What is Fingerprinting?
As the United Kingdom announces the death of cookies, in much of the world, online advertisers still have a way of tracking your digital footprint.
Add bookmarkIn short, digital fingerprinting is the process where a remote site or service gathers little bits of information about a user's machine and puts those pieces together to form a unique picture, or "fingerprint," of the user's device.
It does this in one of two ways: either the third party tracks a user through remote sites and collates information about which websites they have visited, or alternatively, it analyzes the makeup of the apps installed on their devices.
This is where fingerprinting gets its name. For as the lines and swirls on your fingertips are unique to you, so too is the configuration of apps on your device, or the sequencing of websites you access online. This data can include the language you use, keyboard layout, your time zone, whether you have cookies turned on (where this is still viable), and even the version of the operating system your device runs.
From this, advertisers can recognize you as you browse online. The method has been shown from multiple studies to be highly effective, with some concluding your browser fingerprint is around 80 to 90 percent unique to you.
There are several fingerprinting techniques which advertisers use to track users:
- Canvas fingerprinting: Canvas fingerprinting uses the HTML5 canvas element to force your browser to draw an image or some text. This occurs invisibly in the background, so you won’t see it happening. But the precise way your browser renders the image/text provides detailed information about your font style, graphics card, drivers, web browser, and OS. Canvas fingerprinting is one of the most widely used digital fingerprinting techniques.
- WebGL fingerprinting and rendering fingerprinting: Like canvas fingerprinting, these two techniques force your browser to render images off-screen and then use these images to infer information about your device’s hardware and graphics system.
- Device fingerprinting: While device fingerprinting is often used synonymously with browser fingerprinting, it also refers to a particular technique that uncovers a list of all the media devices (and their IDs) on your PC. That includes internal media components such as your audio and video card, as well as any connected devices like headphones.
- Audio fingerprinting: Rather than forcing your browser to render an image, audio fingerprinting tests the way your device plays sound. The resulting sound waves provide information on your device’s audio stack, including specifications about its drivers, sound hardware, and software.
However, fingerprinting relies heavily on consistency, and if a user’s fingerprint changes rapidly, there would be no way for the tracker to tell one visit of a user from the next visit. This ability to link visits is essential to determine that it is the same user visiting websites or using apps over time. This persistent identifier is used as a substitute for a cookie, which can be easily deleted by the user. A fingerprint cannot be removed since it does not store anything on the users' machine.
How Can You Prevent Fingerprinting?
There are ways for users to combat fingerprinting. Randomization tools that scramble the user’s fingerprint are available, but these in themselves can be a deterministic fingerprinting characteristic. Alternatively, certain browsers can combat fingerprinting by making all instances of the browser look the same. In this case, the browser cannot be uniquely fingerprinted by trackers, because to them, all users look the same.
Then there is a medley of extensions which allow users to protect themselves against fingerprinting. However, many of these fingerprinting services are yet to be identified, meaning that while some fingerprinting trackers can be blocked, many more cannot.
There is, however, some good news. While fingerprinting is not directly covered by the European Union’s GDPR laws, such regulations are flexible and neutral enough in tone that it does cover such practices indirectly. That said, any company operating outside of the European Economic Area has no obligations to GDPR, and as such, fingerprinting won't be going away anytime soon.