As privacy experts constantly remind everyone, when it comes to tracking using web fingerprinting, users can run, but they simply can’t hide.
Most people assume third-party cookies are the main way they’re tracked from website to website and across different web sessions, and to a large extent that’s still true.
More recently, however, browsers and adblockers have started clamping down on this way of profiling users, which is why a second technique dating back a decade has come to the fore. It’s called browser profiling, aka the ‘cookieless monster’.
It works by analysing dozens of characteristics of a user’s software and hardware setup, which taken together form a unique pattern or fingerprint.
Having created this, advertisers track users as they browse by noticing every time that pattern pops up on sites across the web.
Even settings meant to protect privacy such as the failed DoNotTrack request can be used to aid fingerprinting collection.
It sounds almost impossible to stop, but not according to the makers of the Brave browser, which is using its latest developer build to test a new defence against fingerprinting: confusing fingerprinting collection algorithms by randomising some of the data they collect. As Brave explains it:
By making your browser constantly appear different when browsing, websites are unable to link your browsing behaviour, and are thus unable to track you on the web.
The main targets of this are the numerous Web APIs such as WebGL, the Canvas API and AudioContext that make it easy for developers to add graphical and other media features to websites.
But these can also be exploited invisibly by fingerprinting collection. For example, in canvas fingerprinting, a website uses the HTML5 API to render a hidden text element, generating a unique hash value of how this is done that varies minutely from machine to machine.
Brave tries to “poison” this value by randomising some of the data sent back to the website, in principle generating a different value every time it is accessed.
Although fingerprinting has a lot of possible APIs and network IDs to utilise, Brave’s concept is that it is only necessary to disrupt a few to confuse surveillance.
The company offers a demo site which users can visit to see how their fingerprint value remains constant between visits, even when browser data and cookies are deleted, or when using incognito mode. When repeated with Brave’s developer version, by contrast, each value should be different.
Why not just block the APIs outright? Because that might break a lot of websites users value.
The downside of blocking fingerprinting is that the technique is also used for legitimate reasons, for example by banks to detect account takeover (the criminal’s browser not being the same as the legitimate account holder’s).
The interesting aspect of Brave’s anti-fingerprinting is that the company seems determined to compete head-on with Mozilla’s Firefox, which from version 72 has blocked fingerprinting by blocking third-party requests from companies known to use the technique.
This is unlikely to be as effective as Brave’s technique. Not coincidentally, Mozilla said in January that:
The path forward in the fight against fingerprinting will likely involve both script blocking and API-level protections.
Which sounds as if the same technique now adopted by Brave will eventually turn up in Firefox at some point.
Brave hasn’t said when the feature will be rolled out. But after the slow-motion emergence of cookie control, it looks as if browser makers might finally be about to get serious about tackling fingerprinting.
Latest Naked Security podcast
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.