Your Digital Browser Fingerprint
As long as you mask your IP address and use encryption with a VPN tunnel, it’s 100% impossible to identify your computer, right? Wrong! Unfortunately, a lot of people assume that just because they’re using a VPN tunnel, they’re perfectly safe, secure, and private. The ugly truth is that there are a lot of other ways a hacker or web service can identify you, and one of these methods is referred to as web browser fingerprinting. I have previously covered the type of information that is gathered from your browser by trackers. I also wrote a few guides on reducing cookie advertising, how supercookies work, as well as updated revisions with the latest cookie blocking techniques. But in this article, I will touch base mainly on what browser fingerprints are, and how to better reduce their uniqueness.
The discovery of browser fingerprinting can come as a real shock, even to technical users who do their best to increase privacy by disabling tracking cookies. These cookies are basically small text files that can be used to track a user, identify a visitor, and store information about them. The good news for Europeans is that the EU has created a cookie law that requires websites to first ask a user’s permission before installing a non-essential cookie in their browser. And even though there’s still going to be plenty of websites that break this law, it has at the very least helped educate EU members and citizens about cookies.
What is Browser Fingerprinting Exactly?
Every time you pull up a web page, your browser sends a small amount of data to the web server. This exchange is fundamental to the process of HTTP communication, and it can include data and flags that communicate pieces of information with the web server such as the device type you’re using, which web browser you’re using, version information, and a whole host of other related data. All of this data together can be referred to as your browser’s fingerprint.
But there’s actually a lot more variables and settings that can communicate information such as which plugins you’ve installed in your browser, supported data types (MIME types), installed fonts, system colors, screen resolution, and so forth. The idea is that the combination of all of these individual values and settings make it statistically unlikely that another user would have a 100% identical web browser, thus making it possible to run an algorithm that identifies individual users’ web browsers.
There are exceptions to this, though. For example, consider that all default web browsers on a brand new Windows system will likely be the same in the beginning, especially if they’re all the same model of computer. Nevertheless, modern computing has made the algorithm extremely fast, and it only takes a few milliseconds. Even if your IP address has changed, a website can still identify you by looking at your browser’s fingerprint.
Is Your Browser Fingerprint Unique?
Naturally, it’s bad to have a unique browser fingerprint, because it makes it possible for websites to run scripts that would analyze and discover your identity. According to expert parties in the field, a browser fingerprint is partially unique and will often contain some bits of identifying information. A profile can be created by trackers and assigned to your browser, further facilitating future tracking without relying on cookies either. Although these trackers cannot personally identify you, they can collect and store visited websites, along with a trove of browsing related data. Since it does not rely on your IP address or tracking cookies, it is much more difficult to avoid or block.
Browser Fingerpring Testing
If you’re worried about your cookies and the safety of your browser and its fingerprint, there are simple tools available for free. For example, you can use this free tool called Panoticlick provided by EFF.org to rate the uniqueness of your browser’s fingerprint. The irony is that the more plugins you install – even plugins designed to enhance security settings – your fingerprint will be more unique. On my initial test using a family member’s computer, the browser tested unique amon 120,000+ other browsers tested so far. This was better than average, considering the browser was using an adblocker.
Another growing browser fingerpring tester is a Github project called AmIUnique.org. It has garnished over 150,000 scans but would continuously need more to provide concrete sampling.
Changing or Avoiding Browser Fingerprints
It is possible to mitigate browser fingerprints by installing fresh, clean browsers, but most people don’t want to do so. Believe it or not, your fingerprint is very dynamic and changes each time you install new addons or make small changes and configurations. For example, if you did something as simple as install a new font, your browser would have a more unique fingerprint.
However, the algorithms used to detect fingerprints can spot small changes with a high degree of accuracy. Essentially, they can tell that you have merely “upgraded” your fingerprint by making minute changes to your browser. There are ways to edit a browser’s User Agent, which can drastically change your browser’s unique identity. The problem is that websites depend upon the User Agent being correctly configured, and by editing it, you could cause a lot problems that prevent pages from loading correctly.
Best Practices to Avoid Tracking
If you’re a security and privacy nut, there are some things you can do to effectively mitigate fingerprinting. Although it is difficult to completely avoid browser fingerprinting, one solution stands out more than others: the Tor browser. Being specifically designed to be standard across all platforms, so that one browser cannot be told from another and tracked in such a fashion. It proactively blocks websites from using specific fonts, javascript, and HTML5 canvas objects must be approved before loading.
Though I don’t do it personally, I’ve even heard of some people setting up a virtual VMWare environment that is used for the sole purpose of browsing the web. Many of these configurations can be a little frustrating, and there is a trade-off between functionality and privacy. In general, keep the following in mind:
- Use a fresh install of your operating system of choice – old systems have so many unique values that it’s easy to track them
- Use a fresh and unmodified version of Firefox or Chrome
- Either use a VPN, Tor, or a combination of the two to mask your IP address and encrypt data
- Delete your history, cookies, and cache data after every session
- Use your browser’s “privacy mode” when surfing the web
- Disable JavaScript
- Don’t install flash (which again, may not be feasible)
- Use the Panoptoclick tool to see how your fingerprint ranks
- Setup a VMWare environment with a fresh OS, and make sure nothing else is installed, and that the web browser is fresh, plain, and clean
An additional tool that should be considered is EFF’s Privacy Badger browser add-on, which was originally designed off Ad-block, but with much stronger security and privacy features.
Final Thoughts
It seems like a catch-22 when considering that the more security extensions and plugins you add to your browser, the easier it is to track and identify your browser. Tracking is a pain in the neck, but you can use the aforementioned best practices to stop people and websites from identifying you online. Some of these practices simply aren’t feasible though, especially on a work computer.
I’d highly recommend using the rating tool first, and then implement these steps if your browser’s fingerprint is easily tracked. I wish security and privacy ended at using a VPN tunnel to hide traffic, but there’s always a new security threat lurking around every corner of the Internet.