Browser Fingerprinting is the latest sneaky way that websites can track your online activities. It is even more troublesome than browser cookies. And while most people have at least heard of cookies, far fewer have ever heard of Browser Fingerprinting.
However, nowadays this is the way governments and companies are tracking your data. Even if you’re hiding behind a VPN or proxy, you can still leave yourself vulnerable. Read on to learn more.
Our goal for this article is to get you up to speed on the concept of Browser Fingerprinting: how it works, why you don’t want it to happen to you, and some steps you can take to at least make it harder for those who use this technique to spy on you.
More specifically, we will cover these topics:
- What is Browser Fingerprinting
- Some Characteristics Used in a Browser Fingerprint
- Can Someone Fingerprint My Browser Right Now?
- There Ought to Be a Law…
- What Can You Do to Stop Browser Fingerprinting?
What is Browser Fingerprinting?
Browser Fingerprinting is the process of gathering data that can be used to identify an individual Internet user. While it may not allow someone to identify a user by name, it can still be a highly profitable and privacy-destroying technique. Imagine a scenario like this:
Jane comes from a religious family. She is also 13 years old and pregnant. When her parents aren’t home, she uses the family computer and visits a site for kids who are in trouble and are looking for advice. Jane is careful to use the web browser’s Incognito Mode while visiting this site, makes sure not to download anything from the site, and deletes all the cookies on the computer after she uses it. She thinks she is safe from being tracked and goes back to the same discussion area the next day to see if she got any responses to her questions.
Unfortunately for Jane, the website uses an ad agency that practices Browser Fingerprinting. From the website’s perspective, Jane’s activities might look something like this:
Day 1: A computer connects to the site. The site’s ad agency fingerprints the computer. The fingerprint doesn’t match any of the ones they have on record, so they start a new log of what the computer with that fingerprint does while connected to the site. The computer spends 48 minutes in the ‘Under Age and Pregnant’ discussion area.
This is information that could be very valuable to certain advertisers.
Day 2: A computer connects to the site. The site’s ad agency fingerprints the computer. The fingerprint matches one of those they have on record, so they add everything that computer does to the log of what the computer with that fingerprint does while connected to the site.
With additional information in the log, it becomes even more valuable.
Unfortunately for Jane, the ad agency also serves ads to the website of her mom’s favorite craft supply store. And it has a client that runs an abortion clinic.
Day 3: Jane’s mom logs into the craft supply store website. The ad agency software notices a computer with the same fingerprint as one that logged in a few times recently and was looking for information related to being underage and pregnant. The ad agency starts serving ads targeted at young pregnant girls on mom’s favorite website.
Even though Jane thought she was doing everything right to protect her online privacy, and even though the websites, ad agency, and advertiser have no idea who she is, ads aimed specifically at her are showing up on the computer she used. That is the power of Browser Fingerprinting.
How do Browser Fingerprints Differ From Cookies?
Cookies are small text files that a web site can store on your computer to record information and retrieve it later. Because they are written to your computer, you can block them or delete them. Even if a website tries to hide their cookies by giving them names that aren’t obvious, you are ultimately in control.
Browser Fingerprints are fundamentally different. They are created from data that a website can read from your computer in the normal course of using your browser and are stored at the website, not on your computer. There is very little you can directly do to stop them.
But don’t give up yet. There are some things you can do to protect yourself. However, first, we need to look at the kind of information that websites use to fingerprint your browser.
Some Characteristics Used in a Browser Fingerprint
You might be surprised by the amount of information your web browser will share with a website. There are good reasons for doing so, but providing so much information can be a problem.
Collectively, there is enough information, and it varies enough from computer to computer, that the list can usually be used to identify a particular computer uniquely.
Find this hard to believe? Here is a list of some of the characteristics that your browser can send to the website and can be used to identify your computer:
- Accept Header – What types of media the browser will accept.
- Accept-Encoding Header – Types of data encoding that the browser will accept.
- Browser Plugins – Which plugins are installed and which versions they are.
- Clock Skew and Drift – How the system time differs from the correct time.
- Connection Header – What options are desired for this connection.
- Cookies Enabled?
- IP Address – The IP Address visible to the outside world as well as the one internal to your network.
- Preferred Language
- System Fonts – List of the System Fonts installed on the computer.
- User-Agent String – List of browser version, Operating System version, some plugins
This list is far from complete but gives an idea of the kinds of identifiable characteristics that your browser gives up to a website.
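To make the difference from cookies concrete, here is an added example (not code from any real tracker or from the sites discussed in this article) that replays the Jane scenario. The attribute values, site names, `fingerprintKey` and `VisitLog` are all made up for illustration.

```javascript
// Constructed sample data: illustrative values, not captured from a real browser.
const FAMILY_PC = {
  userAgent: "ExampleBrowser/1.0 (ExampleOS 10)",
  accept: "text/html,application/xhtml+xml",
  acceptEncoding: "gzip, deflate",
  language: "en-US",
  fonts: ["Arial", "Comic Sans MS", "Papyrus"],
  plugins: ["PDF Viewer 1.2"],
  cookiesEnabled: true,
};

// Hypothetical helper: a canonical string over the sorted attribute names, so
// the same characteristics always give the same key (a real service would
// typically hash this string; the matching logic is the same).
function fingerprintKey(attrs) {
  return JSON.stringify(Object.keys(attrs).sort().map((k) => [k, attrs[k]]));
}

// The log lives on the tracker's server. Nothing is written to the visitor's
// computer, so there is nothing there to block or delete.
class VisitLog {
  constructor() {
    this.byFingerprint = new Map();
  }
  record(attrs, site) {
    const key = fingerprintKey(attrs);
    const known = this.byFingerprint.has(key);
    const history = this.byFingerprint.get(key) || [];
    history.push(site);
    this.byFingerprint.set(key, history);
    return { known, visits: history.length };
  }
}

function replayScenario() {
  const log = new VisitLog();
  // Day 1: Incognito window, no cookies. First time this fingerprint is seen.
  const day1 = log.record(FAMILY_PC, "advice-site.example");
  // Day 2: cookies were deleted, but the characteristics have not changed.
  const day2 = log.record({ ...FAMILY_PC }, "advice-site.example");
  // Day 3: a different site served by the same ad agency, same computer.
  const day3 = log.record({ ...FAMILY_PC }, "craft-store.example");
  // A second browser on the same computer reports different characteristics.
  const browser2 = log.record(
    { ...FAMILY_PC, userAgent: "OtherBrowser/2.0 (ExampleOS 10)", plugins: [] },
    "news.example"
  );
  return { day1, day2, day3, browser2 };
}
```

Deleting cookies between Day 1 and Day 2 changes nothing the server sees, while the second browser starts a fresh log, which is the idea behind the compartmentalizing tip later in this article.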
What is Canvas Fingerprinting?
In short, it is another tool to gather data about your system that nosy websites can use to identify you without storing anything on your computer for you to block or delete.
Can Someone Fingerprint My Browser Right Now?
Can someone fingerprint your browser right now? Hell yes! This isn’t some theoretical problem for someday in the future. Browser Fingerprinting is here now and almost certainly being used against you at this moment.
Two websites, Panopticlick and AmIUnique, let you see how vulnerable your browser is to fingerprinting at this very moment.
We will take a quick look at each of these sites. These are good guys in that they aim to help you learn about your system and Browser Fingerprinting, rather than spy on you.
Then we suggest you try them out with your own equipment and see how much information they can find out about you this way. And keep in mind that the people who are doing Browser Fingerprinting for profit are surely using more sophisticated techniques than these sites.
Panopticlick – An EFF Experiment in Browser Fingerprinting
Panopticlick is a research project that was started by the Electronic Frontier Foundation (EFF) in 2010. They use a few of the older Browser Fingerprinting techniques to gather data about your system when you hit the big orange Test Me button on the Panopticlick home page.
The basic tests are conducted with their own tools, and they only retain anonymized data about the results, as described on the Privacy page.
According to the About Panopticlick page, Panopticlick itself was last updated in 2015, when it added the “test with a real tracking company” option. Panopticlick states:
Enabling this test shouldn’t be a problem, but if you are concerned, feel free to disable it.
Understanding Panopticlick Results
Panopticlick is easy to use, but the results can be overwhelming. Reading the basic results isn’t bad. As you can see below, the browser I am using right now to write this article does not protect against Browser Fingerprinting and other forms of tracking.
This obviously isn’t good, but it is clear. Because my browser has a nearly-unique fingerprint among those that Panopticlick has collected, it is highly likely that a website would be able to identify me uniquely.
But if I want to know how nearly-unique my browser fingerprint is, or what characteristics make my browser appear “nearly-unique,” I need to click the Show full results for fingerprinting link.
This is where things get messy.
Here are the detailed Browser Fingerprinting results from my test:
Unless you are willing to dig into some real technical details, this information won’t be of much use to you. After we look at “AmIUnique” we will look at some options that can make your browser less unique (the less unique, the harder it is to fingerprint you), without you having to understand HTTP_ACCEPT Headers or User Agents.
AmIUnique – A European Browser Fingerprinting Research Project
AmIUnique is another research project that addresses Browser Fingerprints. Based in Europe, this site does more than show you how well your browser resists fingerprinting. It includes global statistics, a collection of privacy-related browser extensions, and links to numerous Browser Fingerprinting articles and papers.
Here’s the AmIUnique home page. Hit the View my browser fingerprint button, and get ready for a flood of detailed information.
In my case, the first screenful of results looked like this (it takes a while to scroll through all the information):
Keeping in mind that the less unique your Browser Fingerprint is, the better, we can learn a lot from looking at this page, without having to get deep into the technical gibberish.
The colored blocks containing percentages tell us what percentage of AmIUnique fingerprints match our results. And the colors tell us where the problems are.
We can see that the browser I am using (Google Chrome) and the language I have chosen to work in (EN, for English) are both listed in a large percentage of the site’s 130,000+ stored fingerprints. But the version of Chrome I am using (Version 74), and my User-Agent value are both very uncommon in the AmIUnique Browser Fingerprint database. Somehow changing them to be less unique (or to appear that way) would decrease the uniqueness of my Browser Fingerprint and make it less easy to identify.
As we’ll see shortly, there are several things you can do to reduce the uniqueness of your Browser Fingerprint by reducing the uniqueness of various characteristics.
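The percentages described above can be reproduced on a small scale. This is an added example, not AmIUnique’s or Panopticlick’s own code: the eight stored fingerprints are constructed sample data, and the function names are made up for illustration. It goes slightly beyond the percentages by also reporting each value’s “bits” of identifying information and how many stored fingerprints match on every attribute.

```javascript
// Constructed sample: eight stored fingerprints standing in for a site's database.
const STORED = [
  { browser: "Chrome", version: "73", language: "en", timezone: "UTC-5" },
  { browser: "Chrome", version: "73", language: "en", timezone: "UTC+1" },
  { browser: "Chrome", version: "73", language: "en", timezone: "UTC-5" },
  { browser: "Chrome", version: "73", language: "fr", timezone: "UTC+1" },
  { browser: "Firefox", version: "66", language: "en", timezone: "UTC-5" },
  { browser: "Firefox", version: "66", language: "de", timezone: "UTC+1" },
  { browser: "Chrome", version: "74", language: "en", timezone: "UTC+1" },
  { browser: "Safari", version: "12", language: "en", timezone: "UTC-8" },
];

// Share of stored fingerprints that have the same value for one attribute
// (the number shown in each colored block).
function attributeShare(db, attr, value) {
  return db.filter((fp) => fp[attr] === value).length / db.length;
}

// Bits of identifying information: a value shared by 1 in 8 fingerprints
// carries 3 bits. A value never seen before (share 0) yields Infinity.
function surprisalBits(share) {
  return Math.log2(1 / share);
}

// Stored fingerprints identical to the visitor on every attribute. Zero means
// the combination is unique even if each single value is common.
function matchingFingerprints(db, visitor) {
  const attrs = Object.keys(visitor);
  return db.filter((fp) => attrs.every((a) => fp[a] === visitor[a])).length;
}

function uniquenessReport(db, visitor) {
  const perAttribute = {};
  for (const attr of Object.keys(visitor)) {
    const share = attributeShare(db, attr, visitor[attr]);
    perAttribute[attr] = { share, bits: surprisalBits(share) };
  }
  return { perAttribute, matches: matchingFingerprints(db, visitor) };
}

// An uncommon version makes the visitor unique; the same browser reporting
// the common version blends in with two stored fingerprints.
const UNCOMMON = { browser: "Chrome", version: "74", language: "en", timezone: "UTC-5" };
const COMMON = { ...UNCOMMON, version: "73" };
```

Running `uniquenessReport(STORED, UNCOMMON)` and then `uniquenessReport(STORED, COMMON)` shows the version attribute dropping from 3 bits to 1 bit and the number of matching fingerprints rising from 0 to 2.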
There Ought to Be a Law…
There is a law against this, sort of. Before getting into steps you can take to protect yourself against Browser Fingerprinting, we should talk about some relevant legal activity that took place in the EU in 2018. That’s when the GDPR (General Data Protection Regulation) went into effect.
The idea behind GDPR is that companies can only gather personal data if it has a legitimate business use. According to the educational site EU GDPR.ORG,
Any organization gathering personal data needs to be able to prove that it is doing so in compliance with one of the six legally acceptable reasons described in the GDPR. Theoretically, any site complying with the GDPR requirements will be prevented from using Browser Fingerprinting to spy on you the way it does now.
Of course, the GDPR is not a cure-all. Sites that had no qualms about using Fingerprinting to spy on you in the first place may not bother to comply with the GDPR. And the law only applies to businesses established in the European Union (EU) or that offer goods or services to citizens of the EU. So sites that don’t have a deal with Europe can continue to fingerprint without worrying about the law.
The EFF (Electronic Frontier Foundation) has a great article with lots more details on how GDPR should make it harder for websites to use Browser Fingerprinting against you.
What Can You Do to Stop Browser Fingerprinting?
If you have tested your browser at Panopticlick and AmIUnique as we suggested, you are probably disgusted with how easily someone can identify your computer with Browser Fingerprinting.
So what can you do about this? There are some things you can do. But first, let’s address some common questions:
Can’t my anti-virus/malware app deal with this for me?
Your browser shares the information used for fingerprinting with any site out there automatically, and fingerprinting doesn’t require installing anything on your computer or making it do anything weird like a virus or malware would. As a result, unless a site is also using some kind of malware to gather additional information, your anti-virus/malware app has nothing to watch out for and nothing to block.
What about my VPN? Won’t that protect me?
Your VPN will hide your IP Address from the world, which helps a little bit. But your IP Address is only one of the many characteristics that make up a Browser Fingerprint. The end result is a slightly less unique fingerprint, nothing more.
Can Incognito Mode Help?
We’ve seen some writers recommend using a browser’s Incognito Mode (this mode goes by different names depending on which browser you are using) to protect against Browser Fingerprinting. But that’s not an approach we recommend.
As with using a VPN, Incognito Modes only affect some of the characteristics used to create a Browser Fingerprint. In most cases, that isn’t enough to really protect you. Let’s look at a few screenshots so you can see what we mean.
Note that in all the examples in this section, we used Panopticlick to see how well the browser was protected from fingerprinting. Also, keep in mind that these results are not a comprehensive study of the full range of Internet users. Instead, they are the results gathered from people who voluntarily used Panopticlick to test their browsers. Even so, they can give us an approximation of what is going on in the full universe of Internet users.
Normal and Incognito Window with Google Chrome
Here are the results for a regular Google Chrome window:
And here are the results for a Google Chrome Incognito Window:
As you can see, while my normal Google Chrome fingerprint was completely unique, the Incognito Window did match up with one other user. Still, with odds of over 108,000 to 1 against mistaking your browser for theirs, you are pretty darn close to unique.
So What Does Work?
Unfortunately, there isn’t a configuration setting we can change to eliminate Browser Fingerprinting. Nor is there some free browser extension (or set of browser extensions) we can install to eliminate the problem.
All we have right now is a set of things we can do to decrease the uniqueness of our Browser Fingerprints and block at least some of the companies that are likely to use this technique to spy on us. We recommend that you:
- Use a Popular Web Browser
- Install Browser Security Extensions
- Disable Flash
- Consider Compartmentalizing Your Internet Access
1. Use a Popular Web Browser
Information about the browser you are using is an essential part of any signature. Using a popular web browser like Chrome or Firefox significantly increases the universe of Internet users who might have the same Browser Fingerprint as you.
According to StatCounter (as reported on this Wikipedia page), these were the first and second most popular browsers as of May 2019. While Chrome has by far the biggest market share, Firefox is increasingly popular with privacy-minded individuals.
2. Install Browser Security Extensions
There are several security extensions that can help you fight against Browser Fingerprinting. Some aim to anonymize various characteristics used for fingerprinting, while others attempt to block related tracking techniques and/or sites that are known to spy on their visitors.
Two good options to consider here are:
Look for these in your browser’s app store.
3. Disable Flash
Flash is a multimedia platform that was once a big part of the web browsing experience. Unfortunately, it is also very vulnerable to hacker attacks, making it one of the prime ways trackers and spyware find their way onto computers.
And Flash is on its way out. It was never supported in mobile browsers, and all support is due to stop at the end of 2020. Few sites require Flash these days, and disabling it can only help against fingerprinting and other forms of spying. Your browser likely has an option in Settings for disabling this.
4. Consider Compartmentalizing Your Internet Access
Compartmentalizing your Internet access means using more than one web browser to access the web. At its most basic, you would dedicate one browser (we’ll call it Browser1) to use for any site you need to log into, like your online banking account or your social media sites. You would dedicate another browser (Browser2) to doing searches, visiting news sites, anything you do online that doesn’t require logging in.
On Browser2, you can likely apply all the tips we’ve just covered without causing yourself problems. And if some of these less crucial sites break, you can always switch to a comparable site that doesn’t break just because you are protecting yourself.
On Browser1, you could then apply the tips we’ve listed here, one by one, and test to see that they don’t break those sites you need to log into. You wouldn’t end up with as much protection as with Browser2, but you will have as much as you can get without breaking anything crucial.
Even though Browser1 and Browser2 will still be fingerprintable, they will have different fingerprints, making it harder to track you across all your online activities.
You could, of course, continue to extend this approach. Use one browser for general stuff, another for online financial stuff, another for social media sites, and so on, limited only by the number of different web browsers you want to install on your computer. An even more extreme version of this approach is to use a different virtual machine (VM), or a different physical device, in place of each browser.
For more information on Compartmentalizing Your Internet Access, check out this Fast Company article.
Browser Fingerprinting is a difficult-to-counter way websites can track our Internet use without our permission and without leaving any evidence on our computers.
So far, there are no perfect solutions to the problem available, but there are steps you can take to minimize it. This article lists several things you can and should do to reduce your exposure to this problem.
We also recommend using a VPN whenever possible. Although it won’t completely negate browser fingerprinting, it does offer good basic identity protection from ISP snooping, etc., especially if you want to be downloading torrents, playing in online casinos, using crypto exchanges, etc. when you are based in jurisdictions that do not allow that.