Searching for products and services through search engines is now a common occurrence. Chances are, if you have searched for a specific product or service, you’ve also notice that the ads that appear on the sites you visit will feature the same products you were looking for.
But, how do websites know what your interest are? Or what ads to show you?
The answer to these questions is browser fingerprinting. Browser fingerprinting is the process of collecting metadata available through browsers in order to identify specific users. By using these techniques, websites can track your online browsing habits and purchase patterns, with the aim of delivering ads and promotions that align with your interests.
Websites fingerprint browsers for a number of reasons, but the main driving force is the multi-billion dollar industry known as online marketing. Online marketing has taken the world by storm, and personalized ads are the main reason for its success.
Although cookies were the main way websites could track user behavior, browser fingerprinting has gained prominence in the online marketing world over the last four years. For many reasons, cookies are not as effective as they use to be, so browser fingerprinting has become the new standard for tracking and identifying users and their interests.
Browser fingerprinting technologies have become so effective that in a detailed study, which included around one million users, the Electronic Frontier Foundation (EFF) found that a unique fingerprint can be identified in 83.6% of all browsers. Moreover, 94.2% of browsers that had Java or Flash enabled showed a unique fingerprint as well, and that doesn’t even include cookies!
In this article, we will go over the most common types of browser fingerprinting methods and give a basic overview of how they work. Remember that this is not a complete list of fingerprinting methods; but we will cover the main and most effective types being used today, as well as the methods that we think will matter the most in the foreseeable future.
Why Does Browser Fingerprinting Pose a Threat?
Personalized ads may not sound like a terrible thing, and in essence, they are not. The main problem with browser fingerprinting is that it usually poses a threat to online privacy.
Most, if not all websites that implement browser fingerprinting either don’t ask a user’s consent when fingerprinting his or her browser, or do so in a very misleading manner. Chances are you can’t recall a website ever asking your permission to track your information. In case there’s any notification at all it’s usually buried in the site’s Terms of Service, written in the smallest font you could possibly imagine, and it usually goes something like this:
“By using our website you agree that we will save the digital signature of your machine.”
Don’t worry, if you didn’t understand that, you’re not alone. Most users have no idea what this means and since it doesn’t come with any real explanation of what the possible consequences may be, the few who manage to see it don’t really think twice about it.
Agreeing to these terms, however, can result in higher prices based on your location, mass information leaks due to hacker attacks, and other disadvantages that are not immediately obvious to consumers.
Types of Browser Fingerprinting
Browser fingerprinting methods vary tremendously, which is one of the reasons why they’re so difficult to combat. New fingerprinting methods are developed on regular basis, but there are also new solutions that address these innovative techniques. Because of this, fighting browser fingerprinting is a recurring effort, to say the least.
Below you will find the most common types of browser fingerprinting and the basics of how they read information from your browser or device.
Browser plugins are often confused with browser add-ons, but the main thing you must remember is that plugins pose more of a threat to your online privacy. The main difference between them is that plugins are executed outside of a browser in a completely different process.
Browsers can’t control how much access rights plugins have, instead, this is defined by the user which is currently logged onto the system. In most cases, users are working under administrator profiles, giving plugins a lot of freedom when it comes to collecting data.
Plugins are used to enhance browser experience, and to access resources such as Flash and other neat features. They are developed by third parties, and the most common ones include, but are not limited to:
- Shockwave Flash
- QuickTime Plug-in 7.7.3
- Default Browser Helper
- Unity Player
- Google Earth Plug-in
- Silverlight Plug-In
- Java Applet Plug-in
- Adobe Acrobat NPAPI Plug-in, Version 11.0.02
Each of these plugins can be used to track unique information about your machine and fingerprint your browser. Take Flash for instance. All other plugins aside, Flash API is able to read information that can be used to identify your machine, such as:
- Your complete font list
- Motherboard and other hardware IDs
- Real MAC address
- Real IP address, even if you are using a proxy connection
Besides the fact that plugins already reveal a lot of information, your plugin list itself can be a fingerprint. Plugin enumeration help websites obtain your full list of plugins, and because there are so many different plugin and version combinations, this list alone can accurately identify your browser.
Browser Add-On Enumeration
Browser add-on enumeration is similar to the aforementioned plugin enumeration technique. The main goal of add-on enumeration is to obtain the list of add-ons that you have installed on your browser, preferably both their names and versions.
Browser add-on enumeration is part of a broader set of methods called “JS behavioral tests” which can also read a browser’s exact version and other pieces of unique information about your browser. When collected together, the combination is unique enough to fingerprint your browser precisely.
System Fonts Enumeration
Another set of elements that can be used to fingerprint your browser is the list of fonts you have installed on your computer. Websites can use Flash or Java Applet plugins to obtain your system font list, which is then silently transferred to a server in the background through AJAX.
Another effective way to acquire this list is through system fonts enumeration, which is possible thanks to CSS introspection. In a nutshell, this method can deduce the fonts you have installed on your machine by measuring the width of a phrase produced by your browser in a specific font.
For instance, if you write “Hello World” with size 14 Times New Roman font, this element should have the same width measurement in pixels on every screen. If the width of the text on your browser matches size 14 Times New Roman it means that you have that font installed.
However, if the element width does not match, it means the browser has substituted the Times New Roman because it’s not installed on there. By cycling through the list of possible fonts and widths, websites can get an accurate picture of which fonts a user has installed, leading to precise fingerprinting.
User-Agent strings tell websites what browser version is being used in order to display the site properly, based on the user’s device. Each browser has a unique way of displaying a website, so the User-Agent string is critical for good user experience.
That being said, User-Agent strings also reveal a great deal of information to websites, including system and browser details, platform information, and much more. Each combination can be so unique, that the User-Agent string alone can sometimes be used to accurately identify users.
One of the best ways to avoid easy identification through User-Agent is to use a browser that was released less than 2 or 3 months ago, as it guarantees you will be using one of the most common User-Agent strings available.
Websites can read two variables when it comes to screen resolution. The first one is screen resolution as reported by your browser, and the second is the size available for web page displaying.
The screen resolution as reported by your browser can be adjusted manually, so it can it’s easily manipulated. For instance, you can set false resolution values, such as 10000×10000 and your browser will still broadcast those values.
The parameters available through JS.Navigator reveal a good amount of unique information about your computer. Although these parameters can be easily manipulated, they can also be easily discovered in a number of cases. For example, if a browser manipulates these parameters while the page is loading, websites can easily detect the false parameters and discover their real values.
Nowadays, the catch phrase “supercookies” refers to all cookies that are stored in a non-usual location. Common cleaning tools that are embedded into browsers usually have a hard time deleting these cookies, so they usually require specialized tools or manual deletion.
Although the term “supercookies” was used a synonym for Flash cookies, the term is now used to describe any and all cookies that are hard to delete or that are stored in uncommon places. They are often injected through Flash, Java, and other means, but they are all grouped under the same category because of their permanent storage and difficult removal characteristics.
Canvas, WebGL, and Audio Fingerprint
Canvas, WebGL and audio fingerprinting are different techniques, but they have one thing in common: they are not defined by a set of predetermined values, like JS.Navigator for instance. Instead, these fingerprinting mechanisms read information about your specific device and how it solves different tasks when compared to other machines.
These fingerprinting techniques can sometimes be referred to as “device fingerprints,” but there is no widely accepted term for them. We like to refer to them as “hardware fingerprints” because all three methods involve comparing how different computers solve unique tasks that are given by a website.
Browser fingerprinting is incredibly hard to combat because it encases so many different techniques and elements. The purpose of this article is to create a comprehensive list of the most common browser fingerprinting methods and the basics of how they operate.
That being said, we omitted certain methods that we don’t consider important because there is no sign that they have been used for anything except scientific articles and proof-of-concept solutions.
There are other browser fingerprinting methods that we discovered while developing Multilogin. But, because we have never seen them used in real life scenarios, we think it’s best to hold them back and not cover them in this article.
However, you can rest assured that whenever we find any signs that these methods are actively being used to fingerprint browsers, we will have our anti-fingerprinting solution ready to protect the privacy of our users!