What is browser fingerprinting?

,
Browser fingerprinting

The never-ending cat and mouse game where we are constantly trying to protect our right to privacy against creepy corporate marketers watching everything we do on our devices, tech companies have developed a stalking tool called “browser fingerprinting.”.

What is browser fingerprinting?

Web fingerprinting uses JavaScript code on a web page or location to analyze your browser settings, computer, and other hardware specs, such as fonts, monitor screen resolution, which OS you use (and what version), extension settings, the type of graphics card you have, and other hardware configurations.

The point of browser fingerprinting is to enable the tracking company (data controller) to identify unique individuals among a sea of Internet users so that they can be tracked, a behavioral profile can be created, and then targeted advertising can be served to them.

In this way, a site can track your browsing habits without relying on cookies, which we are all now aware of and have learned to block and delete.

However, fingerprinting can be used to recreate tracking cookies that you have already deleted.

Let me repeat that.

In spite of your knowledge and consent, corporate trackers are not only peering into your machine to see its configuration and characteristics, but they are also re-creating trackers that you have deleted.

And this doesn’t just apply to the sites you visit directly. The pervasive inclusion of remote resources, like fonts, analytics scripts, or social media widgets on websites means that the third parties behind them can track your browsing habits across the web, rather than just on their own websites. – source

Browser Fingerprinting for fraud prevention

It’s not all bad. Browser fingerprinting is used to help detect fraud, unauthorized log ins say to your bank account, and even dating apps.  I personally have no problem with its use for security purposes. The issue is that everyone is using it and most aren’t using it for your security, they’re using it to track you and your specific characteristics to profit from your data.

There are no rules, industry ethics, or legislative oversight whatsoever.

What can browser fingerprinting detect?

The totality of data that browser fingerprinting can siphon from you specifically is an effective tool in building your individual profile.

  • Your user agent header info
  • your Accept header
  • your Connection header
  • you’re Encoding header
  • your Language header
  • your list of plugins
  • your platform
  • your cookie preferences (allowed or not)
  • your Do Not Track preferences (yes, no or not communicated)
  • your time zone
  • your screen resolution and its color depth
  • your use of local storage
  • your use of session storage
  • your pictures rendered with the HTML Canvas element
  • your pictures rendered with WebGL
  • your use of ad blockers
  • your operating system and version
  • last key pressed
  • which browser you are using
  • which add-ons you have installed
  • your installed fonts
  • your microphones
  • your webcams
  • what kind of graphics card you have installed
  • your CPU and # of cores
  • how much RAM you have
  • Battery level
  • Bluetooth status
  • accelerometer info
  • …and more.

See your browser fingerprint

The following sites allow you to see your browser fingerprint:

Arguments against mitigation

There are some privacy “experts” and enthusiasts that say attempting to mitigate browser fingerprinting with add-ons and tools just makes you stand out more and create an even more unique profile.

I disagree with this position for 2 reasons.

  1. Stand out to whom? Whom are we afraid of, so much so that we should be scared to use the tools and resources that we want on our own devices as we see fit? And what are we afraid of? That they’re going to track us more?
  2. Given the specific data browser fingerprinting captures, doing nothing is already a unique fingerprint. I mean, how many people with your IP address use the same version of the same browser, and are on the same devices that use the exact same OS, CPU, GPU, RAM, and Fonts?
    Yes, many people across the internet may have that exact same configuration, but this isn’t about averages and weeding through them to find the one that matches you. We are way past that now.They are spying on you through a direct connection to your device, and gathering data specifically to you and your hardware. No matter what consumer level tools you use, unless you’ve created them yourself just for your own usage, you’re not the only one on the planet who is using them.

Arguments for mitigation

In my opinion, you should use whatever tools at your disposal to limit data collection against you without fear that something will anger the data gods and make you even more of a target. We haven’t been able to hide among the crowd for at least five years.

The more of us who make it harder and harder to siphon our data, the more the cat and mouse game continues, the more I can make my data fuzzy, incorrect, uncertain…the more data collectors will have to spend in time and money to keep trying to thwart our efforts to keep their noses out of our private actions and business.

Nothing about all of this is perfect, and we can’t get this right without significant legislation that provides some oversight and protections, or at least limits who can observe and control our activities. Until then, I will do what I want with my device. Isn’t that the point of privacy and freedom in the first place?

What can you do about it?

I do not like reinventing the wheel. Many have done good work on this issue and explaining pros and cons of some “solutions”.

Before I do that, I’ll just tell you what I use and how I use it.

Firefox

I use multiple browsers for various things, or just to mix it up now and then. But I like that Firefox has some privacy features and controls out of the box and can be tweaked and customized to harden it even further.

https://www.mozilla.org/en-US/firefox/new/

Firefox’s add-ons that I use (some may be redundant) to address fingerprinting, cookies, tracking, and social networks.

  • Firefox Containers. Containers allow me to put visited sites inside a barrier that prevents that website’s cookies from seeing other cookies and information about my browser or device other than what’s inside its own container. By default, Firefox puts Facebook in a container.
     https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/
  • Privacy Badger (from EFF) “Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser.”
     https://privacybadger.org/#What-is-Privacy-Badger
  • HTTPS everywhere (from EFF): This is more about general security than it is browser fingerprinting.
    “HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure.” In short, it forces every website you visit to use its “HTTPS” secure version and warns you when you’re visiting a non-secure website.
     https://www.eff.org/https-everywhere
  • Disable JavaScript. Since browser fingerprinting relies on its use of JavaScript, simply disabling JavaScript from running has a significant effect on trackers that use it.I suggest running your own experiment by installing just this extension on your Firefox browser and see the difference in what the browser fingerprinting tools above can and cannot see when you toggle JS off and on.
    https://addons.mozilla.org/en-US/firefox/addon/disable-javascript/
  • Use a VPN. I will discuss this more later, but if you already have or use a VPN service, you definitely want to use it when you want to throw a misdirect at the websites you visit.

I use other tools such as a Pi-hole, my own VPN and use different operating systems mostly because I just generally like tech and trying different things. Having some variety in how you use your devices, and the internet can make it more difficult to get a clear read on your exact details.

Even if you’ve read this far you may not care about any of this. If you’re using work devices on work networks, whether they’re tracked and fingerprinted may not directly affect you.

If it’s your own fingerprint and it angers you that random websites are peeking at your hardware configurations, you may want to mitigate that.

Below are some guides and solutions put together by privacy organizations that have done a deep dive into possible solutions including using advanced Firefox settings.

More guides, solutions and options

There are no doubt more options and solutions available to you, but this is enough to get you started in the right direction.