If you think that IP address, cookies and HTTP headers are the only factors used to uniquely identify and track users around the web… you are terribly wrong!
New, modern fingerprinting techniques rely on multiple factors:
- IP address
- HTTP headers (User agent, referer, etc)
- HTML5 APIs (WebRTC, Battery API, etc)
- HTML5 and CSS3 features detection
- CSS media queries
- Browser plugins (Flash, Silverlight, Java, etc)
- Browser add-ons
- Browser options (Do-Not-Track etc)
- Browser storage
- System fonts
- TLS/SSL Session IDs
- Hardware detection (Camera, Mic, Touch screen, etc)
- Screen (resolution, color depth, pixel density, etc)
- Audio and video codecs
- Accessibility features
Recent W3C additions to HTML standards allow developers to communicate with the user device for enhanced options in websites, apps or games. It is not surprising that many APIs are exploited to actually calculate a more precise user fingerprint.
What is a fingerprint?
Imagine you walk into a shop and at the entrance an advanced camera scans you and saves information such as body type, height, skin color, clothes, shoes, walking style, tone of voice, etc. All this data is then serialized and passed through a hashing function to calculate your unique fingerprint. The next time you visit the shop, or a shop of the same franchise, even if you are dressed differently, a quick analysis can still associate your fingerprint with the one from your previous visit.
The same happens when you visit a webpage with a browser, without the user's explicit cooperation.
It doesn’t matter whether you are logged in or have disabled cookies. It is still possible to associate a user with a token. The technique is not 100% accurate (yet), but it continues to evolve.
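The serialize-and-hash step, and the reason one changed attribute does not break the association, can be shown in a few lines. This is an added example, not code from the original article: the attribute values are constructed, FNV-1a is used only as a small stand-in hash, and the `similarity` measure is an assumed illustration of the "quick analysis" mentioned above.

```javascript
// Constructed attribute sets; none are measurements of a real browser.
const visit1 = {
  userAgent: "ExampleBrowser/1.0 (X11; Linux x86_64)",
  screen: "1920x1080x24",
  timezone: "UTC+1",
  fonts: ["DejaVu Sans", "Liberation Serif", "Noto Sans"],
  doNotTrack: "1",
  canvasToken: "c0ffee01",
};
// Same device after a browser update: only the user agent changed.
const visit2 = { ...visit1, userAgent: "ExampleBrowser/1.1 (X11; Linux x86_64)" };
// A different device that happens to share one setting.
const stranger = {
  userAgent: "OtherBrowser/7.2 (Windows NT 10.0)", screen: "1366x768x24",
  timezone: "UTC-5", fonts: ["Arial", "Calibri"], doNotTrack: "1", canvasToken: "9a1b77e2",
};

// Canonical serialization: sorted keys, so property order cannot change the token.
function serialize(attrs) {
  return Object.keys(attrs).sort()
    .map((k) => `${k}=${[].concat(attrs[k]).join(",")}`).join("|");
}

// FNV-1a, 32-bit, over UTF-16 code units (stand-in hash; the samples are ASCII).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(attrs) { return fnv1a(serialize(attrs)); }

// Fraction of attributes whose values are identical in both sets.
function similarity(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  let same = 0;
  for (const k of keys) if (String(a[k]) === String(b[k])) same++;
  return same / keys.size;
}

console.log(fingerprint(visit1), fingerprint(visit2), similarity(visit1, visit2));
```

The exact hash changes as soon as one attribute changes, but the attribute-by-attribute comparison still ties the two visits together, which is why altering a single value such as the user agent does little against this kind of tracking.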
The Electronic Frontier Foundation researched browser fingerprinting in the publication “How unique is your Web Browser?” (PDF). An accurate description of device fingerprinting is on the WebKit Wiki and on Wikipedia.
When the browser visits a webpage with a canvas fingerprinting script, it is instructed to draw a hidden graphic that gets converted to a token. The uniqueness of the token depends on factors like the browser, operating system and installed graphics hardware.
To avoid Canvas fingerprinting you can either:
- use NoScript, uMatrix or CanvasFingerprintBlock (Chrome only) extensions
- use Tor Browser
According to research, the Battery Status API is able to get the level, charging time and discharging time of the device battery. All this data combined is nearly unique for each device and battery status, potentially allowing the tracking of activities on the web.
A paper (PDF) titled “The leaking battery – A privacy analysis of the HTML5 Battery Status API” targets Firefox users on Linux systems. As a result of the impressive study: “We propose minor modifications to Battery Status API and its implementation in the Firefox browser to address the privacy issues presented in the study. Our bug report for Firefox was accepted and a fix is deployed.”
On Chrome you can install the add-on Battery Info Blocker to prevent websites from accessing your battery info.
To avoid WebRTC leaks you should use Firefox and disable WebRTC: open about:config, find the value media.peerconnection.enabled and set it to false.
On Chrome you can install the add-on WebRTC Block, but IP leaks might still occur.
Developers can use the Resource Timing API to collect complete timing information related to resources on a document. Concerns involving privacy are expressed in the Working Draft: “Statistical fingerprinting is a privacy concern where a malicious web site may determine whether a user has visited a third-party web site by measuring the timing of cache hits and misses of resources in the third-party web site.”
If you use Firefox you can disable this API by opening about:config and setting the options dom.enable_resource_timing, dom.enable_user_timing and dom.performance.enable_user_timing_logging to false.
If enabled, geolocation can reveal your physical location, compromising your privacy. Modern browsers always ask permission before revealing your location to websites and apps requesting it.
To disable this feature permanently on Firefox, open about:config in the address bar, look for the geo.enabled value and set it to false.
On Chrome go to Settings, then Show advanced settings, find the Privacy block and click on Content settings; in this window look for Location and select the option Do not allow any site to track your physical location.
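The Firefox about:config changes described above for WebRTC, the Resource Timing API and geolocation can be verified in one pass. The following is an added example, not part of the original article: it parses the text of a profile's prefs.js or user.js and reports which of those preferences are not explicitly set to false. The sample profile text is constructed.

```javascript
// Added example: audit prefs.js / user.js text for the preferences this page says to set to false.
const REQUIRED_FALSE = [
  "media.peerconnection.enabled",               // WebRTC
  "dom.enable_resource_timing",                 // Resource Timing API
  "dom.enable_user_timing",
  "dom.performance.enable_user_timing_logging",
  "geo.enabled",                                // geolocation
];

// Parse user_pref("name", value); lines. A later line overrides an earlier one,
// and commented-out lines are ignored because the pattern is anchored.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    let value;
    try { value = JSON.parse(m[2]); } catch (e) { value = m[2]; }
    prefs.set(m[1], value);
  }
  return prefs;
}

// "ok" = explicitly boolean false; "wrong-value" = set to anything else;
// "unset" = absent, so the browser's built-in default applies (not known here).
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return REQUIRED_FALSE.map((name) => {
    if (!prefs.has(name)) return { name, status: "unset" };
    const value = prefs.get(name);
    return { name, status: value === false ? "ok" : "wrong-value", value };
  });
}

// Constructed sample profile text, not taken from a real profile.
const SAMPLE_PREFS = [
  'user_pref("media.peerconnection.enabled", false);',
  '// user_pref("dom.enable_resource_timing", false);',
  'user_pref("dom.enable_user_timing", "false");',
  'user_pref("geo.enabled", false);',
  'user_pref("geo.enabled", true);',
].join("\n");

for (const r of auditPrefs(SAMPLE_PREFS)) console.log(r.status.padEnd(12), r.name);
```

In the sample, the commented-out line, the string `"false"` and the later `geo.enabled` override are each reported as not hardened, which are the mistakes most likely to slip into a hand-edited user.js.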
A paper (PDF) titled “Hardware Fingerprinting Using HTML5” shows new potential techniques that rely on the ability to communicate with device hardware to get a specific hardware fingerprint in addition to a software-based one (browser, OS, etc).
The paper shows that hardware like GPU (modern browsers use hardware acceleration), camera, speakers and mic, motion sensors, GPS and battery can all be accessed with HTML5 (not always with user permission) and in particular GPU can effectively be used to fingerprint users.
What is fingerprinting?
EFF: How Unique Is Your Web Browser? (PDF)
EFF: Panopticlick tests your browser to see how unique it is
The Web never forgets: Persistent tracking mechanisms in the wild
A privacy analysis of the HTML5 Battery Status API
Resource Timing API Working Draft
Hardware Fingerprinting Using HTML5
Browser leaks and web browser fingerprinting
Modern & flexible browser fingerprinting library