Worried about your online privacy? If not, you should be: there's big money to be made in understanding where people go on the web, when, and why, and companies are falling over themselves to find new and sneakier ways to track everything you do.
And don't think you're necessarily safe because you've installed some cookie-blocking browser extension, antivirus software or the best VPN, either. Cookies were recognized as a privacy threat more than 25 years ago, and tracking companies have been developing more stealthy privacy-busting technologies for a very long time.
Browser fingerprinting is probably top of the ‘most dangerous’ tracking charts right now, because it's accurate, hard to spot, and many browsers do almost nothing to keep you safe. In this article we'll explain how the technology works, show you how to test it for yourself, and point you to free tools that will help keep you safe.
What is browser fingerprinting?
Tracking users online is all about finding and assigning them a unique ID - a tag that ensures the advertiser (or whoever) can recognize them as they move around the web.
This could involve setting a cookie, checking your IP address or just persuading you to stay logged into a social media or other accounts. But users are increasingly aware of this, and know how to fight back. They might tweak their browser settings to control or block cookies, for instance; install a VPN to mask their IP address, or use private browsing to limit what others can see about them.
Browser fingerprinting takes a very different approach. The core idea is that although you might think your setup is very, very common - you're using Chrome on a Windows 10 laptop, for instance - in reality your device differs from others in many ways (precise browser and OS version, time zone, installed apps, precise hardware details, etc.). Combine enough of these details and it’s often possible to build a fingerprint which is unique to your device.
It's a stealthy technology which has a lot of appeal to tracking companies, not least because it's so difficult to block. You can use a VPN, turn off cookies or use private browsing 100% of the time, and still be tracked. And most browsers don't have any obvious settings to help keep you safe.
Don't panic: there are useful steps you can take. But to understand those, we must first take a closer look at what fingerprinting really involves.
How browser fingerprinting works
Visit a website and it's easy to think your device looks much like any other. If you're using Chrome, for example, then you're one of countless millions, and it's tempting to think you'll appear to be one of the crowd.
For example, after collecting your details, a website might go beyond identifying you as ‘a visitor using Chrome’ to see you as 'a visitor using Chrome... whose preferred language is US English; and is in the PST time zone; and has cookies disabled; and is running Windows, on a device with 8 browser cores, 16GB RAM and a 1920x1060 screen size; and uses a certain graphics card and driver; and has these specific system fonts installed.' It's likely there will be others with the same fingerprint as you, but not 'countless millions' any more, and employing more advanced techniques can get even closer to delivering a unique ID.
Canvas fingerprinting, for instance, sees the tracker draw a complex pattern of shapes, colors and text (invisible to the user), then do a pixel-level analysis of the result. This may vary depending on your graphics card, firmware, operating system, drivers and more, and we've seen it claimed that canvas fingerprinting can help identify users with a 99.5% probability.
Similar technologies include WebGL tracking (more graphics trickery) and Audiocontext, where a tracker plays a tiny sound sample and measures the results. None of these will necessarily identify you precisely, but put enough of them together and it's likely you'll have a unique (and very trackable) browser fingerprint.
How can I test browser fingerprinting?
Browser fingerprinting can seem complicated, but you don't have to be an expert to understand the key details. Just visit a fingerprint testing site or two and you'll quickly get a feel for how it works, and how effective it can be.
Cover Your Tracks (opens in new tab) is a free service run by the digital rights group Electronic Frontier Foundation. Visit the site, click Test Your Browser, and within a few seconds it'll show you the various details that make up your fingerprint and explain what they mean.
Look for the site's 'Protecting you from fingerprinting?' verdict at the top of the page. This claimed our browser fingerprint was unique 'among the 217,097 tested in the past 45 days', showing fingerprinting could be used to effectively track our browser online.(opens in new tab)
Am I Unique (opens in new tab) collects and displays many more fingerprinting details, handy to show just what the technology can do. Like Cover My Tracks, it'll also tell you if you're vulnerable to being tracked. And once again, we were, with the site saying our fingerprint was unique out of the 561,688 in its database.
Some fingerprinting techniques are so smart that they can detect when you're trying to bypass them. When we visited GoLogin's (opens in new tab) site, it didn't just collect and display details on our setup, it also detected our VPN use, warning: 'looks like you are spoofing your location.' Although VPNs can deliver real benefits in many areas, this shows sites may be able to recognize that you’re using them, and that in itself could make you stand out from the crowd.
How to block browser fingerprinting
Preventing browser fingerprinting entirely is difficult, because the technology can use so many different pieces of information about your system to create a unique ID. But there are many ways you can reduce the risk:
- Use Firefox, for instance, and you'll immediately benefit from its Enhanced Tracking Protection which prevents known fingerprinters from querying your system. And although it's still labeled as 'experimental', its Fingerprinting Protection (opens in new tab) feature adds extra functionality by changing how your fonts, time zone, browser version, language and other details are reported to websites.
- The Brave browser has even more sophisticated tools, with a Shields (opens in new tab) feature that can block canvas, WebGL and many other fingerprinting types (the company explains all in its Fingerprinting Defenses (opens in new tab) page).
- Chrome doesn't have the same built-in functionality, but as ever, there are browser extensions to fill in the gaps. Canvas Fingerprint Defender (opens in new tab) adds a tiny amount of random noise to canvas results, for instance, ensuring sites can't get a consistent fingerprint. It's ultra-simple, there's nothing to configure, it just works.
- Canvas Blocker - Fingerprint Protect (opens in new tab) does something similar, but it’s technically smarter, and has more features, including the option to allow fingerprinting on specific domains (handy if canvas blocking breaks a legitimate site). To see this in action, install Canvas Blocker - Fingerprint Protect and revisit the BrowserLeaks (opens in new tab) canvas fingerprinting site. We found the page reported a new and random fingerprint every time we refreshed it, ensuring we couldn't be tracked. The extension even warned us about the tracking attempt, a nice touch while you're testing.
- Blocking canvas fingerprinting is a good start, but it won't protect you from trackers using other technologies. Trace (opens in new tab) is a powerful Chrome extension which blocks canvas, WebGL, audio and hardware fingerprinting, along with many other privacy threats. There's a lot here for a free extension, but it can be complex and is best for more technical users.
- Avast AntiTrack Premium (opens in new tab) is a comprehensive Windows and Mac app which works to block fingerprinting and web tracking on all your browsers. It has stacks of features and is very easy to use, but is on the pricey side.
If you're unsure what to do next, we'd recommend starting with a free browser extension. Search your store for the keyword fingerprinting, install anything that looks promising, and use the testing sites we list above to confirm they're now giving you a random fingerprint.
This may lead to issues later, if your anti-fingerprinting tool blocks a feature that a legitimate website needs. Keep that in mind, and add 'disable the fingerprinting blocker and try again' to your standard list of web troubleshooting steps.
If you're only taking simple steps, though, such as with the canvas fingerprinting extensions above, you're unlikely to have problems. You'll be able to get on with your regular web business, while your new tools go to work, automatically blocking at least some web fingerprinting, and helping to preserve your privacy online.