Most websites you run across while browsing the Web include content which tracks your online activity. This practice has multiple goals: advertising is the most common, with tracking companies generating digital profiles based on users’ interests to propose targeted ads. Then, analytics and security services leverage tracking for their purposes. Finally, unfortunately, also malicious actors such as phishers and scammers exploit web tracking to increase attack success probability.
Conventional tracking tools (HTTP cookies, local storage, IndexedDB, etc.) allow trackers to store unique identifiers in browsers to re-identify users during the browsing activity. As privacy concerns have grown among users, the most tech-savvy of them started adopting tools to prevent trackers to install such identifiers. Hence trackers have evolved to bypass these blocks and developed a new technique to precisely identify users in multitudes without relying on cookies or other kinds of client-side storage: this is the case of browser fingerprinting.
In this article we describe this pervasive tracking technique, explain how it invalidates most existing anti-tracking systems and present our solution to the problem.
What is browser fingerprinting?
Browser fingerprinting, similarly to conventional tracking techniques, allows trackers to assign identifiers to users’ browsers and track them while they are being used to surf the web. The difference with older tracking techniques stands in how these identifiers are generated and handled.
By collecting this impressive amount of information, trackers can produce a signature of the browser and use it to recognize it in millions.
Visual examples and demos
EFF’s Panopticlick and AmIUnique provide online tools to show how the visitor’s browser can be easily fingerprinted and how unique its fingerprint is. By testing both tools with vanilla versions of Mozilla Firefox 82.0.3 and Google Chrome 86.0.4240.183, it is easy to result unique among the respective user bases.
As shown, local differences in the waveform’s channel data are quite significant and easy to notice in this case. However, even tiny differences between waveforms are enough to build unique identifiers.
Why is fingerprinting more pervasive than legacy tracking?
Fingerprinting is noiseless by design and prevents the user to control her exposure to tracking. This is why it represents a real threat for privacy and security.
What can users do?
This technology has been integrated in Ermes For Enterprise and Ermes for SMEs. Get our product to protect your business against fingerprinters of the web!