ESET Expert

Fingerprints all over: Can browser fingerprinting increase website security?



Browser fingerprinting is supposedly a more privacy-conscious tracking method, replacing personal information with more general data. But is it a valid promise?


Convenience is king today – shopping has never been easier; one can basically order goods from any part of the world and have them delivered right up to their doorstep. However, this all requires sharing information that seems confidential or was previously seen as more private, like your address or phone number.


And while such information is provided to acquire the convenience of couch shopping, the security considerations are still real. Data breaches can and do happen, so websites as well as shoppers must always be on the lookout for security incidents. The truth is that the security measures put in place often inconvenience users and cause privacy concerns – perhaps except for one, which is browser fingerprinting, a unique, seemingly less privacy-intrusive method to track and secure users. But is that assumption correct?


What is browser fingerprinting?


Browser fingerprinting is a way through which websites can acquire data about you – such as which web browser you are using, what device, what screen resolution, which operating system, your language or location and other browser settings. This data should then be used to make websites work properly, among other uses.


It is also a way to identify individual website visitors to track their activity. While the data described above could be seen as redundant, perhaps even useless at first glance, the opposite is true. Websites can use this data to personalize their adverts and the information they might offer their users.


Fingerprinting for business gains and security


Websites, especially online shops, use fingerprinting to identify and track their users in order to acquire data on their behavior. For example, an online shop could track the items you browse and then, upon your next visit, offer a discount to entice you to make a purchase.


An online shop might notice that you often browse TVs; it then combines this behavior with your presumed location and device info, and voilà – it could suggest a particular brand, a discount, or in some cases, even raise or lower the prices on certain items.


It works a lot like a social media algorithm, suggesting content based on what it would see as relevant to you, to entice a longer stay on the webpage and in this case, with the end goal of a purchase.


That was the sales perspective, but there are also security considerations such as fraud prevention, since this is key for websites and online shops. They do it firstly by improving detection, which fingerprinting supports by highlighting unusual website access (connecting from a different location and device), prompting the user to verify themselves.


So, let’s say you usually connect to a website from a Wi-Fi network in London – if you try to repeat that same activity in Paris, the website will ask you to re-input your login information, to make sure that it is really you who is trying to establish a connection again. You might have encountered this if you’ve ever tried logging into your email account from a foreign country.
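The London and Paris check described above, sketched as an added example that is not code from the original article or from any ESET product: a server compares the fingerprint of the current login with those already seen for the account and decides whether to ask for re-verification. The attribute names, sample values and the threshold of two changed attributes are assumptions chosen for illustration.

```javascript
// Added illustration: attribute names, sample values and threshold are constructed.
const DEVICE_ATTRS = ['browser', 'os', 'screen', 'language', 'timezone'];
const NEW_DEVICE_THRESHOLD = 2; // tolerate one change, e.g. a browser update

// Number of device attributes that differ between two fingerprints.
function deviceDistance(a, b) {
  return DEVICE_ATTRS.filter((key) => a[key] !== b[key]).length;
}

// Compare the current login against fingerprints already seen for the account
// and decide whether to let it through or ask the user to verify again.
function assessLogin(known, current) {
  if (known.length === 0) {
    return { action: 'step_up', reasons: ['no_history'] };
  }
  const closest = Math.min(...known.map((k) => deviceDistance(k, current)));
  const reasons = [];
  if (closest >= NEW_DEVICE_THRESHOLD) reasons.push('new_device');
  if (!known.some((k) => k.city === current.city)) reasons.push('new_location');
  return { action: reasons.length > 0 ? 'step_up' : 'allow', reasons };
}

// Constructed sample data: one laptop that usually connects from London.
const LONDON_LAPTOP = {
  browser: 'Firefox 126', os: 'Windows 11', screen: '1920x1080',
  language: 'en-GB', timezone: 'Europe/London', city: 'London',
};
const KNOWN = [LONDON_LAPTOP];
const AFTER_UPDATE = { ...LONDON_LAPTOP, browser: 'Firefox 127' };
const IN_PARIS = { ...LONDON_LAPTOP, timezone: 'Europe/Paris', city: 'Paris' };
const OTHER_PHONE = {
  browser: 'Chrome 125', os: 'Android 14', screen: '412x915',
  language: 'en-GB', timezone: 'Europe/London', city: 'London',
};

for (const [label, fp] of [
  ['same laptop after browser update', AFTER_UPDATE],
  ['same laptop in Paris', IN_PARIS],
  ['unknown phone in London', OTHER_PHONE],
]) {
  const { action, reasons } = assessLogin(KNOWN, fp);
  console.log(`${label}: ${action} ${reasons.join(',')}`);
}
```

The threshold is what keeps a routine browser update from triggering a prompt while a login from an unfamiliar device or city still does.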


Fingerprinting can also identify botnets, as each connection is established by a different device upon every visit. And the more data an online business has available, the more likely it is to entice you to purchase. But at the same time it also strongly improves security, preventing unauthorized access to your account, which might have confidential financial or personal information saved on it. However, from a privacy perspective, does it not feel like too much tracking?


Privacy – less intrusive tracking?


Especially since the introduction of GDPR in the European Union, people now often see cookie-tracking information upon their first visit to a website. This serves a legal purpose since cookies track your online activity for similar purposes as fingerprinting, but they often go a bit deeper, so the EU has decided that when it comes to privacy, the customer is always right – they should always be the ones deciding on the provision of their personal data to other parties.


With browser fingerprinting, one might ask whether the tracking differs from your usual cookie practices – and it does. It is so efficient that it is able to bypass incognito mode on browsers, or even VPNs, making it harder for fraudsters to conceal their actions, for example.


In contrast with other tracking methods, browser fingerprinting does not associate a specific name with a user’s online activity, and it is also less accurate. In a broader sense, fingerprinting does not read or collect unique personal data. Therefore, there is less of an intrusion into personal privacy. At least, that’s what they would want you to think.


Your device, or your connection, is theoretically represented by your IP address, and your device settings and information are often tailored according to your own choices. However, you still have a very unique device identifier, which websites know about, and some could even track other websites you visit, or your location. Therefore, instead of personal data, device data is collected – and then it starts to make more sense why fingerprinting has become so widespread.


A digital fingerprint – You = Your device


All of the previously discussed information coalesces into a digital fingerprint represented by your device, so in a way, your privacy is still being intruded upon. Your device, in a sense, represents you; hence fingerprinting can be used for much more than just making your life more secure and the browser more stable.


As Mozilla representatives say, the more unique settings, add-ons, or fonts you have, the easier it is to find you. Companies can then use this data, which is why more privacy-conscious people have opted to block browser fingerprinting, as this sort of tracking can last for months. Since it is done from the server side, an individual has a harder time deleting or blocking it on a whim.

If interested, check your browser fingerprint with Am I Unique?, an online tool highlighting how much data a website can read about you.


Here are some ways you can block fingerprinting:

  • Block trackers – Some web browsers like Firefox or Tor block trackers as standard, but plugins or browser extensions also exist, like EFF’s Privacy Badger or uBlock Origin, which not only give you additional privacy but also work as malware prevention.

  • Block scripts – Disabling JavaScript is one way to prevent tracking, as many trackers use scripts to track you across sites – an extension like NoScript could help with that, but beware: script blocking often makes websites glitchy and unusable, so there is a trade-off.

  • Use a VPN – A virtual private network (VPN) masks your IP address by connecting you to a VPN server before accessing a website. This way your IP address becomes unknown to the website. However, since device information is also collected, this only solves one part of the problem.

  • Ask not to track – Certain browsers or devices offer a setting called “Ask not to track,” telling websites and third parties that you wish to not share your personal interactions with an app or a website.

Also, remember to use a strong cybersecurity solution to prevent further mischief. Of course, there are many more methods, but these are just some to give you an idea of how you can protect yourself.
