Device fingerprint


A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinting algorithm. A browser fingerprint is information collected specifically by interaction with the web browser of the device.
Device fingerprints can be used to fully or partially identify individual devices even when persistent cookies cannot be read or stored in the browser, the client IP address is hidden, and even if one switches to another browser on the same device.
This may allow a service provider to detect and prevent identity theft and credit card fraud, but also to compile long-term records of individuals' browsing histories even when they are attempting to avoid tracking – raising a major concern for internet privacy advocates.

History

Basic web browser configuration information has long been collected by web analytics services in an effort to measure real human web traffic and discount various forms of click fraud. Since its introduction in the late 1990s, client-side scripting has gradually enabled the collection of an increasing amount of diverse information, with some computer security experts starting to complain about the ease of bulk parameter extraction offered by web browsers as soon as in 2003.
In 2005, researchers at University of California, San Diego showed how TCP timestamps could be used to estimate the clock skew of a device, and consequently to remotely obtain a hardware fingerprint of the device.
In 2010, Electronic Frontier Foundation launched a website where visitors can test their browser fingerprint. After collecting a sample of 470161 fingerprints, they measured at least 18.1 bits of entropy possible from browser fingerprinting, but that was before the advancements of canvas fingerprinting, which claims to add another 5.7 bits.
In 2012, Keaton Mowery and Hovav Shacham, researchers at University of California, San Diego, showed how the HTML5 canvas element could be used to create digital fingerprints of web browsers.
In 2013, at least 0.4% of Alexa top 10,000 sites were found to use fingerprinting scripts provided by a few known third parties.
In 2014, 5.5% of Alexa top 10,000 sites were found to use canvas fingerprinting scripts served by a total of 20 domains. The overwhelming majority of the scripts were served by AddThis, which started using canvas fingerprinting in January that year, without the knowledge of some of its clients.
In 2015, a feature to protect against browser fingerprinting was introduced in Firefox version 41, but it has been since left in an experimental stage, not initiated by default.
The same year a feature named Enhanced Tracking Protection was introduced in Firefox version 42 to protect against tracking during private browsing by blocking scripts from third party domains found in the lists published by the company Disconnect.
At WWDC 2018 Apple announced that Safari on macOS Mojave "presents simplified system information when users browse the web, preventing them from being tracked based on their system configuration."
A 2018 study revealed that only one-third of browser fingerprints in a French database were unique, indicating that browser fingerprinting may become less effective as the number of users increases and web technologies convergently evolve to implement fewer distinguishing features.
In 2019, starting from Firefox version 69, Enhanced Tracking Protection has been turned on by default for all users also during non-private browsing. The feature was first introduced to protect private browsing in 2015 and was then extended to standard browsing as an opt-in feature in 2018.

Diversity and stability

Motivation for the device fingerprint concept stems from the forensic value of human fingerprints.
In order to uniquely distinguish over time some devices through their fingerprints, the fingerprints must be both sufficiently diverse and sufficiently stable. In practice neither diversity nor stability is fully attainable, and improving one has a tendency to adversely impact the other. For example, the assimilation of an additional browser setting into the browser fingerprint would usually increase diversity, but it would also reduce stability, because if a user changes that setting, then the browser fingerprint would change as well.
Entropy is one of several ways to measure diversity.

Browser fingerprint

The collection of large amount of diverse and stable information from web browsers is possible thanks for most part to client-side scripting languages, which have been introduced in the late '90s.

Browser version

Browsers provide their name and version, together with some compatibility information, in the User-Agent request header. Being a statement freely given by the client, it shouldn't be trusted when assessing its identity. Instead, the type and version of the browser can be inferred from the observation of quirks in its behavior: for example, the order and number of HTTP header fields is unique to each browser family and, most importantly, each browser family and version differs in its implementation of HTML5, CSS and JavaScript. Such differences can be remotely tested by using JavaScript. A Hamming distance comparison of parser behaviors has been shown to effectively fingerprint and differentiate a majority of browser versions.
Browser familyProperty deletion Reassignment
Google Chromeallowedallowed
Mozilla Firefoxignoredignored
Operaallowedallowed
Internet Explorerignoredignored

Browser extensions

A browser unique combination of extensions or plugins can be added to a fingerprint directly. Extensions may also modify how any other browser attributes behave, adding additional complexity to the user's fingerprint. Adobe Flash and Java plugins were widely used to access user information before their deprecation.

Hardware properties

User agents may provide system hardware information, such as phone model, in the HTTP header.
Properties about the user's operating system, screen size, screen orientation, and display aspect ratio can be also retrieved by observing with JavaScript the result of CSS media queries.

Browsing history

The fingerprinter can determine which sites the browser has previously visited within a list he provides, by querying the list using JavaScript with the CSS selector. Typically, a list of 50 popular websites is sufficient to generate a unique user history profile, as well as provide information about the user's interests.

Font metrics

The letter bounding boxes differ between browsers based on anti-aliasing and font hinting configuration and can be measured by JavaScript.

Canvas and WebGL

Canvas fingerprinting uses the HTML5 canvas element, which is used by WebGL to render 2D and 3D graphics in a browser, to gain identifying information about the installed graphics driver, graphics card, or graphics processing unit. Canvas-based techniques may also be used to identify installed fonts. Furthermore, if the user does not have a GPU, CPU information can be provided to the fingerprinter instead.
A canvas fingerprinting script first draws text of specified font, size, and background color. The image of the text as rendered by the user's browser is then recovered by the ToDataURL Canvas API method. The hashed text-encoded data becomes the user's fingerprint. Canvas fingerprinting methods have been shown to produce 5.7 bits of entropy. Because the technique obtains information about the user's GPU, the information entropy gained is "orthogonal" to the entropy of previous browser fingerprint techniques such as screen resolution and JavaScript capabilities.

Hardware benchmarking

can be used to determine whether a user's CPU utilizes AES-NI or Intel Turbo Boost by comparing the CPU time used to execute various simple or cryptographic algorithms.
Specialized APIs can also be used, such as the Battery API, which constructs a short-term fingerprint based on the actual battery state of the device, or OscillatorNode, which can be invoked to produce a waveform based on user entropy.
A device's hardware ID, which is a cryptographic hash function specified by the device's vendor, can also be queried to construct a fingerprint.

Mitigation methods for browser fingerprinting

Offering a simplified fingerprint

Users may attempt to reduce their by selecting a web browser which minimizes availability of identifying information such as browser fonts, device ID, canvas element rendering, WebGL information, and local IP address.
As of 2017 Microsoft Edge is considered to be the most fingerprintable browser, followed by Firefox and Google Chrome, Internet Explorer, and Safari. Among mobile browsers, Google Chrome and Opera Mini are most fingerprintable, followed by mobile Firefox, mobile Edge, and mobile Safari.
Tor Browser disables fingerprintable features such as the canvas and WebGL API and notify users of fingerprint attempts.

Offering a spoofed fingerprint

some of the information exposed to the fingerprinter may allow to reduce diversity. The contrary could be achieved if the mismatch between the spoofed information and the real browser information differentiates the user from all the others who do not use such strategy.
Spoofing the information differently at each site visit allow to reduce stability.
Different browsers on the same machine would usually have different fingerprints, but if both browsers aren't protected against fingerprinting, then the two fingerprints could be identified as originating from the same machine.

Blocking scripts

Blindly blocking client-side scripts served from third-party domains, and possibly also first-party domains would usually render websites unusable. The preferred approach is to block only third-party domains that seem to track people, either because they're found on a blacklist of tracking domains or because the intention of tracking is inferred by past observations.