What is Device Fingerprinting?
A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification.
What are the sources of info?
Device fingerprinting is the process of reading and measuring various data about your device, such as screen size, installed fonts, and plugins, and calculating the degree to which the combination of them is unique. For example, the combination of your screen resolution, your Flash plugin and Decryption Module, as well as the fonts that are installed on your computer might be enough to identify you specifically.
Ironically, this also means that if you install a laundry list of add-ons in order to protect your privacy, you may actually be creating a larger, more identifiable fingerprint for trackers to read.
Applications that are locally installed on a device are allowed to gather a great amount of information about the software and the hardware of the device, often including unique identifiers such as the MAC address and serial numbers assigned to the machine hardware. Indeed, programs that employ digital rights management use this information for the very purpose of uniquely identifying the device.
Even if they aren’t designed to gather and share identifying information, local applications might unwittingly expose identifying information to the remote parties with which they interact. The most prominent example is that of web browsers, which have been shown to expose enough diverse and stable information to allow remote identification; see § Browser fingerprint.
Diverse and stable information can also be gathered below the application layer, by leveraging the protocols that are used to transmit data. Sorted by OSI model layer, some examples of such protocols are:
- OSI Layer 7: SMB, FTP, HTTP, Telnet, TLS/SSL, DHCP[28]
- OSI Layer 5: SNMP, NetBIOS
- OSI Layer 4: TCP (see TCP/IP stack fingerprinting)
- OSI Layer 3: IPv4, IPv6, ICMP, IEEE 802.11[29]
- OSI Layer 2: CDP[30]
Passive fingerprinting techniques only require the fingerprinter to observe traffic originating from the target device, while active fingerprinting techniques require the fingerprinter to initiate connections to the target device. Techniques that require interacting with the target device over a connection initiated by the device itself are sometimes called semi-passive.
How does fingerprinting work?
Fingerprints are typically described by their entropy, measured in bits. A fingerprint with 3 bits of entropy identifies you as one among 8 (2³) people. A fingerprint with 10 bits of entropy means only one in 1024 (2¹⁰) people shares your fingerprint. Because these numbers grow exponentially, a fingerprint with 15 bits of entropy is twice as identifying as one with 14 bits, and four times as identifying as one with 13 bits.
Of the elements that are typically most revealing, the user agent (a formal description of what browser you’re using), plugins, and fonts tend to provide the most entropy. In fact, my own font list provides 18 bits of entropy, meaning that only one in 261,144 people’s browsers share my font list. You can test your own fingerprint by participating in the EFF’s Panopticlick project, which will give you an array of data showing what factors identify you most.
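As an added example (not from the original article), the entropy arithmetic above, together with the earlier point that a rare combination of add-ons makes you more identifiable, worked over a constructed population of 64 browser records; the same code also shows why a user agent spoofed to mismatch the rest of the fingerprint stands out rather than blends in. The records, attribute names and counts are invented for illustration.

```python
from collections import Counter
from math import log2

# Constructed population of 64 fingerprint records (illustrative, not real measurements).
# Each record: (browser family, platform, screen resolution, installed-font profile).
COMMON = ("Chrome", "Windows", "1920x1080", "common")
HONEST_FIREFOX = ("Firefox", "Linux", "1920x1080", "common")
ADDONS = ("Firefox", "Linux", "1920x1080", "many-addons")  # privacy add-ons change the font/plugin profile
SPOOFED = ("Chrome", "Linux", "1920x1080", "common")       # Firefox-on-Linux user spoofing a Chrome UA
POPULATION = (
    [COMMON] * 29
    + [("Chrome", "Windows", "1366x768", "common")] * 14
    + [("Firefox", "Windows", "1920x1080", "common")] * 8
    + [("Safari", "macOS", "2560x1600", "common")] * 8
    + [HONEST_FIREFOX] * 3
    + [ADDONS]
    + [SPOOFED]
)
ALL_ATTRS = (0, 1, 2, 3)
BROWSER_ONLY = (0,)


def _key(record, attrs):
    return tuple(record[i] for i in attrs)


def anonymity_set(records, fp, attrs=ALL_ATTRS):
    """Number of records sharing fp's values on the chosen attributes (1 means unique)."""
    return sum(1 for r in records if _key(r, attrs) == _key(fp, attrs))


def surprisal_bits(records, fp, attrs=ALL_ATTRS):
    """Identifying information carried by one specific fingerprint: -log2(share of population)."""
    return log2(len(records) / anonymity_set(records, fp, attrs))


def entropy_bits(records, attrs=ALL_ATTRS):
    """Shannon entropy (bits) of the attribute combination across the whole population."""
    n = len(records)
    counts = Counter(_key(r, attrs) for r in records)
    return -sum(c / n * log2(c / n) for c in counts.values())


if __name__ == "__main__":
    print(f"browser alone: {entropy_bits(POPULATION, BROWSER_ONLY):.2f} bits; "
          f"all attributes: {entropy_bits(POPULATION):.2f} bits")
    for name, fp in [("common", COMMON), ("honest Firefox/Linux", HONEST_FIREFOX),
                     ("many add-ons", ADDONS), ("spoofed UA", SPOOFED)]:
        print(f"{name:22s} anonymity set {anonymity_set(POPULATION, fp):2d}, "
              f"{surprisal_bits(POPULATION, fp):.2f} bits")
```

Adding attributes only ever raises the entropy of the combination, and the record with the unusual add-on profile ends up alone in its anonymity set (6 bits, i.e. unique among 64), as does the spoofed user agent once it is combined with the platform it contradicts.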
So how do you protect against fingerprinting?
Offering a simplified fingerprint
Figure: Typical Tor Browser notification of a website attempting a canvas read.
Users may attempt to reduce their fingerprintability by selecting a web browser which minimizes availability of identifying information such as browser fonts, device ID, canvas element rendering, WebGL information, and local IP address.
As of 2017 Microsoft Edge is considered to be the most fingerprintable browser, followed by Firefox and Google Chrome, Internet Explorer, and Safari. Among mobile browsers, Google Chrome and Opera Mini are most fingerprintable, followed by mobile Firefox, mobile Edge, and mobile Safari.
Tor Browser disables fingerprintable features such as the canvas and WebGL APIs and notifies users of fingerprinting attempts.
Offering a spoofed fingerprint
Spoofing some of the information exposed to the fingerprinter (e.g. the user agent) can reduce diversity. The opposite is achieved if the mismatch between the spoofed information and the real browser information distinguishes the user from everyone who does not use such a strategy.
Spoofing the information differently at each site visit reduces stability.
Different browsers on the same machine would usually have different fingerprints, but if both browsers aren’t protected against fingerprinting, then the two fingerprints could be identified as originating from the same machine.
Blocking scripts
Blindly blocking client-side scripts served from third-party domains, and possibly also first-party domains (e.g. by disabling JavaScript or using NoScript) can sometimes render websites unusable. The preferred approach is to block only third-party domains that seem to track people, either because they’re found on a blacklist of tracking domains (the approach followed by most ad blockers) or because the intention of tracking is inferred by past observations (the approach followed by Privacy Badger).
The best protection comes with the Tor Browser, which is specifically built to provide as small a fingerprint as possible. Additionally, most fingerprinting techniques rely on the use of JavaScript, so disabling JavaScript completely would significantly mitigate your potential to be fingerprinted in the first place. This, however, would also break most of the sites you visit.
An adblocker would provide some protection by blocking the fingerprinting scripts from running in the first place, but it is likely that many could also slip through the cracks due to ad blockers’ dependency on blacklists (if it hasn’t yet been added to the blacklist, it won’t be blocked). I would not recommend using add-ons that claim to switch your user agent around constantly, as this (highly odd) activity alone would likely just add to your fingerprint.
Let's stay safe this pandemic.