In this guide we will discuss the issue of browser fingerprinting and how it can de-anonymize you based on a variety of different inputs – even if you are using a good VPN.
Luckily there are some easy steps you can take to protect yourself from this risk.
But first let’s cover some basics.
What is browser fingerprinting?
Whenever you go online, your computer or device provides the sites you visit with highly specific information about your operating system, settings, and even the hardware. The use of this information to identify and track you online is known as device or browser fingerprinting.
As browsers are becoming increasingly entwined with the operating system, many unique details and preferences can be exposed through your browser.
How accurate is browser fingerprinting?
Some researchers have found this method of identification to be extremely effective:
Why is this being done?
Browser fingerprinting is just another tool to identify and track people as they browse the web. Corporations can use this method to identify people, which is useful for targeted advertising, and other purposes.
Some websites, such as banks or dating websites, also use browser fingerprinting to detect potential fraud (so it’s not all bad).
Government surveillance agencies could use this to identify people who are employing other privacy measures to cloak their IP address and location.
You can test how easy your device is to identify at the website amiunique.org, which has collected thousands of different device fingerprints for research purposes. The site will render your device fingerprint and assess how “unique” you are based on the following inputs:
- the User agent header
- the Accept header
- the Connection header
- the Encoding header
- the Language header
- the list of plugins
- the platform
- the cookies preferences (allowed or not)
- the Do Not Track preferences (yes, no or not communicated)
- the timezone
- the screen resolution and its color depth
- the use of local storage
- the use of session storage
- a picture rendered with the HTML Canvas element
- a picture rendered with WebGL
- the presence of AdBlock
- the list of fonts
Another browser fingerprinting test is Panopticlick, which is a project run by the Electronic Frontier Foundation (EFF).
When using these test websites, keep in mind that test results should be taken with a grain of salt.
There is an ever-increasing test sample as more people use the sites, and people are constantly updating their browsers to newer versions. Therefore the test might show you as unique amongst a very large sample, but that is in fact misleading. This is because it is comparing you to a sample over time, which includes thousands of outdated browsers and old test results.
In other words, you are probably not as “unique” as these tests suggest…
Additionally, a test that shows you as being “not unique” may also be inaccurate. After all, the test tool is only as good as the sample size and the test inputs it uses.
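To make the caveat about ageing samples concrete, here is an added example (not code from amiunique.org, Panopticlick or the original guide) that scores one visitor against a whole multi-year sample and against recent visits only. The sample records, the four chosen inputs, the function names and the "count the visitor as part of the sample" rule are all assumptions made for the illustration.

```javascript
// Constructed sample of test-site visits (illustrative values, not real data).
// "year" is when the visit was recorded; the other fields are fingerprint inputs.
const SAMPLE = [
  { year: 2015, userAgent: "Firefox/40", timezone: "UTC-5", screen: "1366x768x24", language: "en-US" },
  { year: 2015, userAgent: "Chrome/45", timezone: "UTC+1", screen: "1920x1080x24", language: "de-DE" },
  { year: 2016, userAgent: "Firefox/47", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" },
  { year: 2016, userAgent: "Chrome/52", timezone: "UTC-5", screen: "1366x768x24", language: "en-US" },
  { year: 2017, userAgent: "Firefox/52", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" },
  { year: 2017, userAgent: "Chrome/58", timezone: "UTC+1", screen: "1920x1080x24", language: "fr-FR" },
  { year: 2018, userAgent: "Firefox/60", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" },
  { year: 2018, userAgent: "Firefox/60", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" },
  { year: 2018, userAgent: "Chrome/66", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" },
  { year: 2018, userAgent: "Firefox/60", timezone: "UTC-5", screen: "1366x768x24", language: "en-US" },
];
const ATTRS = ["userAgent", "timezone", "screen", "language"];

// Number of sample records that agree with the visitor on every listed input.
function countMatches(visitor, sample, attrs) {
  return sample.filter(r => attrs.every(a => r[a] === visitor[a])).length;
}

// Surprisal in bits: -log2(share of the sample with the same values).
// Assumption: the visitor is counted as part of the sample, so the share is never zero.
function assess(visitor, sample, attrs = ATTRS) {
  const matches = countMatches(visitor, sample, attrs);
  const share = (matches + 1) / (sample.length + 1);
  return { matches, unique: matches === 0, oneIn: 1 / share, bits: -Math.log2(share) };
}

// Bits contributed by each input taken alone, to see which one identifies most.
function perAttribute(visitor, sample, attrs = ATTRS) {
  return Object.fromEntries(attrs.map(a => [a, assess(visitor, sample, [a]).bits]));
}

const visitor = { userAgent: "Firefox/60", timezone: "UTC+0", screen: "1920x1080x24", language: "en-US" };
const recent = SAMPLE.filter(r => r.year === 2018);

console.log("whole sample:", assess(visitor, SAMPLE)); // compared against outdated browsers too
console.log("2018 only:   ", assess(visitor, recent)); // compared against current browsers only
console.log("per input:   ", perAttribute(visitor, SAMPLE));
```

The same visitor scores as more identifiable against the whole sample than against the recent visits, purely because old browser versions pad the denominator.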
How to mitigate your browser fingerprint
Before we jump into potential solutions, it’s important to note that implementing browser fingerprinting protection methods may break some websites. Be sure to research these different options carefully before adjusting your browser settings.
Another consideration is your threat model. How much privacy do you need or want? The answer to that question will be different for every user.
Here are some good ways to mitigate your browser fingerprint:
1. Firefox browser (recommended)
As explained in the Firefox privacy guide, Firefox is one of the best browsers for both privacy and security. It offers some great features to protect your privacy and is also very customizable. Here are a few modifications to consider making in about:config:
- privacy.resistFingerprinting = true – This will hide a number of unique settings when you browse websites, such as language preferences, timezones, dates, and more.
- webgl.disabled = true – WebGL is another tricky issue for privacy and security. Disabling this preference is generally a good idea – see some of the issues with WebGL here.
Check out the Firefox privacy guide for more information on modifying these settings, as well as the risks involved.
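To confirm that the two preferences above are actually set in a profile, the following added example (not part of the original guide or of Firefox) parses the `user_pref(...)` lines of a profile's `prefs.js` or `user.js` and compares them with the values listed. The function names and the sample file contents are constructed for the illustration; run it with Node.js against your own file's text.

```javascript
// Settings recommended in the section above (preference name -> expected value).
const RECOMMENDED = {
  "privacy.resistFingerprinting": true,
  "webgl.disabled": true,
};

// Parse user_pref("name", value); lines as found in a Firefox profile's
// prefs.js or user.js. A later line for the same name overrides an earlier one.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;               // comments, blank lines, anything else
    prefs[m[1]] = JSON.parse(m[2]); // boolean, integer or quoted string
  }
  return prefs;
}

// Compare a profile's prefs with the expected values.
// "unset" means the file does not set the preference, so the browser default applies.
function audit(text, expected = RECOMMENDED) {
  const prefs = parsePrefs(text);
  return Object.entries(expected).map(([name, want]) => {
    if (!(name in prefs)) return { name, status: "unset", want };
    return { name, status: prefs[name] === want ? "ok" : "mismatch", want, got: prefs[name] };
  });
}

// Constructed sample file contents (not taken from a real profile).
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.resistFingerprinting", false);
// user_pref("webgl.disabled", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("intl.accept_languages", "en-US, en");
`;

for (const r of audit(SAMPLE_PREFS)) console.log(r.status.padEnd(8), r.name);
```

In the sample, `webgl.disabled` is reported as unset because its only line is commented out, which is the kind of silent miss this check is meant to catch.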
2. Brave browser
Another good browser with built-in privacy settings is the Brave browser. See this article discussing the Brave browser fingerprinting protection settings.
3. Virtual machines
You can also consider running a virtual machine of a completely different operating system on your computer. This can also be used to “chain” different VPNs together. VirtualBox is a free and easy way to do this – there are many different video tutorials online, depending on your operating system and the VM you are looking to use.
4. Tor Browser
Another option is to use the Tor browser, which is simply a hardened and protected version of Firefox. It includes numerous privacy and security modifications that are built into the default version:
- HTTPS Everywhere
- Anti-tracking features
- Canvas image extraction blocked
- WebGL blocked
- Operating system cloaking (shows as Windows 7 for all users)
- Timezone and language preferences blocked (plus many more…)
The key here is to use the default version – the developers do not recommend adding any plugins or extensions, because this would again make you stand out from all the other Tor browser users.
The default version of the Tor browser is configured to run with the Tor (anonymous/onion) network. While the Tor network does have added benefits in terms of privacy, it also has a number of disadvantages:
- Your internet speed will be reduced to around 2 Mbps, making streaming videos or music nearly impossible
- Tor is vulnerable to IP leaks, especially when used on Windows
- Tor is not safe to use when torrenting (see the Best VPNs for Torrenting guide, instead)
- Tor was created by the US government and is still funded largely by US government grants
- Some consider Tor to be compromised
While the Tor network has issues, you can still use the Tor browser with a virtual private network (VPN) with the Tor network disabled.
Tor browser with a VPN (Tor network disabled)
Some people like to opt for using the Tor browser with a VPN (Tor network disabled). This gives you the browser fingerprinting protections of the Tor browser, with the speed and anonymity offered through a VPN.
Disclaimer – While this may be good for some users, it comes with the risks of misconfiguring the Tor browser bundle, which could de-anonymize the user. If you still want to modify the Tor browser, proceed with caution, or just use a modified Firefox or Brave browser instead.
Here’s how to download the Tor browser and disable the Tor network:
- Download the Tor browser for your operating system. After downloading, you should be prompted to connect to the Tor network, which you can do to get access to the settings.
- In the Tor browser go to the Menu button (three lines in the top right corner) and then select Options (Windows) or Preferences (Mac OS).
- Select Advanced > Network > Settings
- Select No proxy > OK
- Type about:config into the URL bar and hit the enter/return key. You will get some kind of warning message (“This might void your warranty!”) – just click continue or “I accept the risk!”.
- In the search box enter network.proxy.socks_remote_dns and then double click to disable; value = false
- To completely disable the Tor network, go to the search box again and enter extensions.torlauncher.start_tor and then double click to disable; value = false
- To ensure these changes don’t revert to the default settings when you close out the browser you need to disable TorLauncher. To do this go to Options > Add-ons > TorLauncher [Disable] and then restart the browser for the changes to be implemented.
You will need to restart the Tor browser for the changes to take effect.
Now, when you open the Tor browser, it will not connect through the Tor network. This will prompt a warning screen (“Something Went Wrong”), which you can just ignore.
Be sure to remember that your Tor browser is not configured to work with the Tor network.
Use a good VPN
Going through all the hassle to protect yourself against browser fingerprinting may be a waste of time if you aren’t using a good VPN that will encrypt your internet connection and conceal your IP address and location.
Check out the best VPN service report to see the latest testing results and recommendations.
For those who are seeking a higher level of online anonymity, you can also use a multi-hop VPN, which will encrypt your traffic across more than one server (multiple hops) before exiting onto the regular internet. Both Perfect Privacy and ZorroVPN offer self-configurable multi-hop VPN configurations.
Perfect Privacy also offers a NeuroRouting feature, which is very similar to the Tor network. It dynamically routes all traffic across multiple hops in the VPN server network, while using different exit servers corresponding to the physical server location of the website you are visiting. This can give you numerous IP addresses at the same time – further explained here.
Conclusion on browser fingerprinting
While browser fingerprinting may seem like a daunting issue to some, mitigating your browser fingerprint is relatively easy.
My general recommendation is to use the Firefox browser for privacy, which gives you lots of control over the settings and privacy features. A secure and modified version of Firefox, along with a good VPN service, will go a long way to protecting your privacy online.
Another issue to consider, which was not mentioned in this guide, is using a good ad blocker. Ads today basically function as tracking – they record your browsing habits so you can be hit with targeted advertisements. A good add-on is uBlock Origin, but there are other recommendations in the privacy tools guide.