Digital fingerprinting is the process by which remote servers that we connect to when using an online app or service, gathers little bits of information about devices, and then puts those little bits of data to form sort of a unique picture or fingerprint so to speak of our devices.
Every time you visit a web page, open up an app, your browser or device sends information about its operating system, settings, IP address, and some other data about your device like screen resolution, date and time, etc.
This is done because the website or the app needs to know things like the resolution of your screen, time zone, language preferences, etc. to adapt accordingly; you can go visit DeviceInfo.me to see what data is being sent.
The combination of all these “identifiers”, which essentially make up your device/browser fingerprint makes you, unique, and capable of being tracked online; even if you say change your IP address using a VPN, clear your browsing history & cache, or use the incognito browsing mode.
What does the digital fingerprint contain?
Web browser and installed applications have access to a great deal of data, including things like:
- Device Type / Model
- Operating System
- Browser Type & Version
- IP address
- Location data
- Resolving Name Server Provider
- Internet Connection Type
- Time Zone Information
- Fonts data
- Speakers, Microphones, Webcams data
- CPU, GPU, & Memory Information
- Battery Status
- Bluetooth & Other Radio Information
- Screen Resolution, Orientation, Touchscreen, etc
- User Agent & Browser Extensions Data
- Flash, Java, ActiveX support information
- Ads or other content blockers
- Cookies & Cache-control preference
- Canvas data
- Do Not Track preference
- Accounts you are logged in
- Browser tabs data
- WebRTC, WebGL, WebSocket Information
- Device performance / Hardware benchmarks
Mozilla has compiled a more complete list of all fingerprinting methods, which even include things like typing speed, window size, and zoom levels, among other things.
How accurate is fingerprinting?
Some websites even deploy a variety of scripts, such as the FingerprintJS library to better fingerprint users, research from 2020 found a quarter of the world’s top 10,000 websites run fingerprinting scripts.
Once a fingerprint is established, it can potentially be combined with other personal information—such as linking it with existing profiles or information murky data brokers hold about you.
Believe it or not, digital fingerprinting started as a security measure, as a means of identifying and authenticating users online, to help better identify and prevent fraud and other suspicious activity.
Say, for example, your banks’ security system probably uses fingerprinting to identify and block access to your bank account, if it detects something suspicious like your account being accessed from multiple locations and devices in a short period of time.
Fingerprint is also being used in identification of botnets, making other security measures like making things like captchas and two-factor authentication a bit less painful.
Fingerprinting isn’t something new, in fact, the EFF first identified fingerprinting back in 2010, although it has become increasingly common as advertisers try to get around ads and 3rd-party cookie blocking done by users, and browsers like Firefox.
Fingerprinting allows you to be tracked for months, even when you clear your browsing history, use private browsing mode, or even a VPN—disregarding very clear indications that you don’t want to be tracked.
Fingerprinting is increasingly becoming more and more common, in response to privacy-respecting browsers like Firefox that go to great lengths to block traditional trackers like cookies and other common trackers.
How to check for fingerprinting?
Cover Your Tracks
Cover Your Tracks, formely Panopticlick, is an open-source research project by Electronic Frontier Foundation, designed to better uncover the tools and techniques of online trackers and test the efficacy of privacy add-ons.
It uses several simulated tracking domains to trigger tracker blockers and measures uniqueness of your browser, and generates a uniqueness score based on how well your browser and add-ons protect you against online tracking techniques.
AmIUnique is another open-source research project by DIVERSIFY, that aims to measure and study the diversity of browser fingerprints, and provide developers with data to help them design good defenses.
AmIUnique provides you with a concise summary of your browsers’ information as well as its uniqueness with similarity ratio duration of 7, 15, 30, and 90 days.
There are Global Stats if you want to check what devices, browsers, time zones, and languages are the most common.
Are these Browser Fingerprinting Test Websites Accurate?
Yes and No.
Yes, both Cover Your Tracks and AmIUnique does check how “unique” your browser’s configuration is, compared to all the other browsers that have been tested on these websites.
AmIUnique also lists all the information that your browser is sending along with how unique that particular data, be it user agent, screen resolution, etc. is compared to others in their database.
Cover Your Tracks also checks for tracking protection, i.e., if your browser is blocking ads and trackers along with the uniqueness of your browser compared to others in their database.
However, they can check only from their database, and that’s where the issue with these browser fingerprinting website tests reside, the data sample of these projects may not be an accurate representation of internet users around the world.
This may not help paint a more accurate representation of your browser’s fingerprint, but, in general, they are pretty good, just don’t sweat it if your browser shows up unique if you have already taken proper steps listed below to mitigate browser fingerprinting.
How to prevent fingerprinting?
Preventing device/browser fingerprinting requires blocking a lot of functionality that facilitates fingerprinting, while not making many a whole lot of changes to your browser/device that will make it standout, and hence unique.
The weird, ironic aspect of taking measures to prevent fingerprinting like blocking functionalities and installing privacy add-ons is that the more measures you take to avoid tracking, the more unique your browser fingerprint gets—which just defeats the whole purpose of doing it in the first place.
It all depends on your threat model and what you want to protect and from whom, anyway, here are some of our recommendations:
Switch to a privacy-first browser
Privacy-respecting browsers like the Tor Browser, Mozilla Firefox, Brave come with lots of tracking and fingerprinting protections baked in to them.
Using the Tor browser will be your best bet when it comes to reducing fingerprinting, as all Tor browsers share the same privacy-enhancing configuration, making it almost indistinguishable from any other Tor browser.
It’s also recommended to not install a whole lot of add-ons, or make modifications, as they tend to make your browser unique.
Switch to a privacy-first operating system
Tails, or The Amnesic Incognito Live System, a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity, can help prevent fingerprinting as all internet connections are made exclusively through the anonymity network Tor.
Another great alternative is Whonix, a Debian–based security-focused Linux distribution that aims to provide privacy, security and anonymity on the internet.
Even using something like Fedora Workstation or Ubuntu will go a long way as they don’t collect a whole of data in the first place, and comes with lots of privacy and security features.
Consider doing compartmentalization
Compartmentalization is all about preventing access to all of your data to a single entity, by using different apps and services for different scenarios—your email provider should not be your search engine, cloud storage and so on.
Even though compartmentalization doesn’t add much to actively preventing fingerprinting, it does help prevent one data point from being potentially combined with other personal information; our guide on compartmentalization goes in a bit more detail about it.
The incognito browsing mode & VPNs
Alright, let’s address the elephants in the room—private browsing or incognito browsing modes and use of Virtual Private Networks to prevent fingerprinting.
The Incognito or Private browsing mode just deletes traces of your incognito online activity from your computer after you close the browser, which in no way shape or form helps you prevent fingerprinting; as there are many other things like browser type, OS, screen resolution, location, font, timezone data, etc. that are used for fingerprinting, not just cookies.
Virtual Private Networks or VPNs just mask your IP address, which can come handy if you want to access geo-blocked content, but just as discussed above there are many other data points that make up your unique fingerprint, IP address is just one of those data points.
Incognito browsing mode and VPNs are great tools, but they do little to nothing to prevent fingerprinting.
- Webbkoll by Anders Jensen-Urstad and Amelia Andersdotter
- This is Your Digital Fingerprint by Nick Briz and Mozilla
That’s all folks!