What Is Browser Fingerprinting?
Websites can use browser fingerprinting to identify you. It works by running a script that looks at specific data your browser sends to the site and compiling a profile of you as a user. It’s called a fingerprint because, like with the ones on your fingers, with enough data, it can be made entirely unique.
Before we move on, though, let’s clear up some terminology: The terms browser fingerprinting and device fingerprinting are often used interchangeably, but that’s not entirely correct. A device fingerprint or a machine fingerprint is information about the device you’re on, collected either through a browser or an app.
A browser fingerprint is more specific, and is all of the information gathered through the browser. Besides device information, it includes data like the type and version of the browser that you’re using, the operating system that you’re rocking, the language that your browser is in, and a lot of other, more minor data points, like screen resolution.
At first glance, this might seem like pedestrian stuff. However, with enough of these data points, the picture of the user on the other end becomes clearer and clearer. Make it precise enough, and the site in question can be pretty sure who you are and use that information to target ads at you.
For example, there are only so many people who use a specific Android version. On top of that, there are only so many people who use a certain version of Chrome, only so many people who have their browser language set to French, only so many people who use a 1920×1080 resolution, etc. The script is running you through a funnel, and each step gets it closer to you.
How Does Browser Fingerprinting Work?
The list of data points that can be used to narrow down a profile is long, and you’d be surprised how accurate fingerprinting algorithms turn out to be. For example, in one 2016 study, 81% of website visitors were boiled down to a unique profile. This is done not only by using passive data, like browser type and screen resolution, but also through more active means. Below are a few examples.
Canvas fingerprinting: The fingerprinting script will draw on a hidden “canvas” element in the page, invisible to you, and read the result back. The output differs depending on the type of graphical hardware you’re using, so it’s a great way to identify your graphics card and drivers. WebGL fingerprinting uses a similar method.

Audio fingerprinting: This type of script analyzes how your computer processes sound. Tiny variations in tone can narrow down your audio driver.

Media fingerprinting: This method takes an inventory of the media drivers on your computer and identifies as many as possible.
The trick to browser fingerprinting isn’t to find a single data point that tells the script who you are, but rather, it’s all about finding as much information as possible and aggregating it to form a picture of you.
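The funnel and the aggregation described above can be measured. The following is an added example, not code from the original article: it takes a constructed set of eight hypothetical visitors and reports, as each attribute is added to the fingerprint, how many visitors become unique and how many bits of identifying information the combination carries on average. The attribute names, the sample values, and the function names `anonymitySets` and `funnel` are assumptions made for illustration.

```javascript
// Constructed sample: eight hypothetical visitors, not real measurement data.
const ATTRS = ["os", "browser", "lang", "screen"];
const visitors = [
  ["Android 14", "Chrome 126", "en", "1920x1080"],
  ["Android 14", "Chrome 126", "en", "1920x1080"],
  ["Android 14", "Chrome 126", "fr", "1920x1080"],
  ["Android 14", "Chrome 125", "en", "1920x1080"],
  ["Android 13", "Chrome 126", "en", "1920x1080"],
  ["Android 13", "Chrome 126", "en", "2400x1080"],
  ["Android 13", "Chrome 125", "fr", "1920x1080"],
  ["Android 14", "Chrome 125", "en", "2400x1080"],
].map(row => Object.fromEntries(row.map((val, i) => [ATTRS[i], val])));

// For each visitor, return the size of their anonymity set: how many
// visitors share the same values for the chosen attributes.
function anonymitySets(records, attrs) {
  const keyOf = r => attrs.map(a => r[a]).join("|");
  const counts = new Map();
  for (const r of records) {
    const k = keyOf(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return records.map(r => counts.get(keyOf(r)));
}

// Add one attribute at a time and report how far the funnel has narrowed.
function funnel(records, attrs) {
  return attrs.map((_, i) => {
    const used = attrs.slice(0, i + 1);
    const sets = anonymitySets(records, used);
    // Bits of identifying information per visitor: log2(population / set size).
    const bits = sets.reduce((sum, n) => sum + Math.log2(records.length / n), 0);
    return {
      attrs: used.join("+"),
      unique: sets.filter(n => n === 1).length,
      avgBits: Number((bits / records.length).toFixed(2)),
    };
  });
}

console.table(funnel(visitors, ATTRS));
```

No single attribute makes anyone unique in this sample, but the combination of all four singles out six of the eight visitors.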
However, we should mention here that fingerprinting isn’t all bad. The technique is also used for security purposes. For example, it’s likely that your credit card company takes a print every time you log in to make sure that you’re you. You’ve probably seen the alerts when you log in from a weird location or from a different device.
What Is a Fingerprint Profile Good for?
The main reason to create a fingerprint is so that ads can be targeted more accurately at users. By narrowing down who you are, it’s easier for an algorithm to determine which ads to show or not show, as the case may be. If, for example, it’s determined that you’re on an Android device, you probably won’t see any iPhone-related messages.
That description might remind you of browser cookies, and while they serve a similar purpose, they work quite differently. A cookie is more like a tracking device. Once it’s on your computer, the site that stuck it there knows where you are and what you’re doing. A browser fingerprint is more static. It uses set data about you and your device to determine exactly who you are and marks when you visit its site, but it can’t follow you around.
Because of this, the data that a cookie collects is more valuable, although you can turn cookies off, and browsers are increasingly blocking third-party cookies in a blow to online tracking. A fingerprint is almost the opposite: Because much of the data that it transmits is vital to the way that you view the internet, there’s no way of switching it off. It’s less revealing but practically undetectable and almost impossible to switch off.
How to Protect Yourself from Browser Fingerprinting
That’s the crux of browser fingerprinting: It’s almost impossible to dodge. There are ways to disable some of the data transfer by using extensions like NoScript (which disables JavaScript) or browser-like programs such as Tor, but while they keep you safe, they also make the overwhelming majority of the internet off-limits to you. Most sites won’t show up without the information that fingerprint scripts collect.
Such being the case, you’re more or less damned if you do, damned if you don’t. Even tactics that you can use to avoid law enforcement, like using incognito mode and a VPN together, won’t get in the way of browser fingerprinting. That being said, some browser makers, among them Mozilla, claim to have developed techniques to block fingerprinting. Still, it looks like browser fingerprinting might be here to stay.