Device or browser fingerprinting is an advanced technique used to identify and track users online. It goes beyond traditional methods like cookies and IP addresses, creating a unique identifier based on the device and browser's specific characteristics. Let's delve deeper into this technology, how it persists even with VPNs and without cookies. Above all else we will discuss how websites use device fingerprinting to identify you even if you don’t fill out a form or sign up for their service.
Understanding Device/Browser Fingerprinting
Fingerprinting is akin to taking a detailed snapshot of a device and its settings. When you connect to a website, your device and browser automatically share information, such as your operating system, screen resolution, language, time zone, and more. By collecting and analyzing this data, a website can create a 'fingerprint' or unique profile of your device.
Let's look at the components of this fingerprint:
These include attributes such as the device model, screen resolution, CPU class, number of CPU cores, GPU information, and the amount of RAM. While these might seem generic, the combination of these elements can make a device identifiable.
Browser attributes are extensive and can vary significantly between users. They include information like the browser type and version, a list of installed plugins and their versions, whether cookies are enabled, and the preferred language.
Advanced fingerprinting techniques can pull even more specific data to create a fingerprint. This includes:
- Canvas Fingerprinting: Websites can use the HTML5 canvas element to send a hidden image to your browser to be rendered, then they analyze how your device renders it. Even tiny differences in rendering can help create a unique fingerprint.
- WebGL Fingerprinting: Similar to canvas fingerprinting, WebGL fingerprinting analyzes how your device renders 3D graphics.
- AudioContext Fingerprinting: This technique captures the audio processing capabilities of your device.
- Battery API: Some browsers allow websites to access the status of a device's battery, which can provide more information for a fingerprint.
- WebRTC: This can reveal the real IP address of a user, even when using a VPN or proxy.
Fingerprinting vs. Cookies and IP Addresses
- Cookies - Cookies are small data files that websites store on your device to remember your activities or preferences. While they have been the standard for online tracking, users can clear, disable, or manage cookies, significantly reducing their tracking potential. Furthermore, laws like the EU's GDPR require websites to obtain user consent for cookies, making them less attractive for stealthy tracking.
- IP Addresses - IP addresses can also provide a degree of user tracking. However, they can change (especially for mobile devices), and users can mask them using VPNs or proxies. Thus, IP addresses are not a reliable tracking method.
How Fingerprinting Overcomes VPNs and Cookie Restrictions
Unlike cookies, device/browser fingerprints can't be cleared with a button click. And while VPNs can disguise a user's IP address, they don't alter a device and browser's unique characteristics. Even with a VPN, your device still shares the same information with websites, allowing fingerprinting to take place.
Cross-browser fingerprinting is another advanced technique that can identify users even when they switch browsers. It leverages machine-level attributes (like installed fonts or hardware attributes), which are consistent across all browsers on a device.
How can websites know I’m on their site if I don’t fill out a form?
Many data companies out there provide the service of fingerprint matching. What does this mean? Well, simply put, many data companies have developed identity graphs that enable them to make a one-to-one match between your unique browser fingerprint and your personal information, such as name, address, email, and phone number. These data companies, in turn, provide services to companies allowing them to get the names and contact information of people visiting their websites even if they never filled out a form.
How do data companies collect this information?
Many data companies offering this service partner with thousands of large websites called publishers and give them monthly money for collecting this information. These data companies have publisher websites that put a collection pixel on their site, which collects browser fingerprints and other contact information you offer when you fill out a form. Once you enter your information in an online form on a publisher's site, the one-to-one match is made to your browser fingerprint, and the data company will index this. In turn, the next time you land on a website that uses this data company's services, they can tell the company who you are and your personal information without you filling out a form.
Implications for Privacy
Device/browser fingerprinting raises critical privacy concerns. Since it operates covertly, users often have no knowledge or control over it. It can track users across different websites and build a comprehensive profile of their online behavior. Fingerprinting allows for persistent, stateful tracking, enabling extensive profiling over time.
Another resource to check out is the website AmIUnique.org, which will tell you how unique your browser fingerprint is.