Storage-based methods (described in the previous part) are the best-known and the most-used methods for identifying and tracking people online.
Why not only storage-based
However, these methods sometimes do not affect. Users can easily turn off or clear up browser storages. Browsers also develop methods to restrict the possibility of tracking.
Device or browser fingerprinting is to solve those issues.
Why the cashier needs my postal code
Do you know why cashiers often ask for postal code, when you pay using a credit card?
It happens because retailers want to attribute what shopping baskets are bought by a particular consumer. The shop does not obtain all digits of your credit card number, but only a few last digits. As they are not unique enough, these digits don’t allow us to recognize each consumer.
But shops can gather some additional characteristics by simply asking consumers. Postal code is nice, because:
- is a short number,
- in a combination with digits of credit card is unique enough,
- customers generally don’t mind sharing it.
The digits of credit card and postal code together will often uniquely identify a particular customer and allow basket attribution.
So, retailers have a method to attribute which purchases are from one particular customer.
What is fingerprinting?
Websites can adopt a similar strategy.
In short, fingerprinting is using observable characteristics to create a digital “fingerprint”, whereby websites can identify or re-identify a visiting user, browser, or device. A fingerprint, a unique identifier of a browser, device or user itself, consists of one or more values which can be read by the website from a user device.
Fingerprinting can be used also to:
- correlate a user’s activity within and across sessions,
- track users in cross-domain context,
- identify pseudonymous users (when browser fingerprint is correlated with email or other identifying information),
- fraud detection.
That’s the way the user can be tracked on multiple different websites (domains), which might be not possible using other methods. The tracking is transparent to the user and it works regardless of the browser accepts cookies or not, because no data is stored in storage- or session-based mechanisms.
The user does not even need to authenticate.
Every request contains many characteristics that could be used to differentiate users. These properties can be discovered passively, without code execution on the user device.
Passive fingerprinting could use:
- IP address,
- version and operating system,
- preferred languages,
- HTTP Accept headers.
This data is almost always sent by the browser when the user visits websites.
For some populations, the user-agent and IP address are unique enough to identify a particular user (device).
- browser window size,
- installed fonts and plug-ins,
- enabled plug-ins,
- data from device sensors,
- supported MIME types,
- enabled storage mechanisms,
- rendering graphical patterns.
Key to the distinction between passive and active methods is that active fingerprinting is potentially detectable by the user.
The big picture
The easiest way you can obtain some intuition about fingerprinting is to test your browser for its uniqueness.
Turn data privacy to your advantage and rebuild consumers' trust: the next investment frontier |…
TikTok usage has skyrocketed during the pandemic, with roughly 800 million users around the world using the platform to…
Panopticlick is a research project of the Electronic Frontier Foundation. It will analyze your browser with popular online tracking techniques and also will check your system is uniquely configured — and thus identifiable.
I encourage you to click “Show full results for fingerprinting”. It will show you a table with a list of popular fingerprinting techniques.
Now let’s see how to work some of them.
The user-agent request header is a characteristic string that lets servers identify the application, operating system, vendor, and/or version of the requesting browser.
It can be acquired both server- and client-side.
On the server-side is attached to each HTTP request. On the client-side is available in variable navigator.userAgent.
The navigator object is interesting for fingerprinting also because it stores more information about the browser and device.
- the detailed version of the browser,
- supported formats of images and media files,
- preferred and accepted languages,
- CPU platform,
- enabled storages.
It is worth mentioning that, the detection of the browser vendor by the self-reported user-agent could be not reliable, as various browsers and web extensions can obfuscate this string or even impersonate another browser.
You would expect that with the same input, all browsers produce the same result. But surprisingly, graphics created with canvas often show tiny differences. Created images depend on the operating system, installed fonts, graphics card, and the browser itself, due to font rasterization, antialiasing, smoothing, API implementations, and the physical display.
The result can be, for example, hashed using a toDataURL function. If a browser repeatedly renders the same image on the same device, the same hash value should remain the same.
A similar technique could be used with WebGL.
Network and location fingerprinting
As I mentioned before, the IP address is an important characteristic in fingerprinting. It is probably one of the easiest characteristics to obtain, from incoming HTTP requests.
But nowadays user’s IP changes relatively often, especially in mobile networks. However, IP remains static in the time long enough to use it as part of fingerprinting.
Check demo (by Cloudflare): https://www.cloudflare.com/cdn-cgi/trace
Mobile devices can determine their location by using GPS, WiFi or cellular towers. Many websites use this to display personalized information relevant to the current location of the user. Websites can access this data through the Geolocation API.
An interesting application for this knowledge is user identification based on geolocation history. There are studies that over 50% of users are uniquely identifiable from just two randomly chosen points.
Of course, geolocation isn’t enough to differentiate users, but in combination with other techniques, such as time correlation, might give a good result.
Operating System fingerprinting
Date and timezone
One text is written with a test font (almost certainly present in most devices, e.g. Times New Roman), and the other with the font we want to locate.
If the width of both texts will be different, then we can assume that the font you are looking for is installed.
fingerprintJS can perform browser fingerprinting using:
- screen resolution,
- colour depth,
- installed plugins with supported mime types,
- time zone offset,
- local storage,
- session storage.
ClientJS can perform browser fingerprinting using:
- colour depth,
- current resolution,
- available resolution,
- device XDPI,
- device YDPI,
- plugin list,
- font list,
- local storage,
- session storage,
- system language,
- canvas print.
Takeaways and future directions
In this part, you have familiarized yourself with some fingerprinting methods.
Although in most cases user agent, IP address and canvas fingerprinting might be sufficient enough for identification, the catalogue remains open.
Future solutions, that will be developed in response to possible browsers limitations, should take into account what happens if a user changes a fingerprinted property (as updates the plugin or changes the screen resolution).
Studies show that current fingerprint can be matched to the earlier one by a heuristic algorithm with the accuracy of around 99 %
Ultimately, fingerprinting is just one more of many techniques for tracking individual users.
To develop a reliable tracking solution, you should combine fingerprinting with classic cookies, localStorage, Web Storage, WebSQL, FileWriter API or HTTP-ETag and constantly improve and discover new methods.
Thank you for reading. I hope you enjoyed reading as much as I enjoyed writing this for you.
If you would like to share feedback or simply say ‘hello’, you can connect with me: https://www.linkedin.com/in/rafalrybnik/?locale=en_US
If you enjoyed reading this, you’ll probably enjoy my other articles too: https://fischerbach.medium.com