{"id":14603,"date":"2021-05-31T09:52:00","date_gmt":"2021-05-31T13:52:00","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=14603"},"modified":"2023-03-31T12:51:50","modified_gmt":"2023-03-31T16:51:50","slug":"browser-fingerprinting-the-good-bad-ugly","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/browser-fingerprinting-the-good-bad-ugly\/","title":{"rendered":"Browser Fingerprinting: The Good, Bad &#038; Ugly"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-browser-fingerprinting-is-a-controversial-user-data-tracking-technique-on-the-one-hand-companies-like-it-for-security-on-the-other-it-can-be-a-data-privacy-issue-for-users-and-compliance-concern-for-organizations-let-s-see-how-device-fingerprinting-works-and-why-it-s-such-a-divisive-topic\">Browser fingerprinting is a controversial user data tracking technique. On the one hand, companies like it for security. On the other, it can be a data privacy issue for users and compliance concern for organizations. Let\u2019s see how device fingerprinting works and why it\u2019s such a divisive topic<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Editor\u2019s Note: This is a guest blog contribution from Tamas Kadar, CEO at SEON, who shares his expert perspective on browser fingerprinting.<\/em>  <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Did you know that someone could identify who you are without cookies and without you entering any information about yourself? Yes, it\u2019s entirely possible to get an idea of who you are simply by using a technique called browser fingerprinting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what is browser fingerprinting and how does it work? Why do companies like using it? 
And what data privacy-related issues and compliance concerns does this method pose for users and businesses?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-browser-fingerprinting\">What Is Browser Fingerprinting?<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Browser fingerprinting, or what\u2019s also known as device fingerprinting, is a set of data collection techniques that uniquely identifies users by their devices\u2019 specific attributes. The combination of these attributes allows companies to identify unique users based on seemingly innocuous data such as their device settings or operating systems.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Much like the name implies, browser fingerprinting is reminiscent of how your physical fingerprints uniquely identify you from other people. That\u2019s because everyone has unique physical fingerprints \u2014 the unique ridges, lines and swirls that make your fingerprints your own. Even identical twins, whose genes are identical, have unique fingerprints. Similarly, companies can use this data to track unique users\u2019 browsing habits and create individual profiles that they can use for various purposes (such as advertising or cybersecurity functions).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike traditional web cookies, which place one or more files within users\u2019 browsers, browser fingerprinting is done by website or app owners by adding specific JavaScript to their websites.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Essentially, browser fingerprinting doesn\u2019t look at what you do online or what kind of information you provide. 
It only looks at <strong><em>how<\/em> you connect to a website<\/strong> by looking at the configuration of software and hardware you use, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operating system,<\/li>\n\n\n\n<li>Browser version,&nbsp;<\/li>\n\n\n\n<li>Active plugins,<\/li>\n\n\n\n<li>Time zone and language settings,<\/li>\n\n\n\n<li>Screen resolution, and<\/li>\n\n\n\n<li>HTML5 canvas properties.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This list is just a handful of examples. There are hundreds of other data points that browser fingerprinting techniques can detect to help create a unique ID that can be linked to you and you only.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-common-browser-fingerprinting-methods\">4 Common Browser Fingerprinting Methods<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Not sure what sorts of browser fingerprint detection methods exist? A few of the common browser fingerprinting techniques include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Canvas fingerprinting:<\/strong> Websites written in HTML5 contain a code element called the canvas, which draws graphics on a web page. It also generates data such as the font size or active background colour setting, which come into play when creating a unique user ID for tracking.<\/li>\n\n\n\n<li><strong>iOS or Android fingerprinting:<\/strong> A piece of JavaScript code in a web app can also return useful data such as the device\u2019s local language, screen brightness setting, MAC address, etc.<\/li>\n\n\n\n<li><strong>Audio fingerprinting: <\/strong>The complexity of the Web Audio API allows fingerprinting tools to look at values such as the AudioBuffer, Oscillator or Compressor to help identify users.<\/li>\n\n\n\n<li><strong>WebGL fingerprinting: <\/strong>WebGL is a JavaScript API that also renders on-screen images and graphics. 
How it does this can point to information about a device\u2019s graphic system.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">And browser fingerprinting works. According to Panopticlick, a website that helps audit online protection, only <a href=\"https:\/\/coveryourtracks.eff.org\/static\/browser-uniqueness.pdf\">1 in 286,777 connections will share the same browser fingerprint as another user<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In short: it\u2019s a lot easier for websites to track you and your online activities than you may think. But is it always bad? And what happens when the technology falls into the wrong hands? Let\u2019s explore those questions in the sections below.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-good-browser-fingerprinting-is-a-useful-cyber-security-fraud-protection-method\">The Good: Browser Fingerprinting Is a Useful Cyber Security &amp; Fraud Protection Method<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There is one area where the technology is undeniably useful: <a href=\"https:\/\/seon.io\/resources\/browser-fingerprinting-good-for-fraud-detection-but-is-it-enough\/\">browser fingerprinting in the context of fraud detection<\/a>.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Browser fingerprinting becomes a security tool. Companies can use your device information to get an idea of who you are without necessarily tying it to real-life personal data. 
They only look at your software and hardware, so you\u2019re not actually identified as an individual person.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Identifying a browser fingerprint is useful when looking at suspicious activity on your account, for example, to flag an attempt to hack your account or to purchase something without your authorization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here\u2019s a quick example of how it would work from a fraud prevention perspective:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You connect to a website.<\/li>\n\n\n\n<li>JavaScript code captures all your hardware and software data.<\/li>\n\n\n\n<li>The unique configuration is assigned an ID.<\/li>\n\n\n\n<li>The ID is tracked, in combination with an IP address, to check for suspicious activity.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">It\u2019s worth noting that there are limitations to how precise browser fingerprinting can be. For instance, the default Android web browser identifies itself as Safari to make compatibility easier. So focusing only on the browser version could, in that case, lead to false assumptions about a user\u2019s device.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While fingerprinting works with incognito or private browsing, fraud protection and cybersecurity vendors do have to combine it with other analysis techniques to get a clearer picture of who the visitors truly are.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-bad-concerns-regarding-loss-of-privacy\">The Bad: Concerns Regarding Loss of Privacy<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Browser fingerprinting for security is completely legal (so long as companies abide by <a href=\"https:\/\/www.thesslstore.com\/blog\/10-data-privacy-and-encryption-laws-every-business-needs-to-know\/\">data privacy and security regulations<\/a>). 
In fact, the European Union\u2019s General Data Protection Regulation (GDPR) <a href=\"https:\/\/gdpr-info.eu\/recitals\/no-47\/\">Recital 47<\/a> specifically states:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe processing of personal data strictly necessary for the purposes of <strong>preventing fraud<\/strong> also constitutes a legitimate interest of the data controller concerned. The processing of personal data for <strong>direct marketing<\/strong> purposes may be regarded as carried out for a legitimate interest.\u201d<\/em>&nbsp;<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Just like web cookies, tracking is allowed as long as businesses are transparent about their policies (i.e., how they collect and use the information). This responsibility falls on the shoulders of businesses who have to ensure their tracking remains compliant and that users give their informed consent. Using the GDPR as an example once more, this is how <a href=\"https:\/\/gdpr-info.eu\/art-4-gdpr\/\">GDPR Article 4(11)<\/a> defines user consent:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cAny <strong>freely given, specific, informed<\/strong> and <strong>unambiguous<\/strong> indication of the data subject\u2019s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her[.]\u201d&nbsp;<\/em><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">This isn\u2019t to say that users will be happy about being tracked. There is definitely a trade-off between security and privacy online. 
Users concerned with how their devices are tracked may wish to opt out of browser fingerprinting manually.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But a growing number of anti-fingerprinting browsers are also gaining popularity worldwide. There is no shortage of extensions designed to block fingerprinting JavaScripts. Tor browser usage is booming, and companies like Mozilla Firefox, who have always put privacy front and centre, now offer <a href=\"https:\/\/www.mozilla.org\/en-GB\/firefox\/features\/block-fingerprinting\/\">built-in fingerprinting blockers within their browser:<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"741\" height=\"494\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/browser-fingerprinting.png\" alt=\"A screenshot of the FireFox browser Privacy settings that shows the tracking protection enabled for browser fingerprinting\" class=\"wp-image-14605\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/browser-fingerprinting.png 741w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/browser-fingerprinting-300x200.png 300w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Developers who need to test multiple browser configurations can also use tools like a Chrome User-Agent (UA) spoofing extension that lets you change your user agent manually. A user agent is an HTTP header that provides information about a user\u2019s web browser to the site or web app they connect to.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(One quick note about Chrome and data collection: Google is currently implementing changes to how it tracks user data with its new Federated Learning of Cohorts (FLoC) technology and attempting to reduce reliance on User Agents. 
<a href=\"https:\/\/developer.chrome.com\/blog\/privacy-sandbox-update-2021-jan\/\">You can read more about it on Google\u2019s Developer blog<\/a>).<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"778\" height=\"688\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/UA-dev-tool-chrome-extension.png\" alt=\"A screenshot of a Google Chrome extension that allows users to change their site UAs\" class=\"wp-image-14606\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/UA-dev-tool-chrome-extension.png 778w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/UA-dev-tool-chrome-extension-300x265.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/UA-dev-tool-chrome-extension-768x679.png 768w\" sizes=\"auto, (max-width: 778px) 100vw, 778px\" \/><figcaption class=\"wp-element-caption\">Image source: <a href=\"https:\/\/seon.io\/resources\/3-examples-of-browser-spoofing-and-how-to-detect-them\/\">Seon<\/a>: a Google Chrome extension allowing developers to quickly switch User Agents to test sites as seen from other browsers<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For a browser to connect with the website, that HTTP header (i.e., the UA or UAS browser agent string) must be present in the headers of each request. And not all UA strings look the same \u2014 the specific format varies from one browser to the next. So, being able to change it is a useful tool for users and web developers alike. For the former group, it may improve user privacy; for the latter, it has very tangible uses and applications in web development.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Even more advanced: you can use browser extensions such as Trace to protect you against multiple advanced tracking techniques. 
Otherwise, you can use the Tails browser, which is designed to access Tor from an external hard drive to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect yourself from canvas fingerprinting,&nbsp;<\/li>\n\n\n\n<li>Remove Google headers,<\/li>\n\n\n\n<li>Hide JavaScript plugins,<\/li>\n\n\n\n<li>Disable the battery status API, and<\/li>\n\n\n\n<li>Spoof a MAC address.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These are more sophisticated solutions, often favoured both by privacy enthusiasts and, sadly, cybercriminals, as we\u2019ll see in the next section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-ugly-device-fingerprint-spoofing-tools-cybercriminals-love-to-use\">The Ugly: Device Fingerprint-Spoofing Tools Cybercriminals Love to Use<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Another trend we\u2019ve witnessed is the rise in advanced anti-device fingerprinting software tools. These programs take browser spoofing to the next level, allowing users to inject JavaScript code snippets into visited websites to modify the behaviour of a page. They tend to be sold as browser extensions, but can also be shipped in modified browsers where the extensions come pre-installed. 
They can still be detected with a string comparison.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"742\" height=\"450\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/fraudfpx-anti-browser-fingerprinting-browser.png\" alt=\"A screenshot of code strings for comparison\" class=\"wp-image-14607\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/fraudfpx-anti-browser-fingerprinting-browser.png 742w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/fraudfpx-anti-browser-fingerprinting-browser-300x182.png 300w\" sizes=\"auto, (max-width: 742px) 100vw, 742px\" \/><figcaption class=\"wp-element-caption\"><em>Image source: <\/em><a href=\"https:\/\/seon.io\/resources\/3-examples-of-browser-spoofing-and-how-to-detect-them\/\"><em>Seon<\/em><\/a><em>. The FraudFox anti-fingerprinting browser can be identified with a string comparison<\/em><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Then there are native tools, which let you modify the JavaScript functions at such a deep level that even string comparison won\u2019t work. Browsers like Mimic will even add noise creation. This is a feature that modifies values at run-time to confuse the tracking. In the Mimic browser, this is called canvas poisoning, which can fool canvas fingerprinting.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Need even more advanced features? Then you\u2019ll have to simulate a fake user environment. This is possible with a research tool called Blink, which recreates a whole virtual machine stack every time it launches. This allows you to change fonts, plugins, browsers, user agent strings, time zones, or even operating systems.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The question is: why would anyone purchase these tools, which aren\u2019t cheap or easy to set up? 
They are clearly targeted and marketed to a specific clientele that needs to spoof various environments quickly and at scale. It\u2019s no secret that the only real use case is for online fraud or cybercrime such as money laundering.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-fingerprinting-spoofing-privacy-it-s-an-arms-race\">Fingerprinting, Spoofing &amp; Privacy: It\u2019s an Arms Race<strong><\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Regardless of which side of the fence you\u2019re on when it comes to browser fingerprinting, the fact of the matter is that the tool sophistication on both sides increases by the day.&nbsp;Every new method for fingerprinting is soon thwarted by a new technology that\u2019s designed to protect identity. But companies have very little incentive to stop knowing who their users are, whether it\u2019s for advertising or for cybersecurity reasons.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is simply no way of knowing where the technology is headed, but it\u2019s important to understand where we are at now and how browser fingerprinting is used today. We hope this article was a good primer on the topic and will make you think about how your information is shared online.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Browser fingerprinting is a controversial user data tracking technique. On the one hand, companies like it for security. 
On the other, it can be a data privacy issue for users&#8230;<\/p>\n","protected":false},"author":43,"featured_media":14609,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,16,10200],"tags":[13122],"class_list":["post-14603","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-hashing-out-cyber-security","category-monthly-digest","tag-browser-fingerprinting","post-with-tags"],"views":18486,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2021\/05\/browser-fingerprinting-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=14603"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/14603\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/14609"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=14603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=14603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?p
ost=14603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}