paint-brush
The Sneaky Way Web Browsers Are Identifying You (Even When You Turn Off Cookies)by@rampageproxies
508 reads
508 reads

The Sneaky Way Web Browsers Are Identifying You (Even When You Turn Off Cookies)

by Rampage ProxiesDecember 19th, 2024
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

Are you aware you're being tracked? This article discusses the popular yet mostly silent browser fingerprinting and how it creates your perfect online persona.
featured image - The Sneaky Way Web Browsers Are Identifying You (Even When You Turn Off Cookies)
Rampage Proxies HackerNoon profile picture


Like humans, even a browser comes with its own set of fingerprints. Whether you like it or not, these make your browsing activities identifiable through various data collected. Fingerprints, used to track usage, for better or worse, are often used to create an online persona about your activities. Although not all bad, fingerprinting is becoming ever more present in day-to-day browsing. As web data becomes a gold mine, you're slowly contributing to it, for better or worse. A study in 2021 showed that over a quarter of the “Alexa Top 10,000” websites are using browser fingerprinting scripts. Sites such as:


  • Google

  • YouTube

  • Facebook

  • X (Twitter)

  • Amazon

  • Instagram

  • Reddit


If you’ve ever wanted to know how to hide your browser fingerprint and reclaim your anonymity while browsing the net- this one’s for you.

What is browser fingerprinting?

Browser fingerprinting, not to be confused with cookies, is a method of canvasing various metrics about your browsing session to build an “image” of your activity. Websites will collect a large variety of information on you, often without your knowledge. Unlike cookies, fingerprinting requires no consent from the user and has no “opt-out” function, which you’d commonly see when visiting a website for the first time with cookies.


Fingerprints are collected in the background, mostly using a small piece of JavaScript, scanning all available browser and system parameters to create an image of you and your behaviors. Growing to be somewhat invasive, fingerprinting has exploded in recent years in popularity due to its use in advertising and marketing. We're all aware of the price personalised and accurate data can fetch, and your fingerprints provide just that.


Your fingerprints are very unique, and are built over time from the activities you perform and the locations you visit on the web. The Electronic Frontier Foundation found here that only one in 286,777 other browsers will share the same fingerprint as another user."


Fingerprints are not just unique to a single platform, as they can be found on mobile and desktop devices. A study conducted in 2016 looked into 118,934 browser fingerprints and reported that 90% of desktop browsers and 81% of mobile browsers had unique fingerprints.


An easy way to break fingerprinting down is to start by identifying the main components. Like this:


Image Credit: https://hal.science/hal-03212726


Navigators: The browser and its environment

Canvas: HTML5 canvas to measure rendering

WebGL: Reveals GPU and driver information

Font: Systems available and active fonts

Bot: Any non-human-like activity

WebRTC: Network information

Audio: Any unique audio signals or outputsWebGL2: More advanced signals from GL1


However, fingerprinting is becoming more and more complex. Now built from over 70 data points, here’s a look at what typically contributes to a browser fingerprint:

Browser and network information

Websites can track details like your browser version, your device's platform or architecture (e.g., 32-bit or 64-bit), and even your connection type- whether it’s Wi-Fi, 4G, or Ethernet. They’ll also try to check your location through your IP address and examine settings like your timezone and supported encryption protocols during a TLS/SSL handshake. If you're using a proxy or VPN, that can also be detected.

Device-specific details

Through WebGL/GL2, fingerprinting tools look right into the hardware of your device, identifying your GPU (graphics card), CPU with its core count, available memory, and even battery levels. The type of device you're using, whether it's a mobile, desktop, or tablet, also becomes part of the equation.

Browser configuration

Websites will check which fonts you have installed, what extensions you’re running, and even the storage mechanisms available in your browser, such as IndexedDB or WebSQL. Media devices like your webcam or microphone are logged, along with whether you’ve enabled the “Do Not Track” setting.

Visual and rendering data

Visual and rendering data are major components of fingerprinting. From analysing your WebGL renderer to examining display properties like color depth and rendering speeds, every pixel matters- even your response to specific CSS media queries.

Also known as "canvas" fingerprinting, this is often the most common method of fingerprinting, using the HTML5 "canvas" of a browser to build your image.

Behavioral patterns

Your mouse movements, typing cadence, and scroll behavior are surprisingly revealing and personal to you. Websites track these interactions to supplement your fingerprint and make it even harder to avoid detection.

Advanced tracking techniques

Websites can gather data about your audio output settings and oscillator frequencies using the Web Audio API. Canvas fingerprinting is another sneaky trick; analysing how your browser renders an image to extract unique details. Finally, and although rare, sensor data from accelerometers and gyroscopes (often found in mobiles now)

Custom data points

In addition to all the points above, websites check for the use of ad blockers, autofill settings, clipboard access permissions, and even your referrer information (the URL of the page you came from).

Fingerprinting or cookies?

Cookies and browser fingerprints are tools used to track users online, but they operate in fundamentally different ways. Cookies are small pieces of data stored on your device by websites to remember information about your visit, like login details or shopping cart contents. They are transparent and manageable, allowing users to view, delete, or block them through browser settings. Fingerprints, however, are entirely passive; they collect data silently without needing storage on your device or any direct interaction from you.


The key difference lies in consent. Cookies often require user permission through those familiar "cookie consent" banners, allowing users to opt out or limit their use. Fingerprints, however, operate under the radar. There’s no prompt, no disclosure, and certainly none of the “accept all” button. This makes fingerprints far more invasive and harder to detect or counter.


Unlike cookies, which you can delete or block with relative ease, fingerprints are created dynamically by analysing your browser and system configuration, leaving you with little recourse to prevent their use.


Another difference is persistence. Cookies can expire or be manually deleted, meaning their tracking capability is temporary. Fingerprints, are built on data derived from your hardware, software, and behavior, which changes less frequently. This makes fingerprints a long-term tracking method- one that can follow you across sessions, devices, and even different networks, often bypassing traditional privacy tools like private browsing modes or VPNs. While cookies offer at least a method of control, fingerprints are designed to be nearly impossible to erase entirely.


Feature

Cookies

Fingerprints

Tracking

Stored on the user's device, often with explicit consent.

Passive data collection without user consent.

Transparency

Requires user consent; users can view, delete, or block cookies.

Operates silently, often without the user's knowledge or ability to opt out.

Persistence

Temporary; can expire or be deleted manually.

Long-term: built on hardware, software, and behavioral data that rarely changes.

Reach

Limited to a specific website unless shared explicitly.

Tracks users across websites, sessions, devices, and even different networks.

Ease of Avoidance

Can be easily blocked or managed using browser settings or extensions.

Requires advanced measures like anti-detect browsers or specialised tools to minimise exposure.

Disclosure

Openly disclosed via banners and privacy policies.

Almost never disclosed, making it difficult for users to understand when they are being fingerprinted.

How am I being detected?

If you've ever wondered what your browser fingerprints look like (not to be confused with device fingerprints), there's a few really simple ways to test this, using services such as:


These tools provide an easy way to analyse your browser's fingerprint and understand the unique identifiers being collected. They act as a "baseline" for tracking and can help you determine what information is being revealed on websites you visit. Fingerprinting can be a technical nightmare if you're an avid web scraper or automation specialist. As data becomes the most valuable currency on the planet, sites, and apps turn it into almost a vertical climb as you try to extract every ounce.

Here's what a browser fingerprint might look like:


Why am I being fingerprinted?

Fingerprinting, albeit with its privacy concerns, offers a variety of data points for legitimate use cases, often used to protect businesses against fraud, authentication methods, and protecting against various types of automation. Here's a few ways fingerprinting is used outside of tracking and advertising:


Fraud detection: Fingerprints provide an early warning metric to sites that might experience high levels of fraud. Not all who hide their fingerprints are the worried casual; some are more sinister. A scrambled or unauthentic fingerprint can be used to identify those with more harmful intentions and can be the first line of defense against those.


Account creation and recovery: Often, with large social networks, fingerprinting prevents the same user from generating/creating too many accounts. This protects against spam on their site (often written about in their T+C is a fair use clause about how many accounts one person can have) and provides greater protection. For example, fingerprinting is a great way of helping to prevent advertising spam on a social network or preventing mass registration for voting/competition manipulation. In addition to this, matching fingerprints can be a really useful tool for those who require account recovery after forgetting logins, used in authenticating the users’s presence.


Content Personalisation: Like it or not, content personalisation is heavily involved with fingerprinting. Advertising and the personalisation of web pages for you can be built on your usage history, steering you towards the things the sites you believe you'd like to see, hear, or even buy.

Privacy concerns about fingerprinting

The passive nature of browser fingerprinting poses significant privacy concerns. Fingerprinting continues to encroach on your browsing anonymity by the following:


  • Persistent Tracking: Fingerprints can be used to track users across different websites and sessions, even if cookies are cleared, or private browsing modes are used.
  • Lack of Transparency: Users are often unaware that their information is being collected, as fingerprinting operates without explicit consent. This catches a lot of users off guard; most are unaware of the level of tracks they leave behind. It's no longer as simple as using an "incognito" browsing tab. There's never a banner or announcement stating you're being tracked. Silently, the site you're browsing is slowly creating your portrait. Did you know Google Chrome's "incognito" offers zero protection against any fingerprinting or other tracking?
  • Difficulty in Avoidance: Unlike cookies, which can be managed through browser settings, avoiding fingerprinting requires more advanced measures. This creates an unfair playing field for certain groups, such as the elderly, children, and the technically challenged. Without prior knowledge, you'll never know you're being tracked. There's emerging evidence that fingerprinting is being used to create hyper-targeted advertising. Your browsing creates almost the perfect picture of an advertising profile.

Have I been fingerprinted?

Have you ever found yourself browsing online for a product only to notice ads for that item following you across different websites?


Fingerprinted.


When you browse products online, retailers can use your browser fingerprint to recognise you upon return visits, even if you've cleared your cookies. This allows them to tailor product recommendations, adjust pricing strategies, or target you with personalised ads based on your previous interactions. It even goes cross-device, where you might then find adverts on Facebook on your phone for something you looked at two hours ago on a desktop.


A similar concept can be seen when you browse travel websites, airlines, or booking platforms. Browser fingerprinting enables these services to track your unique trail, even if you clear cookies or use incognito mode. By recognising you as a returning visitor, they can use this data to tailor pricing strategies and create a sense of urgency. For instance, repeatedly searching for a specific flight or hotel may signal heightened interest, prompting dynamic price increases to encourage a quicker booking decision before prices rise further.


Browser fingerprinting can also reveal details like your location, device type, and browsing habits, which travel platforms use to personalise offers. If you’re accessing the site from a high-income area or using a premium device, you might be shown more expensive options or excluded from discounts, as the system infers a higher willingness to pay. On the other hand, localised deals or promotions might be presented based on your geographical fingerprint, offering region-specific incentives.


This is known as targeted demographic advertising, and fingerprinting and labeling people based on their online profiles can be seen as a major ethical concern. Here's a great study that explains this.


Additionally, fingerprinting powers cross-site retargeting, allowing travel services to follow you across unrelated websites. After viewing a flight or vacation package, you might notice ads featuring “exclusive discounts” or “limited availability” messaging for the same options. These tactics leverage your browsing behavior to nudge you toward making a purchase, often amplifying the pressure to act quickly.

Avoiding Fingerprinting

As sites scramble to collect all the data possible and track your activities within digital laws, fingerprinting becomes pretty invasive. This is not just for the average Joe, but also for anyone running any scraping or automation online. Fingerprinting becomes a golden sword in the arsenal of tools in the war against the bots.


Luckily for you, there's a few ways to help keep your activities private:

Using an anti-detect browser

Anti-detect browsers are designed to randomise or mask the unique signatures that fingerprinting tools rely on. These browsers typically emulate a variety of configurations for hardware, software, and network environments, making it difficult for trackers to generate a consistent fingerprint.


By creating different user profiles with real fingerprints, they begin to neutralise fingerprinting attempts. This can be particularly beneficial for individuals engaged in automation, scraping, or other activities where anonymity is crucial.


We've covered anti-detect/privacy browsers in great lengths and how to get started in the following posts:


Pairing an anti-detect browser with proxies is a great way to cover your tracks online. Residential proxies offer a method of concealing your IP address and play a key part in any large-scale online scraping or automation operation.


If you're unsure where to start with proxies, we'd recommend reading our residential quick start here, to help give you a good idea of what Rampage offers and the various providers we can arm you with for all your online adventures.

Using extensions/tools

Browser extensions and dedicated tools can also play a key role in preventing fingerprinting. Privacy-focused extensions, such as ad blockers, script blockers, or fingerprint-blocking tools, limit the information websites can extract from your system.

Popular tools and extensions available for this purpose are:


Ethical Concerns for Browser Fingerprinting

Browser fingerprinting raises significant ethical concerns due to its covert and invasive nature. Unlike cookies, fingerprinting operates without explicit user consent, undermining the principles of informed choice and privacy championed by others. The lack of transparency means users are often unaware of the data collected or its potential misuse.


Additionally, fingerprinting can contribute to unethical practices like demographic profiling or discriminatory pricing. For instance, users from specific locations or with high-end devices may face inflated prices, exacerbating inequality. Furthermore, the difficulty in avoiding fingerprinting disproportionately affects vulnerable groups, such as children or those less technologically savvy, increasing the digital divide.


Despite ethical concerns, fingerprinting remains legal in many territories and is used within the boundaries of existing digital laws. In regions like the EU, the General Data Protection Regulation (GDPR) dictates transparency and a lawful basis for data collection, but fingerprinting often exploits loopholes due to its passive nature. Similarly, in the U.S., regulations like the California Consumer Privacy Act (CCPA) provide some rights to users. However, enforcement against silent tracking, like what fingerprints provide, remains limited and rarely enforced.

Conclusion

Browser fingerprinting has emerged as a powerful but controversial tool in online tracking, blending sophisticated technology with deep privacy implications. Unlike using cookies, fingerprints collect data passively and resist traditional privacy defenses like "incognito", making them a frequent and somewhat invasive method of tracking you. While there are legitimate use cases, such as fraud prevention, the lack of user awareness and consent continues to raise ethical concerns as your data becomes more and more valuable each day.


Frequently Asked Questions

What is browser fingerprinting, and how is it different from cookies?


Browser fingerprinting is a method websites use to gather unique data about your browser, device, and online habits without asking for permission. Unlike cookies, which need consent and can be blocked or deleted, fingerprints are invisible and track you silently. They rely on details like your hardware and browsing patterns, making them more persistent and harder to avoid than cookies.


How do websites use my fingerprint, and why is it a concern?

Websites use fingerprints to personalise ads, detect fraud, or identify bots. However, the lack of transparency is worrying. Fingerprints allow persistent tracking across sites, even if you delete cookies or use private browsing. This can lead to targeted ads, price manipulation, and other privacy concerns—all without your consent.


How can I tell if I'm being fingerprinted?

You can check what websites see about your browser using free tools like Cover Your Tracks or Browserleaks. These tools reveal how unique your fingerprint is and show what makes you identifiable online. A highly unique fingerprint means you're easier to track.


How can I protect myself from browser fingerprinting?

Use privacy-focused tools like Privacy Badger, Ghostery, or uBlock Origin. Try anti-detect browsers like GoLogin/MultiLogin to randomise your fingerprint. Pair with residential proxies to hide your IP address. Use privacy-first browsers like Brave or Tor for added anonymity.