What is Browser Fingerprinting

Let’s stop kidding ourselves; privacy no longer exists on the internet.

Governments have created entire departments outlining what companies can and cannot track. These restrictions have only emboldened the hacking and online advertising community. Leadership is overwhelmed and ill-equipped to keep up with the advancements in technology and digital threats.

Most security software, apps, firewalls do not affect internet security. The pervasive, shady tactics of online stalking companies are growing at incredible rates. Millions of accounts are compromised daily. The widespread, shady tactics of online stalking companies are evolving.

William Saito, a security expert and proponent of tearing down the internet and reconstructing its security infrastructure, says; in the business world, there are two types of businesses, the ones that have been hacked, and the ones that don’t know they have been hacked.

As early as 1995, cookies were considered functional mechanisms for customizing websites and strengthening a customer’s online experience. Today, cookies are persistent pieces of code that are difficult to get rid of. JavaScript Evercookies identify consumers and remain on hard drives after being deleted by browser settings. Evercookies, super cookies, and cookies forever are monikers for the same devilish code.

The following research explores the little known condition of Browser Fingerprinting. Hackers no longer need the small pieces of code sitting on a computer; we are broadcasting our identity to any website that is listening. I sent my browser through the Panopticlick test, and the results are startling.

Topics of Discussion:

  1. Browser Fingerprinting
  2. What Information is My Browser Displaying?
  3. W3C and Fingerprinting
  4. Web Standards and the Threat
  5. What Now
  6. Conclusion

Browser Fingerprinting

The widely accepted explanation of browser fingerprinting; when you visit a webpage, your browser header is yielding a significant amount of identifying information to the site by way of your browser settings. This tracking method is supplanting the current IP address and cookie forms of identification.

Browser fingerprinting uses a considerable amount of information to compile a complete profile on you.

When the webpage loads into your browser, identifying information is automatically distributed to trackers embedded into the site you are visiting. JavaScript, Flash, and other software analyze the data. Information is used to create a profile.

Companies and individuals lacking a moral compass, harvest this data for use by internet advertisers and others.

There seems to be no practical way to combat browser fingerprinting and assuredly no way to eliminate the platform. Fingerprinting software does not exist on the host computer. Unlike cookies, there is no browser command to wipe fingerprinting away or limit their use.

Device, machine, or browser fingerprinting is a remarkably accurate means of securing consumer information. This approach is not restricted to an individual browser. Fingerprinting can exist on any browser installed on the computer and the major problem of any connected device.

Why is browser fingerprinting so dangerous? No one saw fingerprinting on the horizon, except for hackers. 1) There is no code on host machines to eliminate or control 2) Internet powers are playing catch up 3) Information is being compiled and accumulated by established web standards 4) Identifying information is easy to acquire

If you are convinced your system is impenetrable, test your browser. Panopticlick was conceived to search for browser fingerprints.

I made the plunge and ran my browser through the test, and here is what I found.

  • Is your browser blocking tracking ads? Yes, Under the guise of market research, the biggest companies in the world track your shopping and surfing habits. When you look for a family trip to London or new outdoor grill, suddenly trips to Europe and new grills are on every website you see. Canvas fingerprinting is the culprit or at least a part of it. More on this topic later.
  • Is your browser blocking invisible trackers? No, consumers continuously ask, how in the world am I being tracked? When a consumer visits a webpage, they leave behind a digital footprint. In most cases, a site will leave a cookie on your hard drive. When you come back, your browser sends the cookie back to your hosting server for processing and refurbishing.
  • Does your blocker stop trackers included in the so-called acceptable Ads Whitelist? Yes, Advertisers and marketers are in business to generate money. Non-intrusive ads are stored on your computer. The next visits to the site, ad-blockers access the whitelist, if the advertisement is there ads are displayed.
  • Does your browser unblock 3rd parties that promise to honor, Do Not Track? No, Modern browsers have a setting, telling advertisers, advertising networks, and social platforms not to track their activity. Browsers send out an HTTP request, asking websites Do Not Track or deliver a cookie. Browser fingerprinting can get around this request; tracking is not coming from a cookie. The promise to honor request is meaningless.
  • Does Your Browser Protect from Fingerprinting? My browser is Unique.

The 64,000 question. (Millennials have no clue what that means) The test asks the question, “is my browser unique?” The answer, Yes.

With this information, coupled with other unique browsers, advertisers have a dynamic new platform to identify your online surfing patterns.

What information is my browser displaying?

  • I have a browser fingerprint of 17.66 bits of information. Compared to 206,744 websites checked in the last 45 days.
  • My browser is telling advertisers; 1) I use Windows 10, 64 bit 2) Three browsers are present on my laptop; Chrome, Safari, and Edge 3) My time zone 4) Every font available to me 5) Cookie and super cookie tests 6) Hash code of Canvas fingerprint 7) hash code of WebGL fingerprint 8) Language 9) Enabled Touch support.

What is a bit?

Each question is resolved in terms of how many bits of information my computer browser is displaying. To figure out what a bit is, in this context, a brief lesson of Information theory is required. Bits of information refer to entropy (a measure of random errors) a value that captures the number of possibilities a value possesses. (Whew!)

Another way of reaching the meaning of bits: the information is used to measure certain known items, increases the probability of finding out someone’s identity. An example, knowing a person’s gender (two possibilities) carries one bit of information. Knowing gender allows us to rule out half of our control group and drill down further to identity.

What do the above tests mean for my privacy? I can be tracked across multiple websites without the need for specialized cookies. A stronger illustration would be; If a person wants to follow my surfing habits and all they have to go on is gender, that is not telling them much. However, if the same company has my gender, date of birth, or zip code, nationwide advertising campaigns have been created with less.

More ominous for privacy, fingerprinting technology includes the capacity for cross-browser tracking. The code instructs your browser to carry out a series of functions. The tasks utilize the operating system and hardware resources from CPU cores, audio cards, or graphics cards. Each task varies from one browser to the next, and each command is delivered from the embedded WebGL standard.

Bottom Line: Potentially, hackers have the resources to control countless sums of computers through the browser.

Yinzhi Cao, a Lead researcher at Lehigh University, suggests the new cross-browser technique has a significant success rate. Fingerprinting relies on JavaScript to rapidly access a user’s computer. The Lehigh script loading process was so sudden; it loaded while the user focused on reading the introductory text. Over three months, the test collected 3,615 fingerprints from 1,913 users. Over that period, the Lehigh research team was able to identify 99.2% percent of the browsers successfully.

W3C and Fingerprinting

Guidelines for web development are just starting to catch up to the fingerprinting threat. According to the W3C, (World Wide Web Consortium), there are three specific risks.

  1. Passive fingerprinting: Without any code-executed client-side, this type is based on observable characteristics with web requests.
  2. Active: code such as JavaScript is run on the local client to observe additional attributes to browser, user, or device.
  3. Cookie-like: This type is re-identification of user information to evade attempts to clear their computer of the code.

In a report posted to W3C, “Mitigating Browser Fingerprinting in Web Specifications” the consortium has thrown in the fingerprinting towel, at least for “active” browser fingerprinting. Here is the statement;

Advances in techniques for browser fingerprinting, particularly in active fingerprinting, suggest that complete elimination of the capability of browser fingerprinting by a determined adversary through solely technical means that are widely deployed is implausible.”

The consortium offers little breakthrough guidance, other than best methods. Here are a few of the web-development summaries from W3C.

  • Avoid unnecessary increases to fingerprinting surfaces.
  • Mark features which lead to fingerprintability.
  • Design APIs to access the necessary entropy.
  • Require servers to opt-in.
  • Limit persistent or permanent states

Why can’t the consortium do more? Everyone, including W3C, became too complacent with cookies, even the leading browser companies. The small fragments of code were simple to manipulate and destroy.

Web Standards and the Threat

The Panopticlick test displays browser characteristics exclusive to your machine. Two prominent web standards are adding to the burgeoning problem of browser fingerprinting, Canvas, and WebGL. My Panopticlick test reports that Canvas is issuing 17.66 bits of identifying information.

HTML is the voice of the internet, and HTML 5 is the latest interpretation. The current language consists of a host of additional elements and technologies for developing more engaging websites. HTML 5 spells out the rules of embedding Canvas, WebGL, and other software into webpages. Even though Canvas and WebGL seem to be the primary offenders in fingerprinting, other elements will be entangled soon.

Additional information my browser broadcasts to every webpage I visit.

JavaScript is the computing language tying HTML, WebGL, and the canvas element together.

  • Hash of Canvas fingerprint: The Canvas element started as an Apple creation in 2004. It developed into a fundamental part of the W3C HTML 5 code. Initially, the feature was used to give websites a more responsive workable design.

Canvas is the container within HTML code. The element holds graphics, animation, and visualizing data. This web standard is an ideal tool for hackers to manipulate HTML 5 and the canvas-fingerprinting portion.

Technical description of how the canvas element defines your browser:

“When you visit a web site, installed JavaScript writes text, add fonts, background colors, and requests the Canvas API. The Canvas API is a technique to obtaining the pixel data in URL format. The script takes the pixel data, which thus serves as the unique fingerprint for your browser.”

What the above statement suggests is twofold 1) Browser fingerprinting is going to be challenging to eliminate if it can be controlled or wiped out at all. 2) Profiles are made with accumulated data from an individual web site, and advertisers will give anything to have detailed fingerprint and analytical data.

Canvas fingerprinting requires your browser to run a unique identifiable script every time a web page loads. Differences in fonts, anti-aliasing means a network of computers will have profound differences with each image. The variations are further evidence of identifying a particular machine.

  • WebGL: The web graphics library is a JavaScript API that is solidly fused with HTML 5 and the canvas element. WebGL is needed for advanced interactive display in the browser. WebGL performs all of its functions without the need for compatible plugins. The code required to run WebGL is linked with the computer’s GPU. This factor means that hackers have a direct connection to a vital piece of the computer system.

The Panopticlick test says my browser and WebGL is yielding 4.69 bits of identifiable factors. There are two types of WebGL fingerprints;

  1. WebGL browser report; Listing of all WebGL capabilities and extensions.
  2. WebGL image; Pixels generated by drawings. Any of the WebGL drawings are part of the fingerprints library uniqueness percentage.

Looking at the two items above, it is obvious how integrated these factors are with the hardware and every separate system.

What Now?

Finding an efficient means to curtail browser fingerprinting and any future permutations calls for a “different thinking approach.” Browser fingerprinting is rapidly becoming so invasive companies and individuals do not have the time or the money to stop it.

The challenge then becomes, how do we battle Browser Fingerprinting? Every piece of intelligence gathered for this article established the point of disabling JavaScript or switch to a TOR browser. If we make each one of the steps, there is still no guarantee of getting rid of fingerprinting. Besides, it takes away what is great about the internet — streaming 3D gaming graphics, vivid web pages, incredible video, email, chatting, and on and on.

What are the solutions?

Disable JavaScript and Flash:

This solution is an adequate approach to control browser fingerprinting. With JavaScript disabled, any fingerprinting is meaningless because plugins, fonts, and cookies can no longer be controlled. Flash can be disabled with little to no consequence. Most platforms have ceased using Flash for some time now.

Disabling JavaScript is another matter. The programming language brings interactivity to the internet and is deeply embedded in the entire system. Shutting it down will cut off plenty of the functionality of any system and the user experience.

Private Browsing:

  • VPN: Virtual private networks are becoming increasingly attractive with growing threats like fingerprinting. Once, a VPN was consigned to a remote setting in Windows, and now there are VPN solutions for every budget and system.

VPNs are separate networks working within the public network of the internet. A VPN allows its users to connect to the internet in the same way as before, only through their encrypted network. A customers request is sent to the VPN companies server; the request is then encrypted and delivered along. The receiving website sees the connection as a reliable proxy and lets the request pass, therefore masking your IP address. Here are three VPN services worthy of recognition.

  1. Express VPN: This service supports all your devices and the ability to connect to a single account, no matter the device or platform. ExpressVPN boasts 260 data centers in 94 countries. The service receives a TrustPilot rating of 9.6 out of 10 stars.
  2. NordVPN: Affordability and feature rich is the basis of this VPN. NordVPN guarantees a hack-proof surfing experience. Standard features of every device and platform and a fast connection makes NordVPN a look.
  3. CyberGhost: The Company touts its VPN as one of the fastest throughputs on the market. Very affordable VPN plans and CyberGhost has a 9.4 TrustPilot rating.
    • TOR Browser: Across the board, the TOR browser is pointed out, as a solution for everyone needing to protect their privacy. When a user is surfing the web, requests are delivered through TOR servers. The traffic is randomly distributed through a listed node and through an intermediate relay. After all that transfer, it finally spits out the request. TOR is not a network; it is a protocol based on the TOR Project.

    TOR attempts to suppress your data by separating identification and routing. The TOR browser does not encrypt your data; you will require a plugin for that.

    There are a few elements that should be noted before going all in on the TOR browser. Even though the browser will hide all your identifiable information, there is an obvious decline in performance. If you prefer fast surfing, TOR browser may not be for you.

    While running the browser, I noticed there was a disproportionate number of a CAPTCHA request popping up. Cloaked browsers look suspicious to content networks like CloudFlare. There also may be an issue going to the correct website.

    One last thing, your connection looks precisely the same as thousands of other TOR users. If you log into secure websites, there may be temporary blocks on the account.

    • Incognito Mode and the Alternatives: Every major browser includes a separate browser setting that masks identities. Private mode browsers disable the history function and the web cache, along with disabling storage in flash and cookies. There are plenty of quality secure browsers in the marketplace; here are three, other than TOR, that standout.
  4. Mozilla Firefox; a team of non-profits builds this browser, and it is a terrific secure platform. Features are; protection from malware, phishing, and preventing attack websites. The browser allows for blocking all trackers with a good deal of add-ons to strengthen privacy and security.
  5. Brave: A newcomer to the browser landscape, the software includes plenty of security features. Brave has a built-in fingerprinting function, which blocks scripts from loading. Settings allow for any level of privacy and security. Brave also has a built-in ad-blocker.
  6. Chromium: Google’s open source code is at the heart of Chromium. However, this browser is adapted to a more protected environment on the internet. The browser and its companion operating system are secure by construction.

Plugins and Browser Extensions:

Within this category of defense for fingerprinting, there are thousands of choices available. Installing extensions to control browser fingerprinting does not guarantee success. However, technology is becoming more sophisticated at adapting the user experience.

It is recommended to research and install software specifically designed to combat fingerprinting. If developers tout their product as an all-encompassing solution, with the eradication of fingerprinting as a distant option, Keep Looking!

Software designed specifically for controlling browser characteristics is the goal.

Remember, as the dominant browsers like Chrome, Edge, and Firefox develop technology to thwart fingerprinting threats; most extensions will become antiquated. Look for solutions with staying power, meaning a company that adapts.

Users control their computers and not the websites they visit. When you are researching the right solution, look for software that blocks scripts, not only masks identities.

  • Plugins: Third-party ad/tracking blockers are popping up everywhere. This rise in the number of plugins gives a reliable signal of the growing problem with browser fingerprinting. The extension you choose should be adequate to block the bulk of, not only ad scripts but also any analytics software and social media scripts. Choose an extension with as many options as feasible. Download the software and turn-on every blocker available, work backward to discover a happy medium. It may take a few downloads to find the appropriate extension for your system. Here are five worth a look and each one has an option to control browser fingerprinting.
  1. Avast Anti-Track: Avast is a company with staying power. As threats emerge, the company recognizes these technologies quicker and develops a defense against them. Anti-Track is specifically designed to combat browser fingerprinting. The extension is a premium addition to its overall platform. Anti-Track controls several factors of your online privacy. 1) Automatically blocks and sandboxes advertising scripts 2) Browsing history erased 3) Online behaviors and shopping disguised.
  2. TrackOff: If you want complete command of what your browser displays to websites, this software controls it. TrackOff offers two separate products and a yearly subscription to keep your identity confidential. The platform works with Windows, Mac/IOS, and Android and is suitable with all the leading browsers. The software provides a host of features to defend your browser from fingerprinting. Locations masks, real-time threat detection, encrypted internet shields are a small part of the platform. Full reporting and browser integration are options. TrackOff is one of the most solid pieces of software available.
  3. AdBlock Plus: This venerable example of software identified the threat of browser fingerprinting early and developed a weapon. AdBlock Plus will continuously be in the top position of any list in this category. The platform is open-source and free. It provides certain ads by default to help in the development of the extension. The platform extends to mobile devices along with the desktop.
  4. NoScript: Firefox by composition is a secure system, and with NoScript, it becomes almost impenetrable. The open source software is developed exclusively for Firefox and any Mozilla based browser. Any scripts are regulated by preference with trusted websites. The software has a unique approach to script blocking that may soon be adopted by other extensions. NoScript also serves for developer mistakes in programming and similar vulnerabilities. NoScript is a complete extension for blocking advertising scripts.
  5. Disconnect: This is more of a VPN than a browser extension. Disconnect provides encrypted browsing technology to cut off any type of tracking scripts effectively. Invisible trackers are controlled with this platform. The application does not slow down your surfing. Disconnect offers three levels of protection from free to premium. The top tier provides full VPN protection across all platforms. The software provides encryption for all HTTP and DNS connections, thereby masking identifies at the source.

Anti-malware software

Initially, malware was created to break large IT systems, and later it moved to individual computers. Malware deposited code or scripts on the intended system, which then physically damaged a component. Other proposed uses, steal software from a target, infect networks with malicious code, or merely an examination of the network.

Anti-malware software scans a system and uses an archived list of malware signatures. The software then compares any suspicious files against the list and sandboxes it for later inspection.

Malware threats have evolved just like the software to safeguard your privacy. The malicious software can generate data gaps in a network; exploit driver weakness in a specific PCI card or a developer issue with a browser plugin. These violations by malware only improve hackers access to your identity. If you are choosing one piece of software to install, anti-malware should be the one.

Two of the very best anti-malware applications:

  • AVG Technologies: A part of Avast, AVG is a full-featured product with plenty of controls and options. An outstanding feature; if a piece of malware is on a protected system, call support 24/7 to find a solution. Support will connect to your computer remotely and walk you through eliminating the threat. At the heart of the system is an entirely integrated and customizable scanning system. The software will automatically download current threats; deep scan all drives at the heuristic level. Use the free edition to make certain the product fits your needs.
  • Malwarebytes: There is no better virus and malware protection than this piece of software. Malwarebytes prides itself on being at the forefront of technology when it comes to privacy and security. The software continually updates itself to encompass all types of advertising scripts and codes. Plenty of controls and customizations will effectively shut down any attack. Malwarebytes is compatible across every device and platform. Again, there is no better application for cyber-attacks.

Identity Management:

Identity management is a relatively new means of combatting the browser fingerprinting threat. At first look, this seems to be a workable option; however, more work needs to be done. The solution is perfect for a business environment, and there are plenty out there, unfortunately, not so much for a personal computer.

Some platforms allow a user to create multiple profiles, but these are not designed to combat browser fingerprinting. With Chrome, it is adding a unique user, and Firefox is similar to Chrome. The problem becomes, a user must set up a thoroughly new personality with all new connections. Not very sensible at this time; however, this is a promising new technology that could someday curtail fingerprinting.

Conclusion

The Browser fingerprinting threat is a new malicious way of identifying and harming users on the internet. The web is a wonderful mechanism for enjoyment and function. As a planet, we can accomplish so much more together than apart.

The test and the research above prove my browser, and potentially, my computer was completely vulnerable to hackers and attack. After downloading the recommended software, I retook the test and became much more secure.

It is now evident to everyone; the threats to harm will continue and become more dangerous. It is up to each person who uses the internet to protect his or her privacy. New technologies are happening every day to create a better world, and the same can be said for individual protections.

It is essential to realize that the tools are available, and we only need to search.