Article Hero
Blog8 minutes read
October 10, 2023
  • telegram
  • facebook
  • twitter
  • github

What Is Browser Fingerprinting and Why You'll Want to Stop It

Browser fingerprinting is an internet tracking technology used by websites to identify and follow your every move across the world wide web. It's so effective and invasive in its data gathering that it can pick you out amongst the sea of internet users. But what is fingerprinting exactly, how does it work, why is it used, and what can you use for browser fingerprint protection? Read on to find out.


What is browser fingerprinting?

Browser fingerprinting is an internet tracking technology with several aliases— it is also known as online fingerprinting, device fingerprinting, and digital fingerprinting. But no matter what guise it's under, browser fingerprinting has one main purpose: to identify users and track their behavior.

In the same way that your physical fingerprints are a unique configuration of lines and swirls, digital devices also possess subtle differences that mean they can be “fingerprinted”.

Details such as the hardware, software, and drivers installed on a device, and how they are configured act like the unique swirls of a fingerprint. When you visit a website, your device leaves behind its fingerprints.

Websites can run a fingerprinting script which is an invisible process to gather all these data “signals” to create a profile of you as an internet user.

This gives websites the ability to accurately identify you and trace your internet activity across remote devices, browser sessions, incognito, or VPN access.

The ability to accurately fingerprint a device is a relatively new discovery by the Electronic Frontier Foundation (EFF) in 2010. However, since then, it has been widely adopted by advertisers as a means to bypass cookie regulations, blocks, and ad tracking limits.

What data does browser fingerprinting collect?

Internet tracking using fingerprinting collects a huge amount of data using various methods, which we'll go into a little later. All the pieces of information are gathered together to create a unique device fingerprint.

Here's just some of the data that makes up your web browser fingerprint:

  • IP address
  • HTTP request headers
  • User agent
  • Keyboard layout
  • Platform
  • Screen resolution
  • Cookies enabled or not
  • If Tor browser is in use
  • Operating system
  • Active plugins
  • Timezone
  • Language
  • System fonts

But this is just the tip of the iceberg. There are literally HUNDREDS of data signals being collected through internet tracking fingerprinting.

Perhaps a better question would be, what data doesn't fingerprinting collect?

When all this information from your browser activity and devices is put together, websites and marketers can gain a clear picture of not only your online history but also your preferences, hobbies, and even your life circumstances. This is why you might want to look into browser fingerprint protection which we'll get to a little later.

How does fingerprinting work?

Browser fingerprinting uses many internet tracking techniques to gather the data needed to be able to distinguish a single internet user from millions of others online.

Although digital fingerprints aren't quite as unique as physical fingerprints, studies have shown that fingerprinting technology has more than an 80% success rate in individual user recognition. Some fingerprinting providers even claim it to be as much as 99.9% accurate.

Let's look at some of the different data collection methods used:

Canvas fingerprinting

Canvas fingerprinting is one of the most widely used internet tracking techniques due to its speed and accuracy. The process takes advantage of the website's HTML5 canvas element to gather data about a device.

If you happen to land on a website that is running a canvas fingerprinting script, it will force your browser to “draw” an image or text. As devices are configured in different ways, the way each device renders an image will be slightly different.

The canvas fingerprinting script records how your browser renders the image and from that, it can determine specific details about your device's graphics hardware, including the graphics card, drivers, and graphic processing unit (GPU). Using this information, the script will then convert the data and assign it a unique hash, i.e., your canvas fingerprint.

WebGL fingerprinting

Web Graphics Library (WebGL) is a JavaScript API for rendering 3D graphics. WebGL is supported by all major web browsers without using plugins meaning websites can easily exploit it to fingerprint you.

The WebGL fingerprinting method works very much in the same way as canvas fingerprinting in the sense that it is also a script that tests how your device renders an image.

The WebGL fingerprinting script forces your device to draw a 3D triangle and convert it into a hash. The different combinations of drivers and configurations of a device will result in a 3D image that is unique to it.

Audio fingerprinting

Using the same approach as canvas and WebGL, audio fingerprinting creates a fingerprint from data collected after forcing your web browser to render a certain element, in this case, audio. Audio fingerprinting uses a web audio API to decipher how your computer plays sound and gathers details on your device's audio drivers, sound hardware/software, and CPU architecture.

Connected device fingerprinting

Connected device fingerprinting or media fingerprinting gathers data about all of the media devices, internal and external, connected to your computer. This can be sound or video cards or headphones, speakers, microphones, or webcams. This method of fingerprinting isn't as popular but only because the website has to be upfront about it and ask for your permission.

Why do websites use fingerprinting?

A website might adopt browser fingerprinting for security reasons as it can be used to identify botnets and potential fraudsters. However, most websites will be using internet tracking technology for their own financial gain. How?

Targeted advertising

Websites use fingerprinting to gather as much information on a consumer as possible. The more they know, the more they can assume, and the more accurately they can advertise to you, which they hope will indirectly lead to an increase in revenue.

On the surface, this may not seem like such a bad thing. After all, you'll see adverts you're interested in. But if it costs you your privacy, is it really worth it?

Dynamic pricing

Browser fingerprinting enables dynamic pricing, a practice where websites adjust their prices according to various factors. In other words, websites can adjust prices according to the data stored in your digital fingerprint.

For example, if you're fingerprint has your location pinpointed in an affluent area, chances are you'll be shown more expensive prices than someone located in a less affluent area.

Your search history can also affect pricing.

Say you were to search for “chest pain”. That search becomes a part of your fingerprint which data brokers buy and sell.

Now, say they were to sell your personal data to a health insurance company. They see your search history and assume “heart disease risk” and suddenly your insurance rates soar.

The darker dangers of internet tracking by fingerprinting

It's not just about advertising and price inflation, internet tracking with digital fingerprinting raises real security concerns. While your run-of-the-mill marketer isn't going to present a huge threat, the data collected doesn't always stay in the hands of those who gathered it. Or those collecting might not have advertising in mind at all...

Online fingerprints can find their way onto cybercrime marketplaces, such as Genesis, on the dark web where they can be bought and sold for as little as $5.

Fraudsters use these ill-gotten digital fingerprints to log in to customers' accounts. Appearing as a legitimate user, they can access photos and sensitive documents, submit official papers on their behalf, or even slip through anti-fraud controls to steal funds and assets.

All they have to do is install a specially Genesis-created Chrome extension that automatically imports and applies all the data of the bought digital identity, essentially transforming the fraudster's browser into an almost identical clone of the real user. This is why browser fingerprint protection is a good idea!

Is browser fingerprinting the same as cookie tracking?

While cookies are also able to follow you around the web, they are entirely different from browser fingerprints. For starters, cookies are stored on your device so you can block or delete them, and they can also expire.

On the other hand, browser fingerprints are stored remotely and not within your control. They can update with any changes you make to your device or browser, and you can't delete them. The fingerprinting script also uses elements that are essential for a website to function properly, which makes it harder to detect and even harder to stop.

One of the main differences between them, however, is the fact that cookies are regulated in the EU and the state of California.

Under the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), websites must notify their visitors of the use of cookies to capture data, explain what that data will be used for, and provide the opportunity to opt-out. There are no such requirements for browser fingerprinting.

With browser fingerprinting, websites can basically gather all the same information (and then some) without your knowledge or consent.

Is browser fingerprinting legal?

As previously mentioned, cookies are currently the only regulated internet tracking method, meaning tracking by browser fingerprints is legal and unregulated.

However, the European Commission is planning to change this. Their proposed legislation, the ePrivacy Regulation, is supposed to address browser fingerprinting. However, the proposal is still just that: a proposal (and has been since its first draft in 2017) and can still be amended.

Browser fingerprint protection— can you stop browser fingerprinting?

Fingerprinting is difficult to stop as the data gathered is necessary for websites to function properly, so prevention would affect your browsing experience or limit it completely. Fingerprint data is also stored remotely, so finding it to remove it is pretty much impossible.

That said, there are some ways you can make internet tracking via fingerprinting harder to better protect your privacy and your personal data.

Ad blockers

You can install plugins that are meant to disable trackers. But ad blockers focus on cookies. Fingerprinting uses scripts that are essential for the website to run, so they won't be blocked.

They are still a good idea to tackle any other potentially harmful scripts and invisible trackers. The only downside is that they can really slow down your browser speed. You can always disable the plugin for websites you trust, but since some websites aren't aware they are fingerprinting users on their own sites, it's not the best form of browser fingerprint protection.

VPN

Virtual Private Networks (VPNs) are often touted as one of the best methods of browser fingerprint protection. Instead of connecting directly to a website's server, you first connect to the VPN, and then they connect you to the intended destination.

The idea is that this hides your IP address from the web server. But the thing is, your IP address is only one tiny piece of your digital fingerprint. A VPN doesn't and can't hide all the rest of your device data which means a unique fingerprint can still be generated.

Privacy-focused browsers

Using privacy-focused browsers such as Aloha, Brave or Tor can give you a more secure internet experience. Tor, otherwise known as the Onion Router, uses default browser settings, identical for every user, and blocks Javascript code on websites. This makes it harder to accurately identify unique fingerprints.

BUT disabling Javascript means most websites won't work properly. So now you have this Catch-22 situation. You can prevent fingerprinting, but you can't load the sites you need protection from. Tor is also much slower than regular browsing and it only protects traffic sent through their browser.

Incognito mode

All the major browsers, Chrome, Edge, Safari, and Firefox, provide users with the ability to browse incognito. Incognito mode makes your browsing “private”, in that your browsing history and cookies are not saved on your device.

This keeps the information private from anyone else using your device but incognito doesn't stop the tracking scripts on a website from gathering data. So, if you're using incognito mode to avoid companies hiking up prices on you, then bad news— those websites and services you visit in incognito mode can still identify you.

Disable JavaScript

An effective browser fingerprint protection is to disable JavaScript. This means that websites won't be able to detect certain details about your device, such as the list of plugins or fonts. It will also limit them from installing certain cookies on your browser. But just as with Tor, disabling JavaScript means websites might not function properly.

If you're reading this and thinking that none of these really sound like an effective way to STOP fingerprinting, then you're right. As mentioned, blocking finger printing entirely means websites won't work, and that kind of defeats the purpose!

Blocking just SOME of the data signals is pointless.

As we said before, there are hundreds of data items being collected and even a small number of them would give enough data to uniquely identify you online. Browser fingerprint protection is an all-or-nothing kind of game.

So, what are you to do?

Enter, Hoody

Hoody takes a completely different approach to browser fingerprinting— Hoody doesn't block browser fingerprinting. Blocking is for chumps. Instead, Hoody provides websites with exactly what they want and need to function properly ie. data and fingerprints. It's just that none of it is real.

Think of Hoody as your personal online bodyguard, protecting you from the sneaky data collectors lurking in the script of the website you want to visit.

When you request to visit a website using the Hoody app you connect to the Hoody servers. They connect to the website feeding them false data for every single data signal possible, creating false fingerprints for every tab on every browser.

The website doesn't know, of course, it's just happy it's got data so it loads correctly, and off it skips with what it believes to be “your” fingerprints. The website is then relayed back to your browser instantly, without any effect on your browsing experience, AND with your personal data 100% secure.

If you're a privacy-concerned internet user, you can get browser fingerprint protection today by signing up for Hoody.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.

Latest


Blog
Timer7 minutes read

How the Government Hacks You, Final Chapter: IoT Hacks

Chapter 14: IoT Hacks

Will R
6 months ago
Blog
Timer9 minutes read

How the Government Hacks You, Chapter 13: GPS Tracking

Dive into the unsettling world of government-controlled GPS tracking!

Will R
6 months ago
Blog
Timer7 minutes read

How the Government Hacks You, Chapter 12: Garbage Day

Trash Talk: How your garbage can be exploited by hackers, law enforcement, and government agencies

Will R
7 months ago
Blog
Timer8 minutes read

How the Government Hacks You, Chapter 11: Resonance Attacks

It’s time to uncover how government surveillance gets personal.

Will R
7 months ago

Bulletproof privacy in one click

Discover the world's #1 privacy solution

  • Chrome Icon
  • Brave Icon
  • Edge Icon
  • Chromium Icon
  • Coming soon

    Firefox Icon
  • Coming soon

    Safari Icon
  • Coming soon

    Opera Icon

No name, no email, no credit card required

Create Key