Privacy: “Web fingerprinting is worse than I thought”

Web fingerprinting has emerged as a sophisticated method for tracking users across browsing sessions and websites, bypassing traditional privacy measures like clearing cookies or using private browsing modes. Unlike cookie-based tracking, fingerprinting leverages unique browser and device configurations—such as browser version, CPU count, screen size, and codecs—to generate a distinct identifier for each user. This blog post explores the severity of web fingerprinting through a practical test of FingerprintJS, a service that offers fingerprinting solutions to websites. By conducting experiments across Firefox, Chromium, and Tor Browser, the study reveals that standard browsers like Firefox and Chromium are highly vulnerable to fingerprinting, even in private modes. However, enabling Firefox’s privacy.resistFingerprinting setting or using Tor Browser significantly mitigates this risk by masking key identifiers. The findings highlight the growing challenge of maintaining online privacy and recommend using privacy-focused browsers like Tor or Firefox with enhanced settings to counter fingerprinting threats.

Browser Fingerprinting: What Is It and How Does It Work?

Browser fingerprinting is a technique websites use to collect unique information about a user’s browser and device. Originally designed to ensure websites display correctly, it’s now commonly used to track online activity, build user profiles for targeted marketing, and, in some cases, compromise online privacy.

What is Browser Fingerprinting?

Browser fingerprinting occurs when websites gather specific data about visitors to distinguish them from other internet users. When you access a website, your device shares details with the web server through scripts that operate silently in the background. These scripts collect unique attributes to create a “fingerprint” that can track you across the internet. While it doesn’t reveal your name or face, this fingerprint can include:

  • Your device type
  • Operating system
  • Browser type and version
  • Installed software
  • Time zone
  • Approximate location
  • Language settings
  • Ad blocker usage
  • Screen resolution and color depth
  • Browser extensions
  • Technical details about drivers and more

Browser fingerprinting is highly effective, identifying users with 90-99% accuracy by analyzing over 70 unique attributes in seconds. Even using tools like a residential proxy may not fully prevent tracking, as fingerprinting is deeply embedded in standard web operations.

 

Why is Browser Fingerprinting Used?

Browser fingerprinting serves various purposes, from improving user experience to enabling targeted advertising and enhancing security. Here’s how it’s used:

  • Personalized Advertising: Websites leverage fingerprint data to tailor ads, boosting revenue for marketing campaigns.
  • Data Sales: Third parties purchase browsing data to offer targeted services. For example, a bank might pitch a car loan if you’ve searched for cars, or an insurer may adjust rates based on health-related searches.
  • Dynamic Pricing: Online retailers and travel agencies adjust prices based on your location, device type, or browsing habits. For instance, Mac users may see higher prices due to assumptions about income.
  • Fraud Prevention: Fingerprinting helps detect suspicious activity, such as account hijacking or botnet connections, by profiling devices.

Unlike cookies, which are regulated and can be deleted, fingerprints are collected silently without user consent and persist even in private browsing modes.

How Does Browser Fingerprinting Work?

Websites use background scripts, often indistinguishable from legitimate APIs, to collect data. These scripts compile attributes into a “hash” or digital fingerprint. Three main methods are used:

  • Cookie Hash: Cookies are small text files stored on your device, containing data to enhance your experience as a returning visitor. Clearing cookies generates a new hash, but it doesn’t stop fingerprinting.
  • Browser Hash: This collects data like user agent, operating system, screen resolution, and font settings. It remains consistent even after clearing cookies or using private mode, though different browsers on the same device produce different hashes.
  • Device Hash: This profiles hardware details, such as HTML canvas, audio fingerprint, battery health, and CPU specs. Identical devices with the same system version may share similar hashes, which fraudsters can exploit using emulators.

Websites often combine these hashes for a more accurate user profile.
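
The three hashes and their combination, as an added example (not code from the original post or from any fingerprinting product). The attribute names, sample values, the FNV-1a stand-in hash and the choice to leave the cookie out of the combined hash are all assumptions made for illustration.

```javascript
// Added illustration: attribute names and values below are constructed.

// FNV-1a (32-bit), a small stand-in for whatever hash a real script uses.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Serialize with sorted keys so identical values always give the same hash.
function hashAttributes(attrs) {
  return fnv1a(Object.keys(attrs).sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`).join("|"));
}

// The three hashes described above, plus a combined profile hash.
// Assumption: the combined hash leaves out the cookie, since the user can clear it.
function fingerprint(visit) {
  const cookie = hashAttributes(visit.cookie);
  const browser = hashAttributes(visit.browser);
  const device = hashAttributes(visit.device);
  return { cookie, browser, device, combined: fnv1a(`${browser}:${device}`) };
}

// Names of the hashes that differ between two visits.
function changedHashes(a, b) {
  return ["cookie", "browser", "device", "combined"].filter((k) => a[k] !== b[k]);
}

// Constructed sample: one machine, two browsers, three visits.
const device = { cpuCores: 8, canvas: "c4nv4s-sample", audio: "124.0434" };
const firefox = { userAgent: "Firefox/128", os: "Linux", screen: "1920x1080", fonts: 212 };
const chromium = { userAgent: "Chrome/126", os: "Linux", screen: "1920x1080", fonts: 212 };

const firstVisit = fingerprint({ cookie: { id: "a1" }, browser: firefox, device });
const cookiesCleared = fingerprint({ cookie: { id: "b2" }, browser: firefox, device });
const otherBrowser = fingerprint({ cookie: { id: "c3" }, browser: chromium, device });

console.log(changedHashes(firstVisit, cookiesCleared)); // only the cookie hash moves
console.log(changedHashes(firstVisit, otherBrowser));   // device hash still matches
```

Clearing cookies leaves the browser, device and combined hashes untouched, and switching browsers on the same machine still leaves the device hash as a common value.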

Advantages and Disadvantages of Browser Fingerprinting

Advantages

  • User Identification: Unique hardware and software combinations allow websites to track visitors and distinguish new from returning users.
  • Customized Content: Fingerprinting enables tailored content, such as localized web pages or personalized offers.
  • Security: It helps detect suspicious login attempts, multi-account fraud, or emulators used by fraudsters.
  • Fraud Detection: Fingerprinting flags VPNs, proxies, or Tor usage, which may indicate malicious intent, though these tools are also used legitimately.

 

Disadvantages

  • Privacy Risks: Collected data can be used to build detailed profiles, making you a target for aggressive marketing.
  • Data Breaches: Stored fingerprints increase the risk of privacy violations if breached.
  • Fraud Evasion: Sophisticated fraudsters use spoofing tools to manipulate fingerprints.
  • Legal Concerns: While legal in many regions, fingerprinting must comply with local privacy laws and be disclosed in website policies.

Main Features of Browser Fingerprinting

Websites use advanced techniques to gather granular data about your browser and device:

  • Canvas Fingerprinting: HTML5 canvas elements capture font styles, sizes, and rendering details, creating a unique fingerprint that can’t be deleted like cookies.
  • Device Fingerprinting: Tracks media devices, audio/video cards, and connected peripherals, often using mobile-specific software development kits.
  • Audio Fingerprinting: Measures how devices process low-frequency sounds via audio APIs, without needing microphone or speaker access.
  • WebGL Fingerprinting: Uses the WebGL JavaScript API to analyze screen resolution and graphics card details.
  • Hashing: Converts fingerprint data into a fixed-size string for easy storage, encryption, and comparison.
  • User Agent Detection: Identifies browser type and version to tailor content or detect spoofing attempts.
  • Selenium Detection: Flags automated tools used for data scraping or server overload.
  • Tor Detection: Identifies Tor browser usage, which standardizes fingerprints for anonymity but can be flagged as suspicious.

 

How to Prevent Browser Fingerprinting

Completely preventing fingerprinting is challenging since disabling browser scripts would break most websites. However, you can reduce your exposure with these methods:

  • Private Browsing Mode: Browsers like Chrome, Edge, Safari, and Firefox offer incognito modes that make your fingerprint less unique, though not entirely anonymous.

As a word of warning, we discuss here how to preserve privacy, not how to create anonymity. We will talk about anonymity in another post.

We recommend three things to increase privacy and prevent tracking:

  1. Use a VPN
  2. Use several browsers. For banking and booking plane tickets, use a major browser (e.g. Edge, Chrome, Firefox) without plug-ins.
  3. For regular browsing, use a hardened browser with privacy plug-ins. This will improve your browsing experience (no advertisements) but also degrade it (some websites will break).

Recommended Browser Extensions:

  • ClearURLs: Removes tracking elements from URLs to enhance privacy and reduce web tracking.
  • Privacy Badger: Automatically blocks trackers that violate privacy, learning from browsing behavior.
  • Random User-Agent Switcher: Randomly changes the browser’s user-agent string to obscure device and browser details, reducing fingerprinting.
  • Temporary Containers: Creates isolated browsing containers for each tab, limiting data sharing and tracking across sites.
  • uBlock Origin: Blocks ads, trackers, and malicious scripts, offering customizable content filtering.
  • Canvas Blocker: Prevents websites from using canvas fingerprinting to track users by altering canvas data output.
  • NoScript: Blocks all scripts by default, allowing users to selectively enable trusted scripts for enhanced security.
  • Font Fingerprint Defender: Randomizes font-related data to mitigate font-based browser fingerprinting.

 

You can test your configuration here:

Am I unique?

Fingerprint.

You will likely not manage to hide in the noise, so we do the opposite: we try to be unique on every visit. This means the website is NOT able to conclude that we are the same visitor. Please be advised that you may need to change your IP address via a VPN. At least the second link uses the IP address as a strong indicator.
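
A way to check whether a setup really looks different on every visit, as an added example (not code from the original post). It compares snapshots of what a site could read on successive visits and reports what stayed the same; the attribute names, values and IP addresses are constructed.

```javascript
// Constructed snapshots of what one site could read on three visits from the
// same machine with randomizing extensions on; the VPN exit changes only
// before the third visit. Attribute names are illustrative assumptions.
const visits = [
  { ip: "203.0.113.7", userAgent: "UA-71", canvas: "9f2c", fonts: 208,
    timezone: "Europe/Berlin", screen: "1920x1080" },
  { ip: "203.0.113.7", userAgent: "UA-12", canvas: "41b0", fonts: 215,
    timezone: "Europe/Berlin", screen: "1920x1080" },
  { ip: "198.51.100.23", userAgent: "UA-55", canvas: "c7e8", fonts: 203,
    timezone: "Europe/Berlin", screen: "1920x1080" },
];

// Attributes that have identical values in both snapshots.
function sharedBetween(a, b) {
  return Object.keys(a)
    .filter((k) => k in b && JSON.stringify(a[k]) === JSON.stringify(b[k]))
    .sort();
}

// Report what stayed the same across every visit (stable) and between each
// pair of consecutive visits (consecutive).
function auditVisits(snapshots) {
  const first = snapshots[0];
  const stable = snapshots.slice(1).reduce(
    (keys, snap) => keys.filter((k) => sharedBetween(first, snap).includes(k)),
    Object.keys(first).sort());
  const consecutive = snapshots.slice(1)
    .map((snap, i) => sharedBetween(snapshots[i], snap));
  return { stable, consecutive };
}

const report = auditVisits(visits);
console.log("same on every visit:", report.stable);
console.log("same between consecutive visits:", report.consecutive);
```

In this sample the randomized values differ on every visit, but the first two visits still share an IP address, and the time zone and screen size never change.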

 

 
