Browser Fingerprinting - Tracking Without Cookies
A browser fingerprint is an identifier derived from the combination of a user's browser settings, environment information, and hardware characteristics. Because it does not rely on data the user can delete, such as cookies, and can be computed from information the browser exposes during ordinary page loads, it is sometimes called a "cookie you cannot delete." It is used legitimately for fraud detection and bot mitigation, but it is also widely used for tracking without user consent, and it remains in tension with privacy regulations such as the GDPR.
Information Collected
Although a single attribute has low identifying power, fingerprinting achieves high uniqueness by combining dozens of them. In the EFF's 2010 Panopticlick study (the project is now Cover Your Tracks), 83.6% of the browsers observed were uniquely identifiable by their fingerprint alone, rising to 94.2% among browsers with Flash or Java enabled.
- Canvas: draws text and shapes on an HTML5 Canvas and hashes the pixel data of the rendered result. Uniqueness arises from differences in the GPU, graphics driver, and font rendering engine.
- WebGL: obtains GPU-specific information such as the renderer and vendor strings (exposed through the WEBGL_debug_renderer_info extension) and shader precision values. A hash of a 3D rendering result is also used for identification.
- Fonts: detects installed fonts from JavaScript, typically by measuring the rendered width of a test string in each candidate font and comparing it with the width in a fallback font. The combination of fonts added by the OS and the user varies greatly from person to person.
- Other attributes: time zone, language settings, screen resolution and colour depth, plugin list, User-Agent string, AudioContext processing characteristics, Battery API values, number of CPU cores, and more.
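The following is an added example, not code from the original article, showing how a fingerprinting script combines attributes that are individually weak into one identifier. The collection functions use real browser APIs (canvas `toDataURL`, the `WEBGL_debug_renderer_info` extension) and only run when a `window` exists; the five-profile population at the bottom is constructed, not measured data, and the FNV-1a hash is a deterministic stand-in for whatever hash a real tracker uses.

```javascript
// Added example: how a fingerprinting script combines attributes.
// collectAttributes() reads real browser APIs when run in a page; under
// Node (no `window`) only the constructed sample population is used.

function fnv1a(str) {
  // 32-bit FNV-1a. A tracker would likely use SHA-256, but the hash only
  // needs to be deterministic, not cryptographically strong.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function canvasHash() {
  // Text plus a coloured rectangle; anti-aliasing and font hinting make the
  // pixel output differ between GPU/driver/font-engine combinations.
  const c = document.createElement("canvas");
  c.width = 200; c.height = 50;
  const ctx = c.getContext("2d");
  ctx.textBaseline = "top";
  ctx.font = "14px Arial";
  ctx.fillStyle = "#f60";
  ctx.fillRect(100, 1, 62, 20);
  ctx.fillStyle = "#069";
  ctx.fillText("Cwm fjordbank glyphs vext quiz", 2, 15);
  return fnv1a(c.toDataURL());
}

function webglRenderer() {
  const gl = document.createElement("canvas").getContext("webgl");
  if (!gl) return "no-webgl";
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  return ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER);
}

function collectAttributes() {
  return {
    ua: navigator.userAgent,
    lang: navigator.language,
    tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    cores: navigator.hardwareConcurrency,
    canvas: canvasHash(),
    webgl: webglRenderer(),
  };
}

function fingerprint(attrs) {
  // Sort keys so attribute order never changes the resulting hash.
  const canonical = Object.keys(attrs).sort().map(k => `${k}=${attrs[k]}`).join("|");
  return fnv1a(canonical);
}

// Constructed sample population: every attribute value is shared by at
// least two profiles, yet the combination is unique for each profile.
const SAMPLE_PROFILES = [
  { ua: "Chrome/124 Win", lang: "en-US", tz: "America/New_York", screen: "1920x1080x24", canvas: "a1", webgl: "Intel UHD 620" },
  { ua: "Chrome/124 Win", lang: "en-US", tz: "Europe/Berlin", screen: "1920x1080x24", canvas: "a1", webgl: "NVIDIA RTX 3060" },
  { ua: "Chrome/124 Win", lang: "de-DE", tz: "Europe/Berlin", screen: "2560x1440x24", canvas: "b2", webgl: "NVIDIA RTX 3060" },
  { ua: "Firefox/125 Mac", lang: "en-US", tz: "America/New_York", screen: "2560x1440x30", canvas: "c3", webgl: "Apple M1" },
  { ua: "Firefox/125 Mac", lang: "en-US", tz: "Europe/Berlin", screen: "2560x1440x30", canvas: "c3", webgl: "Apple M1" },
];

// Size of the largest group of profiles sharing one value of keyFn (the
// "anonymity set"); 1 means every profile is distinguishable.
function largestAnonymitySet(profiles, keyFn) {
  const counts = new Map();
  for (const p of profiles) {
    const v = keyFn(p);
    counts.set(v, (counts.get(v) || 0) + 1);
  }
  return Math.max(...counts.values());
}

function uniquenessReport(profiles) {
  const report = {};
  for (const k of Object.keys(profiles[0])) {
    report[k] = largestAnonymitySet(profiles, p => String(p[k]));
  }
  report.combined = largestAnonymitySet(profiles, fingerprint);
  return report;
}

if (typeof window !== "undefined") {
  console.log("this browser:", fingerprint(collectAttributes()));
}
console.log(uniquenessReport(SAMPLE_PROFILES));
```

Run in a page, the first line prints the hash for the current browser; run under Node, the report shows each attribute with an anonymity set of 2 to 4 while the combined hash isolates every profile. That is the whole mechanism: the entropy of the parts adds up.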
Differences from Cookies
| Characteristic | Cookie | Browser fingerprint |
|---|---|---|
| Where it lives | Browser storage | Collected by script in the browser; the resulting identifier is stored on the server |
| Deletion by the user | Possible | Not possible (it is the environment itself; it can only be changed or masked) |
| Subject to consent requirements | Yes (GDPR / ePrivacy) | Formally yes in the EU, but treatment varies by jurisdiction |
| Cross-browser tracking | Not possible | Partially possible (OS- and hardware-level attributes) |
| Stability | High (the value is set explicitly) | Changes when the environment changes (browser update, new display, etc.) |
Legitimate Use and Abuse
Fingerprinting has legitimate use cases. In banking and online payments, it is used to detect logins from a device that differs from the customer's usual one, so that additional verification can be required before the login is allowed. Bot detection services block automated access by recognising fingerprint patterns characteristic of headless browsers and automation tools.
On the other hand, advertising networks that use it for cross-site tracking without user consent are engaging in a form of dark pattern. EU regulators treat fingerprint-based tracking as requiring consent in the same way as cookies: the Article 29 Working Party's Opinion 9/2014 on device fingerprinting brought it under the consent requirement of the ePrivacy Directive, and under the GDPR a fingerprint that singles out an individual is personal data. Regulation and enforcement are increasing.
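As an added example (not the article's own code and not taken from any bank or vendor), the device-change check described above: a fingerprint stored for the account is compared attribute by attribute with the one seen at login. Because attributes drift (every browser update changes the User-Agent), an exact hash comparison would flag almost every returning user, so the comparison is weighted by how stable each attribute usually is. The weights, thresholds, and sample data are illustrative assumptions.

```javascript
// Added example: device-change detection for login risk scoring.

// Weights are illustrative assumptions, not values from any product:
// attributes tied to hardware count for more than ones that change often.
const ATTRIBUTE_WEIGHTS = {
  webgl: 3,   // GPU rarely changes on the same machine
  canvas: 3,
  fonts: 2,
  screen: 2,
  tz: 1,      // changes when travelling
  lang: 1,
  ua: 1,      // changes on every browser update
};

// Compare the UA by browser family only, so a routine version bump does not
// look like a new device. Assumes the "Name/Version" format used below.
function normalize(key, value) {
  if (key === "ua") return String(value).split("/")[0];
  return String(value);
}

// Fraction of the total weight whose attributes match; attributes missing
// on either side are ignored rather than counted as a mismatch.
function deviceMatchScore(stored, current) {
  let matched = 0, total = 0;
  for (const [key, weight] of Object.entries(ATTRIBUTE_WEIGHTS)) {
    if (!(key in stored) || !(key in current)) continue;
    total += weight;
    if (normalize(key, stored[key]) === normalize(key, current[key])) matched += weight;
  }
  return total === 0 ? 0 : matched / total;
}

// Thresholds are illustrative; the middle band is where a bank would ask for
// a second factor rather than block outright.
function classifyLogin(stored, current) {
  const score = deviceMatchScore(stored, current);
  if (score >= 0.9) return "known-device";
  if (score >= 0.6) return "changed-device-step-up";
  return "new-device";
}

// Constructed sample data (not real fingerprints).
const STORED = {
  webgl: "Intel UHD 620", canvas: "a1", fonts: "f-7c", screen: "1920x1080x24",
  tz: "Europe/Berlin", lang: "de-DE", ua: "Chrome/123",
};
const SAME_AFTER_UPDATE = { ...STORED, ua: "Chrome/124" };
const NEW_MONITOR = { ...STORED, screen: "2560x1440x24", tz: "America/New_York", ua: "Chrome/124" };
const OTHER_MACHINE = {
  webgl: "Apple M1", canvas: "c3", fonts: "f-02", screen: "2560x1440x30",
  tz: "Europe/Berlin", lang: "de-DE", ua: "Safari/17",
};

for (const [name, login] of Object.entries({ SAME_AFTER_UPDATE, NEW_MONITOR, OTHER_MACHINE })) {
  console.log(name, deviceMatchScore(STORED, login).toFixed(2), classifyLogin(STORED, login));
}
```

Two caveats a practitioner should keep in mind. First, a fingerprint is not a secret: the attributes are readable by any site, so an attacker who has captured them from the victim's browser can replay them, and the score must be one risk signal among several rather than an authentication factor. Second, the weights encode an assumption about the user population; a deployment should measure how often each attribute changes for genuine returning users before choosing them.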
Countermeasures
- Uniform fingerprint (the approach of Tor Browser): designed to make all users' fingerprints look the same. Canvas and WebGL access is restricted, and the window size is reported in fixed steps rather than its exact value (letterboxing). It is the most powerful countermeasure, but browsing is slower, mainly because traffic is routed through the Tor network.
- Block lists (Firefox Enhanced Tracking Protection): blocks known fingerprinting scripts using a block list. Firefox can also be configured to ask the user for permission before a site reads Canvas pixel data.
- Randomization (Brave's "farbling"): injects small random noise into the return values of fingerprinting APIs, varying per site and per session. This reduces uniqueness without breaking site functionality, because the noise is too small to affect what the page displays.
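As an added example (not code from Tor Browser, Firefox, or Brave), the two API-level strategies above in miniature: `farbleRGBA` models randomization by flipping the least-significant bit of a few colour channels of a canvas buffer, stable within a session but different across sessions, and `roundViewport` models the uniform approach by rounding the reported viewport to a coarse grid so many users report the same size. The PRNG, the seeds, the 200x100 step, and the pixel buffer are all constructed for the demonstration.

```javascript
// Added example: two fingerprint countermeasure strategies in miniature.

// xorshift32: a small deterministic PRNG. A browser would seed it with a
// per-site, per-session secret, so a site sees a stable value within a
// session but a different one the next time.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Randomization: flip the least-significant bit of `count` randomly chosen
// colour channels (alpha is left alone). Every chosen channel changes by
// exactly 1, which is invisible, but any hash of the buffer changes.
function farbleRGBA(pixels, sessionSeed, count = 32) {
  const rnd = xorshift32(sessionSeed);
  const out = Uint8ClampedArray.from(pixels);
  const chosen = new Set();
  while (chosen.size < count) {
    const i = rnd() % out.length;
    if (i % 4 === 3 || chosen.has(i)) continue;
    chosen.add(i);
    out[i] ^= 1;
  }
  return out;
}

// How many channels differ between two buffers, and by how much at most.
function diffStats(a, b) {
  let differing = 0, maxDelta = 0;
  for (let i = 0; i < a.length; i++) {
    const d = Math.abs(a[i] - b[i]);
    if (d) differing++;
    if (d > maxDelta) maxDelta = d;
  }
  return { differing, maxDelta };
}

// Uniform approach: round the reported viewport down to a 200x100 grid so
// that many users report identical dimensions (the letterboxing idea).
function roundViewport(width, height, stepW = 200, stepH = 100) {
  return {
    width: Math.max(stepW, Math.floor(width / stepW) * stepW),
    height: Math.max(stepH, Math.floor(height / stepH) * stepH),
  };
}

// Constructed 64x64 RGBA buffer standing in for a rendered canvas.
const ORIGINAL = new Uint8ClampedArray(64 * 64 * 4).map((_, i) => (i * 37) & 0xff);

const session1 = farbleRGBA(ORIGINAL, 0xC0FFEE);
const session1Again = farbleRGBA(ORIGINAL, 0xC0FFEE);
const session2 = farbleRGBA(ORIGINAL, 0xBADA55);
console.log("vs original ", diffStats(ORIGINAL, session1));       // 32 channels differ, max delta 1
console.log("same session", diffStats(session1, session1Again));  // 0 channels differ
console.log("next session", diffStats(session1, session2));       // more than 0 channels differ
console.log(roundViewport(1366, 768));                             // { width: 1200, height: 700 }
```

Why the noise is re-derived from a session seed rather than drawn fresh on every call matters: if each `getImageData` call returned different noise, a script could simply read the canvas twice and average, or detect the instability and treat it as a signal of its own. A stable-within-session value gives the site nothing to diff against.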
For the balance between privacy and convenience, see Balancing Privacy and Convenience for a detailed explanation. For browser security settings in general, also refer to the Privacy Settings Guide and Browser Password Safety.
Common Misconceptions
There is a misconception that "using incognito mode (private browsing) prevents fingerprinting," but incognito mode only stops the browser from keeping cookies and history after the window is closed; the environment information that a fingerprint is built from is exposed exactly as in a normal window, so a private window produces the same fingerprint. From the perspective of privacy by design, the fundamental solution is for the browser itself to be resistant to fingerprinting.