Is Your Browser Safe Against Fingerprinting?

gjgd
Sep 9, 2019

Web tracking has been around for a long time and exists in multiple forms. While the most widespread ad blockers, such as uBlock Origin or AdBlock, will block trackers and third-party cookies, they will not prevent fingerprinting.

In this blog post we are going to talk about this lesser known method, and how to protect against it.

What is a Fingerprint?

Modern browsers expose a lot of information through their JavaScript API and HTTP headers, such as:

  • User Agent: Information about the browser being used
  • HTTP Accept header: Media type and encoding accepted as a response
  • Browser plugin details: The list of plugins / add-ons installed (Later versions of Firefox now block this information, yay!)
  • Time zone
  • Screen information: Size, color depth
  • System fonts
  • Cookie settings: DNT enabled? Third party cookies enabled?
  • HTML5 Canvas information
  • WebGL information

When combined, these pieces of information provide a unique identifier that is reliable for tracking and that, contrary to cookies, cannot be blocked or removed by the user.

An example of a fingerprint, generated using https://panopticlick.eff.org/

What is Fingerprinting?

Fingerprinting is the process of tracking users across websites using their fingerprint. When a user accesses a website, a fingerprint is generated on the client side, and is sent and stored on the server. Whenever two fingerprints match, there is a high likelihood that they correspond to the same user and thus the two sessions can be linked together for profiling.

Assuming that the fingerprint is unique, this identifier will reliably represent the same user across several domains, even if they clear their cache, use an ad-blocker, are in Private Mode, or change their IP address!

How to prevent Fingerprinting

It is not possible to avoid having a fingerprint, since the browser will always expose some information about your configuration. However, it is possible to avoid being tracked by fingerprinting. Here are a few tips:

Diagnosis

Find out whether your browser is vulnerable to fingerprinting (and other tracking methods) by visiting the Panopticlick website, from the EFF.

Use a random fingerprint

By randomizing some information exposed by your browser, you will be able to obtain a new fingerprint every time you visit a new page, and therefore fingerprinting will be ineffective.

However, not all information can be randomized. For example, changing the screen size, current time zone, or system fonts will most likely degrade the quality of your browsing. The User-Agent, on the other hand, is a great candidate:

  • It is a long string with high entropy, therefore most fingerprinting software will use it
  • It contains several version numbers (browser, browser engine, OS) that can be randomized without any impact on browsing

Certain add-ons such as Random User Agent will do that for you, ensuring that a new fingerprint is generated at a regular time interval, or every time a new page is visited.

Use a common fingerprint

If your configuration is the same as most people who browse the internet, then your fingerprint will not be unique and your traffic information will be blended with other people’s, rendering it useless.

This is the approach used by the Tor browser. By always using exactly the same configuration, it ensures that users are indistinguishable from each other because they all have the same fingerprint. Download it and give it a try!

You may also want to check out Tails, for routing your entire web traffic through the Tor network for even more privacy and security.

For other browsers, you can check this list of the most common User-Agents and set yours using the Random User Agent add-on.
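The two strategies above (a random fingerprint and a common fingerprint), as an added example that is not code from the original post: a tracker is modelled as hashing the collected attributes and grouping visits by that hash. The attribute values, user names, User-Agent strings and the choice of FNV-1a as the hash are constructed assumptions for illustration.

```javascript
// Added example; attribute values and user names are constructed.

// FNV-1a 32-bit: a small non-cryptographic hash, assumed here as a stand-in
// for whatever hash a fingerprinting script applies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// A fingerprint is a hash over all collected attributes, in a fixed key order.
function fingerprint(attrs) {
  const keys = Object.keys(attrs).sort();
  return fnv1a(keys.map((k) => `${k}=${attrs[k]}`).join("|"));
}

// For each fingerprint seen, count the visits and the distinct users behind it.
function summarize(visits) {
  const seen = new Map();
  for (const { user, attrs } of visits) {
    const fp = fingerprint(attrs);
    const entry = seen.get(fp) || { visits: 0, users: new Set() };
    entry.visits += 1;
    entry.users.add(user);
    seen.set(fp, entry);
  }
  return [...seen.values()].map((e) => ({ visits: e.visits, users: e.users.size }));
}

const base = { timezone: "UTC+1", screen: "1920x1080x24", fonts: "Arial,Noto Sans" };
const ua = (major) => `Mozilla/5.0 (X11; Linux x86_64) Chrome/${major}.0.3809.132 Safari/537.36`;
const visit = (user, major) => ({ user, attrs: { ...base, userAgent: ua(major) } });

// 1. Unchanged browser: both visits share one fingerprint and can be linked.
const stable = summarize([visit("alice", 76), visit("alice", 76)]);
// 2. Randomized User-Agent version: each visit gets a different fingerprint.
const randomized = summarize([visit("alice", 76), visit("alice", 75)]);
// 3. Common configuration: three users collapse into one fingerprint.
const common = summarize(["alice", "bob", "carol"].map((u) => visit(u, 76)));

console.log({ stable, randomized, common });
```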

Enable fingerprint protection

  • On Firefox, visit about:config and set privacy.resistFingerprinting to true
  • On Chrome: Not available

Disable Canvas fingerprinting

Canvas fingerprinting is an advanced method that uses the HTML5 Canvas API to enrich the fingerprint with information about the client’s OS, graphics card, drivers, etc.

To protect against it, use the CanvasBlocker extension.

Disable JavaScript

Disclaimer: You probably don’t want to do this.

It is a more radical step that will break most websites, but it will drastically decrease the likelihood of being tracked using either fingerprinting or cookies.

  • On Firefox, visit about:config and set javascript.enabled to false
  • On Chrome, visit chrome://settings and under Site Settings, set JavaScript to Blocked

What about you? Do you know of another way to protect against fingerprinting, or tracking on the web in general?
