Your browser’s ‘fingerprints’ and how to reduce them


Photo: flickr/CPOA

Those concerned about online security have likely already checked their browser’s “Do-not-track-me” option or installed add-ons like Ghostery that make it hard for cookies to crumb up their computers. But these days, that’s not enough. Websites can still easily identify you.

Digital fingerprinting is when websites digitally mine your browser for information to learn about you and your browsing as you surf the internet. This kind of fingerprinting is especially appealing to advertisers but can be used by others with more malevolent aims.

Browser fingerprinting of computers, smartphones and tablets has been around since at least 2009. The method works by collecting information about your browser configuration, such as add-ons and the fonts installed, the browser’s version information, or even its clock setting. The combination of these properties is unique for the vast majority of browsers. Dusting for fingerprints remotely is especially easy when users have Flash or JavaScript enabled. All this data helps trackers uniquely identify devices and build up profiles of people who use them.

German software developer Henning Tillmann devoted his academic thesis to browser fingerprinting, finding that more than 90 percent of internet users leave unique fingerprints on websites. DW Akademie’s Natalia Karbasova talked to Tillmann to find out more about this sophisticated kind of tracking and if journalists can do anything to delete their traces.

What exactly are browser fingerprints?

Tillmann: When a browser visits a website, it sends data to the server hosting the site. This data, located in so-called protocol headers (HTTP, TCP or IP), contains information about the user’s computer, like its IP address or the browser name. This is a passive browser fingerprint, information that is sent automatically. But a website can also try to get additional information like a list of all installed fonts and plugins, supported data types (so-called MIME types), screen resolution, system colors and more. This process is called active fingerprinting. When all attributes of a fingerprint are combined it is very likely a user’s fingerprint will be unique. For example, if you visited a website yesterday and open it again today, you could be identified by your browser fingerprint even if you had deleted all cookies and changed your IP address.

Is it difficult to install a fingerprinting script on a website and analyze the results?

No, scripts that collect browser fingerprints are integrated into the normal website code. Collecting active fingerprinting data takes just a few milliseconds and algorithms are run that compare millions of fingerprints.

Does that mean that whatever I do on the web, I’m being tracked?

Passive fingerprints are always sent while surfing the web. The question is whether the transmitted data is stored on a server and will be used for identification purposes. The collection of active fingerprints has to be manually programmed by a content provider.

What’s done with the collected data?

Passive fingerprints can be stored on a server and used for identification purposes. Research by students at the University of Leuven showed that at least 145 of the internet’s 10,000 most popular sites engage in active fingerprinting. One of them was the website of Germany’s biggest internet service provider, T-Online.

Which characteristics of the computer system are most revealing in case someone wants to find out a user’s identity?

The most revealing attributes are the list of installed plugins, supported MIME types and installed fonts (part of active fingerprinting) if those are combined with the user’s browser identification, the “user agent.” In my research, I found that 87 percent of the collected fingerprints were unique just through looking at these four attributes.

Can users change their fingerprints?

In some ways, yes. By installing new fonts or new plugins the fingerprint changes. It’s also possible to fake the user agent string, that is, you can pretend you’re using a Firefox browser on a Mac OS X machine but in fact you are using Chrome with Windows. Some browsers let you alter the User-Agent string. But that’s not always a good idea since the functionality of some websites depends on a correct user agent. In general, changing your system or browser settings affects your browser fingerprint but every setting that differs from the default setting makes a browser fingerprint more unique.

Does that mean that using an iPhone is less dangerous than using an Android device because iOS allows fewer software modifications?

Yes. You can’t install plugins or fonts on an iPhone because it’s not as customizable as an Android device. This makes an iPhone’s configuration less unique. [They basically look similar to the millions of other iPhones out there.] The fewer configuration options a device allows, the better fingerprinting protection it has.

So it is better to use Safari on an iPhone? What about on a desktop?

Using Safari on an iPhone is a better option, because most iPhone owners use Safari, resulting in similar fingerprints [and harder tracking.] On a desktop machine you should use a common browser like Firefox, which has the highest market share in Germany, or Chrome, which has the highest market share worldwide. Safari is okay, but Microsoft’s browser, Internet Explorer, provides more identifying information than other ones do.

Are there other ways for ordinary users and journalists to protect themselves from being spied on?

Protecting yourself from being tracked by your browser fingerprint is extremely difficult, almost impossible. But there are some options. If someone uses a “Click To Flash” plugin that disables Flash objects by default and requires manual activation, browser fingerprinting through Flash will fail. Still, JavaScript can be used to detect that plugin or other ones. And if [you have a plugin that is not that widely used,] it makes you more unique. Every attempt to blur your fingerprint one way sharpens it in another way.

What other tracking methods besides cookies and fingerprinting are out there?

There are a lot of ways to track users online. One is to use graphic files as a substitute for cookies. An image is created on a server with an identification number encoded as color information. This image will be saved on a user’s computer in the browser cache. When this user visits the website again, the locally stored image file will be opened and analyzed. The stored color information will be sent back to the server to make tracking possible. Since graphics are stored in a different location than cookies, they aren’t deleted when you clear your cookies. Other techniques include HTTP E-Tags, Flash cookies or web storage.

Do you have recommendations for journalists who want to avoid tracking?

To minimize the risk you should use a system configuration that is the same as that used by many others. This could be a freshly installed Windows 7, the most-used operating system worldwide, without the addition of other software or fonts. It’s always good to clear your browser cache and cookies after every session. JavaScript and Flash should be disabled or not even installed. The problem is most websites won’t work properly if JavaScript is disabled.

Can the Tor network help keep the spies at bay?

Tor can increase your privacy. But there’s a catch, of course. Everyone using Tor has a similar browser fingerprint and if a website only has one visitor using Tor this makes him or her unique and identifiable.

You can check how unique your browser is at Panopticlick, a project run by the Electronic Frontier Foundation. Here’s an article about the project.
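
To make the idea of a "unique" fingerprint concrete, the sketch below is an added example, not code from Tillmann's thesis or from the Panopticlick project. It counts how many visitors in a constructed ten-visitor population share a fingerprint built from the four attributes named in the interview, and how many bits of identifying information a non-default setting adds; all visitor values and function names are made up for illustration.

```python
import math
from collections import Counter

# The four attributes the interview names as most revealing.
ATTRS = ("user_agent", "plugins", "mime_types", "fonts")

def visitor(ua, plugins, fonts, mimes=("application/pdf",)):
    """Build one constructed visitor record; lists are sorted so order is irrelevant."""
    return {"user_agent": ua, "plugins": tuple(sorted(plugins)),
            "mime_types": tuple(sorted(mimes)), "fonts": tuple(sorted(fonts))}

STOCK_FONTS = ["Arial", "Times New Roman"]
# Constructed sample population (not measured data): 10 visitors.
POPULATION = (
    [visitor("Firefox/Windows 7", ["Flash"], STOCK_FONTS) for _ in range(6)]
    + [visitor("Chrome/Windows 7", ["Flash"], STOCK_FONTS) for _ in range(2)]
    # One visitor added a rarely used plugin, one installed an extra font.
    + [visitor("Firefox/Windows 7", ["Flash", "ClickToFlash"], STOCK_FONTS)]
    + [visitor("Firefox/Windows 7", ["Flash"], STOCK_FONTS + ["Fira Sans"])]
)

def fingerprint(v, attrs=ATTRS):
    """Combine the chosen attributes into one comparable key."""
    return tuple(v[a] for a in attrs)

def anonymity_sets(population, attrs=ATTRS):
    """Count how many visitors share each fingerprint."""
    return Counter(fingerprint(v, attrs) for v in population)

def surprisal_bits(v, population, attrs=ATTRS):
    """Identifying information in bits: -log2 of the share of visitors with v's fingerprint."""
    share = anonymity_sets(population, attrs)[fingerprint(v, attrs)] / len(population)
    return -math.log2(share)

def unique_share(population, attrs=ATTRS):
    """Fraction of visitors whose fingerprint nobody else has."""
    sets = anonymity_sets(population, attrs)
    return sum(sets[fingerprint(v, attrs)] == 1 for v in population) / len(population)

if __name__ == "__main__":
    print("unique by user agent only:", unique_share(POPULATION, ("user_agent",)))
    print("unique by all four attributes:", unique_share(POPULATION))
    for label, v in (("stock install", POPULATION[0]), ("rare plugin", POPULATION[8])):
        print(f"{label}: {surprisal_bits(v, POPULATION):.2f} bits")
```

On this sample the user agent alone singles out nobody, while the visitor with the rare plugin and the one with the extra font are each alone in their anonymity set, which is the effect Tillmann describes for settings that differ from the default.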

Written by Natalia Karbasova and edited by Kyle James