Just like fingerprints at a crime scene, your browser leaves its fingerprints on every website you visit – and those fingerprints may identify you as easily as the ones on the ends of your digits.
In the early days of the web, cookies were the favoured method of tracking users, but as awareness of their nefarious uses grew – along with a proliferation of add-ons like Adblock Plus – advertisers looked around for new ways to track people. Browser fingerprinting was the answer. Not only is it invisible, but it also leaves no trace of its presence on users’ computers because, unlike cookies, the spying happens at the server.
Every web browser provides a certain amount of information about itself and its operating environment to every website it visits. It’s useful, for example, for sites to know your screen size so they can adjust their output depending on whether you’re coming from a mobile phone or desktop PC. However, the range of data delivered by your browser is surprising: browser name and version number, your computer’s operating system, your language, time zone, screen size, acceptable video and audio formats, the fonts installed, the address of the webpage you just came from, and details of all the plug-ins your browser uses. Individually, the data points aren’t significant, but in combination, they can provide a unique ID.
This kind of tracking isn’t necessarily evil. Banks and financial institutions use fingerprinting as a rudimentary part of their security procedures. Having an idea of where you usually sign in from is useful because, if it changes suddenly, it may indicate an unauthorised access attempt. It might prompt them to ask for an extra confirmation of your ID or insist on sending a code to your mobile phone before letting you log in.
However, most users of browser fingerprints aren’t so benign ...
While trackers won’t necessarily match your activity with a face or a name, the data they derive from websites you visit, social platforms you use, searches you perform, and content you consume, can be considered personally identifiable. With this data, brokers build a general profile of who you are (age range, location, language, interests, etc.) and sell this insight to advertisers and marketers who use it to relentlessly serve you personalized ads and content recommendations across the web.
Nick Briz, This is Your Digital Fingerprint
Those ubiquitous ‘like’ and ‘share’ buttons often contain a script that collects a browser fingerprint that allows you to be tracked from one site to the next. That way they can target you with ads for something you searched for yesterday.
How accurate is browser fingerprinting?
For a chilling look at what your browser tells the world, visit Device Info and scroll down its extensive readout. It’s astonishing how promiscuous browsers can be, even detailing what accounts you’re currently logged into: Facebook, Twitter, PayPal, Pinterest, Spotify, etc.
Not hugely encouraging. What can be done?
Enter the badger
The Panopticlick project is part of the Electronic Frontier Foundation, and in addition to providing browser fingerprint tests, they also have a free browser extension called Privacy Badger.
Once installed, Privacy Badger adds an icon to your browser toolbar giving you a quick indication of the site’s privacy status.
Privacy Badger does provide a modicum of protection right away. Here’s a before and after shot from a fresh install of Firefox ...
... but things get better the longer you use it. Instead of keeping lists of blockable sites, PB automatically discovers trackers as you browse. For example, the Do Not Track mechanism is now part of many browsers, but not all trackers honour the request. Badger will spot them. Once it sees the same tracker on three different websites, that’s it. Blocked!
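The three-site rule described above, sketched in JavaScript as an added example (it is not Privacy Badger's own code). The `TrackerLearner` class, the caller-supplied `tracking` flag and the two-label base-domain shortcut are assumptions made for illustration, and all hostnames are constructed.

```javascript
// Added illustration of the three-site rule; not Privacy Badger's own code.
const BLOCK_THRESHOLD = 3; // the article's "three different websites"

// Assumption: the last two labels stand in for the registrable domain.
// Real code needs the Public Suffix List (e.g. for example.co.uk).
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class TrackerLearner { // hypothetical name
  constructor() {
    this.sitesSeenOn = new Map(); // tracker base domain -> Set of sites it was seen on
  }

  // Record one request made while viewing pageHost and return the block decision.
  // `tracking` is supplied by the caller; detecting it is outside this sketch.
  observe({ pageHost, requestHost, tracking }) {
    const site = baseDomain(pageHost);
    const origin = baseDomain(requestHost);
    if (tracking && origin !== site) { // only third parties can be cross-site trackers
      if (!this.sitesSeenOn.has(origin)) this.sitesSeenOn.set(origin, new Set());
      this.sitesSeenOn.get(origin).add(site); // a Set: repeat visits to one site count once
    }
    return this.isBlocked(requestHost);
  }

  isBlocked(host) {
    const sites = this.sitesSeenOn.get(baseDomain(host));
    return sites !== undefined && sites.size >= BLOCK_THRESHOLD;
  }
}

// Constructed browsing history; every hostname here is made up.
const SAMPLE = [
  { pageHost: 'news.example', requestHost: 'pixel.tracker.test', tracking: true },
  { pageHost: 'www.news.example', requestHost: 'cdn.tracker.test', tracking: true }, // same site
  { pageHost: 'shop.example', requestHost: 'pixel.tracker.test', tracking: true },
  { pageHost: 'shop.example', requestHost: 'static.shop.example', tracking: true }, // first party
  { pageHost: 'blog.example', requestHost: 'fonts.assets.test', tracking: false },
  { pageHost: 'blog.example', requestHost: 'pixel.tracker.test', tracking: true }, // third site
];

// Replay the history and collect the decision made after each request.
function replay(events) {
  const learner = new TrackerLearner();
  const decisions = events.map((e) => learner.observe(e));
  return { learner, decisions };
}
console.log(replay(SAMPLE).decisions);
```

Only the last request flips the decision: the second visit to the news site does not add a new site, and the shop's own subdomain is first-party, so neither brings the tracker closer to the threshold.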
If you do find Badger breaks a page – say, a video doesn’t play – just click its icon on the toolbar and disable it for that page. And don’t forget to let the badger-meisters know by clicking on 'Did Privacy Badger break this site?' The EFF respect your privacy, so they don't send out automatic reports.
(If you’re sceptical about just how many third-party trackers are actually looking over your shoulder, check ‘em out here!)