Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.
Browser Fingerprinting: Everything You Need to Know
In 2020, information is the new currency. The internet is free, but it comes at the price of our anonymity. While the average person holds privacy at a premium, most of us rarely realize the true value of our personal data until there’s a breach or our identity has been stolen. 💻
No matter how little time we spend online or how careful we are, we’re tracked, analyzed, and targeted every time we type an IP address into our browser.
Many of the tracking methods used online are innocuous.
They are deployed merely to gain information so that businesses can provide a more custom browsing experience.
Most consumers accept some amount of tracking as the price of convenience. Those who don’t simply delete their history and disable cookies.
An increasing number of computer users take the extra step of putting security measures in place to protect their privacy and keep them safe from hackers.
What if I told you that there’s still a way your device, network, and activity can be identified right down to a set of characteristics so unique that the odds are only one in 286,777 that another browser will have the same identifiers as you?
This method is called browser fingerprinting, and those who use it can gather and store your information without detection and despite your efforts to cover your tracks.
What is Browser Fingerprinting?
Browser fingerprinting is something that was created at the dawn of the internet for the purpose of identifying a particular computer and sending it pages that were optimized for that browser.
Nearly thirty years later, we have a wealth of devices, networks, browsers, and service providers, making unique identifiers relating to configuration necessary.
However, they aren’t just used to provide content in the correct time zone or make our surfing experience more comfortable and glitch-free.
Browser fingerprinting culls all kinds of information about our devices to create a unique but indirect profile of each user.
The data collected includes:
- The user-agent, which is your browser
- Platform, which is your operating system
- Whether you have plugins installed and which ones
- Whether you have cookies enabled or a “do not track” function activated
- Your timezone
- What fonts you have installed
- Your screen resolution
- Your canvas hash
- Whether you’re using local and/or session storage
- Your content language preference
- Your WebGL vendor and renderer
This is just a partial list of the data uncovered by browser fingerprinting, and new APIs are being developed all the time that will enable more detailed user profiles. You can check this information for yourself on your own browser right now.
Just go to your browser’s JS console and use the command key combo for your browser.
Chrome users: Control+Shift+J (Windows) or Command+Shift+J (Mac)
Firefox users: Control+Shift+K (Windows) or Command+Shift+K (Mac)
Safari users: Command+Option+C
Edge users: F12
These may seem like insignificant bits of information. Surely, they can’t reveal your name and address or account numbers, right?
While it’s true that fingerprinting won’t uncover personal information, it reveals just enough about you to show a pattern of activity and pinpoint your general location, among other possibilities.
The Implications of Fingerprinting
Advertising is a multi-billion dollar industry. Gaining a competitive edge is essential when there are literally thousands of companies fishing from the same pool of potential customers. As much as technology has been a boon to consumers, it’s the life’s blood of marketers and their clients.
Facebook alone relies on advertising for 97 percent of its profits.
Using browser fingerprinting techniques, companies can build huge databases of information about customers and use the characteristics to match and segment entire groups of people to target for advertising purposes.
The more data they collect, the more valuable and useful the information. In fact, digging deeper through cross-browser fingerprinting can identify a single device 99 percent of the time.
However, fingerprinting isn’t just about bolstering marketing efforts. Much like the police use fingerprints to solve crimes, digital fingerprints can be used to identify botnets and detect fraud on financial platforms by identifying when accounts are accessed from a new device or location.
So, there is an upside.
How Businesses, Internet Spies, and Others Get Your Digital Fingerprint
From a user standpoint, the internet is a miraculous but simple thing. You click on a link, tap an image, or type in an IP address, and the browser takes you to the appropriate web page.
Underneath, there’s a whole lot going on that only developers and tech writers know about.
Whenever you surf the internet, your course is guided by a series of requests and responses from your browser to a server and back again.
This is true even if you have a VPN installed.
Virtual private networks merely control the type of information collected, if any, and who will be able to access it.
Servers and browsers still need to know where you want to go and what you want to do while you’re online. Privacy guards simply keep other people, like hackers or government agencies, from seeing the details.
There is a variety of methods and purposes for tracking users and collecting their information.
Understanding these methods and reasons shouldn’t be the exclusive domain of developers and marketers. Your control over them varies by type of tracking method and your access to solutions, but knowing what methods are used and how they work will provide you with options for protecting your privacy.
Cookies and Tracking Technology
They’re small data packets that are downloaded and stored on your computer when you visit a website. The information that’s collected is supposed to provide visitors with a more meaningful experience, and it includes your browsing habits, screen size and resolution, interests, and more.
Each interaction triggers a response and collects more data.
You get a certain amount of “cookie” data sent when you load some page, but when you load another page from the same website the server hosting that website gets the information that it came from the same computer.
Unless you disable or delete cookies, they’ll identify you to the website each time you visit and customize your experience based on the information in the cookie text file.
This is an updated version of browser fingerprinting that’s in line with HTML5. With canvas fingerprinting, the HTML5 code that’s used to build the website contains a small snippet of code called a Canvas API that collects your digital fingerprint.
In the original HTML protocol, Canvas was an element that created graphics on web pages.
Calling that element in HTML5 using the ToDataURL method, developers have figured out how to exploit it to detect active background colors and font sizes on the user’s computer. In this way, a fairly unique identifier can be generated and used to create a user profile.
Because nothing is downloaded or changed on the user’s side, there is no data to delete or store on your computer. It ends up in a third-party database somewhere, and you’ll never know it’s there.
None of us likes the idea of being tracked and analyzed, no matter how benign the stated purpose or seemingly innocuous the information collected. But, you can limit their ability to collect the information used to target you.
You Can Protect Your Privacy. Here’s How
If you’re unsure about how private your network is, you can test it for tracking mechanisms. One great tool is called “Am I Unique?” It measures how easy you are to identify as you surf the internet by checking 19 separate data points.
A company called the Electronic Frontier Foundation (EFF) has developed an online testing interface that will detect your susceptibility to digital fingerprinting and other online tracking methods. It can also tell whether your browser is configured to:
- Block invisible trackers
- Block tracking ads
- Unblock websites that claim to honor “Do Not Track” requests
- Block “Whitelisted” trackers
- Browsing in incognito or private mode
This information is valuable to websites who use on-page advertisers to generate revenue. If they detect that you’re using an ad blocker or other means to prohibit tracking, they can block your access to their content until you disable these features in your browser settings.
Install Safe Browsers
The TOR project has attacked this problem more directly by giving every single device using their browser an identical fingerprint.
This doesn’t affect information such as screen resolution, which may still be used to narrow down the type of device you’re using.
The TOR community recommends leaving your settings as the Windows default resolution to avoid that problem.
Further research and development into browser fingerprinting by TOR developers will hopefully produce more comprehensive solutions in the future.
Furthermore, TOR will protect not only your privacy but keep you safe from malware practices, such as browser hijacking.
Know Your Rights Regarding Data Collection
Those on the advisory board that created Europe’s data collection and protection law, the General Data Protection Regulation (GDPR), foresaw arguments from marketers and others about the benign and harmless nature of fingerprinting, stating that:
“… to argue that individuals are not identifiable, where the purpose of the processing is precisely to identify them, would be a sheer contradiction in terms.”
This led to the inclusion of digital fingerprinting as a process of data collection under the auspices of GDPR oversight. Therefore, any company or other entity that employs browser fingerprinting to track users must inform visitors of this practice in an unambiguous manner and receive their consent to do so. Failure to comply will result in hefty fines and possible banishment.
However, this only applies to websites and companies located in Europe and those that have a European reach. US citizens can find out how they’re protected here.
You’re only as safe as your knowledge base and the technologies in place to protect you. Make sure to read any terms of service or disclosures, privacy policies, and popup notifications in their entirety before using a website or agreeing to anything.
If you come across a website that prohibits access until you disable features, decide how important your access to that content is and whether it’s worth being tracked or targeted.
Always install a good VPN on your devices and networks, and segment your network to keep personal, IoT, and business devices separated.
Make sure that your firewalls are properly configured and have rules set in place. Install plugins like AdBlocker Plus or NoScript to block invisible trackers and advertising spyware. Make sure that you’re using antivirus, anti-spyware, and anti-malware applications, and keep them updated.
In the end, they can only take your information if you allow it. You can’t halt all tracking. But, you can decide if the information you need from the internet is worth the information you give up to access it and surf accordingly.
While there’s no escaping the necessity or reality of fingerprinting, you can monitor your online vulnerabilities and take precautions to minimize the effects. For example, switching to Google product alternatives.
Hopefully, regulatory bodies and laws like the GDPR will also hold those who misuse these technologies to account.