All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.
You’re constantly leaving your fingerprint all over the internet. You leave it with the personal information you share willingly, the personal information you share unknowingly, and with the mountain of data that gets sent to each website you load. Maybe you know a thing or two about privacy and decided to pick up a VPN to keep your browsing private. Even then, you’re a lot less private than you expect.
Your PC and the millions of servers that make up the internet share a lot of information, but the vast majority of it doesn’t fall under the umbrella of personally identifiable information. For instance, a website might know that your default system language is English, so it loads the English version of its website. That’s not personally identifiable. Sure, the website knows English is your preferred language, but the same is true for hundreds of millions of others.
In isolation, this data doesn’t mean much of anything. Together, however, it can identify you. This is the data that makes up your browser fingerprint, and it can be used to track you across the internet, even when visiting different websites, opening different browsers, and when you have a VPN turned on. Here’s everything you need to know.
What’s a Browser Fingerprint?
AmIUnique via Jacob Roach
The best way to describe a browser fingerprint is to show you. Go to AmIUnique and wait a minute or two for the test to run. You can see all the information your browser sends, as well as a similarity score based on all the results in the AmIUnique database. If you can’t be bothered, my fingerprint on a PC running Windows and Chrome—by far the most common operating system and browser—is unique out of over 4 million entries in the AmIUnique database.
The Electronic Frontier Foundation (EFF) has its own fingerprinting tester called Cover Your Tracks, and it puts the information in a slightly different way. I’m using Linux on my PC, and according to this test, that’s true of about one out of six PCs the EFF has tested; not unique at all. However, my WebGL fingerprint—details about how graphics are rendered in my browser—is very unique. Only one in over 33,000 browsers has the same WebGL fingerprint.
Your browser fingerprint is a collection of innocuous information about your PC that, when put together, is unique enough that it could identify an individual. Some of the components of your browser fingerprint include your computer’s hardware, your browser and version, the various versions of software you have running in your browser, the fonts you have installed on your PC, your time zone, your system language, your keyboard layout; the list goes on. Out of the dozens of pieces of information, none of them could identify you individually. It’s when this data is bundled together that your fingerprint becomes unique.
EFF via Jacob Roach
There are some situations where that could be a problem. If you are a particularly high-profile figure with a big cybersecurity target on your back, someone could identify and track you, waiting for a key vulnerability to show up before attacking.
Most of us aren’t high-profile figures. No, your browser fingerprint isn’t used for an attack; it’s used for advertising. Most targeted advertising is straightforward. You visit a website, opt into or out of cookies, and whatever cookies remain identify you to serve you ads. Fingerprinting works in a way that doesn’t require cookies. Advertisers can get around needing a unique identifier (a cookie) to track your behavior online.
Advertising agencies have used fingerprinting to bypass cookies too. In a ProPublica exposé, it was revealed that AddThis, a company that made social sharing tools, was using canvas fingerprinting behind the scenes. This type of tracking draws invisible images on your screen and then uses how those images are rendered and displayed to create a unique identifier. AddThis, according to the report, was in use everywhere from the official White House website to YouPorn, and it started using canvas fingerprinting without the knowledge of the websites that used its tools.
Is Browser Fingerprinting Legal?
There aren’t any laws banning browser fingerprinting. Although the individual components of your fingerprint aren’t covered by privacy regulations like the GDPR, the collection of them is. All of the components of your browser fingerprint are transmitted without your consent. However, if a company plans on managing that data to create a unique identifier, it needs to comply with GDPR, including acquiring consent.
Is Browser Fingerprinting Accurate?
Browser fingerprinting is probabilistic. Unlike a cookie, which is an unambiguous identifier that can follow you across the internet, your browser fingerprint is a collection of data that, on their own, can’t identify you. When put together, however, this data is usually unique enough to identify you.
It’s tough to say how accurate browser fingerprinting is exactly, but a 2019 meta-analysis found anywhere from 35 percent to over 95 percent accuracy. The paper concludes that accuracy can vary wildly based on the device and the websites a user commonly visits.
What Browser Blocks Fingerprinting?
The two main browsers that block fingerprinting are Brave and Firefox. Both use lighter fingerprinting protections, where some information may be shared, but not so much as to upend the browsing experience. This lighter approach can reduce the accuracy of browser fingerprinting, even if it doesn’t fully obfuscate the data your browser sends with each request.
There are other browsers more resistant to fingerprinting, such as Tor and Librewolf. Both come with limitations, however, ranging from slow speeds to broken websites.
Where (and Why) Fingerprinting Is Used
Fingerprinting is used all over the internet, and it’s not always for nefarious purposes. The most well-known tool for fingerprinting is the aptly-named FingerprintJS, made by Fingerprint, which says its software is in use at companies like Dropbox, Western Union, TikTok, and Trustpilot.
Fingerprint says its software can help prevent fraud. Instead of blocking a login or payment from a specific location, a fingerprint creates a more intelligent blocking mechanism. Or maybe you could use it in a game to prevent cheaters from spoofing the accounts of real users. And, if you need a cynical example, you could use it to prevent account sharing, which we’ve seen ad nauseam from streaming services.
The problem with browser fingerprinting is that it’s probabilistic in nature. It looks at a treasure trove of data to track you online, not any individual piece of information. A VPN, for instance, can hide your IP address and make you appear in a different location. If enough of the other data in your fingerprint is consistent, however, it can still be used to track you. Your IP address may be different, but just about everything else about your browsing is not.
There may be practical use cases for fingerprinting, but you really don’t have much say in the matter. Even with protections like the GDPR, the moment you load a website, there are likely a few dozen (if not more) trackers copying the information your browser shares for their own purposes. Services like Fingerprint leverage that information to create an identifier, but make no mistake, the data is always there.
How to Get Around Browser Fingerprinting
You can’t get around browser fingerprinting, at least not without significant compromises to your browsing experience (more on that later). Even if you were to spoof or obfuscate every piece of data your browser sends along, that’d probably work against you. The goal with avoiding fingerprinting is to become a Jane Doe online; you want to disappear in the crowd, so every piece of data that makes you stand out sends up a red flag.
The best way to fight back against fingerprinting is to hide or rotate enough information so that it’s more difficult to track you, not impossible. And that starts with a VPN, though it doesn’t make you fully anonymous. The clearest online fingerprint you leave is your IP address and physical location, and VPNs hide both. More importantly, many of the best VPNs today include additional tools to combat fingerprinting.
ProtonVPN, which is what I use myself, includes NetShield to block trackers, ads, and malware. It doesn’t prevent fingerprinting, but NetShield can at least capture and block requests from well-known trackers to make you a bit more private online. NordVPN has a similar feature, as does Surfshark.
The most robust version of this type of blocker comes from Windscribe. Through its browser extension, you can do things like rotate your browser’s user agent to make it appear as if you’re using a different browser, as well as spoof your language, time zone, and GPS information to match the VPN server you’re connected to. Again, this will not make you fully anonymous online. But an extension like the one Windscribe offers makes tracking your fingerprint more difficult.
On top of a VPN, you can use a tracking-resistant browser like Brave or Firefox. Brave combats fingerprinting by blocking or randomizing values that are returned to trackers, dealing with the issue by making instances of Brave look as similar as possible while also ensuring that identifiers aren’t able to track you across sessions and websites.
Firefox has similar protections in place, as well as features like the Multi-Account Containers add-on. With it, you can have several containers in your browser that live independently of each other but within the same browser window. For example, you might have all of your social media websites in one container, your shopping in another, and your news in a third. These should all be isolated enough that what you interact with on social media isn’t suddenly influencing the ads you see on news websites.
If You Need Absolute Privacy
Courtesy of Librewolf
You can get around browser fingerprinting if you absolutely need to, but the juice isn’t worth the squeeze for most people. It involves using a browser that’s slow, clunky, and will often break or refuse to load the websites you want to visit. Browser fingerprinting really becomes problematic when it’s used to track you across websites, browsers, and sessions. Restricting all of your browsing to a browser designed to get around browser fingerprinting isn’t practical in most cases.
But I have some options if you want to go crazy. First things first: Regardless of the browser you’re using, you need to disable JavaScript. The vast majority of data collected through your browser is through JavaScript. You can disable it on just about any browser, including Chrome, but it’ll break some websites. Nearly every website uses JavaScript, and only some of them are designed to work with JavaScript disabled.
With JavaScript disabled, you need a VPN and a browser built to get around tracking. The most popular is undoubtedly Tor. Tor routes your traffic through the Tor network, which is a series of nodes to mask the origin of your traffic. It’s incredibly slow, often blocked, and clunky to use. You don’t use the Tor network for casual browsing. Other options include browsers like Librewolf, which is a fork of Firefox. And, once again, you’ll have to deal with slow load times and websites breaking due to blocking certain APIs.
There are so-called anti-detect browsers available, which are less about protecting individual privacy and more about skirting the terms of service of most websites. They’re set up for people using multiple accounts—read, bot farms—and you’ll need to pay a monthly fee to use one.
As you can hopefully tell, this game of privacy starts to break down quickly. If you’re going through all this effort to mask your browsing online, you’ll also need to give up on extensions, other software you use that’s connected to the internet, and even your OS. Windows and macOS track you, after all. You can do a lot to safeguard your privacy and make it more difficult to track you online. But if you really need privacy, you need to log off.
Power up with unlimited access to WIRED. Get best-in-class reporting and exclusive subscriber content that’s too important to ignore. Subscribe Today.
