By Matt Burgess
Cookies are on the way out—but not enough is being done about browser fingerprinting. So what is it?
Creepy cookies that track all your online activity are (slowly) being eradicated. In recent years major web browsers, including Safari and Firefox, have restricted the practice. Even Chrome has realized that cookies present a privacy nightmare. But stopping them ends only one kind of online tracking—others are arguably worse.
Fingerprinting, which involves gathering detailed information about your browser’s or your phone’s settings, falls into this category. The tracking method is largely hidden, there’s not much you can do to stop it, and regulators have done little to limit how companies use it to follow you around the internet.
The exact configuration of lines and swirls that make up your fingerprints is thought to be unique to you. Similarly, your browser fingerprint is a set of information that’s collected from your phone or laptop each time you use it, and that advertisers can eventually link back to you.
“It takes information about your browser, your network, your device and combines it together to create a set of characteristics that is mostly unique to you,” says Tanvi Vyas, a principal engineer at Firefox. The data that makes up your fingerprint can include the language you use, keyboard layout, your timezone, whether you have cookies turned on, the version of the operating system your device runs, and much more.
By combining all this information into a fingerprint, it’s possible for advertisers to recognize you as you move from one website to the next. Multiple studies looking at fingerprinting have found that around 80 to 90 percent of browser fingerprints are unique. Fingerprinting is often done by advertising technology companies that insert their code onto websites. Fingerprinting code—which comes in the form of a variety of scripts, such as the FingerprintJS library—is deployed by dozens of ad tech firms to collect data about your online activity. Sometimes websites that have fingerprinting scripts on them don’t even know about it. And the companies are often opaque and unclear in the ways they track you.
Once established, someone’s fingerprint can potentially be combined with other personal information—such as linking it with existing profiles or information murky data brokers hold about you. “There are so many data sets available today, and there are so many other means to connect your fingerprint with other identifying information,” says Nataliia Bielova, a research scientist at France’s National Institute for Research in Digital Science and Technology, who is currently working at the French data regulator, CNIL.
Fingerprinting evolved alongside the development of web browsers and is intertwined with the web’s history. As browsers have matured they have communicated more with servers—through APIs and HTTP headers—about people’s device settings, says Bielova, who has studied the development of fingerprinting. The Electronic Frontier Foundation (EFF) first identified fingerprinting back in 2010. Since then fingerprinting has become increasingly common as advertisers have tried to get around cookie blocks and limits put on ad tracking by Google and Apple.
While there’s little transparency around the companies that run fingerprinting scripts, the practice is verifiably widespread across the web. Many of the websites you visit will fingerprint your device; research from 2020 found a quarter of the world’s top 10,000 websites running fingerprinting scripts.
New ways of fingerprinting are being created too. “The existing fingerprinting algorithms are not the upper boundary in terms of trackability,” says Gaston Pugliese, a research fellow at Friedrich-Alexander-Universität in Germany, who has studied the long-term impact of fingerprinting. For instance, earlier this year researchers proved they could create fingerprints of GPUs to identify people. Tracking people across different browsers is also possible.
But not all fingerprinting is bad. David Emm, a principal security researcher at Kaspersky, says the technique can often be used as a way to spot potential fraud, such as banks using it to identify suspicious behaviour.
However, the widespread use of fingerprinting for targeted advertising and tracking people’s online movement raises legal problems. Across Europe regulators have been calling for a clampdown on cookie banners, which appear on websites asking people if they give their permission to be tracked. The banners are so ubiquitous (and frustrating) that people largely click Accept and don’t understand how they are agreeing to be tracked—that’s leaving aside the fact that many cookie banners may not even do what they claim.
In Europe fingerprinting falls under the same General Data Protection Regulation and marketing rules as cookies, says Elle Todd, a partner specializing in data and tech at law firm Reed Smith. European regulators have warned since 2014 that fingerprinting “presents serious data protection concerns,” and Todd says many websites don’t tell consumers that they may track people with fingerprinting. “I think that a lot of companies don’t realize, and they think that this is a nice way to get around the cookie rules,” she says.
Unlike cookies, it’s hard to stop fingerprinting. Cookies are stored in your browser, and it’s possible to delete your cookie history, block them, or turn them off entirely. “With the fingerprinting, it’s all invisible,” Emm says. “People don’t know about it; they don’t see it.” When the EFF first detailed fingerprinting in 2010, it said it was “akin to a cookie that cannot be deleted.”
Various browser plugins claim to help reduce or stop fingerprinting, but there’s a mix in quality. A 2019 study by a researcher from Snap and two US academics found many anti-fingerprinting tools aren’t that useful. The biggest thing you can do to stop fingerprinting is pick a browser that limits tracking and increases privacy.
“The most promising approach that is also built into browsers nowadays is the approach of the Tor browser,” Pugliese says. To prevent fingerprinting, Tor tries to standardize all the parts of its browser so everyone appears to have the same fingerprint. Tor isn’t always practical, though; some websites will break, and many companies don’t allow it on corporate networks. Other browsers, including Firefox and Brave, have their own anti-fingerprinting methods. Firefox blocks third-party requests to companies that fingerprint, while Brave adds noise by randomizing fingerprints.
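To make the mechanics concrete, here is an added sketch (not from WIRED or from any browser's code) of how a handful of the attributes listed earlier combine into a fingerprint, and how the standardizing and randomizing defences change what a tracker sees. The sample browsers, the FNV-1a hash, the function names and the per-site noise model are all assumptions made for illustration.

```javascript
// Constructed sample data: attribute sets for four hypothetical browsers.
const browsers = [
  { language: "en-GB", timezone: "Europe/London", os: "Windows 10", keyboard: "uk", cookies: true },
  { language: "en-US", timezone: "America/New_York", os: "macOS 12", keyboard: "us", cookies: true },
  { language: "en-US", timezone: "America/New_York", os: "Windows 10", keyboard: "us", cookies: true },
  { language: "fr-FR", timezone: "Europe/Paris", os: "Android 12", keyboard: "fr", cookies: false },
];

// FNV-1a 32-bit hash: a stand-in for whatever hash a real script uses.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Join attributes in a fixed key order so the same browser always hashes the same.
function fingerprint(attrs) {
  const keys = Object.keys(attrs).sort();
  return fnv1a(keys.map(k => `${k}=${attrs[k]}`).join("|"));
}

// Standardizing defence (the Tor approach): every browser reports identical values.
const STANDARD = { language: "en-US", timezone: "UTC", os: "Windows 10", keyboard: "us", cookies: true };
function standardized() { return { ...STANDARD }; }

// Randomizing defence (the Brave approach), modelled here as noise that differs
// per site and per session; this noise model is an assumption of the sketch.
function randomized(attrs, site, sessionSeed) {
  return { ...attrs, noise: fnv1a(`${sessionSeed}:${site}`) };
}

// Fraction of browsers whose fingerprint is shared with nobody else in the list.
function uniqueFraction(list, view) {
  const prints = list.map(b => fingerprint(view(b)));
  const counts = new Map();
  prints.forEach(p => counts.set(p, (counts.get(p) || 0) + 1));
  return prints.filter(p => counts.get(p) === 1).length / list.length;
}

// True if two different sites compute the same fingerprint for one browser.
function linkable(browser, view) {
  return fingerprint(view(browser, "site-a.example")) === fingerprint(view(browser, "site-b.example"));
}
```

On this constructed data every raw fingerprint is unique and matches across both sites; the standardized view still matches across sites but is shared by all four browsers, and the randomized view produces a different value on each site.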
“In the fingerprinting space, browsers are going to have to evolve,” says Firefox’s Vyas, adding that anti-fingerprinting technology needs to change in a way that doesn’t break parts of the web. More action from regulators would also help to stamp out the tracking. “If we had legislative support that said ‘these fingerprinting technologies and scripts are unlawful,’ then that would help us.”
Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London. Send tips to Matt_Burgess@wired.com.
Sourced from WIRED