Device & Browser Fingerprinting: Explanations, Tests, & Solutions

Fingerprinting, more precisely known as browser fingerprinting and device fingerprinting, is basically a way by which websites and advertisers track you online. Every time you visit a web page, your browser sends information about its operating system, settings, IP address, and some other data about your device like screen resolution, date and time, etc.

Your browser or device sends this information when you load a website or install an app on your phone, partly because the website or app needs to know things like your screen resolution, time zone, etc. so it can adapt accordingly.

You can visit DeviceInfo.me to see what data your browser is sending. The problem is that the combination of all these “identifiers” makes your browser/device, and by extension you, unique and trackable online, even if you, say, change your IP address using a VPN, clear your browsing history & cache, or use Incognito browsing.

What Does My Device / Browser Fingerprint Contain?

Your browser or device fingerprint contains a whole host of data points or identifiers that adversaries can use to track you. Here are some of the things that your browser / device fingerprint is composed of:

  • Device Type / Model
  • Operating System
  • Browser Type & Version
  • IP address
  • Location data
  • ISP
  • Resolving Name Server Provider
  • Internet Connection Type
  • Time Zone Information
  • Languages
  • Fonts data
  • Speakers, Microphones, Webcams data
  • CPU, GPU, & Memory Information
  • Battery Status
  • Bluetooth & Other Radio Information
  • Screen Resolution, Orientation, Touchscreen, etc
  • User Agent & Browser Extensions Data
  • Flash, Java, ActiveX support information
  • Ads or other content blockers
  • Cookies & Cache-control preference
  • Canvas data
  • Do Not Track preference
  • Accounts you are logged in
  • Browser tabs data
  • WebRTC, WebGL, WebSocket Information
  • Device performance / Hardware benchmarks

All of this, combined with things like your typing speed, pointer navigation data, and much more, can help paint a very vivid picture of anyone online, and helps advertisers track you even if you are using Incognito mode or heck even a VPN. There is a more complete list of fingerprinting methods, compiled by Mozilla.

These identifiers might seem generic at first; however, there is only a minuscule chance that another user has 100% matching browser information. Panopticlick found that only 1 in 286,777 other browsers will share the same fingerprint with another user.
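To see why generic-looking identifiers add up, the following added example (not from the original article or from Panopticlick) computes how many bits each attribute reveals and how the set of matching browsers shrinks as attributes are combined. The sample population and attribute names are constructed for illustration.

```javascript
// Constructed sample population: one record per browser's reported attributes.
const population = [
  { userAgent: "Firefox/Windows", timezone: "UTC+1", screen: "1920x1080", fonts: "default" },
  { userAgent: "Chrome/Windows", timezone: "UTC+1", screen: "1920x1080", fonts: "default" },
  { userAgent: "Chrome/Windows", timezone: "UTC+1", screen: "1920x1080", fonts: "default" },
  { userAgent: "Chrome/Windows", timezone: "UTC-5", screen: "1366x768", fonts: "default" },
  { userAgent: "Chrome/Windows", timezone: "UTC-5", screen: "1920x1080", fonts: "default" },
  { userAgent: "Safari/macOS", timezone: "UTC-5", screen: "2560x1600", fonts: "default" },
  { userAgent: "Chrome/Windows", timezone: "UTC+1", screen: "1366x768", fonts: "custom-set-A" },
  { userAgent: "Firefox/Linux", timezone: "UTC+5:30", screen: "1920x1080", fonts: "custom-set-B" },
];

// Surprisal in bits of a value shared by `matches` out of `total` browsers.
function surprisalBits(matches, total) {
  return Math.log2(total / matches);
}

// Bits of identifying information behind a "1 in N browsers" statement.
function bitsFromOneIn(n) { return Math.log2(n); }

// Number of browsers that share the listed attributes of `target`.
function anonymitySet(pop, target, attrs) {
  return pop.filter(b => attrs.every(a => b[a] === target[a])).length;
}

// Per-attribute surprisal, plus the anonymity set left after combining
// each attribute with all the ones before it.
function analyse(pop, target) {
  const attrs = Object.keys(target);
  return attrs.map((attr, i) => ({
    attr,
    bitsAlone: surprisalBits(anonymitySet(pop, target, [attr]), pop.length),
    setAfterCombining: anonymitySet(pop, target, attrs.slice(0, i + 1)),
  }));
}

// Browser with a common user agent but a less common screen size and font set.
console.table(analyse(population, population[6]));
```

In this constructed population none of the first three attributes is unique on its own, yet together they leave only one matching browser. The 1 in 286,777 figure quoted above corresponds to about 18.1 bits of identifying information.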

Why is Device / Browser Fingerprinting Done?

Believe it or not, browser & device fingerprinting started as a security measure, as a means of identifying and authenticating users online. Fingerprint analysis can help with the identification and prevention of fraud and suspicious activities.

Your bank probably uses device fingerprinting to identify fraud cases and questionable online behavior. For example, a bank’s security system would be able to identify and block access if your account is being accessed from multiple locations and devices in a short period of time.

It is also being used in identification of botnets and other security measures like making two-factor authentication a bit less painful.

But, the issue is that fingerprinting is now more of a tracking & analytics feature for adversaries online, which is more invasive than ordinary cookie-based tracking.

It allows you to be tracked for months, even when you clear your browsing history, use private browsing mode, or even a VPN — disregarding very clear indications that you don’t want to be tracked.

Fingerprinting is becoming more and more common, in response to privacy-respecting browsers like Firefox that go to great lengths to block cookies and other traditional trackers.

How to Check for Device / Browser Fingerprinting?

Apart from DeviceInfo.me and BrowserLeaks, which reveal all the information that your browser sends to a website, there are many other tools that you can use to check your browser’s “uniqueness” or unique fingerprint:

Panopticlick

Panopticlick is an open source research project by Electronic Frontier Foundation, designed to better uncover the tools and techniques of online trackers and test the efficacy of privacy add-ons. It uses several simulated tracking domains to trigger tracker blockers and measures uniqueness of your browser.

Panopticlick generates a uniqueness score based on how well your browser and add-ons protect you against online tracking techniques and how uniquely your device and browser are configured, so you can see how easily identifiable you might be as you surf the web.

AmIUnique

AmIUnique is another open source research project, by DIVERSIFY, that aims to measure and study the diversity of browser fingerprints and provide developers with data to help them design good defenses. It uses several fingerprinting techniques, including WebGL and canvas.

AmIUnique provides you with a concise summary of your browser’s information as well as its uniqueness, with similarity ratios over periods of 7, 15, 30, and 90 days. There are Global Stats if you want to check which devices, browsers, time zones, and languages are the most common.

Are these Browser Fingerprinting Test Websites Accurate?

Yes and No.

Yes, both Panopticlick and AmIUnique do check how “unique” your browser’s configuration is compared to all the other browsers that have been tested on these websites.

AmIUnique also lists all the information that your browser is sending, along with how unique each particular data point (user agent, screen resolution, etc.) is compared to others in their database.

Panopticlick also checks for tracking protection, i.e. whether your browser is blocking ads and trackers, along with the uniqueness of your browser compared to others in their database.

However, they can only check against their own database, and that’s where the issue with these browser fingerprinting test websites resides. The data sample that they are using is huge, for sure, but it also contains lots of old browser data, and it may not be an accurate representation of internet users around the world.

This may not help paint a fully accurate picture of your browser’s fingerprint, but in general they are pretty good. Just don’t sweat it if your browser shows up as unique when you have already taken the steps listed below to mitigate browser fingerprinting.

How to Prevent Device / Browser Fingerprinting?

Preventing Device & Browser Fingerprinting requires blocking a lot of functionality that facilitates fingerprinting, while not making so many changes to your browser / device that it becomes unique, which would defeat the whole purpose.

The ironic aspect of blocking such functionality and installing privacy add-ons is that the more measures you take to avoid tracking, the more unique your browser fingerprint becomes. Do consider your threat model.

Mitigating fingerprinting is complicated, and you may not be able to do much on locked-in devices like phones unless you switch to something like GrapheneOS. With all of that out of the way, here are some good ways to mitigate device and browser fingerprinting:

1. Switch to a Privacy-first Browser.

Switch to a privacy respecting browser like Firefox or Brave that comes with lots of tracking protections baked in, and can be modified and hardened for your unique level of privacy and security.

A private and secure browser will not only make your internet usage private, but will also make your data secure, while boosting your browsing experience, as you won’t be loading trackers and ads that consume a considerable amount of your system resources.

2. Do Browser Modifications and Tweaks.

Follow this Firefox privacy & security guide to learn about all the about:config tweaks:

  • privacy.resistFingerprinting = true
  • privacy.trackingprotection.fingerprinting.enabled = true
  • privacy.firstparty.isolate = true
  • geo.enabled = false
  • beacon.enabled = false
  • webgl.disabled = true
  • browser.send_pings = false
  • dom.battery.enabled = false
  • media.navigator.enabled = false
  • dom.event.clipboardevents.enabled = false

Do keep in mind that blocking such functions can break some websites. Check the full Firefox guide to learn more about these configs and how you can restore your Firefox if something breaks.
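To check which of these preferences a profile actually overrides, the following added example (not from the original article or from Mozilla) parses the `user_pref("name", value);` lines of a profile's prefs.js or user.js file and compares them with the list above. The sample file content is constructed, and the function names are hypothetical.

```javascript
// The ten preferences listed above, with the values the article recommends.
const RECOMMENDED = {
  "privacy.resistFingerprinting": true,
  "privacy.trackingprotection.fingerprinting.enabled": true,
  "privacy.firstparty.isolate": true,
  "geo.enabled": false,
  "beacon.enabled": false,
  "webgl.disabled": true,
  "browser.send_pings": false,
  "dom.battery.enabled": false,
  "media.navigator.enabled": false,
  "dom.event.clipboardevents.enabled": false,
};

// Constructed sample of a profile's prefs.js / user.js content.
const samplePrefs = `
// Mozilla User Preferences
user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", false);
user_pref("geo.enabled", false);
// user_pref("beacon.enabled", false);   commented out, so not applied
user_pref("browser.startup.homepage", "about:blank");
`;

// Parse user_pref("name", value); lines; a later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const [, name, raw] of text.matchAll(re)) {
    try { prefs.set(name, JSON.parse(raw)); } catch { prefs.set(name, raw); }
  }
  return prefs;
}

// Sort each recommended pref into ok / mismatched / not set in this file.
function auditPrefs(text, recommended = RECOMMENDED) {
  const prefs = parsePrefs(text);
  const report = { ok: [], mismatched: [], notSet: [] };
  for (const [name, want] of Object.entries(recommended)) {
    if (!prefs.has(name)) report.notSet.push(name);
    else if (prefs.get(name) === want) report.ok.push(name);
    else report.mismatched.push(name);
  }
  return report;
}
```

A preference reported as not set only means the file does not override it; the value Firefox is actually using is the one shown in about:config.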

3. Use Browser Extensions & Add-ons.

Install privacy-enhancing add-ons that can help block ads, trackers, and cookies, help you spoof your browser’s user agent, and minimize the fingerprint. Here are some add-ons that you should look into:

  • uBlock Origin
  • CanvasBlocker
  • Decentraleyes
  • ClearURLs
  • Firefox Multi-Account Containers
  • Cookie AutoDelete
  • User-Agent Switcher and Manager
  • Privacy Badger
  • NoScript Security Suite
  • uMatrix

Most of these add-ons are available for both Firefox and Chromium-based browsers. Check out the complete list of privacy and security add-ons to learn more about these extensions.

4. Use a Privacy-respecting Operating System.

Your operating system is at the core of everything you do on your device. Switch to a secure and open source operating system like QubesOS on the desktop and GrapheneOS on your phone.

These open source operating systems not only make you private and secure (and anonymous, if you are using Tails OS), but also give you lots of granular controls, along with tools that can help block trackers and prevent fingerprinting.

5. Consider Doing Compartmentalization.

Compartmentalization is a wonderful approach that works on the principle of preventing any single entity from having access to all of your data, by using different apps and services for different scenarios: your email provider should not also be your search engine provider, cloud storage provider, and so on.

Check out this post on Privacy, Security, and Anonymity by Data Compartmentalization to learn about all the tactics you can employ to do compartmentalization of your digital life.

6. Disable JavaScript?

JavaScript is used in almost 97% of websites, and it is crucial for the basic functioning of lots and lots of websites and web apps on the internet. Websites like YouTube won’t even load if you disable JavaScript, but disabling JavaScript might be the most powerful defense against browser fingerprinting.

JavaScript is the programming language of the internet, so when you disable it, you are basically cutting off all the methods that websites use to detect plugins, fonts, and other functionalities, as well as preventing use of most kinds of supercookies.

Unfortunately, JavaScript can’t be disabled without breaking most of the websites we use every day. Using NoScript might be the only reasonable way to safely block JavaScript in your browser. It blocks JavaScript by default everywhere and allows you to manually re-enable it for some sites. This is a lot of work, and requires good intuitions about when a site isn’t working because JavaScript is disabled.

NoScript is an open source add-on for Firefox and Chrome, that protects you against XSS, cross-zone DNS rebinding / CSRF attacks, and Clickjacking attempts. It comes pre-installed on Tor Browser, and uses a unique whitelist based preemptive script blocking approach that prevents exploitation of security vulnerabilities with no loss of functionality.

7. Use Tor Browser.

Using the Tor Browser, without installing any additional add-ons or making any changes to settings, is the best way to get protection against browser fingerprinting for most people.

All Tor Browsers have built-in protections against trackers and fingerprinting, using standardized characteristics like the user agent string, default fallback fonts, etc. that make it harder to differentiate one Tor Browser from another. And since Tor Browser is based on Firefox, more and more of such modifications are making their way into Firefox as part of the Tor Uplift program.

The Tor Browser includes lots of patches to prevent font fingerprinting (by restricting which fonts websites can use) and Canvas fingerprinting (by detecting reads to HTML5 Canvas objects and asking users to approve them) — all of that taken together with the functionality to block JavaScript using the built-in NoScript makes the Tor Browser a strong defense against fingerprinting.

8. Try Using “Non-Rare” Stuff and Shared devices.

Last but not least, try to use “non-rare”, “common” browsers, install “regular” add-ons, and use shared devices. All of this may sound counterintuitive, and this approach will not provide you the most privacy and security, but it will make your stuff seem regular and not unique.

If you use a computer or phone that is shared among your family members, it will be harder to uniquely identify your device through fingerprinting. Someone who is using the latest version of Chrome on Windows will be way less likely to have a unique fingerprint than a Chrome user with lots of plugins, themes, and fonts installed. The first generations of smartphone browsers were comparatively hard to fingerprint.

I would still not recommend using such devices and browsers for personal use, as they don’t have proper privacy and security measures to block traditional trackers like cookies. What’s the point of using browsers and devices that have non-unique fingerprints if you are still being tracked?

The Incognito Browsing Mode & VPNs.

Let’s address the elephants in the room — Private Browsing or Incognito Browsing Modes and use of Virtual Private Networks to prevent fingerprinting.

The Incognito or Private browsing mode just deletes traces of your incognito online activity from your computer after you close the browser, which in no way, shape, or form helps you prevent fingerprinting, as there are many other things like browser type, OS, screen resolution, location, font, timezone data, etc. that are used for fingerprinting, not just cookies.

Virtual Private Networks or VPNs just mask your IP address, which is cool if you are trying to get access to something that is blocked in your region/IP address, but as I discussed in earlier sections and for Private browsing mode above, there are many other data points that make up your unique fingerprint, and the IP address is just one of them.

Don’t get me wrong, both Incognito browsing mode and VPNs are great tools, but they do little to nothing to prevent fingerprinting.

Additional Sources

Device and Browser Fingerprinting

That wraps up this post about pretty much everything you need to know about this invasive tracking capability called Device & Browser Fingerprinting. I would recommend switching to Tor Browser, Firefox or Brave to get better protection against browser fingerprinting. You should also switch to a privacy-respecting operating system for additional protection.

That’s all Folks!

I will be updating this page frequently with more information on device and browser fingerprinting and how you can prevent it. You should check out all the privacy tools that I recommend that provide you with better protection.

Do let me know of any feedback, tips, or suggestions based on the device and browser fingerprinting solutions you are using. Feel free to drop a comment below and share this article!