What is Browser Fingerprinting?

If you’ve been following tech news for the past few weeks, you might have heard about “browser fingerprinting”, and Mozilla’s attempts to stop it. The new Firefox version includes an “enhanced tracking protection” to help protect privacy - whatever that means. Their own press release is pretty spartan with details about how exactly this protection is achieved. However, news articles were quick to pop up mentioning Firefox’s fingerprint blocking. This feature is not new - it has been available (although not yet default), since May, 2019. However, including it as part of Firefox’s default tracking protection is bringing attention back to the issue of fingerprinting. But what exactly is browser fingerprinting?

Browser fingerprinting came as a very clever response to the current fight against cookie usage and tracking on the internet. As tracking users through the default ways is becoming harder, websites have started resorting to less precise, but often equally effective, ways of tracking. The most common, and easiest to implement, is fingerprinting. It works by taking the information your browser makes available to every website you visit and using it to create a unique profile of you. This profile, made from publicly available data, can be used to track you even if you are taking care of your privacy.

I was a bit skeptical when I first heard about this. How much information can be publicly available from your browser? I knew you could get the user agent - information such as browser used and version. In fact, if you used to frequent forums in the old days, you might have seen this information on an image with an emoji claiming they were hacking you, usually as part of other users’ signatures. If you kept your browser up to date, not much from this can be used to identify you, right?

Well, it turns out that a lot more information is made publicly available whenever you access a website. A lot more. Some of the information that can be collected includes:

  • Browser plugin details
  • Screen information
  • HTML5 Canvas information
  • WebGL information
  • System fonts
  • Media devices (audio, video) technical information
  • HTTP header attributes

If you want to see for yourself, visit AmIUnique to see what information they can get from you just from accessing the page, and whether or not that is enough to uniquely identify you. As far as I can tell the website is not malicious in any way, and the exercise is done purely for information purposes. Their code is open source (although this version seems very outdated), and the owners of the website claim to be researchers. Either way, the information they collect is always publicly available - every website has access to this. In my case, the fonts installed on my computer are almost enough to uniquely identify me.

So fingerprinting refers to the tactic of creating a unique profile for you based on publicly available information from your browser. How can the average person[1] fight this? It turns out that, unfortunately, there is not much to be done. As far as I can tell, there are two reliable approaches to fighting fingerprinting:

Randomize What You Can

Most of the information your browser makes available cannot be randomized, and a properly implemented algorithm would likely take this into consideration. However, since these parameters can also be changed by the user (consider, for instance, my fonts mentioned above), most fingerprinting relies on all of the information being given. This means that by randomizing certain information you can throw off a lot of fingerprinting techniques and give yourself a new profile when accessing websites. One of the most reliable parameters to spoof is the User Agent, and there is an open source plugin available to randomize it: Random User Agent. Randomizing your user agent should go a long way toward protecting you from fingerprinting, and from that guy posting on the RuneScape forums.

Be Inconspicuous

Another way to disable fingerprinting is by having the most default browser combination possible, with as little added on as possible. This means no extra fonts, no add-ons, no extra configuration. Just blend in as much as possible. Anonymity by crowd. While this would work very well, the fact is that most of us want to keep our add-ons and extensions. Having a separate browser with no configurations might do the trick, but it’s also not an ideal approach.
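To make the two approaches above concrete, here is an added example (not code from this post or from any of the tools it mentions) that measures how many visitors share a fingerprint, and what randomizing the user agent does and does not change. The profiles, attribute values and function names are all constructed for illustration, and the small FNV-1a hash is only a stand-in for whatever digest a tracker might use.

```javascript
// Added example: every profile below is constructed sample data, not a measurement.
// Attribute names follow the post's list (user agent, screen information, system fonts).

// FNV-1a 32-bit hash: a stand-in digest, chosen so the example needs no imports.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// A fingerprint is a hash over the selected attributes, taken in a fixed order.
function fingerprint(profile, attrs) {
  return fnv1a(attrs.map((a) => `${a}=${profile[a]}`).join("|"));
}

// Anonymity set: how many visitors in the population share this fingerprint.
function anonymitySet(population, profile, attrs) {
  const fp = fingerprint(profile, attrs);
  return population.filter((p) => fingerprint(p, attrs) === fp).length;
}

const ALL = ["userAgent", "screen", "fonts"];
const STABLE = ["screen", "fonts"]; // what is left when the user agent is ignored

// Hypothetical browsers: one stock install, one with extra fonts added.
const stock = { userAgent: "UA-default", screen: "1920x1080", fonts: "system-default" };
const custom = { ...stock, fonts: "system-default+FiraCode+Lato" };

// Constructed population: eight stock visitors and one customised visitor.
const population = [...Array(8).fill(stock), custom];

// The customised browser again, after a user-agent randomizer has run.
const customSpoofed = { ...custom, userAgent: "UA-random-7" };

function demo() {
  return {
    stockCrowd: anonymitySet(population, stock, ALL),   // "be inconspicuous": hidden in a crowd
    customCrowd: anonymitySet(population, custom, ALL), // extra fonts: alone in the crowd
    // "randomize what you can": a hash over all attributes no longer matches...
    spoofBreaksNaive: fingerprint(custom, ALL) !== fingerprint(customSpoofed, ALL),
    // ...but a fingerprint that skips the user agent still links both visits.
    spoofLinkedByStable: fingerprint(custom, STABLE) === fingerprint(customSpoofed, STABLE),
  };
}

console.log(demo());
```

The last two fields show the limit of randomizing a single attribute: it only helps against fingerprinting that depends on every attribute staying the same.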

The third approach is, of course, to use Firefox with fingerprinting disabled. As much as I appreciate Mozilla, I am usually wary of offering a recommendation like this - suggesting only one product and trusting that they are doing things for the best. However, as of December, 2019, there are no other reliable alternatives for blocking fingerprinting, other than trusting Firefox to do so. Given the way the wind is blowing, however, it is at least never harmful to move away from Chrome as soon as possible.[3]

Notes:

[1] Note on what I mean by “the average person”: when dealing with privacy issues, we always run into suggestions that make you completely safe, but are also completely impractical for most people. Disabling JavaScript, for instance, takes you a long way privacy-wise, but how feasible is it to get the regular person to do this, and to know when to toggle it back on to use some specific functionality? I assume that, if you’re learning about fingerprinting, then you are interested in privacy, but are not as committed as the most hardcore privacy users. If that’s the case, great! I’m writing these guides with you in mind.[2]

[2] Not you personally, as we don’t do tracking or fingerprinting here.

[3] The biggest issue I have with Firefox currently is this: it took me years to get my parents to move from Internet Explorer to Chrome. How can I tell them they need to move browsers again?