As everyone knows, companies used to secretly track our movements online via cookies.
But the public got wise, so they’re moving onto the next big thing: browser fingerprinting.
It’s much harder to defend against, way more accurate and crucially, not many people know about it yet.
What is Browser Fingerprinting?
It’s information about your device easily obtained from your browser.
But the scary thing is this information is so unique, it’s like an online fingerprint.
So it can be used to find your device out of billions, target you and track you online, even across browsers.
It can be coded as a string of numbers and letters – your own personal ID.
The chance of you having the same browser fingerprint as someone else is extremely low….1 in 286,777, to be precise.
And all of this information is easy peasy to get hold of, and in the hands of corporations.
Pretty terrifying, right?
How does it work?
This is some of the information anyone can pull just from your browser:
- All your browsers and versions
- Language eg. ‘en-US’
- Plugins/browser extensions
- Fonts installed
- ‘Do not track’ settings
- Screen width and height
- Color depth
- CPU information
- Graphics processor information
- Auditory information
- Canvas hash
Now, take most of these alone – not unique at all.
But put all these details together, and you’ve got a unique device profile, making it easy to identify your device out of billions.
Let’s take a look at which information tends to be the most unique.
Unfortunately, the canvas hash is almost a fingerprint all by itself.
Images are rendered slightly differently on each computer at the pixel level due to the differences in devices.
This uniqueness is stored as a ‘canvas hash’.
You might think fonts aren’t a big deal, but if you install new fonts on your computer, this creates a highly unique signature.
Having multiple different browsers with multiple different versions is bad news.
What is it used for and why is this bad?
Have you ever got a warning email when accessing an account from a different device than normal?
That’s browser fingerprinting.
It knows the account doesn’t match your usual digital fingerprint, and dutifully flags up warnings.
Traditionally, this is what browser fingerprinting was used for: to identify fraud by banks and other organizations.
However, times change.
With user information increasingly becoming the currency of the internet, companies like Google and Facebook are out to get your data and make a profit from it.
In 2017, Facebook made 97% of their profits from advertising, and Alphabet (Google) made 88%.
Large organisations like Facebook and Google are the primary sources of internet consumer data by gathering knowledge on their own users. Big data is big business.
Large data sets can be analysed and used to build profiles on us, predict our behavior, manipulate our behavior, and target us with personalized ads.
But the extremely alarming thing about browser fingerprinting is how accurately they can identify you specifically.
Being able to easily identify anyone online means a potential end to any internet privacy.
It means anyone can hunt you down or target you, track you, and build up a very specific profile.
And unlike cookies, browser fingerprinting can even track you across browsers.
Lehigh University recently created an algorithm that could track users across multiple browsers with a staggering success rate of 99.24%.
This gives companies, as well as governments and hackers, unprecedented power to identify us and track us without our consent.
For example, retailers track us from start to finish, manipulating our behaviour based on the products we view as well as potentially our whole internet profile.
Hackers and stalkers could wreak havoc with this information, and citizens or just visitors of oppressive countries could have their internet actions and free speech strictly monitored as the traditional weapon, a VPN, doesn’t protect them.
Governmental intelligence agencies such as the NSA can build up detailed databases of every internet user, to track and monitor citizens.
But is there any evidence browser fingerprinting is actually happening yet?
Social media widget AddThis was found to be secretly tracking people’s canvas hashes in 2014. Fortunately, the public backlash was so bad they stopped the practice.
In 2017 Uber was found to be using a type of fingerprinting on the iPhone app, even after users deleted the app.
A fascinating 2016 study by Princeton University analysed the top 1 million sites for browser fingerprinting.
It’s no surprise that Google was found to be the biggest tracker by far, followed by Facebook.
Canvas fingerprinting was the top method, used on a staggering 14,371 sites. Canvas font fingerprinting was second, used on 3,250 sites. The vast majority were from third-party scripts.
Both of these have shot up in the past few years.
The biggest trackers actually stopped using canvas fingerprinting (not canvas font fingerprinting) after public backlash from their initial 2014 study, but more lesser-known smaller trackers are now using it.
They also found trackers don’t use just one technique, but multiple together.
Check your own fingerprint
There are some truly excellent websites out there that give you more info and allow you to see how unique your fingerprint is.
Although you should firstly be aware, this is only tested against their database of previously tested fingerprints.
First up, browserleaks.com has its own canvas hash feature. This only shows your canvas hash and uniqueness.
Turns out, mine is pretty unique at 99.98%. Pretty incredible for just one stat alone.
Two other websites give a more detailed picture of your whole browser fingerprint.
Panopticlick is owned by the Electronic Frontier Foundation (EFF), a non-profit digital rights group.
This is all the information it’s able to collect:
First it shows whether you have a unique fingerprint.
As mine is.
However, be aware this is only against other fingerprints they’ve tested in the past 45 days.
It also shows your fingerprint in one neat table.
The third column shows how unique each piece of data is; the higher the number, the more unique.
Fonts, canvas hash and browsers are the top 3 most unique pieces of information by far.
In my case, fonts are actually the biggest identifier, more than twice as unique as the canvas hash.
WebGL, the third biggest, also relates to the canvas hash.
The fourth biggest is browsers and browser version.
As you can see, the rest of the data seems very insignificant compared to these top three factors.
I’m in an unusual time zone, so that puts that a little higher than normal.
However, together it all makes a perfect unique profile.
Second, there’s a similar website, AmIUnique.org.
Be aware this tries to put a cookie on your computer for 4 months.
Again, my fingerprint came up as unique. AmIUnique compares you to a lot more profiles than Panopticlick: 1,482,615.
It seems having the latest version of Chrome installed is extremely rare, which is a surprise.
AmIUnique shows a much more detailed data table than Panopticlick.
It also shows the uniqueness of each piece of data as a percentage, with a handy traffic light system so you can easily see what makes you stand out.
Instead of going to a website, you can see some of your browser fingerprinting information directly.
Try the following shortcuts whilst in your browser:
- Chrome: Control+Shift+J
- Safari: Command+Option+C
- Firefox: Control+Shift+K
- Edge: F12
Then enter the following simple expressions in the Console:
- OS: navigator.platform
- Language: navigator.language
- Browsers: navigator.userAgent
- Plugins: navigator.plugins
- ‘Do Not Track’ info: navigator.doNotTrack
- Screen width: screen.width
- Screen height: screen.height
- Time zone: Intl.DateTimeFormat().resolvedOptions().timeZone
And you can see exactly what data companies have on you.
What about Cookies?
Cookies are extremely popular, but they’re easier to guard against than browser fingerprinting.
They’re kind of like the old school browser fingerprinting.
Companies use these to track our data all the time, and they used to do it very secretly.
Cookies let websites store pieces of text on your machine. Everytime you visit a website from the same machine, the same cookie is loaded.
This lets websites store your password, for example, or remember your shopping cart for later.
They usually give you a unique ID, and also may record timestamps, location, content viewed, ads clicked on, things you’ve added to your cart, etc.
Each time you browse the website, more information might be added.
If you also give your name and address to the website, all this information is identifiable.
And if all these companies were to sell this data to marketing companies to aggregate, they could gain a lot of insights.
Here’s an interesting map of cookies around the world. Most originally come from Russia or Germany.
But in the early 2000s, people got wise to cookies, and started protecting themselves against them through deleting, blocking and using VPNs.
The EU ‘cookie law’ of 2009 also forced websites to be upfront about cookies.
However, cookies are probably still the most common way to track people.
This includes medical diagnoses, symptoms, prescriptions, and menstrual and fertility information. What’s more, they’re flouting the EU cookie law.
But companies are slowly starting to realize that browser fingerprinting is way harder to fight against.
Of course, the two aren’t mutually exclusive, and cookies won’t go away. Cookies and browser fingerprinting make the perfect partners, one for collecting information and the other for identifying the user.
What about IP address?
An IP address is a single data point that’s easily visible when you’re online.
It’s unique to your machine, and gives away your location.
So it’s an easy stat for companies to collect identify you with.
Apart from location, it doesn’t mean too much on its own, but coupled with more detailed usage data, it’s extremely powerful in identifying and tracking you personally.
But like cookies, most are aware of the dangers.
Plus, an IP address is easy to mask by taking simple precautions such as using a proxy, VPN or Tor.
How to protect yourself against browser fingerprinting
As of today there’s no easy, guaranteed protection against browser fingerprinting. But there are some solid steps you can take to definitely put a significant dent in it.
We’ll run through each method in turn, then sum up the steps we recommend overall.
Use browsers in-built protection
Some browsers aside from Tor have stepped up to the plate and started offering fingerprint protection.
Its fingerprinting protection mode blocks a ton of stuff that can be used to identify you.
And even with that mode off, it does things like protects against third-party cookies and makes your plugins look empty.
Are you worried about having an unusual browser? Don’t be, as Brave spoofs it to look like Chrome.
Firefox now also has a Privacy Protection setting that can protect against fingerprinting, which seems pretty effective.
Safari says it implemented in-built protection against fingerprinting in 2018, by showing less information for things like fonts and plugins.
In their words, “As a result, your Mac will look more like everyone else’s Mac, and it will be dramatically more difficult for data companies to uniquely identify your device and track you.”
Chrome has promised to implement some protections itself, but has yet to deliver.
Make your fingerprint less unique
Another reasonable way to protect yourself is to make your fingerprint more common.
Firstly, removing any extra fonts, plugins or browsers you don’t use will help a ton (or apps on mobiles).
For mobile, browsers on iPhone, Android and Blackberries are the safest. In fact these are safer than desktops, because things like fonts, plugins and screen sizes are fairly uniform among smartphones.
For desktops, the latest version of Firefox on a recent Windows version is probably the most common combination.
The third column in the table below also shows the most common user agents for different browsers. Run a check on your computer (see ‘See your own fingerprint’ for instructions) and see if yours matches or not.
Tor is a great protection against browser fingerprinting as they have taken major steps to combat the problem.
In fact, they started addressing the issue way back in 2007 before the term “browser fingerprinting” was created.
They aim to create the same fingerprint for every Tor user.
In particular, all user agents are the same.
This is remarkable, and Panopticlick found that 1 in 34,517 browsers were the same as ours, which is 6 times better than our original result.
The downside of Tor, though, is speed. Tor is very slow, often making things like streaming impossible.
You can easily turn this off under Settings in your browser.
However, most folks understandably won’t go for this as it’s not practical.
And more importantly, gifs.
Use a plugin
There are several very clever and free plugins out there that can do real damage to your fingerprint. Of course, you have to trust the plugin, and unless it spoofs your plugin list, it also makes your plugin list more unique.
This is an all-in-one solution that protects against user agents, canvas hash and a ton of other features. It’s advanced with a lot of customisation on offer, but also automatically sets a default level of protection for non-technical users, so you can just download and forget about it.
User-Agent Switcher and Manager
This spoofs your user agent (browsers and versions info).
Another one that spoofs your user agent. You can also set it to change at custom intervals.
This protects against your canvas hash.
Don’t use two plugins that target the same user agent, as it probably won’t work properly.
Use private browsing
Many browsers offer private modes, such as Chrome’s Incognito mode, Firefox and Safari’s Private Browsing, and Edge’s InPrivate browsing.
These block cookies and don’t record browsing history, which of course helps against cookie tracking.
But do they also protect against browser fingerprinting?
In some cases, they can seem to help slightly, but individual results vary and I wouldn’t rely on it.
In our tests, using Chrome’s incognito mode did help our fingerprint slightly.
Our fingerprint reduced from ‘unique’ to ‘nearly unique’, with 1 in 68,914 browsers being the same as us (as opposed to not matching any of their 208,360 fingerprints before).
But the change wasn’t so great on AmIUnique.
Firefox private mode showed some improvement, but even less than with Chrome. Panopticlick found my fingerprint the same as 1 in 103,395, whilst AmIUnique found no change at all.
Try it for yourself.
If browsers could improve this by hiding your browser information, plugins and fonts in private modes, this would help massively.
It would create an extremely simple way to protect ourselves against browser fingerprinting.
Use multiple browsers
Some recommend using different browsers for different activities.
Let’s outline one of the easiest scenarios:
Browser one: accounts
This is where you login to all of your accounts: email, social media, banks, shopping. Anything.
But the key here is you don’t do anything else. You never google anything for example.
Browser two: the rest
In a separate browser, you do the rest of your online activities which will mostly be googling and browsing websites you don’t need to login to.
But since it’s been proven that browser fingerprinting can track you across browsers, this seems a lot of effort for little reward.
Besides which, so many websites now force you to register or sign in with Google/Facebook just to view the content, there won’t really be much left to do on browser two.
Use a VPN
Does a VPN protect you against browser fingerprinting?
Unfortunately, no, and that’s what’s got people most alarmed, since VPNs usually protect against everything.
However, going to all the effort to protect yourself against browser fingerprinting and then not using a VPN would be kind of a waste of time, since a VPN protects against pretty much everything else like your IP address, location, and encrypts all your data.
See our reviews of the top VPNs.
The best overall method
Overall, we recommend using the Brave browser, with some of the best browser fingerprinting protections available.
Alternatively, a good option is to use Firefox on Windows, take advantage of Firefox’s fingerprint protect settings, and take steps to make your fingerprint more common by deleting fonts and plugins.
Safari also offers some inbuilt protection for Macs.
There are some clever plugins out there, but they also may make your fingerprint more unique by adding a rare plugin.
We wouldn’t recommend private browsing or multiple browsers, and a VPN definitely won’t help, but will protect against other things like your IP address.
For mobiles, browsers on iPhones, Android and Blackberries are a lot safer than desktops, but it wouldn’t hurt to also delete unused apps.
Browser fingerprinting is information obtained from your browser, which is so unique its like your own digital fingerprint. This can be used to find you, target you and track you.
It’s the new cookies: more subtle, more deadly and much harder to protect against. And it’s on the rise.
Currently, most people aren’t even aware of it, let alone there being specific legislation to protect us.
To protect yourself, we recommend using the Brave browser.
Alternatively, use Firefox on Windows with its fingerprint protecting settings, and make your fingerprint more common. Safari also offers some protection for Macs.
Shockingly a VPN can’t protect against a fingerprint, but it protects against everything else like IP addresses, location, and encrypting your data, so it would be pointless to do one without the other.
Protecting ourselves against browser fingerprinting shouldn’t be this hard. Organizations need to do a lot more against this new insidious tracking technique.
- Opera VPN Review (2020): Is It Safe?
- Ivacy VPN Review (2020): Cheap For a Reason?
- Hide.me VPN Review (2020): Awesome But Expensive
- Perfect Privacy VPN Review (2020): Has It Got Complacent?
- Goose VPN Review (2020): Nice, But Is It Good Value?