You and your fingerprints are unique and that’s equally true online. When you land on a website, scripts leap into action to gather information about you, including your browser, device’s graphics card configuration, default language, and time zone. This is called browser fingerprinting and it makes you uniquely identifiable out of the millions of other users online. Read on to find out why this technique is deployed, how it works, and if it’s legal. You’ll also learn how privacy tools like Avira Secure Browser can help minimize it to better safeguard your privacy.
What is browser fingerprinting?
Unless you want to get caught, you’ll know it’s not recommended to leave fingerprints at a crime scene. It’s news for many that when they go online their computer has unique fingerprints too. Instead of loops and arches, these digital imprints are made up of the software and settings on your device, including the model, its operating system, browser version, and whether you use an ad blocker. When this information is discreetly gathered through an internet user’s browser, it’s called ‘browser fingerprinting’, ‘device fingerprinting’, or just plain ‘fingerprinting’.
But what about cookies? Aren’t they the ones following you around the web? Online user privacy is a hot topic, especially when you consider the many allegations that tech giants are facing regarding the misuse of sensitive data. As a result, cookies—those tiny text files that store data about you when you visit a website—have earned a bad rep as online trackers. We’ve all seen the annoying pop-ups that appear advising you of the cookies in action on a site. Third-party cookies are picked on with the most zeal and are now almost universally rejected. But there are other ways to track online behavior, and browser fingerprinting is considered effective—it’s accurate, evasive, and difficult to trace. Unlike cookies, there are no pop-up windows informing the user of which data is being collected and giving them the option to accept or reject it.
So, if you’re a real-life cookie thief, wiping away cookie crumbs might get rid of the evidence—not so with fingerprinting. It can persist, regardless of how many cookies you clear or fail to accept.
How does browser fingerprinting work?
Have you ever read off a script? It tells you exactly what to say and do. Similarly, websites use embedded web scripts to tell your browser what to do. This helps ensure that the website will work properly for your individual computer. So, when you visit a website, your browser hands over various software- and hardware-related information, such as the model and specifications of the device you’re using, the hardware and software versions installed, screen resolution and color depth, keyboard layout, plus your language preference, location, and time zone. It can even determine which browser extensions you’re using and whether you have an ad blocker! (You can read up on ad blockers in this blog if you want to know more). When you land on a web page, your browser passes on details even your mother may not know…
Speaking of mothers (or friends), how would yours describe you? It may be something along the lines of “tall, large-built, with dark hair and glasses, wearing ripped blue jeans and a T-shirt with a cat on it”. If someone wanted to pick you out of a crowd, they’d be able to do so if they received enough details on your personal attributes and any defining features. That’s how browser fingerprinting works. Individually, all the settings and data that are passed on might seem harmless but it’s like putting together a digital jigsaw. With enough pieces in place, a unique picture or ‘fingerprint’ of you emerges.
It turns out that there isn’t always safety in numbers… Considering the huge number of connected devices globally (5.18 billion internet users worldwide as of April 2023), it may come as a surprise just how accurate fingerprinting is at identifying you in this ocean of users! A study that collected 3,615 fingerprints from 1,903 users over a period of three months found that browser fingerprinting was able to successfully identify 99.2 percent of users. Impressive. The study also rather chillingly concluded: “This approach is lightweight, but we need to find all possible fingerprintable places, such as canvas and audio context”. That’s because besides traditional single-browser fingerprinting, other more surreptitious tracking methods are on the rise. This includes monitoring the way visitors type text and embedding inaudible sound in TV ads or websites. While the sound can’t be heard by the human ear, nearby devices like tablets and smartphones may detect it. Browser cookies can then link that single user to multiple devices, keeping track of what ads they watch, how long they spend on them, and which products they buy.
Understanding fingerprinting can put you in a stronger position to help shield your privacy, even in the face of emerging tracking technologies. Knowledge is power. Read on.
Why do websites use browser fingerprinting?
You may be asking why websites would want to hoover up your data in the first place and their top purpose is probably the most obvious: Targeted advertising. That’s because you’re not just an online browser; you’re an audience and potential customer. Any method that is this efficient at tracking and understanding users was bound to attract the attention of digital marketers who can then serve you up personalized ads. Here’s how it works: Let’s say you book a holiday to Barcelona. Working with websites, advertising technology companies recognize a user’s fingerprint as soon as they land on the page. Seconds later, that user is served up an ad that matches their profile—in this case it may be for Spanish vacation fashion or tours of Barcelona’s art galleries.
This leads us to the second reason behind fingerprinting: Dynamic pricing. Companies can (cheekily?) use the information they’ve gleaned above to alter their pricing! So, they now know that you might be willing to pay more for the right beach clothes. Plus, if a scan of your digital fingerprint reveals that you’re using an expensive device and live in an affluent area, boom! The price just got higher because you’re deemed likely to be able to afford it.
Browser fingerprinting is such an effective identifier that it can even bypass private browsing and virtual private networks (VPNs), making it harder for online scammers and hackers to conceal their actions. In fact, that’s why it was developed in the first place. Most of us don’t know that fingerprinting had quite such noble origins: It was initially used to track and block devices associated with suspicious activity—such as botnets using multiple devices and locations to access online accounts or scammers creating multiple social media accounts. It still plays this important role in online security. Banks, for example, can identify and flag potential fraudsters by seeing if a user accesses an account from multiple locations within a short period, or if they’re using a device with another configuration. Similarly, anti-botnet solutions use data harvested via browser fingerprinting to help prevent account takeover attacks.
If you’re feeling anti-fingerprinting, consider a browser designed for greater online privacy, like Avira Secure Browser. The integrated Privacy Guard includes ad and tracker blocking, as well as anti-fingerprinting protection to help keep your actions private and unprofiled.
Meet the methods behind fingerprinting
Websites deploy a range of techniques to collect data about you. These include:
Javascript and Flash: Websites may use JavaScript to gather information about your device so that it correctly displays the web content in your browser. These scripts are therefore generally legitimate and blocking them means that the website might not work properly. Similarly, the Adobe Flash plugin installed in your browser can provide information such as your operating system, time zone, and screen resolution. The website then uses this data to generate a hash or unique fingerprint.
Canvas fingerprinting: When you visit a website that’s running a canvas fingerprinting script, it makes the browser draw a two-dimensional image. In HTML5, drawing operations render differently depending on your computer, because machines use various graphics, drivers, etc. So, how your device creates that image will unlock unique information about its software and hardware. The fingerprinting script then converts this data into an encoded format and computes a canvas fingerprint hash for your device. This technique is generally considered fast and accurate, making it a popular choice of fingerprinting.
WebGL fingerprinting: This works in a similar way to canvas fingerprinting but creates a 3D image using JavaScript combined with OpenGL software (instead of a 2D image in HTML5) and then hashes this image data to create a unique fingerprint. It also supports more browsers than Canvas fingerprinting.
Media device fingerprinting: This uncovers information about any media devices (and their IDs) on your computer, including internal components like your video and audio cards, as well as connected devices like headphones, microphones, and external speakers. This method is less widely used because it’s not very stealthy! Luckily for you, it requires user permission to access media devices.
Audio fingerprinting: Rather than creating an image, this technique tests how your device plays sound. The sound waves generated showcase variations in the browser and your device’s audio configurations, including information about its sound hardware, drivers, and software. There is also the newer audioContext fingerprinting, which was identified by researchers at Princeton University. Instead of collecting sounds, it harvests the audio signature of the individual machine.
Once you’ve been tracked, details from your device fingerprint can be sold to data brokers who combine offline information (such as public records and offline loyalty cards) with online information to complete a detailed personal profile of you. This can include a staggering volume of intimate details, such as your current and previous addresses, telephone numbers, date of birth, gender, health issues, marital status, and any arrest records! The profile is then sold to advertisers who use it to target you more effectively.
What are the legal issues around browser fingerprinting?
France’s data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), has published guidance on the use of alternatives to third-party cookies. It emphasizes that data protection principles must be applied to new technologies that have tracking ability. In short, tracking can take place, but it must be the informed choice of the website user.
If the information gathered is considered public and not personal, then collecting it should not be problematic.But information that can be linked to one individual is considered personal data by GDPR regulations in many countries (including the European Union). Most of what fingerprinting hoovers up, such as IP and email address and even the combination of browser characteristics, allows advertisers to identify an individual indirectly—therefore it’s classified as personal data and may be risky. GDPR requires that companies handling personal data be transparent about the data collection process and ask for consent. That sounds simple in theory but can be tricky with data collection techniques like browser fingerprinting as most of us are unaware that it’s going on at all.
Can you stop browser fingerprinting? Your anti-fingerprinting guide
Good luck. It’s stealthy, cunning, and all pervasive. You can minimize data collected about you but stopping it altogether is extremely difficult. There are the usual tips and tricks that help shield your privacy, including using a virtual private network or VPN, private or incognito mode, clearing your cookies, and erasing your search history. Avira Phantom VPN is available free for Windows, Mac, Android, and iOS if you want to help encrypt your communications and route them through a more secure virtual tunnel.
You could also disable JavaScript and Flash so websites can’t detect the active plugins and fonts you use. Beware that many websites won’t function properly if you go this route! Even if you deploy all the methods mentioned above in your privacy arsenal, your digital fingerprint is still unique and therefore identifiable.
Don’t despair though (well, maybe a little) as there are ways to take a stand. You can muddy the waters so your identifiable info paints a less clear picture. There are two techniques: Generalization manipulates browser API results to mask your unique attributes to help you blend in with the crowd. Randomization regularly changes your characteristics so that your browser fingerprint is constantly changing and you can’t be reliably identified.
If you’re not a tech geek, what’s a mere mortal to do? Thankfully, help is also at hand via tools and services. Some browsers like Tor and DuckDuckGo are staunchly anti-fingerprint and blocks ads and third-party trackers by default. They also generalize users and use HTTPS encryption for more private browsing. As more advertisers use online fingerprinting, even conventional browsers are starting to fight back. Firefox, for example, requires websites to ask for user permission before collecting data.
There’s a simple solution from the pioneers of free online security: Avira
Avira Secure Browser puts anti-fingerprinting powers at your fingertips for more online security and privacy: Use it to help protect you from incoming attacks and help avoid being tracked while you browse. It also helps block ads and there’s a Password Manager to help securely store, manage, and generate passwords.