What Is Browser Fingerprinting and How It Works?
Updated: October 02, 2019
Nowadays, it's hard to escape the eyes preying on us everywhere we go across the internet. And they collect more information about us than we would imagine.
Websites follow our online activity wherever we go and, most of the time, they do so without us even realizing it is happening and without our being aware of how much information they actually draw from our online behavior.
You might've never heard about browser fingerprinting before.
But you should be aware of browser fingerprinting, as it is an efficient method websites use to track your online activity even when you're using incognito mode or even a VPN.
So let's see what browser fingerprinting is and how it works.
Browser fingerprinting is the collection of identifying information about a device. Fingerprints are used to identify individual users even in scenarios when cookies aren't stored, the IP address is hidden, or multiple web browsers are used on the same device.
Its main purpose is to prevent credit card fraud and identity theft. Even so, the practice of creating detailed records of users' browsing histories without their knowledge, even when they are trying to avoid being tracked, raises significant concerns for online privacy.
When you connect to the internet, your device shares sets of specific data with the websites you're visiting. This data contains information about what web browser you're using and its version, your operating system, your timezone, installed plugins, screen resolution, and so on. Taken as individual pieces of information, they don't sound like much. But when you put them all together, websites are able to identify unique users and track their online activity.
Here's a list of data that can be used for browser fingerprinting:
- the User-agent header
- the Accept header
- the Connection header
- the Encoding header
- the Language header
- the Upgrade Insecure Requests header
- the Referer header
- the Cache-Control header
- the BuildId of the browser
- the list of plugins
- the platform
- the cookies preferences (allowed or not)
- the Do Not Track preferences (yes, no or not communicated)
- the timezone
- the screen resolution and its color depth
- the use of local storage
- the use of session storage
- a picture rendered with the HTML Canvas element
- a picture rendered with WebGL
- Supported Audio formats
- Supported Video formats
- the presence of AdBlock
- the list of fonts
Browser fingerprinting rests on the same concept as human fingerprints. Ideally, every device has a different fingerprint that never changes over time, which makes it possible for users to be fully identified. That is the theory, but in reality several variables mean the accuracy of a fingerprint is not guaranteed.
For example, for a fingerprint to be unique, no two devices may share the same fingerprint. But it is possible for two devices to have the same data configuration, especially for devices with factory-installed operating systems. In this case, scripting can be used to harvest more parameters from the device, but this technique is not perfect either, because those parameters come from the browser configuration and can change over time. For instance, if the browser was configured with cookies on when the fingerprint was first created, turning cookies off will also change the fingerprint.
Still, it doesn't mean devices can't be uniquely identified, just that not all of them can be. A study conducted by Slido shows a lot about how accurate the fingerprints can be. They found out that 74% of desktop devices can be uniquely identified, while only 45% of mobile devices can. Comparing Android with iPhone, around 60% of Android devices can be uniquely identified while only 33% of iPhone fingerprints are unique. iPhone devices are the hardest to uniquely identify through fingerprinting, as many of them share the same configuration and hence the same fingerprint.
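The collision and instability described above can be measured directly. The following is an added example, not code from the original article: the attribute names, the device records, and the use of a short FNV-1a hash as the identifier are all assumptions made for illustration.

```javascript
// Added example: every device record below is constructed sample data.
// Canonicalise first: sort keys so attribute order never changes the result.
function canonical(attrs) {
  return Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join("|");
}

// FNV-1a (32-bit) gives a short stable ID for the demo; it is an assumption,
// not what any particular tracker uses.
function fingerprint(attrs) {
  let h = 0x811c9dc5;
  for (const ch of canonical(attrs)) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Group devices by fingerprint. A group of size 1 is uniquely identifiable;
// larger groups are devices that hide among each other.
function anonymitySets(devices) {
  const sets = new Map();
  for (const [name, attrs] of Object.entries(devices)) {
    const fp = fingerprint(attrs);
    sets.set(fp, [...(sets.get(fp) || []), name]);
  }
  return sets;
}

// Share of devices whose fingerprint nobody else in the data set has.
function uniqueShare(devices) {
  const sets = [...anonymitySets(devices).values()];
  return sets.filter(s => s.length === 1).length / Object.keys(devices).length;
}

const factoryPhone = { userAgent: "ExamplePhone/1.0", platform: "phoneOS",
  timezone: "UTC+1", screen: "1170x2532x24", cookies: "on", fonts: "system-default" };
const DEVICES = {
  phoneA: { ...factoryPhone },
  phoneB: { ...factoryPhone }, // same factory configuration as phoneA
  desktop1: { userAgent: "ExampleBrowser/70", platform: "Linux x86_64",
    timezone: "UTC-5", screen: "2560x1440x24", cookies: "on", fonts: "Arial,DejaVu,Fira" },
  desktop2: { userAgent: "ExampleBrowser/70", platform: "Win32",
    timezone: "UTC+2", screen: "1920x1080x24", cookies: "on", fonts: "Arial,Calibri" },
};
```

Here `uniqueShare(DEVICES)` is 0.5: the two customised desktops stand alone while the two factory-default phones share one fingerprint, and flipping `cookies` to `"off"` on either phone yields a different fingerprint.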
The research also shows that fingerprints change pretty quickly. For most devices, at least a couple of changes take place each day. In this study, 19% of iPhone users changed their fingerprint within a week, while only 3% of Android users did, suggesting that Android devices are easier to track over time than iPhones. This doesn't mean algorithms are not able to guess and follow these changes.
What conclusion should we draw?
Well, for now at least, browser fingerprinting is not fully precise. Even though the variables needed for browser fingerprinting are easy to collect, sometimes you can be uniquely identified and sometimes you share the same fingerprint with other users. But the development of technology, especially of cross-browser fingerprinting, makes it easier and easier for websites to accurately identify users.
And keep in mind that the above numbers are the result of research conducted on only one collection of browser fingerprints. Other research found that 83.6% of the browsers analyzed gave instantaneously unique fingerprints.
One common question is if the incognito or private mode will prevent your online activity from being tracked by websites.
The disappointing answer is - not at all. While the incognito mode stops your browsing history from being saved, it does nothing against fingerprinting, which relies on data related to your browser and system such as screen resolution, plugins, user agent, and so on.
If you want to see how all your actions can be tracked in real-time, even when you're switching to incognito mode, spend a little time on ClickClickClick.
When you go online, websites track your online activities, gather information and create your browser fingerprint. They do so by using various methods.
Cookies are a well-known method for websites to collect information about users. Cookies are small files stored on your computer or device that hold a small amount of information about you, such as your online activity and data about your browser.
Cookies are sent to your computer by the websites you visit and they've been designed so websites can remember information about your online behavior (e.g. when you add an item to your cart) or remember activities such as logging in, your browsing history, and the buttons you click while surfing online. They also contain information about your interests, browsing history, and so on.
When it comes to cookies, you have the ability to delete them or to set your browser not to store cookies.
The fingerprint created through canvas fingerprinting is based on the operating system, the browser, and the graphics hardware. While this information is not enough to uniquely identify users, it can be turned into a unique identifier when it is combined with additional data.
Your IP address is unique to you and it's needed so that the responses to the requests you send over the internet know where to go, exactly how your home address tells the mailman where to deliver your packages. This means the IP address uniquely identifies your device.
It is possible for websites to track your location, the websites you visit, and the accounts you log into by using your IP address.
The above browser fingerprinting techniques create a fingerprint specific to one web browser. If you're using Google Chrome and websites created a fingerprint for you on that browser, when you switch to Firefox, they won't be able to track you there - a new fingerprint will be created.
With the introduction of cross-browser fingerprinting technology, websites are now able to track your fingerprint across multiple browsers. And it turns out the results are also more accurate than with single-browser fingerprinting.
Browser fingerprints were originally developed to operate as a means against fraud and identity theft. For instance, banks use browser fingerprinting to ensure users' security. By analyzing the fingerprint, they can tell if the logins were made from the same device as usual or if something has changed. This way, the bank can warn users in case they notice something suspicious, and they can also get information about the device that has been used in case of a fraudulent attack.
While browser fingerprinting turns out to be useful for a couple of practices, as it is for banks and other institutions that need high security, it doesn't have any uses for individuals. In fact, browser fingerprinting violates users' privacy to a large extent.
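The bank-style check described above has to cope with the fact that fingerprints drift, so an exact match is too strict. One way to sketch it, as an added example that is not from the original article; the attribute names, weights, thresholds and sample values are assumptions:

```javascript
// Added example: attribute names, weights and thresholds are assumptions.
// Stable attributes (platform, canvas rendering) weigh more than volatile
// ones (browser version, cookie setting) that change with routine updates.
const WEIGHTS = { platform: 3, canvasHash: 3, screen: 2, timezone: 2, fonts: 2,
                  userAgent: 1, plugins: 1, cookies: 1 };

// Weighted share of attributes that still match the stored profile.
function similarity(stored, current) {
  let matched = 0, total = 0;
  for (const [attr, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    if (stored[attr] !== undefined && stored[attr] === current[attr]) matched += weight;
  }
  return matched / total;
}

// Classify a login against the fingerprint stored for the account.
function assessLogin(stored, current) {
  const score = similarity(stored, current);
  const changed = Object.keys(WEIGHTS).filter(a => stored[a] !== current[a]);
  let verdict;
  if (score === 1) verdict = "known-device";
  else if (score >= 0.8) verdict = "known-device-drift"; // accept, refresh profile
  else verdict = "new-device";                           // warn the user
  return { verdict, score, changed };
}

// Constructed sample profiles (placeholder values, not real fingerprints).
const USUAL = { platform: "Win32", canvasHash: "canvas-sample-A", screen: "1920x1080x24",
  timezone: "UTC+2", fonts: "Arial,Calibri", userAgent: "ExampleBrowser/70",
  plugins: "pdf-viewer", cookies: "on" };
// Same machine after a browser update and a cookie-setting change.
const AFTER_UPDATE = { ...USUAL, userAgent: "ExampleBrowser/71", cookies: "off" };
// A different machine in the same timezone.
const OTHER_MACHINE = { ...USUAL, platform: "Linux x86_64", canvasHash: "canvas-sample-B",
  screen: "1366x768x24", fonts: "DejaVu,Liberation", userAgent: "OtherBrowser/12" };
```

`assessLogin(USUAL, AFTER_UPDATE)` returns `known-device-drift` with `changed` listing `userAgent` and `cookies`, while `OTHER_MACHINE` scores 4/15 and is reported as `new-device`.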
Browser fingerprinting means piecing together information about your web browser and online activity across websites. Advertisers use this information to create a detailed profile of you.
Nowadays, for advertisers, it's extremely important to collect as much data about users as possible so they can target them with personalized ads. Fingerprinting gives them a discreet way of gathering this information without users even being aware of it. They are able to track users' online activity across the web, so they know what websites you visited, what products you're interested in, and what devices you're using. Based on your previous online actions and interests, they can even predict what products you'll be needing in the future so they can serve you the exact ads that'll make you click.
Keep in mind that websites don't follow your online activity only when you are on their domain. Through social media widgets, fonts, or analytics scripts on websites, third-parties are able to track your online activity all across the web.
There are various tools you can use to check how unique your browser fingerprint is. These tools review a series of attributes of your browser fingerprint to conclude how unique it is.
Keep in mind that they compare your fingerprint to the sets of data they gathered so far when they decide on the uniqueness of your fingerprint.
In conclusion, browser fingerprinting is a powerful technique for tracking users all around the internet and uniquely identifying them by the device they are using.
Although the technology is not perfected yet, and fingerprints are not exactly stable, algorithms can still follow and guess the changes. With all the information that's collected without users even realizing, it's harder than ever to maintain your online privacy even when disabling cookies or hiding your IP address.
Even so, it might be tricky to prevent browser fingerprinting, but it is not impossible.
Reference: How to stop browser fingerprinting