Browser fingerprinting has recently become a buzzword in the online privacy community. But do you know what, exactly, it is?
If not, we don’t blame you. It’s a little-known – but extremely powerful – way of identifying and tracking individuals across the web.
Imagine a website being able to track you without a trace. No cookies, no ad trackers, no personal input required.
Now imagine that this secret tracking is nearly 100% accurate and exploits the very technology you use to get online: your web browser.
What you’re picturing probably sounds like the plot of a cautionary dystopian novel. But it’s actually the current reality of the web, and it’s all thanks to browser fingerprinting.
We’ve got the lowdown on this sneaky, invasive tracking tactic. Let’s explore how browser fingerprinting works – and how to stop it.
What Is Browser Fingerprinting?
Everyone has a unique set of fingerprints, which serve as permanent identifiers.
No two are the same, so they’re invaluable for many applications, from unlocking your phone to connecting you to a crime.
Web browsers don’t have hands, so they don’t have fingerprints in the traditional sense. But they do have their own special signatures that serve the same purpose.
Rather than ridges and whorls, these fingerprints are comprised of various data points that, when viewed as a whole, are unique to each user.
This data can encompass everything from OS version to timezone to the fonts you have installed.
Websites need some of this data, like browser version and screen size, to load and function correctly. But the fingerprints themselves are used for another purpose altogether: user identification and tracking.
Sites can record your browser fingerprint and use it to link your past and future site activity.
The resulting data is valuable for website analytics – and for sale to advertisers and data brokers.
If you make an account on a site, your browser fingerprint can then be associated with your personal contact information. This makes that data set even more desirable to companies that buy and sell personal data.
What Types of Data Does My Browser Fingerprint Include?
Your browser fingerprint may differ from site to site depending on the specific fingerprinting techniques that each site uses.
There are so many potential data points that compiling each and every one is beyond the scope of this article. Security researchers have identified around 10,000 browser properties that are usable for fingerprinting purposes.
We can’t cover all of them, but here are the most common types of fingerprint data. Chances are, a site you’ve visited today has recorded these.
Language, Location and Timezone
It’s always nice to have a website load in the correct language, with timestamps that correspond with your timezone.
So, in a way, it’s beneficial for sites to collect this data from your browser.
But when this data is included in a browser fingerprint, there can be larger implications for your privacy.
It’s much easier to match your fingerprint with your name and contact info if your location is included. This data also enables ad targeting based on language or location.
Browser and Plugin Info
Obviously, you’re not the only person who uses Firefox to browse the web. But there’s a lot more to your browser than just its name.
There’s the version number, window size and settings like Do Not Track. Not to mention your unique collection of plugins and extensions, plus their respective versions and settings.
And, of course, your IP address – perhaps the most unique of all data points – is often recorded alongside your browser information.
So you’re far from alone in your choice of browser. But your specific configuration is, in all likelihood, unique to you.
Browser fingerprints often extend beyond the scope their name suggests.
Your device itself is a treasure trove of data that can be used to help identify you. That’s why browser fingerprints are sometimes referred to as device fingerprints.
With a bit of code, websites can tell what device you’re using, what OS you’re running and even which internal hardware components you use.
Settings like screen resolution, touch capability and system language can also be collected.
Perhaps most surprising is the inclusion of your system fonts in the fingerprint. Every OS comes with different fonts, and any additional ones you install make your specific collection more unique.
How Are Browser Fingerprints Collected?
Browser fingerprint data comes from many different places.
Some sources are obvious, while others are sneakily exploited for the purpose of gathering data.
Here’s a breakdown of the ways websites obtain your browser fingerprint.
But be aware: new methods are constantly under development and many still aren’t publicly known.
Websites need to know certain pieces of information about your browser before allowing you access.
Such information is automatically sent alongside your initial HTTP request in the form of headers.
Headers let the website know which types of code and file formats can be read by the requesting browser. They also communicate information about your cookie and Do Not Track settings.
When you type in a URL, your browser sends your headers to the website server. The server then analyzes the headers to determine if it’s compatible with your browser.
Depending on your headers, the server may return a different version of the site.
For instance, if your headers indicate that you’re using a mobile device, you’ll be sent to the mobile-optimized version of the site.
Or the headers might show that your browser doesn’t support a certain type of code. If the site relies on that unsupported code, then you may be shown an error instructing you to use a different browser.
Because headers are necessary for sites to load properly, they can’t generally be turned off.
Unfortunately, the data contained in them is the first building block of your unique browser fingerprint.
Websites are built using HTML (for the structure) and CSS (for the styling).
And it can run entirely behind the scenes, with no indication that it’s there at all.
These buttons collect your fingerprint even if you don’t click them, allowing Facebook to track you around the web.
Flash used to be everywhere around the internet. Videos and games depended on it, as did various ads and dynamic content like slideshows.
But Flash was also full of security vulnerabilities – in the eight-year span from 2005 to 2012, 184 different exploits were discovered.
These vulnerabilities enabled sites to access user data for browser fingerprinting and more. But exploits aren’t even necessary for fingerprinting with Flash.
Flash browser plugins let sites collect system information like fonts and hardware specs.
Such highly-specific configuration data is invaluable in crafting a unique browser fingerprint.
In recent years, HTML5, CSS3, WebGL and other advancements have replaced much of Flash’s functionality. Today, it’s rarely used and is set to be officially discontinued at the end of 2020.
However, as of 2018, around 8% of Chrome users per day load at least one page with Flash content.
That means that around 8% of users are vulnerable to invasive browser fingerprinting with Flash.
Canvas and WebGL
Though they’re distinct from each other, they function in very similar ways.
So your browser is instructed to render a certain graphic, be it an image, text or a combination of the two. You won’t see the graphic – it’s usually hidden in the background or rendered invisibly.
Though every user receives the same request, the resulting graphic is always a little different for each user.
That’s because different devices use different methods of compression, color profiles, fonts and rendering techniques. Even the tiniest variance in any one of these factors is enough to make a difference.
Once the graphic is rendered, it’s converted into a hash, which then becomes your unique fingerprint.
Canvas and WebGL Fingerprint Hashing
Hashing turns any piece of data into a unique string of uniform length. It’s a way of standardizing the form of data without losing the ability to uniquely identify it.
As long as the original data remains exactly the same, it’ll be converted into the same hash every time.
For instance, the word “cat” will always result in the MD5 hash “d077f244def8a70e5ea758bd8352fcd8” no matter who hashes it or when.
However, any change to the original data, no matter how small, changes the hash significantly.
The MD5 hash for the word “Cat” with a capital C is “fa3ebd6742c360b2d9652b7f78d9bd7d”.
That’s very different from the previous hash, yet all that changed was the case of one letter.
It’s the same with your fingerprinting graphic. It’ll always be converted into the same hash, but if there’s even one pixel that’s different from another user’s, the two hashes will be very distinct.
By hashing these browser-rendered graphics, a unique fingerprint can be generated for every user.
Even differences that can’t be seen with the naked eye can result in completely different fingerprints.
Next time your browser renders the fingerprint graphic, the hash will be matched to your previous one. Thus, your activities can be linked together – and to the rest of your data.
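The hashing behaviour described above, as an added example that is not part of the original article. The pixel buffers are constructed stand-ins for a real canvas render, and all function names are hypothetical; the last step assumes a browser that blocks canvas readback returns identical blank pixels for everyone.

```python
import hashlib
from collections import defaultdict

WIDTH, HEIGHT = 16, 4  # constructed toy canvas, not a real render size


def render(device_quirk: int) -> bytes:
    """Constructed stand-in for a hidden canvas render, as RGBA bytes.

    device_quirk models a rendering difference too small to see: it shifts
    the red channel of a single pixel by that amount.
    """
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            pixels += bytes((x * 16 % 256, y * 64 % 256, 128, 255))
    pixels[0] = (pixels[0] + device_quirk) % 256
    return bytes(pixels)


def blocked_render() -> bytes:
    """Assumed behaviour of a browser that blocks canvas readback: blank pixels."""
    return bytes(WIDTH * HEIGHT * 4)


def digest(data: bytes) -> str:
    """MD5, as in the article's "cat" example (an identifier, not a security control)."""
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def link_visits(visits):
    """Group visit labels by the hash of the pixels each visit produced."""
    groups = defaultdict(list)
    for label, pixels in visits:
        groups[digest(pixels)].append(label)
    return dict(groups)


if __name__ == "__main__":
    print(digest(b"cat"))  # the article's example input
    a, b = digest(render(0)), digest(render(1))
    print(a, b, differing_bits(a, b), "of 128 bits differ")
    visits = [("A monday", render(0)), ("B monday", render(1)),
              ("A friday", render(0)), ("B friday", render(1))]
    print(link_visits(visits))   # two groups: A's visits and B's visits
    blocked = [(label, blocked_render()) for label, _ in visits]
    print(link_visits(blocked))  # one group: the hash separates nobody
```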
Cookies aren’t technically browser fingerprinting – they’re a separate method of web tracking.
But we mention them here for the sake of awareness, because they often go hand-in-hand with fingerprinting.
Cookies are small files that websites place in your web browser to identify you. They typically contain and collect data that allows you to be persistently identified over time.
Let’s say you visit a site and accept its cookie. It collects your browser info and IP address, plus it stores your language preferences and the pages you visit.
Next time you visit the site, it’ll automatically use your preferred language and show you your most recently-viewed pages. No need for an account – the cookie handled everything.
But data is valuable, and cookies gather it with such ease that they’re often used for tracking and advertising.
Often, their cookies also collect fingerprinting data like browser version and system stats.
These “tracking cookies” are collected by third parties, but also by websites themselves. The site owners collect visitor data and sell it to advertisers and data brokers.
When combined with other browser fingerprinting methods like WebGL, cookies are capable of powerful and discreet personal data collection.
Why Do Websites Want My Browser Fingerprint?
We’ve touched briefly on some of the reasons why websites collect browser fingerprints.
Now, let’s explore these motives in-depth.
By far the most popular use of browser fingerprinting is for advertising.
Advertising is the backbone of just about every free website these days.
You don’t need to pay for your Facebook profile, and that’s because Facebook made $16.6 billion from ads in Q4 2018.
That’s just three months of advertising revenue for one company. And, in many cases, such huge figures are largely thanks to browser fingerprinting.
By tracking your browsing activity, advertisers can learn a lot about you. Your interests, dislikes, habits, contacts, schedules, location and other personal data are reflected by your browsing history.
But if ad providers needed people to voluntarily hand over their browser history, they’d go out of business.
By using browser fingerprinting, they can reliably track you around the web without you ever knowing.
And once your activity log is in their hands, all it takes is a bit of analysis to figure out who you are.
Then you can be served with personalized ads, which you’re more likely to click on than irrelevant ads. And more clicks mean more money, especially when millions of others are clicking, too.
Hacking and Malware
Security researchers find new software exploits every day. Web browser vulnerabilities are common, as are OS security holes.
Usually, companies are quick to patch security vulnerabilities with updates. But users who don’t install those updates and continue running affected versions of software are still at risk.
Browser fingerprinting provides an easy, invisible way for websites to learn your browser and OS versions.
But it makes it equally easy for hackers to learn those, too.
All a hacker needs to do is set up a website with a fingerprinting script, then scan the results for anyone still using the vulnerable software version.
And voila – they’ve got a list of targets, plus their IP addresses. From there, they can steal data, spread malware and cause all manner of digital damage.
Not all uses of browser fingerprinting are so undesirable. Some websites implement it to detect fraud and prevent unauthorized access.
Say you usually access your bank’s website from the same computer.
The bank has your browser fingerprint on file, so next time it sees it, it knows you’re the real account owner.
But one day, an identity thief logs into your account. They used the right username and password, but their browser fingerprint is different from yours.
This new fingerprint hasn’t been associated with your account before.
So your bank blocks the login attempt and sends you an alert notifying you of a potential account breach.
It’s a scenario that happens every day, and an excellent example of how browser fingerprinting can be used to do good.
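One way a site could implement the bank check described above, as an added example that is not the article's code or any real bank's. It goes slightly beyond the scenario by tolerating small changes such as a browser upgrade; the attribute names, weights, thresholds and the "step_up" tier are assumptions, and the sample fingerprints are constructed.

```python
# Weights and thresholds are assumptions for this sketch, not values from the article.
WEIGHTS = {"user_agent": 1, "timezone": 2, "language": 2,
           "screen": 2, "fonts_hash": 3, "canvas_hash": 3}
ALLOW_AT = 0.8     # near-identical to a device already on file
STEP_UP_AT = 0.5   # partly familiar: require a second factor


def similarity(known: dict, seen: dict) -> float:
    """Weighted share of attributes that match; a missing attribute never matches."""
    matched = sum(weight for attr, weight in WEIGHTS.items()
                  if attr in known and attr in seen and known[attr] == seen[attr])
    return matched / sum(WEIGHTS.values())


def assess_login(known_fingerprints: list, seen: dict) -> str:
    """Decide what to do with a login that already passed the password check."""
    if not known_fingerprints:
        return "step_up"  # nothing on file yet: verify, then enrol this device
    best = max(similarity(known, seen) for known in known_fingerprints)
    if best >= ALLOW_AT:
        return "allow"
    if best >= STEP_UP_AT:
        return "step_up"
    return "block_and_alert"


# Constructed sample fingerprints (every value is invented for the example).
OWNER = {"user_agent": "Firefox/65", "timezone": "UTC-5", "language": "en-US",
         "screen": "1920x1080", "fonts_hash": "f-01", "canvas_hash": "c-01"}
UPGRADED = {**OWNER, "user_agent": "Firefox/66"}
OTHER_BROWSER = {**OWNER, "user_agent": "Chrome/72", "canvas_hash": "c-02"}
NO_CANVAS = {k: v for k, v in OWNER.items() if k != "canvas_hash"}
THIEF = {"user_agent": "Chrome/72", "timezone": "UTC+3", "language": "en-US",
         "screen": "1366x768", "fonts_hash": "f-09", "canvas_hash": "c-09"}

if __name__ == "__main__":
    cases = (("same device", OWNER), ("after upgrade", UPGRADED),
             ("other browser", OTHER_BROWSER), ("canvas blocked", NO_CANVAS),
             ("unknown device", THIEF))
    for name, fingerprint in cases:
        score = similarity(OWNER, fingerprint)
        print(f"{name:15s} {score:.2f} {assess_login([OWNER], fingerprint)}")
```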
Fingerprinting can also be used to detect bot activity. Web bots attempt to imitate web browsers as they perform their automated behaviors like account registration and spam.
However, bots are often unsophisticated. They may send imperfect headers or fail to accurately render Canvas fingerprinting graphics.
When this occurs, some fingerprinting scripts will block the bot’s attempts to access the site.
No usable fingerprinting data, no access.
It’s a bit of a double-edged sword – real users need to give up their data to use the site. But unwanted or malicious bots that can’t provide that data are prevented from causing harm.
How Accurate Are Browser Fingerprints?
Browser fingerprints are, in a nutshell, scarily accurate.
A paper published by the Electronic Frontier Foundation revealed some shocking fingerprinting statistics.
Of the 470,161 analyzed browser fingerprints, 83.6% were instantly identifiable as unique. What’s more, 94.2% of browsers with Flash or Java enabled had instantaneously unique fingerprints.
Fingerprints change as software is upgraded and settings are adjusted, but the effect is minimal.
In the study, 37.4% of repeat visitors altered their fingerprint. But the old and new fingerprints could be automatically and accurately matched 99.1% of the time.
Desktop and laptop browsers are far easier to fingerprint than mobile browsers. The paper’s authors attribute this to the lack of mobile browser plugins and the difficulty of detecting fonts on mobile devices.
In another fingerprinting study, this one conducted by Slido, only 33% of iPhones were found to have unique fingerprints.
The remaining 67% shared a fingerprint with at least one other device; over 10% shared one with over 100 other devices.
Androids fared worse, with a little under 60% of devices possessing a unique fingerprint.
But that’s still better than any desktop OS – both Windows and macOS had unique fingerprint rates of over 70%.
What Is Fingerprint Entropy?
When determining how unique your particular browser fingerprint is, you’ll be dealing with units of entropy.
Entropy is simply a measure of uniqueness, measured in bits. The higher the entropy, the more unique the fingerprint is.
A fingerprint with 3 bits of entropy has a 1 in 2^3 chance of being the same as another fingerprint. Solve that exponent and you get 1 in 8 – so that fingerprint has a 1 out of 8 chance of matching another.
Entropy increases exponentially, so a fingerprint with 4 bits of entropy – 2^4, or 16 – is twice as unique as one with 3 bits.
The EFF paper found that their pool of fingerprints had an entropy of at least 18.1.
2^18.1 is 286,777 – so at best, a random fingerprint has just a 1 in 286,777 chance of being the same as another.
The Slido study measured entropy using various combinations of fingerprint data types.
It found that a fingerprint with only three data points – date format, user-agent (browser version) header and available screen dimensions – has an entropy of 14.2.
So based on that simple data alone, only 1 in 18,820 browsers has the same fingerprint as you. In many cases, that’s more than sufficient to identify you.
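The entropy arithmetic above, carried through on a small data set, as an added example that is not from the article or either study. The eight-browser sample is constructed, and the function names are hypothetical.

```python
import math
from collections import Counter

# Constructed sample of eight browsers: (timezone, user agent, screen size).
SAMPLE = [
    ("UTC-5", "Firefox/65", "1920x1080"),
    ("UTC-5", "Firefox/65", "1920x1080"),
    ("UTC-5", "Chrome/72", "1920x1080"),
    ("UTC-5", "Chrome/72", "1366x768"),
    ("UTC+1", "Chrome/72", "1920x1080"),
    ("UTC+1", "Firefox/65", "1366x768"),
    ("UTC+9", "Chrome/72", "1920x1080"),
    ("UTC+0", "Safari/12", "1440x900"),
]


def entropy_bits(values) -> float:
    """Shannon entropy of a list of observed values, in bits."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def surprisal_bits(value, values) -> float:
    """Bits of identifying information revealed by one specific value."""
    share = Counter(values)[value] / len(values)
    if share == 0:
        raise ValueError("value not present in sample")
    return -math.log2(share)


def one_in(bits: float) -> float:
    """Turn bits into the article's "1 in N" form: N = 2 ** bits."""
    return 2 ** bits


def unique_fraction(values) -> float:
    """Share of browsers whose value is seen exactly once in the sample."""
    counts = Counter(values)
    return sum(1 for v in values if counts[v] == 1) / len(values)


def column(index):
    """One attribute across the whole sample."""
    return [row[index] for row in SAMPLE]


if __name__ == "__main__":
    for name, idx in (("timezone", 0), ("user agent", 1), ("screen", 2)):
        print(f"{name:10s} {entropy_bits(column(idx)):.2f} bits")
    print(f"combined   {entropy_bits(SAMPLE):.2f} bits, "
          f"{unique_fraction(SAMPLE):.0%} unique")
    bits = surprisal_bits("UTC+9", column(0))
    print(f"UTC+9 alone: {bits:.0f} bits, 1 in {one_in(bits):.0f}")
    print(f"14.2 bits -> 1 in {one_in(14.2):,.0f}")
```

No single attribute in the sample exceeds 1.75 bits, yet the three combined reach 2.75 bits and make six of the eight browsers unique.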
How Can I Test My Browser Fingerprint?
Want to see what your browser fingerprint looks like – and find out how unique it is?
You’re in luck! There are several excellent tools that allow you to do just that.
The EFF, which authored one of the studies we referenced in the previous section, offers a free fingerprinting tool: Panopticlick.
Just click the “Test Me” button and wait for your results. You’ll be shown a quick five-point breakdown as well as a full-length report.
In the full report, you’ll be told what your entropy value is as well as whether your fingerprint is unique among other Panopticlick users.
You’ll also see the various data points that were collected, like your Canvas hash, fonts and headers.
AmIUnique also provides breakdowns of your fingerprint data.
You can compare your fingerprint to other users over the past 7, 15, 30 or 90 days, or throughout all time. Over a million fingerprints have been tested, so if you pick “all time” you’ll get a highly thorough comparison.
Your WebGL and Canvas results are also provided. If you’re curious about the types of graphics that are used to fingerprint you, now’s your chance to see them.
AmIUnique also shows you what percentage of users match each of your data points. This allows you to see which factors have the most potential to identify you.
How Do I Protect Myself Against Browser Fingerprinting?
Unfortunately, the only way to completely stop browser fingerprinting is to not use the internet.
As we’ve seen, fingerprints use the headers that are included with every HTTP request. And those headers alone are often enough to identify you.
The best you can do is try to make your fingerprint as unoriginal as possible. That, combined with other good security practices, will make you much less trackable.
This one’s a no-brainer. Flash isn’t going to be around for too much longer, and most reputable sites no longer use it.
For most people, Flash currently serves no purpose other than providing websites with fingerprinting data.
We recommend disabling it unless you’re sure you need it – that is, if it’s enabled in the first place.
Flash is automatically turned off in newer versions of Chrome and Firefox. Microsoft Edge is also following suit and disabling Flash by default in new versions.
Manage Plugins and Extensions Wisely
Browser plugins and extensions can be great for security and privacy. Ad and tracker blockers are nuisance-avoiding necessities and can help to minimize fingerprinting.
But there’s a catch: the more plugins you have, the more unique your fingerprint is.
The odds of someone having the same ad blocker as you are pretty high. But the odds of them also using your other 20 plugins are much, much slimmer.
Uninstall any plugins you don’t use and consider removing ones you don’t absolutely need. Many can be replaced with standalone apps that don’t play a part in your fingerprint.
Keep Up with Updates
To protect yourself against hackers who use fingerprinting for evil, stay on top of software updates.
This means restarting your browser (and, occasionally, your computer) so updates can be installed. Yes, it’s annoying, but it’s worth it.
Make sure to keep your anti-malware software updated as well. Without the newest definitions downloaded, your antivirus program can’t protect you from the latest exploits.
Some anti-malware programs, like Malwarebytes, also block various ads and trackers. A little extra security is never a bad idea, even if you already have an ad blocker.
You can try Incognito Mode, but it will only get you so far. To see why, try visiting a fingerprint checker while you’re incognito – chances are, your fingerprint is still unique.
For the most private browsing experience, you’ll need to try a different browser altogether: Tor.
Many people think of Tor as the “dark web browser” – and, indeed, that is its most publicized use.
But it’s also excellent for avoiding all types of tracking, including fingerprinting.
All Tor users have the same fingerprint, provided they don’t resize their browser window.
That’s because Tor blocks WebGL and Canvas, alters its HTTP headers and even provides alternative fonts to mitigate fingerprinting.
You probably won’t want to use Tor for everyday browsing. It can be slow due to the way it reroutes traffic, and some sites block Tor users due to fears of abuse.
However, if there’s a particular site you don’t want to be fingerprinted on, consider viewing it in Tor.
Use a VPN
A virtual private network, or VPN, is a great way to boost your online security.
It allows you to mask your location and IP address, making you appear like you’re browsing from somewhere else. A VPN also encrypts your traffic so it can’t be intercepted or monitored.
VPNs offer excellent protection against surveillance, hackers, ISPs and nosy website owners.
Unfortunately, they can only do so much about fingerprinting.
Your location and IP address may change, but the rest of your fingerprint will stay the same.
That’s not to say that you shouldn’t use a VPN anyway. Online privacy extends far beyond browser fingerprinting, and VPNs are crucial for protecting your personal data.
VPN options range from budget-friendly to luxurious. Private Internet Access and AirVPN are great affordable choices, while NordVPN and ExpressVPN offer many premium features.
Summary: Did you know that you can be uniquely identified simply by your browser configuration? Web trackers do – and they employ many sneaky techniques to obtain your browser fingerprint.