Digital security in 2021: We have more tools to protect our identity online than ever before. You can forbid cookies — the little bits of information that Web sites put in browsers to identify us — block invasive trackers from tracking our machines, switch to incognito mode, opt out of cross-app tracking with Apple’s latest iOS update, or even go so far as to only access the Internet through highly encrypted virtual private networks.
But there is a method of tracking that can still slip past these protections, and it’s becoming increasingly popular: fingerprinting.
Digital security: The anatomy of a fingerprint
What makes fingerprinting so elusive and difficult to protect against is the fact that the data it uses is important to the fundamental functions of the Internet.
Apps and websites tend to collect all sorts of information from us (GPS coordinates, our personal information, etc.) that we pay attention to and usually have the ability to keep to ourselves. But a cursory look at the privacy policies of almost any technology company will show you that they also collect a number of other miscellaneous data that you don’t pay attention to and that you can’t easily prohibit them from tracking – like what software is running on your device and what service provider you’re connected to.
There is a legitimate reason why companies need this data and why they can get it without even asking for your explicit permission. All of us users access the Internet by a variety of means, and in order to ensure that a site or app loads as it should for every user, no matter what browser, app, phone or computer they use, those sites need to know certain data about the way they access it. But this seemingly innocuous data collection is also the basis of fingerprinting.
Trackers combine properties of your device such as display size, operating system, language preferences and more to form your unique fingerprint. They match that fingerprint across websites and apps to identify you and offer you relevant ads.
Once a Web site captures your fingerprint, it can track you for 100 days — no matter what security measures you have set in your browser.
Because all of this happens invisibly in the background while you’re surfing the Internet, you can’t keep track of your fingerprints, nor can you delete them as you can third-party cookies. Because your device’s fingerprint always stays the same, this tracking method also cannot be limited by typical measures, such as opening a private window or clearing your browser cache.
“Fingerprints are a threat to user privacy because they allow companies to track and identify users and devices in an opaque way,” said Patrick Jackson, CTO of Disconnect, a privacy app for iOS and Mac.
Finding a solution
There is currently no effective way to stop fingerprinting, but Internet companies have already begun to combat the threat and look for potential ways to eliminate it. The Chromium-based Brave browser is the most convincing way to combat malicious fingerprinting we’ve seen so far.
Brave’s solution is simple: Whenever a Web site asks for data that could potentially allow fingerprinting, the browser complies, but it adds noise or random information to the answer, small enough that it doesn’t ruin your Web experience. This gives you a unique fingerprint for every session and every Web page. This way, trackers can no longer capture a single fingerprint of yours and match it across all websites to follow you, since your device will signal a different fingerprint every time.
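The linking step and the randomization defence described above, as an added example (not Brave's code and not code from this article). The attribute names, sample values, site names and the low-bit noise scheme keyed by a per-session secret are assumptions for illustration.

```javascript
// Added illustration, not Brave's implementation: attribute names, sample
// values and the low-bit noise scheme are assumptions for this example.
const crypto = require("node:crypto");

// Constructed sample of device properties a page can read without a prompt.
const DEVICE = {
  screen: "2560x1440",
  os: "macOS 11.4",
  language: "en-US",
  // Stand-in for 32 values read back from an invisible canvas drawing.
  canvasPixels: Array.from({ length: 32 }, (_, i) => (i * 37 + 11) % 256),
};

// What a tracker computes: one hash over the properties in a fixed key order.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs)
    .sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`)
    .join("|");
  return crypto.createHash("sha256").update(canonical).digest("hex").slice(0, 16);
}

// Defence: derive a seed from a per-session secret and the site name, then
// flip the lowest bit of each canvas value with it. Each value moves by at
// most 1, so the drawing looks the same, but the hash no longer matches.
function randomize(attrs, sessionKey, site) {
  const seed = crypto.createHmac("sha256", sessionKey).update(site).digest();
  const canvasPixels = attrs.canvasPixels.map((v, i) => v ^ (seed[i % seed.length] & 1));
  return { ...attrs, canvasPixels };
}

// Fingerprint a given site would compute when the defence is active.
function observedBy(site, sessionKey) {
  return fingerprint(randomize(DEVICE, sessionKey, site));
}

// Number of distinct fingerprints seen across sites; 1 means fully linkable.
function distinctAcross(sites, view) {
  return new Set(sites.map(view)).size;
}

const SITES = ["news.example", "shop.example", "video.example"];
const session = crypto.randomBytes(32); // fresh secret per browsing session
console.log("no defence:", distinctAcross(SITES, () => fingerprint(DEVICE)));
console.log("randomized:", distinctAcross(SITES, (s) => observedBy(s, session)));
```

Within one session a site keeps seeing the same value, so the page behaves consistently, while the values seen by different sites or in a later session cannot be matched to each other.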
In our tests, Brave was the only major browser that passed the Cover Your Tracks test from the Electronic Frontier Foundation, which determines how well your browser can protect against practices like fingerprinting.
Other browsers, including Safari, Google Chrome and Mozilla Firefox, have had limited success with existing mechanisms to protect against fingerprinting. Unlike Brave, which takes a more dynamic approach to fighting fingerprinting, these apps have a generic implementation that attempts to restrict sites from accessing your device’s data and relies on a list of known fingerprinting domains to block them.
Hitting a moving target
The reason these outdated measures are no longer effective is because fingerprinting is a broad, evolving concept. It is a practice that has become more complex as the Internet has evolved and is becoming more sophisticated every year.
Some trackers, for example, make your browser draw on an invisible canvas in a web page. When your computer does this, it transmits information such as screen resolution. Similarly, trackers can derive your fingerprint from the way your device handles acoustic signals when you play an audio file on the Internet.
Benoit Baudry, professor of software technology at the KTH Royal Institute of Technology in Stockholm, says it’s hard to mitigate the fingerprint problem, “because its boundaries are fuzzy and constantly changing.”
“Cookies have one single, specific purpose: to identify the user,” Baudry adds. Meanwhile, browser fingerprinting “repurposes” technology designed for something else. “That’s why it’s much harder to intercept than cookies: there isn’t a single specific script, object, or packet that can be intercepted.”
In addition to capitalizing on important web data, another aspect that prevents browser makers from banning fingerprints entirely is that they are also used for positive purposes, such as fraud detection. When Web sites detect that a user is trying to log in with a new fingerprint (which essentially means a new machine), they ask for additional authentication data to make sure that the source is not malicious.
However, experts such as Zubair Shafiq, assistant professor of computer science at the University of California, Davis, argue that fingerprinting is “redundant for fraud detection.”
Several companies are currently working toward that very goal — including Google, which is actively exploring ways to combat fingerprinting.
Until now, fingerprinting has gone largely undetected because advertisers and tracking firms have had reliable and direct channels to profile users. Now that the Internet’s biggest “gatekeepers,” including Google and Apple, are restricting traditional tracking mechanisms like cookies, fingerprinting has come under the spotlight, and if it becomes widespread, it could become the most significant threat to our privacy. And that seems to be where it’s headed.
The number of fingerprint trackers on websites has doubled since 2014, and Disconnect’s Jackson also mentions that in the run-up to Apple’s cookie and cross-app tracking ban, companies are “collecting huge amounts of device data to either calculate (and collect) the fingerprint on a device or to do calculations on their servers using the raw data.”
Pierre Laperdrix, a researcher at France’s National Center for Scientific Research who has been studying fingerprints for more than a decade, believes that this will always remain a cat-and-mouse game for Internet companies. All they can do is stay one step ahead of trackers.
“In my opinion,” Laperdrix said, “I don’t think we can completely do away with fingerprints without changing the way browsers and servers work.”