
Browser Fingerprinting: A Comprehensive Guide

Browser fingerprinting has become an increasingly common way for websites and advertisers to track users' online activities without their knowledge or consent. In this comprehensive guide, we'll cover everything you need to know about browser fingerprinting.

What is Browser Fingerprinting?

Browser fingerprinting is the process of collecting information about a user's device, browser, and operating system in order to create a unique "fingerprint" to identify and track them online. This can include details like:

  • Device type (desktop, phone, tablet)
  • Operating system
  • Browser type and version
  • Screen resolution
  • Installed fonts
  • Plugins
  • Timezone
  • Language
  • IP address

When this information is combined, it forms a distinctive fingerprint that can be used to identify a user across multiple sites and services. Unlike cookies, browser fingerprinting works without storing any data on the user's device.

How Browser Fingerprinting Works

Websites and advertisers use browser fingerprinting scripts that run in the background when you visit a webpage. These scripts can access browser APIs and system information that is exposed to any website you visit.

By combining this information from multiple sources, the scripts create a unique identifier that persists even if you clear your cookies, use private browsing mode, or switch devices.

Some examples of how browser fingerprinting works:

Canvas element: The scripts can use the HTML5 canvas API to analyze differences in how text and graphics are rendered to create a fingerprint. Variations in devices, graphics cards, drivers etc. cause slight differences.

WebGL: WebGL is used similarly to analyze a device's graphics capabilities for fingerprinting.

Font detection: The scripts detect what fonts are installed to generate fingerprints.

Plugin detection: Plugins like Flash, Java, WebRTC etc. can be detected and used as well.

Advanced techniques even use sensors like microphones, cameras and accelerometers which websites can access to add more fingerprinting signals.

Why Companies Use Browser Fingerprinting

Websites and advertisers rely on browser fingerprinting for:

1. Cross-device tracking: Fingerprints let companies connect a user's browsing activity across smartphones, laptops, tablets etc., associating it with a single profile.

2. Retargeting: Using fingerprints, advertisers can target ads to users as they browse across sites, based on past browsing history.

3. Fraud prevention: Fingerprints help detect bots, account sharing between regions etc.

4. Analytics: To better understand user demographics and behavior across sites.

5. Personalization: Fingerprints allow for customized content and experiences for users.

Essentially, browser fingerprints have become the most persistent way to track users without obtaining any actual personal data or consent. They have many advantages over traditional cookies and allow seamless cross-site and cross-device tracking at scale.

Is Browser Fingerprinting Legal?

The legality of browser fingerprinting is still a gray area. Most countries do not have clear regulations addressing it.

General data protection regulations like GDPR and CCPA require informed user consent before collecting device data. Strict interpretations would require sites to disclose fingerprinting activities and obtain opt-in consent from users.

However, many sites argue that data collected is not personally identifiable information (PII) and hence consent is not necessary. Most sites do not reveal their browser fingerprinting methods or give options to opt out.

Until more robust consumer privacy laws address fingerprinting specifically, users have little recourse. Using privacy tools remains the best option to minimize fingerprinting.

Browser Fingerprinting vs Cookies

While cookies have been the traditional method to track users, browser fingerprinting provides some key advantages:

Persistence
  • Browser fingerprinting: Fingerprints persist across browser sessions and device changes unless configuration changes significantly.
  • Cookies: Cookies can be easily cleared by users manually or by using private browsing.

Consent
  • Browser fingerprinting: No user notification or consent required currently by most sites. Collected silently.
  • Cookies: Sites generally must disclose cookie usage in privacy policies and cookie notices under regulations.

Blockability
  • Browser fingerprinting: No browser-based blocking mechanisms currently. Requires using external privacy tools.
  • Cookies: Can usually be blocked by cookie managers, ad blockers and browser settings.

Accuracy
  • Browser fingerprinting: Collects many difficult-to-spoof hardware and software signals, making fingerprints highly unique.
  • Cookies: More prone to inaccuracies since cookie data is self-reported.

So while browser fingerprinting represents a greater infringement on user privacy currently, legal restrictions on cookies have made them less reliable for cross-site tracking compared to fingerprints.

Browser Fingerprinting Techniques

There are a variety of browser fingerprinting techniques that exploit different browser APIs and system information exposure:

Canvas Fingerprinting

Canvas fingerprinting uses the HTML5 Canvas API, which is intended for drawing graphics. It renders and analyzes imagery to detect differences in devices and configurations.

AudioContext Fingerprinting

The AudioContext JavaScript API is used to fingerprint devices based on audio setups and capabilities.

WebRTC Fingerprinting

WebRTC leaks IP addresses and system data, which this technique uses.

Font Detection

Lists installed fonts. Font rendering provides signals for fingerprinting.

Battery Status

Battery charge level and information is fingerprinted.

Browser Plugin Detection

Installed browser plugins can be detected.

WebGL Fingerprinting

Similar to canvas fingerprinting but uses WebGL instead to detect device graphics capabilities.

Timezone

The timezone set on the device OS can be a fingerprinting signal.

And many more: new fingerprinting techniques continue to emerge.

Examples of Browser Fingerprinting

To illustrate what kind of data browser fingerprinting might expose, here are two sample fingerprints:

Fingerprint 1

{
  "browser": {
    "name": "Chrome",
    "version": "108.0.5359",
    "engine": "Blink",
    "capability": [...]
  },

  "os": {
    "name": "Windows",
    "version": "10",
    "arch": "x86_64"
  },

  "device": {
    "model": "Asus Laptop",
    "type": "computer",
    "memory": 16
  },

  "gpu": {
    "vendor": "NVIDIA",
    "model": "RTX 3060"
  },

  "fonts": [
    "Arial",
    "Times New Roman",
    ...
  ],

  "plugins": [
    "Native Client",
    "Widevine",
    "Flash"
  ],

  "timezone": "UTC+5",

  "language": "en-US"
}

Fingerprint 2

{
  "browser": {
    "name": "Firefox",
    "version": "107.0.1"
  },

  "os": {
    "name": "iOS",
    "version": "15.5"
  },

  "device": {
    "model": "iPhone 11 Pro",
    "type": "phone"
  },

  "gpu": {
    "vendor": "Apple"
  },

  "fonts": [
    "Helvetica",
    "American Typewriter",
    ...
  ],

  "plugins": [],

  "timezone": "UTC+7",

  "language": "th-TH"
}

These illustrate how fingerprints provide a good amount of information about a user's browsing environment. While not directly personally identifiable, they provide strong signals for tracking and targeting.
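
The following added example (not code from the original article) measures how identifying a combination of attributes is. It counts how many visitors in a constructed eight-visitor population share each attribute value with one target, then all values at once, and repeats the measurement after every visitor reports one standardized profile. The population, attribute names and function names are assumptions made for illustration.

```javascript
// Added example, not from the original article. The visitor population is
// constructed for illustration; attribute names are assumptions.
const ATTRS = ["browser", "os", "screen", "timezone", "language"];

const visitors = [
  ["Chrome 108", "Windows 10", "1920x1080", "UTC+5", "en-US"],
  ["Chrome 108", "Windows 10", "1920x1080", "UTC+7", "th-TH"],
  ["Chrome 108", "Windows 10", "1366x768", "UTC+5", "en-US"],
  ["Chrome 108", "macOS 13", "1920x1080", "UTC+5", "en-US"],
  ["Firefox 107", "Windows 10", "1920x1080", "UTC+5", "en-US"],
  ["Firefox 107", "iOS 15.5", "375x812", "UTC+7", "th-TH"],
  ["Firefox 107", "macOS 13", "1366x768", "UTC+7", "en-US"],
  ["Chrome 108", "Windows 10", "1366x768", "UTC+7", "th-TH"],
].map((row) => Object.fromEntries(ATTRS.map((a, i) => [a, row[i]])));

// Number of visitors indistinguishable from `target` on the given attributes.
function anonymitySet(population, target, attrs) {
  return population.filter((v) => attrs.every((a) => v[a] === target[a])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
function surprisalBits(population, target, attrs) {
  return Math.log2(population.length / anonymitySet(population, target, attrs));
}

// Defense model: every visitor reports the same fixed values for `attrs`.
function standardize(population, profile, attrs) {
  const fixed = Object.fromEntries(attrs.map((a) => [a, profile[a]]));
  return population.map((v) => ({ ...v, ...fixed }));
}

// Anonymity set size per attribute, then for all attributes combined.
function report(population, target) {
  const rows = ATTRS.map((a) => [a, anonymitySet(population, target, [a])]);
  rows.push(["all combined", anonymitySet(population, target, ATTRS)]);
  return rows;
}

const target = visitors[0];
for (const [name, size] of report(visitors, target)) {
  console.log(`${name.padEnd(13)} shared with ${size} of ${visitors.length}`);
}
console.log("bits (combined):", surprisalBits(visitors, target, ATTRS));
const uniform = standardize(visitors, target, ATTRS);
console.log("bits after standardizing:", surprisalBits(uniform, uniform[0], ATTRS));
```

No single value here is rare, yet the combination matches exactly one visitor; once every visitor reports the same profile, the measured attributes carry no identifying information.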

Browser Fingerprinting vs IP Address

Browser fingerprints and IP addresses are both used to identify and track users but have some differences:

  • An IP address provides an indicator of a user's geographic location and ISP details. Browser fingerprints contain more specific information about the actual device, browser and configuration.

  • IP addresses can be masked using VPNs and proxies. Browser fingerprints adapt to configuration changes so cannot be easily masked for long without changing hardware or browsers.

  • Static IP addresses can help connect sessions across sites for tracking. But mobile devices often use dynamic IPs changing across sessions. Browser fingerprints persist uniformly despite public/private IP changes.

So while IP addresses provide some location and ISP details, browser fingerprints are better for creating unique, persistent identifiers for cross-site tracking and monitoring.

How to Prevent Browser Fingerprinting

Since most sites do not disclose browser fingerprinting activities or provide opt-out options, users have to rely on privacy tools to minimize detection and tracking:

1. Use the Tor browser

The Tor browser aims to provide complete anonymity by routing connections through multiple servers, making fingerprinting very difficult.

2. Install browser extensions

Extensions like NoScript Security Suite can disable JavaScript, which is required for most fingerprinting methods.

3. Use a VPN

Using a trusted VPN hides the native browser fingerprint and exposes the VPN fingerprint instead if browser leaks are blocked effectively. This provides some level of anonymization.

4. Disable/limit browser APIs

Privacy-oriented browsers like Brave allow disabling select APIs like WebRTC, which stops specific fingerprint vectors.

5. Reset configuration

Simply resetting and changing fonts, timezone, canvas permissions etc. occasionally can render older fingerprints invalid.

6. Limit browser/device info

Changing user agent strings and limiting JavaScript access to metadata can trick scripts. But advanced fingerprinters have countermeasures.

7. Anti-fingerprinting browsers

Emerging privacy-focused browsers like Brave, Tor and Firefox are trying to combat fingerprinting with built-in protections.
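
To check what a configuration reset (step 5) actually changes, the added example below (not code from the original article) compares two snapshots of the same device. It derives an exact-match identifier from all attributes and lists the attributes that stayed identical. The values follow the "Fingerprint 1" sample with the elided lists shortened, and the "after" snapshot, the function names and the use of a 32-bit FNV-1a hash are assumptions for illustration.

```javascript
// Added example, not from the original article. Values follow the page's
// "Fingerprint 1" sample; elided lists are shortened, so treat them as constructed.
const before = {
  browser: "Chrome 108.0.5359",
  os: "Windows 10 x86_64",
  gpu: "NVIDIA RTX 3060",
  fonts: ["Arial", "Times New Roman"],
  plugins: ["Native Client", "Widevine", "Flash"],
  timezone: "UTC+5",
  language: "en-US",
};

// Same device after a reset: timezone changed, one font removed (constructed).
const after = { ...before, timezone: "UTC+1", fonts: ["Arial"] };

// Order-independent text form of one attribute value.
function canon(value) {
  return Array.isArray(value) ? [...value].sort().join(",") : String(value);
}

// Exact-match identifier: FNV-1a (32-bit, non-cryptographic) over all attributes.
function exactId(fp) {
  const text = Object.keys(fp).sort().map((k) => `${k}=${canon(fp[k])}`).join(";");
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Attributes whose values are identical in both snapshots.
function unchangedAttributes(a, b) {
  return Object.keys(a).filter((k) => k in b && canon(a[k]) === canon(b[k])).sort();
}

console.log("id before:", exactId(before));
console.log("id after: ", exactId(after));
console.log("still identical:", unchangedAttributes(before, after).join(", "));
```

The reset changes the exact identifier, but the browser, OS, GPU, plugin and language values are untouched, which is why occasional resets alone leave most of the signal in place.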

The Future of Browser Fingerprinting

Browser fingerprinting represents a big shift in how user privacy and expectations around security have evolved on the internet.

Many critics argue fingerprinting essentially allows the level of tracking and surveillance online normally only expected from intelligence agencies, but without proportional accountability.

And fingerprinting techniques only continue to get more advanced and invasive over time.

Without meaningful legal safeguards and improved browser privacy protections, responsible disclosure and consent requirements, browser fingerprints could render current notions of online anonymity and privacy obsolete.

Conclusion

Browser fingerprinting has quickly emerged as a powerful way for advertisers and websites to identify, monitor and profile all visitors.

Using fingerprints in conjunction with techniques like behavioral analysis and machine learning will only make user tracking more precise.

As browsers evolve, new APIs and sensors are providing even more fingerprinting signals to exploit.

For users relying on current privacy tools and settings, comprehensive protection is difficult as sites get better at fingerprinting around obstacles.

Hopefully growing public awareness and demand for transparency around data collection practices will drive positive change. Getting lawmakers involved is key.

In the meantime, understanding the reach of browser fingerprinting can help users make more informed choices to best protect their privacy.
