Article Hero
Blog20+ minutes read
November 17, 2023
  • telegram
  • facebook
  • twitter
  • github

Full Device and Browser Fingerprinting Guide

Device and browser fingerprinting are the latest tracking methods set loose on the Internet. It is a complete replacement for third-party cookies, with a deeply sinister twist that allows it to evade any protection that VPNs can offer.

But even though the VPN industry knows about fingerprinting, they've decided to play along. This sets the stage for one of the biggest, most sweeping attacks on individual privacy in the past 21 years.

In this article, we'll talk about who is currently tracking you with these fingerprinting methods, and what they can find out about you, even when using Tor or a VPN.

We'll talk about all of the tricks they use to identify you, and why you're probably not safe with your current setup. Finally, we'll cover the ways you can fight back against this invasion of your privacy.


Online Privacy: The Current Situation

News sites say that third-party web browser cookies are on the way out, ending an era of relentless advertising and tracking that has plagued billions of people. And it's true; the world finally woke up to the harm that third-party cookies can cause, and something was finally done to sunset the practice.

With the tech industry talking more and more about privacy every day, it would be easy to fall into a false sense of security. After all, if the experts are on the case, what more can we as individuals do?

The problem with that kind of thinking is twofold...

First of all, the industry won't effectively police itself when hundreds of billions of dollars in annual ad revenue is on the line. And second of all, the online advertising industry is just one of a dozen groups that want to track your every move.

No amount of their 'self-policing' is going to help you against hackers, scammers, law enforcement officials, stalkers, business competitors, and government agencies (to name just a few interested parties).

Encryption and privacy protection laws are being torn down all around the world. Mass surveillance is on the rise. People are waking up to the realization that the industry will not protect you. We're rapidly moving towards a world with no privacy protection whatsoever.

If you don't defend your devices and software, everyone will be able to see what you're doing online: Your boss, the police, the government, and the community at large.

Experts have been talking about privacy disappearing for ages.

And if you're going to listen to experts, listen to the ones who encourage you to defend your privacy online. Particularly the non-profits. The Electronic Frontier Foundation (EFF) is a great example of an organization that works tirelessly to defend your privacy.

What do they think one of the biggest threats to digital and online privacy is?

Device and browser fingerprinting.

In fact, they've even gone through the trouble of setting up their own browser fingerprinting test site in an attempt to get the word out.

Fingerprinting is such a massive threat that it's changing entire industries. VPN services have come to realize that they're useless against browser fingerprinting, and with that threat looming on the horizon, they're quickly shifting their marketing.

They know that soon they'll no longer be able to claim that they're in the 'privacy' business, and they'll need to focus on the 'security' side of the coin. All they talk about now is protecting your IP address… but they know the threat has moved on. The VPN industry simply doesn't have the technology to deal with fingerprinting, and that's frightening given how massive their budgets are.

In short: Device and browser fingerprinting are the biggest privacy threats of the 2020's.

What Is Fingerprinting?

You probably know that traditional fingerprinting is a method that attempts to match tiny grooves and patterns on someone's skin to marks left at a crime scene. It's used in law enforcement and was adapted for things such as biometric locks.

So it's important to note right away: Device fingerprinting and browser fingerprinting have nothing to do with your safety. In fact, the opposite is true.

Fingerprinting in the digital world is an attempt to use all available information to identify you, even if you wish to remain anonymous. It's a tool for advertisers, stalkers, hackers, and spies. None of them have your best interest at heart.

How Does Digital Fingerprinting Work?

Digital fingerprinting starts with figuring out what information your system is freely giving away. Every device that communicates on the Internet needs to meet certain standards and use certain protocols to be 'heard'.

Some of these standards allow a remote host to ask additional questions about your system's capabilities so that they know how to best perform on your hardware and software.

This is the heart of device and browser fingerprinting.

By recording the answers to a series of configuration questions about your device and web browser, the attacker attempts to see if your particular combination of settings and hardware is unique.

At the moment, in most countries, this doesn't require your consent. You will never be informed that the process is happening. You will never be told what the results are.

Fingerprinting happens behind your back, in silence.

Usually, this battery of tests takes only a second, and they run in the background without any visual or audio cue. Once all of your device information is harvested, it can be compared to records from the past and used again in the future.

Sometimes the process stops here. Other times, the perpetrators then try to link your device fingerprint or browser fingerprint with your real identity.

That's where the danger really begins.

Why Is Being Unique Online A Bad Thing?

Imagine someone flying over a massive crowd in a helicopter. At first, they look down and see nothing but a sea of faces and bodies.

But they know that whoever they're looking for is wearing a red shirt. Suddenly, 95% of the crowd doesn't matter. They know that they're wearing a white baseball hat. Now 99.7% of the crowd doesn't matter.

Of the dozen or so people left, all it takes is one or two more identifying features to pick out their target… a chain wallet, and tan work boots for example.

None of the features that they used is particularly interesting or special. There are millions of red shirts in the world. There are millions of white hats. Tan work boots are amazingly common. Wallets on a chain might be the rarest thing on the list, but you wouldn't think twice about seeing one 'in the wild'.

It's the combination of these things that creates a unique search, even among tens of thousands of people.

Device fingerprinting and web browser fingerprinting work the same way.

Government organizations, law enforcement, advertisers, and shady website owners can build a hardware and software profile for any user who visits their site, or a site that has one of their fingerprinting scripts running on it.

Look at any group of Internet users, let's say a pool of ten million that visit a particular fashion site. You might think that it would be hard to pick out any one person anonymously - they have no login, and there's no username attached to their visits.

But just like in our crowd search scenario above, when you consider every detectable feature about someone's device and web browser, you have a ton of data points to work with.

And it won't just be data from this site they're working with. Any visit to one of the attacker's other websites or advertising clients will get thrown into the same database. Now they can start to correlate other things, like buying patterns and click tracking patterns.

Take every detail that can possibly be mined from your system: Hardware types, chip speeds, software versions, and firmware versions. That's what the fingerprinting scripts look for. The more data they get, the more unique your imprint is going to be.

So when looking at a particular hardware combination, like graphics card and monitor type, the ten million quickly becomes a hundred thousand. The exact size of your phone's screen or your browser's window? Now it's one thousand. Have a particular browser plugin enabled? Now it's a hundred. One or two more parameters, and they have you dead to rights.

A decent device or browser fingerprinting kit can pick out unique users over 95% of the time if they aren't running privacy software. Want to try it yourself? You should visit AmIUnique.

So without using third-party cookies, without opting into any kind of probing, and using only the script types that are typically turned on to make browsing a modern website functional, it's still extremely likely that you can be tracked. Want to turn off scripting altogether? Well, 95.2% of websites use Javascript, so good luck with that.

So how hard is it to just manually change the settings that are being used to track you, once in a while?

What Settings Are Used In Browser Fingerprinting?

Let's start by focusing on web browser and web app fingerprinting. We'll get back to device fingerprinting later.

Important to note: Any technique that can be used in web browser fingerprinting can be used via a web app. Functionally, the two are nearly identical, with some display and setup parameters that limit the presentation settings available in some web apps.

Browser fingerprinting is done using several techniques, executed in parallel:

Invisible Image Rendering

How do you test a graphic card's performance without displaying anything to the user? You run a script on a website that runs on a canvas that appears behind the browser or otherwise remains invisible to the naked eye. By timing how long it takes to draw a series of images on an invisible background layer, the website can choose a set of performance options that will make the user's experience smooth and pleasant.

…and at the same time, add a tone of data to a browser fingerprinting profile.

Two main settings can be used to perform these test drawing tasks: Canvas in HTML 5, or WebGL drivers.

Once these tests have been run, the site knows the user's window size, color depth, fonts, menu bars, graphics drivers, bookmark bars, web browser version, and operating system patch level.

That's a ton of information to cross-reference, and it's only the first step in at least three.

Sound Fingerprinting

Next, a series of brief tests are run using low-frequency sound pulses. Even though they're inaudible to the user, these audio tests can check the speaker and balance setups, to improve the website's sound quality.

But as you've guessed by now, that's not their main goal. Primarily, they want to detect the user's audio drivers, available media devices and microphones, preferred and acceptable audio formats, sound card type, preferred and acceptable video formats for A/V playback, device permissions, and browser audio settings.

At this point, the site in question probably has a unique hit on most users without privacy apps running. But just in case, there's one more layer of tests to run.

Helper Fingerprinting

This covers other miscellaneous data that browsers tend to give out. For example:

  • Keyboard layout
  • local storage availability
  • permissions settings
  • MIDI devices
  • geolocation settings
  • timezone
  • battery status or availability
  • presence of common plugins

Two specific details that certain 'privacy' companies don't want you to know, or they would lose their sponsorship deals:

Almost all of these test results are passed through a VPN without question. VPNs are woefully inadequate to stop browser fingerprinting. The best they can do is shift your IP address to another region, and sometimes they even manage to leak that.

But instead of researching new technologies that can fight back against fingerprinting, the entire industry seems to have surrendered.

Even worse, the majority of VPN companies keep your personal data on file in some way. Your address, billing and credit card information and other identifying features are in their records. So if they get raided there's clear evidence of who their customers are. That makes correlating browser fingerprints to real-world identities that much easier - they're just a government raid or a hack away.

How Is Browser Fingerprinting Different From Cookies?

Though many browsers have already banned third-party cookies, Chrome continues to make them optional. They started their plans to eliminate them in 2020, but pushed back acting on them until 2023... we're still waiting. And they plan to replace them with 'Topics', which opens up even more privacy issues.

The good news is that cookie restrictions can be set in the browser with 100% accuracy. That is unless there's a zero-day exploit that someone hasn't found or published yet. You can go into your web browser right now and turn off third-party cookies, or all cookies.

The bad news? Fingerprinting gets around cookie restrictions.

There are currently no standards or laws that force companies to warn you about gathering and using your device and browser fingerprint. Advertisers aren't required to tell you how they're using your fingerprint to target you. And governments certainly aren't going to warn you that they're gathering data from all of your activities!

Possibly the biggest difference between cookies and fingerprinting is where the data is stored. You have the right and the ability to go into your browser, right now, and delete all your cookies. You can start fresh whenever you like.

But device and browser fingerprint data aren't under your control.

It's gathered and stored on the server side, and put into massive databases that are resold to anyone who has the money: Governments, law enforcement, advertisers…even stalkers, hackers, and foreign agents. These companies make your personal information a simple transaction. They don't check who's buying it!

You have no way to erase your fingerprint data once it is gathered. You can't force them to delete it. And once they correlate your unique fingerprint with a real-world identity, they have their hooks in you.

That's the huge difference between cookies and fingerprinting: Control.

Using cookies, you can say 'no'. With device and browser fingerprinting, your consent is never required.

Why Not Just Use IP Addresses?

Your IP address, the series of numbers that identifies your device on the Internet, is not the best way to track you.

First of all, a lot of people use a dynamic IP address that shifts from time to time. They aren't pinned down to a single assigned series of numbers, therefore there's doubt as to who an advertiser might be dealing with unless they have direct access to your ISP's information.

Other people are given 'fake' IP addresses by their ISPs, which are then all combined by the thousands or millions using hardware and software sorting methods.

All of this traffic is pushed out of a single 'real' IP address, and all of the return traffic is split up and redistributed to the ISP's customers. This is called Network Address Translation, or NAT. When one IP address could be one in a million people, it's not reliable as identification.

Anyone who does have a real IP address can use a VPN to scramble it unless the VPN carelessly leaks that IP address because of misconfigurations or backdoors of course.

IP addresses can be spoofed, scrambled, and virtualized in so many ways that they're not a very useful or reliable way to identify someone.

You might be able to get their general location but in 90% of cases, the user isn't displaying their real IP information to the world. It would require a lot of detective work and a subpoena or hack of their ISP (or warrantless wiretapping in the U.S.) to get the real identity of a NAT user.

And unlike messing with scripting or cookie settings on a device or web browser, masking your IP address is very unlikely to change the way that an app or website functions. So everyone is free to scramble their IP address and there are no consequences.

On the other hand, browser fingerprinting doesn't care about your IP address. It doesn't care how many times your ISP shifts your internal identity around. It uses your own system against you. The desire of apps and web browsers to be 'optimal' is abused through scripted performance tests that give away far too much information about you.

As your VPN is hiding your IP address (which in a lot of cases is already being done, of course) and encrypting your traffic so that your ISP can't see what's going on, it's happily passing along all of your system information. This means all of your web browser parameters and everything else an attacker needs to uniquely identify you.

So much for guarding your privacy!

And of course, scrambling your system information at the source does have a real impact on how usable websites are. If you directly spoof false information about your system, websites can run slower, return inaccurate information, or stop working correctly. And turning off scripting has an even more immediate, dramatic effect that breaks the majority of dynamic websites and apps out there.

People who use fingerprinting know this and use it to their advantage.

But who are these people, exactly?

Who Is Doing The Browser Fingerprinting?

There are five big categories of people who use browser fingerprinting to track you: Information brokers, advertising agencies, government organizations, criminals, and grifters. A quarter of the top 10,000 sites on the net actively fingerprint their users. And that number is growing.

Information brokers

This includes any organization or person who is willing to sell you out for a buck. A huge number of companies have become information brokers over the past twenty years. Pharmacies resell your personal and prescription information to insurance companies. Popular websites gather as much personal information as possible and tie it to your browser fingerprint before reselling that to advertisers. Hackers compile databases that have leaked private details with fingerprint correlation and sell access on the open market. And of course, ad agencies themselves become information brokers when they're bought out by bigger companies.

Advertising agencies

We're talking about some of the largest companies in the world, such as Facebook/Meta and Google/Alphabet. They also include media corporations like Tencent/TikTok and Fox/Fox News, who happily gather your fingerprint data as you use their apps and services. Ad agencies will use every resource available to uniquely fingerprint you, combining databases from information brokers, corporate acquisitions, and gray market sources. Ultimately they want to serve ads… but as a side effect, they gather all of that information in one place, so that the next two groups can easily harvest or steal it.

Government organizations

This group includes law enforcement, intelligence groups, taxation enforcement entities, and business regulators. Using browser fingerprinting techniques to link online activities with real-world IDs and locations is their primary goal. They want to completely eliminate privacy from the equation. Why?

So that they can examine everything you're doing to see if you technically breached the law, earned a fine, showed disloyalty, or should be penalized with additional taxes.

They get their fingerprinting databases from commercial sources and their own corporate agreements and hacking efforts. Governments strike deals with the biggest corporations in the world to install 'backdoors' that give them direct access to this sort of information without asking. They can then use that to go after their own citizens. Read more about how the government hacks you in our E-Book.

Criminals

This includes those on the financial side, such as hackers, conmen, and robbers. But they also include invasive and violent criminals such as stalkers, rapists, and hitmen/murderers. All they need to do is correlate your browser fingerprint with a pattern of real-life activity, and they're in.

They'll know when you browse the web and from where. They'll know where and when you work. They'll know all of your interests and hobbies. They'll know your friends and family. And they'll use all of these against you to achieve their goals. This can result in being conned, having your identity stolen, break-ins, intimidation, blackmail, physical harm, or death.

Grifters

This is a broad category that includes anyone who plans to use your personal information and habits to achieve their financial goals, even if they are legal or quasi-legal.

Common grifters include religious representatives trying to secure massive donations for your 'sins', bounty hunters looking to cash in on technicalities, lawyers who make it their job to sue anyone they can get any angle on, and IP rights organizations trying to assign penalties for anything ranging from piracy to alleged copyright infringement, and fringe investment schemes.

They use your browser fingerprint and correlate personal data with one goal in mind: Extract as much money as they can from you. Failing that, they'll sell information about you to anyone who is buying.

Recently, criminals, grifters, and government organizations added a new tool to their fingerprinting arsenal. They can now hijack your browser fingerprint and pretend that you did things that you simply didn't do. This is a way of manufacturing evidence and creating fake incidents that they can use for leverage and blackmail opportunities.

Of course, all of this is only possible if they can get your fingerprint information to start with. So how do they do that?

How Is Device Fingerprinting Done?

We've covered the basics of browser fingerprinting in depth. But what about device fingerprinting?

Device fingerprinting is a way to identify and track you using your hardware profile. It carries the exact same threats as browser fingerprinting, as far as your privacy and safety are concerned. But there are even more ways to gather this information, as you're about to see.

Device fingerprinting methods (and other types of hardware fingerprinting) happen at a more 'base' level. It doesn't always require a web browser or web app at all, although versions of the technique still leverage such mediums.

We'll be talking about both versions of device fingerprinting, starting with non-browser methods.

Device fingerprinting WITHOUT a browser

This can be done at the most base levels of the networking stack: Network cards, routers, and access points. This means every time you connect to your ISP, every time you sync up with your mobile phone network, every time you connect to a wireless access point (WAP), and every time you connect to a work or client network is another opportunity to steal or utilize your device's fingerprint.

Every network card, wired or wireless, has a set of attributes that can be used to narrow down your uniqueness: Hardware version, firmware version, driver version, and exact response times to queries are all used to fingerprint your network connection.

The packets that are used to communicate with a router or WAP will communicate version information about your operating system, TCP/IP stack information, MAC hardware address, and miscellaneous preferences. That's a ton of information being transferred upon connecting to a network.

So who can gather this information?

Your ISP, of course, particularly if you're renting or using one of their routers. Wireless access points in fast food places, coffee shops, hotels, and malls can be owned by massive conglomerates that manage hundreds of thousands of WAPs all over the world. Or they can be owned by local or national ISPs. And of course, individual businesses might own and manage their own access points.

Whoever owns or manages these connection points can harvest your information. Remember that this is in addition to anything they can pick up from other sources: Credit or debit card information, address information, customer preferences, and IP address assignments…all of which are readily available to your ISP.

Payment information can also be correlated by a hotel chain if you're on the road. And of course, information brokers can bring the bounty of their browser fingerprinting information to bear as well, creating a complete end-to-end profile that is already correlated to a real-world identity and billing address.

It's clear that networking devices offer a plethora of device fingerprinting information, but what about Bluetooth?

Bluetooth Low Energy (BLE) protocols are notoriously 'chatty'. They offer a ton of information that can be used in fingerprinting. Transmission patterns that include measuring millisecond pauses, variations in radio frequency, the signal strength… all of these properties that are unique to certain Bluetooth chipsets and antennas can be used to fingerprint a particular Bluetooth device.

Once again, mega-corporations that offer everything from Bluetooth beacons to hotdesking connectivity solutions will be able to gather this information and correlate it with other collected data. Individual companies might collect this information and act as small-time data brokers as well.

Of course, almost everyone has a mobile phone these days. And anyone attempting anything 'covert' on their phone is completely out of their mind.

To say that there are multiple ways to fingerprint and track a phone's activity is an understatement. The entire system was literally designed with tracking in mind:

  • A phone's International Mobile Equipment Identity (IMEI) is a unique identifier tied to the phone's hardware. It is completely carrier and SIM-independent. Changing a phone's IMEI isn't just illegal in most countries, but in most cases, it will simply draw even more attention to the user. So-called 'black market' IMEIs are often from devices that have already been used to commit other crimes, and switching to them sets off alarm bells. Others are on watch lists and will be banned the moment they come online… after establishing the location of the hacked unit, of course.
  • The mobile phone's SIM card is required to get onto a carrier network. The card uses a fixed authentication and bounces its signal off of three to four towers whenever they're available. This means an active phone, even with GPS turned off, is triangulated at all times when it's within range of enough towers, and is 'dead reckoned' with an exact position when in range of four. Relative signal strength is enough to pinpoint a mobile phone's location to within a quarter city block with four hits. And of course, SIM cards carry a designator that lets the company look up your personal billing info on the server side. So unless a fake ID and payment method are used, or the phone is a burner, it's tied irrecoverably to you.
  • Even when you think it's turned off, GPS can be activated remotely in just about every country in the world. For example, the remote activation via the Five Eyes utility suite is part of their 'Tracker Smurf' bundle. Every major intelligence organization on Earth has something similar. So that's yet another method of triangulation when three GPS satellites are in range, or the far more accurate dead reckoning when four are available. This position is then reported back to the carrier network. The Russian alternative is even worse, as it has two-way communication and tracking by default.
  • Not even turning your phone off helps. This is because another Five Eyes utility is available, 'Dreamy Smurf'. It can remotely access mobile phone functions that will 'wake up' an apparently turned-off phone if it is in network range. Assume Russia, China, and India all have similar functionality available.

And that's just basic hardware tracking that can contribute to a mobile phone's fingerprint. The default communications with your carrier will always include phone make and model, firmware versions, OS versions, and a bunch of other data. No VPN can stop any of this.

Your best bet is to never, ever draw attention to yourself and hope that you fly under the radar while using your mobile device. Even then, you should be using a full privacy app and end-to-end encryption for all communications. If you're forced to use a mobile phone for anything important, it's the best chance you have.

Browser-based Hardware Fingerprinting

Finally, let's talk about browser-based hardware fingerprinting. This is the worst of both worlds, really. It expands who has access to your hardware information beyond just your ISP, carrier, or whatever wireless access point you've connected to.

In a nutshell, there are strictly hardware-based tests that can be executed if script execution is allowed in your web browser.

For example, the Web Graphics Library (WebGL) suite can now be used to clock the exact speed of your graphics card. This might not sound like a big deal until you realize just how unique that speed is.

When a card is made, the speed listed on the box is a minimum. The actual speed is going to be somewhere above that, depending on how well the fabrication process went. So every time a new graphics card is 'born', it gets tattooed with a fairly unique clock speed. This narrows down your hardware fingerprint profile dramatically.

Add in similar response times for things like onboard sound cards and CPU, and the hardware side alone is often enough to uniquely fingerprint you - even on web browsers that claim to randomize the software data they report to websites. Again, VPNs will not save you here. Instead, a full privacy app that makes use of remote virtual machines to emulate the browsing experience is the safest bet.

How Is UI Fingerprinting Done?

UI fingerprinting, otherwise known as User Interface (UI) tracking.

There's a kind of dark art to predict what habits a user will fall into. It includes monitoring where their mouse cursor is on the screen, tracking click order, and page access request order. By keeping note of things like common search terms, the habits of a user can contribute to their unique fingerprint. This works even with unauthenticated or anonymous users.

The process by which a user navigates a site, and the overall enjoyment or frustration they get from the process, is called user experience (UX). UX also contributes to UI fingerprinting. For example, signs of frustration picked up by cursor movement, by options selected, or by feedback chosen can help profile even an anonymous user.

Click tracking, idle timing, keystroke timing, hover heatmaps, scroll tracking, bookmark jumping, average 'fold' position, and several other metrics can be used to determine the habits of an anonymous user. When combined with all of the other fingerprinting methods mentioned above, this can contribute to the uniqueness of a browser fingerprint.

Although some of this can't be helped, a good privacy app can run some interference.

For example, it can introduce some micro-delays to keystroke timing. And it can manipulate apparent scroll position and average fold to some degree. Blocking certain Google Analytics metrics also helps to some degree, though they have other ways of tracking UX. But there are at least some countermeasures available.

Still, there are some fairly slimy ways to use browser cache to force methods of UI fingerprinting that emulate cookies… cookies that work even across domains.

For example, let's say a web page includes a particular cascading style sheet: 17439087alpha.css. In reality, this is a tracking ID.

It's just sitting inside the cache of your browser. The next person who visits the site will get an incremented number for that file. This little CSS file uses an ETag header to check if it is 'current' or 'stale' the next time you visit the site… and in the process, you've just identified that you're the same person who accessed the site previously!

If combined with iframe URL caching, this tracker can even work across sites, assuming the websites have common ownership or are using common resources that are looking for this tag (a shared advertiser, a content partner, etc.).

Etags are just one way that UI and UX (as well as the users themselves) can be tracked across sessions. This allows for protracted fingerprint-gathering sessions, even without any login. Every session will drive that user closer to a unique signature that can be correlated with a real-world ID.

In short: Behavioral fingerprinting using UI elements is very much real, and suitable replacements for third-party cookies are already in the wild. It's only a matter of time before these practices become mainstream.

Can Governments Use Browser Fingerprinting?

They can and they do.

Governments already use various fingerprinting methods to identify and track 'persons of interest'. Anyone singled out can expect a much greater level of scrutiny, well beyond the automated sweeps made by the 5, 9, and 14 Eyes international surveillance systems. Undersea cable tapping and keyphrase alerts are just the tip of the iceberg. Assuming those measures are mostly evaded by end-to-end encryption, governments rely on server-side user interaction and behavior to get their tracking data.

The BBC reported fingerprinting being used on government websites as early as 2014. Since then the practice has become far more prevalent. Knowing that they can simply ignore VPN use and that those VPN users have been lulled into a false sense of security by the false privacy advertising that is rampant in the industry, Governments around the world happily collect user fingerprints by the millions.

And they're in the best position to correlate that online activity to real identities. They have tax information, address information, banking information, and backdoor access to many ISPs and online services throughout the world.

Some advertising industry groups are condemning the use of browser fingerprinting as a violation of privacy. Some companies are even pushing for regulation to prevent the practice. But that hardly matters if government intelligence agencies are involved; they generally are exempt from such regulation.

If governments with such broad access and power are involved in browser fingerprinting, is there even a reliable way to evade such tracking?

Are There Ways To Obscure Or Modify A Browser Fingerprint?

It's difficult. Strictly software-based solutions fall short. Even onion-encrypted traffic can be easily fingerprinted across multiple dark websites. Browsers like Brave can't hide enough details to stop fingerprinting without completely breaking most websites. Tor and Waterox are similar stories.

And VPNs are useless against modern fingerprinting methods.

So how can you reliably scramble your browser fingerprint or device fingerprint while using the web, without destroying the online experience?

Only by using dedicated privacy apps that provide their own abstraction layer.

What does this mean?

To generate a fingerprint that isn't based on your hardware, and be able to function reliably well, a remote machine needs to do the browsing over a fully encrypted network. That way, everything from hardware to user agent, patch levels, firmware, and UI timing is based on something completely independent of your own devices and software.

But that alone isn't good enough.

For your chosen browsers and web apps to function properly without being correlated, every app and tab needs to remain independent of one another. This means a level of complexity that involves multiple remote virtual machines streaming information back to your system on a tab-by-tab and app-by-app basis so that each one can function independently of the other as needed.

This is going to require the same sort of entry and exit node setup found in the VPN industry but with a completely custom, encrypted network. It also needs to be completely unlogged at all levels, or else a government raid could bust the system wide open.

As of today, the only privacy app that meets all of these criteria is Hoody.

Hoody uses a unique direct memory injection technique to stream the content of each browser tab and web app into the right place while providing no correlation between tabs and apps unless the user specifies it.

They also run on their own private Cloud, on their own hardware. They use this infrastructure to give their users high-speed edge network access to their custom-compiled miniature Linux VMs running browsers that have been custom-engineered from the ground up.

Each browser streams the results of a query or interaction back to a specific tab or app while providing complete fingerprint misinformation to the server.

This means that a website will render perfectly on Hoody's end, and only the results will be streamed directly back to the user. It's a full layer of abstraction, fully encrypted, that doesn't harm the user experience.

If anything, Hoody improves the typical experience users have with modern VPNs. They boast three times the speed of a VPN on average, simply because their entire network has been built for purpose. They can also fire off multiple queries for each new request, which allows them to automatically circumvent censorship and pull data from the fastest available source across hundreds of countries.

When combined with custom Torrenting tools and options, tab and app-specific preferences that can be saved and modified as the user wishes, and a no-log infrastructure that runs entirely in memory and automatically scrambles a server if anyone tries to tamper with it… Hoody is the most complete privacy option on the Internet today.

That's not to say that the launch version of Hoody will be enough to protect privacy forever. Far from it. The creators understand that this is simply step one in a battle against browser fingerprinting that will evolve over time.

As fingerprinting methods become more subtle and far-reaching, particularly on the UI and UX side, they understand that they must change. And user behavior must change as well, with improving privacy education being a key first step.

Will Changing Fingerprints Ruin the Browsing Experience?

Without a full abstraction layer, only certain browser fingerprint parameters can be changed without risking the stability and functionality of the app or website in question.

Brave is a good case study for two reasons: It demonstrates how far the settings can be pushed, and why that isn't quite good enough without an additional abstraction layer.

There are two theories when modifying browser fingerprints (and device fingerprints that can be accessed via the browser): Make the user look random or make the user look like part of the herd.

Brave chose random. And that can work, as far as it goes. Shamelessly randomizing the parameters that don't generally influence things like image rendering and sound fidelity is a good measure. However, the parameters that aren't randomized can still provide plenty of fingerprinting information, easily enough to make most users unique.

For those interested in the technical aspects, the randomized parameters include Canvas, WebGL, WebGL v2, WebGL Extensions, User Agent, Web Audio, Plugins, Hardware Concurrency, Enumerate Devices (order, labels, and IDs), and Dark Mode. They've also been working on accepted language and font obscuring.

That's great. But the effort falls short, sadly, as far as the more powerful browser fingerprinting methods are concerned. Windows size, UI and UX timing, and hardware parameters are enough to catch most people out.

Browser privacy in the modern era requires a layer of abstraction to hide certain aspects from the remote server. For example, a virtual browser can hide the client's real window size from a fingerprint script. Similarly, a remote virtual browser can vary micro stutters for mouse movement, typing, and other UI interactions. It can get around those Etag issues mentioned earlier. It completely invalidates mouse loitering (heat mapping) and fold position techniques.

Simply put, while some parameters can be freely messed with, others can't be touched without completely breaking most websites. Going into Brave 'Strict' mode demonstrates the first step of this, messing with core User Agent settings. That alone is enough to break the functionality of some sites. And it's still nowhere near enough to provide the layered privacy protection required to be truly safe.

By way of contrast, look at how faithfully streamed browser tabs from a virtual machine are displayed. And remember: A setup like the Hoody app is just about the 'strictest' possible scenario, given that the client's browser is unlikely to have anything in common with a custom browser compiled in Linux.

So yes, messing with browser settings without using remote virtual machines to match those modified settings can cause websites to break severely. The same with web-based apps. Even with the likes of Hoody, there will be certain (albeit rare) parameters that need to be passed through and reflected faithfully on the remote side.

The key is to keep those down to the bare minimum, so that uniqueness never becomes an issue… at least with current device and browser fingerprinting tech.

Trends In Browser Fingerprinting

2024 is very likely when a lot of advertising companies will 'pull the trigger' and start relying heavily on fingerprinting methods to analyze their customers and deliver custom content. The DAA seems to agree, seeing as they issued a warning telling advertisers that they need to use consent-based practices if they wish to remain in good standing.

But even if regulators and watchdogs manage to get advertisers on a leash, all of the other groups mentioned above will simply ignore such guidance. Government surveillance will continue, criminals will keep grifting, and data brokers technically aren't advertisers. They're just a nice backdoor that advertisers will use to get their data all at once, in bulk, while technically remaining on the 'right side' of the issue.

Meanwhile, new dedicated fingerprinting companies are popping up all over the world and getting an unreasonable amount of money to help violate your privacy. They of course claim they're 'anti-fraud'. But you can bet on one sure thing: They aren't holding their clients to some kind of high moral standard when using their software.

Recently, Avast, Norton, and the usual suspects have been advertising new 'anti-tracking' software. It's expensive, and when asked to prove its effectiveness relative to the competition, the companies are hard-pressed to explain why their technology is superior. None of them go to the lengths of creating an end-to-end encrypted virtual browsing experience, so it's unlikely that any of them are highly effective.

Google's 'privacy budget' remains a joke.

Not only are their methods a half measure compared to dedicated privacy apps, but as industry experts pointed out, using a budget approach to privacy can be easily gamed. It's a compromise of the worst kind.

They've already 'whitelisted' certain kinds of applications, such as video conferencing, 3D gaming, and virtual reality. And they still haven't addressed the fact that their system becomes part of the very fingerprinting surface that they're trying to protect.

VR and AR in general are projected to be massive device fingerprinting goldmines. Gesture tracking is going to be one of the biggest UI 'tells' out there, since no two people will execute them in exactly the same way, and analyzing these patterns (which involve factors such as speed, three access fidelity, eye tracking, and a host of other metrics) might be an even better fingerprint than anything currently available.

Add in biometric data monitoring, and you have the perfect nightmare scenario for privacy. Ironically, those biometrics often include actual fingerprints.

The Future of Device And Browser Fingerprinting

The Metaverse will be the next big fingerprinting target.

The good news is, that the major standards so far are from fairly competent companies like Pixar, Nvidia, and OpenXR. The bad news is that biometric fingerprinting looks like it will be inevitable. And as we've mentioned, gesture tracking will become more trivial as time goes on. It's also likely that your avatar will be linked to a credit or debit card, which means a firm real-world connection.

Simply put, the Metaverse will be so tied in with the surrounding economy, that it will be nearly impossible to be anonymous on it. Unlike a browser or app-based experience, proxying immersive biometric data will result in artifacts and false feedback, two of the least desirable things in an immersive or haptic interface.

The best we can hope for is to avoid fingerprint 'spread'. That is, individual pages and apps accessed from the Metaverse can still be isolated from user data, in the same way, that it is currently. Your privacy app will become an important tool in your overall VR toolkit.

On the traditional Web, artificial intelligence and machine learning will make fingerprinting users based on their habits much easier. This will start to shift fingerprinting more into the realm of UI and UX.

This will also hit mobile users harder because their interface is more predictable, and they already hand over so much device fingerprinting data to their carriers.

Also, expect a backlash from the traditional anti-virus and VPN industries. The next five years will likely include smear campaigns, false flag attacks on privacy apps, and even touting the benefits of being fingerprinted! Hopefully, science will overcome advertising, but we all know in this world that can be a difficult task.

Summing up Device Fingerprinting and Browser Fingerprinting

With the death of third-party cookies, the tech industry wants you to believe that privacy is an enshrined right that they plan to help you protect. But as you've read (and hopefully checked out the linked journalism in your own time), they're actually treating privacy as a sick joke.

Cookies have been replaced with easily executed tricks by website owners. Device and browser fingerprinting have actually enhanced the ability of information brokers, advertising agencies, government organizations, criminals, and grifters to get a hold of your personal information and correlate your online activity with your real-world identity.

The people who are most at risk are the ones who are fighting against oppressive governments, such as journalists and minorities who are seen as easy targets by those who want to abuse them.

But to think that anyone in power would stop it is naive. Browser fingerprinting is the next evolution in mass surveillance. So either take steps to protect your privacy or be prepared to join the ranks of the victims.

If you want to learn more about how fingerprinting might affect you personally, then check out: The Impact Of Browser Fingerprinting On Individuals

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.

Latest


Blog
Timer7 minutes read

How the Government Hacks You, Final Chapter: IoT Hacks

Chapter 14: IoT Hacks

Will R
6 months ago
Blog
Timer9 minutes read

How the Government Hacks You, Chapter 13: GPS Tracking

Dive into the unsettling world of government-controlled GPS tracking!

Will R
6 months ago
Blog
Timer7 minutes read

How the Government Hacks You, Chapter 12: Garbage Day

Trash Talk: How your garbage can be exploited by hackers, law enforcement, and government agencies

Will R
7 months ago
Blog
Timer8 minutes read

How the Government Hacks You, Chapter 11: Resonance Attacks

It’s time to uncover how government surveillance gets personal.

Will R
7 months ago

Bulletproof privacy in one click

Discover the world's #1 privacy solution

  • Chrome Icon
  • Brave Icon
  • Edge Icon
  • Chromium Icon
  • Coming soon

    Firefox Icon
  • Coming soon

    Safari Icon
  • Coming soon

    Opera Icon

No name, no email, no credit card required

Create Key