Storage-based methods (described in the previous part) are the best-known and the most-used methods for identifying and tracking people online.

Why not only storage-based

However, these methods sometimes do not affect. Users can easily turn off or clear up browser storages. Browsers also develop methods to restrict the possibility of tracking.

Device or browser fingerprinting is to solve those issues.

Why the cashier needs my postal code

Do you know why cashiers often ask for postal code, when you pay using a credit card?

It happens because retailers want to attribute what shopping baskets are bought by a particular consumer. The shop does not obtain all digits of your credit card number, but only a few last digits. As they are not unique enough, these digits don’t allow us to recognize each consumer.

But shops can gather some additional characteristics by simply asking consumers. Postal code is nice, because:

• is a short number,
• in a combination with digits of credit card is unique enough,
• customers generally don’t mind sharing it.

The digits of credit card and postal code together will often uniquely identify a particular customer and allow basket attribution.

So, retailers have a method to attribute which purchases are from one particular customer.

What is fingerprinting?

Websites can adopt a similar strategy.

In short, fingerprinting is using observable characteristics to create a digital “fingerprint”, whereby websites can identify or re-identify a visiting user, browser, or device. A fingerprint, a unique identifier of a browser, device or user itself, consists of one or more values which can be read by the website from a user device.

Fingerprinting can be used also to:

• correlate a user’s activity within and across sessions,
• track users in cross-domain context,
• identify pseudonymous users (when browser fingerprint is correlated with email or other identifying information),
• fraud detection.

Cross-domain user tracking is possible because the fingerprint is relatively unique and the same for all origins. Therefore, different websites may be able to combine information about a single user, even where a cookie policy would block third-party cookies.

That’s the way the user can be tracked on multiple different websites (domains), which might be not possible using other methods. The tracking is transparent to the user and it works regardless of the browser accepts cookies or not, because no data is stored in storage- or session-based mechanisms.

The user does not even need to authenticate.

Passive fingerprinting

Every request contains many characteristics that could be used to differentiate users. These properties can be discovered passively, without code execution on the user device.

Passive fingerprinting could use:

• IP address,
• user-agent,
• version and operating system,
• preferred languages,
• HTTP Accept headers.

This data is almost always sent by the browser when the user visits websites.

For some populations, the user-agent and IP address are unique enough to identify a particular user (device).

Active fingerprinting

Active fingerprinting requires techniques where a website runs JavaScript client-side script to observe additional properties about the browser, device, user, or another context.

This includes:

• browser window size,
• installed fonts and plug-ins,
• enabled plug-ins,
• performance,
• data from device sensors,
• timezone,
• supported MIME types,
• enabled storage mechanisms,
• rendering graphical patterns.

Key to the distinction between passive and active methods is that active fingerprinting is potentially detectable by the user.

The big picture

The easiest way you can obtain some intuition about fingerprinting is to test your browser for its uniqueness.

Panopticlick is a research project of the Electronic Frontier Foundation. It will analyze your browser with popular online tracking techniques and also will check your system is uniquely configured — and thus identifiable.

Panopticlick

I encourage you to click “Show full results for fingerprinting”. It will show you a table with a list of popular fingerprinting techniques.

Now let’s see how to work some of them.

Browser fingerprinting

User-agent

The user-agent request header is a characteristic string that lets servers identify the application, operating system, vendor, and/or version of the requesting browser.

It can be acquired both server- and client-side.

On the server-side is attached to each HTTP request. On the client-side is available in variable navigator.userAgent.

The navigator object is interesting for fingerprinting also because it stores more information about the browser and device.

For example:

• the detailed version of the browser,
• supported formats of images and media files,
• preferred and accepted languages,
• CPU platform,
• enabled storages.

It is worth mentioning that, the detection of the browser vendor by the self-reported user-agent could be not reliable, as various browsers and web extensions can obfuscate this string or even impersonate another browser.

Canvas fingerprinting

HTML5 introduced an area of the screen — Canvas, which can be used to draw text or images with JavaScript.

A page can contain a canvas element in which JavaScript commands arrange simple shapes, colours, fonts and images into a pixel graphic. Animations are created by quickly changing these graphics; one of the most important areas of application are browser games. The browser can convert the pixel graphics generated by the canvas into formats such as JPEG or PNG.

You would expect that with the same input, all browsers produce the same result. But surprisingly, graphics created with canvas often show tiny differences. Created images depend on the operating system, installed fonts, graphics card, and the browser itself, due to font rasterization, antialiasing, smoothing, API implementations, and the physical display.

The result can be, for example, hashed using a toDataURL function. If a browser repeatedly renders the same image on the same device, the same hash value should remain the same.

A similar technique could be used with WebGL.

Network and location fingerprinting

IP address

As I mentioned before, the IP address is an important characteristic in fingerprinting. It is probably one of the easiest characteristics to obtain, from incoming HTTP requests.

But nowadays user’s IP changes relatively often, especially in mobile networks. However, IP remains static in the time long enough to use it as part of fingerprinting.

Check demo (by Cloudflare): https://www.cloudflare.com/cdn-cgi/trace

GPS

Mobile devices can determine their location by using GPS, WiFi or cellular towers. Many websites use this to display personalized information relevant to the current location of the user. Websites can access this data through the Geolocation API.

An interesting application for this knowledge is user identification based on geolocation history. There are studies that over 50% of users are uniquely identifiable from just two randomly chosen points.

Of course, geolocation isn’t enough to differentiate users, but in combination with other techniques, such as time correlation, might give a good result.

Operating System fingerprinting

Date and timezone

JavaScript also facilitates recognizing the system local timezone and the local datetime up to 1 millisecond.

Graphics

The colour depth, screen resolution and other display parameters can be detected by JavaScript by using window.screen global variable.

Font list

The list of installed fonts can be detected by JavaScript. One of the techniques is to set up two hidden texts.

One text is written with a test font (almost certainly present in most devices, e.g. Times New Roman), and the other with the font we want to locate.

If the width of both texts will be different, then we can assume that the font you are looking for is installed.

Fingerprinting libraries

fingerprintJS

Most of the methods described above are implemented in the free JavaScript library fingerprintJS.

fingerprintJS can perform browser fingerprinting using:

• user-agent,
• screen resolution,
• colour depth,
• installed plugins with supported mime types,
• time zone offset,
• local storage,
• session storage.

ClientJS

ClientJS is a JavaScript library that makes digital fingerprinting easy, while also exposing all the browser data-points used in generating fingerprints.

ClientJS can perform browser fingerprinting using:

• user-agent,
• screenprint,
• colour depth,
• current resolution,
• available resolution,
• device XDPI,
• device YDPI,
• plugin list,
• font list,
• local storage,
• session storage,
• timezone,
• language,
• system language,
• cookies,
• canvas print.

Takeaways and future directions

In this part, you have familiarized yourself with some fingerprinting methods.

Although in most cases user agent, IP address and canvas fingerprinting might be sufficient enough for identification, the catalogue remains open.

Future solutions, that will be developed in response to possible browsers limitations, should take into account what happens if a user changes a fingerprinted property (as updates the plugin or changes the screen resolution).

Studies show that current fingerprint can be matched to the earlier one by a heuristic algorithm with the accuracy of around 99 %

Ultimately, fingerprinting is just one more of many techniques for tracking individual users.

To develop a reliable tracking solution, you should combine fingerprinting with classic cookies, localStorage, Web Storage, WebSQL, FileWriter API or HTTP-ETag and constantly improve and discover new methods.

Thank you for reading. I hope you enjoyed reading as much as I enjoyed writing this for you.

If you would like to share feedback or simply say ‘hello’, you can connect with me: https://www.linkedin.com/in/rafalrybnik/?locale=en_US

If you enjoyed reading this, you’ll probably enjoy my other articles too: https://fischerbach.medium.com

Check also

References

W3C. “Mitigating Browser Fingerprinting in Web Specifications.”

Gain Access to Expert View — Subscribe to DDI Intel