Douglas Crawford

December 6, 2013

‘[The internet] user seeking to avoid being followed around the Web must pass three tests. The first is tricky: find appropriate settings that allow sites to use cookies for necessary user interface features, but prevent other less welcome kinds of tracking. The second is harder: learn about all the kinds of supercookies, perhaps including some quite obscure, and find ways to disable them. Only a tiny minority of people will pass the first two tests, but those who do will be confronted by a third challenge: fingerprinting.’ Electronic Frontier Foundation, How Unique Is Your Web Browser?

The internet-using public is increasingly aware of the privacy risks posed by HTTP cookies – small pieces of text stored on your computer by websites, which can be used not only to recognise you on return visits to a particular website, but also (when set by third-party advertising or analytics domains embedded in many sites) to track you as you move around the World Wide Web – and is increasingly taking steps to control them, delete them regularly, or block them altogether.

In May this year (2013) the EU ‘cookie law’ came into force, requiring EU websites, and any website that serves an EU audience, to ask permission from visitors before leaving ‘non-essential’ cookies on their computers. In practice, implementation and enforcement of the law has been patchy and only partially effective at best (and not helped by some very vague wording), but it has helped to raise awareness about cookies among netizens everywhere.

Websites (and in particular third-party analytics and advertising domains) however profit a great deal from the tracking that cookies enable, and have therefore looked for other ways to uniquely identify and track visitors. One of these is the use of supercookies (including Flash cookies and zombie cookies), and another is browser fingerprinting (HTTP ETags, web storage, and history stealing are lesser-used methods which we will discuss in another article).

What is browser fingerprinting?

Whenever you visit a website your browser sends data to the server hosting that site as part of every HTTP request. The request headers include basic information such as the browser name and exact version number and the operating system (all carried in the User-Agent header), plus the languages and content encodings the browser accepts. This is known as the passive browser fingerprint, because it is disclosed automatically without the site having to ask for it.

However, websites can also run scripts (usually JavaScript, and in 2013 often Flash or Java applets too) that ask the browser for additional information, such as a list of all installed fonts and plugins, the supported data types (so-called MIME types), screen resolution and colour depth, time zone, system colors and more. Because this information has to be solicited from your browser, it is known as active fingerprinting.

Taken together, the various fingerprint attributes can be combined almost instantly (it takes only milliseconds to hash a fingerprint and look it up among millions of stored ones) into a fingerprint that is unique, or very nearly so, to an individual browser, and which still identifies it even if cookies have been deleted or the IP address has changed between visits.
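The following is an added illustration of how the passive and active attributes described above are collected and folded into one identifier; it is not code from this article or from any real tracker. The header names are real HTTP headers, but the `env` object, the FNV-based `hashId`, and the sample request and navigator values are constructed for the example.

```javascript
// Added example, not the article's or any tracker's code. Passive attributes
// come from HTTP request headers (the server sees them without asking);
// active attributes must be requested from the browser by a script.
// `env` is a navigator-like object so the same code runs in Node and in a page.

// 32-bit FNV-1a. Two seeded runs give a 64-bit hex id that is stable for the
// same canonical string (a real tracker would more likely use MD5 or SHA-1).
function fnv1a32(str, seed) {
  let h = seed >>> 0;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

function hashId(str) {
  const hex = n => n.toString(16).padStart(8, '0');
  return hex(fnv1a32(str, 0x811c9dc5)) + hex(fnv1a32(str, 0x9747b28c));
}

// Passive fingerprint: what every request already carries.
function passiveAttributes(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return {
    userAgent: h['user-agent'] || '',
    accept: h['accept'] || '',
    acceptLanguage: h['accept-language'] || '',
    acceptEncoding: h['accept-encoding'] || '',
  };
}

// Active fingerprint: what a script has to ask for. Plugin and MIME-type order
// is kept as reported, because the order itself is informative. Font lists in
// 2013 usually came from Flash or Java; here they are passed in as `env.fonts`.
function activeAttributes(env) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const plugins = Array.from(nav.plugins || [], p => `${p.name}:${p.description || ''}`);
  const mimeTypes = Array.from(nav.mimeTypes || [], m => m.type);
  return {
    platform: nav.platform || '',
    plugins: plugins.join(';'),
    mimeTypes: mimeTypes.join(';'),
    fonts: (env.fonts || []).join(';'),
    screen: `${scr.width || 0}x${scr.height || 0}x${scr.colorDepth || 0}`,
    timezoneOffset: String(env.timezoneOffset ?? 0),
    cookiesEnabled: String(Boolean(nav.cookieEnabled)),
  };
}

// Sorted key=value lines, so the same browser always produces the same string.
function canonicalise(attrs) {
  return Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join('\n');
}

function fingerprint(headers, env) {
  return hashId(canonicalise({ ...passiveAttributes(headers), ...activeAttributes(env) }));
}

// Constructed sample input: one request's headers and a navigator-like object.
const sampleHeaders = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Language': 'en-GB,en;q=0.8',
  'Accept-Encoding': 'gzip, deflate',
};
const sampleEnv = {
  navigator: {
    platform: 'Win32',
    cookieEnabled: true,
    plugins: [{ name: 'Shockwave Flash', description: 'Shockwave Flash 11.9 r900' }],
    mimeTypes: [{ type: 'application/x-shockwave-flash' }, { type: 'application/futuresplash' }],
  },
  screen: { width: 1366, height: 768, colorDepth: 24 },
  timezoneOffset: 0,
  fonts: ['Arial', 'Calibri', 'Times New Roman'],
};

// In a page a script cannot read its own request headers, but the same values
// are approximated by navigator.userAgent / navigator.languages, e.g.:
//   fingerprint({ 'User-Agent': navigator.userAgent, 'Accept-Language': navigator.languages.join(',') },
//               { navigator, screen, timezoneOffset: new Date().getTimezoneOffset() });
```

Note that deleting cookies or changing IP address touches none of the inputs above, which is the whole point: the identifier is rebuilt from scratch on every visit and comes out the same as long as the browser's configuration is unchanged.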

How unique is your fingerprint?

The EFF’s research shows that ‘if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint.’ As part of its investigation it has created the Panopticlick website, which actively fingerprints your browser and tells you how unique it is.

We use a lot of privacy-related plugins in our browser, which ironically makes us more unique, and therefore more identifiable by fingerprinting

Can I change my fingerprint?

Every time you install a new font or plugin, or otherwise change one of the fingerprinted attributes, you change your fingerprint. The most important attributes in this regard are the list of installed plugins, the supported MIME types, and the installed fonts, which, when combined with the browser’s User Agent (which identifies the browser and its version), allow unique identification with 87 percent accuracy.

Unfortunately, the EFF determined that even when ‘fingerprints changed quite rapidly, … even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser’s fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%’.

It is possible to change a browser’s User Agent, which has the most dramatic effect on your fingerprint, but many websites rely on being given a correct User Agent in order to function properly, so this is not an ideal solution. In addition, by changing your User Agent you actually increase your browser’s uniqueness (we discuss this more below), but if you do want to try it then check out our guides for doing so in desktop browsers, Android and iOS Safari.
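To make the ‘one in 286,777’ figure, the ‘87 percent’ figure and the ‘upgraded fingerprint’ heuristic above concrete, here is an added example (not code from the EFF paper or from this article) that runs the underlying arithmetic over a constructed population of eight browsers. `guessPredecessor` is a simplified reconstruction in the spirit of the heuristic EFF describes, not EFF’s code; all attribute values are made up for the example.

```javascript
// Added example: the entropy / anonymity-set arithmetic behind "one in N"
// uniqueness figures, plus a simplified fingerprint re-linking heuristic.
// Dataset is constructed: eight browsers, four of them identical vanilla
// Windows 7 / Internet Explorer installs.

const vanilla = {
  userAgent: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
  plugins: '', fonts: 'Arial;Times New Roman', screen: '1366x768x24', tz: '0',
};
const observed = [
  { ...vanilla }, { ...vanilla }, { ...vanilla }, { ...vanilla },
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0',
    plugins: 'Shockwave Flash 11.9', fonts: 'Arial;Calibri;Times New Roman', screen: '1920x1080x24', tz: '0' },
  { userAgent: 'Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0',
    plugins: 'Shockwave Flash 11.9', fonts: 'Arial;Calibri;Times New Roman', screen: '1920x1080x24', tz: '-60' },
  { userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Chrome/31.0',
    plugins: 'Shockwave Flash 11.9;Java 7u45', fonts: 'Arial;Helvetica;Monaco', screen: '1920x1080x24', tz: '300' },
  { userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0',
    plugins: '', fonts: 'DejaVu Sans;DejaVu Serif', screen: '1920x1080x24', tz: '-60' },
];

// Canonical string for whole-fingerprint comparison (keys in sorted order).
const canon = fp => JSON.stringify(fp, Object.keys(fp).sort());

// Shannon entropy (bits) of one attribute over the population: how much a
// tracker learns on average from that attribute alone.
function attributeEntropy(fps, key) {
  const counts = new Map();
  for (const fp of fps) counts.set(fp[key], (counts.get(fp[key]) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) { const p = c / fps.length; bits -= p * Math.log2(p); }
  return bits;
}

// Surprisal (bits) of one specific value. A value shared by 1 in 286,777
// browsers carries log2(286777) ≈ 18.1 bits, the figure behind the EFF quote.
function surprisalBits(fps, key, value) {
  const n = fps.filter(fp => fp[key] === value).length;
  return Math.log2(fps.length / n);
}

// Anonymity set: how many browsers in the population share the full
// fingerprint. 1 means the fingerprint is unique in this population.
function anonymitySet(fps, fp) {
  const target = canon(fp);
  return fps.filter(o => canon(o) === target).length;
}

// Simplified "upgrade" heuristic: a new fingerprint is attributed to an earlier
// browser if exactly one attribute differs (a plugin or browser update, say)
// and that earlier fingerprint was unique, so the match is unambiguous.
// Returns the matched old fingerprint, or null if none or several qualify.
function guessPredecessor(fps, fresh) {
  const candidates = fps.filter(old => {
    const changed = Object.keys(fresh).filter(k => old[k] !== fresh[k]);
    return changed.length === 1 && anonymitySet(fps, old) === 1;
  });
  return candidates.length === 1 ? candidates[0] : null;
}
```

Run against the constructed set, the four vanilla installs have an anonymity set of four (they are indistinguishable from each other), while the Mac browser is unique, and a later visit from the same Mac with Java bumped to a newer version is still re-linked to it because only one attribute moved. The two Firefox installs that differ only by time zone show the failure mode: a fingerprint one step from both of them is ambiguous, and the heuristic correctly refuses to guess.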

Changing our User Agent in Chrome

Be a sheep… baaa…

One of the most frustrating and paradoxical aspects of fingerprinting is that many measures you take to prevent tracking, such as disabling Flash or changing your User Agent, actually make you more uniquely identifiable, because the resulting combination of attributes is rarer than the one you started with. The truth is that protecting yourself from being fingerprinted is currently difficult to the point of being impossible, but there are things you can do to minimize the problem.

The most important of these is to use a popular browser that is as ‘plain vanilla’ (i.e. as unmodified) as possible, so that you blend in with the majority of non-tech-savvy internet users who never install additional plugins or otherwise tamper with their software. Firefox and Chrome are therefore good choices for desktop users (Safari isn’t too bad, but Microsoft Internet Explorer gives away more identifying information than the others do), while iOS Safari users are safer than Android users because iOS Safari is less customizable (and therefore less unique) than the stock Android browser. Ideally you should also use the plainest operating system possible, so a freshly installed Windows 7 (the world’s most popular OS) with no additional software or fonts would be best, although admittedly totally impractical for most people.

While most privacy-enhancing measures (which we cover in some detail in our Ultimate Privacy Guide) actually decrease your privacy when it comes to fingerprinting, the EFF noted that Torbutton (and the Tor network in general) gave ‘considerable thought to fingerprint resistance’, and that ‘NoScript is a useful privacy enhancing technology that seems to reduce fingerprintability.’ Commendable as these efforts are, however, such measures are not perfect, as fingerprinting expert Henning Tillmann explained: ‘Everyone using Tor has a similar browser fingerprint and if a website only has one visitor using Tor this makes him or her unique and identifiable.’
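The reason a changed User Agent backfires is that the browser keeps disclosing the real operating system through other channels, and a browser that contradicts itself is rarer than any genuine one. The following added example (constructed heuristics and sample data, not code from this article or from any tracker) shows the kind of consistency check a fingerprinting script can run; the font lists in `OS_FONT_TELLS` are illustrative, not authoritative.

```javascript
// Added example (constructed heuristics, not the article's or any tracker's
// code): why a spoofed User-Agent tends to make a browser *more* unusual.
// The OS claimed in the User-Agent is checked against attributes the browser
// exposes independently. A plain browser agrees with itself; one whose
// User-Agent says "Mac" while its platform and fonts say "Windows" is rarer
// than either a real Mac or a real Windows machine.

function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return 'windows';
  if (/iPhone|iPad/.test(ua)) return 'ios';       // before 'mac': iOS UAs say "like Mac OS X"
  if (/Mac OS X|Macintosh/.test(ua)) return 'mac';
  if (/Android/.test(ua)) return 'android';       // before 'linux': Android UAs contain "Linux"
  if (/X11|Linux/.test(ua)) return 'linux';
  return 'unknown';
}

// navigator.platform is set by the browser from the real OS, not derived from
// the User-Agent string, so a UA switcher normally leaves it untouched.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return 'windows';
  if (/^iP(hone|ad)/.test(platform)) return 'ios';
  if (/^Mac/.test(platform)) return 'mac';
  if (/^Linux arm/.test(platform)) return 'android';  // typical Android value, e.g. "Linux armv7l"
  if (/^Linux/.test(platform)) return 'linux';
  return 'unknown';
}

// Fonts that ship with one OS and are rarely present on others (constructed list).
const OS_FONT_TELLS = {
  windows: ['Calibri', 'Segoe UI', 'Tahoma'],
  mac: ['Helvetica Neue', 'Lucida Grande', 'Monaco'],
  linux: ['DejaVu Sans', 'Liberation Serif'],
};

// Returns the contradictions between the User-Agent and everything else.
// An empty list is what a plain, unmodified browser produces.
function inconsistencies(attrs) {
  const found = [];
  const claimed = osFromUserAgent(attrs.userAgent || '');
  const actual = osFromPlatform(attrs.platform || '');
  if (actual !== 'unknown' && claimed !== actual) {
    found.push(`User-Agent claims ${claimed} but navigator.platform says ${actual}`);
  }
  for (const [os, tells] of Object.entries(OS_FONT_TELLS)) {
    if (os !== claimed && tells.some(f => (attrs.fonts || []).includes(f))) {
      found.push(`User-Agent claims ${claimed} but ${os} system fonts are installed`);
    }
  }
  if (/MSIE|Trident\//.test(attrs.userAgent || '') && claimed !== 'windows') {
    found.push('Internet Explorer User-Agent on a non-Windows platform');
  }
  return found;
}

// Constructed samples: a genuine Windows 7 Firefox, and the same machine with
// its User-Agent switched to Mac Safari by a UA-changing extension.
const genuine = {
  userAgent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0',
  platform: 'Win32',
  fonts: ['Arial', 'Calibri', 'Segoe UI', 'Times New Roman'],
};
const spoofed = {
  ...genuine,
  userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 (KHTML, like Gecko) Version/7.0 Safari/537.71',
};
```

The genuine profile produces no findings; the spoofed one produces two (platform mismatch and Windows-only fonts). Each such contradiction is an attribute value that almost no other browser shares, which is exactly why the EFF found that User Agent changers tend to increase, not decrease, a browser's uniqueness.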

So what can I do to prevent tracking (in general)?

  • Use a freshly installed copy of Windows 7
  • Use an unmodified Chrome or Firefox browser
  • Use a VPN service to mask your IP address and encrypt your browsing data (or use Tor)
  • Clear browser cache and cookies after every session (working in the browser’s ‘privacy mode’ should have a similar effect)
  • Disable or don’t install JavaScript (unfortunately though, many websites will not work properly without it)
  • Disable or (better yet) don’t install Flash. Unfortunately, however, Flash is responsible for a lot of the more user-friendly features and functionality found on the web, so if you must run it then see here for a guide to deleting Flash cookies and dealing with other supercookies, a subject we will deal with in another article soon
  • Visit the EFF’s Panopticlick website to see how effective your measures have been

Conclusion

Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. ‘Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable’ (EFF).

As we internet users have become more aware of privacy and tracking issues, so have those who would track us become increasingly devious in their methods of doing so. With fingerprinting this has reached the point that it is almost impossible to prevent (although as noted above there are steps that can be taken to make it more difficult). The EFF therefore concludes its report by saying that the answer lies in government action and legislation, and that ‘policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms’.

Now it has to be said that we have very limited faith in governments’ will or ability to enact such changes (although the EU ‘cookie laws’ at least show some positive intention in this direction), so in the meantime we will just have to take as many measures as we can live with (since all measures impact our user experience in some way), and hope for the best.

Douglas Crawford
March 8th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

22 responses to “Your browser’s fingerprint and how to reduce it”

  1. Nice article. Very clear and interesting.

    Where did these nodes come from? How are they made… what are they? Why did someone in the Navy release this tech, and how is it powered/what’s it look like?

    I googled “does accessing your emails while using a vpn give you away straight away” and this was the first link.

    or using facebook? or using facebook to write a review or click a like on another site? Or using any login, in your name?

    Where did you learn all the information in your articles from? Really interested in that. You sound IT educated, if so, in what and how far?

    what are your thoughts on the TV series Mr Robot lol.

    Sorry for the grammar, I’m using microsoft notepad

    How is TOR not 100% safe, why is it no matter what you do it’s not actually 100% secure?

    I think you said there is always a security flaw in a system? – why?

    How long has TOR been around?

    I heard using TOR on a PC with windows installed is another privacy/security issue? Is that still true? And what was the issue with using windows?

    Is running tails on a USB key any safer than using a CD?

    Why can’t these nodes be shutdown/logged/disrupted, again what the hell are they?

    With TOR don’t you need an invite? And every message is encrypted and you need the other guy’s key to decipher things but isn’t it hard to get your own key or something, to begin even sending messages, like a correct process to beginning?

    Looking forward to your reply,
    Ryan Paul
    138 arrow cresent
    Old Town State
    Franko-marko City

    1. Hi Ryan,

      I think most of these questions will be answered if you read through my Tor Review and the Wikipedia article.

      – I have a degree in philosophy, but have owned a computer since the early 80’s and have worked as a computer repair technician, web designer, sound engineer, and technology journalist.
      – Nothing is 100% “safe”, but Tor is as good as it gets.
      – Windows is Microsoft spyware (and Microsoft has a history of cooperating with the US government).
      – Technically running Tails on a non-rewritable CD (finalized CD-R) is more secure, but this is not a major concern.

  2. Scaremongering seems to be the only thing some people are good at!

    Any legal authority can query (read legally force) your phone company to surrender your personal details if needed, and I doubt they’d opt to use “browser fingerprinting” which is nothing but a joke.

    1. Hi GR,

      Browser fingerprinting is not widely used by government agencies (as far as we know), but it is widely used by websites to track visitors for advertising purposes. As for a legal authority being able to demand that your ISP surrender your personal details if needed – sure, but using a good no-logs VPN (preferably based well outside the jurisdiction of your local legal authority) is a good defense against this.

  3. Not a bad suggestion but there is a problem or two.
    TOR will not give out bridge information without a fully traceable email address like gmail, yahoo, bing, similar. And all those want your identity, including a cell phone number.

    Buying bitcoin can leave a trail too. The initial purchase usually is not in person but online and with the use of a credit/debit card with your identity attached to the transaction.

    There are many ways to be anonymous. The more private you want to be the more work you have to do and the more ‘they’ will watch you.

    Beware of the fourteen eyes countries….

  4. I saw no mention of WebRTC and canvas fingerprinting to track and or identify you.
    Probably the easiest and best solution is to either not ever use the internet or perhaps use TAILS.

    Windows and MAC both have built in back doors to everyone under the sun to get in without your knowledge and consent.

    An example – google “nsa keys” and that was only ONE way they got in.

    Linux is better but still not perfect.

    Backtrack linux is excellent if you are a computer expert (far too difficult for most people to set up, use and know what and what not to do)

    Qubes-OS is very good too but again a PITA to set up and try to use.

    Liberte` ‘was’ good but the developer does not have the time and money to maintain it. Too bad. It showed great promise.

    Don’t think that the browser is the only way to track you.

    System UUIDs (makes fixed fingerprints) can track you.

    Heck, even your laptop battery can hide tracking software!

    So, ‘one use’ USED laptops running TAILS and being careful not to disclose any sort of identifying info is the closest you will have to any semblance of privacy.

    They ARE out to get you. Be paranoid or be a victim. Your choice.

    GRC dot com is a good place to learn a few things.

    You can use TOR and go to .onion sites. Yahoo.onion I think works.
    emails using .onion addresses can help too.

    But those are stop gap methods.

    1. Hi anonymous,

      – WebRTC has nothing to do with fingerprinting, but you can find out more details about it here. Canvas fingerprinting is indeed a refinement of browser fingerprinting. You can find out more about it in a more recent article here.

      – The best solution to fingerprinting is probably to use a plain vanilla version of Windows 7 using the Tor Browser. That way you look just like every other Tor user. Using Tails will probably flag you up, as it is a very unique identifier.

      – I agree with your comments about Windows, Mac, and Linux. Note that even with the most secure Linux, your computer’s processor might betray you (ME/PSP).

      – That link doesn’t seem to be right (takes me to a hard drive recovery site).

      – Tor is good, but lacks practicality for day-to-day use.

      1. I was looking into the issue. WebRTC is part of the fingerprinting process. It is like a key that opens a door of sorts.
        Of course other things are needed for an accurate fingerprint, but WebRTC is just e pluribus unum.

        Regarding Win7. Ever try to buy a copy in a store?
        It is no longer offered for sale by Microsoft.

        Only way to get a new copy is a pirated one and that may involve certain undesirable risks.

        You could spoof your system under linux to appear like you are using win7 though.

        A long time ago there used to be a program called guard dog by cybermedia. Too bad they didn’t keep it developed and incorporate more anonymous features.

        Also a long time ago there were really great firewalls that would let you EASILY see what parts of which program were connecting to what other web sites, right click on that offending portion, and block it. I used one to block the ads that weatherbug used to spam me with.

        Perhaps there is a way to nullify the STUN protocol?

        I use TOR for emails and a few things. I use firefox, opera, srware, palemoon browsers for others things (get bored with the same old browser).

        Running several browsers at the same time using https can obfuscate some of your activities.

        Tor can be use for day to day activities to some degree. Obviously high bandwidth activities like online games and streaming will be problematic. But general surfing and such it usually works fine.

        1. Hi anonymous,

          – But WebRTC simply hands over your IP address when asked (even when using a VPN). No fingerprinting required!

          – I said Win7 because it remains by far the most commonly used OS in the world. With regards to fingerprinting, Win10 is probably also quite effective these days.

          – Spoofing your system under Linux to appear like you are using Win7 sounds very interesting, as is something I have not heard of. If you like to send me some links for doing this, that would be great!

          – Have you looked at Glasswire?

          – If it is WebRTC that you want to disable (WebRTC uses STUN), then please check out The WebRTC VPN “Bug” and How to Fix It. I am not aware of any way to disable STUN itself.

          – Ha ha. Yeah, I can be quite geeky like that too! 🙂 I’m not sure how much it obfuscates your fingerprint, though.

          – Sure, but I don’t pay for a 50 Mbps broadband connection so I can surf the web at 2 Mbps…

  5. Hi Anonymous Nut,

    Yes, using the Tor Browser with Tor turned off is considered the best way to defeat browser fingerprinting as all Tor Browsers should look identical. I have included this information in the newly updated Ultimate Guide, and will add it here when I have the time.

      1. Hi Tor User,

        Sorry! It’s not immediately obvious.

        1. Go to Options -> Advanced tab -> Network -> Settings, select “No Proxy” and hit OK.

        Then type “about:config” into the url bar. Search for “network.proxy.socks_remote_dns” and double-click to disable.

        At that point your browser won’t be using the TOR proxy to access the internet, but if you also want to disable the TOR service running in the background, type “about:config” into the url bar, go to “extensions.torlauncher.start_tor” and double-click to disable.
