Current web fingerprinting solutions can still bypass most privacy protections offered in modern web browsers, persistently tracking users and identifying them.
This applies even in cases where the user has wiped their browser’s cache and restarts them or when they use a VPN connection.
A software developer using the moniker “Bitestring” tested an open-source tool released by a company that offers “fingerprinting as a service” to websites against Chrome, Firefox, and Tor, and the results are worrying.
What Is Web Fingerprinting?
Web fingerprinting is a sophisticated tracking method that can identify users across multiple sessions and websites without using cookies or other persistent storage.
Because this data does not need cookies to collect, existing protection systems are weak against fingerprinting. Moreover, there are enough data points that can be freely collected to help websites create unique visitor IDs with high confidence.
The main problem with web fingerprinting is privacy invasion, as it allows websites, online services, and third parties to profile, track, and identify users across multiple browsing sessions and websites without their consent.
If a user visits multiple websites that use common fingerprinting technologies, third parties could create detailed profiles about their interests, preferences, and habits, deliver personalized ads across the sites, and deanonymize them even when the user actively tries to avoid that by using a VPN, for example.
Browser Test Results
In this case, the software developer tested the solution of FingerprintJS Inc., which offers a live fingerprinting demo on its website, claiming accuracy of 99.5%.
The service claims that it can persistently track website visitors for years, even after multiple browser upgrades using a combination of fingerprinting, fuzzy matching, and server-side techniques.
The researcher visited the test page and got a tracking ID. Then he cleared the cache and browsing data and revisited the test page, which counted this as a second visit, although that shouldn’t be theoretically possible.
Next, he cleared the browser cache and all data and launched the browser on private mode (incognito), and yet FingerprintJS’s tool still assigned the same visitor ID, counting this as the third visit.
This applies to both Firefox and Chrome but not to Tor, for which the fingerprinting tool generates a new ID on each new visit.
This is because Tor relays user traffic via network nodes, so each time, the exit node is different, and the real user’s IP address and hardware data remain adequately masked.
How to Protect from Fingerprinting
The apparent solution to fingerprinting is to use the Tor browser, however, this may not be for everyone, as regular browsing with Tor is rather slow and cumbersome.
Another solution would be to enable the “resistFingerprinting” feature on Firefox, which yielded good results in the test, tricking FingerprintJS’s tool into generating a different visitor ID on each visit.
This feature, which is also available for Firefox for mobile, was initially contributed to Firefox by the Tor Project. It works by masking most of the data points websites collect to achieve fingerprinting, like CPU core count, timezone, screen resolution, user agent, etc.
If you’d rather use a Chrome-based browser, Brave would be the best bet. The browser randomizes the fingerprint for each session, making persistent tracking harder, although not impossible.