A Primer on Browser Fingerprinting and Prevention Strategies
Understanding How Browser Fingerprinting Threatens Online Privacy and Explaining Prevention Methods. Introducing Browser Settings and Extensions for Privacy Protection
2024-04-27, Security
Even without Cookies or Web Beacons, Individuals Can Still Be Identified Online
Browser fingerprinting is a technique used to collect information about users of web browsers and utilize that information to identify individual users. Typically, various elements such as browser settings, environment, presence of plugins, screen resolution, installed fonts, and more are combined to create a unique identifier for each user. This allows tracking of online activities and profiling of users even when they are not logged in. Browser fingerprinting is primarily employed by advertisers and website operators to analyze user interests and behaviors, enabling targeted advertising delivery.
On this page, we will introduce the types of information used in browser fingerprinting and methods to prevent the identification of individuals through browser fingerprinting.
Elements Used in Browser Fingerprinting
The elements utilized in browser fingerprinting are diverse. Below are some common elements listed, along with brief introductions to each:
User Agent:
A string indicating the type and version of the browser.
The User Agent assists in identifying a user's browser since different rendering engines and features are utilized based on the type and version of the browser.
However, due to the ease of identifying individuals when combining the User Agent with other elements, the use of User Agents is gradually being phased out.
For example, for Google Chrome on Windows, starting from around April 2023, the User Agent has been fixed to the following string:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.0.0 Safari/537.36
However, because websites still need to branch their handling based on browser type, the User Agent Client Hints API (UA-CH) has been implemented as an alternative to the User Agent. Although UA-CH provides less information for identifying individuals than the User Agent, it can still be exploited for browser fingerprinting.
Screen Resolution:
The number of pixels in width and height on a display.
The screen resolution of a user's device is a unique characteristic and is crucial in browser fingerprinting.
Particularly, altering the window size from the default setting makes it easier to identify individuals.
Thus, in privacy-focused browsers like Tor Browser, a warning message is displayed when the window size is changed to alert users of the risks of fingerprinting.
Installed Fonts:
A list of fonts installed on the user's device.
Since the types and versions of fonts differ from one device to another, they are utilized as part of browser fingerprinting.
The risk of fingerprinting through fonts increases if custom fonts are installed on the operating system.
Language Setting:
The browser's language and regional settings.
Identifying the language and region a user's browser is using is helpful in browser fingerprinting.
A user's browser language setting is easily determined through the navigator.languages property in JavaScript's standard API or the Accept-Language setting in the HTTP Request Header.
Moreover, the priority order of the languages is itself a fingerprinting risk.
Depending on the browser, the priority order is expressed as preference scores (q-values) attached to each language:
de,en-US;q=0.7,en;q=0.3
In this example, German is set as the first language (preference score 1.0), English (United States) as the second language (preference score 0.7), and standard English as the third language (preference score 0.3).
de,en;q=0.7,en-US;q=0.3
Here, German is set as the first language (preference score 1.0), standard English as the second language (preference score 0.7), and English (United States) as the third language (preference score 0.3).
While both examples contain the same set of preferred languages, the difference in language priority provides a hint for identifying individuals.
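The two headers above, compared programmatically. This is an added example, not code from the original article; the function names and the `population` list are constructed for illustration. It parses each Accept-Language value and shows that the same language set splits into separate groups once order and q-values are recorded.

```javascript
// Parse an Accept-Language value into entries ordered by preference.
function parseAcceptLanguage(header) {
  return header
    .split(",")
    .map((part, index) => {
      const [tag, ...params] = part.trim().split(";").map((s) => s.trim());
      let q = 1.0; // a missing q parameter means a preference score of 1.0
      for (const p of params) {
        const m = /^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: tag.toLowerCase(), q, index };
    })
    .filter((e) => e.tag !== "")
    // Higher score first; ties keep the order used in the header.
    .sort((a, b) => b.q - a.q || a.index - b.index);
}

// Unordered view: only which languages are listed.
function languageSet(header) {
  return parseAcceptLanguage(header).map((e) => e.tag).sort().join(",");
}

// Ordered view: languages plus their priority, as a server can log them.
function languageSignal(header) {
  return parseAcceptLanguage(header).map((e) => `${e.tag};q=${e.q}`).join(",");
}

const first = "de,en-US;q=0.7,en;q=0.3";  // first header from the text
const second = "de,en;q=0.7,en-US;q=0.3"; // second header from the text
// Constructed sample population (not measured data).
const population = [first, second, "de, en;q=0.7, en-US;q=0.3", "en-US,en;q=0.5"];

// Number of distinguishable groups the population falls into under a view.
function countGroups(headers, view) {
  return new Set(headers.map(view)).size;
}

console.log("groups by language set:", countGroups(population, languageSet));
console.log("groups by order and q-values:", countGroups(population, languageSignal));
```

Each additional group the ordered view produces is identifying information that comes only from the priority setting, which is why leaving the browser's default language order untouched keeps a user in a larger crowd.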
Plugin Information:
Information about plugins or add-ons installed in the browser.
The presence or absence of plugins and their versions vary for each user, making them unique elements in browser fingerprinting.
Extensions that execute user scripts, like Greasemonkey, or apply custom CSS, like Stylus, provide hints that websites can use to identify users.
While each of these elements alone may not be sufficient to identify a user, their combination generates a more precise browser fingerprint.
Canvas Fingerprinting:
Canvas fingerprinting is a technique that uniquely identifies a user's browser and device by utilizing the Canvas API (an API for drawing 2D graphics).
Canvas fingerprinting exploits subtle differences when a browser performs specific drawing operations to generate unique identifiers for each user.
Canvas fingerprinting is highly accurate and difficult to track because it relies on the browser's drawing capabilities, graphics hardware, and rendering engine characteristics. For instance, even when the same text or image is drawn, the generated Canvas fingerprint differs from one device to another because of subtle drawing differences.
ETag Tracking:
ETag Tracking is one method of tracking users by utilizing the caching mechanism of web browsers. ETag refers to an entity tag included in the HTTP header and is used to identify the version of a specific resource (usually a web page or image).
In ETag Tracking, when a website provides resources to a user, it assigns a unique ETag to those resources. Subsequently, when the user accesses the same resources again, the browser sends the ETag back to the server in the request (in the If-None-Match header). The server then uses that ETag to verify whether the client's request matches the version of the previously provided resource.
The issue with ETag Tracking is that, because the ETag is unique to each user, the user's behavior can be tracked each time the user requests a resource with that ETag. ETag Tracking persists until the browser cache is cleared.
ETag Tracking is conducted in a more concealed manner compared to cookie-based tracking, making it less noticeable to users. To counteract this, customizing browser privacy settings or utilizing privacy protection extensions can be effective.
For more details on ETag Tracking, please check here (Testing the behavior is also possible!)
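One way to check a site for the behavior described above, as an added example that is not part of the original article. It assumes you have recorded responses for the same URLs from two fresh browser profiles; the sample records, hostnames and all function and class names are constructed for illustration. An ETag that differs between profiles while the body is identical varies per client rather than per content version, and the small cache model shows why clearing the cache removes the identifier.

```javascript
// Constructed sample: responses for the same URLs recorded from two fresh
// browser profiles (empty cache, no cookies). Hostnames are placeholders.
const samples = [
  { profile: "A", url: "https://cdn.example/pixel.gif", etag: '"u-7f3a91c2"', body: "GIF89a-sample" },
  { profile: "B", url: "https://cdn.example/pixel.gif", etag: '"u-0be4d655"', body: "GIF89a-sample" },
  { profile: "A", url: "https://cdn.example/app.css", etag: 'W/"5d2-18e"', body: "body{margin:0}" },
  { profile: "B", url: "https://cdn.example/app.css", etag: '"5d2-18e"', body: "body{margin:0}" },
  { profile: "A", url: "https://cdn.example/home", etag: '"h-1"', body: "Hello A" },
  { profile: "B", url: "https://cdn.example/home", etag: '"h-2"', body: "Hello B" },
];

// Strip the weak-validator prefix so W/"x" and "x" compare as equal.
const opaqueTag = (etag) => etag.replace(/^W\//, "");

// Flag URLs whose body is identical across profiles while the ETag differs.
function findPerClientEtags(records) {
  const byUrl = new Map();
  for (const r of records) {
    if (!byUrl.has(r.url)) byUrl.set(r.url, []);
    byUrl.get(r.url).push(r);
  }
  const flagged = [];
  for (const [url, group] of byUrl) {
    const bodies = new Set(group.map((r) => r.body));
    const tags = new Set(group.map((r) => opaqueTag(r.etag)));
    // Different bodies legitimately get different ETags; only equal bodies count.
    if (group.length > 1 && bodies.size === 1 && tags.size > 1) flagged.push(url);
  }
  return flagged;
}

// Minimal model of the browser side: the cache stores the ETag and replays it.
class ValidatorCache {
  constructor() { this.store = new Map(); }
  remember(url, etag) { this.store.set(url, etag); }
  // Headers the browser adds when revalidating a cached resource.
  revalidationHeaders(url) {
    return this.store.has(url) ? { "If-None-Match": this.store.get(url) } : {};
  }
  clear() { this.store.clear(); } // what "clear the browser cache" does
}

console.log("per-client ETags:", findPerClientEtags(samples));
```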
Similar Technologies to Browser Fingerprinting
As demonstrated, Browser Fingerprinting is a mechanism to identify individuals based on various browser information. However, there are numerous other methods through which individuals can be identified.
Here are some examples:
Cookies: Small text files stored by web browsers that retain information such as a user's website visit history and settings. Similar to Browser Fingerprinting, cookies are used to identify users, but they can share information across browsers. The use of cookies as a means of identifying individuals is subject to increasing global regulation and is gradually being phased out.
Device Fingerprinting: Identifies users not only based on browser information but also on information about the entire device. This includes the device's IP address, hardware information, and operating system version. While the accuracy of identifying individuals using common devices may be lower compared to other methods, the risk of uniquely identifying users increases with unique devices or system configurations.
Tracking Pixels: Also known as web beacons, these are invisible 1x1 pixel image files embedded in web pages to track user behavior. Advertisers and website operators use these to track users' visit histories and movements for analysis. Since session information identifying individuals is linked when a request is made to the server, if a website implements tracking pixels on-premises, it can be challenging to mitigate.
Methods to Hide from Tracking on Websites
Browser Fingerprinting is a known risk for users, and therefore, there are numerous countermeasures available. Here are some examples:
anonymoX
https://anonymox.net/en
anonymoX is a free VPN service available as a browser extension.
By accessing websites through anonymoX's servers, it prevents the identification of individuals based on IP addresses.
Moreover, anonymoX disguises OS information, thus preventing fingerprinting based on OS versions.
CanvasBlocker
https://github.com/kkapsner/CanvasBlocker
CanvasBlocker blocks websites from performing fingerprinting using JavaScript APIs, thereby protecting against Canvas Fingerprinting.
CanvasBlocker includes features to prevent fingerprinting using canvas2d, WebGL, DomRect, and other methods.
PrivacyPossum
https://github.com/cowlicks/privacypossum
PrivacyPossum is a browser extension that prevents trackers from using user-identifying cookies and minimizes the impact of ETag Tracking.
This extension confuses trackers by obfuscating users' browsing information, making identification difficult.
PrivacyPossum, inspired by the Electronic Frontier Foundation's Privacy Badger, addresses the shortcomings of other extensions.
Advanced Privacy Protection
While using these browser extensions to make tracking difficult is important, achieving complete protection of personal information is challenging due to the cat-and-mouse game between users and analytics companies. One of the best options for privacy protection is to avoid entering identifiable information online whenever possible.
Here, we introduce SMSOnline, a service that provides free disposable phone numbers, as an excellent choice for protecting personal information.
By utilizing the disposable phone number service provided by SMSOnline, it's possible to mitigate the risks of identifying personal information and geo-blocking.
Mobile phone numbers are frequently used for purposes such as SMS-based verification to uniquely identify users. Obtaining a mobile phone number from another country is not easy, and websites often use this to restrict users to certain geographic areas. SMSOnline is useful for bypassing these restrictions.
https://www.smsonline.cloud/
SMSOnline is a website where you can view SMS messages received on phone numbers from around the world.
Using SMSOnline eliminates the need to expose your actual phone number online. The service provides access to phone numbers from over 20 countries, including Tier 1 countries such as Japan, China, Taiwan, South Korea, the United States, and Germany, with over 100 phone numbers available online at any given time. With easy access to international phone numbers, it's straightforward to bypass geo-blocking based on mobile phone number verification. By combining this service with the browser extensions introduced today, you can reduce your digital footprint and activity traces on the internet.
Thank you for reading.