Browser fingerprinting is a method that websites use to collect unique information about a browser and a network device. Initially, fingerprinting was used so that websites could be displayed correctly, but nowadays it allows websites to track a user’s online activity and build an online profile, making the user a perfect target for marketing campaigns and depriving them of online privacy.
Browser fingerprinting happens when websites collect various information about their visitors so they can distinguish them from other Internet users.
When you connect to a website through a network device, the device hands over specific data to the web server. Websites use different scripts to get to know you better. Hidden and working silently, these scripts gather unique information about you, building up your specific “fingerprint”. You can be traced across the Internet through this “fingerprint”. Browser fingerprinting would not reveal your passport name or show your face, but websites will know:
In fact, browser fingerprinting identifies users with 90-99% accuracy. For example, your fingerprint can be unique among millions of other users’ fingerprints, revealing 70+ specific attributes about your device and its settings in a matter of seconds. The fingerprinting technique is so deeply rooted that you can hardly beat it even if you know how to use a residential proxy to hide your online activities.
Why are digital trails useful, and to whom?
Browser fingerprints are not the same as cookies. Cookies are regulated, and websites ask whether you agree to their use. Digital fingerprints are collected silently, without your knowledge, let alone your consent.
Moreover, cookies can be deleted, whereas fingerprints are impossible to wipe out. The information about your digital activity is available even if you are not logged in to a website or use a “private” mode to surf the Internet.
Browser fingerprinting is possible because websites run certain scripts in the background of your browser. You can never tell if a website collects your personal information because fingerprinting scripts are similar to the legitimate scripts (built-in software called APIs) running on the website. Without them, a website would work erratically. Collected attributes can be compiled into a “hash” or a digital fingerprint.
Websites collect a bulk of information about their visitors in order to identify their fingerprints in the future and to group users with similar digital fingerprints so they can be targeted with advertising. Usually, websites use three methods to collect data about visitors’ search history, preferences, and hobbies.
Cookies are small text packets stored on your computer. They contain some data about you as a website visitor, helping websites to remember you and track your laptop to improve your user experience as a returning visitor.
It is easy to prove multiple users are the same person if they share the same cookie hash. Clearing the cookie history, however, generates a new hash.
A browser hash generates an online profile by collecting information about the user agent, operating system, Windows/iOS version, screen resolution, font settings, and more. This hash does not change if you clear the cache and cookies or use a “private” mode. However, different browsers on the same device will create different browser hashes.
A unique profile is created based on hardware data such as HTML canvas, audio fingerprint, screen data, local date and time, operating system version, battery health, CPU details, and more. Some fraudsters’ tools and plug-ins can virtually generate or emulate the same device hash. Anyone with the same phone or laptop and the same system version will create the same hashes.
Websites combine all three hashes to get a more complete picture of their visitors.
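The sketch below is an added illustration, not code from this article: it hashes constructed attribute sets into the cookie, browser and device hashes described above and shows which of them change between visits. The helper names are hypothetical, and FNV-1a stands in for whatever hash function a real script uses.

```javascript
// Added example: all attribute values below are constructed.
// FNV-1a (32-bit, over UTF-16 code units) is a stand-in hash function.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0"); // fixed-size string
}

// Serialize in sorted key order so equal attributes always hash equally.
function hashAttributes(attrs) {
  const canonical = Object.keys(attrs).sort()
    .map((key) => `${key}=${JSON.stringify(attrs[key])}`)
    .join("\n");
  return fnv1a(canonical);
}

// The three hashes the text describes, computed for one visit.
function profile(visit) {
  return {
    cookie: hashAttributes({ id: visit.cookieId }),
    browser: hashAttributes(visit.browser),
    device: hashAttributes(visit.device),
  };
}

// Names of the hashes that differ between two visits.
function changedParts(before, after) {
  return Object.keys(before).filter((part) => before[part] !== after[part]);
}

const laptop = { canvas: "render-A", audio: "35.7383", screen: "1920x1080",
                 cpuCores: 8, timezone: "Europe/Berlin" };
const firefox = { userAgent: "Firefox (constructed)", os: "Windows 10",
                  fonts: ["Arial", "Calibri"], language: "en-US" };
const chrome = { ...firefox, userAgent: "Chrome (constructed)" };

const firstVisit = profile({ cookieId: "a1", browser: firefox, device: laptop });
const cookiesCleared = profile({ cookieId: "b2", browser: firefox, device: laptop });
const otherBrowser = profile({ cookieId: "c3", browser: chrome, device: laptop });

console.log(changedParts(firstVisit, cookiesCleared));
console.log(changedParts(firstVisit, otherBrowser));
```

Clearing cookies changes only the cookie hash, while switching browsers on the same laptop leaves the device hash untouched, which is why combining the three gives a more durable identifier than any one alone.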
As for benefits, browser fingerprinting allows websites to:
Every combination of hardware and software configuration is unique, which means it can form a user’s online profile. By identifying users, websites can track their digital activity. It also helps to know whether a visitor is new or returning.
Knowing a user’s fingerprint, websites can offer their visitors specific content, like localized web pages.
Marketing specialists can also send special offers, bonuses, gift cards, or tailored discounts to loyal visitors.
When somebody tries to log in to an account that is not theirs, an online fingerprint helps to spot the suspicious activity. For instance, when a returning visitor logs in from a new device or from a different geo-location, a website can ask for extra authentication to verify the user.
When hardware and software combinations are similar for several users, it might be a sign of attempted fraud, such as bonus abuse.
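The two checks just described can be expressed as a small review pass over login events. This is an added example, not code from this article: the events, account names and hash strings are constructed placeholders, and `reviewLogins` and its threshold are hypothetical.

```javascript
// Added example: constructed login events; hashes are placeholder strings.
const events = [
  { account: "alice", deviceHash: "dev-aaaa", country: "DE" },
  { account: "alice", deviceHash: "dev-aaaa", country: "DE" },
  { account: "alice", deviceHash: "dev-ffff", country: "BR" },
  { account: "promo1", deviceHash: "dev-bbbb", country: "DE" },
  { account: "promo2", deviceHash: "dev-bbbb", country: "DE" },
  { account: "promo3", deviceHash: "dev-bbbb", country: "DE" },
];

function reviewLogins(logins, sharedDeviceLimit = 3) {
  const history = new Map();          // account -> devices and countries seen
  const accountsByDevice = new Map(); // deviceHash -> accounts that used it
  const stepUp = [];                  // logins that should get extra authentication

  for (const [index, login] of logins.entries()) {
    const known = history.get(login.account);
    if (known) {
      // Returning account: compare against what it used before.
      const reasons = [];
      if (!known.devices.has(login.deviceHash)) reasons.push("new device");
      if (!known.countries.has(login.country)) reasons.push("new location");
      if (reasons.length > 0) stepUp.push({ index, account: login.account, reasons });
    }
    // Simplification: a real system would enrol a new device only after
    // the extra authentication succeeds.
    const record = known || { devices: new Set(), countries: new Set() };
    record.devices.add(login.deviceHash);
    record.countries.add(login.country);
    history.set(login.account, record);

    if (!accountsByDevice.has(login.deviceHash)) {
      accountsByDevice.set(login.deviceHash, new Set());
    }
    accountsByDevice.get(login.deviceHash).add(login.account);
  }

  // Many accounts behind one device hash is a signal, not proof: identical
  // hardware and system versions can yield the same hash.
  const sharedDevices = [...accountsByDevice]
    .filter(([, accounts]) => accounts.size >= sharedDeviceLimit)
    .map(([deviceHash, accounts]) => ({ deviceHash, accounts: [...accounts] }));

  return { stepUp, sharedDevices };
}

console.log(JSON.stringify(reviewLogins(events), null, 2));
```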
Browser fingerprinting helps to:
Browser fingerprinting is a great tool to know a visitor, but there are some shortcomings:
Websites can identify users with high accuracy using advanced techniques. The following features help websites to interact with your browser and obtain more granular technical specifications about it and, hence, about you as well.
The canvas method is one of the most used fingerprinting techniques.
Websites are written in HTML5, which includes a small element called “canvas” that can be used to take your browser’s fingerprint. Originally it was used to draw graphics on a web page, but now it also generates certain data about a browser. The moment you visit a website, your browser renders the image(s)/text and provides detailed information about the font style, its size, and background colors.
Unlike a cookie file, a canvas fingerprint is not downloaded onto a computer or a network device, so you can’t delete it.
This particular technique traces all media devices and their IDs, e.g. audio and video cards, and connected devices, e.g. headphones, on your computer. Companies usually use so-called software development kits designed for mobile devices to see which vendor built them (Apple/Samsung or another).
With the help of the audio API, a website sends a low-frequency sound through the browser to a device, measures how the data is processed, and tests the way the device plays sound. This API does not require access to a microphone or to a speaker: audio fingerprinting detects AudioBuffer and DynamicsCompressor values.
All the data obtained from digital fingerprinting is processed through a hash function and logged as a string of letters and numbers of a fixed size that points directly to your device. Stored this way, the data is easier to encrypt, analyze and compare.
A piece of software designed to identify a browser and its version number to the website. When a website detects it, the website displays special content for specific users. Whereas web developers use User Agent switching tools to see what a site would look like on a variety of devices, fraudsters use the same tools to spoof a browser.
An open-source tool that was originally developed for application testing but now is widely used by fraudsters as well. Selenium makes it possible to automatically scrape data from a website by sending abnormal amounts of requests in a short period of time, oftentimes leading to server overload.
An outstanding feature of the Tor browser is a generalized fingerprint for each Tor user. Tor provides the highest level of anonymity. Still, a website can run a test to see if a user is running Tor, thus flagging a potentially risky user or a fraudster.
It is hardly possible to protect yourself against fingerprinting because you can’t switch off browser scripts: without them, websites would not work. However, there are tools and methods to enhance online privacy and minimize the chances of being identified.
Chrome, Edge, Safari, and Firefox allow users to browse the Internet in incognito mode. While in private mode, your fingerprint looks similar to those of other users in the same private browsing mode, which reduces (but does not eliminate) your chances of being identified as a unique visitor.
Quite a few plugins can stop invisible software trackers and spying ads from running in your browser and tracking your online activity. Activating a plugin can degrade the user experience, so you can disable these plugins on websites you trust by whitelisting them.
A free and open-source plugin that blocks scripts that activate intrusive ads.
The plugin detects invisible trackers and blocks them automatically.
The plugin blocks both general and invasive fingerprinters by default.
Anti-malware software blocks ads, harmful toolbars, and spying software invisibly running in the background of your system. These ads and spying software are linked to your browser fingerprint.
Tor, however, has a slow browsing speed, and it protects only traffic that is sent through the Tor browser.
A VPN hides your true IP address. You connect to the Internet through a VPN server first, and the VPN then connects you to the website. Address spoofing does not stop a web server from building your online profile, because an IP address is just one aspect of your digital fingerprint.
Although it masks your true IP, a VPN does not block out your browser settings, version, and other data that generate your digital fingerprint, so a web server will recognize you as a unique visitor anyway.
A VPN service cannot stop digital fingerprinting. It protects you against identification more effectively when used in combination with other blocking methods. Thus, a VPN is a great asset when it is used together with the Tor browser.
Browser fingerprinting is a method of identifying a user when they are online and tracking their digital activity. This method is not based on cookies or login sessions, which makes a fingerprint impossible to delete or erase. Unique visitors are identified by a series of browser parameters collected by web servers (from browser version to screen resolution and installed fonts). Each parameter is trivial, but when combined with other parameters it creates a unique user profile. Primarily, websites use your browsing fingerprint to target you with personalized ads; in the worst-case scenario, you can become a target of fraudsters who threaten your online safety by employing spying ads and invisible trackers that run in the background of your browser.