Fingerprinting is a common technique that sites and organizations use, either on its own or alongside other methods, to track and identify Internet users.

Fingerprinting uses two core approaches to assign unique identifiers to Internet users. The first uses data that is transmitted automatically when users connect to sites. The web browser and version, operating system, and language fall into that group.

The second uses APIs that browsers support to generate and retrieve additional data points.

Techniques have reached a point where it has become possible to identify users across sessions and even across browsers. A study in 2013 suggested that at least 1% of the top 10000 sites used fingerprinting techniques.

Internet users can run tests such as Browserprint or Panopticlick 2 to test fingerprinting, and users can install extensions to detect or block certain attempts at collecting data points that may be used to distinguish users from others.

The research paper "FP-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies" by Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy reveals that anti-fingerprinting techniques may not be as effective as developers claim they are.

The researchers investigated browser fingerprinting countermeasures to find out if these techniques would introduce inconsistencies and how these might impact user privacy.

The result is astonishing: not only is it possible to identify altered browser fingerprints, it is also sometimes possible to uncover the original values of fingerprint attributes that were altered by users.

The researchers developed FP-Scanner, a fingerprint scanner designed to explore "fingerprint attribute inconsistencies introduced by state-of-the-art countermeasures in order to detect if a given fingerprint is genuine or not".

The scanner collects a large number of attributes, including HTTP headers, platform, fonts, screen resolution and more, and checks them using various methods to find out whether they are genuine or fake.

One example: Firefox's fingerprint protection feature, which needs to be turned on by the user, changes the user agent of the browser to a generic one. Sites may use media queries, e.g. -moz-os-version, or the list of installed fonts to determine whether the reported user agent is indeed the right one.
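A consistency check of the kind described above, as an added example (not FP-Scanner's code) that someone evaluating a spoofing countermeasure could run over a fingerprint collected from their own browser. The field names, the font table and the sample fingerprint are assumptions constructed for illustration.

```javascript
// Added example. Field names and the font table are illustrative assumptions.
const OS_FONTS = { // small subset of fonts that ship by default with each OS
  Windows: ["Segoe UI", "Calibri", "Consolas"],
  macOS: ["Helvetica Neue", "Menlo", "Geneva"],
  Linux: ["DejaVu Sans", "Liberation Sans", "Ubuntu"],
};
const UA_PATTERNS = { Windows: /Windows NT/, macOS: /Mac OS X/, Linux: /Linux|X11/ };
const PLATFORM_PATTERNS = { Windows: /^Win/, macOS: /^Mac/, Linux: /^Linux/ };

// Map a string to an OS family using per-family patterns.
function osFamily(value, patterns) {
  for (const [os, re] of Object.entries(patterns)) if (re.test(value)) return os;
  return "unknown";
}

// OS family whose default fonts appear most often in the reported font list.
function osFromFonts(fonts) {
  let best = "unknown", bestHits = 0;
  for (const [os, names] of Object.entries(OS_FONTS)) {
    const hits = names.filter((n) => fonts.includes(n)).length;
    if (hits > bestHits) { best = os; bestHits = hits; }
  }
  return best;
}

// Compare the OS claimed by the User-Agent with what other attributes imply.
function auditFingerprint(fp) {
  const claimed = osFamily(fp.userAgent, UA_PATTERNS);
  const observed = {
    "navigator.platform": osFamily(fp.platform, PLATFORM_PATTERNS),
    "font list": osFromFonts(fp.fonts),
    // value matched by the -moz-os-version media query, e.g. "windows-win10"
    "-moz-os-version": /^windows/.test(fp.mozOsVersion || "") ? "Windows" : "unknown",
  };
  const findings = Object.entries(observed)
    .filter(([, os]) => os !== "unknown" && os !== claimed)
    .map(([source, os]) => `${source} implies ${os}, User-Agent claims ${claimed}`);
  return { claimed, consistent: findings.length === 0, findings };
}

// Constructed sample: a Linux browser presenting a generic Windows User-Agent.
const spoofed = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0",
  platform: "Linux x86_64",
  fonts: ["DejaVu Sans", "Liberation Sans", "Arial"],
  mozOsVersion: null,
};
console.log(auditFingerprint(spoofed));
```

Each finding names the attribute that contradicts the User-Agent, which is also how an altered value's original can leak.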

The developers provide analysis for user agent spoofers, Random Agent Spoofer, canvas poisoners like Canvas Defender and Canvas FP Block, the Brave Browser, and other anti-fingerprinting techniques or implementations.

The researchers conclude that anti-fingerprinting techniques in browsers may make users more trackable rather than less, because the inconsistencies they introduce can themselves be used in the fingerprinting process.

In this article, we focused on evaluating the effectiveness of browser fingerprinting countermeasures. We showed that these countermeasures can be detected because of their side-effects, which may then be used to target some of their users more easily. We think that the same techniques could be applied, in general, to any browser extension.

Starov et al. [18] showed that browser extensions could be detected because of the way they interact with the DOM. Similar techniques that we used to detect and characterize fingerprinting countermeasures could also be used for browser extension detection. Moreover, if an extension has different settings resulting in different fingerprintable side effects, we argue that these side effects could be used to characterize the combination of settings used by a user, which may make the user more trackable.

Closing Words

If you break the research down, you will come to the conclusion that most anti-fingerprinting techniques are ineffective because it is possible to detect the inconsistencies they introduce. That alone would not be such a bad thing; what is bad is that these inconsistencies may be used to fingerprint users who value privacy.

It is too early to say what will come out of this, but it looks as if browser developers need to integrate effective options into the browser to protect user privacy better.