At the Apple Worldwide Developers Conference (WWDC) in early June 2018, Apple announced that Safari updates for macOS Mojave would better prevent sites and advertisers from tracking you through browser fingerprinting. However, if you’re not a tech-savvy individual, it’s possible that you hadn’t heard of this tracking technique until this announcement. To find out more about browser fingerprinting, Apple’s plans and what you can do to better secure your online privacy, read on.

What is browser fingerprinting?

To fully understand what’s going on, it may be helpful to first cover what browser fingerprinting is. While it might not be a topic that’s brought up as frequently as cookies, browser fingerprinting, also known as device fingerprinting, is a different technique third parties (e.g., online advertisers, Facebook and other parties) can use to identify a remote device and track you. The idea behind fingerprinting is that information can be collected from a device to identify the user, which could then be compiled to create a unique profile. Websites can then draw on this profile, using it to better understand your habits and maintain a constant relationship with you. In other words, device fingerprinting is a means that offers the chance to connect your online identity with your offline identity.

So, how does browser fingerprinting work? The process begins as soon as you load a web page. When you do this, some of your device’s browser configurations are automatically transmitted. When viewed as a whole, these configurations make for a “unique set of characteristics” – your “fingerprint.” Your device can then be identified based on this unique aggregate of configurations – characteristics that could include the browser you use, browser location, time zone settings, operating system, whether or not cookies are enabled, screen resolution, language settings, plugins that you’ve installed, fonts and more.

Curious about what your browser fingerprint reveals? The Electronic Frontier Foundation’s Panopticlick website allows you to test your browser to find out — be aware that at the end of the test, you may be encouraged to download its ad/fingerprint/cookie-blocking software.

Why are fingerprints collected?

While browser fingerprinting has been referred to in a negative way, the truth of the matter is that browser fingerprinting is used in various and diverse ways – some of which aren’t inherently bad. Here are a few motivations that could drive the collection of your browser fingerprint:

  • Fingerprinting can be used to track and collect information on users, such as their likes and habits. This is something that’s exemplified in targeted advertising, and some may also earn money by tracking your web activities and selling that data.
  • Browser fingerprinting can be used to determine if someone is the person or user they claim to be. In fact, fingerprinting is something that can be useful in the fight against fraud.
  • According to Am I Unique?, hackers could potentially use fingerprinting to learn more about specific devices, enabling them to carry out attacks targeting these devices.

Browser fingerprinting isn’t easy to prevent

According to Ars Technica, “state-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings.” As such, browser fingerprinting works effectively and is difficult to prevent for several reasons, including the following:

  • Simply using multiple devices or modifying your IP address won’t prevent browser fingerprinting from happening. Browsing through multiple devices might not help because your devices’ configurations can be cross-referenced (though doing so may be a demanding process), and an IP address change wouldn’t do the trick after you browse the web several times.
  • Using a VPN or a proxy alone also wouldn’t prevent you from being subjected to browser fingerprinting. A VPN can’t change settings like your screen’s resolution or font, and a proxy just changes your location — it doesn’t modify your device’s other configurations. As such, it may still be possible to identify you through the many configurations that haven’t been modified.
  • Using multiple browsers also might not prevent browser fingerprinting, though it may sound like an enticing idea. Researchers have developed a fingerprinting technique that lets websites track visitors who are using more than one browser. As such, spreading out your online activity over multiple browsers won’t be helpful.
  • Browser fingerprinting can be difficult to disable – more so than disabling cookies. The reason why? Unlike cookies, which can be disabled and deleted to prevent websites from tracking you through them, browser fingerprinting isn’t something that you can just disable. For these reasons, browser fingerprinting has been referred to as the cookieless monster.

More about Apple’s announcement

Now that you know more about browser fingerprinting, let’s go back to Apple’s big announcement at the WWDC. Apple announced that it would be introducing Safari updates for macOS 10.4 Mojave to prevent browser fingerprinting. How? By providing updates that will limit the browser data websites can access, so your computer’s configurations (and, consequently, your computer) will not appear unique, meaning a unique footprint won’t be created. Apple says that it will limit the information released about you to basic information, such as your general system settings and “built-in fonts.”
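
To make the idea of "not appearing unique" concrete, the following added example (not code from Apple or from the original article) groups a constructed population of eight visitors by the aggregate of their attributes and measures how identifiable they are before and after fonts and plugins are reported in a standardized way. The `standardize` function and every sample value are assumptions made for illustration.

```javascript
// Constructed sample population (not real measurements): eight Safari-on-macOS
// visitors described by the kinds of attributes the article lists.
const FIELDS = ["browser", "os", "timezone", "language", "screen", "fonts", "plugins"];
const ROWS = [
  ["Safari", "macOS", "UTC-8", "en-US", "1440x900", "builtin", "none"],
  ["Safari", "macOS", "UTC-8", "en-US", "1440x900", "builtin+Fira Code", "none"],
  ["Safari", "macOS", "UTC-8", "en-US", "1440x900", "builtin", "Flash"],
  ["Safari", "macOS", "UTC-8", "en-US", "1440x900", "builtin+Comic Neue", "Flash+Silverlight"],
  ["Safari", "macOS", "UTC+1", "de-DE", "2560x1440", "builtin+Fira Code", "none"],
  ["Safari", "macOS", "UTC+1", "de-DE", "2560x1440", "builtin", "Java"],
  ["Safari", "macOS", "UTC+1", "de-DE", "2560x1440", "builtin+Lato", "none"],
  ["Safari", "macOS", "UTC+1", "de-DE", "2560x1440", "builtin", "none"],
];
const visitors = ROWS.map(r => Object.fromEntries(FIELDS.map((f, i) => [f, r[i]])));

// A fingerprint is the aggregate of all attributes, not any single one.
function fingerprint(v) {
  return FIELDS.map(f => `${f}=${v[f]}`).join("|");
}

// Group visitors by fingerprint; each group is an anonymity set.
function anonymitySets(population) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprint(v);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Summarize how identifiable the population is.
function identifiability(population) {
  const sizes = [...anonymitySets(population).values()];
  const n = population.length;
  return {
    uniqueVisitors: sizes.filter(s => s === 1).length,
    smallestSet: Math.min(...sizes),
    // Average surprisal in bits: log2(n / setSize), weighted by visitors.
    avgBits: sizes.reduce((sum, s) => sum + s * Math.log2(n / s), 0) / n,
  };
}

// Hypothetical model of the mitigation: the browser reports only built-in
// fonts and no plugin list, so those two attributes stop distinguishing users.
function standardize(v) {
  return { ...v, fonts: "builtin", plugins: "none" };
}

const before = identifiability(visitors);
const after = identifiability(visitors.map(standardize));
console.log({ before, after });
```

In this sample every visitor is unique while fonts and plugins are exposed; once those two attributes are standardized, the same visitors collapse into two groups of four, even though time zone, language and screen resolution are still visible.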

How to further protect yourself from browser fingerprinting

While Apple and other companies may be taking steps to better shield you from browser fingerprinting, there are some steps you can take to further increase your privacy. As exemplified by the strategy Apple will be trying to implement, one way to protect yourself from browser fingerprinting is to make your device blend in as much as possible. Here are some specific cautionary measures that you can undertake:

Disable JavaScript

Because some sites use JavaScript to identify your plugins, disabling JavaScript can be a good way to prevent yourself from being targeted through browser fingerprinting. However, disabling JavaScript may worsen your user experience, since many websites can’t function properly if it isn’t enabled. There are several ways to give only certain websites the ability to execute JavaScript, but these methods tend to either demand quite a bit of work from the user (e.g., NoScript Firefox extension) or tend to not work that effectively.

Try using Torbutton

You can try using Torbutton, which can block JavaScript in your device’s browser and disable some active content. Torbutton can also help standardize some browser characteristics, allowing your device’s browser to blend in with the masses.

Some wonder if using a browser that exhibits few deviating variables helps

Some, such as Panopticlick, wonder if using a more “common” or “standard” browser (i.e., a browser that sports few deviations when it comes to plugins and other configurations) could be a good defense. According to Panopticlick’s website, “Pending the results of the Panopticlick experiment,” researchers believe that browsers in smartphones – specifically, in iPhones, Androids and Blackberries – may be more standard. That’s because these devices may feature fewer differences in terms of installed fonts, screen size and other configurations.

Now that you know more about browser fingerprinting, it may be good to learn more about how you can protect your identity on the web. While there are some ways to better prevent yourself from being tracked, the reality is that it can be difficult to protect your privacy. To find out more precautions you can take to better secure your identity, look to our privacy blog.