The Tin Hat
What is Device Fingerprinting?


Image by Geoffrey Fairchild




Privacy is a right foul git. Even if you hide your IP through a VPN, block cookies, and use a tool like uBlock Origin, you can still be tracked through a technique called device fingerprinting.

Device fingerprinting is the process of reading and measuring various data about your device, such as screen size, installed fonts, and plugins, and calculating the degree to which the combination of them is unique. For example, the combination of your 1440p screen, your Shockwave Flash plugin and Widevine Decryption Module, as well as the fonts that are installed on your computer might be enough to identify you specifically.

Ironically, this also means that if you install a laundry list of add-ons in order to protect your privacy, you may actually be creating a larger, more identifiable fingerprint for trackers to read.

Fingerprints are typically described according to their entropy, measured in bits. A fingerprint with 3 bits of entropy would translate to you being unique among 8 (2^3) people. A fingerprint with 10 bits of entropy would mean only one in 1024 (2^10) people share your fingerprint. Obviously, because these numbers are exponential, a fingerprint with 15 bits of entropy would be twice as unique as one with 14 bits of entropy, and four times that of 13 bits.

In terms of those elements that are typically most revealing, user agent (a formal description of what browser you’re using), plugins, and fonts tend to provide the most entropy. In fact, my own font list provides 18 bits of entropy, meaning that only one in 261,144 people’s browsers share my font list. You can test your own fingerprint by participating in the EFF’s Panopticlick project, which will give you an array of data showing what factors identify you most.
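To make the bit counts above concrete, here is an added example (not code from the original post or from the EFF) that computes how many bits each attribute, and the whole fingerprint, reveals about one visitor in a sample population, using the standard self-information formula -log2(share of visitors with the same value). The eight-visitor sample, the attribute names and the function names are all constructed for illustration.

```javascript
// Constructed sample of 8 visitors; values are illustrative, not real measurements.
const visitors = [
  { screen: "1920x1080", plugins: "none",           fonts: "default"  },
  { screen: "1920x1080", plugins: "none",           fonts: "default"  },
  { screen: "1920x1080", plugins: "none",           fonts: "default"  },
  { screen: "1920x1080", plugins: "flash",          fonts: "default"  },
  { screen: "1366x768",  plugins: "none",           fonts: "default"  },
  { screen: "1366x768",  plugins: "flash",          fonts: "office"   },
  { screen: "2560x1440", plugins: "none",           fonts: "default"  },
  { screen: "2560x1440", plugins: "flash+widevine", fonts: "designer" },
];

// How many visitors share the target's values for every attribute in `keys`.
function anonymitySet(population, target, keys) {
  return population.filter(v => keys.every(k => v[k] === target[k])).length;
}

// Self-information in bits: log2(N / matches) is the same as -log2(matches / N).
function bits(population, target, keys) {
  return Math.log2(population.length / anonymitySet(population, target, keys));
}

// Bits revealed by each attribute alone, and by the full combination.
function report(population, target) {
  const keys = Object.keys(target);
  const perAttribute = Object.fromEntries(
    keys.map(k => [k, bits(population, target, [k])])
  );
  return {
    perAttribute,
    combined: bits(population, target, keys),
    sharedBy: anonymitySet(population, target, keys),
  };
}

// A default-looking browser versus the 1440p + Flash + Widevine one.
for (const [label, target] of [["common", visitors[0]], ["rare", visitors[7]]]) {
  const r = report(visitors, target);
  console.log(label, JSON.stringify(r.perAttribute),
    `combined=${r.combined.toFixed(2)} bits, shared by ${r.sharedBy} of ${visitors.length}`);
}
```

The rare visitor's attributes score 2, 3 and 3 bits on their own, yet the combined fingerprint is 3 bits, not 8: correlated attributes do not simply add up, and a sample of 8 people can never show more than log2(8) = 3 bits.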

So how do you protect against fingerprinting? The best protection comes with the Tor Browser, which is specifically built to provide as small a fingerprint as possible. Additionally, most fingerprinting techniques rely on the use of JavaScript, so disabling JavaScript completely would significantly mitigate your potential to be fingerprinted in the first place. This, however, would also break most of the sites you visit.

An adblocker would provide some protection by blocking the fingerprinting scripts from running in the first place, but it is likely that many could also slip through the cracks due to adblockers’ dependency on blacklists (if it hasn’t yet been added to the blacklist, it won’t be blocked). I would not recommend using add-ons that claim to switch your user agent around constantly, as this (highly odd) activity alone would likely just add to your fingerprint.
