Browser fingerprinting: the surveillance you can't stop

MAY 29, 2017 | FINGERPRINTS

Searching for products and services through search engines is something everybody does now, and chances are you have done so too. You might then have noticed ads appearing on other sites, featuring the very products you were looking for.

But, how do websites know your interests? Or which ads to show you?

The answer to these questions is browser fingerprinting. It's a process of collecting metadata available through browsers to identify specific users. By using these techniques, websites track online browsing habits and purchase patterns to deliver ads and promotions that align with users' interests.

Websites fingerprint browsers for several reasons. But the key driving force is a multi-billion dollar industry known as online marketing. Online marketing has taken the world by storm, and personalized ads are the main reason for its success.

Although cookies were the principal way websites could track user behavior, browser fingerprinting has gained prominence in online marketing over the last four years.

For many reasons, cookies are not as effective as they used to be. Browser fingerprinting has become the new standard for tracking and identifying users and their interests.

The Electronic Frontier Foundation (EFF) has shown that browser fingerprinting technologies have become very effective. In their detailed study, which included around one million users, they found that a unique fingerprint could be identified for 83.6% of all browsers. Moreover, 94.2% of browsers that had Java or Flash enabled showed a unique fingerprint as well, even with cookies excluded.

In this article, we will go over the most common browser fingerprinting methods and give a basic overview of how they work. It is not a complete list. We cover the main and most effective types in use today, as well as the methods that we think will matter in the foreseeable future.

Why does browser fingerprinting pose a threat?

Personalized ads may not sound like a terrible thing, and in essence, they are not. The primary issue with browser fingerprinting is that it usually poses a threat to online privacy.

Almost every website that implements browser fingerprinting either doesn't ask for the user's consent when fingerprinting their browser or does so in a very misleading manner. Chances are you can't recall a website ever asking permission to track your information. If there is any notice at all, it's usually buried in the site's Terms of Service, written in the smallest font you could imagine. Usually, it goes like this:
“By using our website you agree that we will save the digital signature of your machine.”

Don't worry if you didn't understand it. You're not alone. Most users have no idea what it means. Since it doesn't come with any real explanation of what the possible consequences may be, the few who do notice it never think twice about it.

Agreeing to these terms can result in higher prices based on your location, mass information leaks due to hacker attacks, and other disadvantages that are not immediately obvious to consumers.

Types of browser fingerprinting

Browser fingerprinting methods vary tremendously, which is one of the reasons they are so difficult to combat. New fingerprinting methods are developed regularly, and new solutions keep appearing to address them. As a result, fighting browser fingerprinting is, at the very least, an ongoing effort.

Below you will find the most common types of browser fingerprinting and the basics of how they read information from your browser or device.

Browser plugins

Browser plugins are often confused with browser add-ons. The main thing you must remember is that plugins pose more of a threat to your online privacy. The main difference between them is that plugins are executed outside of a browser in a completely different process.

Browsers can't control what access rights plugins have. Instead, those rights are determined by the privileges of the user currently logged in to the system. In most cases, users work under administrator accounts, giving plugins a lot of freedom when it comes to collecting data.

Plugins are used to enhance the browsing experience and to access resources such as Flash and other neat features. They are developed by third parties, and the most common ones include, but are not limited to:

  • Shockwave Flash

  • QuickTime Plug-in 7.7.3

  • Default Browser Helper

  • Unity Player

  • Google Earth Plug-in

  • Silverlight Plug-In

  • Java Applet Plug-in

  • Adobe Acrobat NPAPI Plug-in, Version 11.0.02

  • WacomTabletPlugin.

Each of these plugins can be used to track unique information about your machine and fingerprint your browser.

Take Flash, for instance. Setting all other plugins aside, the Flash API alone can read information that can be used to identify your machine, such as:

  • Your complete font list

  • Motherboard and other hardware IDs

  • Real MAC address

  • Real IP address, even if you are using a proxy connection.

Besides the fact that plugins already reveal a lot of information, your plugin list itself can be a fingerprint. Plugin enumeration helps websites obtain your full list of plugins. Since there are so many plugin and version combinations, this list alone can accurately identify your browser.

Browser add-on enumeration

Add-on enumeration is similar to the plugin enumeration technique described above. A key goal of add-on enumeration is to obtain a list of add-ons installed in your browser, preferably with both their names and versions.

Browser add-on enumeration is a part of a broader set of methods called JS behavioral tests. It can also read a browser’s exact version and other pieces of unique information. When collected together, the combination is unique enough to fingerprint your browser precisely.

System fonts enumeration

Another set of elements that can be used to fingerprint your browser is a list of fonts you have installed on your computer. Websites can use Flash or Java Applet plugins to obtain your system font list, which is then silently transferred to a server in the background through AJAX.

Another effective way to acquire this list is through system fonts enumeration, which is possible with CSS introspection. In a nutshell, this method deduces which fonts you have installed on your machine by measuring the width of a phrase rendered by your browser in a specific font.

For instance, if you write “Hello World” with size 14 Times New Roman font, this element should have the same width measurement in pixels on every screen. If the text width in your browser matches size 14 Times New Roman, it means that you have that font installed.

However, if the element width does not match, it means that the browser has substituted another font because Times New Roman is not installed. By cycling through a list of possible fonts and their expected widths, websites can get an accurate picture of the installed fonts, leading to precise fingerprinting.
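The width-measurement check described above, written out as an added example (this is not code from the original post or from Multilogin). It generalizes the "Hello World in 14px Times New Roman" case to any candidate list: instead of comparing against a known pixel width, each candidate is compared against the browser's generic fallback fonts, and a candidate counts as installed when it changes the width relative to at least one fallback. The measurement back end is injected, so the logic runs unchanged in a browser (with canvas `measureText`) and offline here; `makeSimulatedMeasure`, the probe string and the glyph-width table are constructed stand-ins, not real font metrics.

```javascript
// Added example: font-presence detection by text width (CSS introspection).
// The measure(text, cssFontFamily) -> width function is passed in so the same
// logic runs in a browser and offline against the simulated table below.

const PROBE_TEXT = "mmmmmmmmmmlli"; // wide m's and narrow l/i exaggerate per-font width differences
const GENERIC_FALLBACKS = ["monospace", "sans-serif", "serif"];

// candidates: font names to test; measure(text, cssFontFamily) -> width in px.
// A candidate is "installed" if rendering with it changes the width relative to
// at least one generic fallback; a missing font silently falls back and matches.
function detectFonts(candidates, measure) {
  const baseline = Object.fromEntries(
    GENERIC_FALLBACKS.map((fb) => [fb, measure(PROBE_TEXT, fb)])
  );
  return candidates.filter((font) =>
    GENERIC_FALLBACKS.some(
      (fb) => measure(PROBE_TEXT, `"${font}", ${fb}`) !== baseline[fb]
    )
  );
}

// Constructed offline stand-in for ctx.measureText: a table of average glyph
// widths for the fonts "installed" on a simulated machine. It mimics CSS
// font-family fallback: the first listed family that exists is used.
function makeSimulatedMeasure(installedWidths) {
  const widths = { monospace: 8, "sans-serif": 7, serif: 7.5, ...installedWidths };
  return (text, cssFontFamily) => {
    const families = cssFontFamily
      .split(",")
      .map((f) => f.trim().replace(/^"(.*)"$/, "$1"));
    const chosen = families.find((f) => Object.prototype.hasOwnProperty.call(widths, f));
    return text.length * widths[chosen];
  };
}

// Simulated machine (constructed): Arial and Times New Roman installed, Comic
// Sans MS absent. Times New Roman happens to match the serif fallback width,
// which is why all three fallbacks are compared rather than just one.
const SIMULATED_MACHINE = { Arial: 6.2, "Times New Roman": 7.5 };

function demo() {
  const measure = makeSimulatedMeasure(SIMULATED_MACHINE);
  return detectFonts(["Arial", "Times New Roman", "Comic Sans MS"], measure);
}

console.log(demo()); // ["Arial", "Times New Roman"]
```

In a real page the simulated measurer is replaced by a canvas, for example `const ctx = document.createElement("canvas").getContext("2d"); const measure = (t, ff) => { ctx.font = "14px " + ff; return ctx.measureText(t).width; };`, and nothing about the page is visible to the user while this runs. That is the point for the defender: the check needs no permission, no cookie and no plugin, only the ability to run JavaScript and lay out text, so blocking Flash alone does not stop font enumeration.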

User-Agent string

User-Agent strings tell websites which browser version is being used, so the site can be displayed properly on the user's device. Each browser has its own way of rendering a website, so the User-Agent string is important for a good user experience.

That being said, User-Agent strings also reveal a great deal of information to websites, including system and browser details, platform information, and much more. Each combination can be so unique that the User-Agent string alone can sometimes be used to accurately identify users.

One of the best ways to avoid easy identification through User-Agent is to use a browser that was released less than 2 or 3 months ago. It guarantees you will be using one of the most common User-Agent strings available.

Screen resolution

Websites can read two values when it comes to screen resolution. The first is the screen resolution as reported by your browser, and the second is the size available for displaying the web page.

The screen resolution reported by your browser can be adjusted manually, so it is easily manipulated. For instance, you can set false resolution values, such as 10000×10000, and your browser will still broadcast those values.

On the other hand, the size available for web page display is measured using JavaScript. It measures the distance between the top and bottom, or left and right, edges of the browser window, so it depends solely on window size.

Assuming you maximize your windows for convenient work, this combination of display size with your screen resolution and browser version is often enough to create a unique fingerprint. This method is so effective that it can even track protected browsers such as Tor, if JavaScript is left enabled, of course.

JS.Navigator parameter

As you may have guessed, JavaScript has full access to JS.Navigator and its parameters, so they can also be used for browser fingerprinting. Through JS.Navigator, websites have access to information such as your time zone, browser language, build ID, DoNotTrack variable, platform, AppVersion variable, and even the number of CPU cores.

The parameters available through JS.Navigator reveal a good amount of unique information about your computer. Although they are easy to manipulate, the manipulation is also easy to detect in several cases. For example, if a browser alters these parameters while the page is loading, websites can detect the false parameters and discover their real values.

Supercookies

Nowadays, the catchphrase "supercookies" refers to all cookies that are stored in an unusual location. The cleaning tools built into browsers usually have a hard time deleting these cookies; typically, they require specialized tools or manual deletion.

Although the term "supercookies" used to be a synonym for Flash cookies, it now stands for any cookies that are either hard to delete or stored in uncommon places. They are often injected through Flash, Java, and other means, but they are all grouped under the same category because of their persistent storage and difficult removal.

Canvas, WebGL, and audio fingerprinting

Canvas, WebGL and audio fingerprinting are different techniques, but they have one thing in common: they are not defined by a set of predetermined values, like JS.Navigator for instance. Instead, these fingerprinting mechanisms read information about your specific device and how it solves different tasks when compared to other machines.

These fingerprinting techniques are sometimes referred to as "device fingerprints", but there is no widely accepted term for them. We like to call them "hardware fingerprints". All three methods compare the way different computers carry out the same task set by a website.

Finally…

Browser fingerprinting is incredibly hard to combat because it encompasses so many different techniques and elements. Our purpose here was to present a comprehensive list of the most common browser fingerprinting methods and the basics of how they operate.

That being said, we omitted certain methods that we don't consider important right now, because there are no signs that they have been used for anything beyond scientific articles and proof-of-concept solutions.

We have discovered other browser fingerprinting methods while developing Multilogin. But, because we have never seen them used in real-life scenarios, we think it’s best to hold them back and not cover them in this article.
However, you can rest assured that whenever we find any signs of these methods actively being used to fingerprint browsers, we will have our anti-fingerprinting solution ready to protect our users’ privacy!