Home | View fingerprints | Statistics | Blog (RSS)

Defences against fingerprinting

Posted: 2016-08-05
By Lachlan Kang

If you're on this website you probably have at least some idea of what browser fingerprinting is. Fingerprinting is a method of tracking you across the web that is much harder to defend against than previous techniques. Inter-domain tracking, the kind of tracking that involves following you between websites, is an invasion of your privacy; typically tracking is done to build a profile of your browsing habits that can then be sold and used to serve you ads. If you would have a problem with showing a stranger your Internet history you should have a problem with tracking. In particular you should have a problem with browser-fingerprint based tracking, which we refer to more succinctly as fingerprinting, since it's so difficult to disable.

There are several different ways to defend against fingerprinting, and each has their own positives and negatives. In this blog post we're going to discuss and compare each method.

Method 1: Share a fingerprint with others

The first method is probably the easiest, to give your browser a fingerprint that is not unique. The more people you share your fingerprint with the harder you are to track and the more you get lost within the crowd. Currently the most effective way of doing this is by using the Tor Browser Bundle (the TBB). The TBB is a fork of Firefox developed by the Tor Project and is their recommended way of browsing the Internet using Tor. The purpose of the Tor network is to anonymise your Internet traffic, and tracking technologies could potentially be used to deanonymise Tor users, so it stands to reason that they try to defend against it1. Tracking is an invasion of your privacy, and the Tor Project was created to help defend your privacy.

Installing Tor is easy, it doesn't require any special configuration or setup. It does have its downsides however. For instance if you use the TBB you're forced to use Tor. While it has many benefits, it also has some properties that some people may potentially find frustrating. Most notably when using Tor pages load noticeably slower, and Tor users are treated like second class citizens in the Internet, often being denied service by websites or shown very difficult CAPTCHAs to test if they're human before they can view a site [1].

Other browsers exist that have fingerprinting defences, but they tend to only defend against the simplest of attacks. For instance IceCat, another Firefox fork, has several fingerprinting defences, such as spoofing HTTP headers to make it look like you're running a common version of Firefox on the most common operating system, Windows. These defences don't stack up to the TBB however, and aren't really good enough to defend against any but the simplest of fingerprinting techniques.

Lastly fingerprinting attacks and defences are an arms race. For defences to be developed attacks first need to be discovered. An attack could be used in the wild for months or even years until a researcher discovers it and defences are created. For instance AudioContext fingerprinting was discovered in the wild [2] after having been active for who knows how long and defences are not yet widely available months later (Update 2016-09-08: Mozilla plans to give users the option of disabling the Web Audio API in Firefox 51).

Method 2: Disable JavaScript universally

The second method of defending against fingerprinting is to disable JavaScript completely for all sites that you don't want to be tracked to. All scripts on sites you don't want to be tracked to must be disabled, any scripts that you allow could contain fingerprinting code. The majority of fingerprinting tests, and certainly the most powerful ones, require the use of JavaScript, hence disabling JavaScript will defeat most tests. The problem with this is that a large amount of sites on the Internet require JavaScript to function properly and simply won't work with it disabled. This makes the technique too restrictive for most users.

Additionally it doesn't defeat all tests, and those few tests may be enough to uniquely identify you, we'd like to find out whether that's the case as part of our research. In 2011 a study of 989 fingerprint samples found that a combination of fonts, the first two octets of IP address, timezone, and screen resolution, were enough to uniquely identify most users [3]; all of those, except perhaps timezone, can be obtained without JavaScript. In 2012 a study by Microsoft using datasets from Bing and Hotmail found that 60% - 70% of clients were accurately identifiable based on their user-agent string, and that number went up to 80% when IP prefix information was also used [4]. And in 2016 we have a study that found that only 29% of fingerprints were unique when JavaScript was disabled [5], but they didn't have the CSS screen size and font detection tests Browserprint has.

A quick query of our database found that out of 2104 submitted fingerprints where JavaScript was disabled 1372 were unique, that means 65.2% of fingerprints with JavaScript disabled were still unique, and that's without the scriptless tests that we're planning but haven't implemented yet such as scriptless ad-blocking checking and a scriptless version of the char sizes test. This just goes to show that disabling JavaScript is not a silver bullet, it should probably be combined with using a browser such as IceCat that has some fingerprinting defences. In summary we don't recommend this technique.

Method 3: Use multiple browsers

Update 2017-08-01: This method is no longer recommended as Cao, Li, and Wijmans [8] published techniques for cross browser fingerprinting which actually showed decent effectiveness. If their results hold true then this technique is now, in the worst case scenario, little more than a placebo.

The third method is to use a different browser for different activities on the web. In its simplest form you partition your browsing habits between two browsers, for instance one browser for things tied to your identity (LinkedIn, Facebook, Google+, banking, online shopping) and one another for general browsing. This means that while it's still possible for companies to track you and build a profile based on your browsing habits, the profile won't get tied to your identity, and the profile that is tied to your identity is minimised. This technique could be augmented using more browsers, using virtual machines, and by assigning each virtual machine a different VPN server.

This approach does require a bit of discipline. When virtual machines are added to the mix this would likely become too troublesome for most people.

What's more, cross-browser fingerprinting may be possible. That is, if two browsers are running on the same computer and operating system, it may be possible to tie sessions of one browser to another using only fingerprint data associated with operating system, underlying hardware, and other browser independent data. At least one study has attempted to answer this question before. They found that a combination of fonts, the first two octets of your IP address, timezone, and screen resolution were enough to uniquely identify most users [3]; these are features that tend to be consistent between multiple different browsers on the same machine. We plan to examine the question further. For instance in a previous blog post we explored the possibility of device independent fingerprinting using CAPTCHAs, user fingerprinting.

In summary I can neither argue for nor recommend against this technique, in its simplest form it may just act as a placebo and provide little benefit; in its more advanced form it's likely very powerful, but still suffers from the fact it's unwieldy, and that you're only partitioning your profile, not completely defeating fingerprint-based tracking. If only it was possible to use a different combination of browser and operating system for every site you visited.

Method 4: Different fingerprints for different sites

The fourth method of defending against fingerprinting is where you spoof your fingerprint, providing a different one to each site you visit. The spoofing must be per site; there's no point for instance switching your user-agent string every 5 minutes2. Per request is also acceptable, but it's trivial to detect, which makes it less desirable.

There doesn't seem to exist a significant amount of software that provides the kind of per-domain or per-request spoofing we're looking for, but the few extensions we've found we list here.

The best software for fingerprint spoofing so far appears to be the Firefox extension FP-Block [6]. This randomises many fingerprint features per-site, including adding randomness to HTML canvases to foil canvas fingerprinting. Sadly it's not under active development and is a little bit buggy, but it's well worth playing around with.

Another study developed software called PriVaricator that randomised the fingerprint features offsetHeight, plugins, and fonts [7]. They found that this strategy worked against all tested fingerprinters, but sadly they do not seem to have released the extension publicly.

Apart from that we have closed-source extensions UAControl and Secret Agent. UAControl does user-agent string spoofing per domain, but you need to set the user-agent string manually rather than automatically generating mappings, meaning it's not particularly useful. Secret Agent randomises user-agent string and request headers per request.

Footnotes

  1. How could tracking deanonymise someone using Tor or a VPN? There's two scenarios; in the first scenario someone visits a site such as Gmail or Facebook that is tied to their identity, then they visit a second site that doesn't know their identity. If both websites have fingerprinting code and the websites collude, the first website could tell the second who you are, thus deanonymising you on the second site.

    In the second scenario you could visit a website with your IP address hidden by a proxy, then visit the site a second time without your IP address hidden. If the site uses fingerprinting they would be able to link the first visit of the site to the second, thus deanonymising your first visit.

  2. Imagine you switch your fingerprint at a regular (or irregular) interval. You visit one site where you have cookies enabled (or they're keeping track of your session with something else like a JSESSIONID), you switch your fingerprint, and then you visit the site again. The site can detect you've changed your fingerprint trivially. All that needs to be done is for them to store your original fingerprint, notice the change, then overwrite the stored fingerprint with your new one, and tell all collaborating sites your fingerprint has changed.

References

  1. Khattak, S., Fifield, D., Afroz, S., Javed, M., Sundaresan, S., Paxson, V., Murdoch, S.J., McCoy, D.: Do You See What I See? Differential Treatment of Anonymous Users. In: Network and Distributed System Security Symposium (2016)
  2. Englehardt, S., Narayanan, A.: Online tracking: A 1-million-site measurement and analysis Draft: May 18, 2016
  3. Boda, K., Foldes, A.M., Gulyas, G.G., Imre, S.: User Tracking on the Web via Cross-Browser Fingerprinting. In: Nordic Conference on Secure IT Systems, pp. 31–46. Springer (2011)
  4. Yen, T.F., Xie, Y., Yu, F., Yu, R.P., Abadi, M.: Host Fingerprinting and Tracking on the Web: Privacy and Security Implications. In:NDSS (2012)
  5. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints. In: 37th IEEE Symposium on Security and Privacy (S&P 2016) (2016)
  6. Torres, C.F., Jonker, H., Mauw, S.: FP-Block: usable web privacy by controlling browser fingerprinting. In: European Symposium on Research in Computer Security, pp. 3–19. Springer (2015)
  7. Nikiforakis, N., Joosen, W., Livshits, B.: PriVaricator: Deceiving Fingerprinters With Little White Lies. In: Proceedings of the 24th International Conference on World Wide Web, pp. 820–830. ACM (2015)
  8. Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In Proc. of Network & Distributed System Security Symposium (NDSS).