Whether you’re looking at the whorls and loops of a fingertip or analogously unique browser information, using a fingerprint is a highly accurate way to identify someone. It’s a lot harder to get a person’s fingerprint without their knowledge, but all kinds of services on the Internet identify users by their browser “fingerprint,” and not always with those users’ interests in mind.
A team at Bundeswehr University Munich has developed a browser extension that lets you track which websites collect your browser fingerprints and how they do it. The team also analyzed 10,000 popular websites to see what kind of information they collect. Team member Julian Fietkau’s presentation at the Remote Chaos Communication Congress (RC3) discussed the issue and the team’s work on it.
What is a browser fingerprint?
A browser fingerprint is an assembly of the data that a website can obtain about your computer and browser on request when a page loads. The fingerprint includes dozens of data points, from the language you use and the time zone you’re in to which extensions are installed and your browser version. It may also include information about your operating system, RAM, screen resolution, font settings, and much more.
Moreover, even using Incognito mode won’t stop your browser fingerprint from being taken; almost all browser and device parameters remain the same and can be used to determine that the person browsing is you.
How browser fingerprints are used and misused
The first purpose of a browser fingerprint is to confirm a user’s identity without any effort on their part. For example, if a bank can tell from your browser fingerprint that it’s you carrying out a transaction, it doesn’t need to bother sending a security code to your phone, and it can expend a bit more effort on verification if someone (even you) logs in to your account with a different browser fingerprint. In this example, browser fingerprints improve your experience.
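To make the bank scenario concrete, here is an added example (not code from the researchers or from any bank) that assembles a fingerprint from a handful of attributes and decides whether a login needs a security code. The attribute names, sample values, and the 0.8 threshold are assumptions made up for illustration.

```javascript
const { createHash } = require('node:crypto');

// Constructed sample: attributes of the browser the customer enrolled with.
const enrolled = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/100.0',
  language: 'en-US',
  timeZone: 'Europe/Berlin',
  screen: '1920x1080x24',
  deviceMemoryGB: 8,
  fonts: ['DejaVu Sans', 'Liberation Serif', 'Noto Sans'],
  extensions: ['example-adblocker'],
};
// Constructed sample: same browser in a private window, extensions disabled.
const incognito = { ...enrolled, extensions: [] };
// Constructed sample: a login from an unrelated machine.
const otherDevice = {
  userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) OtherBrowser/55.0',
  language: 'en-US',
  timeZone: 'America/Chicago',
  screen: '1366x768x24',
  deviceMemoryGB: 4,
  fonts: ['Arial', 'Calibri'],
  extensions: [],
};

// Hash the attributes with sorted keys so collection order does not matter.
function fingerprintId(attrs) {
  const canonical = JSON.stringify(Object.keys(attrs).sort().map((k) => [k, attrs[k]]));
  return createHash('sha256').update(canonical).digest('hex');
}

// Fraction of attributes with identical values in both fingerprints.
function similarity(a, b) {
  const keys = [...new Set([...Object.keys(a), ...Object.keys(b)])];
  return keys.filter((k) => JSON.stringify(a[k]) === JSON.stringify(b[k])).length / keys.length;
}

// Hypothetical bank policy: skip the security code only for a near-identical browser.
function loginDecision(known, seen, threshold = 0.8) {
  return similarity(known, seen) >= threshold ? 'allow' : 'step-up';
}

console.log(loginDecision(enrolled, incognito), loginDecision(enrolled, otherDevice));
```

The private window still matches six of seven attributes and is recognized, while the unrelated machine triggers the extra check. The exact hash changes as soon as one attribute differs, which is why the policy compares attribute by attribute instead of comparing hashes.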
The second purpose is to show targeted ads. Read a guide on one website about choosing an iron, then go to another website that uses the same ad network, and the network will show you ads for irons. Basically, it’s tracking without your consent, and users’ hatred and suspicion of the practice are quite understandable.
That said, many websites with built-in components from various ad networks and analytics services collect and analyze your fingerprints.
How to tell if a site is taking your browser fingerprint