{"id":22165,"date":"2021-01-12T17:32:57","date_gmt":"2021-01-12T17:32:57","guid":{"rendered":"https:\/\/www.kaspersky.co.uk\/blog\/rc3-fpmon-browser-fingerprinting\/22165\/"},"modified":"2021-01-12T17:32:57","modified_gmt":"2021-01-12T17:32:57","slug":"rc3-fpmon-browser-fingerprinting","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/rc3-fpmon-browser-fingerprinting\/22165\/","title":{"rendered":"How to tell if a website is taking your (browser) fingerprints"},"content":{"rendered":"<p>Whether you\u2019re looking at the whorls and loops of a fingertip or analogously unique browser information, using a fingerprint is a highly accurate way to identify someone. It\u2019s a lot harder to get a person\u2019s fingerprint without their knowledge, but all kinds of services on the Internet ID users by their browser \u201cfingerprint\u201d \u2014 and not always with your interests in mind.<\/p>\n<p>A team at Bundeswehr University Munich has developed a browser extension that lets you track which websites collect your browser fingerprints and how they do it. The team also analyzed 10,000 popular websites to see what kind of information they collect. Team member Julian Fietkau\u2019s <a href=\"https:\/\/media.ccc.de\/v\/rc3-113142-the_elephant_in_the_background\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">presentation at the Remote Chaos Communication Congress (RC3)<\/a> discussed the issue and the team\u2019s work on it.<\/p>\n<h2>What is a browser fingerprint?<\/h2>\n<p>A browser fingerprint is an assembly of the data that a website can obtain about your computer and browser on request when a page loads. The fingerprint includes dozens of data points, from the language you use and the time zone you\u2019re in to which extensions are installed and your browser version. 
It may also include information about your operating system, RAM, screen resolution, font settings, and much more.<\/p>\n<p>Websites collect varying amounts and types of information, using it to generate a unique identifier for you. A browser fingerprint is not a cookie, although it can be used similarly. And, though you have to consent to the use of cookies (you\u2019re probably already tired of closing \u201cour site uses cookies\u201d notifications), taking browser fingerprints does not require consent.<\/p>\n<p>Moreover, even using <a href=\"https:\/\/www.kaspersky.com\/blog\/incognito-mode-faq\/14784\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Incognito mode<\/a> won\u2019t stop your browser fingerprint from being taken; almost all browser and device parameters remain the same and can be used to determine that the person browsing is you.<\/p>\n<h2>How browser fingerprints are used and misused<\/h2>\n<p>The first purpose of a browser fingerprint is to confirm a user\u2019s identity without any effort on their part. For example, if a bank can tell from your browser fingerprint that it\u2019s you carrying out a transaction, they don\u2019t need to bother sending a security code to your phone and can expend a bit more effort if someone \u2014 even you \u2014 logs in to your account with a different browser fingerprint. In this example, browser fingerprints improve your experience.<\/p>\n<p>The second purpose is to show targeted ads. Read a guide on one website about choosing an iron, then go to another website that uses the same ad network and the network will show you ads for irons. 
Basically, it\u2019s tracking without your consent, and users\u2019 hatred and suspicion of the practice is quite understandable.<\/p>\n<p>That said, many websites with built-in components from various ad networks and analytics services collect and analyze your fingerprints.<\/p>\n<h2>How to tell if a site is taking your browser fingerprint<\/h2>\n<p>To obtain the information to compile a browser fingerprint, a website sends several requests through embedded JavaScript code to the browser. The aggregate of the browser\u2019s responses makes up its fingerprint.<\/p>\n<p>Fietkau and his colleagues analyzed the most popular libraries with this kind of JavaScript code, compiling a list of 115 distinct techniques most frequently used to work with browser fingerprints. They then created a <a href=\"https:\/\/fpmon.github.io\/fingerprinting-monitor\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">browser extension called FPMON<\/a> that analyzes Web pages to see if they use those techniques and tells the user exactly what data a particular site is trying to collect to compile a browser fingerprint.<\/p>\n<p>Users with FPMON installed will receive a notification when a website requests such and such information from the browser. Moreover, the team divided the types of information into two categories: <em>sensitive<\/em> and <em>aggressive<\/em>.<\/p>\n<p>The first category includes information that a website may request for legitimate reasons. For example, knowing the browser language enables a site to appear in your preferred language, and information about your time zone is required to show you the correct time. However, that information still might say something about you.<\/p>\n<p><em>Aggressive<\/em> information is irrelevant to the site, most likely used for the sole purpose of putting together your browser fingerprint. 
It might include the amount of device memory or a list of plugins installed in your browser, for example.<\/p>\n<h2>How aggressively do sites collect browser fingerprints?<\/h2>\n<p>FPMON can detect requests for 40 types of information. Almost all websites ask for at least some information about the browser or device. At what point should we assume that a website is actually trying to take a fingerprint? At what point should you worry?<\/p>\n<p>The researchers used existing sites such as the EFF\u2019s <a href=\"https:\/\/coveryourtracks.eff.org\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Panopticlick (aka Cover Your Tracks)<\/a> project, which the privacy advocacy group created to demonstrate how browser fingerprinting works. Panopticlick requires 23 parameters to work and can identify a user with greater than 90% confidence. Fietkau and his team made 23 parameters their minimum value; at or above that, we can assume a website is tracking users.<\/p>\n<p>The researchers went through the top 10,000 websites (as ranked by Alexa) and found that most of them \u2014 nearly 57% \u2014 ask for 7 to 15 parameters, with a median value of 11 parameters for the entire sample. Approximately 5% of the websites didn\u2019t collect a single parameter, and the maximum number collected was 38 out of a possible 40. However, only three out of the 10,000 requested that many.<\/p>\n<p>The websites in their sample used more than a hundred scripts to collect the data, and although very few scripts collected a lot of information from the aggressive category, they\u2019re used on some very popular websites.<\/p>\n<h2>How to protect against fingerprinting<\/h2>\n<p>Two approaches can prevent website scripts from taking your browser fingerprint: blocking them and giving them incomplete or incorrect information. Privacy software uses one method or the other. 
On the browser side, <a href=\"https:\/\/www.apple.com\/safari\/docs\/Safari_White_Paper_Nov_2019.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Safari recently<\/a> began providing only basic, impersonal information, thus protecting users from tracking through fingerprinting.<\/p>\n<p>Some organizations have stepped in with browser extensions as well. For example, Privacy Badger, a privacy plugin developed by the EFF, tries to block scripts, although not all of them. For example, the plugin doesn\u2019t affect scripts that request data that may be needed for a page to display correctly or for some of its functions to work (but that can also contribute to a fingerprint).<\/p>\n<p>We use the same approach in our Kaspersky Protection browser extension, preventing websites from collecting too much user information and, thus, assembling a fingerprint. Kaspersky Protection is part of our main consumer <a href=\"https:\/\/www.kaspersky.co.uk\/plus?icid=gb_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">security solutions<\/a>. 
Just don\u2019t forget to <a href=\"https:\/\/support.kaspersky.com\/common\/start\/12782\" target=\"_blank\" rel=\"noopener noreferrer\">enable it<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have created an extension to learn about the information websites collect to \u201cfingerprint\u201d browsers.<\/p>\n","protected":false},"author":675,"featured_media":22166,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1622],"tags":[2106,2090,2091,1171,43,3103,788],"class_list":{"0":"post-22165","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"tag-browsers","9":"tag-ccc","10":"tag-chaos-communication-congress","11":"tag-fingerprints","12":"tag-privacy","13":"tag-rc3","14":"tag-tracking"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/rc3-fpmon-browser-fingerprinting\/22165\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/rc3-fpmon-browser-fingerprinting\/22406\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/rc3-fpmon-browser-fingerprinting\/17894\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/rc3-fpmon-browser-fingerprinting\/24084\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/rc3-fpmon-browser-fingerprinting\/20859\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/rc3-fpmon-browser-fingerprinting\/24529\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/rc3-fpmon-browser-fingerprinting\/23722\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/rc3-fpmon-browser-fingerprinting\/29947\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/rc3-fpmon-browser-fingerprinting\/9232\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com
\/blog\/rc3-fpmon-browser-fingerprinting\/38369\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/rc3-fpmon-browser-fingerprinting\/16246\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/rc3-fpmon-browser-fingerprinting\/16828\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/rc3-fpmon-browser-fingerprinting\/14373\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/rc3-fpmon-browser-fingerprinting\/26075\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/rc3-fpmon-browser-fingerprinting\/29879\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/rc3-fpmon-browser-fingerprinting\/26586\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/rc3-fpmon-browser-fingerprinting\/23449\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/rc3-fpmon-browser-fingerprinting\/28782\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/rc3-fpmon-browser-fingerprinting\/28593\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/rc3\/","name":"RC3"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/22165","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=22165"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/22165\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/22166"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=22165"}],"wp:term":[{"taxonomy":"category","embeddable":true,
"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=22165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=22165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}