Over the last few years, internet users have become increasingly aware of threats to privacy such as the use of HTTP browser cookies. The websites you visit store these small text files on your computer and they can be used to identify you when you visit a specific website, but that is not all. They can can be used by other websites to track you across internet as well. Apart of knowing about the existence of cookies, people have taken steps to manage, block or delete them.
Although a cookie law was introduced in the EU in 2013, it has been widely criticized and deemed as ineffective. Under this law, EU websites (as well as those intended for an EU audience), have to ask their visitor’s consent before placing “non-essential” cookies on their computers. The legislation is set to be reviewed and while it has failed to fix the issue, at least it has helped to spread the word about cookies and the risks they pose to privacy.
Addressing the issue is difficult because it is unlikely that websites stop using cookies since they are a very profitable option, particularly for those involved in analytics and marketing. As such, they have looked for alternatives that allow them to identify and track users. The use of supercookies (such as Flash cookies and zombie cookies) is one of these methods.
While in some cases cookies can be very practical, as they allow you to easily access certain options in your favorite websites, they compromise your privacy. The most concerning part is that as mentioned, there are other options used to track your activities online and in this article, we will focus on browser fingerprinting.
What is browser fingerprinting?
Every time you visit a website, your browser forwards information to the server that hosts the site. The data sent includes browser name, its exact version number, as well as your operating system. The process of sending this data is known as passive browser fingerprinting since it takes place automatically.Still, websites can also install scripts asking for further information including a list of all the plugins and fonts installed, screen resolution, system colors and more. Since this data has to be requested from your browser, it is called active fingerprinting.
All the information collected can be combined to create a unique fingerprint, which will allow to identify an individual user with great precision. The fingerprint attributes can be put together quite quickly (it only takes a few milliseconds to run algorithms that can compare millions of different fingerprints) and the unique fingerprint can be created, even if the IP address is changed every time the website is visited or if cookies have been deleted.
How unique is your fingerprint?
According to research by the EFF (Electronic Frontier Foundation), in a sample of over 286,000 browsers, it is unlikely to find two browsers sharing the same fingerprint. In order to follow up on their investigation, the digital rights group has created Panoptoclick, a website that actively fingerprints your browser to let you know how unique it is. If you want to find out how secure your browser is from tracking, you can visit https://panopticlick.eff.org and click “Test me”.
Is it possible to change your fingerprint?
Whenever you install a new plugin, a new font, or if you modify one of the fingerprinted attributes, your fingerprint changes. When it comes to these attributes, the most important ones are: Installed fonts, installed plugins and supported MIME types. These attributes along with the browser’s User Agent (which gives away information about the browser), are enough to offer a high level of accuracy (87%) for unique identification.
The bad news is that the EFF concluded that even if fingerprints are changed very quickly, a simple heuristic would allow to get an estimated idea of when a fingerprint was a modified version of a previously examined browser’s fingerprint. In over 99% of cases, the guesses were correct, which shows that it is still possible to find out if a browser’s fingerprint has been changed.
While you can change a browser’s User Agent in order to get a more significant effect on the modification of your fingerprint, it should be noted that many websites depend on getting the right User Agent to work properly, meaning that this is not the most convenient option. In fact, changing your User Agent would make your browser even more unique.
The challenges of addressing fingerprinting
Probably the most annoying aspect about fingerprinting is that by implementing measures to prevent tracking, you could be making yourself easier to identify. If you block Flash cookies, or change your User Agent, your browser becomes more unique, which defeats the purpose. As frustrating and difficult that it can be, protecting yourself from fingerprinting is possible, at least to a certain extent.
One of the main things that you can do is to opt for an unmodified version of a widely used browser, which prevents you from standing out from the crowd. Most users would not bother installing additional plugins or making any changes with their software, so you should be able to remain unnoticed, if you avoid doing that too.
One of the main things that you can do is to opt for an unmodified version of a widely used browser, which prevents you from standing out from the crowd. Most users would not bother installing additional plugins or making any changes with their software, so you should be able to remain unnoticed, if you avoid doing that too. Desktop users are better off choosing Firefox or Chrome.
Safari is also a good option, but avoid Internet Explorer as it reveals more identifying information than the others. Since iOS Safari offers less customization options, it less unique and more secure in that sense than the default Android browser. In terms of operating system, you should also consider using the most popular option for your device, without adding fonts or extra software, if possible.
Although the majority of features that aim to improve your privacy can actually affect it when it comes to fingerprinting, options like Torbutton (in fact, the Tor network as a whole) can help you to defend yourself against this practice. However, it is important to keep in mind that security experts have warned that all Tor users have a similar browser fingerprint and if only one of the visitors to a website uses Tor, they would be easuer to identify.
General measures to prevent tracking
Below we will go through the measures (some of which we have already mentioned) that you can take to minimize tracking.
- Opt for an unmodified version of Firefox or Chrome browser
- Use a newly installed copy of a popular operating system
- Clear browser cookies and cache after every session. Alternatively, use the privacy mode
- Disguise your IP address and browse your data using a VPN or the Tor network
- Avoid installing Flash or disable it. Again, it is important to keep in mind that many application and functions rely on Flash.
- Once you have implemented these measures, you can visit Panoptoclick to find out if your browser is ready to “blend in with the crowd”.