What is browser fingerprinting?

Browser fingerprinting is the process web services use to collect browser data from their users to generate unique digital fingerprints for tracking purposes.

What is browser fingerprinting?

Browser fingerprinting is a JavaScript-based method of tracking detailed information about your browser. Websites use these specialized scripts to gather small bits of data, which they can combine to generate a unique hash value that serves as your "fingerprint".

These data points can include your:

  • Browser version
  • Timezone
  • Installed plugins
  • Screen resolution
  • Hardware-specific hashes generated through technologies like Canvas and AudioContext

Surprisingly, between 80 and 90 percent of browser fingerprints are unique, making this a highly effective tracking method. Unlike cookies, which can be deleted or blocked, and IP addresses, which can be spoofed via proxy servers, browser fingerprinting is more persistent and harder to detect or avoid.

The increasing adoption of browser fingerprinting by web services raises significant privacy concerns. Companies use browser fingerprints to track you across the internet without your consent, creating a more invasive form of surveillance that is difficult to avoid.

How does browser fingerprinting work?

Browser fingerprinting is a sophisticated tracking method that exploits the slight variations between different people when all their browser details are combined. The process starts right from your browser, where the script can gather all the necessary information. 

Some of these details are readily available via JavaScript or the browser API. Other details use WebGL, Canvas, or AudioContext to generate a unique hash.

When the script has collected the correct data, it combines it to create a detailed profile of your browser. Even though each data point may not be unique on its own, the combination of these points often results in a highly distinctive browser profile. 

The script then generates a hash using a hashing algorithm and sends it to the web service to store. When subsequent requests are sent, the same hash is generated and compared with the already existing fingerprint to tell whether the user is a new or existing user.

Browser fingerprinting data points

The individual data points on their own might not be unique, but when combined, the chances of the end result being unique from device to device are extremely high. Combined uniqueness is the key to browser fingerprinting, and it's what creates highly distinctive fingerprints.
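The combining and hashing steps described above can be measured on a small population. The following is an added example, not code from the original page: it serializes a few attributes, hashes them, and counts how many visitors remain indistinguishable as attributes are combined. The visitor records, the attribute names (`ua`, `screen`, `tz`, `lang`) and the choice of a 32-bit FNV-1a-style hash are assumptions made for illustration.

```javascript
// Added example for Node.js. All visitor records below are constructed.
const visitors = [
  { ua: "Chrome/117 Win10",  screen: "1920x1080x24", tz: "UTC+1", lang: "es-ES" },
  { ua: "Chrome/117 Win10",  screen: "1920x1080x24", tz: "UTC+1", lang: "fr-FR" },
  { ua: "Chrome/117 Win10",  screen: "1366x768x24",  tz: "UTC+1", lang: "es-ES" },
  { ua: "Firefox/118 Linux", screen: "1920x1080x24", tz: "UTC+1", lang: "fr-FR" },
  { ua: "Chrome/117 Win10",  screen: "1920x1080x24", tz: "UTC-5", lang: "en-US" },
  { ua: "Safari/17 macOS",   screen: "2560x1440x30", tz: "UTC-5", lang: "en-US" },
  { ua: "Firefox/118 Linux", screen: "1366x768x24",  tz: "UTC+0", lang: "en-GB" },
  { ua: "Chrome/117 Win10",  screen: "1366x768x24",  tz: "UTC-5", lang: "en-US" },
];

// Serialize attributes with sorted keys so the same browser always yields
// the same string regardless of the order in which values were collected.
function canonicalize(attrs) {
  return Object.keys(attrs).sort().map((k) => `${k}=${attrs[k]}`).join("|");
}

// 32-bit FNV-1a-style hash over UTF-16 code units. Chosen for this example
// only; the page does not name a specific hashing algorithm.
function fingerprint(attrs) {
  const s = canonicalize(attrs);
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// Anonymity set: how many visitors are indistinguishable from `target`
// when only `keys` are observed. A set of size 1 means uniquely identified.
function anonymitySet(population, target, keys) {
  return population.filter((v) => keys.every((k) => v[k] === target[k])).length;
}

// Identifying information in bits: log2(population size / anonymity set size).
function bitsOfIdentity(population, target, keys) {
  return Math.log2(population.length / anonymitySet(population, target, keys));
}

const me = visitors[0];
for (const keys of [["ua"], ["ua", "screen"], ["ua", "screen", "tz"], Object.keys(me)]) {
  console.log(keys.join("+"), "->", anonymitySet(visitors, me, keys), "matching,",
    bitsOfIdentity(visitors, me, keys).toFixed(2), "bits");
}
console.log("fingerprint:", fingerprint(me));
```

No single attribute isolates the first visitor, but each added attribute shrinks the matching group until only one record is left.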

User-agent string

The user-agent string is a string that conveys the browser name, type, version, operating system, and device. It looks like this:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36

As you can see, this user-agent string reveals the device and browser as Chrome on a Windows 10 machine. This on its own is not unique, but it narrows down the pool of browsers that match these attributes.

Screen resolution and color depth

The screen resolution and color depth reveal the display capability of your device. An example of this attribute is 1920x1080 for screen resolution and 24-bit for color depth. Considering these two attributes vary across devices, they are good data points to combine to generate unique identifiers.

Installed browser plugins

Your browser API exposes the plugins installed on your browser. It's rare for people to have the same combination of browser plugins installed, making them good data points for building a unique browser fingerprint.

Timezone and language settings

These data points tell the fingerprinting script your local time and the language you use. While this data point is not very unique on its own, it helps to identify you compared to other people in different timezones. For example, Spanish and French people use the same timezone, but different languages.

Canvas fingerprinting

Canvas fingerprinting uses the HTML5 Canvas API to draw graphics that you can't see, allows them to render, and then generates a hash from the rendered graphics. The resulting data point is very unique to you, because it exploits the variations in your hardware and software specifications to generate a hash.

This data point can even be used as a browser fingerprint on its own, but fingerprinting scripts usually pair it with other data points to generate better results.

WebGL fingerprinting

This technique uses the WebGL API to render 3D graphics based on your GPU and drivers. The resulting hash is based on the rendering output, which is influenced by your GPU, drivers, and other hardware factors. WebGL fingerprinting is highly effective because GPUs and drivers vary between devices.

Why do websites use browser fingerprinting?

Websites use browser fingerprinting to track you and your activities across their resources. The reasons they want to track you, however, can vary. For example, some websites may want to serve you with targeted ads, whereas other web resources might want to make sure you are a real human and not a bot.

Targeted advertising

Advertising companies such as Google generate unique fingerprints to track you across different websites. The goal is to build a profile of your interests and browsing history.

By tracking you, ads become personalized and tailored specifically based on the content you consume online. This increases the likelihood of clicking on ads, generating money for both the advertisers and publishers.

Fraud detection and prevention

With browser fingerprinting, web services can prevent fraudulent activities such as account takeover, multi-accounting, and even payment fraud. This is because fraudsters mask their IP address and delete cookies when perpetrating these acts.

However, even if you use proxy servers or a VPN, web services can still tell it is the same person based on your unique browser fingerprint.

You may have noticed that sometimes, accessing your account on a different device requires a one-time passcode (OTP), as the service detects this is not the regular device you use.

Spam protection

Sometimes, the reason some services use fingerprints is to prevent spam. If your browser fingerprint looks suspicious, the website will deny access.

Similarly, when too many requests sent within a short period share the same browser fingerprint but originate from a different IP address, it suggests the requests are from the same device but routed via proxies to evade detection. This is one way that websites prevent large-scale web scraping.
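The check described above can be written as a sliding-window count of distinct IP addresses per fingerprint. This is an added example, not code from the original page: the log format (`ts` in seconds, `ip`, `fp`), the function name `flagRotatingFingerprints` and the thresholds are assumptions, and the log entries are constructed.

```javascript
// Added example for Node.js. Log entries are constructed; IPs come from the
// RFC 5737 documentation ranges and the fingerprint hashes are made up.
const requests = [
  { ts: 0,   ip: "203.0.113.10",  fp: "a1b2c3d4" }, // five IPs in eight seconds
  { ts: 2,   ip: "198.51.100.7",  fp: "a1b2c3d4" },
  { ts: 3,   ip: "192.0.2.44",    fp: "a1b2c3d4" },
  { ts: 5,   ip: "203.0.113.91",  fp: "a1b2c3d4" },
  { ts: 8,   ip: "198.51.100.23", fp: "a1b2c3d4" },
  { ts: 1,   ip: "192.0.2.5",     fp: "9f8e7d6c" }, // one IP, several requests
  { ts: 4,   ip: "192.0.2.5",     fp: "9f8e7d6c" },
  { ts: 9,   ip: "192.0.2.5",     fp: "9f8e7d6c" },
  { ts: 10,  ip: "203.0.113.60",  fp: "55aa55aa" }, // two IPs, ten minutes apart
  { ts: 610, ip: "198.51.100.80", fp: "55aa55aa" },
];

// Return fingerprints seen from more than `maxIps` distinct IP addresses
// inside any sliding window of `windowSec` seconds.
function flagRotatingFingerprints(log, windowSec, maxIps) {
  // Group requests by fingerprint in timestamp order.
  const byFp = new Map();
  for (const r of [...log].sort((a, b) => a.ts - b.ts)) {
    if (!byFp.has(r.fp)) byFp.set(r.fp, []);
    byFp.get(r.fp).push(r);
  }
  const flagged = [];
  for (const [fp, reqs] of byFp) {
    let start = 0;
    let peak = 0;
    for (let end = 0; end < reqs.length; end++) {
      // Advance the left edge until the window spans at most windowSec seconds.
      while (reqs[end].ts - reqs[start].ts > windowSec) start++;
      const ips = new Set(reqs.slice(start, end + 1).map((r) => r.ip));
      peak = Math.max(peak, ips.size);
    }
    if (peak > maxIps) flagged.push({ fp, distinctIps: peak });
  }
  return flagged;
}

console.log(flagRotatingFingerprints(requests, 60, 3));
```

Identical device models with default settings can produce the same fingerprint, so a hit is better treated as a reason to challenge the client than as proof of proxy rotation.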

Privacy implications of browser fingerprinting

Browser fingerprinting raises privacy concerns because of how unique a browser's fingerprint can be, coupled with the fact that you do not opt in to this kind of tracking. In fact, many people do not even realize that websites are tracking them in this way.

Persistent

Fingerprints are persistent, remaining the same across sessions, even if you delete cookies or are in incognito mode. Whatever you do, your fingerprint remains the same. The persistent nature of browser fingerprinting means that websites do not delete the data they store about you and can use it to track you for as long as they like.

No consent

You do not have control over your browser fingerprint and cannot delete it. This is quite different from cookies, which you can manage and delete where necessary. Browser fingerprinting also doesn't require you to opt in or consent: it is done silently in the background without you even knowing.

Cross-site tracking

Other tracking methods such as cookies are site-specific. Browser fingerprinting is not.

Web services that have their scripts on hundreds, thousands, or millions of sites can track you across different sites. Advertising companies like Google and anti-spam systems like Cloudflare can track you and your activities across many of the most popular sites on the web.

Lack of transparency

Another issue is the lack of transparency. No one knows what their generated fingerprint is used for, how it is stored, and whether it is shared with third parties or not. This gives room for potential abuse, as it can be exploited by malicious actors for identity theft, fraud, or surveillance.

Countermeasures

While browser fingerprints are difficult to evade, they are not foolproof. There are countermeasures to stay ahead of browser fingerprinting or prevent it altogether.

Use privacy-focused browsers and extensions

Browsers like the Tor browser resist fingerprinting by making all devices and browsers look the same. They also disable or limit access to browser APIs that reveal some identifiable details. However, Tor can be really slow. An alternative is to use anti-fingerprinting browser extensions such as Privacy Badger, CanvasBlocker, and uBlock Origin.

Disable JavaScript

Since most fingerprinting measures are based on JavaScript, disabling JavaScript will render them useless. However, most websites depend on JavaScript for some of their functionality, so disabling it might make the web inaccessible. For example, in the past, you could access Google Search without enabling JavaScript, but this is no longer the case, and you'll need to enable JavaScript to access search results.

Virtual machines

If you run a browser on a virtual machine, the fingerprint script will generate a hash based on your virtual machine rather than your real browser. This is a very effective way to evade browser fingerprinting, but it is resource-intensive and slow. It also requires some technical knowledge and financial investment to achieve correctly.

Antidetect browsers

The best way to counter browser fingerprinting measures is by using an antidetect browser. These browsers spoof your real browser fingerprint with a different one, depriving web services of your real fingerprint. Antidetect browsers also allow you to generate multiple browser profiles, each with its own fingerprint.
