We explain “browser fingerprinting” and how it is used to profile users and target ads to them. We then summarize measures (gleaned from articles we cite) you can take to protect against browser fingerprinting.
What is browser fingerprinting?
In plain language, browser fingerprinting (a.k.a. “device fingerprinting”) is a technique some websites use to identify a user’s computer or mobile device by analyzing data the user’s browser provides to the website, for the purpose of building a profile and usually in order to target ads matching that user’s profile.
When you browse a website, it can detect characteristics of the computer or smartphone, such as the following:
Operating system and its version number
Browser and its version number
Fonts installed on the machine
Browser plug-ins installed
And more, including “Canvas” fingerprinting, a graphics encoding technique; for details, we refer you to the articles cited further below.
In actuality, the website can detect the above as well as additional device characteristics, and the combination tends to differ from one user to the next. Thus, although a website does not know who you are or what your name, address or other identifying attributes may be, it can still build a profile of your interests and history by detecting the same technical characteristics each time you connect again. Unlike a website's cookies, which are stored on your computer and which you can delete, fingerprint data does not need to be stored on your computer; the fingerprinting website keeps it on its own or its marketing provider’s server.
How is device fingerprinting used?
Consider the following sample scenario:
A user browses a site for tennis rackets, without logging in and without providing any input data. Assume this user follows the privacy recommendations presented throughout this BoostMyPrivacy.org blog, including deleting tracking cookies whenever a session ends and using a VPN service to obfuscate the real IP address. Nonetheless, the rather unique combination of technical characteristics of the user’s computer – for example, Windows 10 with a specific release number, Firefox version 79.0, the time zone such as UTC -6, screen resolution 1920x1080, language as American English, 5 specific Firefox plug-ins, and other technical characteristics – is then logged to infer a particular user and his or her browsing behavior or areas of interest.
The next day, the same user uses the same device (or even worse from a privacy perspective, a different user uses the same device). The website will probably assume it is likely the same user because the technical characteristics of the device are the same. It can then start serving ads for tennis rackets and other tennis-related merchandise.
To see how privacy invasive this is, imagine the following real-world analogy. You enter a sports equipment physical store, without identifying yourself. A magic machine records your physical fingerprint as you enter, and a magic camera records that you were looking at tennis rackets, but walked out. You then start getting snail-mail and email advertising tennis equipment. In addition, the next time you revisit the store (e.g., to buy socks), even if unrelated to tennis, the fingerprinting machine recognizes you as a repeat customer and alerts the salesperson that you were here looking for tennis rackets the prior week, and that salesperson starts a hard sell. While the analogy isn’t perfect, it portrays the intrusiveness in question.
The rarer the combination of your device's and browser's technical characteristics, the more likely it is that you will be identifiable via fingerprinting. You can check "how unique" your computer is, and therefore how susceptible it is to fingerprinting, on either of the following sites:
If these sites tell you that the combination of your computer’s technical characteristics is relatively unique, then there is all the more reason to take the defensive measures discussed in the next section.
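The tennis-racket scenario and the "how unique" check described above, as an added example that is not code from this blog or from any site it cites. The field names, the plug-in names, the addresses and the eight-visitor population are all constructed for illustration:

```javascript
// Added illustration; field names and every visitor record are constructed.
const FIELDS = ["os", "browser", "timezone", "screen", "language", "plugins"];

// Canonical key built only from device and browser traits. IP address and
// cookies are not inputs, so a new VPN exit or a cookie wipe cannot change it.
function fingerprintKey(visitor) {
  return FIELDS.map((f) => {
    const v = visitor[f];
    return Array.isArray(v) ? [...v].sort().join(",") : String(v);
  }).join("|");
}

// Anonymity set: how many visitors in the population share this key.
function anonymitySet(visitor, population) {
  const key = fingerprintKey(visitor);
  return population.filter((p) => fingerprintKey(p) === key).length;
}

// Surprisal in bits, -log2(share of the population with this key).
// Higher means rarer; a key nobody shares yields Infinity.
function surprisalBits(visitor, population) {
  return -Math.log2(anonymitySet(visitor, population) / population.length);
}

const common = { os: "Windows 10", browser: "Firefox 79.0", timezone: "UTC-6",
  screen: "1920x1080", language: "en-US", plugins: [] };
// Day 1: the tennis-racket visitor with five plug-ins (placeholder names).
const day1 = { ...common, plugins: ["p1", "p2", "p3", "p4", "p5"],
  ip: "203.0.113.7", cookieId: "c-111" };
// Day 2: same device, cookies deleted, different VPN exit address.
const day2 = { ...day1, ip: "198.51.100.22", cookieId: null };
// Same device after removing the unusual plug-ins.
const hardened = { ...day2, plugins: [] };

const population = [day1, common, common, common, common,
  { ...common, browser: "Chrome 84.0" }, { ...common, browser: "Chrome 84.0" },
  { ...common, os: "macOS 10.15", browser: "Safari 13.1" }];

console.log("recognized on day 2:", fingerprintKey(day1) === fingerprintKey(day2));
console.log("bits before:", surprisalBits(day2, population));
console.log("bits after:", surprisalBits(hardened, population));
```

In this constructed population the day-2 visitor is still one of a kind despite the new address and deleted cookies, while the same device without the unusual plug-ins blends into a group of four.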
Browser fingerprinting defense: the legislative route
In the EU, the GDPR data privacy legislation puts limits on what personal data can be collected and lays out privacy rights for users, including informed consent, opting out by default, and other rights that should apply to fingerprinting. In the US, however, although California and other states have taken privacy rights legislation a big step forward, a comprehensive national data privacy bill is still far from reality. So we urge voters to advocate for such protections, which would constrain device fingerprinting through the core privacy tenets of limited data collection, disclosure of what is collected or transferred to other parties, informed consent, and the user's ability to access, delete, or correct personal data, or to stop the sharing of collected personal data.
Note: There are valid uses of fingerprinting, such as when a bank's fraud monitoring observes that, within a short time, different devices tried or succeeded in logging in to an account from different locations.
Browser fingerprinting defense: the technical route
There are technical steps you can take to mitigate negative effects of device fingerprinting. Each of the following sources, among others, presents device fingerprinting solutions that in combination can hinder a website's ability to exploit fingerprinting for targeted ads.
Comparitech’s How to protect yourself against invisible fingerprinting
Restore Privacy’s Device fingerprinting: explanation, tests, solutions
Wikipedia, Device Fingerprinting
We did not do our own original experimentation for this post. Based on the cited sources, we summarize below a curated and less dense checklist of steps you can take, each advocated by several of the above sources, to reduce the uniqueness of your computer’s technical characteristics; i.e., steps to make your computer look like a lot of other users’ devices and hence hinder fingerprinting:
Employ a widely-used yet privacy-focused browser: Although Google’s Chrome is the most widely used browser, we have recommended using Firefox (for Windows) or Safari (for Mac OS X or iOS), as they are more privacy-sensitive in our view, yet are also reasonably widely used, and thus force the fingerprinting algorithm to see a relatively larger pool of users for a given browser type. The privacy-focused browser Brave has a much smaller market share, but it (and some other browsers) promises current and future built-in protections against browser fingerprinting.
Use a VPN online: It obfuscates your real IP address, which means one less factor that can be used for fingerprinting.
Disable Flash: Adobe’s Flash used to be popular as a graphic animation technology, but since websites now use it less and less, you can safely disable it in your browser settings, thus suppressing one more factor in fingerprinting.
Browse using your browser's Private or Incognito mode: this tip has no consensus; some say it helps while others claim it is useless.
Restore Privacy’s "Device Fingerprinting: Explanation, Tests, & Solutions" provides a more technical guide, aimed at technically-savvy users of the Firefox or Brave browsers, to configuring the browser and adding plug-ins that fight fingerprinting.
Consider TOR: Some, including the Restore Privacy piece and the Pixel Privacy article, recommend considering the TOR browser for its privacy benefits, as well as its hindering of device fingerprinting by techniques that include disabling two technical factors that fingerprinting exploits (use of the HTML5 Canvas element and WebGL, discussion of which is beyond the scope of this post). We should note that TOR may require more technical experience and may run more slowly than what the average user would tolerate.
Compartmentalize: Some, such as the Comparitech article cited above, advocate using a separate browser and VPN service for your private use of the Internet (e.g., when you log into an account) and your public use.
Browser fingerprinting is a growing technique used by websites to achieve targeted advertising without cookies (though it has some legitimate uses such as detecting banking fraud). To fight it:
In your advocacy of data privacy protection to your legislative representatives, stipulate that the legal language protecting personal information privacy rights applies to fingerprinting as well; and
Consider the checklist above to mitigate the intrusive effects of device fingerprinting, while waiting for browsers and extensions to fight fingerprinting better themselves.