MTE Explains: Browser Fingerprinting and How to Avoid It

If you’ve ever looked into protecting your privacy online, you may have heard a thing or two about browser fingerprinting. Before I started researching this subject, I’d actually stumbled upon the term a few times while working on finding privacy extensions.

Now, I actually know what browser fingerprinting is, and very soon, so will you.

Browser fingerprinting is what occurs when a web site, web page, plugin or advertisement takes a “fingerprint” from your browser. This isn’t like a cookie, which is saved information from a site stored on your computer.

Instead, browser fingerprinting involves digging into the settings and configuration information that the browser hands over when the page or plugin requests it. This information includes the user agent string from your browser, your screen resolution, the plugins and fonts you have installed, etc.

A lot of the time this information adds up to the point where there are very few other people out in the wild configured exactly like you are, making it easier for third parties to track you.

The Tor browser, which we’ve covered before, remains the most powerful application there is for securing and protecting user privacy. Tor blocks browser fingerprinting and other forms of tracking completely while also circumventing any kind of website block you might be dealing with.

Unfortunately, Tor is fairly slow due to the nature of its connections. In addition, poor privacy practices on Tor can undermine its effectiveness, resulting in you being fingerprinted or tracked anyway.

The Electronic Frontier Foundation’s Privacy Badger extension is a good way to help protect your privacy online, but it won’t completely block fingerprinting. It also requires some additional configuration.

Disconnect is a service that blocks most advertising and tracking domains. This extension, in addition to a great adblocker, will help you block the domains that are trying their hardest to fingerprint and track you. However, it still doesn’t have the full effectiveness offered by Tor.

Most fingerprinting methods (at least, deep-level fingerprinting methods) use JavaScript or Flash to get the extra information required to make a more complete fingerprint.

Disabling JavaScript and Flash is a good way to circumvent a lot of (but not all) browser fingerprinting, but unfortunately it remains an incomplete defense. While Flash can usually be disabled without breaking anything but the oldest websites, JavaScript remains a key part of many website functions. Disabling JavaScript will negatively impact your browsing experience at some point.
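To make concrete how individually common settings add up to a near-unique fingerprint, and why blocking scripts shrinks the fingerprint without removing it, here is an added example (not from the original article or any tool it mentions). The population and attribute values are constructed, and the split into header-visible and script-only attributes is a simplifying assumption.

```javascript
// Constructed sample population: one row per browser, as a site could observe it.
// "ua" and "lang" arrive in HTTP headers; the rest is only readable by script.
const HEADER_ATTRS = ["ua", "lang"];
const SCRIPT_ATTRS = ["screen", "fonts", "plugins"];
const row = (ua, lang, screen, fonts, plugins) => ({ ua, lang, screen, fonts, plugins });
const population = [
  row("Firefox/Win", "en-US", "1920x1080", "default+Fira", "flash,pdf"), // "you"
  row("Firefox/Win", "en-US", "1920x1080", "default", "flash,pdf"),
  row("Firefox/Win", "en-US", "1366x768", "default", "pdf"),
  row("Firefox/Win", "en-US", "1920x1080", "default", "pdf"),
  row("Chrome/Win", "en-US", "1920x1080", "default", "flash,pdf"),
  row("Chrome/Win", "en-US", "1366x768", "default", "pdf"),
  row("Chrome/Mac", "en-GB", "1440x900", "default", "pdf"),
  row("Firefox/Linux", "de-DE", "1920x1080", "default+Fira", "none"),
];

// Anonymity set: how many browsers match `me` on every attribute in `attrs`.
function anonymitySet(pop, me, attrs) {
  return pop.filter((b) => attrs.every((a) => b[a] === me[a])).length;
}

// Identifying information in bits: log2(population / anonymity set).
function bits(pop, me, attrs) {
  return Math.log2(pop.length / anonymitySet(pop, me, attrs));
}

// Compare what a site learns from headers alone with what script adds.
function report(pop, me) {
  const all = [...HEADER_ATTRS, ...SCRIPT_ATTRS];
  const perAttr = Object.fromEntries(all.map((a) => [a, bits(pop, me, [a])]));
  return {
    perAttr,
    headersOnly: { setSize: anonymitySet(pop, me, HEADER_ATTRS), bits: bits(pop, me, HEADER_ATTRS) },
    withScript: { setSize: anonymitySet(pop, me, all), bits: bits(pop, me, all) },
  };
}

console.log(report(population, population[0]));
```

Every individual value in the sample is shared by at least two browsers, yet the combination singles out one visitor; with scripts blocked the same visitor still stands out from half the population on headers alone.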

While Random User Agent extensions are supposedly the most effective methods of preventing browser fingerprinting aside from the Tor Browser, there is a reason why these extensions for Chrome and Firefox are ranked so low.

As with disabling JavaScript, using Random User Agent extensions means that on some web pages your browsing experience is going to get broken or otherwise adversely affected.

The reason is that the extension reports false information about your browser. While this is great for preventing you from getting fingerprinted, pages with little compatibility outside of a single browser can end up giving you some trouble.

Use the EFF’s Panopticlick Tool to discover how well your browser is avoiding third-party trackers and fingerprinting. Unfortunately, outside of Tor, there’s no real, super-solid way to completely block fingerprinting without having a real negative impact on your browsing experience.

It is a good sign, however, that things are being done. Perhaps one day every browser will value security and privacy like Tor does with little to no cost to user experience. Of course, now we’re just entering pipe dream territory.

But what do you think?

13 comments

  1. Why do I care if a web site knows what browser/version I’m using? Most of the time it’s done so the site can tailor its output for my browser, so I get a better user experience. I’m smelling a little tinfoil here. Hats anyone?

    • “Most of the time.”

      We live in an era where information like that can be and has been used to invade people’s privacy and security. It’s not a matter of tinfoiling, it’s just letting people know what’s out there and what they can do to alleviate it if they so please.

      Also, the tinfoil hat jab shouldn’t be coming from someone with a Bald Eagle for an avatar, considering how far the United States Government goes to invade the privacy of its allies and constituents.

      • This is an interesting point of view. You’re implying that there’s something inappropriate about a web site collecting all available information about the browser clients that are connecting to it. I’m not sure I agree with this.

        If I choose to visit a web site, there’s a tacit agreement that my browser client will make appropriately-formatted requests to the server, to which the server will provide appropriately-formatted responses. What the server does with my requests is totally out of my (the client’s) control. Keep them, throw them away, pass them over to Google analytics, analyze them for browser-specific traits, whatever – that’s completely up to the owner of the web site.

        On top of that, the web site’s motivation is also out of my control. If they’re identifying browser versions for compatibility purposes to ensure a better UX; or to create the master evil database of IP/browser/user/history/behavior for ad-targeting purposes; or worse – the only thing I can do as a client is not go to that web site.

        Seems like a lot of effort – for very little benefit – which is what prompted the tin-foil hat reference.

        • This is ridiculous. When you go to a shoestore, there is no tacit agreement that they can use DNA left behind in shoes for any purpose. The only agreement is to view their wares, that and THAT ALONE. Anything else is a violation of privacy.

          • Let’s take your shoe store analogy a little bit further. Let’s say the shoe store has video cameras that they use to analyze the traffic patterns of shoppers moving through the store. They also have a way of categorizing the shoppers in the video as male, female, adult, or child and include that data in their analysis. The video software also looks at the clothes the shoppers were wearing to make an estimate about income or social class for use in the analysis. They also use the video as a means to identify potential shoplifters, and use it as evidence when shoplifting occurs.

            This is the equivalent of the web site tracking scenario (by the way not anywhere near collecting DNA, so I disagree with your comparison there). If this seems like a privacy violation, you better not go to any malls or department stores from now on.

    • There’s more to it than that. Fingerprints can be recorded on web servers and if they get hacked, information you may not want public could get exposed. Conceivably, it could potentially be used to find people’s bank information.

      The fingerprint in your browser can be tied to your Facebook account, as an example. Let’s say you also visit “cure-my-bad-breath.com”, which records your fingerprint, and it gets hacked. If that fingerprint gets tied to your FB account, you could be publicly outed as seeking help for your halitosis.

      Now substitute the joke about bad breath in that last paragraph with something you wouldn’t want made public (Ashley Madison, anyone?).

        • Sure, no prob, thanks for the compliment!

          I don’t mind targeted advertising – in fact, I prefer it! (I’d rather see ads for motorcycles than tampons, for example). So if advertisers use my info to tailor ads to me, have at it!

          But other personal info I’d like to keep to myself. I think the risk isn’t that great but it is a risk.

  2. I think those of us who are concerned about our privacy need to know about fingerprinting. This could be the next step for hackers to attack with their malware, etc. With this knowledge we can possibly prevent hacking of our browsers. I tested my PC browser, Chrome, and I tested okay, for the moment.

    I use Chrome as my browser. I am wondering whether using the Incognito aspect might be the wise decision to prevent all of this?

    • Incognito won’t do anything, I’m afraid. It just doesn’t store cookies/logins/history after you close your browser.

  3. Oh, I think we are all forgetting the obvious… Big brother Google knowing exactly who we are, even if you’re using a VPN, even if you don’t log in to your Google account, by fingerprinting your browser… Use that browser to log in to Facebook and then basically all your searches could be tracked back to you.
