Web - Browser Fingerprinting

About

A digital fingerprint is a string that represents a unique id of a device (browser).

The more unique is the browser, the more it has a one on one relationship with a user.

A digital fingerprint may be computed for a device:

• via its characteristics
• or it behavior (see canvas)

Articles Related

• Consumer Analytics - Privacy
• How are users/consumers tracked on the internet?
• User Identity

Example

The below example is a device characteristic fingerprinting that has been computed with the valve library.

Type

Characteristic

A characteristic device fingerprinting is computed by collecting characteristics of a user's device and by generating a unique string of this collection via a hash function.

Example of characteristics:

• fonts a user has installed
• the exact list of which features a user agents supports.
• the maximum allowed stack depth for recursion in script.
• features that describe the user's environment
• the user's time zone.

See example

Canvas

Canvas fingerprinting is a type of browser or device fingerprinting technique that was first presented by (2012) Mowery and Shacham in 2012 (Pixel Perfect: Fingerprinting Canvas in HTML5) -

The rendering of a canvas is heavily dependent on the device.

Algo: Render a picture on the canvas > To Base64 encoded > digest function to get the fingerprint value.

Etag

An etag is an unique identifier resource send with a HTTP request.

Because the etag is used by the browser when validating the cache in a conditional request, it could be used as fingerprint.

Implementation

Valve

Valve is a browser fingerprinting library (Valve/fingerprintjs2) that implements a characteristics fingerprinting. The example is based on it.

Browser DNA

https://www.npmjs.com/package/@ch1/browser-dna

Aloodo

• Aloodo is a tracking detection script. (designed to be blocked by all the popular Web privacy tools). You can use it to help your users learn if they are still vulnerable to third-party tracking, and start to do something about it.

See also:

• https://www.aloodo.org/publishers/
• https://blog.aloodo.org/posts/track-js-script/ - track.js script, based on BlockAdBlock

panopticlick

Panopticlick, Eckersley’s “open-source” implementation of browser fingerprinting. They take:

• plugins,
• fonts,
• timezone,
• supercookies,
• cookies enabled,
• user agent,
• http accept
• and screen resolution

Documentation / Reference

• https://pixelprivacy.com/resources/browser-fingerprinting/
• Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting - Research
• https://amiunique.org/faq
• wiki/Device_fingerprint
• https://doc.dataiku.com/dss/5.0//preparation/processors/visitor-id.html
• https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id and it's clientId