If you’re a privacy-minded person, you may have heard of browser fingerprinting or canvas fingerprinting. The former often implies the latter, but you may be wondering what these terms refer to. And once you do know, you may be wondering what you can do to stop it. We’ll be discussing all of this below. So read on!
Browser fingerprinting is an Internet tracking technique. It enables websites to obtain technical information on the configuration of your Web browser.
If they can glean enough of it, they can uniquely distinguish your browser from all the other browsers that visit the website. Once you are uniquely identified, a profile can be built on your activities and, with the help of cookies and other tracking tools, you can be tracked across the Internet.
This achieves the same thing as cookies, but without having to drop a code snippet on your computer. And without you being able to block it in your browser like you can do with cookies.
A 2010 study, conducted by the EFF, found that the majority of Web browsers on the Internet were able to be uniquely identified, using browser fingerprinting techniques.
How Do You Fingerprint a Web Browser?
Fingerprinting a browser is achieved by combining two things:
- The information contained in the HTTP headers. Your browser transmits a wealth of information when making a request over the Internet (accessing a website, for example).
The information in the HTTP headers includes:
- The Accept header - The media formats supported by the browser.
- The Connection header - The type of connection: HTTP, HTTPS, TLS version.
- The Encoding header - The types of data encoding (typically compression) supported by the browser.
- The Language header - The language settings of the browser.
- The User-agent header - How the browser identifies itself.
There is a lot more information included in HTTP headers than this list. These are just a few of the more significant pieces of information communicated by your HTTP headers.
- Your timezone
- Your system fonts
- Your cookies settings
- Your screen resolution and color depth
- Your local storage settings
- Your list of installed plugins
- Your operating system
Remember the opening paragraph? We mentioned that browser fingerprinting typically implies canvas fingerprinting. Well, that’s because canvas fingerprinting is a browser fingerprinting technique.
Not every website performs canvas fingerprinting. Your browser can still be fingerprinted without resorting to canvas fingerprinting. But the technique is becoming more common.
Canvas fingerprinting enables the website to gain insight into your hardware configuration.
Canvas fingerprinting uses the HTML5 canvas. The HTML5 canvas is used to render HTML5 graphics in your browser. By drawing arbitrary text of specified size, font, and background color, the canvas fingerprinting script tricks your browser into rendering graphics.
It can then obtain information on your graphics card, your graphics driver, or your GPU (graphics processing unit. This enhances your uniqueness. And as your uniqueness goes up, so do your chances of being identified and tracked online.
View Your Fingerprints
Several websites provide tools for you to see what your browser fingerprint looks like.
Popular Browser Fingerprinting Websites:
They are all quite good. They all supply A LOT of information, which can be overwhelming and confusing sometimes. In my opinion, the easiest to read is AmIUnique.org. They have a color-coded uniqueness score, displayed as a percentage value. This makes it easy to clearly understand the elements that make your browser unique.
Here’s a screenshot of my browser fingerprint, from AmIUnique.org. Obviously, the higher the percentage value, the better. A high percentage value means that my browser is not unique in that category.
What Can You Do to Stop Browser Fingerprinting?
So you can view your browser fingerprint. Great. But can you stop browser fingerprinting?
Unfortunately, not much can be done to stop it. Some browser plugins claim to mitigate browser fingerprinting. But they cannot block it. Most plugins mitigate fingerprinting attempts by spoofing the data.
This means the plugin will expose bogus information to the fingerprinting script. But you will still be fingerprinted using that fake data. And in the end, that fake data may make your browser more unique.
Another issue with browser plugins is trust. Browser plugins typically have access to your online activities.
And many of them, whether for Chrome or Firefox, have been caught stealing user data. Be very careful with browser plugins. You don’t want to end in a situation where the cure is worse than the illness…
The only software tool I would recommend, if you are serious about thwarting browser fingerprinting would be to use the Brave Web browser.
The Brave browser is a privacy-focused Web browser. It includes built-in ad-blocking and script-blocking. It also has cross-site tracking protection and it upgrades your connections to HTTPS, whenever possible. And it also includes - you guessed it - browser fingerprinting protection.
Again, this is a mitigation approach, though it will block certain fingerprinting scripts. The real benefit here, beyond more comprehensive protection than browser plugins, is trust. By using Brave, you do not need to hand over your online activity logs to the makers of a plugin.
If you don’t want to switch Web browsers, there are still a few common-sense approaches to mitigating browser fingerprinting. Again, you won’t be able to stop it. But you can reduce the size of the fingerprint and be somewhat less identifiable.
Common Sense Tips to Mitigate Browser Fingerprinting:
- Use a common Web browser.
- Disable Flash - Does anyone even need Flash anymore?
- Use a different browser for different online activities (compartmentalization).
So, technical solutions to browser fingerprinting are rather incomplete. This is because fingerprinting uses the datarequired to view Web pages.
If you stay off the Internet altogether, you won’t be fingerprinted. But that’s a bit like curing the disease by killing the patient… So beyond mitigation, there isn’t much we can do.
A glimmer of hope comes in the form of the General Data Protection Regulation (GDPR), enacted in May of 2018. Provisions in the GDPR specifically address browser fingerprinting. It does so by treating your browser settings and configuration as personal information.
But without GDPR agents combing through the troves of personal data on every company’s servers, the GDPR is largely unenforceable. So only time will tell…
Browser Fingerprinting: Everything You Should Know
By Marc Dahan
Last updated: April 8, 2020