Fingerprinting: The Digital Signature of Online Presence

We are all familiar with how cookies work, but fingerprinting is another data collection technique worth exploring.

In late 2016, fingerprints were collected with a browser restriction, meaning that by switching browsers, a user could visit any online resource and be identified as a new visitor. 

What is Fingerprinting?

Fingerprinting is a method to identify users by collecting and analyzing unique overt characteristics of their device or browser behavior. This consists of the user's operating system, browser type and version, installed fonts, screen resolution, and other technical data.

JavaScript can collect significant data about a user's browser and device. Combining this data creates a unique 'digital fingerprint' for each user, which can be used to track their online activities across different sites and platforms.

Notably, the fingerprint can be tracked across all browsing sessions, even if the user enters incognito mode or uses a VPN to access the site.

Browser fingerprinting is more difficult to bypass than cookies because the user's fingerprint remains the same between incognito browsing sessions or when the browser data is cleared. This makes it an effective method to prevent fraudsters from attempting to hack and spam website owners by accurately identifying website visitors.

How can fingerprinting benefit ordinary users? A digital fingerprint can help detect identity theft or bank account fraud incidents. By using fingerprinting to understand your profile and behavior, the chances of successfully predicting the likelihood of fraud increase. You can identify your unique fingerprint on this service.

However, fingerprint collection is controversial because many users consider it a violation of their privacy.

Fingerprinting Types

Each method of browser fingerprinting can collect one or more pieces of information, which can be used to distinguish one user from another.

1. Canvas Fingerprinting. This technique uses the HTML5 canvas element to create a unique fingerprint based on how the user's browser displays text, images, and other components.
2. Font Fingerprinting. A website owner can identify the fonts installed on a user's device by embedding invisible text in a web page and analyzing how the browser displays it.
3. Audio fingerprints. A fingerprint is created based on audio characteristics after recording and analyzing a user's device's audio output.
4. WebGL Fingerprinting. Using the WebGL API, this technique collects information about the user's video card and driver.
5. HTTP Header Fingerprinting. Analyzing the HTTP headers sent by the user's browser can obtain information such as IP address, language preferences, and browser version.

Using multiple fingerprinting techniques simultaneously and combining the resulting data makes it possible to gather enough information to compile website visitors' fingerprints. The difference between fingerprinting services and cookie collection allows a more complete understanding of users.

Pros and Cons of Fingerprinting

Like any user-tracking technology, fingerprinting services have their advantages and disadvantages.

How Does Fingerprinting Work?

In brief, the process of collecting fingerprints can be described as follows:

1. JavaScript and other scripting languages are frequently utilized to gather raw device data and compile fingerprints. Code is injected into websites to execute the fingerprint collection process in the background, unbeknownst to the user.
2. When a device connects to an online resource, the server obtains access to various information about the device, including its operating system, browser version, installed fonts, plugins, language settings, screen resolution, and more.
3. The data is analyzed by the server, which generates a fingerprint. While settings like IP addresses can change and are not unique, fingerprints are more reliable.
4. The server stores fingerprints along with a cookie or unique identifier. When the same device visits again, the server can recognize it by matching the new fingerprint to the stored one.
5. Factors such as the time interval between visits, IP address, and browser characteristics are analyzed to improve identification accuracy when fingerprints are not unique.

Measuring Fingerprint

Entropy measures the information provided by each data point in bits. A feature with numerous possible values, like a list of installed fonts, contributes significantly to the overall entropy. In contrast, a feature with few differences, such as the operating system used, may only add a few bits.

Existing fingerprint libraries automate combining data from multiple APIs into a 'hash' to identify a small group or even a single user.

Active and Hidden Fingerprinting

Active fingerprinting involves examining a user's device or browser to gather information and create a unique fingerprint.

This is done by executing JavaScript code or loading specific resources on a web page that collects data about the user's device and browser behavior. A fingerprinting code can access more inaccessible parameters, such as MAC addresses and unique hardware serial numbers.

Passive (hidden) fingerprint collection methods are less intrusive and collect a narrower range of information than active methods.

Hidden fingerprinting, or passive fingerprinting, involves collecting information about a user's device and browser behavior without actively examining the device or browser.

Covert fingerprinting is most commonly performed by analyzing information passively transmitted by the user's browser during typical browsing activities. These techniques rely on accurately classifying client parameters such as TCP/IP configuration, OS digital fingerprint, IEEE 802.11 (WiFi) settings, and time offset. Stealthy fingerprinting methods are less intensive and more challenging to detect or block than active methods.

Both active and passive fingerprinting methods can be used for various purposes. However, the choice of method depends on specific requirements, such as confidentiality, accuracy, and reliability.

Fingerprinting with Canvas

Canvas digital fingerprinting uses the HTML5 Canvas element without cookies or other tools.

Combining multiple sources of information is necessary to identify a particular user, as a single digital fingerprint may be required. Research has shown that the graphics processor can affect the fingerprint.

The image display may vary depending on the browser, operating system, video card, font rendering settings, anti-aliasing algorithms, and other factors. These variations create a unique image that can be used to create a fingerprint. The Canvas fingerprinting service is based on these differences in image display across various web browsers and platforms.

By January 2022, the concept had been expanded to characterize the performance of graphics hardware, which the researchers called DrawnApart.

Website Fingerprinting

Fingerprints can uniquely identify users returning to a site without relying on cookies or login credentials. This allows for passive authentication based on the user's device without requiring explicit login each time.

Features such as shopping cart recovery, personalized recommendations, pre-filling payment cards, etc., will be automatically recovered based on a user's past behavior.

Fingerprint SDKs offer APIs to integrate this capability into existing authentication workflows. Digital fingerprints can complement conventional forms of entry for a second authentication factor.

Why fingerprinting is essential for websites:

• It improves user experience by reducing the complexity of the authentication process.
• It enhances security by making it harder to access accounts without a device.
• It can provide a more personalized experience across sessions and devices.

In doing so, developers must ensure that fingerprints are securely stored and shared with partners to avoid leaks.

Thanks to GDPR, users often see cookie tracking information when they first visit a website and can make more informed decisions about transferring their data. However, fingerprinting differs from cookies because the former collects data about the device, and the latter collects data about the user. The invasion of privacy by tracking services is becoming less profound, but it still persists.

How to Use Fingerprinting on a Website?

The following steps are required to connect the Fingerprinting services on the site:

1. Select a fingerprint/SDK service provider. Popular options include Fingerprint.com, Shield, etc.
2. Register an account and receive a JavaScript SDK code snippet. It needs to be integrated into your website code.
3. Add the SDK code snippet right before your website code's closing </body> tag.
4. Configure the SDK with the API key/account data and specify where to send the fingerprint data.
5. Configure a server-side endpoint, such as a PHP file, to receive the fingerprint payload sent by the JS code.
6. Securely store the received fingerprints in your database, labeling them with user IDs.
7. Send the fingerprints and other identifiers, such as cookies, in requests to your server for matching.
8. Develop logic to recognize returning users based on fingerprint matches and enable personalized features.
9. Clearly state your fingerprint practices in your privacy policy. Obtain consent for data collection depending on the laws in your region.

Hosting and Fingerprinting

A fingerprinting SDK can be embedded in a server infrastructure to detect anomalies and protect its users from attacks. Fingerprinting helps see bot traffic, fraudulent account access, and compromised accounts in the shared infrastructure.

This technique allows hosts to optimize resource allocation and ensure high-speed performance by identifying individual devices/browsers, not just IP addresses.

How to Block Fingerprinting as a User?

Since the collection of information by fingerprinting services can be done either covertly or with the user's consent, the most effective ways to prevent this collection are:

• Tracker blocking is a technique used to prevent websites from tracking user activity. Some web browsers, such as Firefox or Tor, use block trackers as a standard. Additionally, plugins or browser extensions can provide additional privacy and work as a defense against malware.
• Script blocking is another method that can be used to prevent tracking. Disabling JavaScript and using extensions like NoScript or ScriptSafe can help prevent tracking, but it may also make some sites unusable. It is important to note that blocking scripts can affect the functionality of some websites.
• Reviewing the settings on websites to ensure that they align with your privacy preferences is recommended. In some browsers, such as Firefox, Chrome, and Safari, you can adjust settings to prevent tracking by requesting that site owners and third parties not collect information about your interactions with a website or application. This can be done by enabling the 'Do Not Track' feature.

A VPN can hide your actual IP address from the online resources you visit. However, keep in mind that your device data may still be collected without your knowledge through fingerprinting.