All about browser fingerprinting and how to avoid this severe web threat

Last updated by   Abeerah Hashim
Disclosure
Web browser fingerprinting, also dubbed canvas fingerprinting, is a serious threat you must learn about and take the necessary steps to avoid.

Back in the 1960s, the internet started as a privacy-oriented information sharing and networking technology.

It certainly continued respecting the users’ privacy for quite a while until Silicon Valley started rising.

After that, the tech giants and advertisers began leveraging the internet for monetization by increasing user tracking. These advertisers and tracking entities keep on chasing internet users as they surf online.

Though, thanks to privacy advocates, that people started to become aware of their internet privacy. Today, 90% of American users deem their online privacy paramount.

That is the reason why we have so many anti-tracking tools, such as adblockers and IP masking tools. These tools tend to prevent the trackers to a certain extent. However, still, the advertisers and trackers keep on hunting users’ privacy.

The base of all this tracking phenomenon is digital or browser fingerprinting.

Every user, knowingly or unknowingly, leaves a unique browser fingerprint online. Because of these digital fingerprints left online by the users, including you, the trackers can chase you.

Does that mean that you cannot fend off these tracking elements ever?

Certainly, no!

With this article, you will learn how browser fingerprinting works and how you can ensure protection against digital fingerprints.

What is browser fingerprinting

When you connect to the internet via your PC, laptop, or smartphone, your device communicates with the websites you visit, sending lots of data about you to the sites.

Since you use a browser to step into the online world, all the data is transmitted through your browser.

This information includes precise details about you, such as your device information, browser information, location, network, and other data. All this is in addition to the information about your browsing habits.

After you complete your browsing session and close your browser, ideally, your data generated online should disappear. But this does not happen.

Rather, the online world stores all your data so that you do not appear anonymous online the next time you visit.

Although, this looks like a facility for the netizens as it helps achieve a tailored browsing experience. Yet, the advertisers and web trackers also use the same data to keep an eye on the users.

This entire process is called ‘browser fingerprinting’ – that is – tracking your online fingerprint generated by your browser.

How does online fingerprint identify me?

With browser fingerprints, the information collected about you includes numerous data points that predominantly help track the following details.

  • Type of browser and version
  • Browser settings
  • Active plugins
  • IP address
  • Device Operating System
  • Device type and model
  • Network type (or ISP)
  • Device time zone
  • Users’ location
  • Language
  • Screen resolution
  • Active JavaScript
  • Active Flash

Though, these details do not precisely help in identifying you as Alice or Joe. But it certainly makes it easier to profile the user behind the device, who, upon tracking further, may be identified as Alice or Joe.

This happens because these details together make up a unique fingerprint that is not likely to be present with someone else.

For instance, many users living in the USA might use Chrome browsers on their Windows systems. But, not all of them would likely have the same IP address, location, browsing habits, screen resolution, active plugins, etc.

According to a Panopticlick study, only 1 in 286,777 users will likely have the same browser fingerprints. This makes you unique (and identifiable) online.

So, you see, this is how websites and web trackers keep a record of you.

And, when they continue recording all this information, they eventually become able to identify you in person, for example, by tracking your social media profiles or other data.

Who uses it (and why)?

Although, the idea of continuous tracking of online activities seems absurd.

Obviously, as an independent citizen, freedom of using the internet is your due right, which brows tracking seemingly violates.

Who Uses It (and Why)
(Pixabay)

Such browser tracking constantly leaks (or shares) explicit details about your device and your browsing habits. The brokers log all this information to sell to or share with the third parties eventually.

Pretty intrusive, isn’t it?

However, browser fingerprints are not always so bad. Sometimes, it is used for good purposes, too, such as for security.

In short, it all depends on the ultimate aim of the third party collecting the data, whether user fingerprinting is good or bad. Likewise, it also depends on whether the users give their consent to such tracking.

To let you understand things better, here I briefly about how different sources use browser fingerprints.

1. Ensuring users online security

One of the prime uses of browser fingerprinting is in the domain of online security.

Wondering how this privacy-intrusive feature is important for security purposes?

Well, as you now know, device fingerprinting lets the authorities get a good record of an online user. So while they may not know your names, they certainly identify you via your digital footprints as the ‘user X.

This digital tracking of users lets the cyber authorities identify whenever someone tries to perform malicious activity.

For instance, security companies employ fingerprint browsers to detect bad traffic, and hence, the ‘bad guys.’

Since they know how a genuine user behaves online, they will immediately detect any unusual activity and block it, such as a botnet attack.

Likewise, digital fingerprinting also helps in identifying individual perpetrators by tracking persistent malicious behavior. This helps the authorities in taking down malicious content from the web.

Also, this is useful for assuring a safe online experience for all by spotting pirated software, malicious tools, online frauds and PayPal scams (alongside other online shopping hoaxes), and identity theft cases.

2. Securing internet banking

Just like you, the users, who have to implement the best practices for safe online banking, like setting up strong passwords and 2FA, the banks, on their end, also have to work day and night to provide you with the most secure banking experience.

That’s where they leverage browser fingerprints.

Tracking the users visiting their portals, banks strive to ensure that only their legit customers make their way through.

Of course, your bank can’t see your face or know your name when you log in to your online account. However, by knowing your online fingerprints, it would verify the real you on the other end.

You can understand this monitoring by observing how you easily sign in to your account using your trusted device, but you face problems when you try to log in from some other device.

And, that becomes even more troublesome if you change your geographical location.

In the same way, if someone else attempts to sign in to your online banking account, the bank authorities would be alerted. Thereby fending off the malicious attempt.

3. Online advertising purposes

Another common reason (though, not a good one) for digital fingerprinting is online advertising.

Be it the tech giants, like Facebook and Google, or the advertisers themselves, these companies keep on fingerprinting your online existence.

Online Advertising Purposes
(Pixabay)

For this, they can go to any extent, from fingerprinting cookies with your consent to the defiant and stealth use of web trackers.

Such data collected by logging your online details is beneficial for advertisers. This way, they get your unique online profiles which further helps them show you ads relevant to your interests.

On the one hand, such precise ad targeting directly helps the business to generate more sales revenue.

On the other hand, this precise profiling lets them dominate the online advertising realm as they can share your data with others.

As far as the breach of privacy is concerned, certainly, browser fingerprinting looks like a bad idea.

However, it is also useful for the services that cater to the needs of their customers for free.

For example, you don’t have to pay anything to use Facebook, Twitter, or even Google, because they make their money by profiling your data and selling it to the advertisers.

Similarly, this online fingerprinting and subsequent advertising also supports free journalism.

GDPR and browser fingerprints

Digital tracking has its own pros and cons for both the users and the advertisers and web trackers.

However, since the internet users are predominantly left at the mercy of tech giants and advertisers, this data collection seems more controlling on the users only, giving undue or extensive advantages to the other party.

Therefore, to keep a check on the monetization of users’ privacy, GDPR partially ensures browser fingerprinting protection.

The GDPR (General Data Protection Regulation) came into effect in 2018 to empower users with privacy.

However, the apparent advocacy of privacy and security left the businesses wondering how these laws would affect their revenue.

Nonetheless, these European laws are struggling to maintain a balance between data privacy and data monetization to make things a win-win for both the users and the businesses.

For this, GDPR compels all services to explicitly explain to the users about the use of cookies – the prime tool for browser tracking.

Moreover, it has also bound all businesses collecting users’ personal data to elaborate on why and how they need to collect that data. Something which GDPR refers to as the ‘legitimate interest.’

GDPR defines this ‘personal data’ as,

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

While these laws sound good to the users, they do not explicitly regulate online tracking. Rather they merely revolve around the collection of data via cookies.

However, the ePrivacy Directive more precisely addresses the browser fingerprinting issues.

Because of these laws, you often see websites explicitly asking for your consent for different types of cookies, giving you more control.

How browser tracking (fingerprinting) gets done

Now that you know that your browser throws online data about you, it is also obvious that the websites have employed certain ways to catch and record all of this information.

How Browser Tracking (Fingerprinting) Gets Done
(Pixabay)

So how do these websites manage receiving all this data from the browser installed on your devices?

They actually use some small tools that give them big gains in this regard. Here I list some of these methods predominantly used by the web trackers.

1. Cookies and javaScript

The most common and most used way of collecting your data is via cookie tracking. (This is the same thing that you usually give consent to by clicking on ‘I accept’ or ‘OK’ when you visit a website for the first time.)

So, what are cookies?

Well, you can think of them as bribes from the websites to your browser to share your data.

Technically speaking, they are small data files placed on your device (computer or smartphones) by the websites you visit.

Through these data files, the websites log and identify your device on your next visit.

That’s the reason why previously visited sites load relatively more quickly than the ones you visit the first time.

Moreover, the sites also use cookies to remember your customized settings and provide you with the desired experience in the future. This includes your desired screen resolution, site fonts, themes, and other changes.

Besides optimizing the user experience, cookies also help websites to provide your data for statistical analyses. For instance, these cookies help the sites identify new and recurring visitors.

Similarly, the websites belonging to businesses and advertisers use cookies to track your browsing habits and show ads.

Together with fingerprinting cookies, websites also use JavaScript to track users.

The JavaScript interacts with your browser to show dynamic media, such as for playing videos. However, alongside loading the content, JavaScript also gathers data about you.

2. IP address logging

While some websites let you disallow cookies, you can never block the sites from seeing your IP address.

It’s because a web server requires this IP address to respond to your query whenever you visit a website. If it doesn’t get your IP, it can’t respond to you. Hence, you can’t visit the desired site.

The IP address plays a key role in chasing you online.

This unique set of numbers suffices to inform websites about your location, network, device, and much more.

The websites can even chase this IP address to track all of your devices connected to the network and log your browsing habits.

Ever wondered why you get a similar browsing experience on your smartphone and PC at home? Or, why do you start seeing ads of products that someone in your family bought online through some other device?

It’s because both of your devices show the same IP address online – the one assigned by your network. This enables the websites to know that both the devices belong to the same user.

In short, your IP address is your online identity which the websites love to record about you. That’s why I always advise hiding or changing IP addresses while talking about online security.

3. Canvas fingerprinting

Another relatively newer strategy to log your browser fingerprints is canvas fingerprinting. Here, the websites take help from the element managing the graphics on the web page to track you.

How does this work? I hear you ask.

Websites today employ HTML5 – a coding language – as its core fundamental.

The HTML5 code includes an element called ‘canvas.’ This element mainly handles the way graphics appear on your screen.

That includes the appearance of fonts, colors, background, and other settings of your device.

Since this isn’t likely the same for every user, it becomes a distinct identifier for the respective device.

Thus, the subsequent detail is what the websites use as your digital fingerprint.

What makes this method even more powerful is that it allows cross-browser fingerprints. That is, the websites can still identify you even when you use multiple browsers on your device.

This is because this method doesn’t rely on browser information. Rather it goes far and beyond to track your device settings.

The idea of canvas fingerprinting gained traction in 2014, when Acar et al. elaborated on it in their research paper together with other web tracking methods. Explaining how canvas fingerprinting works, the researchers stated in their paper,

When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors. Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in the data URL format, which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data, which serves as the fingerprint and may be combined with other high-entropy browser properties such as the list of plugins, the list of fonts, or the user agent string.

This particular tracker is certainly beyond your control because this method doesn’t involve storing anything on your device.

Rather, just like the IP address, this is simply what the websites log about you. However, unlike the IP address, you cannot change or mask it.

How can I test my browser’s fingerprinting

Perhaps, after knowing how websites track you, you might be thinking of testing and see your own browser fingerprint. Aren’t you?

How Can I Test My Browser's Fingerprinting
(Pixabay)

Thanks to the privacy freaks and security enthusiasts, you have some tools to check how websites chase you.

Though, they might not be 100% accurate. But, at least, they are robust enough to give you an idea of what your browser leaks about you so that you can control it.

Here I list two of these.

1. Panopticlick

Powered by the Electronic Frontier Foundation (EFF), Panopticlick started as a research project to assess browser fingerprinting.

Today, it is one of the reliable tools for users to check what data their browsers or their devices leak online.

Using the tool is quite easy. Just go to the Panopticlick website and click on the ‘TEST ME’ button appearing on your screen.

After a few seconds, you will be redirected to a new screen showing the results.

The tool will assess your device fingerprint by checking whether the browser,

  • blocks tracking ads.
  • blocks invisible trackers.
  • prevents trackers embedded in ‘acceptable ads’ (the type of ads that some adblockers allow considering non-intrusive).
  • blocks third-party trackers honoring ‘Do Not Track’.
  • has a unique fingerprint.

In my case, the tool showed me mixed results for my browser fingerprints protection.

Despite using adblocker, preventing cookies, and blocking most other plugins, my browser still managed to generate a unique fingerprint for me.

Panopticlick browser data leak test

2. Am I Unique

Another wonderful tool to check your online fingerprint is ‘Am I Unique.’ This tool also analyzes the browser data against a comprehensive list of attributes.

As compared to Panopticlick, Am I Unique shows more detailed results, making it suitable for techies.

Using this tool is also simple. Just visit the website of Am I Unique (https://amiunique.org/) and click on the ‘View my browser fingerprint’ button.

You will then see the results where the tool will tell you about all the details gathered from your device.

It also tells how unique your fingerprint is among all others gathered over the period.

In my case, Am I Unique marked my device as having a unique fingerprint among 2146295 others.

Besides, this tool has also set up a dedicated FAQ section sharing quick information about the niche.

How to keep yourself protected against browser tracking

Regardless of how intrusive and sneaky strategies web trackers adopt, you can always find ways to protect yourself.

How to Keep Yourself Protected Against Browser Tracking
(Pixabay)

Thanks to the cybersecurity community that keeps working on different methods to help you protect your privacy.

Below I quickly list all the useful methods that help you prevent browser fingerprinting.

1. Using Virtual Private Network (VPN)

Like always, a VPN is your savior to protect you against most privacy breaching attempts.

As you know, VPN or Virtual Private Network is a great tool that masks your online identity. It acts as a barrier between your device and the internet, creating a veil on your device.

Use VPN for digital fingerprints protection
(Pixabay)

Doing so enables the VPN to redirect all data generated from your device to its own servers first. Then, when your data leaves its servers, the web sees your details as the ones belonging to your VPN client.

Hence, VPN lets you mask your country’s IP address, change your virtual location, and encrypt all your data.

So, with regards to browser fingerprints, VPN lets you fend off IP address and location tracking elements.

Though, not every VPN is robust enough to hide you online. For instance, VPNs often leak your real IP address and other details to the websites. Things are even worst for the free VPNs that do not shy away from logging your data too.

So, if you are truly concerned about your privacy, use a robust VPN like ExpressVPN. It offers numerous great features that ensure adequate privacy for you, such as military-grade encryption, Kill Switch, and a huge network of servers offering a seemingly never-ending range of IP addresses for you.

Nonetheless, as I stated above, other fingerprinting methods, such as canvas fingerprinting directly track your device hardware.

Of course, a VPN can’t mask your hardware. Nor can it change your device display settings.

Therefore, for inclusive browser fingerprint spoofing, you need to employ other strategies as well.

2. Using private browsing or Incognito mode

Another way to avoid generating your unique browser fingerprint online is to use private browsing.

Using Private Browsing Or Incognito Mode
(Pixabay)

The first benefit of using private browsing modes is that it prevents websites from setting cookies on your device. When you close the private browser window, all the cookies are deleted, leaving no traces behind about the websites you visit.

This is especially important for visiting websites known to have trackers, such as e-stores and social media platforms.

Secondly, with stealth browsing, you also prevent websites from remembering your custom settings. Hence, they cannot count you and trace you as a new visitor.

Although, private browsing doesn’t prevent websites from canvas fingerprinting or other evasive methods. Yet, it at least protects from continuous surveillance.

Moreover, private browsing settings also assign a generalized profile setting to your device.

So, even if the websites log these details, they won’t be exclusive to you. In this way, you can avoid generating a unique fingerprint online for yourself to a greater extent.

Using this method doesn’t require you to have technical knowledge. Just remember, whichever browser you use, make it a habit to surf online in private mode.

This mode has various names in different browsers, so you may need to watch out for it via browser settings.

As for the users of popular browsers, here is what you should look for:

  • Mozilla Firefox: Private Window
  • Google Chrome: Incognito Window
  • Microsoft Edge: InPrivate Window
  • Apple Safari: Private Browsing

Also, you can turn to secure web browsers instead of traditional ones for private browsing.

3. Using anti-tracking plugins

Another way to avoid online fingerprinting is to block known tracking elements. For this, you can install various add-ons to your browser.

Using Anti-Tracking Plugins
(Pixabay)

As explained above, common things through which websites chase you include JavaScript, advertisements, invisible trackers in otherwise non-intrusive ads, and graphics.

So, to prevent all such elements, you use plugins that block ads, block malicious JavaScript, and block trackers.

Although, users of Mozilla Firefox might not need to install different plugins.

It’s because the Firefox browser offers the users to set up ‘Strict’ settings for content. Enabling this setting automatically blocks all web trackers, ads, fingerprints, and even crypto miners.

However, for users of other browsers, plugins like AdBlock Plus, EFF’s Privacy Badger, and NoScript work wonders. These plugins specifically block malicious ads, spying and malicious codes, invisible trackers, and other fingerprinters.

However, while using these plugins, be ready to experience some browsing issues as some websites do not load correctly when tracking elements like JavaScript are blocked.

Though, such performance issues are a red flag in themselves. So, you can either choose to stop browsing such sites or enable their content if you really need to visit those sites.

4. Disabling flash and JavaScript

A common problem with using browser plugins is that they start collecting users’ data at times.

Disabling Flash and JavaScript
(Pixabay)

Hence, as an alternative, you can disable Flash and JavaScript on your browser manually.

Doing so enables you to prevent websites from detecting the details of your device, like a list of active plugins, device fonts, and others.

Also, disabling Flash and Java prevents websites from placing certain cookies.

Though, as is the case with blocking JavaScript via plugins, disabling Java may cause some websites to break. In turn, you will experience coarse browsing.

However, blocking Flash does not impact your browsing experience at all.

In fact, most modern browsers already disable Flash by default, given its intrusive properties. So, unless you are visiting an ancient website, you’ll face no trouble.

5. Using anti-malware program

Don’t scroll down just by reading the word ‘antimalware’ in the heading.

Here, we are not talking about the average antivirus that you might already have installed on your device.

Using Anti-Malware Program
(Pixabay)

Rather, I’m referring to the more robust and comprehensive solution, the antimalware.

Confused? Let us explain.

Antivirus is just a program that protects your device against viruses.

But an antimalware is an advanced tool that protects your device against malicious software, such as spyware, adware, and others.

So, on top of your antivirus, you need robust antimalware that can block intrusive elements and web trackers.

After installing a comprehensive antivirus with antimalware capabilities, the software will alert you whenever a website attempts to install a toolbar, show a popup, or an intrusive ad. You can then decide whether to allow the blocked elements or not.

Besides, you can also set up regular scans on your antimalware tool for real-time protection.

6. Using Tor Browser

Lastly, you can simply avoid device fingerprinting by using the Tor browser.

Tor, or The Onion Router, is a dedicated browser offered by Mozilla – the makers of the Firefox browser.

TOR Browser Privacy

Though, Tor works just like another browser.

But it brings numerous innate features to protect your privacy, such as automatic blocking of web trackers and JavaScript, encrypting your data, and more. These features make Tor browser fingerprinting difficult for most websites.

However, it is merely a browser. So, if you use multiple browsers, using Tor together with Firefox or Chrome won’t help protect browser fingerprints.

Yet, switching to Tor as your sole browser might provide you with better control.

Nonetheless, considering the greater access of Tor to the dark web, using Tor may bring you on the radar of your ISP and the governments.

So, you should ideally use a VPN with Tor. Doing so will only make your ISP see that your data is encrypted without getting a hint about you using Tor. Plus, the benefits of a VPN will make your browsing safer than ever.

Although this combination of Tor+VPN provides much greater control on device fingerprint, be ready to witness speed lags while browsing.

Browser fingerprinting future

Earlier, browser fingerprints relied more on cookies.

But today, cookies merely serve as a visible and direct means for websites to obtain user data for different purposes. Thanks to the GDPR and other laws that compel websites to mention about the use of cookies clearly.

Browser Fingerprinting Future
(Pixabay)

However, when it’s about fingerprinting, the technology is continuously developing as the browsers evolve. Thus, it includes much more than the average cookies, some of which I just mentioned in the above sections. That’s where things seemingly go out of users’ control.

Nonetheless, a deeper look at browser fingerprinting reveals that the technology does not really suffice user identification. Nor does it produce accurate results when it’s about user tracking.

So, the sole viable purpose of fingerprinting remains to ensure online security.

With adequate fingerprinting, services can get more comprehensive data about their userbase. This, in turn, helps them in better statistical analyses for improving customer experience.

Similarly, cybersecurity services can use browser tracking for segregating legit users from the bots and perpetrators.

Owing to these beneficial uses, rest assured that online fingerprinting isn’t going anywhere. It was there even when the internet was is in its infancy. And, it is here to stay for the foreseeable future too.

The only change it may undergo would be in the ways and means used by websites for device fingerprinting.

Although, these plus points do not blur the fact that identifying and preventing fingerprinters remains quite difficult.

But keeping in view the increasing awareness about online privacy among internet users, we may expect to have more advanced and privacy-friendly device fingerprinting in the days to come.

Final thoughts

What I believe, and I trust most of you would agree to, is that no technology is good or bad in itself.

Instead, it’s the use that makes the technology advantageous or destructive.

The same applies to browser fingerprinting too.

As explained above, browser fingerprints do not always come with an intent of privacy breach.

Rather, this unique way of user profiling plays a key role in making the world wide web a safe place for all.

So, as an average user, you should not worry much about how websites track your fingerprints.

As for your privacy and smooth browsing experience, you can use plugins to block invasive ads and intrusive trackers.

You can also achieve a greater level of privacy with Mozilla Firefox that blocks most fingerprinters by default.

Besides, make a habit of private browsing to fend off cookies too.

With a little effort, you can make yourself more generalized among all internet users, eliminating your digital uniqueness. Once you succeed in this, you don’t have to ponder over device fingerprinting anymore.

Whereas, for the tech-savvy users, the privacy tools and advanced programs like Tor are all there. Use them to make yourself anonymous online on any device.

Enjoy safe browsing!

Share this article

About the author

Abeerah Hashim
Abeerah Hashim

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.

Comments

No comments.

Got Something to Say?

Leave a reply

Your email address will not be published.