Fingerprint collection is a popular form of criminal forensic investigation in which results are matched against a database of known individuals to identify a particular person. Browser fingerprinting uses a similar technique to capture the identity of a specific person: an entire collection of browser identification points is matched against the recorded browser characteristics of known people.
The underlying fact is that neither forensic fingerprinting nor browser fingerprinting is capable of showing the real identity of a person, but both are sure to reveal that a specific person performed certain similar activities. You can also refer to browser fingerprinting as canvas fingerprinting.
The traditional way of finding out online identity was through surveillance of IP addresses. This works because the TCP/IP protocol suite used by the internet requires every connection request to be sent with an IP address, so that the web server can easily work out where to send its replies.
Virtual Private Networks were born out of the need to conceal real IP addresses and replace them with an address borrowed from the VPN. The acquired IP address is shared among a large pool of users, which effectively maintains online anonymity.
Therefore, the web server stores connection logs against the VPN IP address. However, as technology developed, privacy intruders noted that it was possible to track information from a user’s browser other than the IP address, and that this information had the potential to create identity leads.
What Browser Data Can Be Collected?
So how is the tracking of surfer identity through unique browser activity even possible?
Much of what a browser sends out to the web server cannot be hidden or cleared. Correlating a specific user’s browser activity with one particular unique pattern of browser requests could quickly reveal the user’s identity, even while they are browsing on a VPN.
Corporations are also prevalent users of browser fingerprinting, which they use to identify audience segments that are useful for targeted advertising. Some websites, such as dating sites or banks, also make use of the technique to detect potential fraud.
Browser fingerprinting identifies someone’s unique site identity by analyzing each of the following inputs.
- Encoding header
- Language header
- User-agent header
- Accept header
- Connection header
- Plugins list
- Cookie settings
- Tracking preference (yes/no)
- Use of session storage
- Use of local storage
- Images rendered with WebGL or HTML canvas element
- Time zone
- Adblock present or not
- List of fonts used
The method is, however, limited by users moving to new browser versions. Testing against a sample of browsing activities can therefore be misleading, because the results would test as unique.
The record of test samples grows every day with increasing web traffic. Comparing new samples against old browsers and outdated test results is therefore difficult. Additionally, a test result that does not show a user as unique is also a failed and misleading test. Any user’s test inputs are as unique as the sample size.
As mentioned earlier, fingerprinting can be done in two ways: through server-side collection or client-side collection.
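An added example, not from the original article, of why a uniqueness verdict depends on the sample it is tested against: it counts how many recorded browsers share a visitor's attribute values and how many bits of identifying information each attribute carries. The sample records, attribute names and function names are constructed for illustration.

```javascript
// Constructed records; the four attribute names are assumptions picked from
// the article's input list. SAMPLE[0] is the visitor being tested.
const rec = ([userAgent, language, timeZone, doNotTrack]) =>
  ({ userAgent, language, timeZone, doNotTrack });
const SAMPLE = [
  ["Firefox/123 on Linux", "de-CH", "Europe/Zurich", true],
  ["Chrome/122 on Windows", "en-US", "America/New_York", false],
  ["Chrome/122 on Windows", "en-US", "America/Chicago", false],
  ["Firefox/123 on Linux", "en-US", "Europe/Zurich", false],
  ["Safari/17 on macOS", "en-GB", "Europe/London", false],
  ["Firefox/123 on Linux", "de-CH", "Europe/Zurich", true],
  ["Chrome/122 on Windows", "de-CH", "Europe/Zurich", false],
  ["Chrome/122 on Windows", "en-US", "America/New_York", false],
].map(rec);

// Number of records that equal `me` on every attribute in `attrs`.
function matching(sample, me, attrs) {
  return sample.filter((s) => attrs.every((a) => s[a] === me[a])).length;
}

// Identifying information carried by one attribute value, in bits:
// -log2(share of the sample that has the same value).
function bits(sample, me, attr) {
  const n = matching(sample, me, [attr]);
  return n === 0 ? Infinity : -Math.log2(n / sample.length);
}

// Verdict for `me` against one sample. `me` is assumed to be in the sample,
// so a count of 1 means nobody else recorded there looks the same.
function uniquenessReport(sample, me) {
  const attrs = Object.keys(me);
  const sharedBy = matching(sample, me, attrs);
  const perAttribute = Object.fromEntries(attrs.map((a) => [a, bits(sample, me, a)]));
  return { sampleSize: sample.length, sharedBy, unique: sharedBy === 1, perAttribute };
}

const me = SAMPLE[0];
console.log(uniquenessReport(SAMPLE.slice(0, 4), me)); // small sample
console.log(uniquenessReport(SAMPLE, me));             // larger sample
```

The same visitor tests as unique against the first four records and as one of two against all eight, so the verdict describes the sample as much as the browser.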
Server Side Collection
Web server access logs can be used to record data sent by a user’s browser. The logs include data such as the requested URL and protocol, the requesting user’s IP address, the user agent string and the referer (sic).
On the request end, the operating system, IP address and browser details will be included inside the user agent string.
Chrome/5.0 (Windows; Intel Windows 10_12_4) WindowsWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Chrome/603.1.30
When the user changes to a different browser, the standard Nginx log format is maintained, along with all details except for the browser name. Therefore, when a user makes a connection, it is easy to determine their specific identity, since no two requests can come from different persons with the same IP address and the same browser version and operating system.
Additionally, the web server can be reconfigured to add more information to its logs through log format specifiers.
Cookies and the type of content requested are exchanged between the browser and the web server. It is this information, plus the headers, that reveals information to the public and places internet users at risk of browser fingerprinting.
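What an extended access log lets a server operator see, and what a change of IP address does not hide, as an added example that is not code from the original article. It assumes an nginx `log_format` that appends the Accept-Language and Accept-Encoding headers to the standard combined format; the log lines and function names are constructed.

```javascript
// Constructed sample: nginx "combined" lines plus two extra quoted fields, as
// written by an assumed log_format ending in
//   "$http_user_agent" "$http_accept_language" "$http_accept_encoding"
// IPs are documentation addresses. Lines 1 and 3 are the same browser, first
// seen directly and later through a VPN exit.
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Mar/2024:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" "de-CH,de;q=0.8,en;q=0.5" "gzip, deflate, br"',
  '192.0.2.44 - - [10/Mar/2024:09:13:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0" "en-US,en;q=0.5" "gzip, deflate, br"',
  '203.0.113.90 - - [10/Mar/2024:11:02:17 +0000] "GET /account HTTP/1.1" 200 734 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0" "de-CH,de;q=0.8,en;q=0.5" "gzip, deflate, br"',
  'truncated or malformed line',
];

// Client IP first, then the last three quoted fields: user agent, language, encoding.
const LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" "([^"]*)" "([^"]*)" "([^"]*)"$/;

// Group requests by header set (the IP is deliberately left out of the key).
function ipsPerHeaderSet(lines) {
  const groups = new Map();
  for (const line of lines) {
    const m = LINE.exec(line);
    if (!m) continue; // not in the assumed format
    const [, ip, userAgent, language, encoding] = m;
    const key = JSON.stringify([userAgent, language, encoding]);
    if (!groups.has(key)) groups.set(key, { userAgent, language, encoding, ips: new Set() });
    groups.get(key).ips.add(ip);
  }
  return [...groups.values()];
}

// Header sets seen from more than one address: changing IP did not change them.
function headerSetsAcrossIps(lines) {
  return ipsPerHeaderSet(lines)
    .filter((g) => g.ips.size > 1)
    .map((g) => ({ ...g, ips: [...g.ips].sort() }));
}

console.log(headerSetsAcrossIps(SAMPLE_LOG));
```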
Client Side Collection
This method takes the following factors into consideration: the fonts available, the list of plugins, the screen resolution, the system language, whether the browser accepts cookies, and the other items in the list of inputs above.
Client-side collection is useful in identifying a person who is using a VPN to hide their identity. VPNs make it difficult for intelligence agencies to use the IP address as a favorable identification point. Client-side collection provides a set of data that could help trace unique user information other than the IP address. Therefore, client-side browser fingerprinting makes it easier to track identity without the need for an IP address.
Fingerprinting software can collect and reveal almost 21 subsets of unique data identifiers. It is not possible for different people to share such a diverse range of data points. Although the law has not enforced any browser fingerprinting, evidence of more than ten identifying data sets can work as substantial proof for conviction.
Browser Fingerprinting is your online identification
Privacy Techniques that can help you Mitigate Browser Fingerprinting
When individuals find the need to be more private, they always opt to provide less or no private information. But is this a practical solution? How would you live while holding back your truths in this world of sophisticated global communication?
Take for instance Facebook, WhatsApp, email and the plethora of social sites that require you to fill in forms. These forms are meant to request specific information from you. It is therefore impossible to avoid leaving browser fingerprints behind altogether.
The only option lies in privacy habits that make it difficult to correlate your browsing data points. Doing so means intelligence agencies would not be able to separate your identity from a pool of data sets, and you would maintain varying browsing identities.
You should note that sites that test internet privacy identification are few online. Take for instance Panopticlick, which keeps a record of 470,161+ data sets, and Am I Unique, with a record of 352,000+ data sets.
Note that these figures are just a meagre reflection of the millions of daily internet users whose browsing activities are not sampled.
It therefore means that the amount of data available for fingerprinting is minimal compared to the need for privacy surveillance. The data from both sites is only a measly reflection of the general population of internet users. However, large technology firms like Google and Facebook, which own massive data centers, have the potential to amass billions of pieces of private user information.
It is a fact that Facebook has more than one billion regular visitors who have at one point provided Facebook with their private information. When such substantial data points amassed by the big firms are used to compile browser fingerprints, the threat to personal privacy becomes real and potentially harmful.
Tips to Protect Yourself from Online Browser Fingerprinting
How do you protect yourself from all these potentially intrusive points of access to your private data?
If you opt for a unique browser that does not submit your logs, your identity becomes even more unique and easier to trace. On the other hand, traditional browsers are insecure and risky. What, then, is the best alternative for protecting yourself in this privacy dilemma?
Yes! You can Protect Yourself from Browser Fingerprinting.
Good privacy behavior entails separating your private internet activities from your public internet activities. The moment you learn to dedicate one system to highly secretive activities and another to regular activities is the moment you will find yourself protected from risky data miners. You could even go further and use an anonymity tool like Tails or Qubes. That would enable you to step up the separation of your private and public activity.
The following are tips to help you separate your private activities from your public activities:
- Private internet usage should strictly not access sites that you use for your public internet browsing. For instance, do not log in to your Twitter or Facebook from a private connection or Tor Browser.
- Private internet usage should be through a different computer system, installed with a working anonymity tool or a Virtual Private Network.
- Use two separate VPNs in case you will need a VPN connection. The two VPNs should be for your private and public internet usage respectively.
- Do not reuse usernames, email addresses and account logins that correlate between your private internet life and your public internet life.
Of course, it is possible that surveillance could pick out the characteristic traits of a unique user on the private internet, but it would not be possible to trace that identity to the user’s public identity.
Browser Choice and Tips
The following browsers are essential when it comes to configuring your browsing environment to achieve full internet privacy.
- Tor Browser
- Brave Browser
- Virtual Machines
- Firefox browser
The above browsers require that a user sets up unique customization to help protect their identity. Therefore, you should check the privacy user guides for browsers that protect you from browser fingerprinting. You should also opt for a good VPN with strong encryption and the ability to conceal your IP address.
Analyzing unique browser fingerprints is a technology in its development stages. You have the upper hand in the direction your privacy should take.
An excellent browsing environment, for instance Firefox, provides a unique set of privacy features that place your private information under your control. Combining the above information with the kind of privacy you wish for will give you an opportunity to mitigate browser fingerprinting.