Browser Fingerprinting: How Does It Work?

Written by: Maria Kazarez

Browser Fingerprinting is a method that websites use to collect unique information about a browser and a network device. Initially, fingerprinting was used so that websites could be displayed correctly, but nowadays it allows websites to track a user’s online activity and create their online profile, making them a perfect target for marketing campaigns and depriving them of their online privacy.

What is Browser Fingerprinting?

Browser Fingerprinting happens when websites collect various information about their visitors so they can distinguish them from other Internet users.

When you connect to a website through a network device, the device hands over specific data to the webserver. Websites use different scripts to get to know you better. Hidden and working silently, these scripts gather unique information about you, building up your specific “fingerprint”. You can be traced across the Internet through this “fingerprint”. Browser fingerprinting would not reveal your passport name or show your face, but websites will know:

  • your network device;
  • its operating system; 
  • the browser you use; 
  • the software installed;
  • the time zone you are in; 
  • the approximate location;
  • the content language;
  • whether you use an ad blocker; 
  • the screen resolution and color depth; 
  • installed browser extensions;
  • tech specs about the drivers and more.

In fact, browser fingerprinting identifies users with 90-99% accuracy. For example, your fingerprint can be unique among millions of other users’ fingerprints, revealing 70+ specific attributes about your device and its settings in a matter of seconds. The fingerprinting technique is so deeply rooted that you can hardly beat it even if you know how to use a residential proxy to hide your online activities.

Why is Browser Fingerprinting Used?

Why are digital trails useful, and to whom?

  1. Most websites use the collected data to personalize ads providing higher revenue for marketing campaigns. 
  2. Data sellers sell the sensitive data you leave behind when you use a search engine to third parties. By looking up the information you have requested, these parties can make you a targeted offer. For example, a bank manager may offer you a loan to buy a car if you were looking for cars on sale. A life insurance company may set a higher price for the insurance policy based on the illness you have googled.
  3. Online shops usually set different prices depending on your location. If a browser shows that you live in a restricted neighborhood or in a well-to-do area, be ready to see higher prices. Even the OS you’re browsing from affects the price. Some retailers will target Mac users with higher prices, as the price of Apple products means Mac users tend to have higher incomes. Travel agencies use dynamic pricing based on the location you are in when you look for an air ticket or a hotel room.
  4. Browser fingerprinting may be used for device profiling, thus protecting you from account hijackers, potential fraudsters, or botnet connections.

Browser fingerprints are not the same as cookies. Cookies are regulated, and websites ask whether you agree to their use. Digital fingerprints are traced silently and without your knowledge, let alone your consent.

Moreover, cookies can be deleted, whereas fingerprints are impossible to wipe out. The information about your digital activity is available even if you are not logged in to a website or use a “private” mode to surf the Internet.

How does Browser Fingerprinting Work?

Browser fingerprinting is possible because websites run certain scripts in the background of your browser. You can never tell if a website collects your personal information because fingerprinting scripts are similar to the legitimate scripts (built-in software called APIs) running on the website. Without them, a website would work erratically. Collected attributes can be compiled into a “hash” or a digital fingerprint.

Websites collect a bulk of information about their visitors in order to identify their fingerprints in the future, forming groups of users with similar digital fingerprints to target them for advertising purposes. Usually, websites use three methods to collect data about visitors’ search history, preferences, and hobbies.

These are:

Cookie Hash

Cookies are small text packets stored on your computer. They contain some data about you as a website visitor, helping websites to remember you and track your laptop to improve your user experience as a returning visitor.

It is easy to prove multiple users are the same person if they share the same cookie hash. Clearing the cookie history, however, generates a new hash.

Browser Hash

Browser hash generates an online profile by collecting information about the user agent, operating system, Windows/iOS version, screen resolution, font settings, and more. This hash does not change if you clean up the cache and cookies or use a “private” mode. However, different browsers on the same device will create different browser hashes.

Device Hash

A unique profile is created based on hardware data such as HTML canvas, audio fingerprint, screen data, local date and time, operating system version, battery health, CPU details, and more. Some fraudsters’ tools and plug-ins can virtually generate or emulate the same device hash. Anyone with the same phone or laptop and the same system version will create the same hashes.

For better results, websites combine all three hashes to have a better picture of their visitors.  

What are the Advantages and Disadvantages of Browser Fingerprinting?

As for benefits, browser fingerprinting allows websites to:

Identify users

Every combination of hardware and software configuration is unique, which means that it can form a user’s online profile. By identifying users, websites can track their digital activity. It also helps to know whether a visitor is a unique visitor or a returning user.

Deliver customized content 

Knowing a user’s fingerprint, websites can offer their visitors specific content, like localized web pages.

Marketing specialists can also send special offers, bonuses, gift cards, or tailored discounts to loyal visitors. 

Block hacker attempts

When somebody is trying to log in to an account that is not theirs, an online fingerprint helps to spot the suspicious actions. For instance, when a returning visitor is logging in from a new device or from a different geo-location, a website can ask for extra authentication to verify the user.

Spot multi-accounting fraud attempts 

When hardware and software combinations are similar for several users, it might be a sign of a fraud attempt to benefit from bonus abuse, for example.
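A server-side sketch of the two checks just described, as an added example that is not code from the article: it asks for extra authentication on an unfamiliar device or location and flags device hashes shared by several accounts. The function names, the `dev-*` hash placeholders, the threshold and the login events are all constructed assumptions.

```javascript
// Added example. Login events are constructed; deviceHash values are placeholders.
const sampleEvents = [
  { account: "alice", deviceHash: "dev-A", country: "DE" },
  { account: "alice", deviceHash: "dev-A", country: "DE" },
  { account: "alice", deviceHash: "dev-X", country: "BR" },
  { account: "bonus1", deviceHash: "dev-Z", country: "PL" },
  { account: "bonus2", deviceHash: "dev-Z", country: "PL" },
  { account: "bonus3", deviceHash: "dev-Z", country: "PL" },
];

// Decide per login: first sighting enrolls the device, a known device and
// location is allowed, anything unfamiliar requires extra authentication.
function reviewLogins(events) {
  const history = new Map(); // account -> { devices: Set, countries: Set }
  return events.map((e) => {
    const h = history.get(e.account);
    if (!h) {
      history.set(e.account, {
        devices: new Set([e.deviceHash]),
        countries: new Set([e.country]),
      });
      return { account: e.account, action: "enroll", reasons: [] };
    }
    const reasons = [];
    if (!h.devices.has(e.deviceHash)) reasons.push("new-device");
    if (!h.countries.has(e.country)) reasons.push("new-location");
    // The unfamiliar device is NOT added to history here: it becomes
    // trusted only after the extra authentication succeeds.
    const action = reasons.length ? "step-up-auth" : "allow";
    return { account: e.account, action, reasons };
  });
}

// Multi-accounting signal: one device hash used by `threshold` or more
// accounts. Identical hardware can produce identical hashes, so this is
// a reason to review, not proof of fraud.
function sharedDevices(events, threshold = 3) {
  const byHash = new Map();
  for (const e of events) {
    if (!byHash.has(e.deviceHash)) byHash.set(e.deviceHash, new Set());
    byHash.get(e.deviceHash).add(e.account);
  }
  return [...byHash]
    .filter(([, accounts]) => accounts.size >= threshold)
    .map(([deviceHash, accounts]) => ({ deviceHash, accounts: [...accounts].sort() }));
}

console.log(reviewLogins(sampleEvents), sharedDevices(sampleEvents));
```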

Flag suspicious hardware/software configurations 

Browser fingerprinting helps to:

  • spot emulators and spoofing tools: software masking the real data or replicating the configuration of another user;
  • fight fake accounts and the misuse of internet services;
  • discover VPN, proxy, and Tor browser use: software that hides the real IP address and reroutes the user’s traffic through another network, possibly with malicious intent. A user can legally create a virtual private network, use a proxy for business, or opt for Tor to stay completely anonymous; the point is that browser fingerprinting technology was designed to detect such software.

Browser fingerprinting is a great tool to know a visitor, but there are some shortcomings:

  • the details about your private life, your browser, or a network device can be used to track your activities, so it is possible for advertisers to create a comprehensive online profile on you. Thus, you become a target of highly effective marketing campaigns that make you spend more money;
  • the more information advertisers store, the higher the risk of a data breach. Once leaked, it would be impossible to restore your online privacy;
  • fraudsters are experienced with specific spoofing tools and device emulators; they know how to hide their real identities and manipulate data for malicious purposes;
  • although data collection is legal in most areas of the world, the browser fingerprint solution must still be compliant with local laws and regulations. Every digital fingerprint needs to be acknowledged in a website’s terms, privacy, and cookie policies.

What are the Main Features of Browser Fingerprinting?

Websites can identify users with high accuracy using advanced techniques. The following features help websites to interact with your browser and obtain more granular technical specifications about it, hence, about you as well.

Canvas Fingerprinting

The canvas method is one of the most used fingerprinting techniques. 

Websites are written in HTML5 code, which contains a small coding element called “canvas” that takes your browser’s fingerprint. Originally it was used to draw graphics on a web page, but now it generates certain data about a browser. The moment you visit a website, your browser renders the image(s)/text and provides detailed information about the font style, its size, and background colors.

Canvas fingerprinting, in contrast to cookie files, is not downloaded onto a computer or a network device, so you can’t delete it.

Device fingerprinting

This particular technique traces all media devices and their IDs, e.g. audio and video cards, and connected devices, e.g. headphones, on your computer. Companies usually use so-called software development kits designed for mobile devices to see which vendors built them (Apple, Samsung, or another).

Audio fingerprinting

With the help of an audio API, a website sends a low-frequency sound through the browser to a device, measures how the data is processed, and tests the way the device plays sound. This API does not require access to a microphone or a speaker: audio fingerprinting detects AudioBuffer and DynamicsCompressor values.

WebGL fingerprinting and rendering fingerprinting

WebGL is a JavaScript API that renders on-screen images and graphics to estimate screen resolution and the kind of graphic card installed. 

Hashing

All the data obtained from digital fingerprinting is processed through a hash function and logged as a string of letters and numbers of a fixed size that points directly to your device. Stored this way this data is easier to encrypt, analyze and compare. 
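The hashing step, together with the cookie, browser and device hashes described earlier, as an added example that is not code from the article. SHA-256, the attribute names and the sample visits are assumptions chosen for illustration; it shows which hashes still match after cookies are cleared and after a switch to another browser on the same device.

```javascript
// Added example. Attribute names and visit data are constructed.
const { createHash } = require("crypto");

// Hash an attribute set deterministically: keys are sorted so the order
// in which attributes were collected does not change the result.
function hashAttributes(attrs) {
  const canonical = Object.keys(attrs)
    .sort()
    .map((key) => `${key}=${JSON.stringify(attrs[key])}`)
    .join("\n");
  return createHash("sha256").update(canonical).digest("hex");
}

// Split one visit into the three hashes the article names.
function threeHashes(visit) {
  return {
    cookie: hashAttributes({ cookieId: visit.cookieId }),
    browser: hashAttributes(visit.browser),
    device: hashAttributes(visit.device),
  };
}

// Names of the hashes that are identical for two visits.
function matchingHashes(a, b) {
  const ha = threeHashes(a);
  const hb = threeHashes(b);
  return Object.keys(ha).filter((name) => ha[name] === hb[name]);
}

// Constructed visits, all from one laptop.
const laptop = { os: "Windows 10", cpuCores: 8, screen: "1920x1080x24" };
const browserA = { userAgent: "ExampleBrowserA/1.0", language: "en-US", fonts: ["Arial", "Calibri"] };
const browserB = { userAgent: "ExampleBrowserB/7.2", language: "en-US", fonts: ["Arial", "Calibri"] };

const firstVisit = { cookieId: "c-1001", browser: browserA, device: laptop };
const afterClearingCookies = { cookieId: "c-2002", browser: browserA, device: laptop };
const otherBrowser = { cookieId: "c-3003", browser: browserB, device: laptop };

// Clearing cookies changes only the cookie hash.
console.log(matchingHashes(firstVisit, afterClearingCookies));
// A different browser on the same device keeps only the device hash.
console.log(matchingHashes(firstVisit, otherBrowser));
```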

User Agent Detection

The user agent is a piece of software that identifies a browser and its version number to the website. When a website detects it, the website displays special content for specific users. Whereas web developers use User Agent switching tools to see what a site would look like on a variety of devices, fraudsters use the same tools to spoof a browser.

Selenium Detection

Selenium is an open-source tool that was originally developed for application testing but is now widely used by fraudsters as well. It makes it possible to automatically scrape data from a website by sending abnormal amounts of requests in a short period of time, oftentimes leading to server overload.

Tor Detection

An outstanding feature of the Tor browser is a generalized fingerprint for each Tor user. Tor provides the highest level of anonymity. Still, a website can run a test to see if a user is running Tor, thus flagging a potentially risky user or a fraudster. 

How to Prevent Browser Fingerprinting?

It is hardly possible to protect yourself against fingerprinting because you can’t switch off browser scripts: without them, websites would not work. However, there are tools and methods to enhance online privacy and minimize the chances of being identified. 

You can build up solid browser protection by installing anti-malware tools, using a VPN, private browsing mode or anti-fingerprinting browsers, disabling JavaScript, and implementing security plugins.

 

Use private browsing mode

Chrome, Edge, Safari, and Firefox allow users to browse the Internet in incognito mode. While in private mode your profile fingerprints look similar to other profiles of users who also use the same private browsing mode, thus reducing your chances (but not eliminating them completely) of being identified as a unique visitor.

Use plugins 

Quite a few plugins can stop invisible software trackers and spying ads from running in your browser and tracking your online activity. Plugin activation can degrade the user experience, so you can disable these plugins on websites you trust by whitelisting them.

Adblock Plus 

A free and open-source plugin that blocks scripts that activate intrusive ads.

Privacy Badger 

The plugin detects invisible trackers and blocks them automatically. 

Disconnect 

The plugin blocks both general and invasive fingerprinters by default. 

NoScript browser extension 

Free and open-source software that blocks JavaScript on every website by default, so you need to enable JavaScript manually on a trusted website.

Disable JavaScript and Flash 

By disabling JavaScript and Flash you can protect yourself against fingerprinting more effectively. With JavaScript disabled, websites cannot detect the active plugins and fonts you are using or install certain cookies in your browser. Without JavaScript, however, websites do not function properly, and that can affect your browsing experience. Flash, in contrast, can be disabled without ruining websites’ performance.

Install security software

Anti-malware software blocks ads, harmful toolbars, and spying software invisibly running in the background of your system. These ads and spying software are linked to your browser fingerprint. 

Use Tor browser

Tor — the Onion browser — is one of the best anti-fingerprinting tools and the most secure browser. Tor browser uses certain settings which are identical for all Tor users, thus it is almost impossible to identify unique visitors and establish their fingerprints. It also blocks JavaScript on websites. 

Tor, however, has a slow browsing speed, and it protects only the traffic that is sent through the Tor browser.
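Why identical settings defeat fingerprinting, as an added example that is not code from the article: it counts how many visitors share each combination of attributes. Both populations and the attribute values are constructed and are not Tor Browser's actual settings.

```javascript
// Added example. Both populations are constructed sample data.

// Group visitors by the combination of the chosen attributes and count
// how many visitors share each combination (the "anonymity set").
function anonymitySets(visitors, keys) {
  const sets = new Map();
  for (const v of visitors) {
    const fingerprint = keys.map((k) => v[k]).join("|");
    sets.set(fingerprint, (sets.get(fingerprint) || 0) + 1);
  }
  return sets;
}

// Size of the smallest group: 1 means at least one visitor is unique.
function smallestAnonymitySet(visitors, keys) {
  return Math.min(...anonymitySets(visitors, keys).values());
}

// Fraction of visitors whose combination nobody else shares.
function uniqueShare(visitors, keys) {
  let unique = 0;
  for (const n of anonymitySets(visitors, keys).values()) if (n === 1) unique++;
  return unique / visitors.length;
}

const ALL = ["tz", "lang", "screen"];

// Ordinary browsers: every single value is shared by several visitors,
// yet no two visitors have the same combination.
const ordinary = [
  { tz: "UTC+1", lang: "en-US", screen: "1920x1080" },
  { tz: "UTC+1", lang: "en-US", screen: "1366x768" },
  { tz: "UTC+1", lang: "de-DE", screen: "1920x1080" },
  { tz: "UTC-5", lang: "en-US", screen: "1920x1080" },
  { tz: "UTC-5", lang: "de-DE", screen: "1366x768" },
  { tz: "UTC-5", lang: "de-DE", screen: "1920x1080" },
];

// A browser that reports the same settings for every user.
const uniform = Array.from({ length: 6 }, () => (
  { tz: "UTC", lang: "en-US", screen: "1000x1000" }
));

console.log("ordinary, timezone only:", uniqueShare(ordinary, ["tz"]));
console.log("ordinary, all attributes:", uniqueShare(ordinary, ALL));
console.log("uniform, all attributes:", uniqueShare(uniform, ALL));
```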

Use VPN

A VPN hides your true IP address. You connect to the Internet through a VPN server first, and the VPN then connects you to the website. Address spoofing does not stop a webserver from building your online profile, because an IP address is just one aspect of your digital fingerprint.

Masking your true IP with a VPN, however, does not block out your browser settings, version, and other data that generate your digital fingerprints, so a webserver will recognize you as a unique visitor anyway.

A VPN service cannot stop digital fingerprinting. It protects you against identification more effectively when used in combination with other blocking methods. Thus, a VPN is a great asset when it is used together with the Tor browser.

Browser fingerprinting is a method of identifying a user when they are online and tracking their digital activity. This method is not based on cookies or login sessions, which makes the fingerprint impossible to delete or erase. Unique visitors are identified by a series of browser parameters collected by webservers (from browser version to screen resolution and installed fonts). Each parameter is trivial, but when combined with other parameters it creates a unique user profile. Primarily, websites use your browsing fingerprint to target you with personalized ads; in the worst-case scenario, you can become a target of fraudsters threatening your online safety by employing spying ads and invisible trackers that run in the background of your browser.