Browser fingerprints, and why they are so hard to erase

Fingerprinting is an increasingly common yet rarely discussed technique for identifying individual Web users.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Web advertisers and many others have long appreciated the volumes of information they can collect on us based only on our web browsing patterns. The data can be quite telling, revealing our locations, incomes, family status, interests and many other facts that advertisers can use to target us.

Understandably, most of us would prefer that "Big Brother"-like advertising networks not watch over our shoulders while we go about regular activities such as researching products and exploring purchase options, and especially not while we investigate medical or other highly sensitive topics.

With this in mind, it only makes sense to spend a little extra time to remain anonymous while browsing. In addition to tracking, identification can result in sites blocking access to pertinent data, showing higher prices, or, in the worst-case scenario, intentionally directing you to inaccurate or misleading information capable of completely derailing your efforts.

As such, most users concerned with their Internet privacy commonly delete browser cookies. However, as tracking technologies continue to evolve, the practice of deleting cookies has become much less effective at shielding a user who is trying to avoid detection. This has understandably led to users embracing a host of other solutions, including "Incognito" or "Private Browsing" modes to automatically stop cookies, and VPNs or other IP masking tactics.

Most of these attempts at anonymity fail to fully shield a user for one reason: the growing power of the frustratingly sticky browser fingerprint.

What's in a Fingerprint?

Browser fingerprinting is an increasingly common yet rarely discussed technique for identifying an individual user by the unique patterns of information visible whenever a computer visits a website. The information collected is quite comprehensive and often includes the browser type and version, operating system and version, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations. These identifiers may seem generic and not at all personally identifying, yet typically only one in several million people has exactly the same specifications as you.

A quick look here (https://panopticlick.eff.org) provides a glimpse of the type of information any website can see about you, and also shines a light on the uniqueness of your individual configuration.

The browser fingerprint technique took another big step in 2012 with the release of the Mowery and Shacham paper, which focused primarily on the effectiveness of the canvas fingerprint. The technique for creating the canvas fingerprint is to give the browser a somewhat complex image to render and capture the actual pixel values produced, which are then hashed down to make the actual fingerprint. This study determined that "fingerprints are inherent when the browser is -- for performance and consistency -- tied closely to operating system functionality and system hardware." The authors also summarized the possibility of distinguishing between systems with seemingly identical fingerprints by rendering scenes that stress the underlying hardware.

The end result is the ability to track users even if they are deleting all their cookies and hiding their IP addresses with tools. While fingerprints are not identifying in the same way as an IP address, they do enable recognition of a user whenever that user revisits a website. Even when cookies are deleted, the browser fingerprint allows organizations to re-identify and re-cookie your system, essentially defeating your efforts to remain private.
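For anyone auditing the scripts a page loads, the render-then-capture pattern described above can be recognised from a log of canvas API calls. The following is an added example, not code from the article or from the cited papers: the log format, the `.example` script URLs, the 16-pixel size threshold and the exclusion of lossy JPEG exports are all assumptions made for illustration.

```javascript
// Added example: a simplified detection heuristic, not the studies' own method.
// CALL_LOG is constructed sample data; .example hosts are placeholders.
const CALL_LOG = [
  { script: "https://tracker.example/fp.js", canvas: 1, api: "fillText", width: 220, height: 30 },
  { script: "https://tracker.example/fp.js", canvas: 1, api: "toDataURL", format: "image/png", width: 220, height: 30 },
  { script: "https://cdn.example/charts.js", canvas: 2, api: "fillText", width: 600, height: 300 },
  { script: "https://cdn.example/charts.js", canvas: 2, api: "fillRect", width: 600, height: 300 },
  { script: "https://app.example/editor.js", canvas: 3, api: "fillText", width: 800, height: 600 },
  { script: "https://app.example/editor.js", canvas: 3, api: "toDataURL", format: "image/jpeg", width: 800, height: 600 },
  { script: "https://app.example/icons.js", canvas: 4, api: "fillText", width: 8, height: 8 },
  { script: "https://app.example/icons.js", canvas: 4, api: "getImageData", width: 8, height: 8 },
  { script: "https://app.example/blank.js", canvas: 5, api: "toDataURL", format: "image/png", width: 300, height: 150 },
  { script: "https://app.example/blank.js", canvas: 5, api: "fillText", width: 300, height: 150 },
];

const TEXT_DRAW = new Set(["fillText", "strokeText"]);
const READ_BACK = new Set(["toDataURL", "getImageData"]);
const MIN_SIDE = 16; // assumption: smaller canvases carry too few pixels to matter

// Returns the scripts that drew text to a canvas and then read its pixels back
// in a lossless form: the render-then-capture step the article describes.
function flagCanvasFingerprinting(log) {
  const wroteText = new Set(); // "script#canvas" keys that have drawn text so far
  const flagged = new Set();
  for (const ev of log) {
    const key = `${ev.script}#${ev.canvas}`;
    if (TEXT_DRAW.has(ev.api)) {
      wroteText.add(key);
    } else if (READ_BACK.has(ev.api) && wroteText.has(key)) {
      // Assumption: lossy JPEG output blurs the per-pixel differences a
      // fingerprint depends on, so such exports are treated as ordinary use.
      const lossy = ev.api === "toDataURL" && ev.format === "image/jpeg";
      const tooSmall = ev.width < MIN_SIDE || ev.height < MIN_SIDE;
      if (!lossy && !tooSmall) flagged.add(ev.script);
    }
  }
  return [...flagged].sort();
}

console.log(flagCanvasFingerprinting(CALL_LOG));
```

Only the script that writes text and then reads the pixels back losslessly is reported; the chart library, the JPEG export, the 8x8 icon canvas and the read-before-write case are left alone.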

Growing pattern

A joint research project conducted by Princeton University in the US and the University of Leuven in Belgium, analyzing the tracking techniques of 100,000 websites, showed that over 5% use the canvas fingerprinting process to identify visitors.

In a University of California report presented at the 2013 IEEE Symposium on Security and Privacy, "Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting," the authors found that fingerprinting is already part of some of the most popular sites on the Internet, meaning hundreds of thousands of their visitors are fingerprinted on a daily basis.

According to the UC study, Skype.com surfaces as the most popular website utilizing fingerprinting, while the most popular categories of websites were pornography and dating sites. Specifically, for pornographic sites, the authors see a reasonable explanation being that fingerprinting is used to detect shared or stolen credentials of paying members, whereas for dating sites it ensures that attackers do not create multiple profiles for social-engineering purposes.

Circumventing the Fingerprint

Since the fingerprint is derived from a host of system-based characteristics, circumvention is far more complex than the historical process of deleting cookies. While it's possible to make system changes by hand, doing so after each browsing session could prove laborious and annoying at best.

Specifically, the manual process of protecting against the fingerprint involves changing monitors or screen resolutions; installing or uninstalling fonts, extensions and plugins; as well as switching between different browsers and browser versions.

However, even after exerting all the effort to make changes, it's hard to know if you have done enough or have done it right without a detailed analysis.

A better approach is to make your browser fingerprint as common and generic as possible. You can do that by running the browser inside a clean and un-customized virtual machine. It's only in this kind of environment that it's feasible to revert to the clean state at the end of every use, preventing the accumulation of identifying changes. This approach gives the browser a truly generic identifier, while eliminating all other kinds of tracking techniques.

The virtual machine solution works because an out-of-the-box installation is very standard. There will be many people with brand new computers who would have very similar or identical configurations. The more people who do this, the less identifying it becomes. It also ensures complete elimination of any other tracking tools like cookies, other than the user's IP address, which still requires a VPN for protection.

Smartphones and tablets also provide some protection against browser fingerprinting because they have very limited support for plugins or customization. This is particularly true in iOS, where fingerprints are much less varied and so are less identifying.
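The claim that a stock configuration is less identifying can be checked by measuring how many visitors share a configuration and how many bits of identifying information it carries. This is an added example, not code from the article; the attribute names, the values and the 16-visitor population are constructed for illustration.

```javascript
// Added example. All attribute values below are constructed for illustration.
const STOCK_VM = { ua: "ExampleBrowser/1.0", os: "ExampleOS 10", screen: "1024x768",
                   tz: "UTC", fonts: "default", plugins: "none" };

// 8 visitors on an untouched stock image, 8 who each installed a different font pack.
const POPULATION = [
  ...Array.from({ length: 8 }, () => ({ ...STOCK_VM })),
  ...Array.from({ length: 8 }, (_, i) => ({ ...STOCK_VM, fonts: `default+pack${i + 1}` })),
];

// Canonical string for a configuration: attribute order must not matter.
function fingerprintKey(v) {
  return Object.keys(v).sort().map((k) => `${k}=${v[k]}`).join("|");
}

// How many visitors in the population present exactly this configuration.
function anonymitySetSize(population, visitor) {
  const key = fingerprintKey(visitor);
  return population.filter((v) => fingerprintKey(v) === key).length;
}

// Bits of identifying information: -log2(share of population with this fingerprint).
function surprisalBits(population, visitor) {
  return -Math.log2(anonymitySetSize(population, visitor) / population.length);
}

// Shannon entropy of one attribute: how well it alone splits the population.
function attributeEntropyBits(population, attr) {
  const counts = new Map();
  for (const v of population) counts.set(v[attr], (counts.get(v[attr]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Per-visitor summary: the stock image hides in a crowd, each customised one stands alone.
function report(population) {
  return population.map((v) => ({
    fonts: v.fonts,
    setSize: anonymitySetSize(population, v),
    bits: surprisalBits(population, v),
  }));
}

console.log(report(POPULATION));
```

In this constructed population a single changed attribute, the font list, is enough to move a visitor from a set of eight to a set of one, which is why reverting the virtual machine to its clean state after each use matters.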

Security expert Lance Cottrell founded Anonymizer in 1995, which was later acquired by Ntrepid. Anonymizer's technologies form the core of Ntrepid's Internet misattribution and security products. More information can be found at www.ntrepidcorp.com.
