What is Browser Fingerprinting?

Browser fingerprinting is the third avenue of user tracking after cookies and supercookies. Fingerprinting is initiated by websites that analyze the requests sent by HTTP clients to uniquely identify a specific machine by collecting a digital fingerprint. Data acquired in this manner can be used to continually track users even after cookie deletion.

In our brief article, we will outline the basics of browser fingerprinting, how it’s used to track internet users and what can be done to reduce the likelihood of being recognized through the details sent.

What is browser fingerprinting and how does it work?

Browser fingerprinting is an active way of data collection which hashes unique browser parameters and creates a digital signature. Websites can add additional JavaScript code (either by creating their own script or buying from third party providers) to an HTTP request response. The JavaScript code scans all public browser parameters and creates a unique browser signature from the data. 

Data acquired through employing additional JavaScript code includes user agents, screen size and resolution, installed fonts, plugins and extensions, GPU/CPU, etc. Each data point adds to the uniqueness of the device, allowing websites to identify a particular machine more easily.

Note that the global uniqueness of fingerprints might be even worse as the study participants were likely to be more tech-savvy and privacy-conscious than the average internet user. However, accurately predicting the global uniqueness of a fingerprint seems to be nearly impossible. A mathematical limitation is apparent due to the difference between an experimental sample and the global set of fingerprints.

The existence of unique fingerprints may seem puzzling at first glance. To the average internet user, most browsers might seem rather similar. However, uniqueness is often determined by the amount of information divulged by plugins. For example, JavaScript version data often includes numbering that is only intended for debugging purposes (e.g., 1.6.0_17). As there are numerous minor changes over the development process, a single plugin might have hundreds of different versions. Combining the details of the browser, all its plugins, and many other data points can create millions of uniquely identifiable devices.

Improving browser uniqueness

Browser uniqueness can be tested by using a project developed by EFF: Panopticlick. The Panopticlick browser fingerprinting test will reveal all data collected about your device, and provide possible options to defend against it.

If getting tracked by large companies isn’t your cup of tea, then lowering browser uniqueness is the most effective option for fingerprint protection:

• Use a commonly used browser. Running odd browsers (e.g., Comodo IceDragon) will greatly increase the likelihood of having a unique fingerprint.

• Avoid custom user agents. Unique user agents are a surefire way to stand out from the crowd, so it’s always better to use common user agents.

• Reduce the amount of plugins used. Uniqueness is severely impacted by the amount of plugins installed in a browser.

• Narrow down the preferred language list. Requesting pages for different languages greatly increases browser fingerprintability. For example, TorButton requests only EN versions of websites by default.

• Use TorButton. TorButton implements most of the security features used in Tor Browser to a Firefox browser.

• Disable JavaScript. Disabling JavaScript is an extreme measure that will break almost all websites. Yet, EFF finds that NoScript (an extension that allows users to switch off JavaScript) users were the most resistant to fingerprinting.

Ironically, anti-fingerprinting solutions and plugins that are supposed to enhance privacy and reduce uniqueness can often have the opposite effect. Installed plugins (and their versions) can be detected, which means that they often add to rather than subtract from browser uniqueness. 

We recommend experimenting with these options, utilizing the Panopticlick test, and browsing around the internet to find the most suitable combination. Using all the options listed above at once will likely break a lot of websites without providing clarity on what exactly happened.

Conclusion

Browser fingerprinting is becoming more common as a tracking measure. Unlike previous generations of tracking tools (e.g., HTTP cookies), defending against browser fingerprinting is significantly more difficult. Improving browser uniqueness is one option, yet the most effective measure is disabling JavaScript, which might cause client-side issues when displaying websites.

Want to read about the other side of the coin – how future web scraping tools will need to build workarounds for fingerprinting? Read our blog post on fingerprinting and its impact on web scraping!

If you're looking for a reliable scraping infrastructure, we recommend taking a look at our Scraper APIs, which are equipped with all the features necessary to overcome sophisticated anti-bot measures. In addition, our API is specifically adapted to extract data from the most demanded targets with ease. For a practical demonstration, see this guide to scraping Bing.