We have more tools to secure our identity online than ever before. You can ban cookies — the little pieces of information websites deposit in our browsers to identify us — block invasive trackers from tailing our machines, switch to incognito mode, opt out of cross-app tracking with Apple’s latest iOS update, or even go as far as to surf the web only through highly encrypted virtual private networks.
But there’s a tracking method that can still slip past these defenses and it’s growing in popularity: Fingerprinting.
The anatomy of a fingerprint
What makes fingerprinting so elusive and difficult to defend against is the fact that the data it exploits is essential to the web’s foundational functions.
Apps and websites look to collect all sorts of information from us (GPS coordinates, our personal details, etc.) that we pay attention to and usually have the option to keep to ourselves. But a cursory review of just about any tech company’s privacy policy will tell you that they also gather a range of other miscellaneous data that you don’t pay attention to and that you can’t easily stop them from tracking — such as what software your device runs on and to which network operator you subscribe.
There’s a legitimate reason behind why companies need this data and why they can get it without even asking for your explicit permission. You see, all of us web users access the internet from a wide variety of different means, and in order to ensure that a website or app loads as intended for every user, no matter what browser or app or phone or computer they’re using, these sites need to know certain details about your method of access. But this seemingly innocuous data collection is also what powers fingerprinting.
Trackers stitch together your device’s properties like its display size, its operating system, your language preferences, and more to form your unique fingerprint. They match this pattern across sites and apps to identify you and target you with relevant ads.
Once a website captures your fingerprint, it’s possible for it to track you for up to 100 days — no matter how many safeguards you’ve put up on your browser.
Since all this takes place quietly in the background as you surf the internet, you can’t trace fingerprinting, nor is it possible for you to delete your fingerprints — like how you can in the case of third-party cookies. As your device’s fingerprint will always remain the same, this tracking method also can’t be limited through typical boundaries such as switching to a private window or clearing your browser’s cache.
“Fingerprinting is a threat to user privacy because it enables a nontransparent way for companies to track and identify users and devices,” says Patrick Jackson, the chief technology officer of Disconnect, a privacy app for iOS and Mac.
Finding a fix
There’s currently no great way to stop fingerprinting, but internet companies have started addressing the threat and looking for potential ways to deal with it. The Chromium-based browser Brave takes the most compelling shot at thwarting malicious fingerprinting that we’ve seen so far.
Brave’s solution is simple: Whenever a website requests the kind of data that could potentially enable fingerprinting, the browser obliges — but it also mixes in just enough noise or random information that it doesn’t end up crippling your web experience. This allows you to have a unique fingerprint for every session and every webpage. Therefore, trackers can no longer capture one single fingerprint of yours and match it across websites to follow you because your device will signal a different fingerprint every time.
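The effect of that randomization can be seen in a toy model. This is an added example, not code from the article or from Brave: the hash, the random-number generator, the device values, the site names and the session secrets are all constructed stand-ins, and seeding the noise from a per-session secret plus the site name is an assumption made for illustration.

```javascript
// Added illustration: toy model of per-session, per-site fingerprint noise.
// Hash, PRNG, device values, sites and secrets are constructed stand-ins.

function fnv1a(str) {                       // small non-cryptographic hash
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h = Math.imul(h ^ str.charCodeAt(i), 0x01000193) >>> 0;
  }
  return h;
}

function mulberry32(seed) {                 // deterministic PRNG: same seed, same noise
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Stable values a page script can read without asking permission (constructed).
const DEVICE = {
  screen: "2560x1440", os: "macOS", language: "en-US",
  canvas: Array.from({ length: 32 }, (_, i) => (i * 37 + 11) % 256),
};

// Browser side: answer the request, but when a session secret is set, flip the
// lowest bit of some canvas bytes using noise seeded from (secret, site).
function readout(site, sessionSecret) {
  let canvas = DEVICE.canvas;
  if (sessionSecret !== undefined) {
    const rand = mulberry32(fnv1a(sessionSecret + "|" + site));
    canvas = canvas.map((byte) => (rand() < 0.5 ? byte ^ 1 : byte));
  }
  return { ...DEVICE, canvas };
}

// Tracker side: stitch the readout into a single identifier.
function fingerprint(r) {
  return fnv1a([r.screen, r.os, r.language, r.canvas.join(",")].join("|")).toString(16);
}

// How many distinct identifiers a tracker embedded on several sites ends up with.
function distinctIds(sites, sessionSecret) {
  return new Set(sites.map((s) => fingerprint(readout(s, sessionSecret)))).size;
}

const SITES = ["news.example", "shop.example", "video.example"];
console.log("no noise:", distinctIds(SITES), "with noise:", distinctIds(SITES, "session-A"));
```

Without noise the three sites see one identifier and can link the visits; with noise each site sees its own, while no canvas byte moves by more than 1.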
In our tests, Brave was the only mainstream browser that passed the Electronic Frontier Foundation’s Cover Your Tracks test, which determines how effectively your browser can protect against practices like fingerprinting.
Other browsers including Safari, Google Chrome, and Mozilla Firefox have had limited success with their existing anti-fingerprinting mechanisms. Unlike Brave, which takes a more dynamic approach to tackle fingerprinting, these apps have a one-size-fits-all implementation that attempts to limit how much of your device’s data websites can access and relies on a list of known fingerprinting domains to block them.
Hitting a moving target
The reason these outdated efforts are no longer effective is that fingerprinting is a broad, evolving concept. It’s a practice that has gotten increasingly more complex with the internet’s advancements and that becomes more sophisticated every year.
Some trackers, for instance, force your browser to draw on an invisible canvas on a web page. When your computer does that, it releases information like its screen’s resolution. Similarly, trackers can determine your fingerprint by how your device processes acoustic signals when it plays an audio file online.
Benoit Baudry, a software technology professor at the KTH Royal Institute of Technology, Stockholm, believes it’s hard to mitigate fingerprinting “since its boundaries are fuzzy and keep changing.”
“A cookie has one single, specific purpose: To identify a user,” Baudry adds. “Meanwhile, browser fingerprinting ‘repurposes’ technology that is meant for something else. This is why it is much more difficult to grasp than cookies: there is not one specific script, object, or packet to intercept.”
In addition to capitalizing on essential web data, the other aspect that prevents browser makers from outright banning fingerprinting is that it’s also employed for positive purposes like fraud detection. When websites detect that a user is attempting to sign in from a new fingerprint (which essentially means a new machine), they request additional data for authentication to make sure the source isn’t malicious.
However, experts like Zubair Shafiq, an associate computer science professor at the University of California, Davis, argue fingerprinting is “overkill for fraud detection use cases.”
Several companies are, at the moment, working toward this exact goal — including Google, which is actively researching ways to curb fingerprinting.
Fingerprinting has largely flown under the radar so far since advertisers and tracking firms have had reliable and direct channels to profile users. Now, as the web’s biggest gatekeepers, including Google and Apple, crack down on traditional tracking frameworks like cookies, fingerprinting has been pushed into the spotlight and, if its adoption goes widespread, it might end up being the most significant threat to our privacy ever. And that’s where it seems to be headed.
The presence of fingerprinting trackers has doubled in websites since 2014 and Disconnect’s Jackson also mentions that in anticipation of cookie and Apple’s cross-app tracking ban, companies are “collecting vast amounts of device data to either compute (and collect) a fingerprint on the device or doing the computation on their servers with the raw data.”
Pierre Laperdrix, a researcher at the French National Centre for Scientific Research who’s been studying fingerprinting for over a decade, believes it will always remain a whack-a-mole game for internet companies. All they can do is stay a step ahead of trackers.
“In my opinion,” Laperdrix said, “I don’t think we can completely put an end to fingerprinting without a reengineering of the way browsers and servers work.”