Browser fingerprinting is the third avenue of user tracking after cookies and supercookies. Fingerprinting is initiated by websites that analyze the requests sent by HTTP clients to uniquely identify a specific machine by collecting a digital fingerprint. Data acquired in this manner can be used to continually track users even after cookie deletion.
In our brief article, we will outline the basics of browser fingerprinting, how it’s used to track internet users and what can be done to reduce the likelihood of being recognized through the details sent.
How does browser fingerprinting work?
Browser fingerprinting is becoming increasingly ubiquitous. Numerous websites, including top-ranked websites, are utilizing fingerprinting to identify new and returning users. Search engines like Google and Bing are no exception and have been employing various measures to identify specific users.
More advanced forms of browser fingerprinting can provide even more data on the machine, mostly by accessing HTML5 Canvas and requesting some measure of graphics processing. Employing HTML5 Canvas can reveal the operating system, browser, and GPU of a machine. A canvas fingerprinting script generally asks the browser to render a specific image. Due to slight differences in how GPUs render images, device-specific details might be acquired.
Finally, extreme measures include analyzing clock skew. Clock skew is when the electrical signals from one source (mostly from the clock generator) arrive at different components unevenly. These differences are affected by hardware temperature variations. Thus, with enough data and numerical analysis, clock skew differences can be measured to determine hardware specifications and many other aspects of a machine.
Understanding browser uniqueness
Browser uniqueness is the determining factor in whether a user can be recognized. To put it simply, browser uniqueness compares one device to many other computer fingerprints to find possible duplicates. If very few copies exist in the data set, the device is considered to be unique.
Because a large amount of data about a particular device and browser can be collected, a website might identify a user as unique even without access to cookie data. A study by The Electronic Frontier Foundation (EFF) found that only 1 in 286 777 browsers will share its fingerprint with another browser. Such a high level of browser uniqueness means that the same user can be easily recognized purely through fingerprinting.
Note that the global uniqueness of fingerprints might be even worse as the study participants were likely to be more tech-savvy and privacy-conscious than the average internet user. However, accurately predicting the global uniqueness of a fingerprint seems to be nearly impossible. A mathematical limitation is apparent due to the difference between an experimental sample and the global set of fingerprints.
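A worked illustration of the uniqueness comparison described above, added here and not taken from the EFF study or Panopticlick: it counts how many browsers in a sample share a fingerprint and converts that share into bits of identifying information. The sample population, attribute names and function names are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample population, not measurement data.
# Each fingerprint is (user_agent, languages, plugin_count).
SAMPLE = (
    [("Firefox", "en", 0)] * 40
    + [("Chrome", "en", 2)] * 30
    + [("Chrome", "en,de", 2)] * 6
    + [("Firefox", "en,fr", 5)] * 3
    + [("IceDragon", "en,lt,ru", 9)] * 1
)
ATTRIBUTES = ("user_agent", "languages", "plugin_count")


def surprisal_bits(matches, total):
    """Bits of identifying information when `matches` of `total` browsers share a value."""
    if matches <= 0:
        # A value never seen in the sample cannot be scored from that sample.
        raise ValueError("value absent from sample; uniqueness cannot be estimated")
    return math.log2(total / matches)


def anonymity_set(sample, fingerprint):
    """Number of browsers in the sample with exactly this fingerprint."""
    return Counter(sample)[fingerprint]


def per_attribute_bits(sample, fingerprint):
    """Bits each attribute reveals on its own (correlations between attributes ignored)."""
    bits = {}
    for index, name in enumerate(ATTRIBUTES):
        matches = sum(1 for fp in sample if fp[index] == fingerprint[index])
        bits[name] = surprisal_bits(matches, len(sample))
    return bits


if __name__ == "__main__":
    for fp in (("Firefox", "en", 0), ("Chrome", "en,de", 2), ("IceDragon", "en,lt,ru", 9)):
        size = anonymity_set(SAMPLE, fp)
        total_bits = surprisal_bits(size, len(SAMPLE))
        print(fp, "shared by", size, "of", len(SAMPLE), f"-> {total_bits:.2f} bits")
        for name, bits in per_attribute_bits(SAMPLE, fp).items():
            print(f"    {name}: {bits:.2f} bits")
    # The 1 in 286 777 figure quoted above, expressed in bits.
    print(f"1 in 286777 -> {surprisal_bits(1, 286777):.2f} bits")
```

A fingerprint shared by half the sample carries one bit, while one seen only once carries the maximum the sample can express, which is why a small sample says little about global uniqueness.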
Improving browser uniqueness
Browser uniqueness can be tested by using a project developed by EFF: Panopticlick. The Panopticlick browser fingerprinting test will reveal all data collected about your device, and provide possible options to defend against it.
If getting tracked by large companies isn’t your cup of tea, then lowering browser uniqueness is the most effective option for fingerprint protection:
- Use a commonly used browser. Running odd browsers (e.g., Comodo IceDragon) will greatly increase the likelihood of having a unique fingerprint.
- Avoid custom user agents. Unique user agents are a surefire way to stand out from the crowd.
- Reduce the number of plugins used. Uniqueness is severely impacted by the number of plugins installed in a browser.
- Narrow down the preferred language list. Requesting pages for different languages greatly increases browser fingerprintability. For example, TorButton requests only EN versions of websites by default.
- Use TorButton. TorButton brings most of the security features used in Tor Browser to a Firefox browser.
Ironically, anti-fingerprinting solutions and plugins that are supposed to enhance privacy and reduce uniqueness can often have the opposite effect. Installed plugins (and their versions) can be detected, which means that they often add to rather than subtract from browser uniqueness.
We recommend experimenting with these options, utilizing the Panopticlick test, and browsing around the internet to find the most suitable combination. Using all the options listed above at once will likely break a lot of websites without providing clarity on what exactly happened.