How to tell if a website is taking your (browser) fingerprints

Whether you’re looking at the whorls and loops of a fingertip or analogously unique browser information, using a fingerprint is a highly accurate way to identify someone. It’s a lot harder to get a person’s fingerprint without their knowledge, but all kinds of services on the Internet ID users by their browser “fingerprint” — and not always with your interests in mind.

A team at Bundeswehr University Munich has developed a browser extension that lets you track which websites collect your browser fingerprints and how they do it. The team also analyzed 10,000 popular websites to see what kind of information they collect. Team member Julian Fietkau’s presentation at the Remote Chaos Communication Congress (RC3) discussed the issue and the team’s work on it.

What is a browser fingerprint?

A browser fingerprint is an assembly of the data that a website can obtain about your computer and browser on request when a page loads. The fingerprint includes dozens of data points, from the language you use and the time zone you’re in to which extensions are installed and your browser version. It may also include information about your operating system, RAM, screen resolution, font settings, and much more.

Websites collect varying amounts and types of information, using it to generate a unique identifier for you. A browser fingerprint is not a cookie, although it can be used similarly. And, though you have to consent to the use of cookies (you’re probably already tired of closing “our site uses cookies” notifications), taking browser fingerprints does not require consent.

Moreover, even using Incognito mode won’t stop your browser fingerprint from being taken; almost all browser and device parameters remain the same and can be used to determine that the person browsing is you.

How browser fingerprints are used and misused

The first purpose of a browser fingerprint is to confirm a user’s identity without any effort on their part. For example, if a bank can tell from your browser fingerprint that it’s you carrying out a transaction, it doesn’t need to bother sending a security code to your phone, and it can expend a bit more effort if someone, even you, logs in to your account with a different browser fingerprint. In this example, browser fingerprints improve your experience.

The second purpose is to show targeted ads. Read a guide on one website about choosing an iron, then go to another website that uses the same ad network and the network will show you ads for irons. Basically, it’s tracking without your consent, and users’ hatred and suspicion of the practice are quite understandable.

That said, many websites with built-in components from various ad networks and analytics services collect and analyze your fingerprints.

How to tell if a site is taking your browser fingerprint

To obtain the information to compile a browser fingerprint, a website sends several requests through embedded JavaScript code to the browser. The aggregate of the browser’s responses makes up its fingerprint.
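The following is an added example, not code from the article or from the researchers' extension. It shows how those script reads can be observed: each watched property is replaced with a getter that records the access before returning the real value. The stand-in browser objects, the watch list and the sample page script are all constructed for illustration.

```javascript
// Constructed stand-ins for browser objects so the example runs outside a browser.
function makeEnv() {
  return {
    navigator: { language: "en-US", platform: "Linux x86_64", deviceMemory: 8,
                 hardwareConcurrency: 4, userAgent: "ExampleBrowser/1.0" },
    screen: { width: 1920, height: 1080, colorDepth: 24 },
  };
}

// Assumed watch list for illustration only; a real monitor covers far more APIs.
const WATCHED = {
  navigator: ["language", "platform", "deviceMemory", "hardwareConcurrency", "userAgent"],
  screen: ["width", "height", "colorDepth"],
};

// Replace each watched property with a getter that counts the read,
// then hands back the original value so the page keeps working.
function instrument(env, watched) {
  const reads = new Map(); // "navigator.language" -> number of reads
  for (const [objName, props] of Object.entries(watched)) {
    for (const prop of props) {
      const value = env[objName][prop];
      const key = `${objName}.${prop}`;
      Object.defineProperty(env[objName], prop, {
        configurable: true,
        get() { reads.set(key, (reads.get(key) || 0) + 1); return value; },
      });
    }
  }
  return reads;
}

// Summarise which watched properties were read and what share of the list that is.
function report(reads, watched) {
  const total = Object.values(watched).reduce((n, p) => n + p.length, 0);
  const touched = [...reads.keys()].sort();
  return { touched, coverage: touched.length / total };
}

// Constructed sample page script: reads several values and joins them into one identifier.
function samplePageScript({ navigator, screen }) {
  return [navigator.language, navigator.platform, navigator.deviceMemory,
          screen.width, screen.height, screen.colorDepth].join("|");
}

function runDemo() {
  const env = makeEnv();
  const reads = instrument(env, WATCHED);
  const id = samplePageScript(env);
  return { id, ...report(reads, WATCHED) };
}

console.log(runDemo());
```

A page that reads a large share of the watched properties in one load is a stronger signal of fingerprinting than a page that reads one or two of them for layout or localisation.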

Fietkau and his colleagues analyzed the most popular libraries with this kind of JavaScript code, compiling a list of 115 distinct techniques most frequently used to work with browser fingerprints. They then created a browser extension called FPMON that analyzes Web pages to see if they use those techniques and tells the user exactly what data
