While most internet users are familiar with cookies, a far more persistent and invisible tracking method is operating across the web. This technique, known as browser fingerprinting, can create a unique profile of you without storing anything on your computer, making it essential for any privacy-conscious individual to understand.
Device fingerprinting, more commonly known as browser fingerprinting, is the systematic collection of information from a web browser and device. The goal is to combine these details to create an identifier that is unique enough to single out, track, and build a detailed profile of the user.
This technique was developed as a more persistent tracking method, designed to overcome user-controlled privacy measures like deleting cookies. Unlike cookies, which a user can find and remove, fingerprinting usually operates invisibly to the user and stores no files on the user's device.
Digital fingerprinting techniques have been described in the specialised literature as “cookieless monsters” given that it is not necessary to install any type of cookie on the device to gather the information...
These "fingerprints" are constructed by combining many different pieces of information, which we will explore next.
The fundamental concept behind browser fingerprinting is that while any single piece of information about your device might be common, the combination of many such details is likely to be unique. A website gathers a set of these characteristics, effectively creating a "digital fingerprint" for your browser.
Here are some of the common characteristics that can be collected to form a basic fingerprint:
- User agent (e.g., Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0).
- Time zone (e.g., -120 minutes from UTC).
- Screen size and color depth (e.g., 1920x1080x24).

While these basic data points can create a surprisingly unique identifier, trackers often employ even more sophisticated methods to increase accuracy.
To create more robust and precise fingerprints, trackers use advanced techniques that exploit modern web browser features.
Canvas fingerprinting uses the HTML5 Canvas element, a feature designed for drawing graphics and animations on a web page. The tracker instructs the browser to draw a hidden image or piece of text. The uniqueness comes from the fact that different combinations of hardware (like the Graphics Processing Unit, or GPU), software (graphics drivers), and operating systems will render this image in subtly different ways. The final rendered image is converted into a hash, a compact digital signature that serves as a highly stable identifier.
A specialized variation of canvas fingerprinting targets the fonts installed on the device. Instead of drawing a single complex image, it instructs the browser to render the same string of text multiple times, each time using a different font from the device's list of installed fonts. By measuring the subtle differences in how each font is drawn (its size, anti-aliasing, etc.), this method can generate an identifier that is highly specific to the user's unique collection of system fonts.
WebRTC (Web Real-Time Communication) is an API that enables real-time voice and video communication directly between browsers. A side effect of this functionality is that the WebRTC API can be used to reveal a user's local IP address—the address their device uses on a private network (like a home Wi-Fi network), which is normally hidden. By combining a user's hidden local IP with their public IP, a tracker can create a very consistent and effective identifier, even if the public IP changes.
AudioContext fingerprinting uses the AudioContext API, a tool for processing audio signals within the browser. This method does not listen to the user's microphone. Instead, it generates a standardized, inaudible sound wave (like a sine wave) and processes it through the browser's audio stack. The resulting digital signal is slightly different on every machine due to unique variations in device hardware and software drivers. A hash of this processed signal is then used as a unique identifier.
Now that we understand how fingerprints are created, let's look at how their uniqueness is scientifically measured.
The scientific way to measure the uniqueness of a fingerprint is through Information Entropy. In simple terms, entropy is a measure of uncertainty, calculated in "bits." The more "bits of identifying information" a characteristic provides, the rarer it is and the more it helps to uniquely identify a user.
For example, knowing that a European user is on Chrome (59% market share in May 2018) provides very little identifying information (about 1 bit). However, knowing they are using Internet Explorer (4% market share) provides much more information (about 4 bits) because it is far less common. By combining many such characteristics, the total bits of entropy can quickly add up to create a globally unique identifier.
The following table, based on data from a Panopticlick test, shows how different browser characteristics contribute varying amounts of identifying information.
Example: Bits of Identifying Information
| Browser Characteristic | Bits of Identifying Information |
|---|---|
| Hash of canvas fingerprint | 6.62 |
| Screen Size and Color Depth | 2.45 |
| Browser Plugin Details | 9.14 |
| Time Zone | 2.70 |
| System Fonts | 6.50 |
| Platform | 3.17 |
| User Agent | 7.68 |
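The measurement described above, as an added example that is not part of the original article: it computes the bits each attribute reveals for one visitor in a constructed eight-record sample, and shows that summing per-attribute bits overestimates the real joint value when attributes are correlated. The record values, the attribute names (`ua`, `tz`, `screen`) and the function names are assumptions; the `tableBits` figures are the Panopticlick values from the table.

```javascript
// Added example: measuring identifying information in bits.
// The visitor records are constructed sample data, not from any study.
const visitors = [
  { ua: "A", tz: -120, screen: "1920x1080x24" },
  { ua: "A", tz: -120, screen: "1920x1080x24" },
  { ua: "A", tz: -120, screen: "1366x768x24" },
  { ua: "A", tz: -120, screen: "1280x800x24" },
  { ua: "B", tz: 0, screen: "1366x768x24" },
  { ua: "B", tz: 60, screen: "1280x800x24" },
  { ua: "C", tz: 0, screen: "1366x768x24" },
  { ua: "C", tz: 60, screen: "2560x1440x30" },
];

// Bits of identifying information from the Panopticlick table on this page.
const tableBits = {
  canvasHash: 6.62, screen: 2.45, plugins: 9.14, timeZone: 2.70,
  fonts: 6.50, platform: 3.17, userAgent: 7.68,
};

// Surprisal of an observation with probability p, in bits: -log2(p).
function surprisalBits(p) {
  if (!(p > 0 && p <= 1)) throw new RangeError("p must be in (0, 1]");
  return -Math.log2(p);
}

// Fraction of records matching `target` on every attribute in `attrs`.
function share(records, target, attrs) {
  const hits = records.filter((r) => attrs.every((a) => r[a] === target[a]));
  return hits.length / records.length;
}

// Per-attribute bits, their sum (valid only if attributes are independent),
// the bits of the real joint combination, and the resulting anonymity set.
function analyse(records, target, attrs) {
  const perAttr = {};
  for (const a of attrs) perAttr[a] = surprisalBits(share(records, target, [a]));
  const sumBits = Object.values(perAttr).reduce((s, b) => s + b, 0);
  const jointBits = surprisalBits(share(records, target, attrs));
  const anonymitySet = Math.round(records.length / 2 ** jointBits);
  return { perAttr, sumBits, jointBits, anonymitySet };
}

// Upper bound on the table's combined bits (assumes independent attributes).
function totalTableBits(table) {
  return Object.values(table).reduce((s, b) => s + b, 0);
}

console.log(analyse(visitors, visitors[0], ["ua", "tz", "screen"]));
console.log(totalTableBits(tableBits).toFixed(2), "bits (upper bound)");
```

In the sample, the three attributes sum to 4 bits, but the visitor still shares the full combination with one other record (2 bits), because user agent and time zone are correlated. The same caveat applies to adding up the table rows.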
This measurement of uniqueness isn't just theoretical; it has significant real-world applications and consequences.
In a 2018 study, the Spanish Data Protection Agency (AEPD) analyzed over 5,000 URLs to understand the prevalence of these techniques. The findings were revealing:
The study also confirmed the ineffectiveness of the "Do Not Track" (DNT) signal, a browser setting that asks websites not to track the user. The research found that websites using fingerprinting overwhelmingly ignored this request. In the case of Canvas fingerprinting, a staggering 96.12% of sites continued to compile the fingerprint even when the user had explicitly activated DNT. More alarmingly, the study found that the DNT signal itself can be used as another data point to make a user's fingerprint even more unique, turning a request for privacy into a tool for identification.
With such a widespread and persistent problem, it's natural to ask what can be done to protect one's privacy.
The AEPD study tested various mitigation measures to see how effectively they could prevent fingerprinting. The results show a clear difference between passive privacy features and active blocking tools.
| Method | How it Works | Effectiveness (Based on AEPD Study) |
|---|---|---|
| Private / Incognito Mode | Deletes local history, cookies, and site data after the session ends. | Not Effective. It does not alter the underlying device characteristics, so the fingerprint remains identical. |
| VPNs / Anonymization Networks | Hides the user's public IP address from the destination server. | Partially Effective. While they hide one key data point (public IP), they do not filter the collection of other device characteristics. |
| Browser Privacy Options (e.g., blocking 3rd-party cookies, enabling DNT) | Uses built-in browser settings to limit tracking. | Not a significant reduction. The study found these options had little effect, except for a notable reduction in WebRTC detections. |
| Browser Extensions (Blockers like uBlock Origin, Ghostery) | Actively identify and block scripts and connections known to be used for tracking. | Most Effective. These tools produced a "significant reduction of detections" across fingerprinting techniques. |
| Disabling JavaScript | Prevents the scripts that collect fingerprinting data from running. | Effective, but impractical. This method breaks the functionality of many modern websites, making it an unrealistic solution for most users. |
These findings lead to several important conclusions for anyone concerned about their digital privacy.