Browser Fingerprinting and 'Do Not Track'

Ever wondered why you’re seeing so many ads for VPN services recently? Enabling “Do Not Track” on your browser preferences might be the reason.

If you’ve spent any amount of time researching ways to improve your privacy online, you have probably come across the “Do Not Track” (DNT) browser option. It is one of the lowest effort privacy measures, not requiring you to sacrifice any quality of life or to ask your parents to install a different messaging service on their phones. It shouldn’t be your only defense against tracking, but there is no reason not to enable it, right? However, it turns out that enabling DNT might make you less anonymous, and more likely to be tracked across the internet.

In order to explain why that is the case, we need to explain what “fingerprinting” means in the context of internet privacy. Fingerprinting refers to a set of tracking practices that manage to dodge most currently existing data protection directives. Since GDPR came into force, many websites have started being more careful with the tracking. This doesn’t necessarily mean we are less tracked than before - just that they had to get more creative in order to do it without risking being fined. Websites still want to have a profile of you in order to better direct advertisement. The best way to do this without requiring cookies is by fingerprinting: these websites take all publicly available information about your browser, such as screen size, operating system, installed add-ons, and more, to create a profile which is very likely to be unique to you.

How common is the practice of fingerprinting? Technology columnist Geoffrey A. Fowler recently ran an experiment on browser fingerprinting being done by the 500 most popular websites in the United States. Around one-third of these websites fingerprint you (including, ironically enough, The Washington Post, where this article was first posted). For websites that engage in this practice, all publicly available data about you is used in order to create a profile that can be used to track you around the web even if you don’t use any cookies. That’s where the “Do Not Track” flag comes in to help identify you.

DNT does not in any way anonymize your data, it is just the browser sending a request to not be tracked. Basically, it says “I do not want to be tracked so, you know, please don’t”. There is no implicit threat behind it, and no penalty for ignoring it. That’s not to say that the DNT setting is useless - many websites (including Insights) respect it. The problem is that, for those websites that don’t respect it, this setting is just an extra piece of information that you’ve willingly given them. These websites not only keep tracking you, but they also know that you are privacy-conscious. This information is then passed on to the many ad providers around the internet, which can now tailor ads towards you a bit better. Just like that, you’re being shown ads for VPN services.

So let’s double down on our privacy. Let’s switch to using DuckDuckGo, Signal, Protonmail. Let’s go through the effort of telling our parents to download another messaging tool. Let’s do everything to protect our privacy. But do we still keep the DNT setting enabled in our browser? Because if we do, that might be one of the few pieces of information they have on you. Together with the rest of the metadata used for fingerprinting (including all those privacy add-ons you have installed), the DNT flag might help uniquely identify you. This, in turn, allows for the creation of a user profile that does, in fact, allow them to track you.

I wish I could leave you with reassuring remarks at this point about circumventing these issues and keeping our privacy. Unfortunately, I cannot. Instead, I will leave you with a quote from Fowler, from the previously mentioned article: “They’re doing it, I suspect because more of us are taking steps to protect our data. Privacy is an arms race — and we are falling behind.”