How to tell if a website is taking your (browser) fingerprints

Whether you’re looking at the whorls and loops of a fingertip or analogously unique browser information, using a fingerprint is a highly accurate way to identify someone. It’s a lot harder to get a person’s fingerprint without their knowledge, but all kinds of services on the Internet ID users by their browser “fingerprint” — and not always with your interests in mind.

A team at Bundeswehr University Munich has developed a browser extension that lets you track which websites collect your browser fingerprints and how they do it. The team also analyzed 10,000 popular websites to see what kind of information they collect. Team member Julian Fietkau’s presentation at the Remote Chaos Communication Congress (RC3) discussed the issue and the team’s work on it.

What is a browser fingerprint?

A browser fingerprint is an assembly of the data that a website can obtain about your computer and browser on request when a page loads. The fingerprint includes dozens of data points, from the language you use and the time zone you’re in to which extensions are installed and your browser version. It may also include information about your operating system, RAM, screen resolution, font settings, and much more.

Websites collect varying amounts and types of information, using it to generate a unique identifier for you. A browser fingerprint is not a cookie, although it can be used similarly. And, though you have to consent to the use of cookies (you’re probably already tired of closing “our site uses cookies” notifications), taking browser fingerprints does not require consent.

Moreover, even using Incognito mode won’t stop your browser fingerprint from being taken; almost all browser and device parameters remain the same and can be used to determine that the person browsing is you.

How browser fingerprints are used and misused

The first purpose of a browser fingerprint is to confirm a user’s identity without any effort on their part. For example, if a bank can tell from your browser fingerprint that it’s you carrying out a transaction, they don’t need to bother sending a security code to your phone and can expend a bit more effort if someone — even you — logs in to your account with a different browser fingerprint. In this example, browser fingerprints improve your experience.

The second purpose is to show targeted ads. Read a guide on one website about choosing an iron, then go to another website that uses the same ad network and the network will show you ads for irons. Basically, it’s tracking without your consent, and users’ hatred and suspicion of the practice is quite understandable.

Even so, many websites that embed components from various ad networks and analytics services collect and analyze your fingerprints.

How to tell if a site is taking your browser fingerprint

To obtain the information to compile a browser fingerprint, a website runs embedded JavaScript code that queries the browser for a number of properties. The aggregate of the browser’s responses makes up its fingerprint.

Fietkau and his colleagues analyzed the most popular libraries with this kind of JavaScript code, compiling a list of 115 distinct techniques most frequently used to work with browser fingerprints. They then created a browser extension called FPMON that analyzes Web pages to see if they use those techniques and tells the user exactly what data a particular site is trying to collect to compile a browser fingerprint.

Users with FPMON installed receive a notification when a website requests a given piece of such information from the browser. Moreover, the team divided the types of information into two categories: sensitive and aggressive.

The first category includes information that a website may request for legitimate reasons. For example, knowing the browser language enables a site to appear in your preferred language, and information about your time zone is required to show you the correct time. However, that information still might say something about you.

Aggressive information is irrelevant to the site, most likely used for the sole purpose of putting together your browser fingerprint. It might include the amount of device memory or a list of plugins installed in your browser, for example.

How aggressively do sites collect browser fingerprints?

FPMON can detect requests for 40 types of information. Almost all websites ask for at least some information about the browser or device. At what point should we assume that a website is actually trying to take a fingerprint? At what point should you worry?

The researchers used existing sites such as the EFF’s Panopticlick (aka Cover Your Tracks) project, which the privacy advocacy group created to demonstrate how browser fingerprinting works. Panopticlick requires 23 parameters to work and can identify a user with greater than 90% confidence. Fietkau and his team made 23 parameters their minimum value; at or above that, we can assume a website is tracking users.

The researchers went through the top 10,000 websites (as ranked by Alexa) and found that most of them — nearly 57% — ask for 7 to 15 parameters, with a median value of 11 parameters for the entire sample. Approximately 5% of the websites didn’t collect a single parameter, and the maximum number collected was 38 out of a possible 40. However, only three out of the 10,000 requested that many.
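How an FPMON-style monitor can work, as an added example that is not FPMON’s code: fingerprint-relevant properties are wrapped with logging getters, reads are sorted into the article’s two categories, and the 23-parameter cutoff is applied. The property names, their sensitive/aggressive split and the constructed navigator-like object are assumptions.

```javascript
// Added example, not FPMON's code: a minimal monitor in its spirit. It wraps
// fingerprint-relevant properties with logging getters, sorts reads into the
// article's two categories and applies the 23-parameter cutoff. The property
// names, their split and the constructed browser object are assumptions.
const SENSITIVE = [ // a page may need these to render correctly
  "language", "languages", "timezoneOffset", "screenWidth", "screenHeight",
  "availWidth", "availHeight", "colorDepth", "devicePixelRatio",
  "cookieEnabled", "maxTouchPoints", "userAgent", "platform",
];
const AGGRESSIVE = [ // rarely needed by the page; mainly useful for a fingerprint
  "deviceMemory", "hardwareConcurrency", "plugins", "mimeTypes", "vendor",
  "productSub", "appVersion", "doNotTrack", "canvasHash", "webglRenderer",
  "audioHash", "fontList",
];
const THRESHOLD = 23; // Panopticlick needs 23 parameters; the researchers' cutoff

// Wrap each listed property on `target` with a getter that records the read; returns the Set of names read.
function instrument(target) {
  const accessed = new Set();
  for (const name of [...SENSITIVE, ...AGGRESSIVE]) {
    if (!(name in target)) continue;
    const value = target[name];
    Object.defineProperty(target, name, {
      configurable: true,
      get() { accessed.add(name); return value; },
    });
  }
  return accessed;
}

// Count reads per category and apply the cutoff.
function report(accessed, threshold = THRESHOLD) {
  const aggressive = [...accessed].filter((n) => AGGRESSIVE.includes(n)).length;
  return { total: accessed.size, sensitive: accessed.size - aggressive,
           aggressive, likelyFingerprinting: accessed.size >= threshold };
}

// Build a constructed stand-in for navigator/screen with placeholder values,
// instrument it, let a "site script" read the given properties, and report.
function audit(propertyNames) {
  const browser = Object.fromEntries(
    [...SENSITIVE, ...AGGRESSIVE].map((k, i) => [k, `value-${i}`]));
  const accessed = instrument(browser);
  for (const name of propertyNames) void browser[name];
  return report(accessed);
}

// The study's median site read 11 parameters; a Panopticlick-style tracker reads nearly all.
console.log(audit([...SENSITIVE.slice(0, 9), ...AGGRESSIVE.slice(0, 2)]));
console.log(audit([...SENSITIVE, ...AGGRESSIVE]));
```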

The websites in their sample used more than a hundred scripts to collect the data, and although very few scripts collected a lot of information from the aggressive category, they’re used on some very popular websites.

How to protect against fingerprinting

Two approaches can prevent website scripts from taking your browser fingerprint: blocking them and giving them incomplete or incorrect information. Privacy software uses one method or the other. On the browser side, Safari recently began providing only basic, impersonal information, thus protecting users from tracking through fingerprinting.

Some organizations have stepped in with browser extensions as well. For example, Privacy Badger, a privacy plugin developed by the EFF, tries to block scripts, although not all of them. In particular, the plugin doesn’t affect scripts that request data that may be needed for a page to display correctly or for some of its functions to work (but that can also contribute to a fingerprint).
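The two approaches described above, blocking and impersonal answers, together with the caveat that data a page needs to render is left alone, as an added JavaScript example that is not Safari’s, Privacy Badger’s or Kaspersky’s code. The property names, the “generic” values and the two constructed users are assumptions.

```javascript
// Added example, not Safari's or Privacy Badger's code: the two defenses the
// article names, applied to a constructed navigator-like object. Property names,
// the "generic" values and the two constructed users are assumptions.
const NEEDED_BY_PAGES = ["language", "timezoneOffset", "screenWidth"];
const FINGERPRINT_ONLY = ["deviceMemory", "hardwareConcurrency", "plugins", "canvasHash"];

// Approach 1, blocking: the property answers nothing, as if the browser never
// supported it. Scripts that depend on it may break.
function blockProperty(target, name) {
  Object.defineProperty(target, name, { configurable: true, get: () => undefined });
}

// Approach 2, impersonal answers: every user reports the same plausible value,
// so the property carries no identifying information but scripts keep working.
const GENERIC = { deviceMemory: 8, hardwareConcurrency: 4, plugins: [], canvasHash: "0000" };
function genericizeProperty(target, name) {
  Object.defineProperty(target, name, { configurable: true, get: () => GENERIC[name] });
}

// Apply one mode to the fingerprint-only properties and leave the rest alone:
// data a page needs to display correctly is not touched.
function harden(target, mode) {
  const apply = mode === "block" ? blockProperty : genericizeProperty;
  for (const name of FINGERPRINT_ONLY) apply(target, name);
  return target;
}

// What a fingerprinting script assembles: an identifier built from whatever
// the browser object answers for each property.
function fingerprint(target) {
  return [...NEEDED_BY_PAGES, ...FINGERPRINT_ONLY]
    .map((n) => `${n}=${JSON.stringify(target[n])}`).join(";");
}

// Two constructed users: same locale and screen, different hardware.
function makeUser(memory, cores, plugins) {
  return { language: "en-US", timezoneOffset: -60, screenWidth: 1920,
           deviceMemory: memory, hardwareConcurrency: cores, plugins,
           canvasHash: `canvas-${memory}-${cores}` };
}

// Before hardening the two users can be told apart; afterwards they collapse
// into one identifier under either mode.
function demo(mode) {
  const a = makeUser(16, 8, ["PDF Viewer"]);
  const b = makeUser(4, 2, []);
  const distinguishableBefore = fingerprint(a) !== fingerprint(b);
  const distinguishableAfter = fingerprint(harden(a, mode)) !== fingerprint(harden(b, mode));
  return { distinguishableBefore, distinguishableAfter };
}
```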

We use the same approach in our Kaspersky Protection browser extension, preventing websites from collecting too much user information and, thus, assembling a fingerprint. Kaspersky Protection is part of our main consumer security solutions. Just don’t forget to enable it.