Browser Fingerprinting: An In-Depth Understanding of How You're Tracked Online

Browser fingerprinting has rapidly emerged as a stealthy technique for companies to profile your interests and behavior across the web. But most users remain unaware of how browser fingerprinting works and its privacy implications. This comprehensive guide will fully demystify this important online tracking method.

The Rising Popularity of Browser Fingerprinting

In recent years, browser fingerprinting has exploded in adoption among advertisers, data brokers, and tech giants like Google and Facebook. By 2019, over 30% of the top 100,000 websites were using browser fingerprinting according to a study by Mozilla.

What accounts for its popularity? Browser fingerprinting offers companies unparalleled capability to track users without consent compared to cookies:

  • Fingerprints uniquely identify users with 90%+ accuracy according to researchers at Princeton and KU Leuven.

  • Fingerprinting connects user activity across devices, avoiding the limitations of device-specific cookies.

  • Browser fingerprints are nearly impossible for average users to mask or spoof due to the diversity of collected attributes.

  • Users have no notice that fingerprinting is occurring, unlike cookie consent banners under GDPR rules.

Armed with user data derived from fingerprinting, companies can assemble detailed behavior profiles and target advertising with frightening accuracy. With profits to be made, the online tracking industry has raced to deploy fingerprinting widely.

But privacy advocates argue this fundamentally erodes individual rights – turning web users into data commodities without their knowledge or choice. As users come to understand fingerprinting, many will likely take steps to mitigate such invasive tracking.

How Browser Fingerprinting Works Technically

Websites rely on front-end code primarily written in JavaScript to extract identifying information from browsers:

[Diagram: how browser fingerprinting collects data]

This code utilizes standard web APIs implemented in all major browsers – no special plugins or extensions required. For instance:

  • The Canvas API provides functions like drawImage() to render shapes, text, and images that sites analyze for unique graphic capabilities.

  • The WebGL API offers 3D rendering through methods like drawElements() to characterize a device's GPU.

  • The Audio API with createOscillator() generates tones to identify microphone and speaker configurations.

  • The Font Enumeration API detects installed fonts through methods like queryCommandSupported().

In this way, benign APIs meant for other purposes are repurposed for fingerprinting. The script collects results across the various APIs and combines them into a consolidated fingerprint record that might look like:

// Illustrative fingerprint record; "..." marks values elided in the original.
const fingerprint = {
  userAgent: "Chrome 101.0.4951.64 on Windows 10",
  screenResolution: [1280, 720],
  timezone: "America/Los_Angeles",
  fonts: ["Arial", "Times New Roman" /* ... */],
  audio: "24 bit, 48000 Hz, stereo",
  webgl: ["WebGL 1.0 (OpenGL ES 2.0 Chromium)", "ANGLE (NVIDIA, NVIDIA GeForce ..."],
  canvas: "18ee342086e9ae1db2f5c10f74a81492c",
  cookiesEnabled: true,
  // ...
};

With dozens of attributes in the final fingerprint, websites can assign users long-lived statistical identifiers with high accuracy, avoiding logins.
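The following added example (not code from the original article) shows why such an identifier outlives cookie clearing and how to see which attributes a countermeasure actually changed. The function names, the FNV-1a stand-in hash, and all sample values are assumptions made for illustration.

```javascript
// Serialize with sorted keys so identical attributes always give the same string.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const parts = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

// FNV-1a (32-bit), used here only as a short stand-in hash (an assumption;
// the article does not say which hash real scripts use).
function fingerprintId(record) {
  const s = canonicalize(record);
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Attributes whose values differ between two records.
function changedAttributes(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...keys].filter((k) => canonicalize(a[k]) !== canonicalize(b[k])).sort();
}

// Constructed sample data.
const firstVisit = {
  userAgent: "Chrome 101.0.4951.64 on Windows 10",
  screenResolution: [1280, 720],
  timezone: "America/Los_Angeles",
  fonts: ["Arial", "Times New Roman"],
  cookiesEnabled: true,
};
// Same browser after clearing cookies: every attribute is unchanged
// (keys are listed in a different order to exercise canonicalize).
const afterCookieClear = {
  cookiesEnabled: true, fonts: ["Arial", "Times New Roman"],
  timezone: "America/Los_Angeles", screenResolution: [1280, 720],
  userAgent: "Chrome 101.0.4951.64 on Windows 10",
};
// Same browser with only the user agent spoofed.
const spoofedAgent = { ...firstVisit, userAgent: "Firefox 100.0 on Windows 10" };

console.log(fingerprintId(firstVisit) === fingerprintId(afterCookieClear));
console.log(changedAttributes(firstVisit, spoofedAgent));
```

Comparing records captured before and after enabling a defense shows whether it altered anything a site can observe.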

Major Companies Using Fingerprinting

Many prominent tech companies quietly adopt browser fingerprinting even while publicly championing privacy:

  • Google – Uses fingerprinting for cross-device ad targeting and fraud prevention in services like Google Ads according to researchers.

  • Facebook – Leverages fingerprinting to augment user data from across Facebook's family of apps and services.

  • Oracle – Deploys fingerprinting on sites of cloud customers like Lowe's and AMC Theatres to enhance Oracle Data Cloud's profiles.

  • Twitter – Uses fingerprinting signals to improve ad targeting and correlate activity across browsers and devices according to reports.

  • Adobe – Adobe Analytics uses fingerprinting to identify website visitors in the absence of cookies according to Adobe documentation.

  • Mailchimp – Fingerprinting helped Mailchimp link activity to individual subscribers and lower fake signups on their platform.

In each case, companies cite benefits around fraud prevention and personalization as justification. But consumers often perceive fingerprinting as a violation of their expectations, one that would likely provoke backlash if it were not done so surreptitiously.

Controversies Around Browser Fingerprinting

The opaque nature of browser fingerprinting has fueled many controversies in recent years:

  • In 2021, a class action lawsuit alleged Oracle engaged in illegal tracking by fingerprinting visitors to customer websites like Walmart, TMZ, and HuffPost.

  • Privacy researchers have highlighted fingerprinting on sites like PatientBank and WebMD as extremely concerning, allowing sensitive health data to be correlated.

  • The media site Gizmodo faced backlash after readers discovered their site was fingerprinting all visitors without notice to sell data.

  • Browser makers like Apple, Mozilla, and Brave have worked to restrict fingerprinting capabilities in order to protect user privacy.

  • The Electronic Frontier Foundation includes eliminating fingerprinting as part of its campaign for "Do Not Track" to become an enforceable web standard.

As awareness grows, companies utilizing fingerprinting will likely need to provide much more transparency into how they handle data derived from the technique. And better legal safeguards around consent may arise in response to rising privacy concerns.

Fingerprinting vs. Cookies: A Comparison

Browser fingerprinting is often portrayed as a successor to cookie tracking, but the two approaches have key differences:

| | Cookies | Fingerprinting |
|---|---|---|
| Blockability | Can be blocked by user settings or extensions | Very difficult to block completely |
| Spoofability | Simple to edit, spoof, or clear cookies | Challenging to mask fingerprint due to many factors |
| Consent | Prompts required in EU and California | Typically occurs without notice or consent |
| Persistence | Disappear after each session | Persists across sessions until configuration changes |
| Correction | Data can be updated/deleted | No ability for user to correct data |
| Cross-device tracking | Usually device-specific | Can track across all user's devices |

Fingerprinting provides marketers, advertisers, and data companies compelling advantages in secretly collecting user information. But those same strengths raise alarm among privacy advocates.

Emerging and Future Browser Fingerprinting Techniques

Researchers continue exploring new avenues to derive identifying signals from browsers:

  • Stylometry – analyzing small variations in how users type and write based on keystroke patterns and language use.

  • WebRTC Leaks – fingerprinting via WebRTC APIs designed for real-time communications.

  • Battery Status – JavaScript battery status APIs reveal battery charge level and discharge time.

  • Sensor Fingerprinting – tapping into device accelerometers, gyroscopes, magnetometers.

  • Bluetooth Fingerprinting – using Bluetooth beacons to physically track proximity and correlate across devices.

These emerging techniques demonstrate how browser fingerprinting continues evolving rapidly, outpacing attempts by users and regulators to control it. Expect companies at the forefront of tracking technology to aggressively deploy new fingerprinting methods.

How Fingerprinting Compares Across Browsers

Your choice of web browser impacts what fingerprinting data can be collected:

| Browser | Fingerprint Strengths | Fingerprint Weaknesses |
|---|---|---|
| Chrome | Very accurate canvas prints; many detectable fonts and plugins | Can spoof user agent via extension |
| Safari | Hard to spoof user agent or WebGL; captures GPU driver details | Limited font enumeration |
| Firefox | Extensive font detection; difficult to spoof browser version | Inconsistent canvas prints; WebGL often blocked |
| Edge | Excellent WebGL fingerprinting | Weak font support due to privacy measures |
| Brave | Uniquely blocks most fingerprinting | Easily identifiable as Brave |

To minimize tracking, privacy-focused browsers like Firefox, Brave, and Tor aim to restrict fingerprinting while maintaining site compatibility. But opting for niche privacy browsers also makes your choice itself identifiable. There are always trade-offs.

Anti-Fingerprinting Defenses and Techniques

While no single approach can fully block browser fingerprinting, combining tactics can help thwart tracking:

  • Use a popular browser configuration shared by many others.
  • Limit extensions and plugins that increase identifiable signals.
  • Install browser extensions like CanvasBlocker and Random Agent Spoofer.
  • Regularly clear cookies, cache, and site data.
  • Access websites through Tor or a trusted VPN service.
  • Use Private/Incognito browsing which limits history and cookies.
  • On iOS/Android, limit ad tracker permissions and use privacy-focused browsers.
  • Disable JavaScript when possible, especially on sites you don't fully trust.
  • Lobby governments and companies for enhanced fingerprinting consent laws.
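The first item in the list above, and the earlier point that a niche browser is itself identifiable, both come down to how many other browsers share your attribute values. This added example (not from the original article) measures that on a small constructed population; the function names and every sample value are assumptions for illustration.

```javascript
// Constructed population of 8 browsers; real studies use far larger samples.
const repeat = (n, attrs) => Array.from({ length: n }, () => ({ ...attrs }));
const tz = "America/Los_Angeles";
const population = [
  ...repeat(3, { browser: "Chrome", fonts: "default", timezone: tz }),
  ...repeat(1, { browser: "Chrome", fonts: "custom", timezone: tz }),
  ...repeat(2, { browser: "Firefox", fonts: "default", timezone: tz }),
  ...repeat(1, { browser: "Edge", fonts: "default", timezone: tz }),
  ...repeat(1, { browser: "Brave", fonts: "default", timezone: tz }),
];

// Number of browsers in the population matching `fp` on every attribute it lists.
function anonymitySet(pop, fp) {
  return pop.filter((p) => Object.keys(fp).every((k) => p[k] === fp[k])).length;
}

// Surprisal in bits: log2(population size / matching browsers).
// 0 bits means everyone looks like this; log2(N) bits means unique among N.
function surprisalBits(pop, fp) {
  const n = anonymitySet(pop, fp);
  return n === 0 ? Infinity : Math.log2(pop.length / n);
}

// Per-attribute surprisal, highest first: which attributes single a browser out.
function mostIdentifying(pop, fp) {
  return Object.keys(fp)
    .map((k) => ({ attr: k, bits: surprisalBits(pop, { [k]: fp[k] }) }))
    .sort((a, b) => b.bits - a.bits);
}

const commonUser = { browser: "Chrome", fonts: "default", timezone: tz };
const customFonts = { browser: "Chrome", fonts: "custom", timezone: tz };
const braveUser = { browser: "Brave", fonts: "default", timezone: tz };

for (const fp of [commonUser, customFonts, braveUser]) {
  console.log(fp.browser, fp.fonts, "shares a fingerprint with",
    anonymitySet(population, fp), "of", population.length,
    "browsers; top signal:", mostIdentifying(population, fp)[0].attr);
}
```

In this sample the stock Chrome user hides among three browsers, while both the extra-fonts user and the Brave user are unique, each because of a single attribute.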

Researchers also propose new technical defenses against fingerprinting:

  • Privaricator – Open-source plugin that feeds websites randomized fingerprint data.

  • FP-Scanner – Tool that analyzes sites' fingerprinting methods and detects new techniques.

  • Government legislation – Laws strictly regulating consent and use of fingerprinting data.

But browser fingerprinting continues evolving rapidly. Expect an ongoing cat-and-mouse game between companies determined to track users and consumers pushing back to protect privacy.

In Conclusion: Understanding Browser Fingerprinting

For those concerned about privacy, understanding the techniques, incentives, risks and controversies around browser fingerprinting is key. While robust fingerprinting defenses remain elusive, this guide outlined actionable steps individuals can take to better protect themselves.

Transparency and consent should be the backbone for any ethical use of browser fingerprinting. But at present the online tracking industry remains resistant to meaningfully informing users when fingerprinting occurs.

As consumers become more aware, look for rising pressure on governments and companies to provide the protections against covert fingerprinting that people deserve. The path forward requires reconciling the appetites of commerce with consumer rights and expectations. And that dialogue must include openness about formerly hidden techniques like browser fingerprinting.

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.