Fingerprinting is the technique web pages most commonly use to track and monitor users, after cookies. Did you know that, without any need for cookies, a site can build a fingerprint of your passage through the network? In this article we explain how your browser’s fingerprint can “give you away”, so that you know how a website can identify you without using any cookie. Let’s get started!
Index of contents
- How a cookie works: why look for alternatives?
- Fingerprinting: do you know all the information you leave when visiting a website?
- HTTP header parts
- JavaScript information
- Network information
- Canvas fingerprint, a very specific type of fingerprinting
- What can be done with so much information?
- Discover your vulnerability to fingerprinting with AMIUnique
- How to avoid fingerprinting tracking
- Conclusions
How a cookie works: why look for alternatives?
First of all, you need to know the basic mechanism by which a website that uses cookies operates.
On your first visit to that website, the page’s server gives your browser a very small file (the cookie) containing an identifier along with other data. Then, on successive visits to the site (for as long as the cookie lasts, since it has a specific expiration), the browser delivers that file to the server, which generally uses the identifier to look up a database holding all the information it has saved.
Diagram of how a cookie works.
This is a great mechanism for saving all kinds of information about a user’s preferences on a website, but as you know it is also used for tracking purposes that are sometimes unethical. For this reason, governments have for years made a great effort against cookies, in particular the European Union, whose data protection regulation (GDPR) requires sites to display the well-known cookie notice, which users can reject.
From there, new methods of tracking people on the Internet emerge, which are an easy and powerful complement to cookies.
Fingerprinting: do you know all the information you leave when visiting a website?
The basis of fingerprinting is to take advantage of all the metadata about your device that you leave when accessing a web page. These can be divided into three groups: parts of the HTTP header, JavaScript information, and network information. Let’s give them a review.
HTTP header parts
When we access a web page, what the browser does is send an HTTP request to the destination server. These requests have a header with all the information necessary to obtain the required page. In addition, they also include basic browser data, such as the following:
- User agent, that is, the browser and operating system used: browser, version, OS, OS architecture, and browser engine.
- Media types acceptable for the response.
- Compression methods supported by the browser.
- Browser language preferences for the response.
- Preference for obtaining a secure page or not.
- …
All this provides a first basis for identification, although the data is obviously not extremely varied.
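An added example, not part of the original article: how a server can derive a repeatable identifier from the headers listed above without setting any cookie. The sample requests are constructed, and FNV-1a is an assumed stand-in hash chosen only because it is compact.

```javascript
// Passive, cookie-less identifier built only from request headers.
// Header names are real HTTP headers; the sample requests are constructed.
const FINGERPRINT_HEADERS = [
  'user-agent',
  'accept',
  'accept-encoding',
  'accept-language',
  'upgrade-insecure-requests',
];

// FNV-1a 32-bit: a small non-cryptographic hash, enough to show the idea.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193);
  }
  return (hash >>> 0).toString(16).padStart(8, '0');
}

// Header names are case-insensitive in HTTP, so normalise them first.
// Headers outside FINGERPRINT_HEADERS (Cookie included) are ignored.
function headerFingerprint(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value).trim();
  }
  const material = FINGERPRINT_HEADERS
    .map((name) => `${name}=${lower[name] ?? ''}`)
    .join('\n');
  return fnv1a(material);
}

// Constructed sample: first visit, no cookie yet.
const firstVisit = {
  'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
  'Accept-Encoding': 'gzip, deflate, br',
  'Accept-Language': 'gl,es;q=0.8,en;q=0.5',
  'Upgrade-Insecure-Requests': '1',
};
// Same browser on a later visit: whatever cookie it sends makes no difference.
const secondVisit = { ...firstVisit, Cookie: 'session=constructed' };
// Same browser with only the language preference changed.
const otherLanguage = { ...firstVisit, 'Accept-Language': 'en-US,en;q=0.5' };

console.log('same id across visits:', headerFingerprint(firstVisit) === headerFingerprint(secondVisit));
console.log('same id after language change:', headerFingerprint(firstVisit) === headerFingerprint(otherLanguage));
```

The identifier survives cookie deletion because nothing is stored on the client, and a single changed header is enough to produce a different one.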
JavaScript information
In addition to all the information built into the HTTP protocol, which is not much for fingerprinting purposes, we have to mention everything that can be obtained through JavaScript, taking advantage of the potential of browser engines. Without JS the web would not exist as we know it, and many interesting services would disappear. But of course it can also be used maliciously or, at least, questionably.
Here is a list of some of the attributes that the AMIUnique website, which we will talk about below, collects about us:
- Cookies activated or not.
- User’s time zone.
- Preferred languages of the user’s browser.
- List of fonts installed on the computer.
- Use of the AdBlock extension.
- The browser’s “Do Not Track” setting.
- Browser properties.
- Hardware concurrency (number of threads on the computer).
- Approximate memory of the computer.
- Activated plugins.
- Screen resolution.
- Permissions granted.
- WebGL renderer, to reveal the computer’s graphics card.
There is still more data, and cross-referencing all of it certainly gives a fairly clear picture for identifying a user. The methods involved are obviously not simple, but a company with strong data mining capabilities will be able to exploit them well.
Network information
Apart from the information that can be obtained through the browser’s JavaScript features, a lot of information can also be extracted about the network used to access the site.
Starting from our public IP address, the web server can easily estimate our geolocation. Obviously everything depends on how good the system used is and on whether our IP lends itself to being geolocated well. They may guess the city or even the small town in which we live, but we may also see other services place us in a totally different region from the one we inhabit.
Other easily detectable characteristics of the network include, for example, the autonomous system or ASN used, which basically has to do with the IP addresses assigned to it. What they would get here is a good determination of our Internet service provider. For example, in my case a simple check in WhatIsMyASN would reach one of the ASNs assigned to Vodafone Spain.
Canvas fingerprint, a very specific type of fingerprinting
Within this context, another very important form of tracking is the canvas fingerprint, also called canvas fingerprinting, which consists of using the HTML5 canvas element instead of cookies or the other data that we have shown you.
How does this method work? Basically, when a user enters the page, the page tries to draw a hidden 3D canvas element (a canvas in HTML5 is used to draw graphics), from which certain data such as the rendering time of the GPU can be extracted. This allows all the small variations between browsers and computers to be converted into a single “token” that acts as a fingerprint.
To what extent can it help tracking? In a study with about 300 participants, a variability of about 5 or 6 bits was found in the fingerprint obtained for the same user. For this reason, it is not a method that by itself provides great identification potential, but it is one more tool for advertising tracking.
What can be done with so much information?
A big question is to what extent so much information can be exploited for the economic purposes to which we are accustomed. It might seem that not much can be gained here, since the implicit personalization of cookies is lacking. But through the use of big data and data mining, and the power of giants like Facebook and Google, it is possible to create a fairly faithful anonymous profile of a user and show them personalized advertising, or even take advantage of logins or other cookies to determine reliably that whoever is browsing is a specific person.
A large company with a high and varied volume of traffic, and where millions of other pages also inject their code, has good potential for fingerprinting.
Discover your vulnerability to fingerprinting with AMIUnique
One of the most interesting web pages for demonstrating the existence of this technique is AMIUnique (“Am I unique?”). When we visit it, all the aforementioned data is recorded in order to determine to what extent our fingerprint is unique in its database.
For each piece of information, it gives us the percentage of users who share that characteristic, which gives us a very interesting idea of which aspects give us away the most. Let’s go with an example, where I will compare myself with some 120,000 different fingerprints collected in the last 30 days:
Of course, the system does not give us away and neither does the browser, but the specific version does, and in this case also the language, because I have selected Galician, Spanish and English, something that the website knows perfectly.
We can also see that my canvas fingerprint is indeed checked, and that the server can even get a list of more than 200 fonts installed on my system, or 40 specific properties of the browser. The key is clearly in a correct triangulation of all this data, and obviously in analyzing all the other traces that we leave when browsing. Taking into account that cookies are often used, combining them with fingerprinting and the other small residual clues that we leave when browsing can favor our identification.
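An added example, not part of the original article: converting the per-attribute percentages that AMIUnique reports into bits of identifying information and comparing the sum with what is needed to stand alone among the 120,000 fingerprints mentioned above. The attribute shares are constructed sample values, not AMIUnique results, and summing them assumes the attributes are independent.

```javascript
// Surprisal of one attribute value: the rarer the value, the more bits it reveals.
function bitsFromShare(sharePercent) {
  if (!(sharePercent > 0 && sharePercent <= 100)) {
    throw new RangeError(`share must be in (0, 100], got ${sharePercent}`);
  }
  return -Math.log2(sharePercent / 100);
}

// Bits needed to single out one fingerprint in a data set of the given size.
function bitsToBeUnique(populationSize) {
  return Math.log2(populationSize);
}

// Sum the per-attribute bits. Assumption: attributes are independent, which
// overestimates the total (browser version and OS, for instance, correlate).
function analyse(attributes, populationSize) {
  const rows = attributes
    .map(({ name, sharePercent }) => ({ name, bits: bitsFromShare(sharePercent) }))
    .sort((a, b) => b.bits - a.bits);
  const totalBits = rows.reduce((sum, row) => sum + row.bits, 0);
  const needed = bitsToBeUnique(populationSize);
  return { rows, totalBits, needed, likelyUnique: totalBits >= needed };
}

// Constructed sample shares (percent of users with the same value).
const sample = [
  { name: 'Operating system', sharePercent: 50 },
  { name: 'Browser version', sharePercent: 6.25 },
  { name: 'Content language', sharePercent: 0.1 },
  { name: 'Time zone', sharePercent: 25 },
  { name: 'Canvas', sharePercent: 3.125 },
  { name: 'Do Not Track', sharePercent: 50 },
];
const POPULATION = 120000; // data set size quoted in the article

const report = analyse(sample, POPULATION);
// The same profile with the rare language list removed.
const withoutLanguage = analyse(
  sample.filter((a) => a.name !== 'Content language'), POPULATION);

for (const { name, bits } of report.rows) {
  console.log(`${name.padEnd(18)} ${bits.toFixed(2)} bits`);
}
console.log(`total ${report.totalBits.toFixed(2)} bits, needed ${report.needed.toFixed(2)}`);
console.log(`unique with language: ${report.likelyUnique}, without: ${withoutLanguage.likelyUnique}`);
```

Sorting by bits shows which setting to normalise first: in this constructed profile the unusual language list alone contributes more than the other five attributes put together.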
How to avoid fingerprinting tracking
It is evident that the majority of users do not take action against these forms of tracking, even if they know all the methods, such as fingerprinting, used by large companies. It is a question that each person must weigh up. For example, I personally take no action against this, but surely many people see more risks than benefits. So what are the most reasonable methods to avoid fingerprinting? Let’s quickly list some ideas:
- Check your browser extensions. If they have excessive permissions, they could be taking advantage of your browsing to do fingerprinting. Ideally it is recommended not to use any extensions.
- If you can’t help being unique, do it multiple times. It could be more difficult to follow you if you use multiple browsers or networks for the different tasks you do on the Internet.
- Use a privacy-friendly browser. We will not go into great detail, beyond indicating that for example Firefox claims to block requests from servers associated with companies known to use fingerprinting techniques.
- Use more privacy-friendly services. In addition to the browser, there are the services we use themselves. Although it is difficult to completely get rid of Facebook or Google, you can try looking for alternatives, such as doing searches with DuckDuckGo. This is perhaps the most difficult to accomplish, as many are not willing to accept a worse service in exchange for more privacy. You can also try to disable all the tracking settings that the services you use let you change, or reject the use of cookies, but some things will always be unavoidable.
- Maybe use a VPN? Theoretically these services avoid tracking tactics, but there is a great debate about whether they really take care of users’ privacy, so we leave that as a question mark. What would certainly help would be to use Tor, whose browser tries very hard to make all users appear the same, although the disadvantage will be the speed of the network.
Many more techniques could be mentioned that might help make tracking difficult, but we are not sure enough of their usefulness.
In general, it is quite difficult to escape the clutches of the technological giants, but it is certainly not impossible if we insist on doing it. Everything depends on each person’s decision, since a good part of the people who know about these practices clearly decide to give in or simply ignore their existence. It is undoubtedly an interesting subject for discussion that goes beyond the purposes of this article, but for this there is also the comment box.
Conclusions
The Web has come a long way in recent years. Not only do we have a greater number of services and utilities available, more detailed and unique designs, previously unthinkable functionalities, security improvements… But many bad things have also surfaced. And we are not talking about sites insisting on activating notifications and subscribing to newsletters, but about user tracking techniques that are used for commercial or even malicious purposes.
The tracking technique par excellence is the cookie, where an “agreement” between the browser and the web server, with the implicit consent of the user, leads to the storage of a small file on our computer that will serve as an identifier on subsequent visits to the website. This allows us to save preferences, sessions or other important information, but also allows them to follow our trail around the page. In the case of technological giants such as Facebook or Google, they also manage to follow us on thousands of websites thanks to the integration of their services with them, and thus they show us all kinds of personalized advertising.
With cookies in the spotlight, alternative tracking techniques also emerge. Fingerprinting is the most important of them, which is why we have dedicated this article to it. It is based on something as simple as collecting all the possible metadata that we leave when accessing the web, with trivialities such as the preferred language, browser used, preferences, and dozens of other small details. When all of them are combined, they manage to identify us in a unique way. They will not know our name, but it does not matter: with techniques similar to cookies they can get to know it, and in any case they will know hundreds of preferences and interests that they can use for commercial purposes.
It is important to know that this exists, and from there each person can decide whether to take action on it or not. This question would already go beyond the original purposes of the article, which do not go beyond informing, but of course it is a very interesting matter of debate, and as always the comment box remains open.