
Your browser’s fingerprint and how to reduce it

‘[The internet] user seeking to avoid being followed around the Web must pass three tests. The first is tricky: find appropriate settings that allow sites to use cookies for necessary user interface features, but prevent other less welcome kinds of tracking. The second is harder: learn about all the kinds of supercookies, perhaps including some quite obscure, and find ways to disable them. Only a tiny minority of people will pass the first two tests, but those who do will be confronted by a third challenge: fingerprinting.’ Electronic Frontier Foundation, How Unique is your web browser.

The internet-using public is increasingly aware of the dangers to privacy posed by HTTP browser cookies – small text files stored on your computer by websites which can be used not only to identify you when visiting a particular website, but also by other websites so that you can be tracked as you surf around the World Wide Web – and are increasingly taking steps to control them, delete them regularly, or block them permanently.

In May this year (2013) the EU ‘cookie law’ came into force, requiring EU websites and all websites that serve an EU audience to ask permission from visitors before leaving ‘non-essential’ cookies on their computers. In practice, implementation and enforcement of the law has been patchy and only partially effective at best (and not helped by some very vague wording), but it has helped to raise awareness about cookies among netizens everywhere.

Websites (and in particular third party analytics and advertising domains) however gain a great deal financially from the use of cookies, and have thus looked for new ways to uniquely identify and track website visitors by other means. One of these methods is the use of supercookies (including Flash cookies and zombie cookies), and another is browser fingerprinting (HTTP E-Tags, web storage, and history stealing are also lesser used methods which we will discuss in another article).

What is browser fingerprinting?

Whenever you visit a website your browser sends data to the server hosting that site. This includes basic information such as the browser name, the operating system, and the exact version number of the browser. Because it is sent automatically, this information is known as the passive browser fingerprint.

However, websites can also easily install scripts that ask for additional information, such as a list of all installed fonts and plugins, supported data types (so-called MIME types), screen resolution, system colors and more. Because this information has to be solicited from your browser, it is known as active fingerprinting.

Taken all together, the various fingerprint attributes can be combined almost instantly (it takes just a few milliseconds to run algorithms that compare millions of fingerprints) into a unique fingerprint that very accurately identifies an individual user, regardless of whether cookies have been deleted or the IP address has changed between website visits.

How unique is your fingerprint?

The EFF’s research shows that ‘if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint.’ As part of its investigation it has created the Panopticlick website, which actively fingerprints your browser and tells you how unique it is.

[Screenshot: Panopticlick result] We use a lot of privacy-related plugins in our browser, which ironically makes us more unique, and therefore more identifiable by fingerprinting.

Can I change my fingerprint?

Every time you install a new font or plugin, or otherwise change one of the fingerprinted attributes, you change your fingerprint. The most important attributes in this regard are the list of installed plugins, supported MIME types, and installed fonts, which alone when combined with the browser’s User Agent (which provides information about the browser) allow unique identification with an 87 percent accuracy.

Unfortunately, the EFF determined that even when ‘fingerprints changed quite rapidly, … even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%’.

It is possible to change a browser’s User Agent, which has the most dramatic effect on your fingerprint, but many websites rely on being given a correct User Agent to function properly, so this is not an ideal solution. In addition, changing your User Agent actually increases your browser’s uniqueness (we discuss this more below), but if you do want to try it then check out the guides for doing so in desktop browsers, Android and iOS Safari.

[Screenshot] Changing our User Agent in Chrome

Be a sheep… baaa…

One of the most frustrating and paradoxical aspects of fingerprinting is that any measures you take to prevent tracking, such as blocking Flash cookies or changing your User Agent, actually make you more uniquely identifiable. The truth is that protecting yourself from being fingerprinted is currently difficult to the point of being impossible, but there are things that you can do to minimize the problem.

The most important of these is to use a popular browser that is as ‘plain vanilla’ (i.e. as unmodified) as possible, so that you blend in with the majority of non-tech-savvy internet users who never install additional plugins or otherwise tamper with their software. Firefox and Chrome are therefore good choices for desktop users (Safari isn’t too bad, but Microsoft Internet Explorer gives away more identifying information than the others do), while iOS Safari users are safer than Android users because iOS Safari is less customizable (and therefore less unique) than the stock Android browser. Ideally you should also use the plainest Operating System possible, so a freshly installed Windows 7 (the world’s most popular OS) with no additional software or fonts would be best, although admittedly that is totally impractical for most people.

While most privacy enhancing measures (which we cover in some detail in our Ultimate Privacy Guide) actually decrease your privacy when it comes to fingerprinting, the EFF noted that Torbutton (and the Tor network in general) gave ‘considerable thought to fingerprint resistance’, and that ‘NoScript is a useful privacy enhancing technology that seems to reduce fingerprintability.’ Commendable as these efforts are however, such measures are not perfect, as fingerprinting expert Henning Tillmann explained, ’Everyone using Tor has a similar browser fingerprint and if a website only has one visitor using Tor this makes him or her unique and identifiable.’
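To make the ‘more privacy measures, more unique’ paradox concrete, and to show how the attributes from the ‘What is browser fingerprinting?’ section combine into one identifier, here is an added Python example that is not part of the original article or of the EFF study. It runs anonymity-set and surprisal arithmetic over a constructed population of browser configurations; the population, the attribute values and the ‘PrivacyShield’ plugin name are all made up for illustration, and the 286,777 figure is the EFF number quoted above.

```python
import math
from collections import Counter

# The attributes the article singles out as the most identifying ones.
ATTRS = ("user_agent", "plugins", "fonts", "screen")


def fingerprint(browser, attrs=ATTRS):
    """Combine the chosen attributes into a single fingerprint tuple."""
    return tuple(browser[a] for a in attrs)


def build_population():
    """Constructed population of 1,000 browsers (illustrative, not measured data)."""
    vanilla = dict(user_agent="Chrome 26 / Windows 7", plugins="Flash,PDF",
                   fonts="Windows defaults", screen="1366x768")
    variants = [
        (600, vanilla),
        (250, {**vanilla, "user_agent": "Firefox 20 / Windows 7"}),
        (100, {**vanilla, "screen": "1920x1080"}),
        (40, {**vanilla, "user_agent": "Safari 6 / OS X", "fonts": "OS X defaults"}),
        (9, {**vanilla, "plugins": "Flash,PDF,Java", "fonts": "Windows defaults + 40 extra"}),
        (1, {**vanilla, "user_agent": "Firefox 20 / Linux", "fonts": "DejaVu set"}),
    ]
    return [dict(b) for n, b in variants for _ in range(n)]


def anonymity_set(population, browser, attrs=ATTRS):
    """Number of browsers in the population sharing this browser's fingerprint."""
    counts = Counter(fingerprint(b, attrs) for b in population)
    return counts[fingerprint(browser, attrs)]


def surprisal_bits(population, browser, attrs=ATTRS):
    """-log2 P(fingerprint): how many bits of identifying information it carries.
    A fingerprint never seen before is scored as one new entry among n+1."""
    n = len(population)
    k = anonymity_set(population, browser, attrs)
    if k == 0:
        k, n = 1, n + 1
    return -math.log2(k / n)


def bits_from_one_in(n):
    """Translate a 'one in N browsers share it' figure into bits of entropy."""
    return math.log2(n)


def demo():
    pop = build_population()
    sheep = pop[0]  # a plain-vanilla browser, indistinguishable from 599 others
    # Same browser after installing a privacy add-on that shows up in the plugin list
    hardened = {**sheep, "plugins": sheep["plugins"] + ",PrivacyShield"}
    # Same browser with only the User Agent string changed
    spoofed = {**sheep, "user_agent": "Opera 12 / Windows 7"}
    return {
        "sheep_set": anonymity_set(pop, sheep),                       # 600
        "sheep_bits": surprisal_bits(pop, sheep),                     # ~0.74
        "ua_only_set": anonymity_set(pop, sheep, attrs=("user_agent",)),  # 709
        "hardened_set": anonymity_set(pop, hardened),                 # 0: unique
        "hardened_bits": surprisal_bits(pop, hardened),               # ~9.97
        "spoofed_bits": surprisal_bits(pop, spoofed),                 # ~9.97
        "eff_bits": bits_from_one_in(286777),                         # ~18.13
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value:.2f}" if isinstance(value, float) else f"{key:14s} {value}")
```

Adding the User Agent alone narrows the set from 1,000 to 709, adding the other three attributes narrows it to 600, and a single visible privacy plugin (or a spoofed User Agent) takes the same browser from under one bit of identifying information to about ten.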

So what can I do to prevent tracking (in general)?

  • Use a freshly installed copy of Windows 7
  • Use an unmodified Chrome or Firefox browser
  • Use a VPN service to mask your IP address and encrypt your browsing data (or use Tor)
  • Clear browser cache and cookies after every session (working in the browsers ‘privacy mode’ should have a similar effect)
  • Disable or don’t install JavaScript (unfortunately though, many websites will not work properly without it)
  • Disable or (better yet) don’t install Flash. Unfortunately, however, Flash is responsible for a lot of the more user-friendly features and functionality found on the web, so if you must run it then see here for a guide to deleting Flash cookies and dealing with other supercookies (a subject we will deal with in another article soon)
  • Visit the EFF’s Panopticlick website to see how effective your measures have been

Conclusion

Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. ‘Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable’ (EFF).

As we internet users have become more aware of privacy and tracking issues, so have those who would track us become increasingly devious in their methods of doing so. With fingerprinting this has reached the point that it is almost impossible to prevent (although as noted above there are steps that can be taken to make it more difficult). The EFF therefore concludes its report by saying that the answer lies in government action and legislation, and that ‘policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms’.

Now it has to be said that we have very limited faith in governments’ will or ability to enact such changes (although the EEC ‘cookie laws’ at least show some positive intention in this direction), so in the meantime we will just have to take as many measures as we can live with (since all measures impact our user experience in some way), and hope for the best.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

22 responses to “Your browser’s fingerprint and how to reduce it”

  1. Scaremongering seems to be the only thing some people are good at!

    Any legal authority can query (read legally force) your phone company to surrender your personal details if needed, and I doubt they’d opt to use “browser fingerprinting” which is nothing but a joke.

    1. Hi GR,

      Browser fingerprinting is not widely used by government agencies (as far as we know), but it is widely used by websites to track visitors for advertising purposes. As for a legal authority being able to demand that your ISP surrender your personal details if needed – sure, but using a good no logs VPN (preferably based well outside the jurisdiction of your local legal authority) is a good defense against this.

  2. I saw no mention of web rtc and canvas fingerprinting to track and or identify you.
    Probably the easiest and best solution is to either not ever use the internet or perhaps use TAILS.

    Windows and MAC both have built in back doors to everyone under the sun to get in without your knowledge and consent.

    An example – google “nsa keys” and that was only ONE way they got in.

    Linux is better but still not perfect.

    Backtrack linux is excellent if you are a computer expert (far too difficult for most people to set up, use and know what and what not to do)

    Qubes-OS is very good too but again a PITA to set up and try to use.

    Liberte` ‘was’ good but the developer does not have the time and money to maintain it. Too bad. It showed great promise.

    Don’t think that the browser is the only way to track you.

    System UUID’s (makes fixed fingerprints) can track you.

    Heck, even your laptop battery can hide tracking software!

    So, ‘one use’ USED laptops running TAILS and being careful not to disclose any sort of identifying info is the closest you will have to any semblance of privacy.

    They ARE out to get you. Be paranoid or be a victim. Your choice.

    GRC dot com is a good place to learn a few things.

    You can use TOR and go to .onion sites. Yahoo.onion I think works.
    emails using .onion addresses can help too.

    But those are stop gap methods.

    1. Hi anonymous,

      – WebRTC has nothing to do with fingerprinting, but you can find out more details about it here. Canvas fingerprinting is indeed a refinement of browser fingerprinting. You can find out more about it in a more recent article here.

      – The best solution to fingerprinting is probably to use a plain vanilla version of Windows 7 using the Tor Browser. That way you look just like every other Tor user. Using Tails will probably flag you up, as it is a very unique identifier.

      – I agree with your comments about Windows, Mac, and Linux. Note that even with the most secure Linux, your computer’s processor might betray you (ME/PSP).

      – That link doesn’t seem to be right (takes me to a hard drive recovery site)

      – Tor is good, but lacks practicality for day-to-day use.

      1. I was looking into the issue. Web rtc is part of the fingerprinting process. It is like a key that opens a door of sorts.
        Of course other things are needed for an accurate fingerprint, but web rtc is just e pluribus unum.

        Regarding Win7. Ever try to buy a copy in a store?
        It is no longer offered for sale by Microsoft.

        Only way to get a new copy is a pirated one and that may involve certain undesirable risks.

        You could spoof your system under linux to appear like you are using win7 though.

        A long time ago there used to be a program called guard dog by cybermedia. Too bad they didn’t keep it developed and incorporate more anonymous features.

        Also a long time ago there were really great firewalls that would let you EASILY see what parts of which program were connecting to what other web sites, right click on that offending portion, and block it. I used one to block the ads that weatherbug used to spam me with.

        Perhaps there is a way to nullify the STUN protocol?

        I use TOR for emails and a few things. I use firefox, opera, srware, palemoon browsers for others things (get bored with the same old browser).

        Running several browsers at the same time using https can obfuscate some of your activities.

        Tor can be use for day to day activities to some degree. Obviously high bandwidth activities like online games and streaming will be problematic. But general surfing and such it usually works fine.

        1. Hi anonymous,

          – But WebRTC simply hands over your IP address when asked (even when using a VPN). No fingerprinting required!

          – I said Win7 because it remains by far the most commonly used OS in the world. With regards to fingerprinting, Win10 is probably also quite effective these days.

          – Spoofing your system under Linux to appear like you are using Win7 sounds very interesting, as is something I have not heard of. If you like to send me some links for doing this, that would be great!

          – Have you looked at Glasswire?

          – If it is WebRTC that you want to disable (WebRTC uses STUN), then please check out The WebRTC VPN “Bug” and How to Fix It. I am not aware of any way to disable STUN itself.

          – Ha ha. Yeah, I can be quite geeky like that too! 🙂 I’m not sure how much it obfuscates your fingerprint, though.

          – Sure, but I don’t pay for a 50 Mbs broadband connection so I can surf the web at 2 Mbs…

  3. Run Tor in vpn mode and bridges enabled. Slam that connection to a high end, no-log vpn that you paid for with Bitcoin and uses some bullshit email address. Only use this connection when “necessary”. This is the most anonymous you will ever get aside from the old ” single use device” (throw your device in the river after one use, and get another one).

    1. Hi Anonymous Nut,

      Yes, using the Tor Browser with Tor turned off is considered the best way to defeat browser fingerprinting as all Tor Browsers should look identical. I have included this information in the newly updated Ultimate Guide, and will add it here when I have the time.

        1. Hi Tor User,

          Sorry! It’s not immediately obvious.

          1. Go to Options -> Advanced tab -> Network -> Settings, select “No Proxy” and hit OK.

          Then type “about:config” into the url bar. Search for “network.proxy.socks_remote_dns” and double-click to disable.

          At that point your browser won’t be using the TOR proxy to access the internet, but if you also want to disable the TOR service running in the background, type “about:config” into the url bar, go to “extensions.torlauncher.start_tor” and double-click to disable.

    2. Not a bad suggestion but there is a problem or two.
      TOR will not give out bridge information without a fully traceable email address like gmail, yahoo, bing, or similar. And all those want your identity, including a cell phone number.

      Buying bitcoin can leave a trail too. The initial purchase usually is not in person but online and with the use of a credit/debit card with your identity attached to the transaction.

      There are many ways to be anonymous. The more private you want to be the more work you have to do and the more ‘they’ will watch you.

      Beware of the fourteen eyes countries….

  4. Actually, there’s more things that can be done. Like stated in the article, being completely anonymous while browsing the web is impossible. Not nearly, just purely impossible. You will always leave a fingerprint behind you.

    With that in mind, the best you can do is reduce how traceable you are. But doing so require concessions, choices to make.

    As for measures to take, a no-log VPN seems to be the first thing to set up. Of course, no one can assure you that there really are no logs, whatever VPN you use. Like I said, you have to make concessions. Either you trust your FAI, or a VPN provider, a Tor exit node,… It’s all up to you. But you have to trust someone at some point.
    Then you have to make a choice between being tracked by the trackers themselves or by the use of anti-tracking plugins (or addons, or whatever). Like stated in the article, you will leave a fingerprint behind you anyway, you just get to decide which kind (and who can make use of it, maybe).
    A native Windows system is also known for tracking you so you’d better get yourself a GNU/Linux distribution or whatever you do to enhance your privacy will be completely pointless. But that being said, most common computer users have a Windows operating system, so using a GNU/Linux distribution may be a way to track you down somehow.

    What to do then? Once again, it’s all up to you, and what concessions you are willing to make. Personally, the best I could come up with is running a vanilla (or closely) Windows 7 OS (most used operating system at the moment) to browse the web. I don’t know if the virtual OS has a way to get access to your data, on your real machine, so maybe it’s not an efficient measure at all. In any case, this is not a perfect solution, it’s not even close to being one. But you have to keep in mind that there is no such thing.

    1. Hello Hello,

      I refer to this as identifying your threat model. It is worth noting that although a Tor exit node can monitor your network traffic, it does not know the IP address from which it originated. So as long as you only give out personal information to HTTPS-protected websites, Tor provides a high level of real anonymity.

  5. The article speaks about plugins, but what about firefox extensions? Can a server know how many or which of them do I have installed?

    1. Hi Alex,

      Yes, which is why using anti-tracking plugins actually makes you more vulnerable to tracking using browser fingerprinting techniques. It’s very sneaky, and there is no real solution to this problem at the moment. The current best option is probably to use the Tor Browser. Even with Tor itself disabled, this browser is hardened, and when using it you will look like every other Tor user.

  6. There have always been tradeoffs. You just have to give away fingerprintability in order to have privacy and anonymity, or if you want the first, give away privacy and anonymity. Using a VPN you encrypt your real IP replacing it with a virtual one, against your ISP, but you actually have to trust your VPN 100%, but even VPN services can sell you out for a couple of bucks I guess.

  7. I suspect it’s a lot easier than this to identify you.
    1. If I was the NSA or similar I would be running the VPN companies.
    2. All computers have a unique burnt in machine code. Hence Windows won’t install a system image on another PC.
    3. Windows OS can be uniquely identified as well as Explorer.

    There is only one way to be truly anonymous.
    Laptop that fell off a lorry.
    Linux or similar only. (Windows etc. are of course trackable)
    ONLY connect through public wifi hotspots. Don’t even set it up or turn on it on near your home wifi.

    i.e. you need to be pretty serious about being anonymous.

    1. Hi Lucky,

      The browser fingerprinting techniques discussed in this article are primarily used by commercial websites, rather than the NSA.

      1. Thing is, true criminals and terrorists do not use VPN – they use Tor, or simply hide in plain sight (encryption was not used by the perpetrators of any recent terrorist attacks in Europe).
      2 & 3. This is probably true, but I know people who run pirated versions of Windows 10, so it is clearly not perfect.

      A VPN does not provide anonymity, but it can provide a high level of privacy, and should prevent blanket government NSA-surveillance. If the NSA are out to get you in particular, then you are probably fucked. The usefulness of a VPN depends very much on your threat model.

  8. It has been so long since I browsed the web without so many privacy plugins that my browsing experience is nearly as bad as using Tor that I really had no idea how significantly they affected my fingerprint.

    So last week (third week of April 2015) I decided to do the Panopticlick test again for the first time in at least three years. Only this time I did a comparison test.

    With my plugins enabled, I was identifiable as being one in some five thousand something users.

    With my plugins disabled, on a linux machine with no special configuration beyond a basic iptables.rules and ip6tables.rules setup, I was identified as unique amongst all browsers to have ever been tested.

    I’ll be ignoring the ‘vanilla browser’ recommendations from now on – my behavioural fingerprint (which pages I view, in which order, how long I dwell upon each, etc.) will uniquely identify me to my ISP (and hence anyone who subpoenas their data) anyway, so, I’ll take my chances and stick with the extra defences.

    1. See article above:
      * Use a freshly installed copy of Windows 7
      * Use an unmodified Chrome or Firefox browser

      1. Nice if you have windows 7 that you can install. But new copies are no longer being sold in stores.

        Palemoon or SRWare Iron browser are better out of the box than firefox or chrome.

        If you go to all that trouble installing anything then just get and use Linux. At least no known back doors. Linux is pretty good for most internet use.

        1. Hi anonymous,

          – Fair enough, but SRWare is based on Chromium. I know Chromium is open source, but as far as I know, the code has not been fully audited. I would prefer to stick with something Firefox based…. I used Palemoon for a while, but abandoned it because a) it crashed a lot, b) many of the Firefox security add-ons I use were not compatible with it, and (most importantly) c) its update cycle is well behind that of Firefox. This means that ff zero-days and other vulnerabilities go unpatched for much longer with Palemoon.

          – Indeed. Linux is the way to go if you care about privacy.
