You’ve probably heard the phrase “if you’re not paying for it, you’re the product.” With free web services, that’s especially true. Advertisers and data brokers collect data about where you go and what you view online, and they use data that your browser freely supplies to create a fingerprint that uniquely identifies you. As a result, they know where you go, what you click on, and what you buy. Unlike other tracking techniques, browser fingerprinting leaves no traces and happens without your direct knowledge. So how do you protect your privacy and avoid being fingerprinted?
Browser Fingerprints vs. Cookies
When you click a link, your browser sends a request for information to a server on the internet. The server responds with the requested information, and the conversation is over. The server doesn’t remember you or your request—that would require a huge database of every visitor ever.
And yet, when you’re interacting with a website, you really want some continuity. Early in the evolution of web browsers, cookies were invented to provide that continuity. Each cookie is a simple text file that lives on your computer, not on the site. The site can put information into the cookie, such as your preferred street address, things you’ve bought, or which page you were reading in an online novel. When you revisit that site, it can retrieve data from its own cookie (but not from any other) and read back that information.
However, modern websites aren’t simply monolithic entities. They contain links and content from advertisers and other third-party sites. These third parties can save their own cookies to your PC, containing whatever data they have available, including the name of the site that’s hosting the ad. If an advertiser has a presence on multiple sites, data from multiple cookies now lets it link your presence on each of those sites you visit. Suddenly, cookies don’t seem so tasty.
In 2009, privacy experts proposed reining in this abuse by allowing browsers to add a “Do Not Track” header to page requests. This effort fizzled because sites were free to ignore the header, and it has since been deprecated (with some browsers removing the option entirely). Security companies responded by devising Do Not Track technology that actively prevented tracking. Trackers have responded with new technologies, including supercookies, evercookies, Flash cookies, and more.
All these tracking technologies involve placing something (a text file, a script, or some other file) on the victim’s computer, and they’ve all been foiled in various ways.
Browser fingerprinting is different. It doesn’t change anything on the local computer; it simply leverages standard browser functions.
What Elements Go Into a Browser Fingerprint?
When you’re surfing the web, it really feels like you have a direct, continuous connection with the site you’re perusing. In truth, your experience is made up of many small interactions between your browser and the website’s server. The browser sends a request, and the server responds. That request necessarily includes your IP address—without it, the server wouldn’t know where to send the response. But over time, browsers have come to send ever-increasing amounts of information.
Compatibility isn’t much of an issue these days, but if you go back far enough, you’ll find a time when websites had to tune their responses to the requesting browser, perhaps sending a different page to Netscape Navigator than they did to Internet Explorer. Requests to a server identify the browser making the request, right down to the precise version and build number. That’s a simple enough interaction, but it’s the start of a slippery slope.
(Credit: Microsoft/PCMag)
To render a design-rich page from a website, your browser needs access to the right fonts. The fonts available depend on your operating system. Your browser queries the OS for a list of fonts and passes that list along to the website. If a needed font is missing, the site might choose to display a simplified page. Yes, we all have the same basic set of fonts that come with Windows, but installation of other programs often adds new fonts, and uninstallation doesn’t always remove them. After a while, our font collections start to diverge.
For a quick look at the many arcane bits that make up your browser fingerprint, pay a visit to the Electronic Frontier Foundation’s Cover Your Tracks page (launched in 2010 under the name Panopticlick). With your permission, this page gathers the information used to generate a fingerprint, along with some useful stats. I learned, for example, that my fingerprint is unique among more than 300,000 fingerprints tested by the site in the last 45 days.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
(Credit: Friedrich-Alexander-Universität Erlangen-Nürnberg/PCMag)
Taking a long-term view, security and privacy researchers at Friedrich-Alexander University Erlangen-Nürnberg, Germany, have been running a study on browser fingerprinting since 2016. I’ve participated since the beginning. Participation is simple; once a week, you get an email with a link to check your fingerprint. You can review the stats of your own participation at any time. For example, I now know that I had the same unique and trackable fingerprint for 263 days in 2017. You don’t have to register if you just want to view the aggregate statistics.
(Credit: AmIUnique.org/PCMag)
There are numerous other pages that can display the components of your browser fingerprint, with varying degrees of detail. Reporting from the open-source AmIUnique site, the components that are the farthest from the norm are helpfully color-coded, highlighting those that contribute the most to making your fingerprint different from the rest. Device Info lists a vast array of information that is revealed to any website through your browser.
What Info Is Your Browser Sharing?
Modern browsers reveal a vast amount of information not only about themselves, but also about the operating system on which they reside. Sites can run simple scripts to learn even more, such as the screen resolution in use and which plug-ins are installed. A crazy string of text called User Agent reveals a lot about your browser. Here’s a User Agent string from Chrome: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36”. And here’s one from Edge: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36 Edg/140.0.0.0”.
Websites can query and receive a wealth of information about your system’s settings and configuration. This massive amount of available information can be condensed into a single, simple value called a fingerprint. The chance of any two PCs having the same fingerprint is low, and the consequences for a tracker who did encounter such a duplication are likewise low. Yes, your fingerprint might change due to system updates, but that doesn’t happen often. When it does, it’s not all that important to the tracker, either. Trackers don’t care about losing track of you temporarily. As long as they can track plenty of others, no problem! And with browser fingerprinting, they don’t need to worry about cookies.
Recommended by Our Editors
How to Hide Your Browser Fingerprint
After a lifetime of working with clay, potters may find their fingerprints have simply abraded away. What can you do to obscure your browser fingerprint and prevent it from revealing your identity?
As with any other topic, the internet offers endless how-to advice for hiding your fingerprint. Using a VPN is a common suggestion, as it masks your IP address. Sticking with your browser’s privacy mode, whether it’s called Incognito, InPrivate, or something else, eliminates other elements that go into the fingerprint. Make no mistake, using a VPN is smart, but these simple fixes aren’t sufficient to completely mask your digital footprint.
(Credit: Brave Software/PCMag)
One simple possibility is to switch to a browser with built-in protection or utilize existing browser-based protection. The security-focused Brave browser, for one, offers a feature called Shields that can protect your privacy in various ways. Shields protection includes blocking ads, cookies, and scripts, but in a fine-tuned fashion that lets you retain the benefits of these features. If its attempt to foil trackers causes problems, you can fine-tune just which data sources get randomized.
The Best Private Browsers We’ve Tested
After years of development, Firefox now includes built-in fingerprinting protection, which is turned on by default. It works by “blocking third-party requests to companies that are known to participate in fingerprinting,” which means you may still be tracked by companies not yet identified by Mozilla.
When you use the TOR Browser, it routes all your web traffic through the TOR network. TOR is short for The Onion Router, so-called because your connection is hidden behind many layers. Your traffic goes into the network, bounces around from server to server, and comes out from a server with no connection to you. This tangled route can foil fingerprinters, but TOR is notorious for slowing down connections. You probably don’t want to use it as your go-to browser.
If you prefer to continue using your familiar browser, that’s no problem! You can enlist help to obfuscate your fingerprint. For example, Avast AntiTrack and Norton AntiTrack both inject false information into the elements of your digital fingerprint, focusing on the items that do the most to make your fingerprint unique. Your faked-up fingerprint may still be unique, but it keeps changing, so trackers get nothing useful. Other tools, such as the Electronic Frontier Foundation’s Privacy Badger, monitor sites that gather fingerprint data and block their access.
White Glove Web Browsing
If you just surf the web willy-nilly, you leave browser fingerprints everywhere. Advertisers and others can track you based on those prints. To continue enjoying the internet without leaving traces, you have two main choices. You can choose a browser designed to foil browser fingerprinting, or you can add an app dedicated to that purpose. Whatever you choose, your privacy is in your own hands.
About Our Expert
Neil J. Rubenking
Principal Writer, Security
Experience
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.
Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my “User to User” and “Ask Neil” columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.
In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
Latest By Neil J. Rubenking
Read Full Bio
