How to Reduce Your Browser's Fingerprint

The internet-using public is increasingly aware of the dangers to privacy posed by HTTP browser cookies - small text files stored on your computer by websites which can be used not only to identify you when visiting a particular website, but also by other websites so that you can be tracked as you surf online.

In May this year (2013) the EU ‘cookie law’ came into force, requiring EU websites and all websites that serve an EU audience to ask permission from visitors before leaving ‘non-essential’ cookies on their computers. In practice, implementation and enforcement of the law has been patchy and only partially effective at best (and not helped by some very vague wording), but it has helped to raise awareness about cookies among netizens everywhere.

Websites (and in particular third party analytics and advertising domains) however gain a great deal financially from the use of cookies, and have thus looked for new ways to uniquely identify and track website visitors by other means. One of these methods is the use of supercookies (including Flash cookies and zombie cookies), and another is browser fingerprinting (HTTP E-Tags, web storage, and history stealing are also lesser used methods which we will discuss in another article).

What is browser fingerprinting?

Whenever you visit a website your browser sends data to the server hosting that site. This data includes basic information such as the browser name, operating system, and exact version number of the browser. This information is known as a passive browser fingerprint because it is sent automatically.

However websites can also easily install scripts that ask for additional information, such as a list of all installed fonts and plugins, supported data types (so-called MIME types), screen resolution, system colors and more. Because this information has to be solicited from your browser, it is known as active fingerprinting.

Taken together, the various fingerprint attributes can be combined almost instantly (it takes just a few milliseconds to run algorithms that compare millions of fingerprints) to create a unique fingerprint that can be used to very accurately identify an individual user, even if cookies have been deleted or the IP address has changed between website visits.

How unique is your browser fingerprint?

The EFF’s research shows that ‘if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint.’ As part of its investigation it has created the Panopticlick website, which actively fingerprints your browser, and tells you how unique it is.



We use a lot of privacy-related plugins in our browser, which ironically makes us more unique, and therefore identifiable by fingerprinting

Can I change my fingerprint?

Every time you install a new font or plugin, or otherwise change one of the fingerprinted attributes, you change your fingerprint. The most important attributes in this regard are the list of installed plugins, supported MIME types, and installed fonts, which alone when combined with the browser’s User Agent (which provides information about the browser) allow unique identification with an 87 percent accuracy.

Unfortunately, the EFF determined that even when ‘fingerprints changed quite rapidly, … even a simple heuristic was usually able to guess when a fingerprint was an “upgraded” version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%’.
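To see why a small change does not break the link, here is a simplified linking heuristic. It is an added illustration, not the EFF's algorithm or code from this article; the attribute names, the sample fingerprints and the 0.7 similarity threshold are all assumptions.

```javascript
// Attributes compared by this illustrative heuristic (names are assumptions).
const ATTRS = ["ua", "plugins", "fonts", "mime", "screen", "timezone"];

// Constructed fingerprints previously recorded by a hypothetical site.
const seen = [
  { id: "A", ua: "Firefox/22.0", plugins: "Flash 11.7", fonts: "f1", mime: "m1", screen: "1366x768", timezone: "0" },
  { id: "B", ua: "Chrome/28.0", plugins: "Flash 11.8", fonts: "f2", mime: "m2", screen: "1920x1080", timezone: "-300" },
];

// Names of the attributes whose values differ between two fingerprints.
function changedAttrs(a, b) {
  return ATTRS.filter((k) => a[k] !== b[k]);
}

// Fraction of the longer string covered by the common prefix. A version
// bump ("Firefox/22.0" -> "Firefox/23.0") leaves most of the string intact.
function prefixSimilarity(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i / Math.max(a.length, b.length, 1);
}

// Link a new fingerprint to an earlier one when exactly one attribute
// changed, the change looks like an upgrade, and only one candidate fits.
// Returns the earlier record's id, or null when no confident link exists.
function linkUpgraded(fresh, known, minSimilarity = 0.7) {
  const candidates = known.filter((old) => {
    const diff = changedAttrs(old, fresh);
    return diff.length === 1 &&
      prefixSimilarity(old[diff[0]], fresh[diff[0]]) >= minSimilarity;
  });
  return candidates.length === 1 ? candidates[0].id : null;
}

// Browser A after a routine Firefox update: still recognised as "A".
console.log(linkUpgraded({ ...seen[0], ua: "Firefox/23.0" }, seen));
// Browser A with a completely different User Agent: no link, but the
// resulting fingerprint is new and therefore unique in this data set.
console.log(linkUpgraded({ ...seen[0], ua: "Opera/12.16" }, seen));
```
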

It is possible to change a browser’s User Agent, which has the most dramatic effect on changing your fingerprint, but many websites rely on being given the correct User Agent to function properly, so this is not an ideal solution. In addition to this, by changing your User Agent you actually increase your browser’s uniqueness (we discuss this more below), but if you do want to try doing it then check out guides for doing so in desktop browsers, Android and iOS Safari.


Changing our User Agent in Chrome

One of the most frustrating and paradoxical aspects of fingerprinting is that any measures you take to prevent tracking, such as blocking Flash cookies or changing your User Agent, actually make you more uniquely identifiable. The truth is that protecting yourself from being fingerprinted is currently difficult to the point of being impossible, but there are things that you can do to minimize the problem.

The most important of these is to use a popular browser that is as ‘plain vanilla’ (i.e. as unmodified) as possible, so that you blend in with the majority of non-tech-savvy internet users who never install additional plugins or otherwise tamper with their software. Firefox and Chrome are therefore good choices for desktop users (Safari isn’t too bad, but Microsoft Internet Explorer gives away more identifying information than the others do), while iOS Safari users are safer than Android users because iOS Safari is less customizable (and therefore less unique) than the stock Android browser. Ideally you should also use the plainest Operating System possible, so a freshly installed Windows 7 (the world’s most popular OS) with no additional software or fonts would be best, although admittedly totally impractical for most people.

While most privacy enhancing measures (which we cover in some detail in our Ultimate Privacy Guide) actually decrease your privacy when it comes to fingerprinting, the EFF noted that Torbutton (and the Tor network in general) gave ‘considerable thought to fingerprint resistance’, and that ‘NoScript is a useful privacy enhancing technology that seems to reduce fingerprintability.’ Commendable as these efforts are however, such measures are not perfect, as fingerprinting expert Henning Tillmann explained, ‘Everyone using Tor has a similar browser fingerprint and if a website only has one visitor using Tor this makes him or her unique and identifiable.’
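The paradox described above (every modification shrinks the crowd you hide in) can be made concrete by measuring anonymity sets. The following is an added example, not code from this article or the EFF; the visitor data and attribute names are constructed for illustration.

```javascript
// Constructed sample: what 8 visitors' browsers reported to one site.
const vanilla = { ua: "Firefox/23 Win7", plugins: "Flash,Java", fonts: "default", screen: "1366x768" };
const visitors = [
  vanilla, vanilla, vanilla, vanilla, vanilla,        // unmodified installs
  { ...vanilla, screen: "1920x1080" },                // same software, other monitor
  { ...vanilla, plugins: "NoScript,Ghostery", fonts: "default+12" }, // privacy plugins, extra fonts
  { ua: "TorBrowser", plugins: "", fonts: "default", screen: "1000x800" }, // the site's only Tor user
];

// Canonical key: the same attribute values always yield the same string.
function fingerprintKey(v) {
  return Object.keys(v).sort().map((k) => `${k}=${v[k]}`).join("|");
}

// For each visitor: how many visitors share the fingerprint (the anonymity
// set) and the surprisal in bits, log2(population / setSize).
// The EFF's "one in 286,777" corresponds to log2(286777), about 18.1 bits.
function anonymityReport(population) {
  const counts = new Map();
  for (const v of population) {
    const key = fingerprintKey(v);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return population.map((v) => {
    const setSize = counts.get(fingerprintKey(v));
    return { setSize, bits: Math.log2(population.length / setSize), unique: setSize === 1 };
  });
}

// Shannon entropy (bits) of one attribute across the population: the more
// distinct and evenly spread its values, the better it identifies people.
function attributeEntropy(population, attr) {
  const counts = new Map();
  for (const v of population) counts.set(v[attr], (counts.get(v[attr]) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

console.log(anonymityReport(visitors));
console.log("plugins entropy (bits):", attributeEntropy(visitors, "plugins").toFixed(2));
```

In this sample the five unmodified browsers are indistinguishable from each other, while the visitor with privacy plugins and the lone Tor user each form an anonymity set of one.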

Tips to prevent tracking

  • Use a freshly installed copy of Windows 7
  • Use an unmodified Chrome or Firefox browser
  • Use a VPN service to mask your IP address and encrypt your browsing data (or use Tor)
  • Clear browser cache and cookies after every session (working in the browser’s ‘privacy mode’ should have a similar effect)
  • Disable or don’t install JavaScript (unfortunately though, many websites will not work properly without it)
  • Disable or (better yet) don’t install Flash. Unfortunately, again, Flash is responsible for a lot of the more user-friendly features and functionality found on the web.
  • Visit the EFF’s Panopticlick website to see how effective your measures have been

Conclusion

‘Browser fingerprinting is a powerful technique, and fingerprints must be considered alongside cookies, IP addresses and supercookies when we discuss web privacy and user trackability. Although fingerprints turn out not to be particularly stable, browsers reveal so much version and configuration information that they remain overwhelmingly trackable’ - EFF.

As we internet users have become more aware of privacy and tracking issues, so have those who would track us become increasingly devious in their methods of doing so. With fingerprinting this has reached the point that it is almost impossible to prevent (although as noted above there are steps that can be taken to make it more difficult). The EFF therefore concludes its report by saying that the answer lies in government action and legislation, and that ‘policymakers should start treating fingerprintable records as potentially personally identifiable, and set limits on the durations for which they can be associated with identities and sensitive logs like clickstreams and search terms’.

Now it has to be said that we have very limited faith in governments’ will or ability to enact such changes (although the EEC ‘cookie laws’ at least show some positive intention in this direction), so in the meantime we will just have to take as many measures as we can live with (since all measures impact our user experience in some way), and hope for the best.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

23 Comments

  1. Not Sure

    on January 10, 2019

    Hi There! I think the best idea is using TENS OS created by Air Force Research Laboratory or TAILS OS. Also Parrot OS Live Mode is very secure but we have to make some changes inside the browser Firefox in about:config. Furthermore, the best User Agent is so-called Tor Browser Bundle i.e. (Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0). With a good browser setting, your system information should not exceed 8 bits, referring to panopticlick. And don't use Google Chrome browser, never ever. During the meetings with Black Hat representatives, I received many useful tips and tricks on how to hide from any web page. Of course, this is not my goal, but sometimes it helps especially if the admins of the webpage are not honest people. Mr. Assen Kirilov

  2. Ryan Paul

    on October 31, 2017

    Nice article. Very clear and interesting. Where did these nodes come from? How are they made....what are they? Why did someone in the Navy release this tech, and how is it powered/what's it look like? I googled "does accessing your emails while using a vpn give you away straight away" and this was the first link. Or using facebook? Or using facebook to write a review or click a like on another site? Or using any login, in your name? Where did you learn all the information in your articles from? Really interested in that. You sound IT educated, if so, in what and how far? What are your thoughts on the TV series Mr Robot lol. Sorry for the grammar, I'm using microsoft notepad. How is TOR not 100% safe, why is it no matter what you do it's not actually 100% secure? I think you said there is always a security flaw in a system? - why? How long has TOR been around? I heard using TOR on a PC with windows installed is another privacy/security issue? Is that still true? And what was the issue with using windows? Is running tails on a USB key any safer than using a CD? Why can't these nodes be shutdown/logged/disrupted, again what the hell are they? With TOR don't you need an invite? And every message is encrypted and you need the other guy's key to decipher things but isn't it hard to get your own key or something, to begin even sending messages, like a correct process to beginning? Looking forward to your reply, Ryan Paul 138 arrow cresent Old Town State Franko-marko City

    1. Douglas Crawford replied to Ryan Paul

      on October 31, 2017

      Hi Ryan, I think most of these questions will be answered if you read through my Tor Review and the Wikipedia article. - I have a degree in philosophy, but have owned a computer since the early 80's and have worked as a computer repair technician, web designer, sound engineer, and technology journalist. - Nothing is 100% "safe", but Tor is as good as it gets. - Windows is Microsoft spyware (and Microsoft has a history of cooperating with the US government). - Technically running TAILS on a non-rewritable CD (finalized CCR) is more secure, but this is not a major concern.

  3. GR

    on April 3, 2017

    Scaremongering seems to be the only thing some people are good at! Any legal authority can query (read legally force) your phone company to surrender your personal details if needed, and I doubt they'd opt to use “browser fingerprinting” which is nothing but a joke.

    1. Douglas Crawford replied to GR

      on April 4, 2017

      Hi GR, Browser fingerprinting is not widely used by government agencies (as far as we know), but it is widely used by websites to track visitors for advertising purposes. As for a legal authority being able to demand that your ISP surrender your personal details if needed - sure, but using a good no logs VPN (preferably based well outside the jurisdiction of your local legal authority) is a good defense against this.

  4. anonymous

    on March 31, 2017

    Not a bad suggestion but there is a problem or two. TOR will not give out bridge information without a fully traceable email address like gmail, yahoo, bing, similar. And all those want your identity, including a cell phone number. Buying bitcoin can leave a trail too. The initial purchase usually is not in person but online and with the use of a credit/debit card with your identity attached to the transaction. There are many ways to be anonymous. The more private you want to be the more work you have to do and the more 'they' will watch you. Beware of the fourteen eyes countries....
