What is Browser Fingerprinting and How to Stay Away From It?

Abeerah Hashim  - Security Expert
Last updated: August 25, 2024
Read time: 21 minutes Disclosure
Share

Web browser fingerprinting, also dubbed canvas fingerprinting, is a serious threat you must learn about and take the necessary steps to avoid.

THE TAKEAWAYS

No technology is good or bad in itself. It’s its use that makes it advantageous or destructive. The same applies to browser fingerprinting, too. This unique method of user profiling plays a crucial role in making the World Wide Web a safe place for everyone. For your privacy and smooth browsing experience, you can use plugins to block intrusive ads and trackers. You can also achieve greater privacy with Mozilla Firefox, which blocks most fingerprinters by default. Besides, make a habit of private browsing to fend off cookies, too.

Encryption

As you visit any website, your device communicates with the site and sends your information to it, such as device details, location, and browsing history. These remain stored on the internet and serve as digital fingerprints. Its sole purpose is to enhance users’ browsing experience.

Unfortunately, browser-generated fingerprints aid advertising agencies and snoopers in tracking your online activities. They provide enough data to impersonate your profile. Fortunately, there are effective methods to control online tracking via browser fingerprinting.

In this guide, we will explain browser fingerprinting and how to avoid it.

What is browser fingerprinting?

What is browser fingerprinting?

When you connect to the internet via your PC, laptop, or smartphone, your device communicates with the websites you visit, sending lots of data about you to the sites.

Since you use a browser to enter the online world, all the data is transmitted through your browser.

This information includes precise details about you, such as your device information, browser information, location, network, and other data. All this is in addition to the information about your browsing habits.

Ideally, your data generated online should disappear after you complete your browsing session and close your browser. But this does not happen.

Instead, the online world stores all your data so that you do not appear anonymous online the next time you visit.

However, this looks like a facility for netizens as it helps them achieve a tailored browsing experience. Yet, advertisers and web trackers also use the same data to monitor users.

This entire process is called ‘digital fingerprinting’ – tracking your online fingerprint generated by your browser.

How does an online fingerprint identify me?

With browser fingerprints, the information collected about you includes numerous data points that predominantly help track the following details.

  • Type of browser and version
  • Browser settings
  • Active plugins
  • IP address
  • Device Operating System
  • Device type and model
  • Network type (or ISP)
  • Device time zone
  • Users’ location
  • Language
  • Screen resolution
  • Active JavaScript
  • Active Flash

These details do not precisely help identify you as Alice or Joe. However, it certainly makes it easier to profile the user behind the device, who, upon further tracking, may be identified as Alice or Joe.

This happens because these details together make up a unique fingerprint that is not likely to be present with someone else.

For instance, many users living in the USA might use Chrome browsers on their Windows systems. However, not all of them would likely have the same IP address, location, browsing habits, screen resolution, active plugins, etc.

According to a Panopticlick study, only 1 in 286,777 users will likely have the same browser fingerprints. This makes you unique (and identifiable) online.

So, this is how websites and web trackers keep a record of you.

When they continue recording all this information, they eventually can identify you in person, for example, by tracking your social media profiles or other data.


Who uses browser fingerprints and why?

Browser Fingerprinting

Although, the idea of continuous tracking of online activities seems absurd.

As an independent citizen, internet freedom is your due right, which brows tracking seemingly violates.

Such browser tracking constantly leaks (or shares) explicit details about your device and your browsing habits. The brokers eventually log all this information to sell or share with third parties.

Pretty intrusive, isn’t it?

However, browser fingerprints are not always so bad. Sometimes, it is used for good purposes, such as security.

In short, it all depends on the ultimate aim of the third party collecting the data, whether user fingerprinting is good or bad. Likewise, it also depends on whether the users consent to such tracking.

To let you understand things better, here I briefly discuss how different sources use browser fingerprints.

1. Ensuring users’ online security

One of the prime uses of browser fingerprints is in the domain of online security.

Wondering how this privacy-intrusive feature is vital for security purposes?

As you know, device fingerprinting lets the authorities get a good record of an online user. So while they may not know your name, they certainly identify you via your digital footprints as the ‘user X.

This digital tracking of users lets the cyber authorities identify whenever someone tries to perform malicious activity.

For instance, security companies employ fingerprint browsers to detect lousy traffic and hence, the ‘bad guys.’

Since they know how a genuine user behaves online, they will immediately detect and block any unusual activity, such as a botnet attack.

Likewise, digital fingerprinting helps identify individual perpetrators by tracking persistent malicious behavior. This helps the authorities in taking down malicious content from the web.

Also, this is useful for assuring a safe online experience for all by spotting pirated software, malicious tools, online frauds and PayPal scams (alongside other online shopping hoaxes), and identity theft cases.


2. Securing internet banking

Like you, the users, who have to implement the best practices for safe online banking, like setting up strong passwords and 2FA, the banks, on their end, also have to work day and night to provide you with the most secure banking experience.

That’s where they leverage browser fingerprints.

Tracking the users visiting their portals, banks strive to ensure that only their legit customers make their way through.

Of course, your bank can’t see your face or know your name when you log in to your online account. However, knowing your online fingerprints would verify the real you on the other end.

You can understand this monitoring by observing how you quickly sign in to your account using your trusted device, but you face problems logging in from another device.

And that becomes even more troublesome if you change your geographical location.

In the same way, if someone else attempts to sign in to your online banking account, the bank authorities would be alerted. Thereby fending off the malicious attempt.


3. Online advertising purposes

Another common reason (though not a good one) for digital fingerprinting is online advertising.

Be it the tech giants, like Facebook and Google, or the advertisers themselves, these companies keep on fingerprinting your online existence.

For this, they can go to any extent, from fingerprinting cookies with your consent to the defiant and stealth use of web trackers.

Such data collected by logging your online details is beneficial for advertisers. This way, they get your unique online profiles, which further helps them show you ads that are relevant to your interests.

On the one hand, such precise ad targeting directly helps the business to generate more sales revenue.

On the other hand, this precise profiling lets them dominate online advertising as they can share your data with others.

As far as the breach of privacy is concerned, it looks like a bad idea.

However, it is also helpful for the services that cater to the needs of their customers for free.

For example, you don’t have to pay anything to use Facebook, Twitter, or even Google, because they make their money by profiling your data and selling it to advertisers.

Similarly, this online fingerprinting and subsequent advertising also support free journalism.


How browser tracking (fingerprinting) gets done

Tracking-Icon

Now that you know that your browser throws online data about you, it is also evident that the websites have employed specific ways to catch and record all of this information.

So how do these websites receive all this data from the browser installed on your devices?

They actually use some small tools that give them significant gains in this regard. Here I list some of these methods predominantly used by web trackers.

1. Cookies and javaScript

The most common and used way of collecting data is via cookie tracking. (This is the same thing you usually consent to by clicking on ‘I accept’ or ‘OK’ when you visit a website for the first time.)

So, what are cookies?

Well, you can think of them as bribes from the websites to your browser to share your data.

Technically, they are small data files placed on your device (computer or smartphone) by the websites you visit.

The websites log and identify your device on your next visit through these data files.

That’s why previously visited sites load relatively more quickly than the ones you visit the first time.

Moreover, the sites also use cookies to remember your customized settings and provide you with the desired experience in the future. This includes your desired screen resolution, site fonts, themes, and other changes.

Besides optimizing the user experience, cookies also help websites to provide your data for statistical analyses. For instance, these cookies help the sites identify new and recurring visitors.

Similarly, websites belonging to businesses and advertisers use cookies to track your browsing habits and show ads.

Together with fingerprinting cookies, websites also use JavaScript to track users.

The JavaScript interacts with your browser to show dynamic media, such as playing videos. However, alongside loading the content, JavaScript also gathers data about you.


2. IP address logging

While some websites let you disallow cookies, you can never block the sites from seeing your IP address.

It’s because a web server requires this IP address to respond to your query whenever you visit a website. It can’t respond to you if it doesn’t get your IP. Hence, you can’t visit the desired site.

The IP address plays a crucial role in chasing you online.

These unique numbers inform websites about your location, network, device, etc.

The websites can even chase this IP address to track all of your devices connected to the network and log your browsing habits.

Ever wondered why you get a similar browsing experience on your smartphone and PC at home? Or, why do you start seeing ads for products that someone in your family bought online through some other device?

Both devices show the same IP address online – the one assigned by your network. This lets the websites know that both devices belong to the same user.

In short, your IP address is your online identity which the websites love to record about you. That’s why I always advise hiding or changing IP addresses while discussing online security.


3. Canvas fingerprinting

Another relatively newer strategy to log your browser fingerprints is canvas fingerprinting. Here, the websites take help from the element managing the graphics on the web page to track you.

How does this work? I hear you ask.

Websites today employ HTML5 – a coding language – as its core fundamental.

The HTML5 code includes an element called ‘canvas.’ This element mainly handles the way graphics appear on your screen.

That includes the appearance of your device’s fonts, colors, backgrounds, and other settings.

Since this isn’t likely the same for every user, it becomes a distinct identifier for the respective device.

Thus, the following detail is what the websites use as your digital fingerprint.

What makes this method even more powerful is that it allows cross-browser fingerprints. The websites can still identify you even when you use multiple browsers on your device.

This is because this method doesn’t rely on browser information. Instead, it goes far and beyond to track your device settings.

The idea of canvas fingerprinting gained traction in 2014 when Acar et al. elaborated on it in their research paper and other web-tracking methods. Explaining how canvas fingerprinting works, the researchers stated in their paper,

When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors. Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in the data URL format, which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data, which serves as the fingerprint and may be combined with other high-entropy browser properties such as the list of plugins, the list of fonts, or the user agent string.

This particular tracker is beyond your control because this method doesn’t involve storing anything on your device.

Instead, just like the IP address, this is simply what the websites log about you. However, unlike the IP address, you cannot change or mask it.


How to keep yourself protected against browser tracking

Online safety tips

Regardless of how intrusive and sneaky strategies web trackers adopt, you can always find ways to protect yourself.

Thanks to the cybersecurity community that keeps working on different methods to help you protect your privacy.

Below I quickly list all the practical methods that help you prevent browser fingerprinting.

1. Using Virtual Private Network (VPN)

Like always, a VPN is your savior to protect you against most privacy-breaching attempts.

As you know, VPN or Virtual Private Network is a great tool that masks your online identity. It acts as a barrier between your device and the internet, creating a veil on your device.

What is a VPN 1220x745

Doing so enables the VPN to redirect all data generated from your device to its own servers first. Then, when your data leaves its servers, the web sees your details as belonging to your VPN client.

Hence, VPN lets you mask your country’s IP address, change your virtual location, and encrypt all your data.

So, regarding browser fingerprints, VPN lets you fend off IP address and location tracking elements.

Though, not every VPN is robust enough to hide you online. For instance, VPNs often leak your actual IP address and other details to the websites. Things are even worse for free VPNs that do not shy away from logging your data.

So, if you are genuinely concerned about your privacy, use a robust VPN like ExpressVPN. It offers numerous great features that ensure adequate privacy for you, such as military-grade encryption, a Kill Switch, and a huge network of servers offering a seemingly never-ending range of IP addresses you.

Nonetheless, as stated above, other fingerprinting methods, such as canvas fingerprinting, directly track your device’s hardware.

Of course, a VPN can’t mask your hardware. Nor can it change your device display settings.

Therefore, you must also employ other strategies for inclusive browser fingerprint spoofing.


2. Using private browsing or Incognito mode

Another way to avoid generating your unique browser fingerprint online is to use private browsing.

Most secure browsers

The first benefit of using private browsing modes is that it prevents websites from setting cookies on your device. When you close the private browser window, all the cookies are deleted, leaving no traces of the websites you visit.

This is especially important for visiting websites with trackers like e-stores and social media platforms.

Secondly, with stealth browsing, you also prevent websites from remembering your custom settings. Hence, they cannot count on you and trace you as a new visitor.

Although, private browsing doesn’t prevent websites from canvas fingerprinting or other evasive methods. Yet, it at least protects from continuous surveillance.

Moreover, private browsing settings also assign a generalized profile set to your device.

So, even if the websites log these details, they won’t be exclusive to you. In this way, you can avoid generating a unique fingerprint online for yourself to a greater extent.

Using this method doesn’t require you to have technical knowledge. Remember, whichever browser you use, make it a habit to surf online in private mode.

This model has various names in different browsers, so you may need to watch out for it via browser settings.

As for the users of popular browsers, here is what you should look for:

  • Mozilla Firefox: Private Window
  • Google Chrome: Incognito Window
  • Microsoft Edge: InPrivate Window
  • Apple Safari: Private Browsing

Also, you can turn to secure web browsers instead of traditional ones for private browsing.


3. Using anti-tracking plugins

Another way to avoid online fingerprinting is to block known tracking elements. For this, you can install various add-ons to your browser.

web browsers engines

As explained above, everyday things through which websites chase you include JavaScript, advertisements, invisible trackers in otherwise non-intrusive ads, and graphics.

So, to prevent all such elements, you use plugins that block ads, malicious JavaScript, and block trackers.

Although, users of Mozilla Firefox might not need to install different plugins.

The Firefox browser allows users to set up ‘Strict’ settings for content. This setting automatically blocks all web trackers, ads, fingerprints, and crypto miners.

However, for users of other browsers, plugins like AdBlock Plus, EFF’s Privacy Badger, and NoScript work wonders. These plugins specifically block malicious ads, spying and malicious codes, invisible trackers, and other fingerprinters.

However, while using these plugins, be ready to experience some browsing issues, as some websites do not load correctly when tracking elements like JavaScript are blocked.

Though, such performance issues are a red flag in themselves. So, you can either choose to stop browsing such sites or enable their content if you really need to visit those sites.


4. Disabling Flash and JavaScript

A common problem with browser plugins is that they sometimes collect users’ data.

Hence, you can manually disable Flash and JavaScript on your browser as an alternative.

Doing so enables you to prevent websites from detecting the details of your device, like a list of active plugins, device fonts, and others.

Also, disabling Flash and Java prevents websites from placing certain cookies.

Though, as with blocking JavaScript via plugins, disabling Java may cause some websites to break. In turn, you will experience coarse browsing.

However, blocking Flash does not impact your browsing experience at all.

In fact, most modern browsers already disable Flash by default, given its intrusive properties. So, unless you visit an old website, you’ll face no trouble.


5. Using the anti-malware program

Don’t scroll down just by reading the word ‘antimalware’ in the heading.

Here, we are not talking about the average antivirus that you might already have installed on your device.

FFdroider malware

Instead, I’m referring to the more robust and comprehensive antimalware solution.

Confused? Let us explain.

Antivirus is just a program that protects your device against viruses.

But antimalware is an advanced tool that protects your device against malicious software, such as spyware and adware.

So, on top of your antivirus, you need robust antimalware that can block intrusive elements and web trackers.

After installing a comprehensive antivirus with antimalware capabilities, the software will alert you whenever a website attempts to install a toolbar, show a popup, or an intrusive ad. You can then decide whether to allow the blocked elements or not.

Besides, you can also set up regular scans on your antimalware tool for real-time protection.


6. Using Tor Browser

Lastly, you can avoid device fingerprinting by using the Tor browser.

Tor, or The Onion Router, is a dedicated browser offered by Mozilla – the maker of the Firefox browser.

Use TOR to unblock blocked websites

Though, Tor works just like another browser.

But it brings numerous innate features to protect your privacy, such as automatic blocking of web trackers and JavaScript, encrypting your data, and more. These features make Tor browser fingerprinting difficult for most websites.

However, it is merely a browser. So, if you use multiple browsers, using Tor together with Firefox or Chrome won’t help protect browser fingerprints.

Yet, switching to Tor as your sole browser might provide you with better control.

Nonetheless, considering the greater access of Tor to the dark web, using Tor may bring you on the radar of your ISP and the governments.

So, you should ideally use a VPN with Tor. Doing so will only make your ISP see that your data is encrypted without getting a hint about you using Tor. Plus, the benefits of a VPN will make your browsing safer than ever.

Although this combination of Tor+VPN provides much greater control of the device fingerprint, be ready to witness speed lags while browsing.


How can I test my browser’s fingerprinting?

Pay attention to what your browser considers unsafe

Perhaps, after knowing how websites track you, you might consider testing and seeing your browser fingerprint. Aren’t you?

Thanks to privacy freaks and security enthusiasts, you have some tools to check how websites chase you.

Though, they might not be 100% accurate. But, at least they are robust enough to give you an idea of what your browser leaks about you so that you can control it.

Here I list two of these.

1. Panopticlick

Powered by the Electronic Frontier Foundation (EFF), Panopticlick started as a research project to assess browser fingerprinting.

Today, it is one of the reliable tools for users to check what data their browsers or devices leak online.

Using the tool is relatively easy. Go to the Panopticlick website and click the ‘TEST ME’ button on your screen.

After a few seconds, you will be redirected to a new screen showing the results.

The tool will assess your device’s fingerprint by checking whether the browser

  • Blocks are tracking ads.
  • Blocks invisible trackers.
  • Prevents trackers embedded in ‘acceptable ads’ (the type of ads some adblockers allow considering non-intrusive).
  • Blocks third-party trackers honoring ‘Do Not Track.’
  • Has a unique fingerprint.

In my case, the tool showed me mixed results for my browser fingerprint protection.

Despite using Adblocker, preventing cookies, and blocking most other plugins, my browser generated a unique fingerprint for me.

Panopticlick browser data leak test

2. Am I Unique

Another excellent tool to check your online fingerprint is ‘Am I Unique.’ This tool also analyzes the browser data against a comprehensive list of attributes.

Compared to Panopticlick, Am I Unique shows more detailed results, making it suitable for techies?

Using this tool is also simple. Just visit the website of Am I Unique (https://amiunique.org/) and click on the ‘View my browser fingerprint’ button.

You will then see the results where the tool will tell you about all the details gathered from your device.

It also tells how unique your fingerprint is among all others gathered over the period.

In my case, Am I Unique marked my device as having a unique fingerprint among 2146295 others.

Besides this tool has also set up a dedicated FAQ section sharing quick information about the niche.


GDPR and browser fingerprints

Digital tracking has pros and cons for users, advertisers, and web trackers.

Fingerprints

However, since internet users are predominantly left at the mercy of tech giants and advertisers, this data collection seems more controlling on the users, giving undue or extensive advantages to the other party.

Therefore, to keep a check on the monetization of users’ privacy, GDPR partially ensures browser fingerprinting protection.

The GDPR (General Data Protection Regulation) came into effect in 2018 to empower users with privacy.

However, the apparent privacy and security advocacy left the businesses wondering how these laws would affect their revenue.

Nonetheless, these European laws are struggling to balance data privacy and monetization to make things a win-win for both users and businesses.

For this, GDPR compels all services to explicitly explain to the users the use of cookies – the prime tool for browser tracking.

Moreover, it has bound all businesses collecting users’ data to elaborate on why and how they need to collect it. Something which GDPR refers to as the ‘legitimate interest.’

GDPR defines this ‘personal data’ as,

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

While these laws sound good to the users, they do not explicitly regulate online tracking. Instead, they merely revolve around the collection of data via cookies.

However, the ePrivacy Directive more precisely addresses the browser fingerprinting issues.

Because of these laws, you often see websites explicitly asking for your consent for different types of cookies, giving you more control.

Browser fingerprinting future

Earlier, browser fingerprints relied more on cookies.

But today, cookies merely serve as a visible and direct means for websites to obtain user data for different purposes. Thanks to the GDPR and other laws that compel websites to mention the use of cookies clearly.

Browser Fingerprinting

However, when it’s fingerprinting, the technology continuously develops as the browsers evolve. Thus, it includes much more than the average cookies, some of which I mentioned in the above sections. That’s where things seemingly go out of users’ control.

Nonetheless, a deeper look at browser fingerprinting reveals that the technology does not really suffice user identification. Nor does it produce accurate results when it’s about user tracking.

So, the sole viable purpose of fingerprinting remains to ensure online security.

With adequate fingerprinting, services can get more comprehensive data about their user base. This, in turn, helps them in better statistical analyses for improving customer experience.

Similarly, cybersecurity services can use browser tracking to segregate legit users from the bots and perpetrators.

Due to these beneficial uses, online fingerprinting isn’t going anywhere. It was there even when the internet was in its infancy. And it is here to stay for the foreseeable future too.

The only change it may undergo would be in the ways and means websites use for device fingerprinting.

Although, these plus points do not blur the fact that identifying and preventing fingerprinters remains tricky.

However, keeping in view the increasing awareness about online privacy among internet users, we may expect to see more advanced and privacy-friendly device fingerprinting in the coming days.

Share this article

About the Author

Abeerah Hashim

Abeerah Hashim

Security Expert
172 Posts

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

More from Abeerah Hashim

Comments

No comments.