Digital fingerprinting is a computational process used to identify and track internet users and devices online.
Digital fingerprinting has become a hot topic in recent years as our collective internet privacy begins to fall through the cracks of an increasingly complex online environment.
From a technical perspective, digital fingerprinting is very impressive, a triumph of modern computer science, but in many ways, it also epitomises a force of technological good harnessed for more sinister motives.
So, what is a digital fingerprint?
What is a Digital Fingerprint?
A digital fingerprint is a unique digital identifier.
Our digital fingerprint contains a set of data that identifies our browser setup and device as unique.
Once our browser and/or device is analysed, the fingerprinting software saves the fingerprint data server-side, outside of the user’s control.
This allows internet users to be identified and tracked, even when they take evasive measures against cookies.
These identifiers mainly relate to our browser and device, but can be used to pry into our personal data and internet browsing habits.
Digital fingerprinting has made advanced user and device tracking without cookies a reality and has become extremely hard to control or regulate.
Are Digital Fingerprints the Same as Cookies?
No, but digital fingerprints serve a similar purpose to cookies.
Digital fingerprints are the natural progression from soon-to-be-extinct cookies.
Cookies or HTTP cookies are stored in the web browser itself and were initially designed to store information about the content and state of websites for retrieval.
Cookies can be either first or third-party. First-party cookies are downloaded to your browser from the site itself, e.g. to save your login details for when you next log into the site – seems reasonable enough.
But third-party cookies are downloaded to your browser from many other sites or ‘parties’. Advertisers, retargeting, analytics and tracking services use third-party cookies to track additional off-site behaviours. A website can use a variety of different third-party tracking cookies that collect your information. The information collected by cookies includes your browsing habits, device information and location.
Recently, users have been taking control of their cookies. Various privacy services such as AdBlock allow users to block cookies – this can also be done from within most modern web browsers.
[Figure: Global ad-blocking growth (Wikimedia Commons)]
In short, cookies are pretty easy to control on the user side. They’re saved on the user’s PC, which means we have control of them and can shut them down easily if we wish.
Cookies are a dying breed – the dinosaurs of the tracking industry, soon to become extinct!
But digital fingerprinting is a different story altogether…
How Do Digital Fingerprints Work?
Digital fingerprints are saved server-side, so we cannot typically block them without taking considerable steps to do so, and many of these steps negatively impact our browsing experience.
Once this data is rendered, it’s processed, hashed and sent to a server for server-side storage.
The information the script has access to is very complex – far more complex than you might perceive.
There’s enough accessible information within your fingerprint to identify you with near-enough 100% certainty.
One experiment collected 3,615 fingerprints from 1,903 users over a three-month period; the technique was able to successfully identify 99.2% of users, even when they used more than one browser.
A single-browser fingerprinting technique named AmIUnique had a success rate of 90.8%.
Discover Your Digital Fingerprint
You can use the site Cover Your Tracks to evaluate your own browser fingerprint.
So what data does a fingerprint tracker collect?
How is a Digital Fingerprint Created?
A digital fingerprint is created with various information extracted from your browser and device.
These data points are calculated to provide a digital fingerprint – a digital identifier that is unique to you.
- IP address
- Device MAC address
- User-agent string
- Clock information – used to cross-verify your location alongside your IP address
- Web browser plugins
- TCP stack variation
- Installed fonts on your device
- Internal application programming interfaces (API)
- Device information such as screen resolution, touch support, OS and language
- Flash data
- List of mime-types
- CSS information
- Hypertext Transfer Protocol (HTTP) headers
It’s just a matter of probability – the probability of another user having the same digital fingerprint as you skyrockets once the probability of these variables is combined.
Our browsers are more heavily personalised than ever and this provides fingerprints with a wealth of cross-examinable information. Ironically, even the use of an adblocker or ‘do not track’ services provides a fingerprinter with more data to calculate your identity.
After computing your digital fingerprint, operators will assign your value a rapidly-retrievable hash stored on their server.
Whenever your fingerprint is recognised online, tracking services can identify you and alter your browsing experience, e.g. by sending you personalised ads or restricting you from some services.
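The following is an added example, not code from the original article or from any fingerprinting product. It shows the two steps described above: hashing a canonical serialisation of the collected attributes into a stable identifier, and combining per-attribute probabilities into bits of identifying information. The attribute names, the sample browser and the frequency figures are constructed assumptions, and the attributes are treated as independent.

```python
import hashlib
import json
import math

# Constructed sample: the share of browsers that report the same value as
# this browser for each attribute. Illustrative numbers, not study data.
VALUE_FREQUENCY = {
    "user_agent": 0.02,
    "timezone": 0.10,
    "screen": 0.08,
    "fonts": 0.005,
    "do_not_track": 0.25,
}

# Constructed browser profile (hypothetical attribute names and values).
BROWSER = {
    "user_agent": "ExampleBrowser/1.0 (constructed)",
    "timezone": "Europe/London",
    "screen": "1920x1080x24",
    "fonts": ["Arial", "Fira Code", "Noto Sans"],
}
BROWSER_WITH_DNT = dict(BROWSER, do_not_track="1")


def fingerprint_hash(attributes):
    """Hash a key-sorted serialisation so one setup always yields one ID."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def surprisal_bits(attributes, frequency=VALUE_FREQUENCY):
    """Identifying information in bits, assuming independent attributes."""
    return sum(-math.log2(frequency[name]) for name in attributes)


def one_in(bits):
    """Roughly one browser in this many shares the combined fingerprint."""
    return round(2 ** bits)


if __name__ == "__main__":
    for label, profile in (("base", BROWSER), ("with DNT", BROWSER_WITH_DNT)):
        bits = surprisal_bits(profile)
        print(f"{label:9} id={fingerprint_hash(profile)[:16]} "
              f"bits={bits:.2f} one in {one_in(bits):,}")
```

With these constructed figures, switching on ‘do not track’ adds two bits and moves the browser from one in 1,250,000 to one in 5,000,000, which is the effect the article describes for privacy settings.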
Fingerprinting Behind the Browser
Fingerprinting, like all forensic techniques, has its limitations.
Whilst digital fingerprints are powerful identifiers in the vast majority of situations, it can be difficult to class different browsers as being used on the same device.
The use of stock browsers with minimal plugin installations and settings changes can also lead a fingerprinter off the scent.
To combat this, digital fingerprinting services developed a new fingerprinting code that instructs browsers to perform a number of tasks. These tasks utilise operating system and hardware resources.
For example, by rendering graphics with WebGL, fingerprinting software can take calculations from our hardware devices from CPU cores to audio cards, graphics cards, etc.
This vastly extends the list of variables fingerprinting services can use to identify a device.
This form of digital fingerprinting works behind the browser, so it can fingerprint devices across multiple browsers.
[Figure: compilation of the variables an intelligent digital fingerprinting script can read and analyse]
Why Use Digital Fingerprinting?
There are two main reasons why digital fingerprints are used:
By Marketers and Advertisers
Digital fingerprints were developed largely as a more intensive, robust alternative to cookies.
Cookies are easily blocked and this makes cross-device tracking difficult.
People clear their cookies often and switch between different devices often, which both erode the ROI of cookie-based targeting and advertising.
Ad blockers are also clamping down on ads to prevent tracking via cookies.
With digital fingerprinting, once you use a new device, data from the accounts you’re using and the cookies you’re downloading combines with your new digital fingerprint and you can be personally identified.
But digital fingerprints offer an alternative that cannot be switched off as the fingerprints are not saved on your device.
The Advantages of Digital Fingerprinting in Marketing and Advertising:
- Data fingerprinting helps target ads and services without cookies
- More reliable for cross-device tracking
- Circumvents typical security tools like adblockers
- Not controlled by the end-user, tough to switch off
For Anti-Fraud and Security Purposes
Let’s focus on a seemingly positive aspect of digital fingerprinting – security.
Digital fingerprinting is a powerful anti-fraud technique. For example, digital fingerprinting can discern when one device is logging into multiple payment accounts or using several pieces of personal information.
Inconsistencies in digital fingerprints can also reveal information behind a proxy or VPN, theoretically helping bust fraudsters who feel they’re operating from a safe environment.
Digital fingerprinting also works across multiple browsers and devices, e.g. if cybercriminals are using multiple browsers running from virtual machines.
Digital fingerprinting can also crack down on spam and phishing scams. It can be used to ban scammers that set up thousands of fake profiles on social media, etc.
However, by manipulating the anti-fraud potential of digital fingerprinting, companies get away with collecting more data than they reasonably need to.
By presenting the wider, more sensitive remit of digital fingerprinting as a tracking method under the label of an ‘anti-fraud technique’, trackers can also navigate privacy laws.
Advantages of Digital Fingerprinting in Anti-Fraud:
- See behind typical fraud strategies, e.g. VPNs and proxies
- Hard to manipulate
- Can single out and blacklist repeatedly malicious devices
- Reveal and ban bots, e.g. malicious or spammy social media bots
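The two anti-fraud checks described in this section, as an added example that is not part of the original article: one fingerprint logging into several accounts, and a browser clock that disagrees with the location implied by the source IP. The event fields, the account names, the fingerprint IDs and the IP-to-offset table are constructed assumptions; the addresses come from the documentation ranges.

```python
from collections import defaultdict

# Constructed lookup: UTC offset (hours) expected for each source IP's location.
# Addresses are from the RFC 5737 documentation ranges.
IP_UTC_OFFSET = {"192.0.2.10": 0, "198.51.100.7": 1, "203.0.113.5": -5}

# Constructed login events; "fp" is the stored fingerprint hash (shortened).
EVENTS = [
    {"account": "alice", "fp": "fp-a1", "ip": "192.0.2.10", "browser_utc_offset": 0},
    {"account": "bob", "fp": "fp-b2", "ip": "198.51.100.7", "browser_utc_offset": 1},
    {"account": "acct-101", "fp": "fp-c3", "ip": "203.0.113.5", "browser_utc_offset": 8},
    {"account": "acct-102", "fp": "fp-c3", "ip": "203.0.113.5", "browser_utc_offset": 8},
    {"account": "acct-103", "fp": "fp-c3", "ip": "192.0.2.10", "browser_utc_offset": 8},
    {"account": "alice", "fp": "fp-a1", "ip": "192.0.2.10", "browser_utc_offset": 0},
]


def shared_devices(events, max_accounts=2):
    """Fingerprints that logged into more than max_accounts distinct accounts."""
    accounts = defaultdict(set)
    for event in events:
        accounts[event["fp"]].add(event["account"])
    return {fp: sorted(names) for fp, names in accounts.items()
            if len(names) > max_accounts}


def timezone_mismatches(events, tolerance_hours=1):
    """Events whose browser clock disagrees with the IP's expected offset."""
    flagged = []
    for event in events:
        expected = IP_UTC_OFFSET.get(event["ip"])
        if expected is None:
            continue  # no geolocation data: nothing to compare against
        if abs(expected - event["browser_utc_offset"]) > tolerance_hours:
            flagged.append((event["account"], event["ip"]))
    return flagged


if __name__ == "__main__":
    # Both results are signals for review, not verdicts: shared family
    # computers and travellers produce the same patterns.
    print("shared devices:", shared_devices(EVENTS))
    print("timezone mismatches:", timezone_mismatches(EVENTS))
```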
The Dark Side of Digital Fingerprinting
The dark side of digital fingerprinting is difficult to unravel because we:
- Can’t confirm how digital fingerprinting data is being used and by whom
- Can’t easily assert that our data is being used illegally or amorally
For example, many people would consider that digital fingerprinting for advertising and marketing purposes is benign or even encourage it, even though the use of adblockers is rising.
Paradoxically, given the rise in the use of ad blockers:
- Marketing Tech News found that 78% of mobile users don’t mind ads when they’re properly relevant and targeted.
- Segment found that users were frustrated when their shopping experiences were too impersonal or untargeted.
- Google found that 63% of users were more likely to purchase items from sites that are able to recommend them based on their interests. 58% feel more favourable to sites that remember their past behaviour.
User desire for targeted ads has become a digital marketing mantra.
Are digital fingerprints not just another way of serving the users with the browsing experience that they desire?
The question is, what are we prepared to give away for an increasingly customised, personalised online experience? And what are the side-effects of that?
Case Study: Cambridge Analytica
The Facebook–Cambridge Analytica data scandal had far-reaching consequences for data security.
The scandal brought home how our personal data is not just used for seemingly benign marketing and other commercial purposes but can also be harnessed in deeper political and behavioural contexts.
Through a combination of social media analytics, content engineering and digital fingerprinting, Cambridge Analytica are alleged to have tangibly influenced the US 2014 midterm elections, 2016 Presidential Election and Brexit referendum at least.
In 2018, Cambridge Analytica’s executives said that the company had worked in more than 200 elections around the world.
One of the starkest criticisms of this activity is that it completely defies regulation.
“By regarding the internet as unregulable, we are giving companies the green-light to continue building technologies (like browser fingerprinting) that have the potential to manipulate the way in which people think and behave, setting society on a path mirroring a dystopian sci-fi.” – Nick Briz, Mozilla.
As digital fingerprinting becomes more reliable and widespread, operators like Cambridge Analytica will be able to track us easily across multiple devices.
Case Study: IESnare
In 2017, the BBC revealed details of a Flash cookie ‘IESnare’ that is downloaded to our computers by sites for seemingly anti-fraud purposes.
IESnare is possibly used by PayPal, Adobe and many gambling operators including online bookmakers.
Allegedly, online gambling regulators have been using IESnare to spy on successful bettors, limiting their accounts before they’ve had a chance to place a bet.
IESnare sends information about ‘infected’ devices to companies for so-called ‘security’ purposes.
IESnare provides a potent example of how software masquerading as an ‘anti-fraud’ tool can be manipulated for other unsavoury corporate interests. This also raises the question of where our harvested information is stored and whether it can or will ever be deleted. Whilst this data is probably only held temporarily, it still contains sensitive information that can provide a backdoor into our PC, device or personal accounts.
Data breach, identity fraud and other forms of cyber criminality are constantly rising.
Weaponising our personal data against fraud has the unintended consequence of arming fraudsters with the sensitive data they need to commit their crimes.
Protecting Yourself From Digital Fingerprinting
Digital fingerprinting has the ironic strength of being best-able to track some users that take measures to increase their privacy.
For example, ‘do not track’ settings, the use of adblockers and even incognito mode can arm digital fingerprinting services with more data.
The installation of privacy-enhancing plugins is not effective against digital fingerprinting.
Even the stock Tor browser is frequently modified to allow WebGL, and that is all digital fingerprinters need to calculate your unique fingerprint from your hardware and software resources.
Take Control of Your Browser
Disabling Flash and Java in combination with the NoScript plugin may decrease rendering issues whilst preventing some scripts from running. Again, this has the opposite action of making your browser more unique via its mere presence.
Some plugins can request permission for page rendering or executing processes for transmitting data.
Disabling browser updates and using stock settings will prevent your browser from saving cookies once it updates.
Use Tor or Brave
Both the Tor and Brave browsers have in-built anti-fingerprinting measures.
“In the end, the approach chosen by Tor developers is simple: all Tor users should have the exact same fingerprint. No matter what device or operating system you are using, your browser fingerprint should be the same as any device running Tor Browser,” Pierre Laperdrix.
Tor or Brave combined with Tails could provide a near-100% fingerprint-secure browsing environment.
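The uniform-fingerprint approach quoted above can be measured as anonymity-set sizes. This is an added example, not code from the original article or from Tor or Brave; the population, the attribute names and the standard profile are constructed assumptions. It also shows the point made earlier about plugins: an extra attribute left on top of the standard profile makes that browser stand out again.

```python
from collections import Counter

# Constructed population of six browsers (hypothetical attribute names).
POPULATION = [
    {"ua": "BrowserA/10", "tz": "UTC+0", "screen": "1920x1080"},
    {"ua": "BrowserA/10", "tz": "UTC+0", "screen": "1920x1080"},
    {"ua": "BrowserA/10", "tz": "UTC+1", "screen": "1366x768"},
    {"ua": "BrowserB/7", "tz": "UTC-5", "screen": "2560x1440"},
    {"ua": "BrowserB/8", "tz": "UTC+9", "screen": "1440x900"},
    {"ua": "BrowserA/10", "tz": "UTC+0", "screen": "1920x1080",
     "addon": "rare-blocker"},
]

# Hypothetical standard profile that every hardened browser reports.
UNIFORM = {"ua": "Uniform/1.0", "tz": "UTC+0", "screen": "1000x1000"}


def anonymity_sets(population):
    """For each browser, how many browsers in the population look identical."""
    keys = [tuple(sorted(browser.items())) for browser in population]
    counts = Counter(keys)
    return [counts[key] for key in keys]


def normalise(browser, uniform=UNIFORM, keep_extras=True):
    """Overwrite covered attributes with the standard values.

    With keep_extras=True, attributes the profile does not cover (such as a
    detectable add-on) are still reported and still distinguish the browser.
    """
    extras = {}
    if keep_extras:
        extras = {k: v for k, v in browser.items() if k not in uniform}
    return {**extras, **uniform}


if __name__ == "__main__":
    print("stock:        ", anonymity_sets(POPULATION))
    print("uniform+extra:", anonymity_sets([normalise(b) for b in POPULATION]))
    print("uniform only: ", anonymity_sets(
        [normalise(b, keep_extras=False) for b in POPULATION]))
```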
Digital fingerprinting is extremely intricate, going beyond the browser to analyse elements of your device’s software and hardware.
This allows various internet services to identify you and your device without cookies.
Whilst fingerprints have developed as a progression from the now-archaic cookie, they are perhaps more menacing in that our means of control and regulation are severely restricted.
Perhaps the most ironic thing about digital fingerprinting is that its effectiveness is enhanced by our own fight for internet privacy.
Privacy plugins, adblockers, ‘do not track’ and incognito mode all add another variable into the pool of data that fingerprinters can access.
You cannot easily protect yourself from fingerprints, but you can take precautions to limit your browser’s uniqueness. Tor is the easiest way to protect yourself from standard fingerprinting, but it’s not a permanent solution for most people.
NoScript running from Mozilla provides a more practical means to tackle fingerprinting.
Whilst fingerprinting is certainly not wholly corrupted and does have many valid uses for internet security, we need to remain collectively vigilant and aware of how our data is exposed to nefarious operators.
Digital Footprint FAQ
What is digital fingerprinting and how does it work?
In computer science, digital fingerprinting is a technique that calculates a unique identifier from a large string of data. Our browser and device hardware and software have a unique configuration that can be distilled into a fingerprint from its many variables.
In the case of browser fingerprinting, our internet browser can be analysed by a script to produce a unique identifier – a digital fingerprint – from that data.
The digital fingerprint can be used to track our activity online.
Is my browser fingerprint unique?
Each browser contains enough data to calculate a unique digital fingerprint in some 90% to 99% of cases according to most studies. The more unique identifiers a browser has, the more easily it can be fingerprinted.
Fingerprinting software can read and analyse variables relating to your browser type, configuration, timezone, plugins and fonts to name but a few variables.
Can I prevent digital fingerprinting?
It’s very hard to prevent digital fingerprinting in a conventional browser. Digital fingerprinting techniques have become more advanced and can now look ‘beneath the browser’ at our devices’ hardware and software configuration.
Running NoScript from Mozilla or using the Tor or Brave browser is probably the best bet for preventing digital fingerprinting.