Browser fingerprinting – tracking behind the curtain
When it comes to mass surveillance, browser fingerprinting as a means for tracking people, isn’t as straightforward as tracking via IP addresses and cookies. Your IP address has a direct link to you as a person, cookies are locally saved on your specific device; there’s no doubt whatsoever that those techniques are used to gathering information about you and to follow you all over the internet over time. This is not the case for browser fingerprinting – which creates a very different challenge. Let’s get into it.
Quick intro (or recap if you’ve already read the tracking techniques post): browser fingerprints are the information your browser collects and shares with a website when you visit it. The procedure itself has to do with the internet and how it was built; a website simply ‘asks’ your browser things like which browser you have, which graphics card you use, which plugins you have installed, what resolution your screen has, which fonts you have downloaded, etc. This practice is used to give you the ‘right’ web experience, but also for legitimate purposes like combating fraud. The number of questions and the combination of answers make it possible to build a fingerprint and uniquely identify you.
Fingerprinting – you don’t even know you’re tracked.
Compared to cookies and IP addresses, browser fingerprinting is a bit more fuzzy. In simple terms, it’s not entirely established to what extent it’s possible, or how widely the use of browser fingerprinting is used to uniquely track masses of people globally over time. That uncertainty is not something you should rely on, however, but rather the opposite: it’s a reason for vigilance. It’s also good to remember that the situation is ever-changing, as browsers evolve all the time. This uncertainty in itself means browser fingerprinting isn’t regulated – and that there is little awareness of it as a mass surveillance tool.
It’s pretty obvious how IP addresses are being used to track people and what you could do to protect yourself against it (use a VPN). When it comes to cookies, they are increasingly regulated by law, and it’s also possible to read the text files (yes, that’s what cookies are) to find out who’s tracking you. It’s possible to remove them and manage them (note: this isn’t sufficient, and you aren’t free from cookies just because you hit ‘Reject’, but we think you’re starting to get the point). In contrast to your IP address and the cookies, browser fingerprinting as a mass surveillance tool is much more difficult to figure out. It’s a technology that acts in a much more incognito way. It’s more difficult to detect attempts and target them. In plain language: you can be tracked by browser fingerprinting without even knowing about it.
If one attribute of your browser fingerprint is unique or if the combination of several attributes is unique, your device can be identified and tracked online. In that case, no need for a cookie with an ID in it, the fingerprint is enough.
The Tor Project
Given the fact that cookies are being put under legal pressure, and that browsers today are starting to limit third-party-based tracking, it’s not a wild guess that data collectors are putting more focus on fingerprinting. As an organization focused on defending online privacy with a proven record of developing browsers that resist fingerprinting, the Tor Project consider fingerprint a growing privacy threat:
“What makes fingerprinting a threat to online privacy? It is pretty simple. First, there is no need to ask for permissions to collect all this information. Any script running in your browser can silently build a fingerprint of your device without you even knowing about it. Second, if one attribute of your browser fingerprint is unique or if the combination of several attributes is unique, your device can be identified and tracked online. In that case, no need for a cookie with an ID in it, the fingerprint is enough.”
For journalists, activists, businesses, or members of the military that rely on the confidentiality and privacy of their communications, they must now take this technique into account to protect their activities.
Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, Gildas Avoine.
Browser fingerprints have been part of the privacy discussion for 15 years, and as the Tor Project puts it: “as the web is getting richer, new APIs make their way into browsers and new fingerprinting techniques are discovered.”
But it hasn’t been until recent years that the discussion has started to gain serious momentum. As an academic survey at universities in France and Sweden stated in 2020: “For journalists, activists, businesses, or members of the military that rely on the confidentiality and privacy of their communications, they must now take this technique into account to protect their activities.”
A quarter of the world’s biggest websites are using it
Exactly how (and how much) the technology is used as mass surveillance is hidden beneath the surface. But there are a few statistics to look at. In an article titled “The Quiet Way Advertisers Are Tracking Your Browsing”, Wired tells us about a survey where they discovered that a quarter of Alexa's top 10,000 websites are running fingerprinting scripts. Or as ZDNET put it when they reported that 10 percent of the top 100,000 sites use it: “Today, browser fingerprinting is commonly used by online advertisers as a next-gen user tracking mechanism.”
“Almost one hundred percent of the fingerprints were unique”
Okay, so the technology exists and is being used. But how accurate is it? It seems like it’s not possible to say for sure that browser fingerprinting can be used as tracking technology over a longer period of time – as with cookies and IP addresses – but snapshots of unique fingerprints have been subject to research for quite some time. Back in 2010, the Electronic Frontier Foundation was able to extract unique fingerprints from 94 percent of browser users who used Flash or Java. By following users over time, as their fingerprints changed, they could guess when a fingerprint was an ‘upgraded’ version of a previously observed browser’s fingerprint, with 99.1% of guesses correct.
In 2016 researchers at universities at Rennes and Lille collected over 100,000 browser fingerprints and 90 percent of them were unique.
And researchers at Lehigh University and Washington University in St. Louis have concluded that their approach can successfully identify 99.24 percent of users.
Sophisticated scanning of your device
If you have read this far, you deserve some examples of how fingerprinting is done in practice. In its simplest form, fingerprinting techniques can just ask your browser questions: which browser do you have, which plugins are installed and so on. But there are more sophisticated ways to distinguish different people and their devices. One of the better-known techniques is called the Canvas API, and this asks asking your browser to render a specific image with text in different colors together with an emoji. Yes, an emoji. It’s true. The way your browser ‘paints’ this text and emoji gives away information about your graphics card, your video drivers and which fonts you have installed.
Another technique is used in the so-called WebGL API, where the website asks your browser to draw a triangle in 3D. The same applies here, to the naked eye it might be hard to see differences between your triangle and those created by others, but the data analysis says otherwise. The Tor project specifically calls WebGL one of the single largest fingerprinting threat browsers face: “in fact, the hash of the rendered image can be used almost identically to a tracking cookie by the web server.”
Similarly, there is a fingerprint identifying technique that uses the AudioContext API, where your browser leaves a low-frequency signal that reveals data from your sound card and its drivers.
Even nominally identical hardware devices have slight differences induced by their manufacturing process.
DrawnApart research paper
Even more sophisticated is the technology DrawnApart, where researchers from France, Israel, and Australia have shown that it’s possible to create distinct fingerprints from users that share the same model of graphics cards (GPU). The researchers wrote that “even nominally identical hardware devices have slight differences induced by their manufacturing process”; and by measuring rendering speed, they were able to bring out distinct timing variations that not only computers could see – the differences were so visual that even the human eye could detect them.
“Fingerprints are here to stay”
Alright, let’s close this fingerprint lesson with some final words from the Tor Project.
“Is fingerprinting here to stay? In the near future at least, yes. This technique is so rooted in mechanisms that have existed since the beginning of the web that it is very complex to get rid of it.”