Advertisers desperately want to track you as you traverse the web. They want to know as much about you as possible so that they can target you with ads. Knowing which sites you visit, when you visit them, how long you stay there, what you do while you’re there, and even how you move from site to site can all reveal valuable insights about you and your buying proclivities. It’s been an arms race for decades now between ravenous marketers and privacy advocates. As new tracking technologies are created by marketers, privacy defenders have developed tools to block (or at least mitigate) this tracking. But the ad companies have devised a clever tracking technique that is extremely difficult to prevent: web fingerprinting. Let’s talk about what it is, how it works, and what you can do about it.
From Cookies to Web Fingerprinting
In the early days of the Internet, advertisers like Google and Facebook used third-party cookies to track you across websites. Cookies are just little text files that sites can store on your computer and that your browser will dutifully regurgitate later to the site that put them there. What you may not realize is that most web pages are sourced from multiple sites, like a patchwork quilt. A single web page represents the site you actually intended to visit (first-party) and perhaps dozens of other supporting sites (third-party). You can see this by opening the developer tools in your web browser, clicking the Network tab, and reloading any page. (Try it yourself. I suggest visiting USA Today, which is crammed with trackers.) Google has trackers on 86% of the top 50,000 websites in the world.
When browsers started making it easier to block third-party cookies to prevent this tracking, marketers tried other techniques, including super-cookies and tracking pixels. Those could also be blocked. But it turns out that it wasn’t necessary to lace websites with snippets of code or hidden images to track people. In the end, web browsers and web protocols were already designed to rat out their users. All you had to do was ask.
What is Web Fingerprinting?
So, why does that matter? Well, it turns out that if you ask enough ‘questions’, the specific answers – when taken as a whole – can uniquely identify your device – and by association, identify you. You can test this yourself right now. Go to AmIUnique.org and click the “view my browser fingerprint” button. It will tell you how unique you appear to be, including the specific attributes that are giving you away. You can also try the EFF’s Cover Your Tracks tool and even a free fingerprinting tool from one of the companies that sell tracking tools to marketers.
Note that fingerprinting your device doesn’t necessarily identify you, specifically. Like dusting for real fingerprints, you can say that the person who touched this lipstick case is also the one who held the murder weapon, without knowing the killer’s name. But if marketers can tie your name to your prints on just one site (say, by logging in to an account on that site), then they can identify you everywhere you go.
Defeating Web Fingerprinting
As you might expect, defeating or even mitigating device fingerprinting is not easy to do. Much of the data used to track you also influences how websites present themselves to you: your IP address, your location (usually derived from your IP address), your time zone, your exact screen size, what your keyboard language is, and even what fonts and browser plugins you have installed. Your browser also tells every site you visit what browser and operating system you’re using, down to the specific version number. It even gets worse than that – your device can be identified simply by how it draws images.
So, how can you stop fingerprinting? Using private browsing mode doesn’t help – that only affects data stored on your local device. A VPN won’t help, either – it changes your IP address, but that’s just one of many data points used for fingerprinting. Blocking cookies doesn’t prevent fingerprinting, either.
The simplest strategy is to blend in – to try not to stand out in any way. You want to try to reduce your uniqueness. When these websites ask all these probing questions, you need to give them the most bland, milquetoast replies you can – which will probably require you to lie. Unfortunately, these sites aren’t asking you – they’re asking your web browser.
There are some browsers and plugins that attempt to mitigate device fingerprinting. The techniques include giving wrong answers (lying) or constraining your browser to a simple, common configuration. Unfortunately, this approach can break some websites or cause them to look weird. For example, the privacy-focused Tor Browser always reports that you are in the UTC timezone – that will definitely mess up results for stuff ‘near me’ and may even give you the wrong language. Firefox (on which Tor Browser is based) recently exposed this resistFingerprinting option, but warns that it may cause problems.
Another technique for defeating fingerprinting is to add some slight randomization to your device characteristics – a type of spoofing sometimes referred to as fuzzing. For example, if your browser window size is 1000×500, maybe report 1002×499 to one website and 999×501 to another. This method might actually make you appear to be very unique, but would make it hard to recognize you as the same user across different sites. I’m not sure why this technique isn’t more prevalent.
The bottom line is that defeating fingerprinting is really hard to do. While I think it’s important to continue work on anti-fingerprinting tools and revising web protocols to stop giving away so much identifying info, we really just need to give consumers the legal right to privacy and provide a simple, universal mechanism by which to assert this right.
NOTE: Tor has a great whitepaper that talks about fingerprinting and defense mechanisms, if you want to take a deep dive.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.