Fingerprinting harms privacy

Privacy issues are everywhere these days, and it’s not just Facebook’s fault with its legendary data leaks.

There are various ways to protect your privacy, including hardening privacy settings and blocking online tracking and ads.

You should probably opt out of broken platforms too, but let’s be way more specific here. If you’ve never heard about browser fingerprinting or device fingerprinting, this post is for you.

Websites collect fingerprints

Do you hide your IP address? If not, consider protecting your location, unless you really don’t care; IMHO you should, as your IP address points directly to your device.

Still, hiding your IP does not make you truly anonymous, whatever the most shameless VPN providers promise their customers.

There are more subtle ways to identify your machines. Every time you browse the web, you leave fingerprints behind you. Some techniques use those tracks to identify specific devices and browsers, even when cookies are completely turned off.

Websites can collect data such as your operating system, browser, language, screen resolution, and many more attributes that each partially identify you.

It’s called browser fingerprinting, and it has been heavily used for advertising purposes over the past years, as it makes it possible to group people with the same interests.

Big companies don’t care who you are or where you live (not your home address, but location matters). They need to target profiles.

Fingerprinting helps detect criminal activities

There are gigantic databases that store millions of fingerprints for analysis purposes. They can help detect botnets and even hackers.

Authorities and forensic teams can use fingerprints to catch attackers, much as investigators hunt criminals with fingerprints collected at a crime scene.

Indeed, a user’s browser generates a fairly unique fingerprint: there is very little chance somebody else has the same combination of these generic attributes.

JavaScript can call specific browser APIs to collect this precious, supposedly anonymous data. Just open the browser console and type navigator: you’ll see an extensive range of information about your configuration.

Even legitimate HTML5 elements such as <canvas> generate identifying data in the user’s browser.

Browsers and devices

Device fingerprinting is useful for detecting unusual activity. Many apps and services record the user’s devices.

Any sign of fraud can trigger an investigation that may lead to suspending a suspicious account, for example when an attacker logs in from an unregistered device.

However, this technique is a severe threat to privacy. Installed applications are often allowed to collect nothing less than the MAC address or the device ID.

Fingerprinting can completely identify a user, especially with mobile phones, as these devices are often tied to a real identity (e.g., wallets, Apple Pay, G-Suite, etc.).

Raw fingerprints are called PII, which stands for Personally Identifiable Information. Marketers and advertisers love them, and so do threat actors.

From another perspective, there’s a deanonymization threat, which can be nasty for whistleblowers and activists.

The math behind fingerprinting

It’s not always clear how fingerprints can be so unique. To generate fingerprints accurate enough to identify users, websites often combine various fingerprinting techniques.

The final result is a collection of signals, and the identifying power of the fingerprint is measured in bits of entropy.

For example, if a fingerprint has 15 bits of entropy, only 1 in 32768 (2¹⁵) devices shares the same fingerprint. There are lots of device specs, and combining them increases the entropy.
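As an added worked example (not part of the original post), the following Python script shows how the bits add up: each observed value contributes -log2(p) bits, where p is the share of visitors with that value, and independent signals sum. The frequency tables are constructed assumptions, not real measurements, and the independence assumption is itself a caveat noted in the code.

```python
import math

# Constructed share-of-visitors tables for three signals (illustrative
# assumptions, not real measurements). Each table sums to 1.
SIGNALS = {
    "os": {"Windows": 0.70, "macOS": 0.15, "Android": 0.10, "Linux": 0.03, "iOS": 0.02},
    "language": {"en-US": 0.40, "en-GB": 0.10, "fr-FR": 0.08, "de-DE": 0.07, "other": 0.35},
    "screen": {"1920x1080": 0.35, "1366x768": 0.25, "2560x1440": 0.10,
               "1440x900": 0.10, "other": 0.20},
}


def surprisal_bits(signal, value):
    """Identifying information revealed by one observed value: -log2(p)."""
    return -math.log2(SIGNALS[signal][value])


def signal_entropy(signal):
    """Shannon entropy of a signal: the average bits it contributes per visitor."""
    return -sum(p * math.log2(p) for p in SIGNALS[signal].values() if p > 0)


def fingerprint_bits(observed):
    """Total bits of an observed fingerprint, assuming the signals are independent.

    Independence is an assumption: correlated signals (iOS almost implies Safari,
    for instance) would be overcounted by a plain sum.
    """
    return sum(surprisal_bits(s, v) for s, v in observed.items())


def anonymity_set(bits, population):
    """Expected number of devices in a population that share a fingerprint of
    this many bits: with 15 bits and 32768 devices, that is exactly one."""
    return population / 2 ** bits


if __name__ == "__main__":
    for name in SIGNALS:
        print(f"{name:8s} contributes {signal_entropy(name):.2f} bits on average")
    rare = {"os": "Linux", "language": "fr-FR", "screen": "2560x1440"}
    common = {"os": "Windows", "language": "en-US", "screen": "1920x1080"}
    for label, fp in (("rare", rare), ("common", common)):
        bits = fingerprint_bits(fp)
        print(f"{label}: {bits:.2f} bits -> 1 in {2 ** bits:,.0f} devices, "
              f"about {anonymity_set(bits, 1_000_000):,.0f} matches per million")
```

A common combination (Windows, en-US, 1920x1080) yields only a few bits, while a rare one (Linux, fr-FR, 2560x1440) already exceeds 12 bits, which is why a handful of extra signals quickly pushes a fingerprint towards uniqueness.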

How to fight against fingerprinting

Forget about incognito mode and test your fingerprint. Use plugins such as ad blockers.

Besides, there are privacy-focused browsers, such as DuckDuckGo, which can be installed as a browser extension on desktop and as a mobile app on Android and iOS.

However, the Tor Browser is IMHO the most efficient way to block fingerprinting if you configure it correctly. Security hardening is not enabled by default, though.

Many people believe it has the highest security level by default because it’s Tor, but that’s just wrong.

Wrap up

While fingerprinting can help prevent fraud, it’s a massive threat to privacy, and many techniques are off the radar of the GDPR.

Photo by Immo Wegmann on Unsplash