting currently. There are, however, areas of active discussion and emerging regulations that could establish such governing rules for fingerprinting in the future.

Does clearing cookies help in stopping browser fingerprinting?

No, deleting cookies won’t affect fingerprinting, which is built using your device settings and those of your browser, rather than the data stored by cookies.