Browser fingerprinting, also known as online fingerprinting, is a tracking method used by websites to identify users across browsing sessions. It’s a useful tool for security and marketing, as it allows websites to detect fraud and prevent abuse by identifying specific site visitors using various evasion techniques like surfing through a VPN or incognito mode.
browser fingerprinting API Scripts can find out a lot about a device and its web browser, including information such as its operating system, its version of Java, its software and ad blocker, its timezone and other settings that allow the coding to accurately identify a user’s device. These data can then be stitched together to create a unique ‘digital fingerprint’ that identifies the device and a specific web browser.
This technology is incredibly powerful because it enables tracking without any user permissions. In Europe it is covered under the GDPR and the ePrivacy Regulation and marketers must inform people about their use of fingerprinting.
The privacy implications of fingerprinting are often complex, depending on the particular use case and threat model of the site or application. However, there are some common actions that authors of specifications for Web features can take to mitigate the impacts of fingerprinting (and other tracking technologies):
Best Practice 1: Avoid unnecessary or severe increases to fingerprinting surface, especially passive fingerprinting. This includes increasing the entropy of fingerprinting surface, such as by allowing an origin to read a canvas or font list in all contexts. It may be necessary to increase the scope of a feature with fingerprinting surface, but this should only be when it can be reasonably designed to have minimal impact on user-visible performance or functionality.
Similarly, Best Practice 2: Narrow the scope and availability of a feature with fingerprinting surface to what is functionally necessary for top-level browsing contexts. This helps ensure that a feature only has significant fingerprinting surface when it’s necessary for what it’s designed to do, and can help implementers build modes or API flags for users who are concerned about fingerprinting or whose devices or user agents don’t support the feature.
Good practices for limiting fingerprinting surface and its entropy include exposing only the capabilities and configurations that are needed to do what they’re supposed to do, or only the identifiers that a browser extension or other user agent can disable. Some implementations can also limit the entropy of fingerprinting surface by not exposing different capabilities or configurations for different devices or installations of a user agent (as implemented in Tor Browser, Firefox and Safari).
Best Practice 3: Mark features that contribute to fingerprintability, by explaining the impact (and any known implementer mitigations), and marking the relevant section with a fingerprint icon, as this paragraph is. This makes it easier for implementers to build modes or API flags for at-risk users, and also provides a way to document the fingerprinting surface and its impact so that other developers can easily spot them when writing applications and services.