All about browser fingerprinting and how to avoid this severe web threat
Back in the 1960s, the internet started off as a privacy-oriented information sharing and networking technology.
It certainly continued respecting the privacy of the users for quite a while, until the time the Silicon Valley started rising.
After that, the tech giants and advertisers began leveraging the internet for monetization by increasing user tracking. These advertisers and tracking entities keep on chasing internet users as they surf online.
Though, thanks to privacy advocates, that people started to become aware of their internet privacy. Today, 90% of American users deem their online privacy very important.
That is the reason why we have so many anti-tracking tools, such as adblockers and IP masking tools. These tools tend to prevent the trackers to a certain extent. However, still, the advertisers and trackers keep on hunting users’ privacy.
The base of all this tracking phenomenon is digital or browser fingerprinting.
Every user, knowingly or unknowingly, leaves a unique browser fingerprint online. It is because of these digital fingerprints left online by the users, including you, that the trackers can chase you.
Does that mean that you cannot fend off these tracking elements ever?
With this article, you will learn how browser fingerprinting works and how you can ensure protection against digital fingerprints.
What is browser fingerprinting
The moment you connect to the internet via your PC, laptop, or smartphone, your device communicates with the websites you visit. During this communication, the device sends a lot of data about you to the sites.
Since you use a browser to step into the online world, all the data is transmitted through your browser.
This information includes precise details about you, such as your device information, browser information, your location, network, and other details. All this is in addition to the information about your browsing habits.
After you complete your browsing session and close your browser, ideally, your data generated online should disappear. But this does not happen.
Rather, the online world stores all your data so that you do not appear anonymous online the next time you visit.
Although, this looks like a facility for the netizens as it helps in achieving a tailored browsing experience. Yet, the advertisers and web trackers also use the same data to keep an eye on the users.
This entire process is called ‘browser fingerprinting’ – that is – the tracking of your online fingerprint generated by your browser.
With browser fingerprints, the information collected about you includes numerous data points that predominantly help track the following details.
- Type of browser and version
- Browser settings
- Active plugins
- IP address
- Device Operating System
- Device type and model
- Network type (or ISP)
- Device time zone
- Users’ location
- Screen resolution
- Active Flash
Though, these details do not precisely help in identifying you as Alice or Joe. But it certainly makes it easier to profile the user behind the device, whom, upon tracking further, may be identified as Alice or Joe.
This happens because these details together make up a unique fingerprint not likely to be present with someone else too.
For instance, there could be many users living in the USA who use Chrome browser on their Windows systems. But, not all of them would likely have the same IP address, location, browsing habits, screen resolution, active plugins, etc.
According to a Panopticlick study, only 1 in 286,777 users will likely have the same browser fingerprints. This makes you quite unique (and identifiable) online.
So, you see, this is how websites and web trackers keep a record of you.
And, when they continue recording all this information, they eventually become able to identify you in person. For example, by tracking your social media profiles or other data.
Who uses it (and why)?
Although, the idea of continuous tracking of online activities seems absurd.
Obviously, as an independent citizen, freedom of using the internet is your due right, which, browser fingerprinting seemingly violates.
Such browser tracking constantly leaks (rather shares) explicit details about your device and your browsing habits. The brokers log all this information to eventually sell to or share with the third parties.
Pretty intrusive, isn’t it?
However, browser fingerprints are not always so bad. Sometimes, it is used for good purposes too, such as for security.
In short, it all depends on the ultimate aim of the third-party collecting the data whether user fingerprinting is good or bad. Likewise, it also depends on whether the users give their consent to such tracking.
To let you understand things better, here I briefly about how different sources use browser fingerprints.
1. Ensuring users online security
One of the prime uses of browser fingerprinting is in the domain of online security.
Wondering how is this privacy-intrusive feature important for security purposes?
Well, as you now know, device fingerprinting lets the authorities get a good record of an online user. While they may not know your names, they certainly identify you via your digital footprints as the ‘user X.
This digital tracking of users lets the cyber authorities identify whenever someone tries to perform malicious activity.
For instance, security companies employ browser fingerprinting as a means to detect bad traffic, and hence, the ‘bad guys.’
Since they know how a genuine user behaves online, they will immediately detect any unusual activity and block it, such as a botnet attack.
Likewise, digital fingerprinting also helps in identifying individual perpetrators by tracking persistent malicious behavior. This helps the authorities in taking down malicious content from the web.
Also, this is useful for assuring a safe online experience for all by spotting pirated software, malicious tools, online frauds and PayPal scams (alongside other online shopping hoaxes), and cases of identity theft.
2. Securing internet banking
Just like you, the users, who have to implement the best practices for safe online banking, like setting up strong passwords and 2FA, the banks, on their end, also have to work day and night to provide you with the most secure banking experience.
That’s where they leverage browser fingerprints.
Tracking the users visiting their portals, banks strive to ensure that only their legit customers make their way through.
Of course, your bank can’t see your face or know your name when you log in to your online account. However, by knowing your online fingerprints, it would be able to verify the real you on the other end.
You can understand this monitoring by observing how you easily sign in to your account using your trusted device, but you face problems when you try to log in from some other device.
And, that becomes even more troublesome if you change your geographical location.
In the same way, in case someone else attempts to sign in to your online banking account, the bank authorities would be alerted. Thereby fending off the malicious attempt.
3. Online advertising purposes
Last, but not the least, is the use of browser fingerprinting for a reason that you might not like – that is – advertising.
Be it the tech giants like Facebook and Google, or the advertisers themselves, these companies keep on fingerprinting your online existence.
For this, they can go to any extent, from fingerprinting cookies with your consent to the defiant and stealth use of web trackers.
Such data collected by logging your online details is very useful for the advertisers. This way, they get your unique online profiles which further helps them in showing you ads relevant to your interests.
On one hand, such precise ad targeting directly helps the business to generate more sales revenue.
Whereas, on the other hand, this precise profiling lets them dominate the online advertising realm as they can share your data with others too.
As far as the breach of privacy is concerned, certainly, browser fingerprinting looks a bad idea.
However, it is also useful for the services that cater to the needs of their customers for free.
For example, you don’t have to pay anything to use Facebook, Twitter, or even Google. It’s because they make their money by profiling your data and selling it to the advertisers.
Similarly, this online fingerprinting and subsequent advertising also supports free journalism.
GDPR and browser fingerprints
Digital tracking has its own pros and cons for both the users as well as the advertisers and web trackers.
However, since the internet users are predominantly left at the mercy of tech giants and advertisers, this data collection seems more controlling on the users only, giving undue or extensive advantages to the other party.
Therefore, to keep a check on the monetization of users’ privacy, GDPR partially ensures browser fingerprinting protection.
The GDPR (General Data Protection Regulation) came into effect in 2018, in an attempt to empower users with privacy.
However, the apparent advocacy of privacy and security left the businesses wondering how these laws would affect their revenue.
Nonetheless, these European laws are struggling to maintain a balance between data privacy and data monetization to make things a win-win for both the users as well as the businesses.
Moreover, it has also bound all businesses collecting users’ personal data to elaborate on why and how they need to collect that data. Something which GDPR refers to as the ‘legitimate interest.’
GDPR defines this ‘personal data’ as,
“Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
While these laws sound good to the users, they do not explicitly regulate browser fingerprinting. Rather they merely revolve around the collection of data via cookies.
However, the ePrivacy Directive more precisely addresses the browser fingerprinting issues.
It is because of these laws that you often see websites explicitly asking your consent for different types of cookies, giving you more control.
How browser tracking (fingerprinting) gets done
Now that you know that your browser throws online data about you, it is also obvious that the websites have employed certain ways to catch and record all of this information.
So how do these websites manage receiving all this data from the browser installed on your devices?
They actually use some small tools that give them big gains in this regard. Here I list some of these methods predominantly used by the web trackers.
The most common and most used way of collecting your data is via cookies tracking. (This is the same thing that you usually give consent to by clicking on ‘I accept’ or ‘OK’ when you visit a website for the first time.)
So, what are cookies?
Well, you can think of them as bribe from the websites to your browser to share your data.
Technically speaking, they are small data files placed on your device (computer or smartphones) by the websites you visit.
Through these data files, the websites log and identify your device on your next visit.
That’s the reason why previously visited sites load relatively more quickly than the ones you visit the first time.
Besides optimizing the user experience, cookies also help websites to provide your data for statistical analyses. For instance, these cookies help the sites identify new and recurring visitors.
2. IP address logging
While some websites let you disallow cookies, you can never block the sites from seeing your IP address.
It’s because a web server requires this IP address to respond to your query whenever you visit a website. When it can’t get your IP, it can’t respond to you, and hence, you can’t visit the desired site.
The IP address plays a key role in chasing you online.
This unique set of numbers suffices to inform websites about your location, network, device, and a lot more.
The websites can even chase this IP address to track all of your devices connected to the network and log your browsing habits.
Ever wondered why you get a similar browsing experience on your smartphone and PC at home? Or, why do you start seeing ads of products that someone in your family bought online through some other device?
It’s because both of your devices show the same IP address online – the one assigned by your network. This enables the websites to know that both the devices belong to the same user.
In short, your IP address is your online identity which the websites love to record about you. That’s why I always advise hiding or changing IP address while talking about online security.
3. Canvas fingerprinting
Another, relatively newer strategy to log your browser fingerprints is canvas fingerprinting. That is, the websites take help from the element managing the graphics on the web page to track you.
How does this work? I hear you ask.
Websites, today, employ HTML5 – a coding language – as its core fundamental.
The HTML5 code includes an element called ‘canvas’. This element mainly handles the way graphics appear on your screen.
That includes the appearance of fonts, colors, background, and other settings of your device.
Since this isn’t likely the same for every user, it becomes a distinct identifier for the respective device.
Thus, the subsequent detail is what the websites use as your digital fingerprint.
What makes this method even more powerful is that it allows cross-browser fingerprinting. That is, the websites can still identify you even when you use multiple browsers on your device.
This is because this method doesn’t rely on browser information. Rather it goes far and beyond to track your device settings.
The idea of canvas fingerprinting gained traction in 2014, when Acar et al. elaborated on it in their research paper together with other web tracking methods. Explaining how canvas fingerprinting works, the researchers stated in their paper,
“When a user visits a page, the fingerprinting script first draws text with the font and size of its choice and adds background colors. Next, the script calls Canvas API’s ToDataURL method to get the canvas pixel data in the data URL format, which is basically a Base64 encoded representation of the binary pixel data. Finally, the script takes the hash of the text-encoded pixel data, which serves as the fingerprint and may be combined with other high-entropy browser properties such as the list of plugins, the list of fonts, or the user agent string.”
This particular tracker is certainly beyond your control because this method doesn’t involve storing anything on your device.
Rather, just like the IP address, this is simply what the websites log about you. However, unlike the IP address, you cannot change or mask it.
How can I test my browser’s fingerprinting
Perhaps, after knowing how websites track you, you might be thinking to test and see your own browser fingerprint. Aren’t you?
Well, thanks to the privacy freaks and security enthusiasts that you do have some tools to check how websites chase you.
Though, they might not be 100% accurate. But, at least, they are robust enough to give you an idea of what your browser leaks about you so that you can control it.
Here I list two of these.
Powered by the Electronic Frontier Foundation (EFF), Panopticlick started off as a research project to assess browser fingerprinting.
Today, it is one of the reliable tools for users to check what data their browsers or their devices leak online.
Using the tool is quite easy. Just go to the Panopticlick website and click on the ‘TEST ME’ button appearing on your screen.
After a few seconds, you will be redirected to a new screen showing the results.
The tool will assess your device fingerprint against the following parameters.
- Whether the browser blocks tracking ads.
- If the browser blocks invisible trackers.
- Whether the browser blocks trackers embedded in ‘acceptable ads’ (the type of ads that some adblockers allow considering non-intrusive).
- Whether the browser blocks third-party trackers honoring ‘Do Not Track’.
- Whether your browser has a unique fingerprint.
In my case, the tool showed me mixed results for my browser fingerprints protection.
Despite using adblocker, preventing cookies, and blocking most other plugins, my browser still managed to generate a unique fingerprint for me.
2. Am I Unique
Another wonderful tool to check your online fingerprint is ‘Am I Unique’. This tool also analyzes the browser data against a comprehensive list of attributes.
As compared to Panopticlick, Am I Unique shows more detailed results, making it suitable for techies.
Using this tool is also simple. Just visit the website of Am I Unique (https://amiunique.org/) and click on the ‘View my browser fingerprint’ button.
You will then see the results where the tool will tell you about all the details gathered from your device.
It also tells how unique your fingerprint is among all others gathered over the period.
In my case, Am I Unique marked my device as having a unique fingerprint among 2146295 others.
Apart from browser fingerprinting, this tool has also set up a dedicated FAQ section sharing quick information about the niche.
How to keep yourself protected against browser tracking
Regardless of how intrusive and sneaky strategies web trackers adopt, you can always find ways to protect yourself.
Thanks to the cybersecurity community that keeps working on different methods to help you protect your privacy.
Below I quickly list all the useful methods that help you prevent browser fingerprinting.
1. Using Virtual Private Network (VPN)
Like always, a VPN is your savior to protect you against most privacy breaching attempts.
As you know, VPN or Virtual Private Network is a great tool that masks your online identity. It acts as a barrier between your device and the internet, creating a veil on your device.
Doing so enables the VPN to redirect all data generated from your device to its own servers first. Then, when your data leaves its servers, the web sees your details as the one belonging to your VPN client.
Hence, VPN lets you mask your country IP address, change your virtual location, and encrypt all your data.
So, with regards to browser fingerprints, VPN lets you fend off IP address and location tracking elements.
Though, not every VPN is robust enough to hide you online. For instance, VPNs often leak your real IP address and other details to the websites. Things are even worst for the free VPNs that do not shy away from logging your data too.
So, if you are truly concerned about your privacy, use a robust VPN like the ExpressVPN. It offers numerous great features that ensure adequate privacy for you, such as military-grade encryption, Kill Switch, and a huge network of servers offering a seemingly never-ending range of IP addresses for you.
Nonetheless, as I stated above, other fingerprinting methods such as canvas fingerprinting directly track your device hardware.
Of course, a VPN can’t mask your hardware. Nor can it change your device display settings.
Therefore, for an inclusive browser fingerprint spoofing, you need to employ other strategies as well.
2. Using private browsing or Incognito mode
Another way to avoid generating your unique browser fingerprint online is to use private browsing.
The first benefit of using private browsing modes is that it prevents websites from setting cookies on your device. The moment you close the private browser window, all the cookies are deleted, leaving no traces behind to the websites you visit.
This is especially important for visiting websites that are known to have trackers, such as e-stores and social media platforms.
Secondly, with stealth browsing, you also prevent websites from remembering your custom settings. Hence, they cannot count you and trace you as a new visitor.
Although, private browsing doesn’t prevent websites from canvas fingerprinting, or other evasive methods. Yet, it at least protects from continuous surveillance.
Moreover, private browsing settings also assign a generalized profile setting to your device.
So, even if the websites log these details, they won’t be exclusive to you. In this way, you can avoid generating a unique fingerprint online for yourself to a greater extent.
Using this method doesn’t require you to have technical knowledge. Just remember, whichever browser you use, make it a habit to surf online in the private mode.
This mode has various names in different browsers, so you may need to watch out for it via browser settings.
As for the users of popular browsers, here is what you should look for:
- Mozilla Firefox: Private Window
- Google Chrome: Incognito Window
- Microsoft Edge: InPrivate Window
- Apple Safari: Private Browsing
Also, you can turn to secure web browsers instead of traditional ones for private browsing.
3. Using anti-tracking plugins
Another way to prevent browser fingerprinting is to block known tracking elements. For this, you can install various add-ons to your browser.
Although, users of Mozilla Firefox might not need to install different plugins.
It’s because the Firefox browser offers the users to set up ‘Strict’ settings for content. Enabling this setting automatically blocks all web trackers, ads, fingerprints, and even crypto miners.
However, for users of other browsers, plugins like AdBlock Plus, EFF’s Privacy Badger, and NoScript work wonders. These plugins specifically block malicious ads, spying and malicious codes, invisible trackers, and other fingerprinters.
Though, such performance issues are a red flag in themselves. So, you can either choose to stop browsing such sites or enable their content if you really need to visit those sites.
A common problem with using browser plugins is that these plugins themselves start collecting users’ data at times.
Doing so enables you to prevent websites from detecting the details of your device like a list of active plugins, device fonts, and others.
Also, disabling Flash and Java prevents websites from placing certain cookies.
However, blocking Flash does not impact your browsing experience at all.
In fact, most modern browsers already disable Flash by default given its intrusive properties. So, unless you are visiting a very old website, you’ll face no trouble.
5. Using anti-malware program
Don’t scroll down just by reading the word ‘antimalware’ in the heading.
Here, we are not talking about the average antivirus that you might already have installed on your device.
Rather, I’m referring to the more robust and comprehensive solution, the antimalware.
Confused? Let us explain.
Antivirus is just a program that protects your device against viruses.
But an antimalware is an advanced tool that also protects your device against malicious software, such as spyware, adware, and others.
So, on top of your antivirus, you need a robust antimalware that can block intrusive elements and web trackers.
After you install a comprehensive antivirus with antimalware capabilities, the software will alert you whenever a website attempts to install a toolbar, show a popup, or an intrusive ad. You can then decide whether to allow the blocked elements or not.
Besides, you can also set up regular scans on your antimalware tool for real-time protection.
6. Using Tor Browser
Lastly, you can simply avoid browser fingerprinting by using the Tor browser.
Tor, or The Onion Router, is a dedicated browser offered by Mozilla – the makers of Firefox browser.
Though, Tor works just like another browser.
However, it is merely a browser. So, if you use multiple browsers, using Tor together with Firefox or Chrome won’t help protect browser fingerprints.
Yet, switching to Tor as your sole browser might provide you with better control.
Nonetheless, considering the greater access of Tor to the dark web, using Tor may bring you on the radar of your ISP and the governments.
So, you should ideally use a VPN with Tor. Doing so will only make your ISP see that your data is encrypted, without it getting a hint about you using Tor. Plus, the benefits of a VPN will make your browsing safer than ever.
Although, this combination of Tor+VPN provides much greater control on browser fingerprinting, be ready to witness speed lags while browsing.
Browser fingerprinting future
Earlier, browser fingerprints relied more on cookies.
However, when it’s about browser fingerprinting, the technology is continuously developing as the browsers evolve. Thus, it includes a lot more than the average cookies, some of which I just mentioned in the above sections. That’s where things seemingly go out of users’ control.
Nonetheless, a deeper look at browser fingerprinting reveals that the technology does not really suffice user identification. Nor does it produce accurate results when it’s about user tracking.
So, the sole viable purpose of fingerprinting remains to ensure online security.
With adequate fingerprinting, services can get more comprehensive data about their userbase. This, in turn, helps them in better statistical analyses for improving customer experience.
Similarly, cybersecurity services can use browser fingerprinting for segregating legit users from the bots and perpetrators.
Owing to these beneficial uses, rest assured that online fingerprinting isn’t going anywhere. It was there even when the internet was is in its infancy. And, it is here to stay for the foreseeable future too.
The only change it may undergo would be in the ways and means used by websites for device fingerprinting.
Although, these plus points do not blur the fact that identifying and preventing fingerprinters remains quite difficult.
But keeping in view the increasing awareness about online privacy among internet users, we may expect to have more advanced and privacy-friendly device fingerprinting in the days to come.
What I believe, and I trust most of you would agree to, is that no technology is good or bad in itself.
Instead, it’s the use that makes the technology advantageous or destructive.
The same applies to browser fingerprinting too.
As explained above, browser fingerprints do not always come with an intent of privacy breach.
Rather, this unique way of user profiling plays a key role in making the world wide web a safe place for all.
So, as an average user, you should not worry much about how websites track your fingerprints.
As for your privacy and smooth browsing experience, you can use plugins to block invasive ads and intrusive trackers.
You can also achieve a greater level of privacy with Mozilla Firefox that blocks most fingerprinters by default.
Besides, make a habit of private browsing to fend off cookies too.
With a little effort, you can make yourself more generalized among all internet users, eliminating your digital uniqueness. Once you succeed in this, you don’t have to ponder over browser fingerprinting anymore.
Whereas, for the tech-savvy users, the privacy tools and advanced programs like Tor are all there. Use them to make yourself anonymous online on any device.
Enjoy safe browsing!
About the author
Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.