Many believe unique browser fingerprinting is a silver bullet to single-handedly and anonymously identify users. Sadly or luckily (depending upon your perspective), browser fingerprints are far from unique. But as I’ll explore in this post, there are better ways to use browser fingerprinting to make it more unique/useful and there are also ways to hide amongst common fingerprints or at least make it difficult to be tracked (as a user).
This post tests which browsers are most susceptible to unique browser fingerprints and configurations you can hide behind.
First, let’s re-visit what a browser fingerprint is
Browser fingerprints as I captured them, contain the following information which is then stored as an MD5 hash in Google Analytics (alongside no other unique IDs, except country, city and ISP/service name):
- User agent
- Screen resolution & depth
- Timezone offset
- Local & session storage
- Browser plugins (Skype, MS Office, Adobe software, Steam etc)
Here is what my browser fingerprint roughly consists of:
“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31###1080x1920x32###-600###true###true###Shockwave Flash::Shockwave Flash 11.7 r700::application/x-shockwave-flash~swf,application/futuresplash~spl;Chrome Remote Desktop Viewer::This plugin allows you to securely access other computers that have been shared with you. To use this plugin you must first install the Chrome Remote Desktop webapp.::application/vnd.chromium.remoting-viewer~;Native Client::::application/x-nacl~nexe;Chrome PDF Viewer::::application/pdf~pdf,application/x-google-chrome-print-preview-pdf~pdf;Google Update::Google Update::application/x-vnd.google.update3webcontrol.3~,application/x-vnd.google.oneclickctrl.9~;Intel® Identity Protection Technology::Intel web components for Intel® Identity Protection Technology::application/x-vnd-intel-webapi-ipt-2.1.42~;Intel® Identity Protection Technology::Intel web components updater - Installs and updates the Intel web components::application/x-vnd-intel-webapi-updater~-2-0;Microsoft Office 2013::The plugin allows you to have a better experience with Microsoft SharePoint::application/x-sharepoint~,application/x-sharepoint-uc~”
Under an MD5 hash, it could resemble the following:
I then store it in Google Analytics as a custom variable and then I mash it together with IP information available in Google Analytics (hostname, city and country). So, given the following fingerprints, I count all three as being unique:
3c674d0f6ccce277b37370bc8ca6b878 (Brisbane, Australia, ISP: Telstra)
3c674d0f6ccce277b37370bc8ca6b878 (Brisbane, Australia, ISP: ACME Internet)
3c674d0f6ccce277b37370bc8ca6b878 (Gold Coast, Australia, ISP: ACME Internet)
Again, it’s possible this visitor IS travelling between access points and cities (particularly for mobile users) but let’s save that for another day. With the methodology out of the way, now you know to take the data with a healthy dosage of salt.
But it’s not all that unique or reliable…
Certain configurations are simply too common to be able to accurately pin down (e.g. iPhone). Secondly, so many factors can alter your browser fingerprint that it’s simply unfeasible to use alone as a method to reliably and uniquely identify users to your site. For instance, the following things can alter your browser fingerprint:
- Updating your browser to the latest version
- Installing new plugins
- Using multiple browsers (sorry porn browsers, incognito/private mode is not a different browser)
- Changing your screen resolution (or using a laptop to plug and play monitors all day)
- Enabling and disabling cookies or other browser functionality
- Switching timezones (including daylight savings)
Every time Chrome updates, your fingerprint will change
Just look at how often Google releases new versions of Chrome! Thanks to Andre Mafei for this excellent visualization of Chrome updates:
Browser fingerprints for browsers are surprisingly unique for desktop based browsers. For mobile devices, particularly those on iOS (thanks to Apple’s iron grip), are not very unique when you look at the variety of browser fingerprints. Don’t get too giddy Apple users, as you will soon see this doesn’t matter much at all:
Look what happens wen you mash it together with IP information…
Boom! Unfortunately (or fortunately for that matter), mashing fingerprints together with geo IP and network information available in GA (network domain, city, country) paints a very different picture:
All browsers that were once considered relatively anonymous are now >99% uniquely identifiable.
Operating system uniqueness
No surprises here that you have virtual anonymity when using an iOS based device.
Now let’s add a dash of IP related information into the mix
Muahaha… Once more, the moment you pass in IP information, the playing field is leveled:
One application: Plausible solution for cookie-less tracking
One of the more prominent web analytics vendors, Adobe has introduced cookieless identification of unique browsers which it achieves through a combination of browser fingerprints and a user’s IP address. I’m not certain how they perform this, but I would imagine they use something similar. Even if it’s not 100% accurate across sessions, it should give marketers a clear picture 90% of the time. And this is OK - remember, no web analytics tool is ever going to be completely accurate.
If you have a high proportion of visitors who do not allow cookies (a 2009 study revealed roughly ~5% of users do not allow first party cookies), then you may also have a use for this.
I would also be surprised if Google and other big ad networks WERE NOT testing or using fingerprinting to track visitors throughout the web.
Future exploration of fingerprinting
There are a number of things which I would really like to explore further in the realm of browser fingerprinting, even though I have essentially sidelined it as a useless dimension.
Using data in GA to develop your own fingerprints
I haven’t tried, but it may be possible to use GA data to generate fingerprints. E.g. combine all the browser configuration information and count the unique instances.
Tracking it alongside Google Analytics visitor IDs
This would allow you to see if visitors are clearing cookies and what proportion of them do this. Alternatively it may provide insight into how unique fingerprints actually are.
Tracking IP address and Browser Fingerprint together
Even more granular than network domain in GA is the specific IP address. Unfortunately even though this is more granular, it’s susceptible to dynamic IPs which will add to the volatility of your fingerprints.
Adding Adobe Flash into the mix
As Panopticlick data shows, one of the most uniquely identifying bits of information - fonts installed - can be accessed through Adobe Flash. This will greatly improve the uniqueness of fingerprints.
How users can avoid being uniquely fingerprinted
- Use a common browser configuration (e.g. get the most popular phone in your region and use the default browser)
- Avoid using Adobe Flash (Flash allows access to reading system fonts installed - one of the most uniquely identifying sources of information)
- Use a different IP address regularly (e.g. proxies)
- Update your browser and other software regularly
- Fake your user agent (personally I like to browse sites with IE 5 on WIndows 3.1 just for shits and giggles)
How browser fingerprinting can be augmented
- Never use it alone - always tie it back to a user’s cookie, IP address, customer ID or all of the above
- Rather than taking a hash of the user agent and a host of other identifying features, collect all the pieces of identifying information individually and account for small updates here and there.
Anyway, I hope you found this analysis on browser fingerprinting useful. Obviously there’s a lot more to it than what I have covered above but it may help answer some questions explored on sites like Reddit, Github and Stack Overflow.