Browser fingerprinting was invented to help keep our online data safe, but in many cases, it does the exact opposite. Here, we take a deep dive into this covert online tracking technique.

Online user privacy has been a much-discussed topic in recent years, with a slew of news stories revealing the misuse of sensitive data by some of the biggest names in the tech business.

The result has been an almost universal rejection of the third-party cookie, which to date has been the most prevalent online tracking tool. However, the third-party cookie is not the only way to track a user’s online behavior.

In this article, we explore browser fingerprinting, which is an accurate form of online tracking that is highly evasive, difficult to trace, and, as yet, unregulated. 

What is browser fingerprinting?

Browser fingerprinting is a term used to describe the act of discreetly gathering software and device settings data through an internet user’s browser when they’re online. This combination of settings is then used to build a unique identity – or ‘fingerprint’ – for that individual. It’s also sometimes referred to as ‘device fingerprinting’ or simply ‘fingerprinting’.

How does browser fingerprinting work?

Every time you visit a website, your browser has to provide the hosting server with a certain amount of essential information to ensure the website works properly for your individual machine.

These pieces of information could include device model and spec, language and keyboard layout, location, time zone, installed hardware, software versions, and much more.

Individually, these settings and configurations might seem innocuous – and they are. But when put together, they can create a unique combination or ‘fingerprint’.

Considering the number of connected devices worldwide (projected to hit 38.6 billion in 2025), browser fingerprinting can be surprisingly accurate. This study, for example, found that 83.6% of tested browsers were unique.
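The point that individually innocuous settings become identifying once combined can be measured. The following is an added example, not part of the original article; the eight visitors and their attribute values are constructed for illustration. It counts how many visitors share each value (the "anonymity set") and how many bits of identifying information each attribute, and then the full combination, reveals.

```javascript
// Constructed sample population: each object is one visitor's browser settings.
// Attribute names and values are illustrative, not taken from a real dataset.
const visitors = [
  { timezone: "Europe/London", language: "en-GB", screen: "1920x1080", fonts: "arial,calibri" },
  { timezone: "Europe/London", language: "en-GB", screen: "1366x768", fonts: "arial,calibri" },
  { timezone: "Europe/London", language: "en-US", screen: "1920x1080", fonts: "arial,helvetica" },
  { timezone: "Europe/Paris", language: "fr-FR", screen: "1920x1080", fonts: "arial,calibri" },
  { timezone: "Europe/Paris", language: "en-GB", screen: "1366x768", fonts: "arial,helvetica" },
  { timezone: "Europe/Paris", language: "fr-FR", screen: "1366x768", fonts: "arial,helvetica" },
  { timezone: "America/New_York", language: "en-US", screen: "1920x1080", fonts: "arial,calibri" },
  { timezone: "America/New_York", language: "en-US", screen: "1366x768", fonts: "arial,helvetica" },
];

// Group visitors by the combined value of the chosen attributes.
// Each group is an anonymity set: visitors a tracker cannot tell apart.
function anonymitySets(population, attributes) {
  const sets = new Map();
  for (const v of population) {
    const key = attributes.map((a) => `${a}=${v[a]}`).join("|");
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Fraction of visitors whose combination is shared with nobody else.
function uniqueFraction(population, attributes) {
  let unique = 0;
  for (const count of anonymitySets(population, attributes).values()) {
    if (count === 1) unique += 1;
  }
  return unique / population.length;
}

// Average identifying information in bits: the mean over visitors of
// log2(population size / size of the visitor's anonymity set).
function meanSurprisalBits(population, attributes) {
  let total = 0;
  for (const count of anonymitySets(population, attributes).values()) {
    total += count * Math.log2(population.length / count);
  }
  return total / population.length;
}

const ALL = ["timezone", "language", "screen", "fonts"];
for (const a of ALL) {
  console.log(a, uniqueFraction(visitors, [a]), meanSurprisalBits(visitors, [a]).toFixed(2));
}
console.log("combined", uniqueFraction(visitors, ALL), meanSurprisalBits(visitors, ALL));
```

In this sample no single attribute singles anyone out, yet the four together make every visitor unique.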

What is browser fingerprinting used for?

Fingerprinting is reportedly used by over a quarter of the top 10,000 websites online.

Many of these sites use device fingerprints to maximize the user experience for their audience or to keep accounts secure. However, many others use it to track user activity and then pass that information on to data brokers who will sell it to various ends.

Security

Browser fingerprinting was originally developed to track and block devices associated with suspicious activity. These could be botnets using multiple devices and locations to access online accounts, phishing scammers creating numerous social media profiles, or bad actors using repetitive trial-and-error tactics.

Fingerprinting is such an efficient identifier that it can bypass private browser windows, virtual private networks (VPNs), and other evasion measures to track this activity, making it harder for fraudulent internet users to conceal their actions. 

While it is not foolproof, browser fingerprinting can form an integral part of a robust security strategy when combined with other anti-fraud measures.

Marketing

Such an effective way to identify and track user activity has inevitably drawn the attention of the digital advertising industry.

Global digital ad revenue totaled $378.16bn in 2020 and much of this relied on targeted advertising. In an industry of this size, data is considered to be extremely valuable because it enables marketers to accurately personalize their campaigns.

For example, if a global tour company can see from your online activity that you have booked a holiday to Paris, it will know to serve you advertising that specifically promotes its Paris tours. Furthermore, if it can see that you also have an interest in art because of the websites you have visited, it could be even more specific by promoting its ‘Paris Gallery Tour’.  

By working with websites, ad tech companies can recognize a user’s fingerprint when they arrive on a web page and, in a split second, serve an ad that matches their behavior profile.

Privacy concerns

While personalized digital advertising may not be a huge issue for many – research suggests it is even welcomed by some – there are other, more concerning possible uses.

It is very hard to cite specific cases due to the lack of transparency surrounding the practice, but they could include fingerprinting data being used to pre-qualify a user for certain services or to inform dynamic pricing.

An example of the latter is the aforementioned tour company charging you more than others after using your device fingerprint to see that you are located in an affluent area and recently shopped for designer clothing.

While there may never be a specific name associated with a user’s digital fingerprint, there are undoubtedly potential privacy issues to be considered.

Browser fingerprinting vs cookies

While essentially used for the same purpose – identification and tracking – there are some big differences between cookies and fingerprinting.

Storage

Cookies are stored on a user’s device, which means they can be easily blocked or deleted. Device fingerprints are stored remotely, which makes them very difficult to control.

Regulation

The General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US have both imposed rules that regulate the use of cookies for the protection of user privacy, with hefty fines for those who break them.

Fingerprinting, on the other hand, is unregulated, which gives more freedom to those who collect this data.

Transparency

The above regulations have brought transparency to the use of cookies, whereby websites must notify a user that they will be capturing data, explain what it will be used for, and offer them the opportunity to opt out.

Fingerprinting takes place covertly using data that is necessary for websites to work properly. This makes it very difficult for a user to even detect the activity, let alone opt out.

Reliability

Cookies are unique pieces of tracking code that are placed directly onto a user’s device, which makes them very reliable.

Conversely, fingerprinting relies on probability rather than certainty. While it can be very accurate, it inevitably leaves some room for error.

Browser fingerprinting methods

Aside from recording top-level configurations such as software versions, extensions, cookie settings, and languages, to name a few, there are additional, more intricate fingerprinting techniques that can be used. Some examples of these are below – and the more of them that are used together, the more accurate the fingerprint will be.

Canvas fingerprinting

Most websites are built with HTML, which includes an element called canvas. Using this element, websites are able to force browsers to draw a picture and text behind the scenes during a user’s visit.

When devices are configured differently, they render this image and text in a slightly different way, which reveals a whole host of information about a device’s graphics hardware, such as its graphics processing unit (GPU), graphics driver, or graphics card.

Using this information, the device is assigned a unique hash that serves as an identifier (or ‘canvas fingerprint’).

WebGL fingerprinting

Web Graphics Library (WebGL) is a JavaScript Application Programming Interface (API) that works alongside HTML Canvas to render 2D and 3D images.

The WebGL fingerprinting process is the same as canvas fingerprinting in that it forces a user’s device to draw an image in the background without their knowledge, records its graphics hardware information, then assigns it an identification hash.

Audio fingerprinting

In much the same way that canvas fingerprinting uses HTML Canvas to measure how a device renders an image, audio fingerprinting uses the Web Audio API to measure how a device produces sound.

Connected device fingerprinting

Connected device fingerprinting is a technique that gathers information about the media devices connected to a user’s machine. This could include external devices such as headphones or speakers, together with internal devices like sound cards or video cards.

What data makes up a device fingerprint?

There is a wide range of different data that’s gathered using various methods, and this all comes together to create a device fingerprint. Here is a list of some of the most common types.

  - IP address
  - User-agent string
  - Installed fonts
  - Installed hardware
  - Cookie settings
  - Screen resolution
  - OS version
  - HTTP header attributes
  - Language settings
  - Browser extensions
  - Keyboard layout
  - Audio fingerprinting data
  - Browser privacy
  - HTML canvas fingerprinting data

Is browser fingerprinting illegal?

No, browser fingerprinting is not illegal. While it has raised concerns and opposition from privacy advocates, there is nothing to stop a website from fingerprinting users as they visit.

The GDPR and CCPA regulations imposed strict rules to protect online privacy, although the main focus is cookies and therefore they do not apply to data obtained through fingerprinting.

The reason fingerprinting can dodge these regulations is that it only uses what is considered to be public information. No personal data is gathered during the fingerprinting process, therefore no current laws are being broken.

There are, however, plans to regulate browser fingerprinting in the EU, which – as GDPR did with cookies – could spark momentum towards a global standard.

The proposed ePrivacy Regulation is set to apply the same rules to fingerprinting that currently govern the use of cookies. However, at the time of writing it is still in the trilogue process and is therefore subject to change.

How to prevent browser fingerprinting

Fingerprinting is difficult to prevent – and there are two main reasons for this.

  1. The data gathered is essential for websites to work properly, so preventing them from taking it would significantly diminish a user’s browsing experience.
  2. Fingerprinting data is stored off-device, which makes it very difficult to find, control, and remove.

Ad blockers, private browsing windows and VPNs

The use of ad blockers, private browsing windows, and VPNs can help by hiding certain data such as a user’s real IP address and location. However, their use does nothing to hide the more detailed information covered earlier in this article.

In fact, using any of these tools could actually add a whole new facet to a device’s configuration that would not have been there before.

Privacy-focused browsers

Aside from making a device less unique by using default settings wherever possible, the most effective defense against fingerprinting is to use a privacy-focused browser such as Firefox, Brave, or Tor.

Firefox, for example, combats fingerprinting by blocking third-party requests from websites known to partake in the activity. While this is a positive step, it is limited to the websites its provider (Mozilla) is aware of and is therefore not a watertight solution.

Brave’s protection against fingerprinting also makes use of a blocking technique, but this is complemented by randomization. This means it attempts to make a user’s device appear different to a fingerprinting tool each time it visits a website. While this combination certainly bolsters protection, it is unable to stop the most determined of fingerprinting tools.

Tor’s technique, on the other hand, is to make every user’s browser fingerprint the same, which provides a level of anonymity among the crowd.

While this protection is considered to be strong, there are some downsides. The most significant of these is relatively slow loading speeds, which occur as a result of the software working hard to disguise a user’s identity.

Also, because of Tor’s popularity with users who do not want to be tracked, it is regarded with suspicion by many authorities. Therefore, somewhat ironically, it could actually end up attracting attention from parties that are arguably more concerning than the marketing executives most users are trying to avoid.
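The difference between the randomization and uniformity approaches described above can be shown with a small simulation. This is an added example, not part of the original article and not code from Brave or Tor; the device records, the `report` defence models, and the FNV-1a hash standing in for a tracker's hash are all simplified assumptions. It checks whether a tracker can link two visits by the same device and how many devices it can tell apart.

```javascript
// FNV-1a 32-bit hash, standing in for whatever hash a tracker derives (assumption).
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Constructed devices: what each browser would report with no protection.
const devices = [
  { id: "alice", userAgent: "BrowserA/101", screen: "1920x1080", canvas: "px:4f2a" },
  { id: "bob", userAgent: "BrowserA/101", screen: "2560x1440", canvas: "px:91c3" },
  { id: "carol", userAgent: "BrowserB/55", screen: "1920x1080", canvas: "px:4f2b" },
];

// What the tracker sees on one visit under each simplified defence model.
function report(device, defence, visit) {
  if (defence === "uniform") {
    // Uniformity model: every browser reports the same fixed values.
    return { userAgent: "Generic/1", screen: "1000x1000", canvas: "px:0000" };
  }
  if (defence === "randomize") {
    // Randomization model: the canvas readout gets noise that differs per visit.
    const noise = fnv1a(`${device.id}:${visit}`).slice(0, 4);
    return { ...device, canvas: `${device.canvas}+${noise}` };
  }
  return device; // "none": real values, stable across visits
}

function fingerprint(r) {
  return fnv1a([r.userAgent, r.screen, r.canvas].join("|"));
}

// Can the tracker link two visits by the same device, and tell devices apart?
function evaluate(defence) {
  const first = devices.map((d) => fingerprint(report(d, defence, 1)));
  const second = devices.map((d) => fingerprint(report(d, defence, 2)));
  return {
    linkable: first.every((fp, i) => fp === second[i]),
    distinct: new Set(first).size,
  };
}
```

With no defence the fingerprints are stable and distinct; randomization breaks the link between visits, while uniformity keeps the fingerprint stable but shared by every device.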

Reluctant acceptance

There’s no doubt that combining these measures with efforts to make a device less unique by using default settings wherever possible can make fingerprinting more difficult.

However, the bottom line is that complete prevention is impossible. Therefore, at least for the time being, fingerprinting is part and parcel of internet usage.

Until relevant regulations are introduced, it’s worth considering whether the risk of fingerprinting is a price you are prepared to pay for the content you are consuming.

Will fingerprinting replace third-party cookies?

With the EU’s ePrivacy Regulation still in progress, it is impossible to predict exactly what the future holds for browser fingerprinting. However, considering the general public’s increasing awareness of personal data collection and misuse, coupled with a lack of transparency around how fingerprinting is being used, it is probably safe to expect some attempt at regulation in the future.

For example, one academic study found that 85.5% of users were concerned about browser fingerprinting and 78.5% felt that being protected from it was important to them.

With overwhelming majorities like this, some form of change is likely. But to what extent these regulations will go – and indeed how effective they will be – remains to be seen.

Regardless of the efficacy of these potential regulations, with user opinion so low, it would be remiss of brands and marketers around the world to rely on fingerprinting as a replacement for the third-party cookie. Instead, investment in alternative forms of targeting such as contextual advertising – which is regarded by many as having a big role in the future of the industry – would be a better alternative.
